Joined January 2019
- Tweets 49
- Following 166
- Followers 59
- Likes 135
6 Photos and videos
🚨 Drift Protocol on Solana - Compromised, 250M$ Stolen 🚨
Statement from Drift:
"Earlier today, a malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift’s Security Council administrative powers.
This was a highly sophisticated operation that appears to have involved multi-week preparation and staged execution, including the use of durable nonce accounts to pre-sign transactions that delayed execution."
1
1
1
191
A quick recap of the Bybit hack to show the remarkable resemblance.
Bybit’s treasury, secured by a multi-sig account (Gnosis Safe), on Ethereum - hacked ($1.4B) by compromising the Gnosis Safe UI, delivering an obfuscated payload instead of a legitimate transaction to signers - the transaction looked like a regular transfer, but was in fact reassigning the ownership of the entire Safe to the attacker. This was amplified by the use of an “advanced feature” of the Gnosis Safe. The use of this advanced feature probably went unnoticed by the signers, most likely because the wallet software did not emphasize it (link in comments for previous post).
Now, Drift’s treasury, secured by a multi-sig account (Squads), on Solana - hacked by making 2 out of the 5 Squads admins sign a transaction that reassigned the ownership of the entire Squads mutil-sig to the attacker. This was amplified by the use of an “advanced feature” of Solana - Durable Nonces. And again, the use of this advanced feature probably went unnoticed by the signers, again - most likely because the wallet software did not emphasize its usage.
1
1
64
Before I go in depth to explain the booster rocket stage of the Durable Nonces and how some architectural design of this feature played a crucial part in the exploit, I would just like to bring attention to the fact that wallet software should do more and invest more in the display of the transactions being signed. If you can’t read the “fine print” of the transaction payload you are signing - might as well just sign with your eyes closed.
Read more on our blog:
utila.io/blog/drift-protocol…
Stay safe
19
21 Feb 2025
Holy sh!t
@safe multisig simulations are hard, especially when done in STDv4 setting, in those cases simulators should use the embedded `to`, `value` and `data` parameters - a zero value transfer(address,uint256) in this case - no simulation effects even, HOWEVER...
Bybit ETH multisig cold wallet just made a transfer to our warm wallet about 1 hr ago. It appears that this specific transaction was musked, all the signers saw the musked UI which showed the correct address and the URL was from @safe . However the signing message was to change the smart contract logic of our ETH cold wallet. This resulted Hacker took control of the specific ETH cold wallet we signed and transfered all ETH in the cold wallet to this unidentified address. Please rest assured that all other cold wallets are secure.
All withdraws are NORMAL.
I will keep you guys posted as more develops, If any team can help us to track the stolen fund will be appreciated.
etherscan.io/tx/0xb61413c495…
3
3
392
21 Feb 2025
There's only one thing worse than "no simulation" and that's "wrong simulation", I wonder how many wallets that simulate Safe's contract calls, flag contract calls with "operation = 1" as a parameter (instead 0).
This was literally a one bit attack.
🤯
1
1
121
21 Feb 2025
IMO this is an insecure design choice by the @safe team, `operation` should have never been a parameter to execTransaction method but should have been moved to its own execDangerousTransaction method to avoid UI/phishing attacks.
1
1
105
Sam Eiderman (sameid.eef) retweeted
27 Jan 2025
I agree, it's a purist approach
The alternative from UX perspective is to tell users: "just keep those keys somewhere less safe forever", which is always worse.
Better to allow import and set "imported: true; attestation: null"
1
1
288
15 Jan 2025
UPDATE:
PYUSD now migrated from betaDelegatedTransfer to transferWithAuthorization - consolidating the capabilities offered by USDC - a small win for standardization.
Even added transferWithAuthorization[Batch] to making batching simpler and not use an external contract.
9 Aug 2023
PayPal's PYUSD
For some reason, they implemented their own betaDelegatedTransfer[Batch] for gasless transfers instead of just implementing a 3-years old EIP-3009 - TransferWithAuth which does not use nonces
I would rather pay for that extra memslot than use nonces.
1
230
15 Jan 2025
Now can someone explain to me how USDT, the most popular stablecoin, does not get upgraded to support such capabilities as well...
147
Sam Eiderman (sameid.eef) retweeted
23 Dec 2024
Secure, seamless, and institutional-grade staking is now more accessible on TON with @utila_io
Utila Partners with Twinstake to Empower Institutions with TON Staking
We are excited to announce a strategic partnership with @twinstake_io - the leading institutional-grade, non-custodial staking provider. This collaboration combines Utila’s institutional crypto operations platform with Twinstake’s secure staking expertise to unlock seamless TON staking for institutions.
🔑 Key Benefits:
✅ Stake TON directly through Utila platform for a streamlined experience
✅ Robust security with MPC wallets & non-custodial staking infra
✅ Transparent transaction tracking via Utila’s mobile app and console
This partnership makes it easier than ever for institutions to capitalize on TON’s potential while maintaining the highest standards of security and compliance.
⏭️ Read the joint announcement here: utila.io/blog/utila-twinstak…
#TON #Staking #InstitutionalCrypto @ton_blockchain
33
170
251
25,453
Sam Eiderman (sameid.eef) retweeted
8 Jul 2024
We're excited to have @utila_io and @Protokols_io at our X Spaces 📡
Pre-save the link for tomorrow! 👇 x.com/i/spaces/1RDxllAAVXjxL
4
4
10
1,321
Sam Eiderman (sameid.eef) retweeted
4 Jul 2024
Get ready for our X Spaces with @utila_io, save the link for tomorrow!
👉 x.com/i/spaces/1mrxmyBdmmdxy
@Protokols_io will also join our discussion on privacy in DeFi and the Hinkal Lords Challenge 🗣️
PS: You can learn more about the challenge from @prz_chojecki's video! Click ⤵️
3 Jul 2024
Hinkal @hinkal_protocol is a protocol that makes your blockchain transactions anonymous.
> Trade on Uniswap
> Stake on Convex & Lido
> Yield Trade on Pendle
and more!
Watch my review here: youtube.com/watch?v=s_P1w4bY…
9
6
21
2,377
9 Aug 2023
PayPal's PYUSD
For some reason, they implemented their own betaDelegatedTransfer[Batch] for gasless transfers instead of just implementing a 3-years old EIP-3009 - TransferWithAuth which does not use nonces
I would rather pay for that extra memslot than use nonces.
2
382
2 Jul 2023
נשמה זה לא אני פוסל אותך
אלו הם חוקי הפרומפט
1
3
162
New Feature: Connect to Exchange Accounts!
You can now connect your accounts from your favorite exchanges and manage them directly from Utila’s platform.
Protect your funds and empower your team by enforcing spend limits, setting approval quorums or any other policy using Utila’s policy engine. Apply any policy to making transactions TO, FROM or WITHIN your exchange accounts without ever leaving the platform!
#madeforhumans #MPC
3
9
450
7 Jun 2023
Launching COINmunism - Algorithmic stablecoin that will really work this time, because all other attempts were not really a correct implementation
2
59
10 May 2023
The cycle will soon be complete:
1. Cryptographic secrets are used to verify identity on Bitcoin (aka private keys / seed phrases)
2. Backlash - "you can not expect your grandma to safely keep 12 words on a piece of paper, identities should be owned by BigCorp"
1/2
1
2
121
10 May 2023
3. Some services such as GitHub/Google workspace ask admins to backup login with pass codes to hard-verify idenitites
4. AI will soon be able to roam free on the internet 🚨
5. Soon we will all be "storing" secrets to verify we're not bots on the web 🤖
2/2
111