📢 Attention, DeFi projects!
Secure your protocol's entire lifecycle with BlockSec🛡️.
From pre-launch security audits to post-launch attack monitoring and blocking (Phalcon), we've got you covered.
Learn more about our full-stack security solution at .
@KyberSwap was exploited due to tick manipulation and double liquidity counting.
In summary, the attackers borrowed a flash loan and drained the pools with low liquidity. By executing swaps and altering positions, they manipulated the current prices and ticks of the victimized
1/ @samczsun explained that the attacker exploited the vulnerability in mev-boost-relay to drain MEV bots. After digging into the attack, we have two more findings. First, the attacker used a honeypot tx to lure MEV bots. Second, the honeypot tx has a self-protection mechanism.
1/ Exploits on chain are growing at an alarming rate. Here's how #BlockSec responds when an attack occurs and the secret weapons we deploy to analyze incidents quickly and accurately.
1/ Alert | BlockSec detected that exploiters are replaying the message (calldata) of the PoS chain on @EthereumPow. The root cause of the exploitation is that the bridge doesn't correctly verify the actual chainid (which is maintained by itself) of the cross-chain message.
1/ The key to the success of the Tornado Cash DAO attack is that 1) blind voting -- voting without knowing the consequence; 2) a proposal contract can be updated through a well-designed trick -- create and create2.
Click to see the detailed attack steps:
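As an added illustration (not BlockSec's or Tornado Cash's code) of a defensive check against the create/create2 code-swap trick mentioned above: a minimal governance executor that pins the proposal contract's code hash when the proposal is created and refuses to run it if the code at that address has changed since. The delegatecall into an `executeProposal()` entry point, the 3-day delay, and the omitted voting logic are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example. A contract deployed with CREATE2 by a factory that was
// itself deployed with CREATE can be selfdestructed and redeployed at the same
// address with different bytecode. Voters approve one bytecode; a different one
// runs. Pinning EXTCODEHASH at proposal time makes that swap detectable.
contract PinnedProposalExecutor {
    struct Proposal {
        address target;     // proposal contract voters approved
        bytes32 codehash;   // EXTCODEHASH of target when proposed
        uint64  createdAt;
        bool    executed;
    }

    uint256 public constant VOTING_DELAY = 3 days; // assumed value
    mapping(uint256 => Proposal) public proposals;
    uint256 public proposalCount;

    event Proposed(uint256 indexed id, address indexed target, bytes32 codehash);
    event Executed(uint256 indexed id);

    function propose(address target) external returns (uint256 id) {
        bytes32 h = target.codehash;
        // codehash is 0 for a non-existent account and keccak256("") for an
        // account without code; a proposal must point at deployed code.
        require(h != bytes32(0) && h != keccak256(""), "target has no code");
        id = ++proposalCount;
        proposals[id] = Proposal(target, h, uint64(block.timestamp), false);
        emit Proposed(id, target, h);
    }

    // Voting is omitted here: a proposal is treated as approved once the
    // delay has elapsed. The point of the example is the code-hash check.
    function execute(uint256 id) external {
        Proposal storage p = proposals[id];
        require(p.target != address(0), "unknown proposal");
        require(!p.executed, "already executed");
        require(block.timestamp >= p.createdAt + VOTING_DELAY, "voting not over");
        // The bytecode voters saw must be the bytecode that runs. A CREATE2
        // redeploy with different code changes the hash and is rejected.
        require(p.target.codehash == p.codehash, "proposal code changed");
        p.executed = true;
        (bool ok, ) = p.target.delegatecall(
            abi.encodeWithSignature("executeProposal()")
        );
        require(ok, "proposal failed");
        emit Executed(id);
    }
}
```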
Please note that this reentrancy issue is associated with the use of 'use_eth', which could potentially place the WETH-related pools in jeopardy!
@CurveFinance, please DM us if you need any help.
1/ There is a flawed logic in borrow() of the ParaProxy contract (0x638a) of @ParaSpace_NFT. The attacker can borrow more tokens as his scaledBalance will be enlarged by depositing into the position of the proxy (0xC5c9), i.e., specifying the _recipient of depositApeCoin().
@AaveAave the latest upgrade of ReserveInterestRateStrategy in Aave V2 (Polygon) has caused a temporary halt of the protocol, impacting assets worth ~$110M!
The root cause is that the new ReserveInterestRateStrategy is only compatible with Ethereum, not with Polygon.
found a governance issue in Aave V2 impacting the Polygon Aave V2 Pool, causing USDT/BTC/ETH/MATIC assets worth up to 120 million to become inaccessible.
@AaveAave
A number of stablepools (alETH/msETH/pETH) using Vyper 0.2.15 have been exploited as a result of a malfunctioning reentrancy lock. We are assessing the situation and will update the community as things develop.
Other pools are safe.
Unibot @TeamUnibot was reported to be hacked.
As the code is not open-sourced, we suspect that there is a lack of input validation of the function 0xb2bd16ab in the 0x126c contract, which allows an arbitrary call. Therefore, an attacker could invoke 'transferFrom' to transfer
1/ We are thrilled to launch a powerful transaction explorer: Phalcon (), which aims to provide comprehensive data on invocation flow, balance changes, and fund flows. Currently, it supports #Ethereum, #BSC, and #Cronos.
Phalcon has released the biggest update yet! 🎉
Here's what's new.
- Source code view directly shows the source code, parameters, and return values along with the trace.
- Fund flow chart intuitively shows the Token transfer in a transaction.
Let's deep dive into transactions!
We knew that @SushiSwap RouteProcessor2 was attacked. We evaluated possible damages in the past few hours and made this public only after we thought it was safe: users' assets are always our first priority.
Btw: we rescued part of them and will release the details later.
We observed that the #Euler attacker 0xb66cd966670d962C227B3EABA30a872DbFb995db is returning money to Euler finance now.
3000 Ether has been returned so far.
Excited to be the ecosystem security partner for @Ancient8_gg! 🎉
We are currently partnering with Ancient8 for auditing, with more security-focused collabs in the pipeline.
Ancient8 aims to empower the next 100 million Metaverse citizens, and BlockSec is here to secure their
1/ We have analyzed the recent @Platypusdefi attack and found that the attacker made a mistake in the first attack transaction, which prevented the attacker from withdrawing the profits. Here is the full story.
Thanks, @spreekaway, for pointing out this direction.
🎉Phalcon now supports #Avalanche C-Chain @avalancheavax!
* Latest transactions since block height 20876888 are available. Old transactions are being imported and should be available later.
* Now we support #ETH #BSC #Cronos #Avalanche
Try this transaction:
1/ @SturdyFinance was attacked and the loss is ~442 ETH. The root cause is Balancer's typical read-only reentrancy, through which the price of B-stETH-STABLE was manipulated!
Hey @LefterisJP, your blame is unfair. There are some facts you did not know.
- We located this WETH pool (0x8301) issue at 17:10 UTC on July 30. Unfortunately, we cannot DM @CurveFinance on Twitter because their DMs are not enabled. So we shared this finding with a trusted
You either need to be an idiot or outright malicious to tweet out potential vulnerabilities @BlockSecTeam while there is an ongoing incident
Adding screenshots and asking the potential victim to DM you? IN A PUBLIC TWEET?
I won't even quote your tweet/s but what the actual fuck?
We are assisting @Era_Lend with this issue, and the root cause has been identified. The total loss is ~$3.4M.
Specifically, this is a read-only re-entrancy attack.
Another attack tx is:
Attacker address: 0xf1D076c9Be4533086f967e14EE6aFf204D5ECE7a
1/ @iearnfinance was hacked with two consecutive attack transactions. The root cause is an (on-purpose?) misconfiguration which makes the rebalance of the pools rely on an incorrect underlying token. This misconfiguration has been there for more than three years.
Thrilled to announce our proposal has been supported by a grant from Uniswap Foundation @UniswapFND! Our static analyzer will support the secure operations of Uniswap v4. 🦄
The new "Hooks" feature in #Uniswap v4 significantly enhances the extensibility and flexibility of
1/ We confirmed that both @paraswap deployer address (0x490ce4616672e93b1c8f5e43aa80312fd73dee8c) and @curve deployer address (0x07a3458ad662fbcdd4fca0b1b37be6a5b1bcd7ac) are vulnerable to the profanity vulnerability. The private keys can be recovered.
1/ Hi @paraswap, I heard that you want to see this? Your deployer address private key may have been compromised (possibly due to the Profanity vulnerability) and funds have been stolen on multiple chains.
1/ The PolyNetwork was attacked. There are multiple attack transactions. The attacker first locked a small number of tokens on the source chain and then unlocked more tokens on the destination chain.
1/ @eulerfinance was attacked. The root cause is the lack of a liquidity check in the function donateToReserves().
See the detailed attack steps below.
We are thrilled to announce Phalcon's new feature Transaction Simulation is live for ETH. You can simulate arbitrary transactions on ANY position in ANY block, and instantly get complete traces/events and balance changes.
Fly with Phalcon!
1/ @Pawnfi was attacked in a flurry of transactions (e.g., ). The root cause of the attack is that the protocol failed to verify whether the NFT had actually been transferred when users used a specified NFT as collateral for borrowing.
1/ RouteProcessor2 @SushiSwap has a vulnerability that can drain accounts that approved this contract. Our system immediately detected the attack attempt against @0xsifu and rescued some funds. Unfortunately, some other funds could not be rescued.
@LeetSwap on $Base was attacked, and the loss was over 340 ETH. The attacker abused the public _transferFeesSupportingTaxTokens function to manipulate the pool:
1. Swapping $WETH for another token A.
2. Invoking the _transferFeesSupportingTaxTokens function to transfer token A,
@Hope_money_ on Ethereum was subjected to an exploit due to a precision loss issue. There have been several such attacks recently. We advise developers to review these incidents and promptly conduct self-checks. Here are the details:
On October 18, 2023, at 11:48:59 AM +UTC, the HopeLend protocol fell victim to a hacker attack. It is important to note that the hacker did not profit from this attack.
The attack resulted in a loss of approximately 528 ETH, out of which 263.91 ETH were bribed by the frontrunner
1/ How is a honeypot contract trapped by an MEV bot?
The defi_game() is a honeypot contract. If the player can guess the answer to the question, he/she will get the Ether inside the contract.
@Mudit__Gupta
1/ @ZunamiProtocol was hacked, and the loss is over $2M. It is a price manipulation attack due to the flawed calculation of the LP price, i.e., within the totalHoldings function of strategies like MIMCurveStakeDao, where sdt and sdtPrice were artificially inflated.
1/2) Our monitoring system alerted that SashimiSwap @SashimiSwap was attacked (both Ethereum and BSC), and we confirmed that it is due to the bad logic of the swap function, which ALWAYS uses the first pair to calculate the balances.
@bantg
@defiprime
1/5) Yesterday, we reported the attack towards the Visor project (@VisorFinance). We deleted the tweet later due to the raised concern that the disclosed information could be abused to attack others. Then we confirmed that other pools are safe (also confirmed by @samczsun).
🦅We are thrilled to announce a significant upgrade to Phalcon ().
1/ Debug Capability:
Phalcon can now dive into function-level analysis with a view of the source code, the corresponding internal/external function calls, and the concrete parameter values.
The exploiters used @ankr's deployer address to replace the $aBNBc contract's implementation. Afterward, they used the newly added backdoor function (0x3b3a5522) to mint $aBNBc tokens.
The following chart shows the exploiters' fund flow generated by MetaDock with one click.
1/ @Level__Finance was reported to be hacked due to the lack of checks for repeated items in the array argument of the vulnerable function. Note that the hacker first tried to make a preparation but failed several times 7 days ago, and finally made it before launching the attacks.
As a blockchain security firm, it’s our natural duty to protect users’ assets and safeguard the web3 world for its long-lasting prosperity. However, recent events have led to discussions about the attack alert rule and procedure. We feel called to stand up and openly share our
Our monitoring system detected that multiple pools related to @RariCapital @feiprotocol were attacked and lost more than 80M US dollars. The root cause is a typical reentrancy vulnerability.
@defiprime
The strategic partnership between BlockSec Phalcon and @puffer_finance is set to elevate the entire #Restaking field to new heights of security standards. 🙌
👏 We're excited to announce a new level of partnership with @puffer_finance. We are integrating our Phalcon platform into Puffer's protocol to enhance their security measures.
The @ExactlyProtocol has been paused. It's time to review the attack.
The root cause is #insufficient_check. The attacker was able to bypass the permit check in the leverage function of the DebtManager contract by directly passing a fake market address without validation, and
#PhalconAttackAlert @ExactlyProtocol got hacked with ~$7.3M loss by now.
Join the Phalcon Block Waitlist, get a precise alert before the attack tx is executed, and take automatic actions to fight hackers back. 🦾
🚀 We're thrilled to introduce Phalcon Fork, a cutting-edge toolkit for Web3 developers & security researchers! It enables collaborative testing with private mainnet states, creating private chains forked from any mainnet position.
#Web3 #DeFi
3/ The exploiter (0x82fae) first transferred 200 WETH through the omni bridge of the Gnosis chain, and then replayed the same message on the PoW chain and got extra 200 ETHW. As a result, the balance of the chain contract deployed on the PoW chain would be drained.
It's a ridiculous logic. Vyper officially announced the affected versions at 16:44 UTC on July 30, and Curve confirmed at 16:45. After that, three attacks happened between 19:08 and 22:00. Do you think these exploits might have been white hacked if they hadn't tweeted and
Gotta wonder if some of yesterday's exploits might have been white hacked in time if multiple "auditors" like @SupremacyHQ and @BlockSecTeam hadn't tweeted which Vyper versions were affected when a team was working hard to keep it under wraps. Shameful behaviour.
💡 Curious about how #PufferProtocol keeps its funds secure? Check out BlockSec's deep dive into its access control architecture!
Understand the roles, smart contracts, and strategies for managing over $900M assets. Knowledge is power!
@puffer_finance
1/ We are thrilled to announce the industry-leading transaction pre-execution service - Mopsus. Mopsus aims to help users understand transactions before signing.
Glad to help @ParaSpace_NFT recover the fund and appreciate the transparency in the whole process. Long term collaboration is on the way to help secure the project and the whole ecosystem.
Thank you again to @BlockSecTeam and their exceptional assistance in ensuring the security of the ParaSpace platform. We received the 2,909 $ETH that the @BlockSecTeam recovered and awarded them a 5% bounty.
Key updates you need to know RE our security patch/overhaul 🪡
1/ BitKeep's @BitKeepOS (unverified) contract (0x75eb on BSC) was hacked. Looks like its function allows the attacker to execute an arbitrary call, i.e., both addr & function signature can be specified in the calldata --- then tokens approved to the contract were transferred out.
🚨 @starsarenacom has been exploited. Since it is not open source, we suspect that some key configurations have been manipulated due to a re-entrancy issue.
They forked @friendtech's code, but the issue is in the new/edited parts.
#PhalconAttackAlert @starsarenacom got hacked with ~$2.9M loss.
Join the Phalcon Block Waitlist, get a precise alert before the attack tx is executed, and take automatic actions to fight hackers back. 🦾
1/ Our system monitored that @0vixProtocol on Polygon was hacked, and the loss is around $2M. The root cause is the flawed price calculation of a deflationary token.
@raft_fi protocol on Ethereum was attacked due to a precision loss issue. The loss amounted to ~1577 Ether. However, the attacker mistakenly burnt 1570 of them, ultimately resulting in a net profit of -4 Ether after accounting for costs such as gas fees.
The attacker initially
DeFi Attack | Our monitoring system reported that $ROI (Ragnarok Online Invasion) was attacked (), and the loss is around 157.98 BNB (44,222.5 BUSD).
It is a typical access control vulnerability in ownership transfer.
#DeFi #BSC
🎉 Exciting news! BlockSec has partnered with @Conflux_Network to provide top-notch security services and insightful tools for the Conflux ecosystem. 💪 Together, we are committed to creating a more secure and robust on-chain network. 🚀
#blockchainsecurity #Conflux #BlockSec
1/5 MetaDock's hidden gem? Transaction Simulation powered by @Phalcon_xyz 🚀.
You can pre-execute or simulate any transaction using MetaDock.
E.g., before minting an NFT, quickly gauge the right gas limit and costs with MetaDock's Simulation feature.
But how? ⬇️
A bot was attacked due to the lack of access control of a public function 0xf6ebebbb, which could be exploited to manipulate swaps in Curve pools. The loss was ~$2M.
Hence the attacker could first abuse the flawed function to pump the asset price (e.g., WETH) and then make a
1/ The Binance cross-chain bridge has been attacked. The root cause is a vulnerability in the message verification, as reported by @samczsun ().
In fact, bridges have been valuable targets for attackers. The figure shows the representative ones.
Five hours ago, an attacker stole 2 million BNB (~$566M USD) from the Binance Bridge. During that time, I've been working closely with multiple parties to triage and resolve this issue. Here's how it all went down.
This is a killer feature for (security) researchers: you can now view private variables on Etherscan.
Thanks to @MetaDockTeam. Install the MetaDock extension and enjoy the feature now.
Yesterday, our system detected an attack on @hypr_network's OP Stack Bridge. We promptly reached out to their team to share our findings. As always, we are glad to help :)
Now that the team has taken action and disclosed it publicly, we'd like to provide some insight into
📢Hypr's OP Stack Bridge experienced an exploit on Dec 12th, 2023. This postmortem details the incident.
Post Here:
TLDR;
⚡️Hypr’s OP Stack Bridge experienced an exploit. This does not affect $hypr holders.
⚡️2 Users were affected, with a total of 2.57M
1/ Rumors said that everyone could hack the Ethdev contract (0xde0b295669a9fd93d5f28d9ec85e40f4cb697bae -- with $532M). Lots of trials have been observed to change the owner of this contract. We will use Phalcon's simulation to tell you the truth that the contract is NOT hacked.
@MidasCapitalXYZ has been exploited with losses of ~$600K. Midas is a fork of Compound and this attack is similar to @HundredFinance and @SiloFinance (the vulnerability disclosed today). Here's an attack transaction:
oops, @safemoon has been attacked due to a public burn issue (in 2023!!) with a loss of around 8M.
The original attack tx (0xbcf5e30c164837b5d7c42fd7e33e47a0072dc014e7f0a67aa7710af49d0ce53b) was front-run by an MEV bot.
Happy to be the security partner of Stratos @Stratos_Network.
BlockSec has audited a couple of representative projects in the #Cosmos ecosystem @cosmos. Working with Stratos is one step further in our commitment to the Cosmos ecosystem.
🎉 We're thrilled to announce that Stratos will work with @BlockSecTeam for security auditing.
🔒 Their innovative research, vast project experience, and reliable security services will help pave the way for the successful launch of the #Stratos Decentralized Storage Mainnet.
2 weeks ago, @Balancer and its fork @beethoven_x suffered attacks, with total losses of ~$2.1M. The subtlety of the bug and its exploitation have remained under-analyzed. In this report we deliver a comprehensive community-engaging analysis.
1/ Hey community, we have been performing a whitehat rescue of vulnerable addresses generated by the vanity tool for a few days. Even though our optimized algorithm can recover a private key in 2 to 30 minutes, we still need more time to search for vulnerable addresses.
Hey community, we are performing a whitehat rescue. We cannot share the details at the current stage (to protect the users from being attacked), but we have documented it in a pdf file (md5: 286b4c040bda356eb685c2ec24d575e0).
We will release this pdf when the rescue is done.
1/ UniswapV2Pair WETH-BCI was attacked in many TXs: . The profit is ~$11K.
It is due to the flawed logic in the internal _transfer() function of the BCI token contract, i.e., it burns 1% BCI tokens from the pool every 10 mins (triggered by a transfer).
1/ Today, we wanna talk about MEV Bot. With the evolution of MEV Bot, the most recent explorations have been front-run by Bot. However, Bots are getting wilder, including anonymous deployments, refusal to return funds (in most cases), and aggressive tx fee strategies.
1/ Our investigation shows that Bo Shen's (@boshen1011) wallet attacker abused an MEV bot to transfer funds between his/her addresses (0x24b93...bc2e and 0x66F6...Ae14). We suspect it is to make the fund tracing harder.
Here is how the trick works:
Due to the affected protocol being paused, here is a preliminary analysis of this @Platypusdefi incident:
1. It's a flash loan attack, with a total loss of ~$2M. The hacker manipulated 'cash' and 'liability', which affected the swap price.
2. The first attack tx is:
#PhalconAttackAlert @Platypusdefi on Avalanche got hacked with ~$575K loss.
Join the Phalcon Block Waitlist, get a precise alert before the attack tx is executed, and take automatic actions to fight hackers back. 🦾
@Wise_Lending has been attacked (notable white-hat c0ffeebabe.eth managed to front-run successfully), and the Pool has been drained. In this incident, the attacker exploited two issues to successfully carry out the attack:
1. Manipulating the value of each share through
@bitpaidio on BSC has just been exploited. The root cause of the issue was that Lock_Token() did not properly update the lock times. The exploiter made a lock() 6 months ago, which led to an over-calculation of rewards during the withdraw().
The loss from this attack amounts to
1/ The $BRA token on BSC was attacked, and the total loss reaches 819 $WBNB. The root cause is due to a logic flaw of the BRA contract, which doubles reward the tax fee to the pancake pair without invoking the sync() function after transferring.
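Added illustration of the fee-accounting pattern described in the $BRA tweet above (constructed code, not the BRA contract or BlockSec's code): a tax-on-transfer token that credits its fee to the AMM pair twice and never calls sync(), beside a hardened variant that charges the fee once and routes it away from the pair. The 3% fee rate and the treasury address are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// A Pancake/UniswapV2 pair caches its reserves. Tokens that land in the pair
// outside a swap and without a sync() leave balanceOf(pair) above the cached
// reserve, and that surplus can be pulled out by anyone with skim().
interface IPancakePair {
    function sync() external;
}

// Vulnerable pattern (constructed): fee credited to the pair twice, no sync().
contract TaxTokenVulnerable {
    mapping(address => uint256) public balanceOf;
    address public immutable pair;
    uint256 public constant TAX_BPS = 300; // 3% fee, assumed value

    constructor(address pair_, uint256 supply) {
        pair = pair_;
        balanceOf[msg.sender] = supply;
    }

    function _transfer(address from, address to, uint256 amount) internal {
        uint256 fee = amount * TAX_BPS / 10_000;
        balanceOf[from] -= amount;
        balanceOf[to] += amount - fee;
        balanceOf[pair] += fee; // fee credited once ...
        balanceOf[pair] += fee; // ... and again: the pair is over-credited
        // No sync(): the pair's cached reserve now lags its real balance,
        // so the difference sits as a skimmable surplus.
    }
}

// Hardened variant: the fee is charged exactly once and sent to a treasury,
// so the token's own fee logic can never push the pair's balance away from
// its cached reserves. If a design insists on crediting the pair, it must
// call IPancakePair(pair).sync() afterwards, and it cannot do so while the
// pair is mid-swap (sync() sits behind the pair's reentrancy lock), which is
// why routing the fee elsewhere is the simpler safe choice.
contract TaxTokenHardened {
    mapping(address => uint256) public balanceOf;
    address public immutable treasury;
    uint256 public constant TAX_BPS = 300; // 3% fee, assumed value

    constructor(address treasury_, uint256 supply) {
        treasury = treasury_;
        balanceOf[msg.sender] = supply;
    }

    function _transfer(address from, address to, uint256 amount) internal {
        uint256 fee = amount * TAX_BPS / 10_000;
        balanceOf[from] -= amount;
        balanceOf[to] += amount - fee;
        balanceOf[treasury] += fee; // exactly what was deducted, nothing more
    }
}
```

A monitoring rule that flags a pair whose token balance exceeds its cached reserve after a transfer would have surfaced the untracked surplus before the first skim().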