https://twitter.com/evilcos/status/1654710328960364544
Besides being centralized, every operation is O(n).
Two additional points:
1. Only one token can exist for any given four-character combination; while this prevents counterfeit tokens, once someone registers a name first, nobody else can use it.
2. Transfers work by generating a transfer-inscription NFT and then sending it to the recipient; only the NFT's first transfer changes the balance state. If you pay for an NFT that has already been used, you've been scammed.
BRC-20 has a kind of brute-force aesthetic to it.
A pile of sheets of paper (in JSON format); each sheet's content basically defines a 4-character token name, plus a quantity, plus the most basic actions like mint/transfer, and that's it. The bookkeeping is left to centralized parties (e.g. the UniSat marketplace), because BRC-20 does not do the accounting itself; BRC-20 is just a stack of these crude sheets of paper.
https://twitter.com/0xngmi/status/1660043447913381888
The attacker's method isn't actually what he describes. The attacker directly created 0xAF54; 0xAF54 used create2 to deploy 0x7DC8; 0x7DC8 used create to deploy the proposal contract 0xC503. The last step uses create, which only depends on the caller and nonce, so after 0x7DC8 self-destructs and is redeployed its nonce resets, and the 0xC503 address that gets created is the same while its contents differ.
tldr of tornado governance hack:
1. hacker makes a proposal that executes code from a contract
2. users vote for the proposal since contract code looks good, proposal passes
3. hacker self-destructs contract and deploys malicious one in same address
4. 2nd…
https://twitter.com/dWalletLabs/status/1663492997005074433
Useful for project teams, not much use to us. You would need at least one of the multisig's private keys to exploit it, which isn't achievable in practice.
Same as TetherToken's isTrusted earlier: Tether never added any addresses at all.
0d, our superstar cybersecurity research team, discovered a vulnerability in TRON multisig accounts putting over $500M of digital assets at risk - it was disclosed and fixed so there are no user assets at risk now.
A technical breakdown:
https://t.co/nMj6kV6Oc3
https://polygonscan.com/address/0x000000005bccee35410752d9bb942e8d3fd28e85
This guy copied it pretty fast.
HashflowRouter (on ETH, BSC, ARB, POL, AVA) does not check whether the caller is authorized.
By comparison, the router on OPT (0xFb1b9A97f1836173390D8bdEaF9004727311A8e1) does check.
Decompiling TRON bytecode with Dedaub:
First make sure what you have is the runtime bytecode, and check that it contains no CODECOPY.
Search from the start for the hex sequences 50 D3 and 50 D2 and change both to 50 34; after the replacement it is valid EVM bytecode that can be decompiled directly.
https://twitter.com/AnciliaInc/status/1681902951168884736
_airdrop exploit; the addresses he marked (not yet) cannot be attacked.
The shitcoins TADPOLE, GELDPEPE and LadyPepe on ETH were attacked about an hour ago, netting 4 ETH.
Forwarded from bupt.moe
#security
Libbitcoin Explorer used a PRNG rather than a CSPRNG as its initial source of randomness, so the generated private keys are weak enough that an attacker could guess them.
The Libbitcoin Explorer developers deny that this is a bug.
Editor's comment: the developers' behaviour is strange. According to the disclosure, in v2.3.0 (2017) it still used std::random_device + std::uniform_int_distribution as the random source (also insecure), and from v3.0.0 on this was changed to get_clock_speed() + std::mt19937. I believe this deliberate change was intended to weaken the security of the random number generator.
https://milksad.info/disclosure.html
Exactly Protocol Exploiter 1: 0x3747DbBCb5C07786a4c59883E473A2e38F571af9
exploiter 2: 0xE4f34a72d7c18b6f666d6cA53fBC3790bc9da042
exploiter 3 (most of the interactions were sent from 3): 0x417179df13bA3ed138B0A58eaA0C3813430a20e0
contract: https://optimistic.etherscan.io/address/0x6dd61c69415c8ecab3fefd80d079435ead1a5b4d
Loaded it up, but there are too many operations for me to make sense of.
恶俗·茶话会 / 万象更新
https://vxtwitter.com/anciliainc/status/1647374021745606656 [AI Smart Contract Auditor]'s contract rekt
https://x.com/AnciliaInc/status/1701355439504720228
https://etherscan.io/tx/0x00b375f8e90fc54c1345b33c686977ebec26877e2c8cac165429927a6c9bdbec
Ancilia, Inc. on X
.@0x0Audits You probably want to take a look at a tx ending with 65429927a6c9bdbec, Contact us for details.
https://x.com/AnciliaInc/status/1709352941541630049
Attack contract:
0x0bb02653ca1c3c4915cae217aa02c16e68ae381a
Victim: 0x6705d8196D06DA351371b6E0692fC18504ed4864 (bridge)
Ancilia, Inc. (@AnciliaInc) on X
#ancilia_alert : Our early warning system detected re-entry attack attempts and then a successful attack on a bridge contract on BSC, in which the attacker gained over $400,000.
Here is the salted-hash tx, we will share more info when we can find the…
恶俗·茶话会 / 万象更新
https://x.com/AnciliaInc/status/1709352941541630049 Attack contract: 0x0bb02653ca1c3c4915cae217aa02c16e68ae381a Victim: 0x6705d8196D06DA351371b6E0692fC18504ed4864 (bridge)
There is a reentrancy in out: the signature for each uuid can be used to withdraw multiple times.
The bridge is deployed on ETH, BSC, POL, ARB, OP, AVA, CRO, FTM and BASE; only BSC was hit, and the assets on the other chains have already been moved.
LTCW, a token created on BSC just two days ago (0xe96a1c406bb7094f93b47a525cba2e957d2d8b82), blew up with a loss of 100k USDT.
txn: https://bscscan.com/tx/0x3f374107c769e924177461700a9eca2cd25f1180b83b203bffa7635bd3be153d
The cause: the rebase function can be called to burn a fixed 130 tokens from the pool, while the total supply is only a little over 18,000 tokens.
reported by @mload in blocksec chat
https://twitter.com/Phalcon_xyz/status/1732581441278824773
No more keeping it secret; publishing the ThirdWeb exploit directly.
Forwarder.execute -> TargetContract.multicall -> TargetContract.PriviledgedFunction
Root cause: multicall delegatecalls into itself, which preserves msg.sender as the Forwarder, so appending a bytes20 address to the end of the calldata lets one forge an arbitrary _msgSender.
BlockSec Phalcon (@Phalcon_xyz) on X
Our system detected some price manipulation attacks that abuse the public burn issue. The loss is ~$200K.
Attack TXs:
1. https://t.co/bKRO2WjmbC
2. https://t.co/34GqOD9d6N
https://x.com/peckshield/status/1745907642118123774
A lot of precision issues lately.
https://etherscan.io/tx/0x04e16a79ff928db2fa88619cdd045cdfc7979a61d836c9c9e585b3d6f6d8bc31
PeckShield Inc. (@peckshield) on X
The @Wise_Lending market was exploited today, resulting in ~177 ETH loss (~$464K).
Our initial analysis shows the share accounting logic is flawed with a precision issue to drain the market funds.
Here is the related hack tx: https://t.co/aadbYIjX9o