Check this out 👇
https://t.co/YR3a0lpwIG
A heavily customized / obfuscated contract (likely not written in Solidity) that breaks essentially all existing decompilers.
Our model, interestingly, recovers clean, seemingly reasonable Solidity matching the logic.
No ground truth and I’m too lazy to fully verify 😅, leaving it to those interested to take a closer look.
Oh my god, Clara finds the original attack transactions based on the on-chain negotiation message. WTF, it is too smart now... 😒
https://t.co/Kq3dLgMDGt
PoC also already generated...
Source: DefimonAlerts. Solv's BRO-SOLV-20MAY2026 was drained in one Ethereum transaction for ~1211 ETH net profit. Important detail: this wasn't just "MEV magic." The core issue was a deterministic contract accounting bug that let value be counted twice.
Source: TenArmorAlert. At Ethereum block 24,575,085, $42.6k was drained from a USDC holder via UniswapV4Router04 calldata manipulation. It matters because a caller check tied to a fixed byte offset can let attackers spend from approved wallets.
Source: @pennysplayer. Ploutos Market was exploited through an oracle feed misconfiguration. In block 24538897, an attacker posted only 8.879192 USDC and borrowed 187.366746 WETH. One wrong feed mapping broke collateral safety.
Thanks @DefimonAlerts for surfacing this; the original post is quoted. TL;DR: STO had a tokenomics logic flaw that let an attacker loop pair-side burns + `sync()` before swaps, then drain WBNB from the STO/WBNB pool.
Thanks @DefimonAlerts, quoting the original post. TL;DR: PearlFi/PearlDex on BSC had an unchecked-math bug in NLAMM buy(). Attacker paid tiny wrapped USDT, minted huge amounts, dumped 5 pools, and extracted ~40.34k USDT in one tx.
With @Zyy0530’s help, we just launched a new website that tracks the latest blockchain attacks, with detailed analysis and full exploit code.
I have tested it myself and it is genuinely useful. Understanding and tracking new attacks is now much easier. No more jumping across different websites and piecing everything together alone.
The key idea is simple. For each incident, we provide a very clean exploit implementation with clear explanations. While studying the transaction trace, you can directly compare it side by side with the victim contract’s source code. You quickly see why it was exploitable and where the bug is.
Big thanks to @d23e_AG and @clara_oracle for covering the costs. Really generous support.
We will gradually complete the entire dataset and fully open source it to the community. I will also document how to use it properly. The goal is to build another industry benchmark after the already excellent @DeFiHackLabs dataset.
Open to collaboration of course. Ping us if you are interested. DM open.
🚨 DeFi exploits have already caused over $15.75B in losses, yet incident response remains slow and fragmented.
Traditional postmortem analysis faces several major challenges:
1️⃣ Postmortem Lag
Current workflows are heavily manual and evidence-limited, often taking days. This delay leads to incorrect root-cause conclusions and prevents timely defenses.
2️⃣ Fragmented Data and Uneven Coverage
The DeFi ecosystem lacks a comprehensive dataset for scientific evaluation. Incident coverage is uneven, and Proof-of-Concept (PoC) outputs vary greatly in quality.
3️⃣ Incorrect Initial Analyses
Early community reports frequently point to the wrong root cause, misleading defenders and slowing down effective mitigation.
Thanks to @DefimonAlerts — quoting the original post.
TL;DR: On Ethereum, the LiteV3 Bridge Aggregator proxy 0x3f568a…b766 was upgraded, but not initialized atomically. In the gap, an adversary initialized + upgraded it, taking control of the UUPS proxy.
Smart contract security starts beneath the surface, where most can't see.
The EVM Decompiler lets auditors unlock Ethereum bytecode and catch hidden risks fast.
Deep code, real visibility.
Everyone's still chasing perfect code and clean audits.
While hidden attack vectors are quietly breaking "secure" systems.
To truly protect, focus on what auditors actually find.
The next exploit won't come from obvious bugs. It'll come from complexity no one saw coming.
1/ Then I map attack vectors against those assumptions.
The framework is simple: trust boundaries, state transitions, economic incentives.
Most critical issues hide where these three intersect.
Finding vulnerabilities isn't about running tools and hoping.
It's pattern recognition layered with threat modeling.
I start surface-level: what's the contract trying to do, where's the money flow, what assumptions does the code make.
Everyone's chasing whales and quick wins.
Meanwhile AI is quietly rebuilding the infrastructure underneath.
The real transformation isn't the obvious plays.
It's the processes no one's watching yet.
The progression isn't sexy.
Most top auditors spent months finding nothing, years grinding through false positives and missed vulnerabilities.
The industry sells overnight mastery, but real expertise in smart contract security is built on consistency, not brilliance.
Security tools scan for what's there in code.
But the real vulnerabilities? They're in what's missing: unchecked inputs, absent constraints, ignored edge cases.
AI-enhanced auditing must detect absence, not just pattern-match presence.
2/ They build comprehension, then flip to adversarial thinking with that foundation locked in.
That's how you find real vulnerabilities, not theoretical ones.
Security work runs on two modes.
Understanding mode: you map the system, trace the logic, learn how it breathes.
Breaking mode: you think like an adversary, hunt the edge cases, exploit what you now understand.
The trap is staying too long in either.
1/ Understand too long and you miss vulnerabilities hiding in plain sight.
Break too early and you're guessing, not hunting.
The best auditors and the best AI security tools switch between these modes systematically.