Lead Security Researcher @KupiaSecurity

Joined December 2023
Marco Croc retweeted
We found that the hacker targeted a code section that was out-of-scope for the audit contest. Here's a comparison: this is the Dispatcher.sol from the April audit, and this is the Dispatcher.sol where the hack has happened. Notice the difference? As you can see, the Commands.KYBER_SWAP is not there in the scope of the audit contest codebase and it became an entry point for the attack 🚫
Marco Croc retweeted
Vyper just leveled up by joining the Ethereum Foundation’s bounty program! This is a great opportunity for developers to sharpen their security, something we always value in smart contract audits.
I'm super happy as it has been in the works for some months already, and now we can finally announce that Vyper is officially part of the EF bounty program! At Vyper, security is our top priority — so don't fear the snake 🐍, bounty hunters, embrace it. Your skills are about to be put to the ultimate test! PS: All the past Vyper reviews / audits can be found here: github.com/vyperlang/audits.
Marco Croc retweeted
Scams in crypto are real. Don't fall for unverified projects or too-good-to-be-true offers. Secure your wallet, enable multi-factor authentication, and stay informed to protect yourself. ethereum.stackexchange.com/q…
Marco Croc retweeted
πŸ” Inside Our Audit Process: Uncovering a Hidden Vulnerability in Curve Learn how our lead security researcher @malicator discovered a flaw in Curve Finance during an audit back in November 2023. This vulnerability could have unbalanced the pools by moving funds to the fee collector, potentially harming the protocol's reputation and affecting the price of CRV tokens. Let's dive into what happened and how it was fixed! πŸš¨πŸ‘‡ πŸ“š Behind the Scene Curve is a leading DeFi protocol with numerous Solidity-based forks such as Geode Finance, Ellipsis, and LeetSwap. These forks often inherit the strengths and weaknesses of the original protocol. During a routine assessment, @malicator discovered that Geode Finance, which uses the ERC1155 token gAVAX, had a weak spot in its withdrawAdminFees function πŸ›The Exploit The core of this bug was a reentrancy flaw. The withdrawAdminFees function did not have proper reentrancy locks, making it vulnerable to manipulation during token transfers. This could allow attackers to disrupt token balances and potentially drain the pool. 🧩 Step-by-Step Exploitation The attack relies on carefully crafted steps involving liquidity manipulation: 1. Prepare Tokens: Deposit one-sided liquidity using the add_liquidity function. 2. Remove Liquidity: Use remove_liquidity_imbalance, specifying a minimum ETH withdrawal amount (e.g., 1 wei) to trigger the fallback function. 3. Trigger Reentrancy: Within the fallback function (receive), call withdrawAdminFees. This exploit takes advantage of missing re-entrancy locks in the withdrawAdminFees function, temporarily disrupting the pool balance. It reduces the pool's token balance while causing little loss to the attacker (swap fee add/remove liquidity rounding). You can see that the balance has become lower than the balance state variable. πŸ’₯ Potential Impact This vulnerability could cause temporary but severe disruptions in token accounting within the pool. 
If used in conjunction with flash loans, the exploit could magnify the impact, allowing attackers to funnel significant amounts of tokens to the fee collector, putting user funds at risk. πŸ› οΈ How To Fixed It Immediate steps were taken to secure the vulnerable pools: - Enhanced Security: Reentrancy checks were added to key functions handling ETH and token transfers. - Permanent Fixes: Governance votes approved additional protections, to ensure functions such as withdrawAdminFees are no longer exploitable. These fixes restore the security of user funds and strengthen Curve's defenses against similar attacks. Our lead audit researcher also shared insights on this issue in his thread, providing additional context on the vulnerability. Kudos to our security researchers who work tirelessly to uncover these hidden threats! πŸ›‘οΈ Check out @malicator insight here: x.com/malicator/status/17853…
30 Apr 2024
🐞I reported a vulnerability in @CurveFinance and I am thrilled to share that I've been awarded a bug bounty of $250,000. 🧡
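An added illustration (not Curve's, Geode's or Kupia's code) of the mitigation the thread above describes: one nonReentrant lock shared by withdrawAdminFees and the liquidity-removal path, plus an invariant check on live versus recorded balances. The two-coin pool layout, the update/transfer ordering and the IToken interface are modelling assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative two-coin pool (coin 0 = ETH, coin 1 = a token). Added example,
// not Curve's, Geode's or Kupia's code; the update/transfer order is assumed.
interface IToken {
    function balanceOf(address a) external view returns (uint256);
    function transfer(address to, uint256 amt) external returns (bool);
}

contract GuardedPool {
    IToken public immutable token;
    address public feeCollector;
    uint256 public ethBalance;    // recorded balances, tracked separately from
    uint256 public tokenBalance;  // live balances so accrued fees can be measured
    uint256 private _lock = 1;

    // One lock shared by every function that moves ETH or tokens, so a
    // receive() fallback fired by the ETH send cannot re-enter the others.
    modifier nonReentrant() {
        require(_lock == 1, "reentrant call");
        _lock = 2;
        _;
        _lock = 1;
    }

    constructor(IToken t, address fc) { token = t; feeCollector = fc; }

    // Admin fees = whatever sits above the recorded balances. Without the
    // modifier this is the entry point the thread describes: called from the
    // withdrawer's receive() while removeLiquidityImbalance is mid-flight, it
    // would see the already-reduced tokenBalance and pay the gap to feeCollector.
    function withdrawAdminFees() external nonReentrant {
        uint256 tokenFees = token.balanceOf(address(this)) - tokenBalance;
        require(token.transfer(feeCollector, tokenFees), "token send failed");
        uint256 ethFees = address(this).balance - ethBalance;
        (bool ok, ) = feeCollector.call{value: ethFees}("");
        require(ok, "eth send failed");
    }

    function removeLiquidityImbalance(uint256 ethOut, uint256 tokenOut) external nonReentrant {
        ethBalance -= ethOut;      // effects before interactions
        tokenBalance -= tokenOut;
        (bool ok, ) = msg.sender.call{value: ethOut}(""); // may run receive()
        require(ok, "eth send failed");
        require(token.transfer(msg.sender, tokenOut), "token send failed");
        // cheap invariant: live balance must never drop below the recorded one
        require(token.balanceOf(address(this)) >= tokenBalance, "accounting broken");
    }
}
```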
Marco Croc retweeted
Can we do a bit of bragging here? We have nailed several public contests held by platforms like @sherlockdefi & @code4rena. Resting is not in our vocabulary. We keep grinding and grinding in every single contest we have participated in.
Marco Croc retweeted
Dear founders, teams & project leads: Here are 3 reasons why you should choose @KupiaSecurity for your audit services: ↓

1) Public Proven Expertise: Our team isn't just talking the talk - we're walking the walk. A standout example is the $250k reward @malicator - our lead security researcher - secured by identifying a critical vulnerability in @CurveFinance - one of DeFi's heavyweight protocols. This isn't just a win, but rather - a testament to our deep understanding and expertise in the field. Think about the hype your project could get from auditing with a team with such solid public proof of work - I mean, @CurveFinance isn't a small name in DeFi. Don't you want to brag about auditing with a team that responsibly disclosed a vulnerability in @CurveFinance? 👀

Moving on: ↓

2) Consistent Success In Bug Bounties: @KupiaSecurity isn't new to the spotlight. Our track record in bug bounty competitions speaks volumes - with multiple top placements that showcase our ability to pinpoint & mitigate vulnerabilities that others might miss. Some recent notable ones are:
-> We secured 1st place at the @telcoin audit contest on @sherlockdefi
-> We secured 5th place in the @Curvance contest at @cantinaXyz
And many more 🫡

3) Cost-Effective Audits: We believe that securing your project shouldn't break the bank. Compared to other top tier audit firms - Kupia offers the same high-level security audits at more affordable rates. We're here to protect your project and your budget 😉

As you know, in Decentralized finance (DeFi), securing protocols against vulnerabilities is an absolute necessity. At @KupiaSecurity we understand this better than anyone. Our team's unique blend of experience, demonstrated expertise, & dedication to quality makes us the go-to partner for your auditing needs. To crown it all - our top-tier quality services are relatively affordable: especially when compared to other top-tier quality audit firms. To get in-depth technical details of how we operate: visit our website linked in bio or PM directly via @KupiaSecurity 🫡
Marco Croc retweeted
2 Jun 2024
Because other avenues of handling this exploit closed, our team halted the sequencer to prevent additional funds bridging out. This was the last resort action to protect users on Linea. x.com/WuBlockchain/status/17…
Replying to @WuBlockchain
Linea Blockchain stopped producing blocks between 5081800 and 5081801 for about an hour. The reason is currently unknown.
Marco Croc retweeted
πŸ” We're on the hunt for a Head of Marketing to join KupiaSec! πŸš€ If you're passionate about blockchain, web3, and crafting innovative marketing strategies, we want to hear from you. Join us in securing the future of web3. #Web3 #MarketingJobs #BlockchainSecurity #JoinOurTeam
Marco Croc retweeted
I'm done with this crap. It's 2024, and L2s are still spewing the same bullshit about their core values being "permissionless" and "censorship-resistant" after being live for over a year but are still running centralised sequencers. Give me a break. They act all high and mighty, claiming to uphold these principles, but the moment it suits them, they flip the switch and keep the blockchain running their way. It's a joke. L2 folks, your claims of permissionless and censorship-resistance are nothing but a meme at this point.
2 Jun 2024
Replying to @LineaBuild
Linea's team made a decision to halt block production by pausing the sequencer and censor attacker addresses to protect the users and builders in our ecosystem. Like other L2s, we are still in the "training wheels" phase of existence, giving us safeguards to use.
Marco Croc retweeted
Gala Games has not publicly confirmed the identity or method of the exploit, but some community members claim Gala had said the attack was from a security contractor who slipped up after connecting to the wallet without a VPN. cointelegraph.com/news/gala-…
Marco Croc retweeted
Curve Finance awards dev $250K for finding reentrancy vulnerability cointelegraph.com/news/curve… #CurveFinance #Hackers #Hacks #Awards #Rewards
Marco Croc retweeted
Brothers Anton and James Peraire-Bueno arrested for a sophisticated $25M MEV-boost hack on April 2, 2023. collective.flashbots.net/t/p… Two MIT graduates now facing up to 20 years in prison. Caught laundering stolen crypto and googling how to do it. justice.gov/usao-sdny/pr/two…
16 May 2024
BlockThreat - Week 18, 2024 open.substack.com/pub/blockt…
Marco Croc retweeted
May 1, 2024: Need Cash Fast? 💸🙏 Three extraordinary ways Curve users found profit amidst chaos! Don't worry… we have no financial advice for you. Just three extraordinary tales of three Curve users enjoying unlikely profits! Behold… 🧵 1/12 👇
Marco Croc retweeted
Anyone could trigger it, but funds would go to fee receiver. After that, some recovery procedures would have been needed
Marco Croc retweeted
Was addressed some months ago. Went smooth, despite code not being upgradable by design. Although recovery would have been possible, I still decided to give a big bounty to incentivize future researchers and to set an example
Marco Croc retweeted
Replying to @malicator
Big thanks for the disclosure! Griefing attacks are not as dangerous (funds would be anyway recoverable, and no profit for attacker) - could have caused serious panic if happened. This is an example of a very professional work
30 Apr 2024
🐞I reported a vulnerability in @CurveFinance and I am thrilled to share that I've been awarded a bug bounty of $250,000. 🧡
30 Apr 2024
5️⃣ To shed light on this fascinating journey, I've written an in-depth article that dives into the nitty-gritty details of the vulnerability. Don't miss it! link.medium.com/BkflDhtWdJb
30 Apr 2024
6️⃣ I'm a lead security researcher at @KupiaSecurity. Follow me for more updates on my cybersecurity explorations and future bug bounty endeavors. kupia.io