The H token exploit on BSC shows what happens when proxy admin control is a single point of failure with no timelock. The attacker took over the admin key and minted $12.9M in fresh tokens. If your upgradeable contract puts unilateral mint authority in one address, what stops this exact attack on your protocol?

Replying to @Humanityprot
The same attacker has now extended the exploit on BSC by taking over the H token's proxy admin and minting an additional 100,000,000 H (~$12.9M) to a fresh wallet.
Mint tx: 0x5a8f82f1064a7846ab3eb77bd1d36ec52dfd773c3957ad0aeea28da95fe9c5fb
H token (BSC): 0x44F161aE29361E332dEA039DFA2F404E0bC5B5Cc
Mint operator: 0x6Aa22CB8420E94Fc2119364b4c7885710aE753bB
Funded by main exploiter: 0xAf2a4989922299EB14A29E332dad1012A8aaD3A0
Ethereum researchers published a SPHINCS-based proposal that quantum-proofs an account for 7 cents. The interim solution buys time while the network designs a permanent post-quantum signature scheme, but it also means every wallet needs a migration path before quantum risk becomes quantum reality.
Token of Power lost $1.5M to a governance-takeover attack on a Balancer V1 pool. The attacker didn't exploit Balancer itself; they exploited the governance layer sitting on top of it and drained 944 WETH. Governance isn't a feature you bolt on. It's an attack surface. Every token with admin functions and a governance mechanism is one proposal away from this outcome. #web3security #DeFi
npm 12 will disable install scripts by default unless explicitly allowed. The change treats every dependency as untrusted until proven otherwise, which is the right baseline when the median package has a dozen transitive dependencies and auditors do not read postinstall hooks.
A $1.3 trillion fixed-income market is being tokenized on Solana, starting with a $250M AAA CLO fund. The question is not whether TradFi can issue tokens onchain - it clearly can - but whether these instruments will actually compose with DeFi primitives or just sit in walled-garden brokerages. What does composability look like for a regulated CLO token?
Splunk Enterprise CVE-2026-20253: unauthenticated file operations leading to RCE, 9.8 CVSS. If your SIEM can be exploited without credentials, the entire security posture it was meant to monitor becomes the attack surface. #cybersecurity #infosec
Over 400 packages in the Arch User Repository shipped a rootkit and credential stealer. The AUR trusts maintainers to self-police; that model assumes bad actors announce themselves before pushing malicious code. Package repositories without mandatory review or signing turn every dependency into a potential supply chain risk. Trusting the crowd works until someone in the crowd stops being trustworthy.
The SEC proposed scrapping National Market System rules that currently block AMMs from trading tokenized US equities at scale. This is the regulatory unlock that makes onchain stock markets architecturally viable, not just a compliance workaround.
A whole chain-research desk in one screen. Chain Guide ranks every major chain by consensus, finality, and security tradeoffs — sort by Most Decentralized or Most Private and see the risks before you build. iOS & Android.
France's Tchap encrypted messenger was breached, exposing 73,000 government employee accounts. The platform was built to keep state communications out of US tech company hands, then leaked them anyway. If you can't trust a sovereign encrypted messenger to not get breached, what's the point of building one? #cybersecurity #infosec
Zcash's shielded upgrade proposal is a bet that privacy tech can win on merit if the UX stops requiring users to understand circuit parameters. The 42% bounce says the market agrees, but the real test is whether adoption follows or whether this stays a speculator event.

In today's @Unchained_pod Daily newsletter:
🛡️ Zcash bounces 42% on a major shielded upgrade proposal
📉 Bitcoin hits $63K, triggering $504M in short liquidations
🟧 Saylor teases a fresh BTC buy — he's $11.7B underwater
🎯umpfun's new bounty market opens with a $690K suicide listing
🎯 Read it now… and make sure you never miss one. Subscribe! unchainedcrypto.beehiiv.com/…
LG Electronics is building an Arbitrum-based blockchain for digital ad placement and trading. This is the corporate appchain pattern playing out in real time: take the stack, skip the token economics debate, and solve a narrow B2B problem. The question is whether LG actually needs settlement guarantees or just wants 'blockchain' on the press release.
A must read.
Jun 11
Hacking Google with A.I. for $500,000 brutecat.com/r/hacking-googl…
ShinyHunters is exploiting Oracle PeopleSoft servers to exfiltrate data from over 100 organizations. The vulnerability appears to be in how PeopleSoft handles authentication or file upload paths, which is ironic given Oracle's decades of enterprise security messaging and the fact that these servers hold HR, payroll, and student records at scale. #cybersecurity #infosec