📑 Root cause analysis from past DeFi incidents.
Hope this stuff can help devs to avoid the same mistakes as much as possible.
Now covers 95 incidents.
#DeFi
#Web3
Hey, I have released my second web3 repo DeFiVulnLabs! ⭐️
This repo will help you learn common smart contract vulnerabilities using Foundry. It supports 16 test cases; I will add more in the future.
@gakonst
@brockjelmore
#web3sec
#foundry
We will start to release web3 security tutorials in DeFiHackLabs. To train more ppl into web3 sec.
The first series will be OnChain transaction debugging & writing p0c using Foundry. 😀
#1. Tools
#2. Warm up
#3. Writing p0c step by step
We will have English and Chinese version.
🔥Web3 Security Onboarding
Since the last time, 70+ DMs and many people who join the community often ask the same question:
"How can I learn web3 security?"
So, I have created an onboarding channel and added a lot of resources for them.
🤟
🔥[Release] DeFiVulnLabs Solidity Security Testing Guide.
🌀Supports 47 types of vulnerabilities.
🪧Includes vulnerability description, mitigation and how to test.
🔖:
I hope this stuff can help developers avoid the same mistakes as much as possible.
I made a simple one-page that includes root cause analysis and useful tools. Also, we have released a Mandarin version for root cause analysis.
✅ The Chinese version of the vulnerability analysis is done.
Thanks to @xrexinc security team!
Feel free to re-tweet, let's build a better DeFi!
📑I spent four whole weekends on my personal hackathon for a month, dedicating a total of 62.5 hours to auditing 8 protocols.
It was really fun to read through the code and find issues, and I learned a lot in the process.
Keep learning!🤟
#audit
Currently, we have around 74 web3 white hats in the community, which has increased by 50% in Q1. We are very happy to see so many talented people joining the web3 security industry.
Join us:
Next team event: we will play CTF by @numencyber
🔥I am ready to start writing "DeFiHackLabs Solidity Security Testing Guide".
Currently, it supports 47 types of vulnerabilities.
My todo:
1. Add missing vulnerability descriptions to the test cases written before.
2.Create a Notion version.
3.Create a PDF version.
🔥Root Cause Analysis Part 2 of Past DeFi Incidents.
We have covered another 101 incidents. We hope this information can help developers avoid making the same mistakes as much as possible.
👉
#Web3
#DeFi
⭐️DeFiVulnLabs - This repo will help you to learn common smart contract vulnerabilities using Foundry.
Supports 25 vulnerability types.
👉
#web3
#solidity
#security
🚀 DeFiHackLabs GitHub repository just hit 3K stars ⭐️
We couldn't have done it without the amazing contributions from our community. Thank you all for your hard work and support! 🙏
👉 Close to 200 past DeFi incidents and POCs for case studies.
📕Web3 Cybersecurity Academy - OnChain Transaction Debugging.
Lesson 4 - Write Your Own PoC (MEV bot)
We will use a MEV bot (private tx) for case analysis, and decompile the code to make a POC.
👉
Feel free to retweet and spread knowledge.
#web3sec
🔥 A new vulnerable type added: Phantom function in DeFiVulnLabs.
Phantom function: Accepts any call to a function that it doesn't actually define, without reverting.
👉
#web3sec
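The phantom-function pattern described above, as an added example that is not code from DeFiVulnLabs: a token whose fallback swallows an unknown `permit` selector, a depositor that trusts the silent success, and a hardened variant that proves the permit was applied. The `Depositor` contract, its function names and the nonce-based check are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not DeFiVulnLabs code; the Depositor contract and its names are assumptions.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}
interface IERC20Permit is IERC20 {
    function permit(address owner, address spender, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s) external;
    function nonces(address owner) external view returns (uint256);
}

// A token whose fallback accepts any selector: calling permit(...) on it "succeeds" but does nothing.
contract PhantomPermitToken {
    fallback() external payable {}
}

contract Depositor {
    mapping(address => mapping(address => uint256)) public deposited; // token => account => amount

    // Vulnerable: on a phantom token the permit call is a no-op, so transferFrom runs on any
    // approval `owner` already granted to this contract, and the deposit is credited to msg.sender.
    function depositWithPermitVulnerable(IERC20Permit token, address owner, uint256 amount, uint256 deadline, uint8 v, bytes32 r, bytes32 s) external {
        token.permit(owner, address(this), amount, deadline, v, r, s);
        require(token.transferFrom(owner, address(this), amount), "transfer failed");
        deposited[address(token)][msg.sender] += amount;
    }

    // Hardened: require evidence that the permit was processed (the owner's nonce advanced).
    // A phantom token returns no data from nonces(), so the ABI decoder reverts before any transfer.
    function depositWithPermitSafe(IERC20Permit token, address owner, uint256 amount, uint256 deadline, uint8 v, bytes32 r, bytes32 s) external {
        uint256 nonceBefore = token.nonces(owner);
        token.permit(owner, address(this), amount, deadline, v, r, s);
        require(token.nonces(owner) == nonceBefore + 1, "permit not applied");
        require(token.transferFrom(owner, address(this), amount), "transfer failed");
        deposited[address(token)][owner] += amount; // credit the signer, not the caller
    }
}
```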
📕Web3 Cybersecurity Academy - Enhancing user asset security
Lesson 1 by @evilcos @SlowMist_Team: Blockchain Dark Forest Selfguard Handbook.
This handbook is helpful in learning how to protect your funds and in implementing best security practices.
👉
🔥 DeFiHackLabs Repo has hit 4.7k stars and 400 PoCs.
Thanks to all contributors. 🫰
We see more than ten incidents each month, which indicates an unhealthy industry. Protocols must focus on security.🙏
MIMSpell - Arbitrary External Call Vulnerability
Lost: ~$17k
👉 PoC:
Please remember this pattern and avoid it.
At least 9 protocols have incurred a total loss of ~$4.1 million due to this vulnerability. 🧵
🚨Top5 crypto drainers you should know:
1. Venom drainer ~$27M
2. Monkey drainer ~$16.5M
3. Pussy drainer ~$14.2M
4. Inferno Drainer ~$7.1M
5. Pink drainer ~$1.7M
👇 You can follow up with stats on Dune in the thread.
🔥DarkCat progress updates:
Automatic PoC generator:
1. Rewrote the server in Node.js (it was Python before).
2. Use interfaces instead of low-level calls.
3. Support running forge test directly on the web.
Keep improving!
Web3 DevSecOps is very important!
I have learned a lot during the process of deploying the Protocol to the Mainnet recently.
I will share some thoughts on how to protect your protocol in 🧵
#web3sec
#devops
#sre
🥳👏 We are thrilled to welcome #DeFiHackLabs @1nf0s3cpt leading Whitehat community to our #BugBounty platform.
Their expertise and dedication to security will be invaluable in helping us identify and address vulnerabilities in #Web3. Let's work together to make #DeFi safer ⛑️
🔥 A new vulnerable type added: Unsafe downcasting in DeFiVulnLabs.
Unsafe downcasting occurs when downcasting from a larger integer type to a smaller one is done without checks, which can result in unexpected behavior.
👉
🧵Short analysis
#web3sec
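The unchecked downcast described above, as an added example that is not code from DeFiVulnLabs: a balance stored as `uint128` that silently truncates on deposit, beside a deposit that checks the range first. The vault layout and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not DeFiVulnLabs code; the uint128 accounting slot is an assumption.
contract DowncastVault {
    mapping(address => uint128) public balances; // narrowed to pack storage

    // Vulnerable: uint128(amount) keeps only the low 128 bits and never reverts.
    // Depositing 2**128 credits 0; depositing 2**128 + 1 credits 1. Any other path
    // that still reasons about the full uint256 `amount` now disagrees with storage.
    function depositVulnerable(uint256 amount) external {
        balances[msg.sender] += uint128(amount);
    }

    // Hardened: refuse values that do not fit before narrowing (the SafeCast approach).
    function toUint128(uint256 x) internal pure returns (uint128) {
        require(x <= type(uint128).max, "value exceeds uint128");
        return uint128(x);
    }
    function depositSafe(uint256 amount) external {
        balances[msg.sender] += toUint128(amount);
    }

    // Shows the truncation with no state involved: returns (0, 1).
    function truncationDemo() external pure returns (uint128 a, uint128 b) {
        a = uint128(uint256(1) << 128);       // 2**128 wraps to 0
        b = uint128((uint256(1) << 128) + 1); // 2**128 + 1 wraps to 1
    }
}
```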
🔥DeFiHackLabs monthly recap. We released 19 PoCs in July.
Contributors:
🥇 @gbaleeeee contributed to 9 of them.
🥈 @kam8617 contributed to 7 of them.
@eugenioclrc, Niluke and foxing.
👉 GitHub:
#web3sec
🔥 A new vulnerable type added: Empty loop in DeFiVulnLabs.
Empty loop: Due to insufficient validation, an attacker can simply pass an empty array to bypass the loop & signature verification.
👉
🧵 Short analysis
#web3sec
🔥Community Partners Announcement🚀
We extend our gratitude to our esteemed 22 partners for their unwavering support. The community shall persevere and flourish.
Please refer to this notion for the contributions made by our partners.
👉
🔥 A new vulnerable type added: Price manipulation in DeFiVulnLabs.
In the past, we have seen at least 10 or more hacking incidents targeting protocols that employ this pattern. It is strongly advised to avoid it.
👉
🧵Short analysis
#web3sec
We got 4th place in the @NUMEN 48-hour CTF contest 🚀 Made amazing new friends, learned a ton, and had a blast tackling challenges together 🌟
Our first community event playing
#CTF
was a huge success!
Can't wait for the next one! 🥳
#DeFiHackLabs
#web3security
#teamwork
🔥 A new vulnerable type added: 3⃣3⃣ ecrecover returns address(0) in DeFiVulnLabs.
If the v value isn't 27 or 28, ecrecover will return address(0).
👉
🧵Short analysis
#web3sec
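The two signature flaws above, the empty-loop bypass from the earlier tweet and ecrecover returning address(0) here, as one added example that is not code from DeFiVulnLabs: `Claim` compares the recovered address against a signer slot that may still be unset, `Multisig` loops over signatures with no minimum count, and each has a hardened variant. The contract names, storage layout and the (v, r, s) array calldata are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added example, not DeFiVulnLabs code; contract names and storage layout are assumptions.
contract Claim {
    address public signer; // assumed to be set by an admin later; address(0) until then
    mapping(address => bool) public claimed;
    // Vulnerable: v outside {27, 28} makes ecrecover return address(0), which equals
    // an unset `signer`, so anyone can claim before the signer is configured.
    function claimVulnerable(uint8 v, bytes32 r, bytes32 s) external {
        bytes32 digest = keccak256(abi.encodePacked(address(this), msg.sender));
        require(ecrecover(digest, v, r, s) == signer, "bad signature");
        claimed[msg.sender] = true;
    }
    // Hardened: validate v and never accept a zero recovery result or a zero signer.
    function claimSafe(uint8 v, bytes32 r, bytes32 s) external {
        require(v == 27 || v == 28, "bad v");
        bytes32 digest = keccak256(abi.encodePacked(address(this), msg.sender));
        address recovered = ecrecover(digest, v, r, s);
        require(recovered != address(0) && recovered == signer, "bad signature");
        claimed[msg.sender] = true;
    }
}

contract Multisig {
    mapping(address => bool) public isOwner;
    uint256 public immutable threshold;
    uint256 public executed; // stand-in for the privileged action
    constructor(address[] memory owners, uint256 threshold_) {
        for (uint256 i = 0; i < owners.length; i++) isOwner[owners[i]] = true;
        threshold = threshold_;
    }
    // Vulnerable: no minimum signature count, so an empty array skips the loop and runs the action with zero approvals.
    function executeVulnerable(bytes32 digest, uint8[] calldata v, bytes32[] calldata r, bytes32[] calldata s) external {
        for (uint256 i = 0; i < v.length; i++) require(isOwner[ecrecover(digest, v[i], r[i], s[i])], "not owner");
        executed++;
    }
    // Hardened: enforce the threshold; strictly ascending signers rule out duplicates
    // and, because `last` starts at address(0), a zero recovery result as well.
    function executeSafe(bytes32 digest, uint8[] calldata v, bytes32[] calldata r, bytes32[] calldata s) external {
        require(v.length >= threshold, "not enough signatures");
        address last;
        for (uint256 i = 0; i < v.length; i++) {
            address o = ecrecover(digest, v[i], r[i], s[i]);
            require(o > last && isOwner[o], "bad or duplicate signer");
            last = o;
        }
        executed++;
    }
}
```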
🫡 A victim's wallet got compromised; he DM'd me immediately. After guiding this victim, we rescued a total of $20,800.
The total loss was about $10,000.
Scammer's addresses:
0x2f59b36f9df917e1c19bba7a7fb2e70c262e1ad3
0x39cbef53fdca2b7c7ca4cd108739ec74a6318ac3
We are thrilled to announce that DeFiHackLabs has received its first sponsorship from SlowMist @SlowMist_Team @evilcos.
👇Learn more about our vision and mission.
🔥 A new vulnerable type added: 3⃣7⃣ abi.encodePacked() Hash Collisions in DeFiVulnLabs.
Using abi.encodePacked() with multiple variable length arguments can, in certain situations, lead to a hash collision.
👉
🧵Short analysis
#web3sec
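The collision described above, as an added example that is not code from DeFiVulnLabs: two dynamic address arrays hashed with `abi.encodePacked` collide when an element moves across the array boundary, while `abi.encode` keeps the boundary. The allowlist-digest framing and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not DeFiVulnLabs code; the admins/users digest use case is an assumption.
contract PackedCollision {
    // Vulnerable: abi.encodePacked drops the length of each dynamic array and just pads
    // every element to 32 bytes, so the boundary between `admins` and `users` is lost:
    // ([A, B], [C]) and ([A], [B, C]) produce identical bytes and an identical digest.
    function digestPacked(address[] memory admins, address[] memory users) public pure returns (bytes32) {
        return keccak256(abi.encodePacked(admins, users));
    }

    // Hardened: abi.encode keeps offsets and lengths, so moving an element across the
    // boundary changes the encoding and therefore the hash.
    function digestEncoded(address[] memory admins, address[] memory users) public pure returns (bytes32) {
        return keccak256(abi.encode(admins, users));
    }

    // Returns (true, false): the packed digests collide, the encoded ones do not.
    function collisionDemo() external pure returns (bool packedCollides, bool encodedCollides) {
        address[] memory a1 = new address[](2); a1[0] = address(1); a1[1] = address(2);
        address[] memory u1 = new address[](1); u1[0] = address(3);
        address[] memory a2 = new address[](1); a2[0] = address(1);
        address[] memory u2 = new address[](2); u2[0] = address(2); u2[1] = address(3);
        packedCollides = digestPacked(a1, u1) == digestPacked(a2, u2);
        encodedCollides = digestEncoded(a1, u1) == digestEncoded(a2, u2);
    }
}
```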
🔥Just finished DeFiHackLabs' first private online event.
Today's sessions:
1. Rescued over $600k for SushiSwap, sharing by @HYDNSecurity
2. Web3 Red Team Tactics, sharing by @fala133
Many alphas today. 🥳
📕Web3 Cybersecurity Academy - Enhancing user asset security
Lesson 3 by @GoplusSecurity: Learn Security Risks with a New Honeypot Scam.
Can you spot anything suspicious in the code?
Details 👉
Feel free to retweet and spread knowledge.
#web3sec
Uniswap V4’s “hooks” feature will allow future developers to create on-chain limit orders, automatic deposits to lending protocols, auto-compounded (LP) fees, and many other innovations...
👀It is interesting to check for bugs and issues.
🥇DarkCat - Blockchain Security Guardian in CodeQuest Security Hackathon organized by @Quill_Academy.
🎁 Reward: We got a @Phalcon_xyz 1-year Dev plan.
🔥Generate POC in 5 seconds.
🧵 This tool may be opened to security analysts [TBD]
Project participants:
@1nf0s3cpt
@0xknot
🔥DeFiHackLabs Website:
You can find our Discord, YouTube, Academy and GitHub on the website.
Currently, the community has more than 2,852 members and 155 whitehats.
🫡 Join us to build together!
🔥DeFiHackLabs Incentive Program
We want to encourage more people to join the Web3 security space and for security researchers to contribute more to the ecosystem. Therefore, we are launching an incentive program.
#web3sec
#BUIDL
📑Web3 Cybersecurity Academy - OnChain Transaction Debugging
Lesson 2: Warm up
We will introduce how to use block explorers Etherscan and Phalcon to analyze on-chain transactions and write simple tests using Foundry.
#web3sec
#foundry
⭐️To learn how to participate in a CTF contest, you must know how to utilize fork testing and broadcast your exploit on-chain. I use the Ethernaut challenges as an example.
👉Check ethernaut-foundry-solutions
🔥Added description for Read-only reentrancy in DeFiVulnLabs.
The Read-Only reentrancy is a flaw in smart contract design that allows attackers to exploit the "read-only" nature of a function to make unintended changes to the contract's state.
👉
Web3 Cybersecurity Academy - OnChain Transaction Debugging
Lesson 6 by @gbaleeeee: Write Your Own PoC (Reentrancy)
We use DFX Finance as an example to analyze cross-function Reentrancy.
👉
Feel free to retweet and spread knowledge.
#web3sec
#web3
📕Web3 Cybersecurity Academy - Enhancing user asset security
Lesson 7 by @ZenGo: Offline signatures can drain your wallet!
Check:
Part 1👉
Part 2👉
Feel free to retweet and spread knowledge.
#web3sec
Congrats to the DeFiHackLabs CTF team, which takes 3 spots in the top 5 🚀
ONLYPWNER is a platform focused on the security aspects of Ethereum and EVM smart contracts! Hands-on with real-world challenges:
🌟2023 Year-End Recap - Happy New Year!
Summary of my Web3 security achievements in 2023
DeFiHackLabs - compared to the end of 2022.
Stars from 2,000 to 4,332
Commits from 580 to 1,668
Incidents covered from 146 to 335
Contributors from 23 to 61
🧵(1/14)
A project on zkSync raised 921 ETH ($1.7M) in a token sale, but funds are stuck forever in the smart contract.
The transfer() function works on Ethereum and other EVM chains, but not on zkSync.
🔥 A new vulnerable type added: 3⃣8⃣ Struct Deletion Oversight in DeFiVulnLabs.
Incomplete struct deletion leaves residual data. If you delete a struct containing a mapping, the mapping won't be deleted.
👉
🧵Short analysis
#web3sec
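The deletion oversight described above, as an added example that is not code from DeFiVulnLabs: a struct with a nested mapping whose `delete` leaves every balance in place, beside a close that clears the tracked keys first. The `Vault` layout, the depositor key list and the function names are assumptions; amounts are accounting only.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not DeFiVulnLabs code; the Vault layout and function names are assumptions.
contract VaultRegistry {
    struct Vault {
        address owner;
        mapping(address => uint256) balances; // nested mapping: `delete` skips this member
    }
    mapping(uint256 => Vault) private vaults;
    mapping(uint256 => address[]) private depositors; // keys recorded so they can be cleared later

    function deposit(uint256 id, uint256 amount) external {
        Vault storage v = vaults[id];
        if (v.owner == address(0)) v.owner = msg.sender; // first depositor opens the vault
        if (v.balances[msg.sender] == 0) depositors[id].push(msg.sender);
        v.balances[msg.sender] += amount;
    }

    function balanceOf(uint256 id, address user) external view returns (uint256) {
        return vaults[id].balances[user];
    }

    // Vulnerable: `delete` resets `owner` but leaves every balances entry intact, so the
    // old balances are inherited by whoever opens vault `id` next.
    function closeVulnerable(uint256 id) external {
        require(msg.sender == vaults[id].owner, "not owner");
        delete vaults[id];
    }

    // Hardened: zero each recorded key, then delete the key list and the struct.
    function closeSafe(uint256 id) external {
        Vault storage v = vaults[id];
        require(msg.sender == v.owner, "not owner");
        address[] storage keys = depositors[id];
        for (uint256 i = 0; i < keys.length; i++) delete v.balances[keys[i]];
        delete depositors[id];
        delete vaults[id];
    }
}
```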
The DeFiVulnLabs repository just hit a major milestone of 1K stars🌟! 🚀
Welcome everyone to contribute together if you want to add an unlisted vulnerable type.
#web3sec
🪧DeFiHackLabs web3sec community has generated two teams🚀
🔥Audit team - Team lead:
@akshaysrivastv
We are fortunate to have one of the best mentors coaching us.
🔥CTF team - Team lead:
@vinami
We are going to have a lot of fun in the CTF.
I’m honored to be one of the members. Everyone has the same goal: to make the Crypto industry more secure. DeFiHackLabs has always been committed to this belief.
Thanks @samczsun
🔥
I'm back, did you miss me? I have some huge news!
Over the last year and a half, I've been working on something big in secret with the rest of the crypto security community. Today, we're finally ready to reveal ourselves to the world. We are @_SEAL_Org
🔥 A new vulnerable type added: 4⃣0⃣ txGasPrice manipulation in DeFiVulnLabs.
Manipulation of the txGasPrice value can result in unintended consequences and potential financial losses.
👉
🧵Short analysis
#web3sec
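The tx.gasprice dependence described above, as an added example that is not code from DeFiVulnLabs: a relayer refund computed from `tx.gasprice`, which the caller chooses, beside a refund that caps the price used for accounting. The relayer-refund design, the cap and the constants are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not DeFiVulnLabs code; the relayer-refund design and the cap are assumptions.
contract GasRefunder {
    uint256 public constant MAX_GAS_PRICE = 100 gwei; // ceiling used for refund accounting
    uint256 public constant BASE_OVERHEAD = 21_000;   // intrinsic gas that gasleft() never sees
    mapping(address => uint256) public owed;
    uint256 public counter; // stand-in for the relayed work

    // Vulnerable: the refund scales with tx.gasprice, a value the caller sets freely.
    // A relayer submitting at an inflated gas price is credited far more than the
    // work cost, and the refund pool pays the difference.
    function relayVulnerable() external {
        uint256 gasStart = gasleft();
        counter++;
        uint256 gasUsed = gasStart - gasleft() + BASE_OVERHEAD;
        owed[msg.sender] += gasUsed * tx.gasprice;
    }

    // Hardened: account at min(tx.gasprice, cap). A cap relative to block.basefee is the
    // other common design; either way the caller no longer controls the multiplier.
    function relaySafe() external {
        uint256 gasStart = gasleft();
        counter++;
        uint256 gasUsed = gasStart - gasleft() + BASE_OVERHEAD;
        owed[msg.sender] += gasUsed * cappedPrice(tx.gasprice);
    }

    function cappedPrice(uint256 gasPrice) public pure returns (uint256) {
        return gasPrice < MAX_GAS_PRICE ? gasPrice : MAX_GAS_PRICE;
    }
}
```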
Two weeks ago, about 80 ppl DM'd me, and I shared resources on smart contract security with them. Last week, I created a TG channel to help them. Let's see how things will turn out in a month.
Current role distribution:
34% web3 sec
23% web3 dev
8% web2 dev
8% web2 sec
27% Others
Learn CosmWasm's common vulnerabilities.
A new vulnerability type will be added at least every week.
Contributed by whitehat @pun1sh3ll of DeFiHackLabs.
#CosmWasm
#DeFiVulnLabs
🔥After a long wait, the Spanish version of "101 Root Cause Analysis of DeFi Hacks" is finally out.
Thanks to @PolGallardo_ for the translation.
👉 Spanish version:
In 2 hours, my project @UnitasProtocol will start the audit contest on @sherlockdefi. I would like to invite all of you to join and participate in the audit. Have fun!
👉Check
Finally, we got 6th place in the MetaTrust CTF. The competition is getting more exciting with more skilled participants. 🫡
We still need more cybersecurity talent for the web3 industry.
👉 Join the DeFiHackLabs web3sec community:
🔥DeFiHackLabs' monthly recap: We released 13 PoCs in March.
Contributors:
@kam8617 and bznsix each contributed to 4 of them, followed by @0xsha, QiLOL, xkwang91, bixia and @akshaynexust.
⭐️DeFiHackLabs monthly recap.
We released 18 PoCs in December, of which 14 incidents happened this month.
🏆 MVP: @gbaleeeee contributed 12 PoCs.
🔥Check p0c:
#web
#web3sec