bug hunter | attack tracer | Defi developer | t.me/EthSecurity1

Joined August 2017
EthSecurity retweeted
Use this list of fantastic telegram channels I've put together in order to discover them as your own personal Web3-Google! Feel free to use this folder to onboard your non-web3 friends to Web3, as the majority of the channels are maintained by independent researchers. There are also additional channels for news, CT reviews, and more!
EthSecurity retweeted
MCP security issues are well-documented, and now new defensive tools and testing strategies are emerging to help developers secure their implementations. 🧵
Level up your blockchain security skills with hands-on shadow audits of real-world smart contracts. Get instant AI-powered feedback and track your progress. secudoku.statemind.io/

The hacker behind the Nomad hack has been arrested. Poor guy, he is responsible for hacking $2.8M. Hundreds of wallets participated in the Nomad bridge exploit. He is 47 years old and going to jail for 50 years. Note: do not change your name when leaving Israel.
EthSecurity retweeted
1inch market maker @trustedvolumes got hacked for over $4.5M and a few smaller MMs got hacked for $0.5M yesterday. The root cause is that 1inch calls the MM contract's resolveOrders function to get funds to its settlement contract. Most bots only checked the msg.sender = settlement contract - and unfortunately there was an arbitrary call vulnerability in the settlement contract. Thus the hacker could forge a resolveOrders call and drain MM contracts. The funny thing is the hacker incorrectly transferred half of the stolen funds to the 1inch settlement contract, making the funds available for everyone to grab, and he spent quite some time to get the funds back. We were trying to compete but the hacker got it first unfortunately.
6 Mar 2025
At 23:00 CET on 05.03.25, the 1inch team discovered a vulnerability in resolver smart contracts using the obsolete Fusion v1 implementation. No end-user funds were at risk—only resolvers using Fusion v1 in their own contracts.
EthSecurity retweeted
⚠️A critical vulnerability (GHSA-vjh7-7g9h-fjfh) has been discovered in the widely-used elliptic encryption library. 😈Attackers can exploit this flaw by crafting specific inputs to extract private keys with just a single signature, potentially compromising digital assets or identity credentials. ✍️In our latest article, we break down the vulnerability—its root cause, impact, and how to mitigate the risks. ❤️Special thanks to @Rabby_io for providing the vulnerability intelligence. 🔗Read the full analysis here: slowmist.medium.com/private-…
EthSecurity retweeted
16 Feb 2025
Certik makes 50.000.000 USD with token audits every year. We tend to think that contests are a good representation of the overall security market, but there is so much more than that.
Rounding Errors For Auditors: 33audits.hashnode.dev/roundi…
RCE bug in Cosmos SDK: maxwelldulin.com/BlogPost/st…

Defence against ERC4626 inflation attacks: blog.openzeppelin.com/a-nove…
Diamond storage walkthrough: gist.github.com/banteg/0cee2…

EthSecurity retweeted
27 Aug 2024
Check out the latest post on the MixBytes blog! Dive into the security and framework of the Morpho Blue lending protocol and gain insights into its architecture and implementation: mixbytes.io/blog/modern-defi…
Ronin bridge was hacked for 4000 ETH by a Mevbot frontrunner. TX: app.blocksec.com/explorer/tx…

EthSecurity retweeted
Denial-of-Service Attack caused by nonReentrant modifier

The nonReentrant modifier is designed to prevent reentrancy attacks by ensuring that certain functions cannot be called again until the current execution is completed. In a reentrancy attack, an attacker can recursively call a contract's function before the previous call is completed, leading to unexpected behavior or manipulation of the contract's state. This can result in severe vulnerabilities, such as draining funds from a contract. By using a nonReentrant modifier, developers can ensure that a function cannot be re-entered while it is still executing.

Here is an example of a custom nonReentrant modifier for clarity:

However, the contracts in our examples use OpenZeppelin's ReentrancyGuard implementation, which is a standard and reliable solution.

When a nonReentrant modifier is misused or misunderstood, it can inadvertently block legitimate access to a contract's functions, leading to a form of DoS attack. This can happen if the modifier is applied too broadly or if it is applied to functions that should remain callable under normal circumstances.

Consider a scenario where the nonReentrant modifier is misapplied, leading to a situation that could be interpreted as a DoS attack:

As you can see, the withdraw and updateBalanceInfo both have the "nonReentrant" modifier. If now the withdraw function is called it will invoke the updateBalanceInfo function but it will revert because of the nonReentrant modifier.
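The self-inflicted lock described in the retweeted post above, as an added example that is not part of the original post or its author's code. `Guard`, `BrokenVault`, `FixedVault` and the function bodies are hypothetical; only the names `withdraw`, `updateBalanceInfo` and `nonReentrant` come from the post, and a minimal custom guard stands in for OpenZeppelin's ReentrancyGuard so the file compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Constructed illustration: Guard, BrokenVault and FixedVault are hypothetical names.
abstract contract Guard {
    uint256 private _locked = 1; // 1 = free, 2 = a guarded function is executing
    modifier nonReentrant() {
        require(_locked == 1, "reentrant call");
        _locked = 2;
        _;
        _locked = 1;
    }
}

// Misapplied guard: withdraw() takes the lock, then calls another guarded function.
contract BrokenVault is Guard {
    mapping(address => uint256) public balances;
    mapping(address => uint256) public lastUpdate;

    function deposit() external payable { balances[msg.sender] += msg.value; }

    function updateBalanceInfo(address user) public nonReentrant {
        lastUpdate[user] = block.timestamp;
    }

    function withdraw(uint256 amount) external nonReentrant {
        balances[msg.sender] -= amount;
        updateBalanceInfo(msg.sender); // lock is already held, so this always reverts
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

// Corrected: only external entry points take the lock; shared logic is internal.
contract FixedVault is Guard {
    mapping(address => uint256) public balances;
    mapping(address => uint256) public lastUpdate;

    function deposit() external payable { balances[msg.sender] += msg.value; }

    function _updateBalanceInfo(address user) internal { lastUpdate[user] = block.timestamp; }
    function updateBalanceInfo() external nonReentrant { _updateBalanceInfo(msg.sender); }

    function withdraw(uint256 amount) external nonReentrant {
        balances[msg.sender] -= amount; // effects before the external call
        _updateBalanceInfo(msg.sender);
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

A unit test that deposits and then calls `withdraw` on each contract shows the difference: every `BrokenVault.withdraw` call reverts with "reentrant call", so deposited funds are stuck, while `FixedVault.withdraw` succeeds and still rejects a re-entrant call from the recipient.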
reports.yaudit.dev/reports/0… Auditors mentioned sone finance unclear approach!

EthSecurity retweeted
On March 26, I found a serious vulnerability in the Binance Proof of Reserves (PoR) protocol and disclosed it to the team. Here's the report on the vulnerability: leku.blog/binance_vuln/ More on that ⬇️

EthSecurity retweeted
Want to read about how we discovered that the foundational invariant of the Maker protocol was not, in fact, an invariant using @certora tech? Well, today you are in luck: hackmd.io/@SaferMaker/DAICer…
EthSecurity retweeted
30 Apr 2024
5️⃣ To shed light on this fascinating journey, I've written an in-depth article that dives into the nitty-gritty details of the vulnerability. Don't miss it! link.medium.com/BkflDhtWdJb