gandu Profile
gandu

@gandu_whitehat

Followers
1,033
Following
506
Media
10
Statuses
65

Smart contract auditor | whitehat @immunefi

Joined September 2022
Pinned Tweet
@gandu_whitehat
gandu
2 months
🧵 $22.7M loss across three projects due to one lazy nature: "We, as a protocol, will make sure that we are the first depositor." Bug : Share inflation on empty vaults escalated to Hundred Finance type attack.
2
6
82
@gandu_whitehat
gandu
2 years
4th Whitehat hack and the first on @immunefi , the journey of being a solidity security engineer is amazing. thanks, @RektHQ for the overviews of every hack. thanks to @Mudit__Gupta for all the fast and initial analysis threads and those security videos.
17
5
128
@gandu_whitehat
gandu
3 months
Here’s a thread about a bug I discovered in the @SovrynBTC codebase and submitted on @immunefi . The issue was swiftly addressed, and I was awarded $15k by the project. A detailed thread on the thought process that led to the bug’s discovery.
5
11
112
@gandu_whitehat
gandu
1 year
Be me -some stats from last month > Week 1: 10k bug bounty payout on @immunefi > Week 2-3: 10k + 1.2k + 3k bug bounty payout (personally contact the team) > Week 4: 15k for private audit 🤞 for this month
11
3
106
@gandu_whitehat
gandu
2 months
Thank you @immunefi and everyone for the wishes! Here is a detailed thread about the bug I submitted.
@immunefi
Immunefi
2 months
Congratulations @gandu_whitehat on your recently paid reports for finding a medium severity bug on Sovryn on @immunefi . It’s an awesome achievement! #ImmunefiTribe
73
6
233
7
2
77
@gandu_whitehat
gandu
8 months
And with this, the 2024 season kicks off! Good morning! @immunefi
4
3
73
@gandu_whitehat
gandu
2 months
Me: Since this morning
4
0
26
@gandu_whitehat
gandu
2 years
@samczsun is a true inspiration for being a security engineer, don’t want to say this but because of you, I am more passionate about this line "hey you up?😂".
2
0
18
@gandu_whitehat
gandu
2 months
This incident shows why Web3 needs platforms like @immunefi , @sherlockdefi , and @code4rena , which ensure every aspect of protocol security is thoroughly addressed before and after a bug is discovered.
0
0
12
@gandu_whitehat
gandu
2 months
A slight negligence resulted in a financial loss of $22 million. BackStory:
0
0
9
@gandu_whitehat
gandu
2 years
and last thanks to my friend and colleague @kankodu for establishing the @warroomEth idea and helping me out to become the solidity security engineer. thanks, @nem_veer and @hoshiyari420 for the support.
1
0
8
@gandu_whitehat
gandu
2 months
@naruto11eth Good night bro !!
2
0
7
@gandu_whitehat
gandu
2 months
Middas Protocol: Contacting them on 25th May 2023 about a bug, they didn't acknowledge it and stopped responding. On 17th June 2023, Middas Capital got rekt, losing $600K. Here's a snapshot of my conversation with their co-founder before the incident Bug :
1
0
7
@gandu_whitehat
gandu
2 months
Before the attacks, I had already reached out to all three projects, warning them far in advance. Despite my reports about this bug, protocols didn't update their codebases. My main recommendation: Mint some shares directly through code to be fully secure. Here’s what happened:
1
1
7
@gandu_whitehat
gandu
2 months
SonneFinance: On 27th November 2022, I submitted a bug which they acknowledged. They rewarded me with $3k. However, during an upgrade, they argued that they were already doing instant deposits before creating the markets and didn't change the code.
2
0
7
@gandu_whitehat
gandu
2 months
Onyx Protocol: On 28th March 2023, I submitted a bug via email. At that time, two live vaults' funds were at risk. The protocol resolved it by manually burning the LP but didn't update their factory contract. Thus, only these two pools were secure, while new ones remained at risk
1
0
5
@gandu_whitehat
gandu
2 months
So on 2nd Nov 2023 attacker exploited this via the new oPEPE pool, stealing $2.2M. Onyx Protocol paid me a bounty of $10k, but unfortunately, they were unable to change the code and got rekt. Bug description :
1
0
5
@gandu_whitehat
gandu
2 months
This led to a huge loss of around $20M on 14th May 2024 by an attacker executing scheduled operations leading to share inflation on an empty vault.
1
0
5
@gandu_whitehat
gandu
3 months
This is how the initial condition can be achieved to carry out the inflation of share price. Such inflation opens up various attack vectors, particularly in lending protocols. See how it was done in wise lending here:
@danielvf
Daniel Von Fange
8 months
Yesterday's complete hack of Wise Lending was far more complex than reported. Very worth examining. The protocol had added explicit defenses against this style of attack, which the attack then either bypassed or used against the protocol. 🧵 1/21
21
98
519
1
0
5
@gandu_whitehat
gandu
2 months
Projects : SonneFinance : Loss $20M. OnyxProtocol : Loss $2.1M. MidasCapitalXYZ : $600K.
1
1
5
@gandu_whitehat
gandu
1 year
@0x3b338 @immunefi I have two years of experience as a solidity developer
0
0
4
@gandu_whitehat
gandu
3 months
A while back, @kankodu published a thread explaining a new bug pattern. It showed how an attack could inflate prices even with internal tracking of totalAssets. The key requirement is having totalSupply = 1 and totalAssets = 2.
@kankodu
Kankodu
6 months
Here's a 🧵 about a bug pattern I've used to get paid across 5 bug reports totaling $150k. This very bug pattern has been the culprit behind significant hacks, leading to losses of $464k in Wise lending and a staggering $6M in MIM (the protocols I missed 😅)
5
41
220
1
0
4
@gandu_whitehat
gandu
2 months
@ranjan3118 Guptil - chahal ❎ Immunefi- gandu ✅
0
0
4
@gandu_whitehat
gandu
1 year
@0xMackenzieM @immunefi Hope soo 🤞 Soon will publish :)
0
0
3
@gandu_whitehat
gandu
3 months
Now the totalAssets would have been increased to 11+1 = 12, and totalSupply stays at 1+0 = 1. See the table below to see what happens if a user continues to deposit an amount = totalAssets - 1 in a loop. See below to visualize it. With only 75 loops, it increases to more than 10k ether
1
0
2
@gandu_whitehat
gandu
1 year
@nem_veer @SpearbitDAO Congratulations @nem_veer True inspiration !!
0
0
2
@gandu_whitehat
gandu
3 months
here, Specifically, if the user's balance after a burn or redeem operation is less than or equal to 10 Wei, their balance is set to zero, effectively turning the amount into dust.
1
0
2
@gandu_whitehat
gandu
3 months
This discrepancy is the main reason the system is attackable. How? Here's a detailed step-by-step explanation of how the bug can be exploited when the total supply of shares is zero, using two different accounts:
1
0
2
@gandu_whitehat
gandu
3 months
New Exchange Rate: The total amount of underlying tokens is 11 wei, and the total supply of shares is 1 wei. Therefore, the new exchange rate is 11:1 (11 underlying tokens for 1 share).
1
0
2
@gandu_whitehat
gandu
3 months
This led me to explore . While examining the Sovryn codebase, I discovered an issue in the burn function's dust amount calculation, which appeared to be to these attacks.
1
0
2
@gandu_whitehat
gandu
2 months
@GalloDaSballo
Alex the Entreprenerd
2 months
People that don't like when they bookmark
2
0
33
0
0
2
@gandu_whitehat
gandu
3 months
3. Account 1 initiates a redeem operation: • Account 1 then redeems 1 wei of tokens. After this operation, the balance of Account 1 is 10 Wei, which is at the dust threshold.
1
0
2
@gandu_whitehat
gandu
3 months
1. Account 1 deposits a small amount: • Account 1 deposits a small amount of underlying tokens into the pool, ensuring that the resulting balance will be just above the dust threshold. For example, Account 1 deposits 11 wei. Given the 1:1 ratio, Account 1 receives 11 shares.
1
0
2
@gandu_whitehat
gandu
3 months
Using this, the attacker can inflate the price of a share even if total assets are being tracked internally.
1
0
2
@gandu_whitehat
gandu
3 months
2. Account 2 Exploits the Dust Mechanism: • Account 2 deposits 1 wei of the underlying token. Account 2 gets 1 share, given the 1:1 ratio. This action is to manipulate the pool's state and take advantage of the dust amount created by Account 1.
1
0
1
@gandu_whitehat
gandu
3 months
4. Dust Mechanism Triggered: • The redeem function checks if the remaining balance of Account 1 is less than or equal to 10 wei. Since it is, the function sets Account 1's balance to zero and considers the remaining 10 wei as dust.
1
0
1
@gandu_whitehat
gandu
3 months
Final State: • Total shares: 1 wei (held by Account 2). • Total Deposits: 11 wei (10 wei from Account 1 + 1 wei from Account 2), due to the dust amount created when Account 1's balance was zeroed.
1
0
1
@gandu_whitehat
gandu
1 year
@BirnbaumPaulPro @immunefi Thank you! I submitted my 1st bug in August 2022 Before that, I was a solidity developer and had 2 years of experience.
0
0
1
@gandu_whitehat
gandu
3 months
Above, we have achieved the initial conditions where totalSupply = 1 and totalAssets = 11. Now, if a user deposits 1 wei of assets, the shares minted to them would be calculated as (amount * totalSupply) / totalAssets = (1 * 1) / 11 = 0.09, which rounds down to 0.
1
0
1
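The dust path from the thread above (steps 1-4, the 1 wei deposit that mints 0 shares, and the deposit-totalAssets-1 loop), together with the "mint some shares directly through code" recommendation from the Sonne/Onyx/Midas thread, as an added Python simulation. This is not Sovryn's contract, any of the affected protocols' code, or the author's own code: the Vault class, its method names, the exact dust rule it implements (a remaining share balance of at most 10 wei is zeroed and dropped from totalSupply while the assets backing it stay in the pool), the account names, the 1000 ether victim deposit and the 10**6 wei seed are all assumptions constructed for this example. It also models the plain donation variant on a balanceOf-tracked pool, which the thread contrasts with internal tracking, so the same harness shows why internal tracking alone is not enough and why a seeded supply bounds both paths.

```python
ETHER = 10**18
DUST_THRESHOLD = 10  # shares (wei); models the "<= 10 wei becomes dust" rule the thread describes


class Vault:
    """Toy share-based pool. Assumed semantics, not any real protocol's code.

    deposit : 1:1 when empty, else floor(amount * totalSupply / totalAssets)
    redeem  : pays floor(shares * totalAssets / totalSupply); if the caller's remaining
              share balance is <= DUST_THRESHOLD it is zeroed and dropped from totalSupply,
              while the assets backing it stay in the pool (the discrepancy the thread points at)
    internal_tracking : totalAssets is a storage counter, so donated tokens are ignored
    seed    : the protocol mints `seed` shares to itself at creation (the recommended fix)
    """

    def __init__(self, seed: int = 0, internal_tracking: bool = True):
        self.total_assets = seed
        self.total_supply = seed
        self.internal_tracking = internal_tracking
        self.balances: dict[str, int] = {"protocol": seed} if seed else {}
        self.net_paid: dict[str, int] = {}  # assets paid in minus assets received, per account

    def _pay(self, who: str, delta: int) -> None:
        self.net_paid[who] = self.net_paid.get(who, 0) + delta

    def deposit(self, who: str, amount: int) -> int:
        shares = amount if self.total_supply == 0 else amount * self.total_supply // self.total_assets
        self.total_assets += amount  # counted even when shares == 0: this is what the loop abuses
        self.total_supply += shares
        self.balances[who] = self.balances.get(who, 0) + shares
        self._pay(who, amount)
        return shares

    def donate(self, who: str, amount: int) -> None:
        """Plain token transfer to the pool; moves the price only if totalAssets is balanceOf-based."""
        self._pay(who, amount)
        if not self.internal_tracking:
            self.total_assets += amount

    def redeem(self, who: str, shares: int) -> int:
        bal = self.balances[who]
        if shares > bal:
            raise ValueError("insufficient shares")
        assets = shares * self.total_assets // self.total_supply
        self.total_assets -= assets
        self.total_supply -= shares
        remaining = bal - shares
        if remaining <= DUST_THRESHOLD:
            self.total_supply -= remaining  # dust shares disappear, their assets do not
            remaining = 0
        self.balances[who] = remaining
        self._pay(who, -assets)
        return assets

    def price(self) -> float:
        return self.total_assets / self.total_supply


def reach_initial_condition(v: Vault) -> tuple[int, int]:
    """Steps 1-4 of the thread. Returns (totalSupply, totalAssets); (1, 11) on an unseeded pool."""
    v.deposit("acct1", 11)  # 1: just above the dust threshold, 11 shares at 1:1
    v.deposit("acct2", 1)   # 2: the single share the attacker keeps
    v.redeem("acct1", 1)    # 3/4: 10 shares remain -> dust -> zeroed, 10 wei stay in the pool
    return v.total_supply, v.total_assets


def inflate(v: Vault, loops: int) -> int:
    """Deposit 1 wei, then totalAssets - 1 per loop. With totalSupply == 1 every deposit mints
    floor(amount / totalAssets) == 0 shares, so totalAssets roughly doubles each loop."""
    v.deposit("acct2", 1)
    for _ in range(loops):
        v.deposit("acct2", v.total_assets - 1)
    return v.total_assets


def run_dust_attack(seed: int = 0, loops: int = 75) -> dict:
    """Whole path against an internally tracked pool, then a 1000 ether victim deposit."""
    v = Vault(seed=seed, internal_tracking=True)
    initial = reach_initial_condition(v)
    inflated = inflate(v, loops)
    victim_shares = v.deposit("victim", 1000 * ETHER)
    price = v.price()
    v.redeem("acct2", v.balances["acct2"])
    profit = -(v.net_paid["acct1"] + v.net_paid["acct2"])  # both accounts belong to the attacker
    return {"initial": initial, "inflated_assets": inflated, "victim_shares": victim_shares,
            "price": price, "attacker_profit": profit}


def run_donation_attack(seed: int = 0) -> int:
    """Classic empty-vault variant on a balanceOf-tracked pool. Returns the victim's shares."""
    v = Vault(seed=seed, internal_tracking=False)
    v.deposit("attacker", 1)
    v.donate("attacker", 10_000 * ETHER)            # price is now 1e22 wei per share
    return v.deposit("victim", 10_000 * ETHER - 1)  # floor((1e22 - 1) * 1 / 1e22) == 0


if __name__ == "__main__":
    print(run_dust_attack(seed=0))        # victim gets 0 shares, attacker nets 1000 ether
    print(run_dust_attack(seed=10**6))    # victim gets shares, price stays ~1, attacker nets ~0
    print(run_donation_attack(seed=0), run_donation_attack(seed=10**6))
```

Two things the run makes visible: internal tracking blocks `donate()` but not the dust path, because `deposit()` still adds to totalAssets when it mints 0 shares, and seeding the supply in code (or burning initial LP) bounds the rounding loss per deposit to under one share, so 75 loops cannot move the price no matter how much the attacker deposits. Seeding only helps if every pool gets it, which is why the factory, not one live pool, is the place to put it.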
@gandu_whitehat
gandu
1 year
@FJollytesimal @vn_martinez_ @immunefi Words mean a lot ♥️ Thanks !!
0
0
0
@gandu_whitehat
gandu
2 years
@BowTiedHand @immunefi hey, happy to help ping me if you need anything thanks for the sweet suggestion.
1
0
1