Ok, Sorry for the bad headline. Back to the topic now… Wintermute was hacked for ~160m a few hours ago. I took a quick look and my best guess is that it was a hot wallet compromise due to the Profanity bug that was publicly disclosed a few days ago by 1inch team. The attack …
Cream Finance was hacked again on 27th October 2021. Likely for the final time. The attacker stole $130m+ worth of assets from Cream’s lending protocol. The attack was executed over multiple transactions due to block gas limits, but the bulk of it happened in this transaction. This was one of the most sophisticated and cleanly …
Creamed Cream – Learn the Secret Recipe (Cream Hack Analysis) Read More »
I will do live security reviews of Ethereum smart contracts and share my approach to auditing on a stream. The live stream is scheduled to start at 3.30 PM GMT on Sunday (22/08/2021). Link: https://www.youtube.com/watch?v=LLiJK_VeAvQ Notes Here are some brief notes that I’ll use as talking points on the stream. A detailed blog post will …
The Bug The DutchAuction smart contract inherits the BoringBatchable utility contract that allows callers to batch different calls together. There is a commitEth function in the auction contract that uses msg.value to know the amount of ETH commited by the user. If the user commits more ETH than the contract’s capacity, the contract refunds the …
A peek inside the MISO war room – $350m incident response story Read More »
On 10th August 2021, Poly Network suffered from a hack that caused a loss of over 600 million dollars. The hack happened across multiple blockchains including Ethereum, Binance Smart Chain, and Polygon. This is the largest crypto hack yet. Poly Network is a Blockchain interoperability project that allows people to send transactions across blockchains. One …
Poly Network Hack Analysis – Largest Crypto Hack Read More »
A bug was exploited in the Cover protocol’s liquidity mining/farming contract called Blacksmith. Multiple hackers used the bug to mint practically infinite tokens. The biggest hacker burned most of the hacked tokens and returned 4350 ether but there still are around 70 thousand Cover tokens in circulation that were created using this exploit and shouldn’t exist. The original hacker has cashed out about 1400 ether, 1 million DAI, 3k LINK, and 90 WBTC, about $4.4 million in total already.
This blog post will guide you through the process of forking a substrate blockchain like Polkadot. Substrate does not offer any forking capabilities out of the box but we can still create a “fork” relatively easily. I created a small script to make the process much easier, you can find the script here. How does …
This article kicks off a series of technical Substrate articles that I have planned. I will be discussing various specifics of Substrate in these articles that will help developers building on top of Substrate understand Substrate better. The topic for this post is Substrate’s Imbalances. Background The balances module of Substrate’s FRAME runtime maintains a …
This is the story of a simple bug in the FRAME runtime of Parity’s Substrate blockchain framework. The bug allowed attackers to do infinitely large transactions without paying any extra fees. The vulnerability was the result of a buggy implementation of fee calculation in the FRAME runtime of Substrate. By exploiting this vulnerability, an attacker …
Free blockchain storage – Tale of a bug in Substrate’s FRAME runtime Read More »
Rust is a programming language that is geared towards speed and safety. Rust has gained a lot of adoption in the past few years and developers are loving it. Although there are numerous other systems programming languages, Rust is one of the very few alternatives to C/C++ that can hold its own when it comes …