ChainLight
@ChainLight_io
Followers
4K
Following
2K
Media
293
Statuses
2K
smart contract audit & token regulation and compliance | 8-time winner @defcon | winner @paradigm_ctf 23 | member @_SEAL_Org | est. 2016
Joined September 2022
We did it again. We are thrilled to announce that ChainLight has won @defcon 32, the Olympics of CTF. This marks our 8th victory and the first time any team has won 3 consecutive years in the DEF CON history. 🧵 For those new to ChainLight, here's a little thread about us:
Saving $1.9B. On September 15th, we discovered and reported a critical bug in @zkSync Era's ZK-Circuits that could have drained all the tokens passing through the bridge. This bug allows a malicious prover to produce "proofs" for invalidly executed blocks, which the verifier
Hello, Mr. President. After winning the @defcon CTF for two consecutive years, the @paradigm CTF, and the @dragonfly_xyz CTF, ChainLight had the honor of being invited to the Blue House and conversing with South Korea's President Yoon Suk Yeol. 1/4
Exploiting ZK-EVM. After discovering a @zkSync Era bug on September 15th, we intentionally produced a false "proof" to battle-test our findings. Spending 100 GPU hours on A100s to generate the exploit, we turned a ZK soundness bug into a full token-stealing exploit. As this
We are thrilled to announce the successful completion of @Moca_Network's audit. Zero critical risks detected. All suggested improvements implemented. Thrive without fear, Mocaverse.
Cracking the @paradigm_ctf in 33 hours. We were able to solve all challenges 15 hours earlier than the closing time, making us the first team to complete the CTF. (1/5)
Draining $32M in 5 Minutes. On October 3rd, 2022, we discovered and reported a critical bug in @perpprotocol that could have drained $32M, the entire deposited USDC in the pool. The critical bug was discovered in the "AccountBalance" contract, which serves as the protocol's
Happy to announce that we solved all 23 challenges first in Remedy CTF 2025 - the biggest Web3 security challenge competition ever! 1,839 TEAMS with 2,000+ players attended, including industry-leading security researchers. We appreciate @hexensio for hosting this amazing CTF.
We are thrilled to announce that we have been awarded $157,696.85 USDC from @code4rena's @zksync Era audit for identifying two high-severity vulnerabilities in the zkEVM circuit. Everyone's a gangster until getting hacked. We are always impressed by @the_matter_labs' commitment
Here's a quick 30-second guide to protect yourself from the @Ledger library hack: Summary: Clear your browser cache. This will help prevent compromised libraries from being fetched from the cache. 1. Go to 2. Make sure the version is 1.1.8. 3. Press F12
Today, a total of $4.78M could have been saved if @RDNTCapital and @ChannelsFinance had taken just 3 minutes to read our write-up. During the Curta Cup 2023, we authored a puzzle called 'LatentRisk', which replicates incidents that occurred in the Compound V2 forks. The purpose
Saving Akash from Unauthorized Access. In May 2024, we discovered and reported a critical bug in @akashnet_ that allowed an attacker to impersonate a deployment owner on the network, granting unauthorized access to execute commands, access logs, and other sensitive information.
We are thrilled to announce that ChainLight and our CEO, @brian_pak, have been awarded the Presidential Commendation for their contributions to Information and Communications Technology in South Korea. After years of collaboration with DARPA and the South Korean governments,
We are thrilled to announce the successful completion of the security audit for @Blast_L2. Raising $20M from @Paradigm and @StandardCrypto, Blast is the only Ethereum L2 with native yield for ETH and stablecoins. With zero client compromise, we are deeply honored to have
Did you know "A < B" is not always the same as "B > A" in Solidity? One of our team members (@yechan_bae) found a bug in the Solidity language. We're proud to share another piece of evidence that our team pays attention to even the smallest details! #Ethereum #ETH #Solidity
Thrive without Fear, Abstract. We are proud to announce the security partnership with @AbstractChain! The partnership aims to strengthen the overall security of Abstract ecosystem, with comprehensive audits by our industry-leading researchers. More details to be announced.
Good Game. As soon as we landed in Istanbul, we wasted no time and headed straight to the CTF Showdown, one of the biggest CTF events at @EFDevcon. A big shoutout to @TenderlyApp and @ConsensysAudits for hosting this incredible event.
We are thrilled to announce that ChainLight has joined @zksync's Security Council. As one of the three bodies in the ZKsync governance system, the Security Council will serve as the first line of support for escalated security issues, respond to critical security threats, and
You Ask, We Deliver. Here is the write-up for all Curta Cup puzzles we have authored: It was our honor to author the puzzles for the inaugural @curta_ctf Cup and connect with security researchers and CTF players from around the globe. See you next year.
We are thrilled to announce that we have won first place at @secconctf, one of the most competitive Web2 CTFs in the world. As Web3 technology continues to advance and the bridge to onboard the masses solidifies, having expertise in both Web2 and Web3 security domains will
Introducing EVM DAY by @curta_ctf, @ChainLight_io, and @gasliteGG. A day-long event of networking, CTF puzzles, and gas optimization challenges dedicated to devs and security experts. And, of course, catering served by a 3 Michelin-Star trained private Head Chef. RSVP below
That's a wrap! Thank you for joining us at the inaugural Curta CTF. It was our honor to author CTF challenges for @curta_ctf and connect with security researchers and CTF players from around the globe. Goodbyes are not forever. We'll meet again.
ChainLight is coming to @EFDevconnect IST! Catch our team in Istanbul and get our first limited edition T-shirts and hoodies. We'll be participating in various panels, authoring CTF puzzles, and running a booth. Let's finally connect off-chain and discuss all things blockchain.
We're thrilled to announce that ChainLight has secured first place in the @defcon 32 CTF (Capture The Flag), Olympics of hacking competition, qualifiers. We're coming for that 8th gold medal.
@ckksec @realgmhacker Behind the scenes of this year's @paradigm_ctf: playing CTF at our CEO's wedding
“How did we get here?” by @nickwh8te from @CelestiaOrg and @xparadigms from @FourPillarsFP starting now. Discover more about the Modular Blockchain and the past, current and future plans of the Celestia ecosystem.
"Chain Abstraction / Near DA" by @mraltantutar from @nearfoundation is starting now!. Learn how Near is scaling Ethereum with DA and improving user experience through chain abstraction at Modular Harmony.
We are thrilled to stand alongside @samczsun as a member of the Security Alliance. The open nature of cryptocurrency has allowed hackers worldwide to target funds flowing through bridges and protocols without constraints. Conversely, white-hat hackers, often restricted by their
✅ Check out our recent @RareSkills_io Gas-Puzzle write-up! Shout out to RareSkills and other challengers. 🧵 The key aspect of the optimization was reducing the code size. Here's our approach beyond what @RareSkills_io explained. #Solidity #CTF #GasGolfing
We have reviewed 22 submissions. Here are the final scores. 🥇 this-is-chainlight 203,386 @chainlight_io. 🥈 jinukaloshaechi 215,354 @lj1nu. 🥉 0xevm 232,671 @RJin2018. Happy to see the broad participation! Hope you learned something in this contest! Winner instructions below:
Introducing unwrap_let. Pattern matching on Rust simplified. @RustLang is one of the most popular Web3 programming languages being used on Solana, Near, Aptos, and Sui. (1/8)
A $32M Guide. After unveiling our discovery of the critical bug on @perpprotocol that could have drained $32M in 5 minutes, many journalists have reached out to us with a question. "Why does this space keep getting hacked?" The Web3 space is still in its infancy. With new
$10K golden floppy disk. @ChainLight_io won the $10K golden floppy disk in the ao-Effect game contest, hosted by @aoTheComputer on the @ArweaveEco network at @EthereumDenver. Here's the breakdown of the critical bug we've uncovered 🧵
We are thrilled to announce that we have decided to award $1,000 USDC to the overall winner of the Curta Cup Leaderboard. Congratulations to @tonyke_bot from @hackthedefi. Here's why we made this decision to incentivize security researchers through @curta_ctf 🧵 (1/9)
🥳 We're excited to announce that we WON a Web3 CTF competition! ✅ Check out the NumenCTF scoreboard and take a look at our impressive performance! Even though we were ~15 hours late to the party compared to other teams, we managed to take the lead.
After an intense 48-hr rollercoaster of excitement, we are excited to officially announce the winners of #NumenCTF. Congratulations to the Winning Teams. 🥇 #ChainLight @chainlight_io @theori_io. 🥈 #KALOS @kalos_security @sqrtrev. 🥉 #AmberLabs @ambergroup_io @chiachih_wu.
The world's first trustless oracle for Ethereum's historical data, brought to you by ChainLight. @a16zcrypto has emphasized that the mainstream adoption of SNARKs in 2024 is an exciting topic for numerous crypto partners. Since 2022, we've been preparing for this moment. (1/8)
0/ On December 31, 2023, at 9:07:59 PM UTC, an unauthorized transaction was detected in the @Orbit_Chain Ethereum L1 Vault, involving assets like DAI, USDC, USDT, ETH, WBTC. We are actively investigating this issue.
We're thrilled to announce that ChainLight is the two-time champion of @RareSkills_io's Gas Contest. Thank you RareSkills, for organizing this contest and highlighting the importance of gas optimization, a persistent and fundamental concern on the blockchain. See you next year.
Top 5 winners for the first gas contest: 🥇 @ChainLight_io. 🥈 @lj1nu. 🥉 Unknown address. (4) nanoproxy.eth. (5) zumzoom.eth. Prizes will be directly distributed to the addresses that signed the submissions. Thanks everyone for participating! More to come!
“The Future of Rollups” by @0xJESSIE_ from @initiaFDN starting now! Discover more about interwoven rollups in the Initia Ecosystem at Modular Harmony.
Congrats to @Blur for launching their new NFT lending feature! We audited #Blend's contract to ensure the safety for #Blur users. We found a total of 9 issues, including 2 high severity issues. All of them have been addressed. ✅ Check out our report:
9/ The smart contracts for Blend have been audited by Code4rena and Chain Light. Audits will be available on the Blur Foundation website shortly.
We were the first to solve the "Magic of Solidity" challenge in the @Quill_Academy CTF. And we woke up to a magic wand waiting for us in front of our office. A big thank you to @lj1nu for this generous gift. It will be proudly displayed alongside our collection of CTF trophies.
We are thrilled to announce that we have won QuillCTF Dubai 2023. A big thank you to @Quill_Academy for organizing this contest and providing entertaining challenges. ChainLight will continue to explore effective blockchain technologies and push the boundaries of Web3 security.
You can go faster alone but further together. ChainLight believes that consistent research in exploits and prevention methods is the core foundation of a cybersecurity firm, especially in a fast-paced industry like Web3. We release our research every week for free to assist.
Great write up by @ChainLight_io team on the Liquidation Fee Vulnerability , they found in Perpetual Protocol.
"Blur has been around for nearly a year, and the Blur bid pool has over $100m in it. That's a decent testament to their security.". Having completed the security audit of @blur_io Exchange V2 and Blend, we take immense pride in maintaining zero compromise. source: @niftyportal
10 Puzzles. 1 Winner. We had the honor of authoring 6 puzzles for the first Curta Cup, a hybrid CTF competition on Nov 18th. Co-hosted by @LineaBuild & sponsored by @BuildOnBase and Zuzalu, the @Curta_ctf Cup will be the ultimate playground for Web3 CTF players. See you there.
"Solving Rollup Fragmentation" by @anuragarjun from @AvailProject is starting now. Learn more about how Avail is working to unify the modular space at Modular Harmony.
Is Modular Blockchain at Risk? Discover more about the security perspective of modular architecture at Modular Harmony, co-hosted by @ChainLight_io, @DecipherGlobal, @FourPillarsFP, and @radius_xyz. Summary thread coming soon.
In the fast-paced world of crypto, responding to a hack is a daunting task and finding the right experts in a crisis can be challenging. We're joining forces with other security leaders, facilitating rapid connections between experts and projects when emergencies strike.
Over the past few days I've been working with a group of whitehats, auditors, and other security leaders to try and solve the hardest part of responsible disclosure: finding the right person to talk to.
We are thrilled to partner with @Official_Upbit to launch UPSide Academy, a blockchain cybersecurity talent development program. Following the inauguration ceremony, the 19 selected trainees from the first cohort will begin a 4-month program focused on blockchain cybersecurity.
First Blood (again)! 🩸 We solved all 11 puzzles with 7 FBs on @curta_ctf, as shown by the πs. It is the 1st ZKP chal on #Curta by @leonardoalt! We show our expertise in ZK with @RelicProtocol, the trustless oracle for Ethereum's historical data. Check it out!
We are excited to announce that we have secured the second place in Blaz CTF 2023. A big thank you to @hackthedefi for organizing this incredible event, along with the co-organizers, authors, and sponsors who made it all possible. See you next year.
Blaz CTF 2023 has concluded. Congrats to @Offside_Labs @ChainLight_io and Amber Labs for securing the Top 3, and kudos to everyone who participated.
Your palms are sweaty, hands are shaking, and your mind is blanking. There, you've let your protocol to be hacked without a flinch. Without being prepared to handle a war against your protocol, without finding comfort in the most stressful situations, your protocol becomes.
In a war room, every second counts. But without having been in one, how could you know what to expect or how to respond? Blog posts and tweet threads can only take you so far. Today, I'm excited to announce a new option: SEAL Drills.
We crushed yet another CTF held by @RareSkills_io, a gas optimization challenge this time! #ETH #Solidity
We have reviewed 22 submissions. Here are the final scores. 🥇 this-is-chainlight 203,386 @chainlight_io. 🥈 jinukaloshaechi 215,354 @lj1nu. 🥉 0xevm 232,671 @RJin2018. Happy to see the broad participation! Hope you learned something in this contest! Winner instructions below:
10 Puzzles. 1 Winner. We had the honor of authoring puzzles for the @Curta_ctf Cup. Solving these puzzles involves techniques that we not only use every day to secure our clients' products but also believe all security experts and engineers should master. The puzzles'.
KEYNOTE SPEAKER #1 - Retail and Mass Adoption. @Tytaninc | Co-Founder, @NFTYFinance & @SocialPass_io
KEYNOTE SPEAKER #3 - Retail and Mass Adoption: Cryptocurrency as a Currency. @reicannon | CEO, @projectPXN & @gmdotco
🥳 We have successfully minted Alpha Goat Club NFT! This CTF was an interesting attempt and very fun. We would like to thank the @RareSkills_io team for giving us this experience by hosting this CTF! Our mint hash: #Polygon #Web3 #CTF
Why do projects keep getting hacked? How is ZK tech's security different?. Join ChainLight's CTO, @andrewwesie, as he shares our insights, approach, and focus with @Ashton_Addison_ on the @CryptoCoinShow.
Our team scored the first blood in Dragonfly CTF and won the coveted Milady NFT! Huge thanks @dragonfly_xyz for hosting such an exciting CTF. We can't wait to join again next time! Ready to rock with this pretty Milady NFT! #DragonflyCTF #Milady #MiladyNFT #NFT
Dear @github, we have discovered a bug. The comment function on the new file is completely disabled when there is a "typechange," replacing one file with another file type (e.g., symlink). We believe the following has happened: 1. The typechange results in two distinct entries
ChainLight Patch Thursday, the first week of July! The content we introduce in this Patch Thursday is "Identifying Vulnerabilities in #TON: Killing All Nodes"! ChainLight has uncovered a Denial-of-Service (DoS) vulnerability in the TON network's node that can lead to the
Join ChainLight's CTO, @AndrewWesie, as he shares the story of how ChainLight started in 2016 and our journey to discover some of the best talents in cybersecurity.
ChainLight is here to secure Denver. Visit our booth, connect with our security experts, and get a chance to win 5 x Ledger Nano S Plus. Location: Booth #505. Date: Feb 29th - March 3rd, 8 AM - 7 PM
@xyz_remedy Having completed all the challenges six hours before the deadline, we now have to wait a bit to get the result finalized. At least we're happy to head home and get some sleep now!
🥳 We got the first blood on @curta_ctf Puzzle #9! We would like to thank @vex_0x for the fun challenge! Now the source code for the challenge is released since we solved it. But try solving without it! That's how we did it. #Huff #Web3 #CTF
First blood for Puzzle #9 by @chainlight_io! The @huff_language source code has now been added for Phase 1.