Joined July 2024
Pinned Tweet
🛑BitsLab builds AI-driven security infrastructure for digital assets. We provide smart contract audits, penetration testing, formal verification, and AI-powered risk detection for Web3 teams, protocols, and enterprises.
✅ What to expect here:
🟠Security Alert
🟢Exploit Breakdown
🟣Audit Insight
🟡Security Methodology
Ecosystem: @MoveBit_ | @scalebit_ | @tonbit_
🛡️Website: bitslab.xyz
Have a Web3 security topic you’d like us to cover? Let us know in the comments.🙌
BitsLab retweeted
🚀Move Web IDE — latest release✅ Auto Completion is now live in the LSP WASM build. Get contextual suggestions as you type — keywords, variables, functions, structs, modules, and more. View symbol types, icons, signatures, and type details in the suggestion popup. 🔘Press Enter or Tab to complete. No install. No setup. Open and code.🙌 🔗ide.bitslab.xyz/ #Sui #Move #Web3 #DevTools
BitsLab retweeted
🚀 Move Web IDE — new release Outline View is now live in the LSP WASM build. Browse Move modules, structs, and functions from a single panel — pinned to the bottom-left of the editor. No install. No setup. Open and code. 🔗 movebit.xyz/MoveWebIDE #Sui #Move #Web3 #DevTools
BitsLab retweeted
The future of crypto isn't humans clicking "Confirm." It's agents executing on your behalf. But here's the problem: every AI agent today asks you to hand over your private keys. That's not autonomy — that's surrender.
Claw is built differently:
🔐 Key-sharding — no single point of failure, not even us
🤖 Policy-driven controls — agents act within limits you define
🛡️ Anti-phishing at the wallet layer — not your job to spot the scam
⛓️ Multi-chain, gasless, swap-routed across the best DEX aggregators
The agent economy is coming. The wallets we use today weren't built for it. Claw was.
→ clawwallet.cc
#AIAgents #Web3 #CryptoWallet #DeFi
🚨 BitsLab Research: One forged email is enough to hijack a nanobot agent. No clicks. No user interaction. No prior access. We disclosed CVE-2026-33654 — a zero-click Indirect Prompt Injection chained with Authentication Bypass in the Email Channel. Here's how it works 🧵👇
Tweet 11/12 Architectural takeaway for every AI Agent framework: Email, Webhooks, RSS — any async channel — cannot rely on claimed identity. They need cryptographically verifiable signals at the boundary. Trust must be earned at the door, not inherited from a header string.
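The principle in this tweet, that an async channel must verify a message cryptographically rather than believe its claimed sender, can be shown with a small admission check. This is an added illustration, not nanobot's code and not part of the thread: the envelope fields (`from`, `body`, `ts`, `sig`), the shared-secret HMAC scheme, the 300-second window and the sample messages are all assumptions chosen for the example.

```python
"""Admission check for an async agent channel (email, webhook, RSS): a
header-claimed sender is not trusted until the message carries a tag that
verifies. Constructed example; envelope shape, HMAC scheme and sample
messages are assumptions, not nanobot's code."""
import hashlib
import hmac
import json

# Constructed secret shared only with the party allowed to command the agent.
CHANNEL_SECRET = b"constructed-channel-secret-not-for-production"
MAX_SKEW_SECONDS = 300


def canonical(sender: str, body: str, ts: int) -> bytes:
    # JSON array encoding keeps field boundaries unambiguous ("a"+"bc" != "ab"+"c").
    return json.dumps([sender, body, ts], separators=(",", ":")).encode()


def sign_envelope(secret: bytes, sender: str, body: str, ts: int) -> str:
    return hmac.new(secret, canonical(sender, body, ts), hashlib.sha256).hexdigest()


def admit(secret: bytes, envelope: dict, now: int, seen=None):
    """Return (accepted, reason). Only a valid tag over (from, body, ts) admits a
    message; the From header on its own decides nothing."""
    for field in ("from", "body", "ts", "sig"):
        if field not in envelope:
            return False, f"missing {field}: claimed identity alone is not trusted"
    ts = envelope["ts"]
    if not isinstance(ts, int) or abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside acceptance window"
    expected = sign_envelope(secret, envelope["from"], envelope["body"], ts)
    # Constant-time comparison of the tags.
    if not hmac.compare_digest(expected, envelope["sig"]):
        return False, "signature does not verify"
    if seen is not None:
        key = (envelope["from"], ts, envelope["sig"])
        if key in seen:
            return False, "replay of an already-admitted message"
        seen.add(key)
    return True, "ok"


def demo() -> dict:
    """Run constructed messages through admit() and report which are accepted."""
    now = 1_700_000_000  # constructed clock value
    owner = "owner@example.test"
    seen = set()
    # 1. Forged email: correct From header, no tag at all.
    forged = {"from": owner, "body": "transfer funds to X", "ts": now}
    # 2. Forged email carrying a tag minted without the real secret.
    forged_sig = dict(forged, sig=sign_envelope(b"wrong-key", owner, forged["body"], now))
    # 3. Legitimate message signed by the secret holder.
    good = dict(forged, sig=sign_envelope(CHANNEL_SECRET, owner, forged["body"], now))
    # 4. Legitimate tag, body altered after signing.
    tampered = dict(good, body="transfer funds to Y")
    return {
        "forged": admit(CHANNEL_SECRET, forged, now, seen)[0],
        "forged_sig": admit(CHANNEL_SECRET, forged_sig, now, seen)[0],
        "good": admit(CHANNEL_SECRET, good, now, seen)[0],
        "replay": admit(CHANNEL_SECRET, good, now, seen)[0],
        "tampered": admit(CHANNEL_SECRET, tampered, now, seen)[0],
        "stale": admit(CHANNEL_SECRET, good, now + 3600, set())[0],
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:10s} accepted={accepted}")
```

Only the `good` message is admitted; the forged, re-signed, replayed, tampered and stale variants are all refused even though every one of them carries the owner's address in `from`. A deployment would replace the shared secret with whatever verifiable signal the channel actually offers (a signature the sender can produce and the agent can check), but the shape of the check at the boundary stays the same.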
🚨 INCIDENT REPORT — Verus-Ethereum Bridge $11.58M drained in a single transaction. ETH 1,625.37 · tBTC 103.57 · USDC 147,658 Not a signature bug. Not a reentrancy. It was a data-structure ambiguity that let the attacker walk through proof verification untouched. BitsLab breakdown 👇
The attacker took it one step further. They crafted the trailing reserveTransfers bytes so that — when the contract misreads them at the wrong offset as "hashReserveTransfers" — the value matches: keccak(serializedTransfers) = 0x00a37ecd...3d964581 Verification passes. Funds released.
Root cause stack:
🔴 Data structure ambiguity (supplemental vs full)
🔴 Fixed-offset parsing without flag validation
🔴 No binding between amounts and proof hash
Bridges aren't only vulnerable to logic bugs anymore. The next frontier is semantic mismatch between source and destination chains. Stay safe on-chain.
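The three root causes above (two layouts for one message, fixed-offset reads that never check the layout flag, and a commitment that leaves the amounts unbound) can be made concrete with a toy verifier. This is an added example, not Verus or bridge code and not part of the thread: the two layouts, the field names, the `FLAG_FULL` bit, the sample amounts and the use of SHA3-256 in place of keccak256 are all assumptions chosen for the illustration. The naive verifier accepts a message whose amounts were rewritten and reads a supplemental message's hash bytes as a count and an amount; the strict verifier selects the layout from the flag, insists on an exact length, and hashes every byte.

```python
"""Toy bridge-message verifier contrasting fixed-offset parsing with a
flag-validated parser whose commitment binds the amounts. Constructed
example: the two layouts, field names, FLAG_FULL and the use of SHA3-256
in place of keccak256 are assumptions, not Verus or bridge code."""
import hashlib
import struct

FLAG_FULL = 0x01   # assumed: bit 0 set => message carries its own transfer amounts
HASH_LEN = 32


def h(data: bytes) -> bytes:
    # SHA3-256 stands in for keccak256 (assumption; same 32-byte output shape).
    return hashlib.sha3_256(data).digest()


def encode_full(amounts) -> bytes:
    """Constructed 'full' layout: flags(1) | count(1) | count x amount(u64 big-endian)."""
    return bytes([FLAG_FULL, len(amounts)]) + b"".join(struct.pack(">Q", a) for a in amounts)


def encode_supplemental(transfer_hash: bytes) -> bytes:
    """Constructed 'supplemental' layout: flags(1) | hashReserveTransfers(32)."""
    return bytes([0x00]) + transfer_hash


# ---- naive verifier: ignores the flag, reads fixed offsets, binds no amounts ----
def naive_parse(msg: bytes):
    """Reads count at offset 1 and the first amount at offset 2 whatever the layout."""
    return msg[1], struct.unpack(">Q", msg[2:10])[0]


def naive_commitment(msg: bytes) -> bytes:
    # Only flags and count are covered; the amounts that follow are unbound.
    return h(msg[:2])


def naive_verify(msg: bytes, trusted: bytes) -> bool:
    return naive_commitment(msg) == trusted


# ---- strict verifier: layout chosen by the flag, exact length, amounts bound ----
class MalformedMessage(ValueError):
    pass


def strict_parse(msg: bytes) -> dict:
    if not msg:
        raise MalformedMessage("empty message")
    if msg[0] & FLAG_FULL:
        if len(msg) < 2:
            raise MalformedMessage("full layout without count")
        count = msg[1]
        if len(msg) != 2 + 8 * count:
            raise MalformedMessage("length does not match declared count")
        amounts = [struct.unpack(">Q", msg[2 + 8 * i:10 + 8 * i])[0] for i in range(count)]
        return {"layout": "full", "amounts": amounts}
    if len(msg) != 1 + HASH_LEN:
        raise MalformedMessage("supplemental layout must be exactly flags + hash")
    return {"layout": "supplemental", "hashReserveTransfers": msg[1:]}


def strict_commitment(msg: bytes) -> bytes:
    strict_parse(msg)   # reject ambiguous layouts and trailing bytes before hashing
    return h(msg)       # every byte, amounts included, is bound


def strict_verify(msg: bytes, trusted: bytes) -> bool:
    try:
        return strict_commitment(msg) == trusted
    except MalformedMessage:
        return False


def demo() -> dict:
    """Compare both verifiers on a legitimate message and on constructed variants."""
    legit = encode_full([1_000, 2_500])
    naive_root, strict_root = naive_commitment(legit), strict_commitment(legit)
    # Same flags and count, different amounts: the naive commitment cannot tell them apart.
    tampered = encode_full([10**9, 10**9])
    # A supplemental message handed to the fixed-offset reader: hash bytes come back as count/amount.
    supp = encode_supplemental(h(legit))
    return {
        "naive_accepts_tampered": naive_verify(tampered, naive_root),
        "strict_accepts_tampered": strict_verify(tampered, strict_root),
        "strict_accepts_legit": strict_verify(legit, strict_root),
        "strict_rejects_trailing": strict_verify(legit + b"\x00", strict_root),
        "naive_reads_supplemental_as": naive_parse(supp),
        "strict_reads_supplemental_as": strict_parse(supp)["layout"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The strict version fixes each item of the root-cause stack in one place: the flag decides the layout, the exact-length check removes any room for a second interpretation of the same bytes, and hashing the whole message ties the amounts to the commitment the proof is checked against.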