We have completed a comprehensive security audit of Epusdt.
As an open-source multi-chain USDT payment gateway with over 3,000 GitHub Stars and already serving more than 10 platforms, Epusdt gives users true control over their funds. Our audit placed special emphasis on private key management, transaction signing, API security, and the reliability of multi-chain transaction monitoring.
GMwalletHK (@gmwallet)
https://t.co/LI51nkpS30
⚠️Earlier Attack: STO Protocol - Loss ~69k
The attack reported by DefimonAlerts came from yet another imitator.
We have identified an earlier and more serious attack incident.
Same token name — Victim token $STO: 0xc6941C6bffdc844073e2c7C22816216C3890Cd65
The first $STO attack was carried out by a completely different Attacker:
0x87A8Ff8AD993C10aF4ad85b62Ddb50b4968ABc93
Attack TX:
https://t.co/THMqGHQJ80
Profit from this $STO attack: ~69k
Vulnerability type (both incidents):
Logic Error — Deflationary Sell-Burn Drain
🚨 STO Protocol - Loss $16.1K (2026-02-23)
Token: $STO (no CoinGecko listing)
MC: Unknown
TVL: $5.65K (STO/WBNB pair)
Type: Logic Error — Deflationary Sell-Burn Drain
The STO token burns sold tokens from the PancakePair on every subsequent sell via `_executePendingSellBurn()`, which removes STO from the pair and calls `sync()` to update reserves. An attacker flash-loaned 360,894 WBNB, then executed 45 repeated sell cycles: each sell accumulated `pendingBurnFromSell`, and the next sell's `_update` burned those tokens from the pair before the new swap, shrinking STO reserves and inflating the WBNB output. This created a compounding drain loop, extracting ~26.57 BNB ($16.1K) of excess WBNB from the pair. The root cause is that `_executePendingSellBurn` (STO.sol:313-323) burns pair tokens and syncs reserves mid-swap flow, allowing an attacker to manipulate the AMM price curve within a single transaction.
TX: https://t.co/9a8EanATh2
Victim: https://t.co/0N9VwvoZMW
Token: https://t.co/18KWqq4DIj
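To make the drain loop concrete, the following is an added simulation, not the STO contract or the attacker's code. It models a PancakeSwap-style constant-product pair and a token whose transfer hook records a fraction of every sold amount as `pendingBurnFromSell` and then, at the start of the next sell, burns that amount out of the pair and syncs reserves (the `_executePendingSellBurn` behaviour described above). All numbers (reserves, the 0.25% fee, the burn rate, trade size and cycle count) are constructed for illustration, and the hook is assumed to fire only on the sell path. Running the same loop with `burn_from_pair=False` shows the hardened behaviour: the attacker just pays swap fees on every round.

```python
"""Simulation of the STO sell-burn drain loop (added example, constructed numbers)."""
from dataclasses import dataclass

FEE = 0.0025  # assumed PancakeSwap v2 swap fee (0.25%), taken on the input amount


def get_amount_out(amount_in: float, reserve_in: float, reserve_out: float) -> float:
    """Uniswap-v2 style quote: x*y=k with the fee deducted from the input."""
    amount_in_with_fee = amount_in * (1 - FEE)
    return reserve_out * amount_in_with_fee / (reserve_in + amount_in_with_fee)


@dataclass
class Pair:
    sto: float   # STO reserve
    wbnb: float  # WBNB reserve

    def buy_sto(self, wbnb_in: float) -> float:
        out = get_amount_out(wbnb_in, self.wbnb, self.sto)
        self.wbnb += wbnb_in
        self.sto -= out
        return out

    def sell_sto(self, sto_in: float) -> float:
        out = get_amount_out(sto_in, self.sto, self.wbnb)
        self.sto += sto_in
        self.wbnb -= out
        return out


class StoToken:
    """Transfer-hook logic relevant to the drain, reduced to the sell path (hypothetical model)."""

    def __init__(self, pair: Pair, burn_rate: float, burn_from_pair: bool):
        self.pair = pair
        self.burn_rate = burn_rate            # share of each sold amount queued for burning
        self.burn_from_pair = burn_from_pair  # True = vulnerable behaviour
        self.pending_burn_from_sell = 0.0

    def _execute_pending_sell_burn(self) -> None:
        if self.pending_burn_from_sell == 0:
            return
        if self.burn_from_pair:
            # Vulnerable: the STO side of the reserve shrinks while the WBNB side
            # stays, and sync() makes the pair price against the new ratio. The
            # attacker already holds STO bought at the old ratio and sells into it.
            self.pair.sto -= self.pending_burn_from_sell   # burn from pair + sync()
        # Hardened alternative: burn from a contract-held balance instead, so the
        # pair's reserves are never touched inside the swap flow.
        self.pending_burn_from_sell = 0.0

    def sell(self, amount: float) -> float:
        """Attacker transfers `amount` STO to the pair: pending burn first, then the swap."""
        self._execute_pending_sell_burn()
        wbnb_out = self.pair.sell_sto(amount)
        self.pending_burn_from_sell += amount * self.burn_rate
        return wbnb_out


def run_drain(cycles: int, trade_wbnb: float, burn_rate: float, burn_from_pair: bool,
              reserve_sto: float = 1_000_000.0, reserve_wbnb: float = 100.0):
    """Run buy->sell cycles with flash-loaned WBNB. Returns (attacker_profit_wbnb, pair)."""
    pair = Pair(reserve_sto, reserve_wbnb)
    token = StoToken(pair, burn_rate, burn_from_pair)
    profit = 0.0
    for _ in range(cycles):
        sto_bought = pair.buy_sto(trade_wbnb)   # flash-loaned WBNB in, STO out
        profit -= trade_wbnb
        profit += token.sell(sto_bought)        # this sell burns last round's pending amount first
    return profit, pair


if __name__ == "__main__":
    for flag in (True, False):
        profit, pair = run_drain(cycles=45, trade_wbnb=50.0, burn_rate=0.10, burn_from_pair=flag)
        print(f"burn_from_pair={flag}: attacker {profit:+.2f} WBNB, pair left with {pair.wbnb:.2f} WBNB")
```

Note that the very first round loses money: nothing is pending yet, so the attacker only pays fees. Profit starts on the second sell, once the burn from the previous round has repriced the pair, which is why the attacker needs many cycles in one transaction rather than a single sell.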
Alert Notice
Attack Tx:
https://t.co/IZKqJSRl7I
Victim contract:
0x763FaE69d2b7882Ed6470BBcABA3A0B368c8f1D9
Attacker: 0x6bfdd4a4e895d5437b3073a3bc22a3ff6d3227fb
Chain: BNB Smart Chain
Loss: ~ $245k
Preliminary Root Cause Analysis:
The core issue appears to be related to the `getUserLPAmount` function producing incorrect LP share calculations under extreme conditions.
Key observations from preliminary analysis:
1. The protocol relies on internal reserve tracking that is not strongly validated against real-time pool balances and lacks protection mechanisms to defend against flash loan manipulation.
2. Under flash-loan-induced extreme liquidity states, the return value of `getUserLPAmount` becomes significantly distorted.
3. The function with selector `0x3cc9` (likely involved in reserve synchronization, LP burning, redemption, or reward distribution logic) does not appear to include deviation checks, threshold guards, or rollback conditions when reserve and actual pool states diverge substantially.
4. The combination of:
- Calling `processLPReward`
- Toggling internal state (selector `0x0f2de53f`)
- Performing a very large buy of LED tokens directly to the dead address
triggers abnormal behavior, including unexpected `LPRewardDistributed` events and abnormal increases in pool WBNB balance.
5. The attacker exploits this inconsistency by first massively buying LED to the burn address (causing price impact + abnormal reward/pool inflation), then immediately selling the acquired LED back, extracting profit from the distorted pool state.
🔍 Threat Intelligence Program is Live
We’re opening our threat intelligence pipeline to the community.
Submit threat incidents via our website "https://t.co/nYd2zezD0C Intelligence Column" or [email protected].
💰 Premium rewards + an extra $10,000 USDC incentive pool, available after our March launch.
#ThreatIntel #Web3Security #BugBounty #SecurityResearch
New blog post: Empty JSP File Evasion 🕵️♂️
Make a JSP file appear completely empty on disk while running a full webshell.
Exploits Tomcat's timestamp-based recompilation to load malicious .class without triggering detection.
Highly stealthy for red team ops.
https://t.co/HOn3fbpAWV
#InfoSec #WebShell #RedTeam #CyberSecurity #bypass
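A defender-side check for the technique summarised above, added here as an example and not taken from the blog post. It assumes Jasper's default layout, where `<webapp>/<path>/<name>.jsp` is compiled to `<work>/org/apache/jsp/<path>/<name>_jsp.class`, and walks the work directory looking for compiled classes whose source JSP is missing or empty, then greps the class bytes for constant-pool strings a plain page has no reason to contain. The directory names, the `build_fixture` sample files and the suspicious-string list are constructed for the example; JSP names that Jasper mangles into Java identifiers are not handled.

```python
"""Hunt for 'empty JSP backed by a real class' in a Tomcat work directory (added example)."""
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Constant-pool strings a normal JSP page does not reference but a command webshell usually does.
SUSPICIOUS_CLASS_STRINGS = (
    b"java/lang/ProcessBuilder",
    b"java/lang/Runtime",
    b"/bin/sh",
    b"cmd.exe",
)

# Jasper's generated package, relative to the per-webapp work directory (assumed default).
JSP_PACKAGE = Path("org") / "apache" / "jsp"


def source_jsp_for_class(class_file: Path, work_root: Path, webapp_root: Path) -> Optional[Path]:
    """Map work/org/apache/jsp/<path>/<name>_jsp.class back to <webapp>/<path>/<name>.jsp."""
    try:
        rel = class_file.relative_to(work_root / JSP_PACKAGE)
    except ValueError:
        return None
    if not rel.name.endswith("_jsp.class"):
        return None
    return webapp_root / rel.parent / (rel.name[: -len("_jsp.class")] + ".jsp")


def find_suspicious_jsps(work_root, webapp_root) -> List[Dict[str, str]]:
    """Return one finding per compiled JSP whose source is missing/empty or whose bytes look like a shell."""
    work_root, webapp_root = Path(work_root), Path(webapp_root)
    findings: List[Dict[str, str]] = []
    for class_file in (work_root / JSP_PACKAGE).rglob("*_jsp.class"):
        jsp = source_jsp_for_class(class_file, work_root, webapp_root)
        if jsp is None:
            continue
        reasons = []
        if not jsp.exists():
            reasons.append("compiled class has no source JSP")
        elif jsp.read_bytes().strip() == b"":
            # The evasion leaves a zero-length (or whitespace-only) .jsp on disk while
            # Jasper keeps serving the already-compiled class as long as its timestamp
            # is not older than the .jsp, so "empty source, live class" is the signal.
            reasons.append("source JSP is empty but a compiled class exists")
        data = class_file.read_bytes()
        hits = [s.decode() for s in SUSPICIOUS_CLASS_STRINGS if s in data]
        if hits:
            reasons.append("class references " + ", ".join(hits))
        if reasons:
            findings.append({"jsp": str(jsp), "class": str(class_file), "reasons": "; ".join(reasons)})
    return findings


def build_fixture(root) -> Tuple[Path, Path]:
    """Constructed sample layout (not real Tomcat output): one benign page and one
    empty index.jsp whose compiled class embeds a ProcessBuilder reference."""
    root = Path(root)
    webapp = root / "webapps" / "ROOT"
    work = root / "work" / "Catalina" / "localhost" / "ROOT"
    pkg = work / JSP_PACKAGE
    pkg.mkdir(parents=True)
    webapp.mkdir(parents=True)
    (webapp / "hello.jsp").write_text("<%= new java.util.Date() %>\n")
    (pkg / "hello_jsp.class").write_bytes(b"\xca\xfe\xba\xbe" + b"java/util/Date")
    (webapp / "index.jsp").write_bytes(b"")
    (pkg / "index_jsp.class").write_bytes(b"\xca\xfe\xba\xbe" + b"java/lang/ProcessBuilder")
    return work, webapp


def demo() -> List[Dict[str, str]]:
    """Build the constructed fixture in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        work, webapp = build_fixture(tmp)
        return find_suspicious_jsps(work, webapp)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real host, point `find_suspicious_jsps` at `work/Catalina/<host>/<context>` and the matching directory under `webapps`; an empty `.jsp` with a compiled class beside it is worth pulling the class for analysis even when the string check is silent, since a shell that obfuscates its strings would evade the second heuristic only.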
We’re hiring!
We’re currently hiring for the following positions:
Business Development Manager (Priority Hire)
Security PhD (Intern)
Security Researcher
LLM / AI Security Engineer
Remote-friendly.
👉 Apply: https://t.co/kvURc67zoY
📩 Contact: https[:]//t.me/Yooike
How to think and operate like a smart contract hunter.
What follows is practical and directly applicable.
I share techniques I actually use, and in recent months,
they’ve brought in approximately $80k.
Yesterday, we received a theft incident request.
We traced the on-chain flows, identified the root cause, and conducted remote incident response on the victim’s computer.
Attacker address:
0xd1a5ddddac356fb4c57d7de55740366684ef1a59
The attacker stole funds from 10 victim wallets across 10 transactions, totaling $41k.
Funds were stolen as USDC on Base, then bridged to Solana, and ultimately flowed to ChangeNOW.
Root cause: downloading a malicious file.
Malware sample hashes:
hash1: 0be8e24e4faf7055cb0d458332d2e7f92660b49b7faa182fdee661670f96783d
hash2: 0df30d75b43433200fa3b5a6ab7e4eea8f9a755c5cd4cdfe019c3be837b7121f
Sample download link:
https://t.co/BjG9KHJE9f
Based on historical samples, this appears to be large-scale malware targeting Web3 practitioners, often bundled with third-party software.
If you ever experience a theft incident and need assistance, feel free to contact https://t[.]me/S7iter.
Of course, we sincerely hope you never have to face situations like this.