Decurity @DecurityHQ Twitter profile

Last Seen Profiles

@chiho_0109

@KorhanDeniz

@Cc1230817

@ana_ayman1

@mouzlt

@veganomi

@Mattbklee

@SiMcderm

@Melaksei

@ChristalSa27524

@LisaOwen326457

@santhoshman123

@Cc1230817

@LEODMZC

@LaPepena

@pijush357ray

@IvyWilliam26737

@lKLDz

@IvyWilliam26737

@tansdesty

@Xcxcunt1Xcxcunt

@IvyWilliam26737

@sitm_hsbflash

@coveo

@Jeff_Wilson_

@KassandraS45380

@A_hashlan

@misuzusefu60073

@HAYLEYWlLLIAM

@hibaro2005

@dinobabycute

@tobrut_only

@inariVLR

@michellemcb2530

Decurity

@DecurityHQ

1 year

This is a story about how we found a critical vulnerability in @dxsale , helped rescuing more than $5 million, and got offered a $500 bounty.

Dx Protocol Vulnerability Disclosure: Mitigation of a $5,200,000 Smart Contract Exploit

A curious story about how our researcher looked up a seemingly random smart contract and ended up saving $5,200,000 USD a few hours later

blog.decurity.io

16

19

117

Decurity

@DecurityHQ

4 months

bridge was exploited for ~8M USD. The root cause is a possibility of an arbitrary call with user controlled data via `depositToGasZipERC20()` in GasZipFacet which was deployed 5 days ago! One of hack txs:

15

20

82

Decurity

@DecurityHQ

1 year

pETH belonging to @JPEGd_69 has just been exploited for 11 million USD with a Curve read only reentrancy. An attacker was frontrunned by a MEV-bot: A screenshot from our monitoring system:

4

30

75

Decurity

@DecurityHQ

7 months

🔬New tool for onchain bug hunters: tx-coverage allows to reveal unused code of live smart contracts by collecting coverage from historical transactions. With it you can discover code that was never executed onchain and may contain potential bugs.

3

10

75

Decurity

@DecurityHQ

1 year

c0ffeebabe.eth executed a front-run hack for 1.9k $ on pbtc-sbtc-f Curve pool compiled with vulnerable Vyper 0.2.15: This time a reentrancy was possible due to a ERC-777 callback in sBTC instead of a fallback on eth transfer.

3

8

67

Decurity

@DecurityHQ

7 months

. @PrismaFi hacked for 8 million USD

Attack Transaction: 0x00c503b595946bccaea3d58025b5f9b3726177bbdc9674e634244135282116c7 on mainnet

Details and analysis of attack transaction 0x00c503b595946bccaea3d58025b5f9b3726177bbdc9674e634244135282116c7 on mainnet

defimon.xyz

3

11

38

Decurity

@DecurityHQ

1 year

Looks like Tornado Governance got eventually exploited:

Ethereum Transaction Hash (Txhash) Details | Etherscan

Ethereum (ETH) detailed transaction info for txhash 0x65fa5b475f34a954a10f88f2c84f316a048a0e67d273c7abb098717b1a4a46a3. The transaction status, block confirmation, gas fee, Ether (ETH), and token...

etherscan.io

Spreek

@spreekaway

1 year

Possible governance attack (?) underway at TORN. Someone creating hundreds of contracts atomically and then passing zero TORN transfers through before transferring on to gov vault, very weird activity.

9

23

101

4

7

29

Decurity

@DecurityHQ

1 year

Looks like @OnyxProtocol has been exploited for $2 million!

Attack Transaction: 0xf7c21600452939a81b599017ee24ee0dfd92aaaccd0a55d02819a7658a6ef635 on mainnet

Details and analysis of attack transaction 0xf7c21600452939a81b599017ee24ee0dfd92aaaccd0a55d02819a7658a6ef635 on mainnet

defimon.xyz

6

10

31

Decurity

@DecurityHQ

2 years

Our audit reports for the @1inch Fusion contracts are out now! During development and testing, the 1inch contributors' team has resolved the following issues reported by us: ✅ 3 high severity bugs ✅ 1 medium severity bug ✅ 7 low ✅ 16 info Check it out:

7

9

26

Decurity

@DecurityHQ

1 year

We continue our series of the articles on the security of the DeFi patterns, this time we examined the common vulnerabilities in the AMMs. Check it out:

Typical vulnerabilities in AMM protocols

This article discusses the fundamental security aspects of the AMM (automatic market maker) protocols.

blog.decurity.io

4

11

29

Decurity

@DecurityHQ

6 months

Today we detected an exploit targeting @SonneFinance Comptroller contract on the Base chain deployed by a Tornado funded address that could drain other markets.

Exploit Contract: 0xf460163b44b8bfeb05aaf6e651ae513a70475c9e on base

Details and analysis of exploit contract 0xf460163b44b8bfeb05aaf6e651ae513a70475c9e on base

defimon.xyz

3

5

27

Decurity

@DecurityHQ

11 months

Elephant Money Treasury @ElephantStatus has just been hacked for $114k!

Attack Transaction: 0xd423ae0e95e9d6c8a89dcfed243573867e4aad29ee99a9055728cbbe0a523439 on bsc

Details and analysis of attack transaction 0xd423ae0e95e9d6c8a89dcfed243573867e4aad29ee99a9055728cbbe0a523439 on bsc

defimon.xyz

1

4

26

Decurity

@DecurityHQ

1 year

Our monitoring solution detected an exploit that stole 20 000 USDT from an unlucky smart contract developer.

1

2

27

Decurity

@DecurityHQ

1 month

. @OnyxProtocol has experienced an exploit: $3.2 million lost from oVUSD lending market.

Attack Transaction: 0x46567c731c4f4f7e27c4ce591f0aebdeb2d9ae1038237a0134de7b13e63d8729 on mainnet

Details and analysis of attack transaction 0x46567c731c4f4f7e27c4ce591f0aebdeb2d9ae1038237a0134de7b13e63d8729 on mainnet

defimon.xyz

8

2

24

Decurity

@DecurityHQ

4 months

. @DefiPlaza have been hacked for nearly $200k. Luckily an MEV-bot front-runned the original attacker. Original attacker:

1

4

22

Decurity

@DecurityHQ

3 months

. @Convergence_fi hacked for $200k! The vulnerable contract was deployed 17 days ago and was intended to distribute CVX rewards.

Attack Transaction: 0x636be30e58acce0629b2bf975b5c3133840cd7d41ffc3b903720c528f01c65d9 on mainnet

Details and analysis of attack transaction 0x636be30e58acce0629b2bf975b5c3133840cd7d41ffc3b903720c528f01c65d9 on mainnet

defimon.xyz

1

5

21

Decurity

@DecurityHQ

5 months

📣 New Solidity semgrep rule: `oracle-uses-curve-spot-price` Detects vulnerable price oracles that rely on Curve's get_p() which was the root cause of the $22 million @UwU_Lend hack. Check it out:

GitHub - Decurity/semgrep-smart-contracts: Semgrep rules for smart contracts based on DeFi exploits

Semgrep rules for smart contracts based on DeFi exploits - Decurity/semgrep-smart-contracts

github.com

1

5

20

Decurity

@DecurityHQ

1 year

Yesterday we prevented an exploit on protocol after we noticed a suspicious contract that created a governance proposal which turned out to be malicious.

Exploit Contract: 0x0d88d9dfa623e93f7f41c19051d50d1d24e20140 on bsc

Details and analysis of exploit contract 0x0d88d9dfa623e93f7f41c19051d50d1d24e20140 on bsc

defimon.xyz

1

2

20

Decurity

@DecurityHQ

1 year

🔥 A new article is hot off the press! This time we delved into the security of the Liquid Staking Derivatives (LSD) protocols, check it out:

Typical vulnerabilities in LSD protocols

In this article, we will examine the security aspects of widely used Liquid Staking Derivatives (LSD) protocols.

blog.decurity.io

1

6

17

Decurity

@DecurityHQ

11 months

@ElephantStatus The root cause of the vulnerability is the same as in another hack that happened today with @BEARNDAO : no slippage protection on swap!

1

2

18

Decurity

@DecurityHQ

1 year

USDTStakingContract28 lost 21k USDT to a Tornado funded attacker who exploited an unprotected token approval to any address in the function `tokenAllowAll`

3

2

13

Decurity

@DecurityHQ

7 months

This is our first security review in the @Scroll_ZKP ecosystem. Feel free to get in touch with us for audit if you're launching a project on Scroll!

Bungee

@BungeeExchange

7 months

The wait is over! @Scroll_ZKP is now live, bringing the fastest bridging experience to Scroll on your favourite app 💛 Shoutout to @DecurityHQ for a super-fast audit & helping us ensure the highest security for our users.

26

46

329

0

3

15

Decurity

@DecurityHQ

8 months

We are glad to announce that @unoreinsure has finished an audit with us. Here is a technical analysis of a potentially exploitable vulnerability found in the VotingEscrow contract of the Uno Re DAO. 🧵👇

Uno Re DAO

@unoreinsure

8 months

Thanks to the awesome team at @DecurityHQ for flagging an issue with the way our yieldDistributor contracts were configured to work with the vote escrow contracts, potentially allowing users to reduce their lock time and still continue streaming their rewards. However, this

1

3

32

2

7

16

Decurity

@DecurityHQ

1 year

Our monitoring system has detected another deflationary token attack: An attacker called `deliver` function to shrink `_rTotal` value which increased the BUNN token balance of the Pancake pair and allowed them to perform the swap with 52 BNB profit

3

2

16

Decurity

@DecurityHQ

1 year

A contract of @cexiswap has been hacked for 30k USDT by exploiting an unprotected initialize() funtion. The attacker became the owner of the contract and called upgradeAndCall() which transferred USDT out of the vulnerable contract.

Exploit Contract: 0x8c425ee62d18b65cc975767c27c42de548d133a1 on mainnet

Details and analysis of exploit contract 0x8c425ee62d18b65cc975767c27c42de548d133a1 on mainnet

defimon.xyz

0

5

15

Decurity

@DecurityHQ

1 year

Yesterday several staking contracts were exploited using the same attack vector: ⚠️ @FloorDAO lost 65k$ ⚠️ @heavensgatev3 lost 10k$ ⚠️ @jumpfarm lost 4k$ ⚠️ @QuantumWN lost 1k$

1

5

15

Decurity

@DecurityHQ

2 years

Decurity team partnered with @hexensio under the name "Hexurity" and scored 2nd place worldwide in the hardest web3 hacking competition — Paradigm CTF. Contact us on and get audited by the top smart contract security auditors in the world!

0

4

15

Decurity

@DecurityHQ

11 months

TheNFT Project () has been hacked for $20,000 because of a logic error in the transferFrom function.

Exploit Contract: 0x85301f7b943fd132c8dbc33f8fd9d77109a84f28 on mainnet

Details and analysis of exploit contract 0x85301f7b943fd132c8dbc33f8fd9d77109a84f28 on mainnet

defimon.xyz

2

6

13

Decurity

@DecurityHQ

9 months

Another ERC404 project has been hacked, this time @ERC404_loogn A tornado funded attacker exploited an input validation error which allowed to transfer "loogn" tokens to them for free.

Exploit Contract: 0x3559ee265fc9c5c9a333b07e0199480b4a84f369 on bsc

Details and analysis of exploit contract 0x3559ee265fc9c5c9a333b07e0199480b4a84f369 on bsc

defimon.xyz

1

4

13

Decurity

@DecurityHQ

6 months

TCH token has been exploited for 18k due to a CTF-style signature malleability:

Attack Transaction: 0xa94338d8aa312ed4b97b2a4dcb27f632b1ade6f3abec667e3bf9f002a75dabe0 on bsc

Details and analysis of attack transaction 0xa94338d8aa312ed4b97b2a4dcb27f632b1ade6f3abec667e3bf9f002a75dabe0 on bsc

defimon.xyz

1

2

13

Decurity

@DecurityHQ

1 year

Reach us out today and tomorrow at our booth during @token2049 in Singapore to talk about web3 security!

0

2

13

Decurity

@DecurityHQ

2 months

Penpie protocol fell victim to a $27 million smart contract exploit. There were no references of the victim address, however Defimon instantly identified interactions with the Pendle protocol (Penpie is built on top of it):

Exploit Contract: 0x4af4c234b8cb6e060797e87afb724cfb1d320bb7 on mainnet

Details and analysis of exploit contract 0x4af4c234b8cb6e060797e87afb724cfb1d320bb7 on mainnet

defimon.xyz

1

2

13

Decurity

@DecurityHQ

1 year

Little time left before @EthCC and @summit_defi in Paris! We will give away free tickets to both conferences for hacking this contract: Note: the task requires Chainlink tokens on Sepolia:

2

8

12

Decurity

@DecurityHQ

2 months

📣 New release: tree-sitter grammar for the circom language It is already integrated by @semgrep in the latest 1.86.0 release, so now you can write custom semgrep rules for your ZK circuits in circom.

GitHub - Decurity/tree-sitter-circom: Circom grammar for tree sitter

Circom grammar for tree sitter. Contribute to Decurity/tree-sitter-circom development by creating an account on GitHub.

github.com

1

4

12

Decurity

@DecurityHQ

8 months

Check out our new blog post about doing security reviews of the "web2.5" systems — web2 apps with web3 integrations:

Web2.5 Security

This is an article about pentesting blockchain infrastructure, wallets, and custodial apps. We did numerous security reviews of such…

blog.decurity.io

0

5

11

Decurity

@DecurityHQ

1 year

Proud to be sponsoring @TheTrustX conference in Istanbul during the @EFDevconnect week! Meet Decurity at our sponsor zone and come for our content: 13 November, 16:15: Omar Ganiev, Web2.5 Security: pentesting blockchain infrastructure, wallets, and custodial apps, 13 November,

0

3

11

Decurity

@DecurityHQ

3 months

Pleased to announce our collaboration with @ether_fi — a liquid restaking protocol on Ethereum. No high-risk or critical bugs were found during the audit. Check out the report —

0

2

11

Decurity

@DecurityHQ

11 months

We've prepared a couple entry-level smart contract hacking challenges for the @ETHAbuDhabiConf hackathon running for the next 2 days. Register here for practice and swag:

2

3

10

Decurity

@DecurityHQ

1 year

Another small hack on BSC network: In the function `claim` 0xac899 mistakenly approves msg.sender the whole amount of BUSD it possesses (around 6k USD). The victim contract is not verified on Bscscan.

1

5

11

Decurity

@DecurityHQ

8 months

Our team of auditors yet again proves to be among the strongest in the world 💪💪💪 Thanks @OpenZeppelin for organizing the event!

OpenZeppelin

@OpenZeppelin

8 months

Ethernaut CTF 2024 has wrapped up! 🥇 @ambergroup_io 🥈 @DecurityHQ 🥉 @statemindio Stay tuned for rewards and POAPs via email this week👀 Until next time! Check out challenges & solutions here:

5

11

66

1

3

10

Decurity

@DecurityHQ

1 year

APEDAO has been just hacked for $7k using multiple flashloans due to the incorrect calculations in the `_transfer` function. An attacker repeatedly transferred the tokens to the Pancake pair and called skim():

0

2

9

Decurity

@DecurityHQ

2 years

We have recently finished an audit of @Givethio smart contracts together with @PowerInsideLab , this vuln could be exploited to grab all the rewards from the staking pool (now fixed)

0

2

10

Decurity

@DecurityHQ

1 year

The front page of now features the list of automatically detected attacks and exploits. New attacks will be revealed with a delay, if you need real-time threat intelligence feed contact us 👇

0

6

9

Decurity

@DecurityHQ

2 years

⛽ We have added a bunch of gas optimisation @semgrep rules to 🔎 You can use them in smart contract audits as well as in CI workflows. Just clone & run: `semgrep --config solidity/performance /path/to/repo`

1

4

8

Decurity

@DecurityHQ

1 year

As a result of the CDP analysis we have started compiling security checklists for the auditors: Stay tuned for more checklists for other DeFi patterns!

GitHub - Decurity/audit-checklists

Contribute to Decurity/audit-checklists development by creating an account on GitHub.

github.com

0

1

9

Decurity

@DecurityHQ

5 months

We are excited to announce a partnership with @YieldNestFi — a Liquid Restaking Protocol. Now we are monitoring YieldNest with Defimon for suspicious transactions. Get protection from DeFi hacks —

0

4

10

Decurity

@DecurityHQ

1 year

Recently we concluded the security audit of CDP and ZK pool contracts for @zkBob_ ! The report is public:

0

5

9

Decurity

@DecurityHQ

1 year

We have thoroughly analyzed hacks and audits of a popular DeFi pattern: collateralized debt position (CDP). Here is an overview of the CDP security:

Typical vulnerabilities in lending and CDP protocols

This article explains the security of a popular pattern in the decentralized finance — the CDP (collateralized debt position)

blog.decurity.io

4

6

9

Decurity

@DecurityHQ

1 year

"9419 Token" and "6827 Token" were exploited on the BSC network for around $80k and $74k in LP tokens in two flashloan transactions: 1) 2)

1

3

7

Decurity

@DecurityHQ

2 months

. @BaseBrosFi (now deleted) apparently did a rug pull disguised as a hack Tornado funded address deployed a smart contract on Base that was set as a new vault for several strategies using seemingly stolen private key. @SeamlessFi reported previously as the victim is not affected

Seamless Protocol 🅢 #BuildOnBase

@SeamlessFi

2 months

GM All, important immediate update: 1. Funds on Seamless are SAFU. 2. Seamless contributors have investigated claims of a hack on the protocol and confirmed the protocol was NOT exploited. 3. Seamless contributors are working with security teams and other Base projects to

5

23

74

7

0

9

Decurity

@DecurityHQ

2 years

A story of an unusual ERC721 implementation that could be exploited for $270,000

0

6

8

Decurity

@DecurityHQ

1 year

Another hack detected by Defimon — a skim attack on deflationary token '3913'. An attacker gained $31k, here's how 👇

Attack Transaction: 0x8163738d6610ca32f048ee9d30f4aa1ffdb3ca1eddf95c0eba086c3e936199ed on bsc

Details and analysis of attack transaction 0x8163738d6610ca32f048ee9d30f4aa1ffdb3ca1eddf95c0eba086c3e936199ed on bsc

defimon.xyz

1

2

9

Decurity

@DecurityHQ

2 years

Another week — another partnership!

Thales

@thales_io

2 years

The security audit report for Thales Liquidity Pool contracts (also used in @OvertimeMarkets AMM Liquidity Pool contracts) by @DecurityHQ is ready 🫡 Check it here:

1

7

19

0

2

8

Decurity

@DecurityHQ

1 year

@pcaversaccio The main question why the lock did not have any effect.

1

0

9

Decurity

@DecurityHQ

1 year

We have updated : 🗄️added new repositories to the simhash db: • periphery of Uniswap v2 and v3 • compound-finance/compound-protocol • aave/protocol-v2 • vectorized/solady ⛓️ added new networks: Polygon, Arbitrum and Optimism

1

5

9

Decurity

@DecurityHQ

2 years

Had fun at @Web3Dubai this week! Contact us to learn more about the DeFiMon solution and the top-tier security audits:

0

4

9

Decurity

@DecurityHQ

8 months

What can go wrong in this Solana->Ethereum burn-and-mint bridge scheme? Can you spot the bug? Learn this simple yet powerful attack from one of our security reviews 👇👇👇

3

5

8

Decurity

@DecurityHQ

1 year

We have informed @dAppSocial team about the exploit that gained about 16k $ from the DAppSocialPoolModel contract in the tx:

Ethereum Transaction Hash (Txhash) Details | Etherscan

Ethereum (ETH) detailed transaction info for txhash 0xbd72bccec6dd824f8cac5d9a3a2364794c9272d7f7348d074b580e3c6e44312e. The transaction status, block confirmation, gas fee, Ether (ETH), and token...

etherscan.io

dAppSocial

@dAppSocial

1 year

This morning, we discovered an exploit on the CrossX contracts. All user funds lost to this exploit will be reimbursed shortly. We have identified the vulnerability and will deploy a new contract soon. We will go over this in detail on Tuesday’s AMA.

5

21

57

1

4

8

Decurity

@DecurityHQ

2 years

✨New rule: `uniswap-callback-not-protected` Will find unprotected Uniswap v2/v3 callbacks that do not check if the caller is a correct pool (including faulty tx.origin checks). At least one project on @immunefi was vulnerable, can you find more?

@bertcmiller ⚡️🤖

@bertcmiller

3 years

Fatal flaws in a bot, a sort of on-chain virus, a trojan horse token, and arbitrage gone wrong Join me in looking at the latest MEV bot exploit in this thread 👇🏻

23

173

739

4

2

7

Decurity

@DecurityHQ

2 months

We are proud to announce that we completed two thorough audits for @ClearpoolFin previously this year 🛡️ We have successfully collaborated with their team to ensure the protocol is fully secure and there are no issues. Check out the reports:

1

8

Decurity

@DecurityHQ

2 months

We are honored to secure @GearboxProtocol 🫡 You can find the report for this audit and other ones in our repository:

GitHub - Decurity/audits: Security Audit reports by Decurity

Security Audit reports by Decurity. Contribute to Decurity/audits development by creating an account on GitHub.

github.com

Gearbox ⚙️🧰

@GearboxProtocol

2 months

The borrow limits for @mellowprotocol 's LRT vaults are set to increase tomorrow. To bolster the safety of the contracts, an integration audit has been conducted by @DecurityHQ . 🛡️ Decurity has previously conducted audits for @yearnfi , @compoundfinance & other notable protocols.

1

5

24

0

8

Decurity

@DecurityHQ

1 year

A Tornado funded address looted 20 BNB from an unverified contract on the BSC network that allowed making arbitrary calls via functionCallWithValue

Attack Transaction: 0xf77c5904da98d3d4a6e651d0846d35545ef5ca0b969132ae81a9c63e1efc2113 on bsc

Details and analysis of attack transaction 0xf77c5904da98d3d4a6e651d0846d35545ef5ca0b969132ae81a9c63e1efc2113 on bsc

defimon.xyz

1

7

Decurity

@DecurityHQ

4 months

The hacker crafted special calldata with transferFrom() calls and passed it as swapData to depositToGasZipERC20 to steal approved tokens from the bridge. Vulnerable contract:

GasZipFacet | Address 0xf28a352377663ca134bd27b582b1a9a4dad7e534 | Etherscan

The Contract Address 0xf28a352377663ca134bd27b582b1a9a4dad7e534 page allows users to view the source code, transactions, balances, and analytics for the contract address. Users can also interact and...

etherscan.io

0

7

Decurity

@DecurityHQ

1 year

Our monitoring system detected a bunch of token hacks: ⚠️ UMG2.0 lost $1.2k ⚠️ LoongKing lost $5k ⚠️ ETHDOGE lost $11k ⚠️ LadyPepe lost $2k

Ethereum Transaction Hash (Txhash) Details | Etherscan

Ethereum (ETH) detailed transaction info for txhash 0x96caaaeda4eec683f303079cbff81925f185856cf3ab94d622a72e8b949456e1. The transaction status, block confirmation, gas fee, Ether (ETH), and token...

etherscan.io

1

3

7

Decurity

@DecurityHQ

1 year

An exploiter who was active yesterday doing a series of small hacks attacked @ConicFinance CNCETH pool just now and stole 3 million USD:

3

2

7

Decurity

@DecurityHQ

2 years

This is our write-up about one of the hardest Paradigm CTF 2022 tasks. It involves auditing and exploiting a real protocol (which was luckily deprecated):

0

1

7

Decurity

@DecurityHQ

1 year

@pashovkrum

Typical vulnerabilities in lending and CDP protocols

This article explains the security of a popular pattern in the decentralized finance — the CDP (collateralized debt position)

blog.decurity.io

0

7

Decurity

@DecurityHQ

1 year

Our semgrep rules for smart contracts () are now part of the semgrep registry! Thanks to @semgrep for their amazing tool ✨

GitHub - Decurity/semgrep-smart-contracts: Semgrep rules for smart contracts based on DeFi exploits

Semgrep rules for smart contracts based on DeFi exploits - Decurity/semgrep-smart-contracts

github.com

Semgrep

@semgrep

1 year

We're thrilled to introduce our new Semgrep ruleset for smart contracts. Special thanks to @DecurityHQ for the incredible contributions 🙌. Check out the ruleset here:

0

4

21

0

7

Decurity

@DecurityHQ

2 years

Our audit of @1inch farming contracts has been published: 🟡 4 medium severity bugs 🔵 1 low ⚪ 6 info Check it out:

GitHub - Decurity/audits: Security Audit reports by Decurity

Security Audit reports by Decurity. Contribute to Decurity/audits development by creating an account on GitHub.

github.com

0

4

6

Decurity

@DecurityHQ

1 year

Another malicious tx , the loss is more than 60k so far

Ethereum Transaction Hash (Txhash) Details | Etherscan

Ethereum (ETH) detailed transaction info for txhash 0xdf9dbfe14f7bfb2c7280cb4de6dfc211064c9d88c22be5ff3dc5647a96cdd4d1. The transaction status, block confirmation, gas fee, Ether (ETH), and token...

etherscan.io

1

6

Decurity

@DecurityHQ

1 year

PointFarm contract belonging to @uniclyNFT has been attacked via a classic reentrancy by a malicious actor funded from FixedFloat:

1

2

6

Decurity

@DecurityHQ

1 year

As a Compound fork Onyx fall victim to the same vulnerability as Hundred Finance and Midas

15/04/23 Hundred Finance Hack Post-Mortem

At 2:12pm UTC on April 15th, 2023, the Optimism deployment of the Hundred Finance lending protocol was exploited by an attacker, who…

blog.hundred.finance

1

0

6

Decurity

@DecurityHQ

18 days

We are happy to share that @MortgageFiApp completed the audit with Decurity. All the findings are fixed. Check out the report:

0

7

Decurity

@DecurityHQ

10 months

We have just pushed `exact-balance-check` semgrep rule that will help to catch strict balance equality issues during audits automatically:

pashov

@pashovkrum

10 months

If you are doing a smart contract security audit and see this `require(token.balanceOf(address(this)) == ….` You’ve most probably found an issue. Anyone who can get 1 wei worth of `token` can send it to the contract as a front-run attack, forcing the method call to revert

18

19

300

0

1

4

Decurity

@DecurityHQ

2 years

We're glad to announce that our grant proposal for enhancing our @semgrep solidity rulepack has been approved by @compoundgrants . The purpose is to develop new static analysis rules and adapt them for the Github pipelines of @compoundfinance . We'll tweet soon about our progress!

0

4

6

Decurity

@DecurityHQ

1 year

Preliminary investigation suggests that this is a precision loss issue

1

0

6

Decurity

@DecurityHQ

1 year

As CTF veterans ourselves, we think that bringing competitive events in the web3 security space is very beneficial for the industry

DevsOnChain 🥷⛓️

@DevsOnChain

1 year

🎉 We are proud to announce the Security Partners for QuillCTFs 🤝 They have helped us with the CTFs and contributed immensely to Web3Security. 👥 Form your 𝟯-𝗽𝗲𝗿𝘀𝗼𝗻 teams and bring your A-game to the bug hunt. 🖊️ 𝗥𝗲𝗴𝗶𝘀𝘁𝗲𝗿 𝗡𝗼𝘄 -

0

17

32

1

2

6

Decurity

@DecurityHQ

1 year

This attacker went on a spree, the vulnerability is nearly the same — a flawed `transferFrom` in a closed source contract: This time they grabbed more than 23k USD by swapping stolen STRAC tokens.

BNB Smart Chain Transaction Hash (Txhash) Details | BscScan

Binance (BNB) detailed transaction info for txhash 0x1147b3c0f3ebdd524c4e58430bb736eba9f7fa522158f5ad81eb3e2394b466d0. The transaction status, block confirmation, gas fee, Binance, and token transfer...

bscscan.com

Decurity

@DecurityHQ

1 year

The attacker got initial funding from Tornado cash 12 days ago, watch out:

0

4

0

3

6

Decurity

@DecurityHQ

1 year

We have also compiled the audit checklist tailored for LSD: Which DeFi pattern shall we examine next?

0

1

6

Decurity

@DecurityHQ

7 months

We detected the hack and the victim 70 seconds before it happened based on the static analysis of the deployed exploit contract. We also detected a copy-cat exploit someone has deployed but not yet used:

Contract Address 0x2b80bf785b4739527b7b9515c0f39cf1772fa109 | Etherscan

The Contract Address 0x2b80bf785b4739527b7b9515c0f39cf1772fa109 page allows users to view the source code, transactions, balances, and analytics for the contract address. Users can also interact and...

etherscan.io

0

2

6

Decurity

@DecurityHQ

1 year

Hey @MIM_Spell looks like someone exploited YVUSDCSwapperFlat and grabbed 4396 MIM

3

2

5

Decurity

@DecurityHQ

1 year

@ConicFinance The attack is a read-only reentrancy via get_virtual_price() on a Curve pool as seen from our monitoring dashboard

1

0

5

Decurity

@DecurityHQ

1 year

And as always here is an audit checklist for the AMMs:

GitHub - Decurity/audit-checklists

Contribute to Decurity/audit-checklists development by creating an account on GitHub.

github.com

0

1

5

Decurity

@DecurityHQ

1 month

Two more attacks: 1) (presumably MEV/whitehat - $300k) 2) (same attacker - $400k)

4

0

5

Decurity

@DecurityHQ

1 year

While our previous CTF challenge is still out (some people are close to solving!), here's an easier one for you: Solve it and grab free tickets to @EthCC & @summit_defi conferences in Paris!

SuperRareNFT | Address 0xe2e3d8fbbc78070379bd3a7487577d0990cd9400 | Etherscan

The Contract Address 0xe2e3d8fbbc78070379bd3a7487577d0990cd9400 page allows users to view the source code, transactions, balances, and analytics for the contract address. Users can also interact and...

sepolia.etherscan.io

2

3

5

Decurity

@DecurityHQ

1 year

An attacker discovered an empty PEPE pool that was created 5 days ago

OErc20Delegator | Address 0x5fdbcd61bc9bd4b6d3fd1f49a5d253165ea11750 | Etherscan

The Contract Address 0x5fdbcd61bc9bd4b6d3fd1f49a5d253165ea11750 page allows users to view the source code, transactions, balances, and analytics for the contract address. Users can also interact and...

etherscan.io

0

5

Decurity

@DecurityHQ

2 months

Relevant tx:

Attack Transaction: 0xa0bd1f66141d00fb9340e91403066f49d02cbbdcacd6a499f64834dd5f2d269e on base

Details and analysis of attack transaction 0xa0bd1f66141d00fb9340e91403066f49d02cbbdcacd6a499f64834dd5f2d269e on base

defimon.xyz

5

0

5

Decurity

@DecurityHQ

1 year

Original failed tx by the attacker:

Ethereum Transaction Hash (Txhash) Details | Etherscan

Ethereum (ETH) detailed transaction info for txhash 0xb5d91f1e0afc96a52f8c6c28eae405eda7fcc5d34d6d03bdd8b16bd58089e939. The transaction status, block confirmation, gas fee, Ether (ETH), and token...

etherscan.io

2

0

2

Decurity

@DecurityHQ

1 year

Another governance attack — this time on @finance_build

Attack Transaction: 0xc89adad6860d5fdb58b357432e3b113e2ecf2c50f53ae18edcc70d3c7119e525 on mainnet

Details and analysis of attack transaction 0xc89adad6860d5fdb58b357432e3b113e2ecf2c50f53ae18edcc70d3c7119e525 on mainnet

defimon.xyz

1

2

5

Decurity

@DecurityHQ

3 months

The vulnerability was possible because the input parameter claimContracts can be controlled by a malicious user. The attacker passed their own contract which returned arbitrary value in `cvgClaimable`.

1

2

5

Decurity

@DecurityHQ

7 months

@PeckShieldAlert The victim is not real @ethena_labs but a scam token created 17 hours ago! Details:

Attack Transaction: 0x577e978ef733edb4c5db558d70744c0f1d503ab43cac9f3bd64c30f677272d90 on bsc

Details and analysis of attack transaction 0x577e978ef733edb4c5db558d70744c0f1d503ab43cac9f3bd64c30f677272d90 on bsc

defimon.xyz

4

0

4

Decurity

@DecurityHQ

11 months

@ElephantStatus @BEARNDAO Another $49k has been stolen!

Attack Transaction: 0x7ccb189c78376bdc35294f1779e7156233bcbc65f8681b3d6a7f512c1c2d5218 on bsc

Details and analysis of attack transaction 0x7ccb189c78376bdc35294f1779e7156233bcbc65f8681b3d6a7f512c1c2d5218 on bsc

defimon.xyz

1

0

4

Decurity

@DecurityHQ

6 months

As a result we can confirm that the team followed the safe procedure to launch the new lending market and the exploit is no longer viable 🙌

0

5

Decurity

@DecurityHQ

1 year

The dev created a contract 3 years ago, approved a large amount of USDT to this contract and forgot about it. Today it was exploited, although it's not verified on Etherscan! Victim contract:

Contract Address 0x76577603f99eae8320f70b410a350a83d744cb77 | Etherscan

The Contract Address 0x76577603f99eae8320f70b410a350a83d744cb77 page allows users to view the source code, transactions, balances, and analytics for the contract address. Users can also interact and...

etherscan.io

1

0

4

Decurity

@DecurityHQ

6 months

With the help of @_SEAL_Org 911 Team we shared the threat intel with the Sonne team which confirmed that they are aware of this Compound vulnerability and minted a small amount of sobAERO before setting collateral factor.

1

0

4

Decurity

@DecurityHQ

2 years

New @semgrep rule: `proxy-storage-collision` Detects contracts that inherit common proxies (like TransparentUpgradeableProxy) and declare a state var (which is not constant or immutable) that might overwrite implementation storage. Check it out 👇

Audius 🎧

@audius

2 years

Post-mortem from this weekend's attack is now live: Highlights: - Audited contracts were compromised due to an exploit in the contract initialization code that allowed repeated invocations of the "initialize" function.

19

33

139

0

3

4

Decurity

@DecurityHQ

2 years

This year we're sponsoring @ETHDubaiConf and hosting a CTF contest for the participants. Meet us at our booth, at our lightning session, the CTF workshop, and the Panel on Security on March 16! See our products and services: #ETHDubai

Decurity: Decentralized Finance Security

Security for the decentralized systems: web3 security monitoring, smart contract audits, advisory and consulting

www.decurity.io

0

3

4

Decurity

@DecurityHQ

29 days

Decurity was included in the Audits Hub of the @Optimism L2: If you're launching a project on Optimism, contact us to apply for a grant, and the audit costs can be covered!

0

4

Decurity

@DecurityHQ

1 year

MyAi token on BSC got hacked for about 10 BNB because of a wrong approval that was given to the MultiSender contract which allowed to transfer any allowed tokens:

1

3

4

Decurity

@DecurityHQ

1 year

@ConicFinance Fun fact is that an attacker did an unsuccessful tx 10 min before the attack (was also marked as a read only reentrancy).

Ethereum Transaction Hash (Txhash) Details | Etherscan

Ethereum (ETH) detailed transaction info for txhash 0x97a8315e942dd180fb90a17b92f7dabd6e8a2e5b9fd5e4a95ee4049ff33d2f16. The transaction status, block confirmation, gas fee, Ether (ETH), and token...

etherscan.io

1

0

4