During @MIM_Spell's active MIM depeg, our security posture monitor at @ThemisLabs flagged a fresh address (0x5C3923…) being added as a signer to a controlling multisig.
From 3/5 to 3/6, the threshold held at 3, so the signing ratio eased from 60% to 50%. The address has no prior transaction history and owns no other Safe. It was added through the existing signer quorum.
It could be an emergency-response signer the team spun up, yet it is still worth watching.
A new key gained control-plane authority during an active incident, which is the exact moment authority changes deserve attention.
tx: https://t.co/5UOzeD0IYz
Humanity Protocol's compromised proxy changed implementation again today.
Themis Scan flagged it within seconds. Initially, I thought it was an attack.
The proxy's upgrade history is three events. The original implementation, live for a year. The malicious one installed during the June 9 hack. And today, the protocol restoring the original.
Today's change reverted to the year-old verified launch code, undoing the attacker's upgrade.
We are building Themis Scan to catch the changes that matter: upgrades, authority transfers, threshold changes, before they become security incidents.
Hold tight, more is coming
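The two posts above describe the same kind of signal: a control-plane change (a new signer on a Safe, a threshold change, a proxy implementation swap) that a monitor should turn into a finding. The block below is an added example written for this page, not Themis Scan's code. It replays a constructed stream of already-decoded events (Safe `AddedOwner`/`RemovedOwner`/`ChangedThreshold` and EIP-1967 `Upgraded`) through a small state machine; the addresses, the event-dict shape and the `TX_COUNT` address-history lookup are all assumptions made up for the example, and a Safe and a proxy are tracked in one state object only for brevity.

```python
"""Control-plane change monitor over decoded on-chain events.

Constructed example: tracks Safe owner and threshold changes plus EIP-1967
Upgraded events and turns each into a finding. Addresses, event dicts and
the tx-count lookup are made up for this example.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed stand-in for an address-history lookup such as
# eth_getTransactionCount; 0 means the address has never sent a transaction.
TX_COUNT = {"0xA1": 120, "0xA2": 80, "0xA3": 45, "0xA4": 30, "0xA5": 12, "0x5C39": 0}


@dataclass
class Finding:
    severity: str  # INFO, MEDIUM or HIGH
    kind: str
    detail: str


@dataclass
class ControlPlaneState:
    owners: List[str]
    threshold: int
    implementation: Optional[str] = None
    baseline_impls: Set[str] = field(default_factory=set)

    def signing_ratio(self) -> float:
        return self.threshold / len(self.owners)


def handle_event(state: ControlPlaneState, ev: dict) -> List[Finding]:
    """Apply one decoded event to the state and return the findings it raises."""
    findings: List[Finding] = []
    name = ev["event"]

    if name == "AddedOwner":
        owner = ev["owner"]
        before = state.signing_ratio()
        state.owners.append(owner)
        after = state.signing_ratio()
        history = TX_COUNT.get(owner, 0)
        # A signer with no prior history is the case that deserves an immediate look.
        sev = "HIGH" if history == 0 else "MEDIUM"
        findings.append(Finding(sev, "signer_added",
                                f"{owner} (tx history={history}); now {state.threshold}/{len(state.owners)}"))
        if after < before:
            findings.append(Finding("MEDIUM", "signing_ratio_eased", f"{before:.0%} -> {after:.0%}"))

    elif name == "RemovedOwner":
        state.owners.remove(ev["owner"])
        findings.append(Finding("MEDIUM", "signer_removed",
                                f"{ev['owner']}; now {state.threshold}/{len(state.owners)}"))

    elif name == "ChangedThreshold":
        old, state.threshold = state.threshold, ev["threshold"]
        sev = "HIGH" if state.threshold < old else "INFO"
        findings.append(Finding(sev, "threshold_changed", f"{old} -> {state.threshold}"))

    elif name == "Upgraded":
        impl = ev["implementation"]
        if state.implementation is None:
            # The first implementation observed is taken as the verified launch code.
            state.baseline_impls.add(impl)
            findings.append(Finding("INFO", "baseline_implementation", impl))
        elif impl in state.baseline_impls:
            findings.append(Finding("INFO", "implementation_reverted",
                                    f"{state.implementation} -> {impl} (known baseline)"))
        else:
            # Unknown code behind a live proxy; never promote it to baseline automatically.
            findings.append(Finding("HIGH", "implementation_changed",
                                    f"{state.implementation} -> {impl} (never seen before)"))
        state.implementation = impl

    return findings


def run_monitor(events: List[dict], state: ControlPlaneState) -> List[Finding]:
    out: List[Finding] = []
    for ev in events:
        out.extend(handle_event(state, ev))
    return out


def demo_findings() -> List[Finding]:
    """Replay a constructed event stream mirroring the two cases in the posts."""
    state = ControlPlaneState(owners=["0xA1", "0xA2", "0xA3", "0xA4", "0xA5"], threshold=3)
    events = [
        {"event": "Upgraded", "implementation": "0xIMPL_ORIGINAL"},      # launch code
        {"event": "AddedOwner", "owner": "0x5C39"},                       # fresh key joins a 3/5 Safe
        {"event": "Upgraded", "implementation": "0xIMPL_OTHER"},         # unknown code installed
        {"event": "Upgraded", "implementation": "0xIMPL_ORIGINAL"},      # restored to launch code
    ]
    return run_monitor(events, state)


if __name__ == "__main__":
    for f in demo_findings():
        print(f"[{f.severity}] {f.kind}: {f.detail}")
```

The design point is the asymmetry in the `Upgraded` branch: a swap back to a previously observed baseline is informational, while any never-seen implementation is high severity and is deliberately not added to the baseline set, so a second install of the same unknown code still alerts.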
Themis is now a verified security vendor on @HackenProof Marketplace!
This means projects looking for smart contract audits and DeFi governance security can find us directly through one of Web3's most trusted platforms 🤝
🔗 Learn more: https://t.co/COq9igEv4x
Themis Scan gave Aztec Connect a control-plane score of 100. However, the protocol was drained for roughly 2.1 million dollars on June 14. Does that mean Themis got it wrong?
Spoiler alert: No. The score was right. Funds left through the proving layer, which on-chain analysis alone cannot see into.
Let's take a dive into the onchain analysis.
The contract had been immutable since the 2024 sunset. No upgrade key, authority renounced. This is confirmed on-chain.
We then traced how a contract with no live operator lost everything:
The attacker made 14 processRollup calls. Each carried a SNARK proof. The contract's original, never-modified verifier checked all 14 and returned valid, with the real precompiles running. No upgrade, no setVerifier, no admin call, no approval drain. Around 909 ETH and six tokens left through the rollup's own withdrawal path, gated by nothing but a valid proof. The contract did exactly what it was built to do, for the attacker.
The problem most likely sits in the proving system. Our onchain trace cannot prove why the proofs were forgeable. It needs the off-chain circuit and proving key analysis. Those are not public.
We are investigating a potential exploit affecting Aztec Connect. ~$2.1m was transferred from the immutable smart contract in transaction:
https://t.co/BVNdWd5K6E
Aztec Connect was deprecated 3 years ago. Aztec Labs holds no admin keys or control over the system; it cannot be paused or upgraded by us.
We will share further updates in due course.
@VietnamNewsVNS the risk of pirated software is that it most likely contains different kinds of malware/backdoors. Better to use licensed or open-source software :)
We are building a public index so users know how risky a protocol is before they interact with it.
91 are indexed, and any protocol you scan (free) will be indexed too.
https://t.co/Ff7uyst5BF
Raydium lost $1.34m yesterday to a program it "retired" in 2021.
"No current users affected" only helps comfort users.
The money was still there, and the contract was still live. The only thing that changed in 2021 was that Raydium stopped looking at it.
In short, the legacy AMM V3 pools never verified the LP mint. So the attacker minted their own LP token, presented it as the real one, and withdrew against a supply they controlled. It's like going to a bank to exchange money. The only catch is the money you bring is fake.
This is the same bug we found when we audited the Saros DLMM reward program in 2025. We caught this class in an audit. Raydium found it in production, years later.
Link to our previous DLMM reward report (first bug, 5.1):
https://t.co/PoMSV03k9N
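The bug class in the Raydium post, an LP withdrawal that never checks which mint the caller presented, is easiest to see as a vulnerable path next to its hardened form. The block below is an added, plain-Python model written for this page; it is not Raydium's or Saros's program code and uses no Solana SDK. The account types, numbers and names (`LP_REAL`, `LP_FAKE`, the reserve sizes) are constructed for the example.

```python
"""Model of an AMM withdraw path with and without LP-mint verification.

Constructed example (no Solana SDK): account shapes, names and numbers are
illustrative and are not any real program's code.
"""
from dataclasses import dataclass
from typing import Tuple, Union


@dataclass
class Mint:
    address: str
    supply: int
    authority: str


@dataclass
class TokenAccount:
    mint: str
    owner: str
    amount: int


@dataclass
class Pool:
    lp_mint: str      # the LP mint the pool was created with
    reserve_a: int
    reserve_b: int


class WithdrawError(Exception):
    pass


def _settle(pool: Pool, lp_mint: Mint, lp_account: TokenAccount, lp_amount: int) -> Tuple[int, int]:
    """Burn LP and pay out a pro-rata share of reserves, using the supply of
    whatever mint account was passed in."""
    if lp_account.mint != lp_mint.address or lp_account.amount < lp_amount:
        raise WithdrawError("insufficient LP balance")
    share_a = pool.reserve_a * lp_amount // lp_mint.supply
    share_b = pool.reserve_b * lp_amount // lp_mint.supply
    lp_account.amount -= lp_amount
    lp_mint.supply -= lp_amount
    pool.reserve_a -= share_a
    pool.reserve_b -= share_b
    return share_a, share_b


def withdraw_vulnerable(pool: Pool, lp_mint: Mint, lp_account: TokenAccount, lp_amount: int) -> Tuple[int, int]:
    """Vulnerable: trusts the caller-supplied mint, so the caller chooses the
    denominator of the share calculation."""
    return _settle(pool, lp_mint, lp_account, lp_amount)


def withdraw_hardened(pool: Pool, lp_mint: Mint, lp_account: TokenAccount, lp_amount: int) -> Tuple[int, int]:
    """Hardened: the presented mint must be the pool's own LP mint."""
    if lp_mint.address != pool.lp_mint:
        raise WithdrawError("lp_mint does not match pool.lp_mint")
    return _settle(pool, lp_mint, lp_account, lp_amount)


def _fresh_pool() -> Pool:
    return Pool(lp_mint="LP_REAL", reserve_a=1_000_000, reserve_b=1_000_000)


def foreign_mint_withdraw(hardened: bool) -> Union[Tuple[int, int], str]:
    """A caller presents a mint they control (supply 100) instead of the pool's mint."""
    pool = _fresh_pool()
    fake_mint = Mint("LP_FAKE", supply=100, authority="CALLER")
    fake_account = TokenAccount(mint="LP_FAKE", owner="CALLER", amount=100)
    fn = withdraw_hardened if hardened else withdraw_vulnerable
    try:
        return fn(pool, fake_mint, fake_account, 100)
    except WithdrawError as e:
        return str(e)


def honest_withdraw() -> Tuple[int, int]:
    """A real LP holder redeems 1% of the genuine supply through the hardened path."""
    pool = _fresh_pool()
    real_mint = Mint("LP_REAL", supply=1_000_000, authority="POOL")
    account = TokenAccount(mint="LP_REAL", owner="LP_HOLDER", amount=10_000)
    return withdraw_hardened(pool, real_mint, account, 10_000)


if __name__ == "__main__":
    print("vulnerable, foreign mint:", foreign_mint_withdraw(hardened=False))
    print("hardened, foreign mint:  ", foreign_mint_withdraw(hardened=True))
    print("hardened, real LP:       ", honest_withdraw())
```

The check is a single equality against state the pool itself stores; everything else in the withdraw path can be correct and the pool still pays out against a supply the caller picked. In an audit this is the item to look for on every instruction that takes a mint or token account as input: is the account's identity constrained to the one recorded at pool creation, or merely assumed.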
@Steven_Research @Humanityprot We did an on-chain analysis and the results are:
- upgradeable proxy
- proxy admin controlled by an EOA
- no timelock
- upgrade path outside governance
- one upgrade executed by 0x6Aa2...53bB
https://t.co/0InIrYZkyW
@saddikubaba it's too simple to say a laptop got hacked. Imagine that happens in tradfi: a bank says "oh! one of our laptops, which holds the admin creds, got hacked". Life is too good to be able to claim that without consequences.
Yesterday (June 9), we found another example of governance risk, the "elephant in the room".
The $TOP governance had direct mint authority, no timelock, and a token supply small enough for an attacker to take control.
@ethanyish Here is what we found onchain:
- Single EOA controls the entire protocol (no timelock detected)
- It's an upgradeable proxy, and the upgrade path is outside governance
- One upgrade executed by 0x6Aa2...53bB
https://t.co/0InIrYZkyW