Creamed Cream – Learn the Secret Recipe (Cream Hack Analysis)

Cream Finance was hacked again on 27th October 2021. Likely for the final time. The attacker stole $130m+ worth of assets from Cream’s lending protocol. The attack was executed over multiple transactions due to block gas limits, but the bulk of it happened in this transaction. This was one of the most sophisticated and cleanly …


Live Stream #1 – Auditing Smart Contracts

I will do live security reviews of Ethereum smart contracts and share my approach to auditing on a stream. The live stream is scheduled to start at 3.30 PM GMT on Sunday (22/08/2021). Link: https://www.youtube.com/watch?v=LLiJK_VeAvQ Notes: Here are some brief notes that I’ll use as talking points on the stream. A detailed blog post will …


A peek inside the MISO war room – $350m incident response story

The Bug: The DutchAuction smart contract inherits the BoringBatchable utility contract that allows callers to batch different calls together. There is a commitEth function in the auction contract that uses msg.value to know the amount of ETH committed by the user. If the user commits more ETH than the contract’s capacity, the contract refunds the …


Poly Network Hack Analysis – Largest Crypto Hack

On 10th August 2021, Poly Network suffered from a hack that caused a loss of over 600 million dollars. The hack happened across multiple blockchains including Ethereum, Binance Smart Chain, and Polygon. This is the largest crypto hack yet. Poly Network is a Blockchain interoperability project that allows people to send transactions across blockchains. One …


Cover protocol hack analysis: Infinite Cover tokens minted via an exploit

A bug was exploited in the Cover protocol’s liquidity mining/farming contract called Blacksmith. Multiple hackers used the bug to mint practically infinite tokens. The biggest hacker burned most of the hacked tokens and returned 4350 ether but there still are around 70 thousand Cover tokens in circulation that were created using this exploit and shouldn’t exist. The original hacker has cashed out about 1400 ether, 1 million DAI, 3k LINK, and 90 WBTC, about $4.4 million in total already.

Substrate Deep Dive: Imbalances

This article kicks off a series of technical Substrate articles that I have planned. I will be discussing various specifics of Substrate in these articles that will help developers building on top of Substrate understand Substrate better. The topic for this post is Substrate’s Imbalances. Background: The balances module of Substrate’s FRAME runtime maintains a …


Free blockchain storage – Tale of a bug in Substrate’s FRAME runtime

This is the story of a simple bug in the FRAME runtime of Parity’s Substrate blockchain framework. The bug allowed attackers to do infinitely large transactions without paying any extra fees. The vulnerability was the result of a buggy implementation of fee calculation in the FRAME runtime of Substrate. By exploiting this vulnerability, an attacker …
