Rsam

- make a model - market it as "extremely powerful at cybersecurity" - everyone is now hyped and waiting for your new model to be released, more than happy to pay you 200$ when it comes out - model released, big sales - users complain that any security related question is blocked due to "safety measures" - turns out the model was never as good at cybersecurity as claimed - but it does not matter, because the weakness is hidden behind the "safety measures"

https://t.co/ZgW8MIbYwg this is how this attack happened in simple terms (rekted around $4.3M in USDC, 274 WETH, $434K in USDT, and 14.16 PAXG (gold)): 1- the attacker first created fake tokens on osmosis chain, the osmosis chain has a token factory which allows users to create their own tokens. the attacker created fake versions of USDT, USDT, PAXG (gold) and WETH. 2- osmosis chain can communicate with gravity chain through cosmos IBC (inter-blockchain communication), so attacker bridged their fake tokens to gravity chain using IBC. as soon as the tokens arrived on gravity chain, they got assigned a unique IBC denom on gravity chain (https://t.co/oLR7jsACz6 this link explain IBC denoms, the IBC denom is something like this [ibc_denom = 'ibc/' + hash('path' + 'base_denom')]) 3- the gravity bridge has a registry which maps an IBC denom to an ETH token address. so for example, the registry maps ibc_denom X to pepe coin on ethereum chain. that means when you withdraw a pepe wrapper coin that has the ibc_denom X from gravity chain, you will receive real pepe coins on ethereum chain. 4- now the attacker only needs to map the ibc_denom of the fake tokens they have to the address of a real coins on ethereum (USDC, USDT, PAXG, WETH) and then by withdrawing the fake coins they just bridged into gravity, they can receive real assets on ethereum chain 5- to do this attacker used the gravity's ethereum bridge contract (https://t.co/631Tfqogz0), they called the deployERC20 function with a malformed ibc denom which included both the ibc_denom of the fake tokens they have on the gravity chain as well as the real coin addresses (USDC, USDT, PAXG, WERH) on the ethereum chain (ibc/C92D312D79D9C44B6C6F94AF40FFCB30A334D87F08952D6ED9904E3E83A9F50C/0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48/transfer/channel-10/factory/osmo1m9athjzah02f2mnrgtcke7e5ya3zpvw8lccuss) (and tx = https://t.co/PJkrZku1oe) 6- this ibc denom was crafted in such a way that when picked up by gravity validators and orchestrators they mapped the ibc_denom of the fake hacker tokens to the real coin addresses on ethereum 7- now the ibc denoms of the fake attacker coins were pointing to the real ethereum addresses (e.g. fake_usdt_denom => real_usdt_address). 8- attacker simply withdrewed those coins and received real assets on ethereum chain. easy peasy lemon squeezy. Lesson learnt for future protocols/bridges integrated with IBC to make defi great again? never ever freely trust user-controlled cross-chain metadata to change some critical states, check every edge case, validate every bit, and more importantly dont forget good audits. #MAKE_DEFI_GREAT_AGAIN

When auditing a protocol, ask AI to write test scenarios starting from contract deployment all the way through day-to-day protocol lifecycle and user interactions. Then follow those tests as you read the code. It gives you a much clearer understanding of how the whole protocol works, and how each piece fits together.

https://t.co/u6UECpMC4u How this rekt happend: 1. The old DxSale v1 locker used an Ownable admin model. whoever held the owner key could call privileged functions and bypass what users thought were immutable LP locks. 2. the original owner called transferOwnership, giving the attacker full admin control of the primary locker contract and two other locker contracts. 3. Because the attacker was now owner, the “locked” LP tokens were no longer protected by time-lock logic in practice so admin authority could trigger token transfers out directly. 4. The attacker used EIP-7702-style batch delegation / atomic transaction tooling to efficiently hit 1,400+ liquidity pools on BNB Chain in a coordinated flow. 5. They pulled LP tokens from the locker, redeemed/removed liquidity from pools, and converted the locked positions into movable assets. 6. Proceeds were routed through aggregation/relay wallets and then dispersed to Binance deposit addresses.