New blog post: an attack that could allow a vault operator to drain funds by manipulating liquidity w/ user funds and ping pong-ing the price up and down.
https://t.co/KG8TEhDSMx
@lonelysloth_sec to run models at home? your best bet is 2x 5090 at this price range I think, but you're just below the b200 price. then a good enough storage for the 1T+ models. keep in mind parameters are up only, sooner or later you'll have to run 5T+, maybe 10T+
@teortaxesTex a bit unrelated but there were rumors circulating months ago that mythos was a 10T model, seeing how it does vs 4.8 do you think they're legitimate
🚨SlowMist TI Alert🚨
💸 Loss: 14.411518807585587 ETH
🔍 Root Cause: Storage slot collision between `ATOHook.rewards` mapping slot and Solady `ReentrancyGuard` fixed slot (`0x02215292eb9609279094554c6e223f800950648ddfa3da30329838d6c170928d`). The `nonReentrant` modifier in `getReward()` writes sentinel value `0xffffffffffffff` to the guard slot, which is simultaneously read as `rewards[attackContract]` due to the collision. This inflated reward is paid as ETH each call, allowing 200 repeated claims.
📌 Attacker (EOA): 0x2d2aafc193c24e59bd16139056ac9b4df4d37ad0
📌 Victim Contract: 0xa10de71ddb4e0d51938ef6e0118822e157a62888
📌 Attack Contract: 0x2441e480f62bf609a08da09143e4baf8a817d757
Storage collision between reward accounting and reentrancy guard enables unlimited reward drainage.
https://t.co/vzW3aa8pnH
we have several examples of hackers sitting on top of coins that can be frozen, sending coins to the wrong address, taking huge slippage losses and so on
Are you kidding me? A security researcher found an exploit in ZCash (a 10B$ protocol) using Claude Opus 4.8. An exploit where anyone could create infinite supply and sell to market. A bug that was there since 2022.
The worst part is there is no way to find out if someone didn't exploit the protocol in all these years.
🚨Confirmation of a massive potential ZEC exploit
TLDR:
- ZCASH hired a security researcher to try to find exploit vectors
- The researcher (Taylor Hornby) found one that would let him create unlimited counterfeit ZEC in a shielded pool
- The exploit is now fixed as of June 1
- There is no way to know if the pool was exploited BUT the team feels that it is unlikely
- They're proposing a network upgrade with new accounting that would prove whether any counterfeit ZEC was created or not
Market clearly spooked with ZEC down 25%
LATEST: More than half of all $BTC in circulation is now held at an unrealized loss, a signal that has coincided with every major bear market bottom in history.