🔒 SECURITY FIRST:
Our smart contracts are fully audited by the chads @chainthreatsec ✅
🛡️ Wager funds protected by secure escrow
⚡ Session keys verified safe
🔐 Game logic tamper-proof
🏆 Prize pool distributions guaranteed
Your ETH is safe. Your strategy is what matters.
Bet with confidence. 💰
The @playhuego audit is complete and soon to be listed on the official @AbstractChain Portal!
ChainThreat Security (Web2/Web3 assessments) executed the audit, led by @abarbatei.
Big thanks to @0xmorgosh & team for the trust.
More audits coming to Abstract soon!
Full report 👇
One of the most common security vulnerabilities I see in web dApp assessments is relying on signed messages (i.e., personal_sign) for authentication.
Web3 dApps often use personal_sign for authentication, assuming it’s secure because only the owner of the wallet can sign messages. But what if attackers trick users into signing something they shouldn’t from a fake site?
The Risk:
An attacker can phish a signature from a user and reuse it to impersonate them, transfer offchain assets to a new onchain wallet, or execute layer-2 transactions—without needing their private key.
Actual Findings:
- The ability to phish admin account signatures to access their cloud-hosted airdrop portal for unauthorized minting of assets.
- The ability to take over player accounts and their in-game NFT assets.
How to Fix It:
- Require two-factor auth for sensitive state-changing actions
- Implement strict CORS policies to prevent phishing attempts
- Require domain-bound signatures (EIP-4361: Sign-In with Ethereum)
- Use a nonce in signed message requests to prevent replay attacks
Note: the risks vary depending on whether you're operating on a layer-2 protocol, using a Web2 backend, or using pure Web3 infra without a backend.
If your dApp uses personal_sign, how do you prevent signature reuse?
The 3 Most Common Front-End Attacks on DApps
@1inch & @Cointelegraph fell victim to front-end exploits last month. DApps using @solana's web3.js were hit just this week.
Hackers don’t stop at smart contracts—they find the weakest link.
Here’s how to protect your DApp 🧵
The following dapps should ensure their versions of the Lottie Player js library are pinned to <= 2.0.4. Blockaid identified a supply chain attack affecting versions >= 2.0.5
@Velvet_Capital @dexkit @DeBox_Social @yup_io @StabilityW_AI
https://t.co/LSIhYOExTu
🚨 URGENT: Blockaid systems have detected a potential supply chain attack targeting dApps that use Lottie Player.
A new version of this npm package was deployed a couple of minutes ago, with multiple legitimate dApps now issuing malicious transactions.
More updates soon.
We ran a quick scan and the following dapps run the vulnerable library identified by @blockaid_. We'll keep scanning for other dapps. Reach out if you think you might be vulnerable.
@EDUMOfficial, @DeBox_Social, @Crypto_Scratch_
Honored to receive such a testimonial from @TomBilyeu on my penetration testing and consulting work for @projectkyzen. With @chainthreatsec, we’re bridging traditional security assessments into Web3, delivering end-to-end testing across your entire attack surface.
Recently @_jasondoyle has been testing a lot of security-focused browser extensions. With this he helped us catch a potential bypass of our extension.
Now that the issue is fixed, we want to send him a public shoutout for all this work he's doing for the crypto community! 🫡
Front-end attacks and phishing continue to be major attack vectors draining user wallets. Our founder @_jasondoyle has been working with several Web3 scam detection providers to enhance their capabilities.
Working with the community is a core value of our team at Blockaid, which is why we would like to take a moment to shout out @jdoylesecurity and the work he's been doing lately to help security providers up their game, like this recent analysis of security tools or his dApp security course 🦾
Security Researcher @jdoylesecurity has been doing important penetration testing to help improve Web3 security tooling.
Today he shares his methodology on the Revoke blog to help more people become security researchers and make the industry safer.
https://t.co/PDmi4XZy5Y
Thank you for the shout-out! Remember, #Web3Security is more than #SmartContract audits. Open to share more insights and help others secure their projects. Feel free to reach out for advice or discussions. Let's strengthen Web3 together! 💪 #Blockchain #CyberSecurity