恶俗·茶话会 / 万象更新
https://twitter.com/evilcos/status/1654710328960364544

除了中心化、所有操作都是O(n)
补充两个点:
1.同一种四个字符的组合只能存在一个币,虽然防止假币,但只要有人抢先注册后来就用不了
2.转账是通过生成transfer信息NFT再转给接收者实现的,NFT只有第一次转移会改变余额状态。如果你花钱买到了用过的NFT,就被骗了
Twitter
BRC-20 有一种暴力美学在里面。

一张张纸(JSON 格式),纸的内容大概就定义了 4 个字符的 token 名字,加上数量,加上 mint/transfer 等最基本动作,没了。至于算账的问题交给了中心化机构去做(比如 UniSat 市场),因为 BRC-20 自己不算账,BRC-20 就是一张张这么粗暴的纸而已。
1.2K views
恶俗·茶话会 / 万象更新
https://twitter.com/0xngmi/status/1660043447913381888
攻击者的手法倒不是他解释的那样。攻击者直接创建0xAF54,0xAF54 create2 0x7DC8,0x7DC8 create提案0xC503,最后一步用的是create只在乎caller和nonce,0x7DC8自毁重建nonce重置,所以创建出来的0xC503地址一样,内容不同
Twitter
tldr of tornado governance hack:
1. hacker makes a proposal that executes code from a contract
2. users vote for the proposal since contract code looks good, proposal passes
3. hacker self-destructs contract and deploys malicious one in same address
4. 2nd…
1.1K viewsedited  
恶俗·茶话会 / 万象更新
https://twitter.com/peckshield/status/1662650673731624961

麻吉带哥1000e喜提归零
X (formerly Twitter)
PeckShield Inc. (@peckshield) on X
It appears today's @jimbosprotocol hack leads to the 4090 ETH loss (w/ ~$7.5M).

This hack is due to the lack of slippage control of liquidity-shifting operation -- such that the protocol-owned liquidity is invested into a skewed/imbalanced price range…
1.1K views
恶俗·茶话会 / 万象更新
https://twitter.com/dWalletLabs/status/1663492997005074433

对项目方有用,对我们来说妹什么用。至少有一个多签名的私钥才能利用,现实情况是做不到的

之前TetherToken的isTrusted也是,Tether根本没添加任何地址
Twitter
0d, our superstar cybersecurity research team, discovered a vulnerability in TRON multisig accounts putting over $500M of digital assets at risk - it was disclosed and fixed so there are no user assets at risk now.

A technical breakdown:
https://t.co/nMj6kV6Oc3
1.1K views
恶俗·茶话会 / 万象更新
要用env文件,避免敏感信息出现在代码、历史记录、网站访问日志中

https://twitter.com/greysign1/status/1664109947758743552
Twitter
我第一时间联系了 @0xVeryBigOrange 和其他在交易所的好朋友,没有成功找到项目方,同时我在unsheth的discord里向开发者请求好友,很幸运在40分钟后,wagmi上线并取得联系。
1.4K views
恶俗·茶话会 / 万象更新
https://polygonscan.com/address/0x000000005bccee35410752d9bb942e8d3fd28e85
这家伙复制得挺快啊

HashflowRouter(在ETH、BSC、ARB、POL、AVA)未检查caller是否是authorized
对比OPT上的router (0xFb1b9A97f1836173390D8bdEaF9004727311A8e1)检查了
Polygon (MATIC) Blockchain Explorer
Contract Address 0x000000005bccee35410752d9bb942e8d3fd28e85 | PolygonScan
The Contract Address 0x000000005bccee35410752d9bb942e8d3fd28e85 page allows users to view the source code, transactions, balances, and analytics for the contract address. Users can also interact and make transactions to the contract directly on PolygonScan.
1.2K viewsedited  
恶俗·茶话会 / 万象更新
恶俗·茶话会 / 万象更新
https://mirror.xyz/x-explore.eth/SuFUrWjJTcUnWZGm6cge8F7ilRuUD5PKcyuJToJProU
https://twitter.com/0xblanker/status/1677784395137323008

开偷了,铸造gas token换钱
Twitter
@MultichainOrg @RevokeCash @Rabby_io BSC上出现了一个攻击者,部署了一个假的ERC-20代币(合约地址:https://t.co/QKaZWIDL9m),修改了`approve()`方法,并手动给大批链上地址伪造授权,让Revoke Cash和Rabby提醒用户取消授权。
1.0K viewsedited  
恶俗·茶话会 / 万象更新
Dedaub反编译波场:
首先确保你拿到的是runtime bytecode,看里面没有CODECOPY
从开头搜索十六进制50 D3和50 D2,都改成50 34,替换之后就是合法的EVM bytecode可以直接反编译
1.1K views
恶俗·茶话会 / 万象更新
https://twitter.com/AnciliaInc/status/1681902951168884736

_airdrop exploit,他标出(not yet)的地址攻击不了
ETH上的TADPOLE和GELDPEPE、LadyPepe垃圾币大概1小时前被攻击,获利4个ETH
977 viewsedited  
恶俗·茶话会 / 万象更新
恶俗·茶话会 / 万象更新
https://twitter.com/AnciliaInc/status/1681902951168884736 _airdrop exploit,他标出(not yet)的地址攻击不了 ETH上的TADPOLE和GELDPEPE、LadyPepe垃圾币大概1小时前被攻击,获利4个ETH
airdrop.t.sol
2.4 KB
1.1K views
恶俗·茶话会 / 万象更新
Forwarded from bupt.moe
#security
Libbitcoin Explorer 使用了 PRNG 而非 CSPRNG 作为随机数初始源,导致私钥强度不够可能被攻击者猜出。
Libbitcoin Explorer 开发者否认这是一个bug。

编者评:开发者行为很奇怪,据披露文件说在 v2.3.0 (2017年) 的时候还是使用的 std::random_device + std::uniform_int_distribution 来作为随机数源的(也不安全), v3.0.0 之后就改成 get_clock_speed() + std::mt19937 作为随机数源了。这个刻意的修改我认为应该是故意削弱随机数发生器的安全性。

https://milksad.info/disclosure.html
897 views
恶俗·茶话会 / 万象更新
恶俗·茶话会 / 万象更新
#security Libbitcoin Explorer 使用了 PRNG 而非 CSPRNG 作为随机数初始源,导致私钥强度不够可能被攻击者猜出。 Libbitcoin Explorer 开发者否认这是一个bug。 编者评:开发者行为很奇怪,据披露文件说在 v2.3.0 (2017年) 的时候还是使用的 std::random_device + std::uniform_int_distribution 来作为随机数源的(也不安全), v3.0.0 之后就改成 get_clock_speed() +…
注:trUST wallet旧版
1.1K views
恶俗·茶话会 / 万象更新
Exactly Protocol Exploiter 1: 0x3747DbBCb5C07786a4c59883E473A2e38F571af9
exploiter 2: 0xE4f34a72d7c18b6f666d6cA53fBC3790bc9da042
exploiter 3 大部分交互都是3发出的 0x417179df13bA3ed138B0A58eaA0C3813430a20e0
contract: https://optimistic.etherscan.io/address/0x6dd61c69415c8ecab3fefd80d079435ead1a5b4d
给他装到了,操作太多我看不懂呀
Optimism Network Explorer
Contract Address 0x6dd61c69415c8ecab3fefd80d079435ead1a5b4d | Optimistic Etherscan
The Contract Address 0x6dd61c69415c8ecab3fefd80d079435ead1a5b4d page allows users to view the source code, transactions, balances, and analytics for the contract address. Users can also interact and make transactions to the contract directly on Optimistic…
1.1K views
恶俗·茶话会 / 万象更新
恶俗·茶话会 / 万象更新
https://vxtwitter.com/anciliainc/status/1647374021745606656 [AI Smart Contract Auditor]'s contract rekt
https://x.com/AnciliaInc/status/1701355439504720228

https://etherscan.io/tx/0x00b375f8e90fc54c1345b33c686977ebec26877e2c8cac165429927a6c9bdbec
X (formerly Twitter)
Ancilia, Inc. on X
.@0x0Audits You probably want to take a look at a tx ending with 65429927a6c9bdbec, Contact us for details.
914 views
恶俗·茶话会 / 万象更新
https://x.com/AnciliaInc/status/1709352941541630049

Attack contract:
0x0bb02653ca1c3c4915cae217aa02c16e68ae381a
Victim: 0x6705d8196D06DA351371b6E0692fC18504ed4864 (bridge)
X (formerly Twitter)
Ancilia, Inc. (@AnciliaInc) on X
#ancilia_alert : Our early warning system detected a re-entry attack attempts and then a successful attack on a bridge contract on BSC, in which the attacker gained over $400,000.

Here is the salted-hash tx, we will share more info when we can find the…
837 viewsedited  
恶俗·茶话会 / 万象更新
恶俗·茶话会 / 万象更新
https://x.com/AnciliaInc/status/1709352941541630049 Attack contract: 0x0bb02653ca1c3c4915cae217aa02c16e68ae381a Victim: 0x6705d8196D06DA351371b6E0692fC18504ed4864 (bridge)
out存在重入,每个uuid的签名可多次提款
该bridge同时存在于ETH BSC POL ARB OP AVA CRO FTM BASE网络,只有BSC被搞,其他链上资产已转移
949 viewsedited  
恶俗·茶话会 / 万象更新
BSC上刚创建两天的币LTCW (0xe96a1c406bb7094f93b47a525cba2e957d2d8b82)爆了,损失10万u
txn: https://bscscan.com/tx/0x3f374107c769e924177461700a9eca2cd25f1180b83b203bffa7635bd3be153d
原因是可以调用rebase函数固定销毁池子130个币,总共只有18000多个币
reported by @mload in blocksec chat
BNB Smart Chain Explorer
BNB Smart Chain Transaction Hash (Txhash) Details | BscScan
Binance (BNB) detailed transaction info for txhash 0x3f374107c769e924177461700a9eca2cd25f1180b83b203bffa7635bd3be153d. The transaction status, block confirmation, gas fee, Binance, and token transfer are shown.
1.1K viewsedited  
恶俗·茶话会 / 万象更新
老朋友鸭嘴兽platypus

https://twitter.com/BlockSecTeam/status/1712445197538468298
X (formerly Twitter)
BlockSec (@BlockSecTeam) on X
Due to the affected protocol being paused, here is a preliminary analysis of this @Platypusdefi incident:

1. It's a Flashloan attack, with a total loss of ~$2M. The Hacker manipulated 'cash' and 'liability' which affected the swap price.

2. The first attack…
1.2K views
恶俗·茶话会 / 万象更新
https://twitter.com/Phalcon_xyz/status/1732581441278824773

不保密了,直接公开 ThirdWeb exploit

Forwarder.execute -> TargetContract.multicall -> TargetContract.PriviledgedFunction

根本原因:multicall delegatecall自己保留msg.sender为Forwarder,在calldata结尾添加bytes20 address可伪造任意_msgSender
X (formerly Twitter)
BlockSec Phalcon (@Phalcon_xyz) on X
Our system detected some price manipulation attacks that abuse the public burn issue. The loss is ~$200K.

Attack TXs:
1. https://t.co/bKRO2WjmbC
2. https://t.co/34GqOD9d6N
1.1K viewsedited  
恶俗·茶话会 / 万象更新
https://x.com/peckshield/status/1745907642118123774

最近很多精度问题啊
https://etherscan.io/tx/0x04e16a79ff928db2fa88619cdd045cdfc7979a61d836c9c9e585b3d6f6d8bc31
X (formerly Twitter)
PeckShield Inc. (@peckshield) on X
The @Wise_Lending market was exploited today, resulting in ~177 ETH loss (~$464K).

Our initial analysis shows the share accounting logic is flawed with a precision issue to drain the market funds.

Here is the related hack tx: https://t.co/aadbYIjX9o
872 viewsedited  
2024/05/17 13:43:43
Back to Top
HTML Embed Code: