Sam Eiderman (sameid.eef)

49 posts

Sam Eiderman (sameid.eef)

@_eiderman

CTO @ Utila Opinions are mayo

Beigetreten Ocak 2019

166 Folgt59 Follower

Sam Eiderman (sameid.eef)@_eiderman·5d

Before I go in depth to explain the booster rocket stage of the Durable Nonces and how some architectural design of this feature played a crucial part in the exploit, I would just like to bring attention to the fact that wallet software should do more and invest more in the display of the transactions being signed. If you can’t read the “fine print” of the transaction payload you are signing - might as well just sign with your eyes closed. Read more on our blog: utila.io/blog/drift-pro… Stay safe

English

Sam Eiderman (sameid.eef)@_eiderman·5d

A quick recap of the Bybit hack to show the remarkable resemblance. Bybit’s treasury, secured by a multi-sig account (Gnosis Safe), on Ethereum - hacked ($1.4B) by compromising the Gnosis Safe UI, delivering an obfuscated payload instead of a legitimate transaction to signers - the transaction looked like a regular transfer, but was in fact reassigning the ownership of the entire Safe to the attacker. This was amplified by the use of an “advanced feature” of the Gnosis Safe. The use of this advanced feature probably went unnoticed by the signers, most likely because the wallet software did not emphasize it (link in comments for previous post). Now, Drift’s treasury, secured by a multi-sig account (Squads), on Solana - hacked by making 2 out of the 5 Squads admins sign a transaction that reassigned the ownership of the entire Squads mutil-sig to the attacker. This was amplified by the use of an “advanced feature” of Solana - Durable Nonces. And again, the use of this advanced feature probably went unnoticed by the signers, again - most likely because the wallet software did not emphasize its usage.

English

Sam Eiderman (sameid.eef)@_eiderman·5d

🚨 Drift Protocol on Solana - Compromised, 250M$ Stolen 🚨 Statement from Drift: "Earlier today, a malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift’s Security Council administrative powers. This was a highly sophisticated operation that appears to have involved multi-week preparation and staged execution, including the use of durable nonce accounts to pre-sign transactions that delayed execution."

English

147

Sam Eiderman (sameid.eef)@_eiderman·24 Şub

@YaelSherer בינתיים כל העכבישים עזבו לי את הבית

עברית

115

Sam Eiderman (sameid.eef)@_eiderman·24 Şub

@YaelSherer זה נכון גם לביצי תרנגולות שקרפדה דגרה עליהם?

עברית

126

yael sherer@YaelSherer·24 Şub

אני לא יכולה כבר לספור כמה אנשים עם אלרגיה לחתולים שמעו ממני ולא מהרופאים שלהם על האפשרות להאכיל את החתול שלהם בביצים של תרנגולות שנחשפו לחתול וזה פתר או הטיב אצלם בהרבה את התסמינים. למה רופאים בישראל לא מכירים את זה? בחו"ל זה כמעט טיפול קו ראשון

Israel 🇮🇱 עברית

438

58.3K

Sam Eiderman (sameid.eef)@_eiderman·22 Şub

IMO this is an insecure design choice by the @safe team, `operation` should have never been a parameter to execTransaction method but should have been moved to its own execDangerousTransaction method to avoid UI/phishing attacks.

English

103

Sam Eiderman (sameid.eef)@_eiderman·22 Şub

There's only one thing worse than "no simulation" and that's "wrong simulation", I wonder how many wallets that simulate Safe's contract calls, flag contract calls with "operation = 1" as a parameter (instead 0). This was literally a one bit attack. 🤯

English

119

Sam Eiderman (sameid.eef)@_eiderman·22 Şub

Holy sh!t @safe multisig simulations are hard, especially when done in STDv4 setting, in those cases simulators should use the embedded `to`, `value` and `data` parameters - a zero value transfer(address,uint256) in this case - no simulation effects even, HOWEVER...

Ben Zhou@benbybit

Bybit ETH multisig cold wallet just made a transfer to our warm wallet about 1 hr ago. It appears that this specific transaction was musked, all the signers saw the musked UI which showed the correct address and the URL was from @safe . However the signing message was to change the smart contract logic of our ETH cold wallet. This resulted Hacker took control of the specific ETH cold wallet we signed and transfered all ETH in the cold wallet to this unidentified address. Please rest assured that all other cold wallets are secure. All withdraws are NORMAL. I will keep you guys posted as more develops, If any team can help us to track the stolen fund will be appreciated. etherscan.io/tx/0xb61413c49…

English

383

Sam Eiderman (sameid.eef)@_eiderman·28 Oca

@LindellYehuda I agree, it's a purist approach The alternative from UX perspective is to tell users: "just keep those keys somewhere less safe forever", which is always worse. Better to allow import and set "imported: true; attestation: null"

English

286

Yehuda Lindell@LindellYehuda·8 Oca

Why does the Apple secure enclave not enable importing keys? The documentation (developer.apple.com/documentation/…) says that not being able to import or export keys is fundamental to security. I understand that for export, but for import this is very limiting.

English

1.9K

Sam Eiderman (sameid.eef)@_eiderman·15 Oca

Now can someone explain to me how USDT, the most popular stablecoin, does not get upgraded to support such capabilities as well...

English

144

Sam Eiderman (sameid.eef)@_eiderman·15 Oca

UPDATE: PYUSD now migrated from betaDelegatedTransfer to transferWithAuthorization - consolidating the capabilities offered by USDC - a small win for standardization. Even added transferWithAuthorization[Batch] to making batching simpler and not use an external contract.

Sam Eiderman (sameid.eef)@_eiderman

PayPal's PYUSD For some reason, they implemented their own betaDelegatedTransfer[Batch] for gasless transfers instead of just implementing a 3-years old EIP-3009 - TransferWithAuth which does not use nonces I would rather pay for that extra memslot than use nonces.

English

228

Sam Eiderman (sameid.eef) retweetet

TON 💎@ton_blockchain·23 Ara

Secure, seamless, and institutional-grade staking is now more accessible on TON with @utila_io

Utila@utila_io

Utila Partners with Twinstake to Empower Institutions with TON Staking We are excited to announce a strategic partnership with @twinstake_io - the leading institutional-grade, non-custodial staking provider. This collaboration combines Utila’s institutional crypto operations platform with Twinstake’s secure staking expertise to unlock seamless TON staking for institutions. 🔑 Key Benefits: ✅ Stake TON directly through Utila platform for a streamlined experience ✅ Robust security with MPC wallets & non-custodial staking infra ✅ Transparent transaction tracking via Utila’s mobile app and console This partnership makes it easier than ever for institutions to capitalize on TON’s potential while maintaining the highest standards of security and compliance. ⏭️ Read the joint announcement here: utila.io/blog/utila-twi… #TON #Staking #InstitutionalCrypto @ton_blockchain

English

170

250

25.5K

Sam Eiderman (sameid.eef) retweetet

hinkal@hinkal_protocol·8 Tem

We're excited to have @utila_io and @Protokols_io at our X Spaces 📡 Pre-save the link for tomorrow! 👇 twitter.com/i/spaces/1RDxl…

English

1.3K

Sam Eiderman (sameid.eef) retweetet

hinkal@hinkal_protocol·4 Tem

Get ready for our X Spaces with @utila_io, save the link for tomorrow! 👉 x.com/i/spaces/1mrxm… @Protokols_io will also join our discussion on privacy in DeFi and the Hinkal Lords Challenge 🗣️ PS: You can learn more about the challenge from @prz_chojecki's video! Click ⤵️

Przemek Chojecki | PC@prz_chojecki

Hinkal @hinkal_protocol is a protocol that makes your blockchain transactions anonymous. > Trade on Uniswap > Stake on Convex & Lido > Yield Trade on Pendle and more! Watch my review here: youtube.com/watch?v=s_P1w4…

English

2.4K

Sam Eiderman (sameid.eef)@_eiderman·2 Nis

@ZacharyDeWitt 😍

QME

Sam Eiderman (sameid.eef)@_eiderman·9 Ağu

English

378

Sam Eiderman (sameid.eef)@_eiderman·3 Tem

נשמה זה לא אני פוסל אותך אלו הם חוקי הפרומפט

עברית

161

Entdecken

@YaelSherer @safe @LindellYehuda @utila_io @Protokols_io @prz_chojecki @ZacharyDeWitt @elonmusk