Marco Croc
@malicator

120 posts

Lead Security Researcher @KupiaSecurity

ΞTH · Joined December 2023
47 Following · 544 Followers
Cointelegraph @Cointelegraph
Which altcoin will be the best performer this bull run? 🔥 $ETH or $SOL
Marco Croc retweeted
Kupia Security @KupiaSecurity
We found that the hacker targeted a code section that was out-of-scope for the audit contest. Here’s a comparison: This is the Dispatcher.sol from the April audit And this is the Dispatcher.sol where the hack has happened. Notice the difference? As you can see, the Commands.KYBER_SWAP is not there in the scope of the audit contest codebase and it became an entry point for the attack🚫
Kupia Security @KupiaSecurity
A great analysis of what has been happening in web3 security lately
0xLouisT @0xLouisT

Analysis of the Penpie exploit

Last evening, Penpie, a yield optimizer and liquid locker built on Pendle, was exploited for ~$27 million. The attacker created a fake market and counterfeit SY tokens on Pendle. While this is completely harmless to Pendle, Penpie failed to account for such adversarial scenarios, enabling the attacker to execute a re-entrancy attack. This resulted in the theft of $27 million in rswETH, wstETH, agETH, and sUSDe from Penpie. The stolen tokens were then sold for ETH using the LiFi DEX router. The attacker subsequently withdrew the ETH to various addresses and has deposited over 95% of the stolen funds into Tornado Cash. In response, the Pendle team acted swiftly to pause all their contracts, preventing an additional $105 million in potential losses for Penpie users.

Market impact
The attacker had minimal impact on wstETH and sUSDe pegs when selling the stolen funds on Uniswap V3 and Curve. However, the exploit did cause a slight depeg of rswETH on PancakeSwap and a significant depeg of agETH on Balancer. Additionally, PNP, Penpie's token, plummeted by 40% as investor confidence in the project sharply declined. In contrast, the PENDLE token remained unaffected in ETH terms. Indeed, the Pendle protocol was neither affected by nor responsible for this exploit.

Thoughts & Learnings
As investors, assessing counterparty risk, especially smart contract risk, is crucial and often overlooked. Depositing LP tokens into another smart contract introduces significant additional layers of risk that must be carefully evaluated. Often, you'll find that the potential reward doesn't justify the extra risk. Pendle team's devops, alerting and response was top notch, preventing a further $105m loss to Penpie users. This is even more impressive accounting for the fact that this happened in the middle of the night Singapore hours. Thoughts are with those affected by this exploit. To conclude, Pendle.

Marco Croc retweeted
Kupia Security @KupiaSecurity
Scams in crypto are real. Don't fall for unverified projects or too-good-to-be-true offers. Secure your wallet, enable multi-factor authentication, and stay informed to protect yourself. ethereum.stackexchange.com/questions/1642…
Marco Croc @malicator
@DavidPereDotBtc well, the runtime frameworks of Bitcoin and Solana prevent reentrancy, not the languages themselves. They are just tools, and YES, reentrancy is the root of all evil.
Marco Croc retweeted
Kupia Security @KupiaSecurity
Can we do a bit of bragging here? We have nailed several public contests held by platforms like @sherlockdefi & @code4rena. Resting is not in our vocabulary. We keep grinding and grinding in every single contest we have participated in.
Marco Croc @malicator
@KupiaSecurity security is achieved through iterations: audit the original, then forks audit the base code, then the updated parts. Every update - not only code updates, but also configuration changes by governance actions - should go through a security check.
Marco Croc retweeted
Kupia Security @KupiaSecurity
🔍 Inside Our Audit Process: Uncovering a Hidden Vulnerability in Curve

Learn how our lead security researcher @malicator discovered a flaw in Curve Finance during an audit back in November 2023. This vulnerability could have unbalanced the pools by moving funds to the fee collector, potentially harming the protocol's reputation and affecting the price of CRV tokens. Let's dive into what happened and how it was fixed! 🚨👇

📚 Behind the Scene
Curve is a leading DeFi protocol with numerous Solidity-based forks such as Geode Finance, Ellipsis, and LeetSwap. These forks often inherit the strengths and weaknesses of the original protocol. During a routine assessment, @malicator discovered that Geode Finance, which uses the ERC1155 token gAVAX, had a weak spot in its withdrawAdminFees function.

🐛 The Exploit
The core of this bug was a reentrancy flaw. The withdrawAdminFees function did not have proper reentrancy locks, making it vulnerable to manipulation during token transfers. This could allow attackers to disrupt token balances and potentially drain the pool.

🧩 Step-by-Step Exploitation
The attack relies on carefully crafted steps involving liquidity manipulation:
1. Prepare Tokens: Deposit one-sided liquidity using the add_liquidity function.
2. Remove Liquidity: Use remove_liquidity_imbalance, specifying a minimum ETH withdrawal amount (e.g., 1 wei) to trigger the fallback function.
3. Trigger Reentrancy: Within the fallback function (receive), call withdrawAdminFees.
This exploit takes advantage of missing re-entrancy locks in the withdrawAdminFees function, temporarily disrupting the pool balance. It reduces the pool's token balance while causing little loss to the attacker (swap fee + add/remove liquidity rounding). You can see that the balance has become lower than the balance state variable.

💥 Potential Impact
This vulnerability could cause temporary but severe disruptions in token accounting within the pool. If used in conjunction with flash loans, the exploit could magnify the impact, allowing attackers to funnel significant amounts of tokens to the fee collector, putting user funds at risk.

🛠️ How It Was Fixed
Immediate steps were taken to secure the vulnerable pools:
- Enhanced Security: Reentrancy checks were added to key functions handling ETH and token transfers.
- Permanent Fixes: Governance votes approved additional protections to ensure functions such as withdrawAdminFees are no longer exploitable.
These fixes restore the security of user funds and strengthen Curve's defenses against similar attacks. Our lead audit researcher also shared insights on this issue in his thread, providing additional context on the vulnerability. Kudos to our security researchers who work tirelessly to uncover these hidden threats! 🛡️

Check out @malicator's insight here: x.com/malicator/stat…
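Both the Penpie analysis above and the Curve audit thread come down to the same defect: a function that moves funds can be re-entered while the pool's tracked balance and its actual balance disagree. The toy pool below is an added example written for this page; it is not Curve, Geode, Penpie or Kupia code. It assumes a simplified two-coin pool (ETH plus one ERC20) in which admin fees are tracked implicitly as "actual balance minus tracked balance", a flat assumed fee of ADMIN_FEE_BPS, and a 1 share = 1 wei share model; the contract and function names (PoolBase, PoolVulnerable, PoolHardened, removeLiquidityImbalance, withdrawAdminFees) are illustrative, not the real pools' interfaces. The vulnerable contract shows the ordering defect the thread describes (ETH sent before bookkeeping, no lock); the hardened one shows the fix the thread describes (one lock shared by every function that moves ETH or tokens) together with effects-before-interactions and an explicit accounting invariant.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example, not Curve, Geode, Penpie or Kupia code. Toy ETH/ERC20 pool whose
// admin fees are tracked implicitly, in the style the thread describes:
//   unclaimed admin fee for coin i = actual balance of coin i - tracked balances[i]
// Every function that moves ETH or tokens must finish its bookkeeping before any other
// caller can observe the pool; a callback in the middle sees a transient gap.

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

abstract contract PoolBase {
    IERC20 public immutable token;               // coin index 1
    address public immutable feeReceiver;
    uint256 public constant ADMIN_FEE_BPS = 50;  // assumed: 0.5% of each withdrawal kept as admin fee
    uint256[2] public balances;                  // tracked balances: [0] = ETH, [1] = token
    mapping(address => uint256) public shares;   // simplified: 1 share = 1 wei of ETH credit

    constructor(IERC20 _token, address _feeReceiver) {
        token = _token;
        feeReceiver = _feeReceiver;
    }

    // add_liquidity, ETH side only (the thread's step 1). No external call here.
    function addLiquidity() public payable virtual {
        balances[0] += msg.value;
        shares[msg.sender] += msg.value;
    }

    function _feeOnWithdrawal(uint256 amount) internal pure returns (uint256) {
        return amount * ADMIN_FEE_BPS / 10_000;
    }
}

// VULNERABLE ordering (the thread's steps 2 and 3): no lock on either function, and the
// ETH transfer, which runs the recipient's receive(), happens before balances[0] is
// reduced. During that callback address(this).balance is already below balances[0], the
// inconsistent state the thread's screenshot shows, and withdrawAdminFees can be entered
// while the pool is in it. The real pools' fee arithmetic is omitted; only the ordering
// defect is reproduced.
contract PoolVulnerable is PoolBase {
    constructor(IERC20 t, address f) PoolBase(t, f) {}

    function removeLiquidityImbalance(uint256 amount, uint256 minEthOut) external {
        shares[msg.sender] -= amount;
        uint256 ethOut = amount - _feeOnWithdrawal(amount);
        require(ethOut >= minEthOut, "slippage");
        (bool ok, ) = msg.sender.call{value: ethOut}("");  // interaction first ...
        require(ok, "eth transfer failed");
        balances[0] -= amount;                             // ... effect last
    }

    function withdrawAdminFees() external {
        uint256 ethFee = address(this).balance - balances[0];
        uint256 tokenFee = token.balanceOf(address(this)) - balances[1];
        if (ethFee > 0) {
            (bool ok, ) = feeReceiver.call{value: ethFee}("");
            require(ok, "fee transfer failed");
        }
        if (tokenFee > 0) require(token.transfer(feeReceiver, tokenFee), "token transfer failed");
    }
}

// HARDENED: one lock shared by every function that moves ETH or tokens (the fix the
// thread describes), effects before interactions, and an explicit invariant so that an
// accounting gap fails loudly instead of being paid out to the fee collector.
contract PoolHardened is PoolBase {
    uint256 private _locked = 1;
    modifier nonReentrant() {
        require(_locked == 1, "reentrant call");
        _locked = 2;
        _;
        _locked = 1;
    }

    constructor(IERC20 t, address f) PoolBase(t, f) {}

    function addLiquidity() public payable override nonReentrant {
        super.addLiquidity();
    }

    function removeLiquidityImbalance(uint256 amount, uint256 minEthOut) external nonReentrant {
        shares[msg.sender] -= amount;
        uint256 ethOut = amount - _feeOnWithdrawal(amount);
        require(ethOut >= minEthOut, "slippage");
        balances[0] -= amount;                             // effect first: the fee stays as surplus
        (bool ok, ) = msg.sender.call{value: ethOut}("");  // interaction last; reentry is blocked
        require(ok, "eth transfer failed");
    }

    function withdrawAdminFees() external nonReentrant {
        uint256 ethHeld = address(this).balance;
        uint256 tokenHeld = token.balanceOf(address(this));
        require(ethHeld >= balances[0] && tokenHeld >= balances[1], "accounting gap");
        uint256 ethFee = ethHeld - balances[0];
        uint256 tokenFee = tokenHeld - balances[1];
        if (ethFee > 0) {
            (bool ok, ) = feeReceiver.call{value: ethFee}("");
            require(ok, "fee transfer failed");
        }
        if (tokenFee > 0) require(token.transfer(feeReceiver, tokenFee), "token transfer failed");
    }
}
```

The point of sharing a single lock across addLiquidity, removeLiquidityImbalance and withdrawAdminFees, rather than guarding withdrawAdminFees alone, is that the thread's attack enters the fee function from inside a liquidity call; a lock that only one side holds does not stop that. The invariant check in the hardened withdrawAdminFees is what a defender would also monitor off-chain: any block in which a pool's actual balance dips below its tracked balance is worth an alert.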
Marco Croc @malicator
@KupiaSecurity @HackenProof nice joke, haha. We first identify valuable parts of the target where money is stored; tokens minted is important cos our goal is to protect value.
HackenProof @HackenProof
What's the first thing you do when you start hacking a new target?
cholakov @cholakovvv
WOW, just check the on-chain message the @eulerfinance exploiter sent to the @Penpiexyz_io exploiter. 'Good job, bro. Haven’t seen a hack like this in a while. Glad you kept all the money and didn’t let them get a dollar back. You won, they lost.' 👀
Pop Punk @PopPunkOnChain
Don't let CertiK extort your company for an audit. Even though the real ones know to ignore their rankings, they still have VERY strong SEO that ranks high on search engines. A lot of people asked how I got g8keep removed so fast. I strongly encourage everyone to do this:
1. Go to their website and click "request a quote"
2. What you put here doesn't really matter, but make sure you put your REAL email.
3. They will send you an automated email asking you for information so they can quote you for an audit (good one).
4. Take the telegram username of the CertiK BD bozo that emailed you and message them this on telegram: "My company was not audited by CertiK therefore you have no right to give a security score to my protocol. Remove my company from your platform or we will take legal action as this is defamation."
It took about 30 minutes for them to respond, message the "leaderboard team" and remove my company from their platform. Fuck CertiK.
Marco Croc retweeted
Kupia Security @KupiaSecurity
Dear founders, teams & project leads: Here are 3 reasons why you should choose @KupiaSecurity for your audit services: ↓

1) Public Proven Expertise: Our team isn't just talking the talk - we're walking the walk. A standout example is the $250k reward @malicator - our lead security researcher - secured by identifying a critical vulnerability in @CurveFinance - one of DeFi's heavyweight protocols. This isn't just a win, but rather a testament to our deep understanding and expertise in the field. Think about the hype your project could get from auditing with a team with such solid public proof of work - I mean, @CurveFinance isn't a small name in DeFi. Don't you want to brag about auditing with a team that responsibly disclosed a vulnerability in @CurveFinance? 👀 Moving on: ↓

2) Consistent Success in Bug Bounties: @KupiaSecurity isn't new to the spotlight. Our track record in bug bounty competitions speaks volumes - with multiple top placements that showcase our ability to pinpoint & mitigate vulnerabilities that others might miss. Some recent notable ones are:
-> We secured 1st place at the @telcoin audit contest on @sherlockdefi
-> We secured 5th place in the @Curvance contest at @cantinaXyz
And many more 🫡

3) Cost-Effective Audits: We believe that securing your project shouldn't break the bank. Compared to other top tier audit firms - Kupia offers the same high-level security audits at more affordable rates. We're here to protect your project and your budget 😉

As you know, in Decentralized finance (DeFi), securing protocols against vulnerabilities is an absolute necessity. At @KupiaSecurity we understand this better than anyone. Our team's unique blend of experience, demonstrated expertise, & dedication to quality makes us the go-to partner for your auditing needs. To crown it all - our top-tier quality services are relatively affordable, especially when compared to other top-tier quality audit firms.

To get in-depth technical details of how we operate: Visit our website linked in bio or PM directly via @KupiaSecurity 🫡
Marco Croc retweeted
Kupia Security @KupiaSecurity
🔍 We're on the hunt for a Head of Marketing to join KupiaSec! 🚀 If you're passionate about blockchain, web3, and crafting innovative marketing strategies, we want to hear from you. Join us in securing the future of web3. #Web3 #MarketingJobs #BlockchainSecurity #JoinOurTeam
Marco Croc retweeted
sudo rm -rf --no-preserve-root /
I'm done with this crap. It's 2024, and L2s are still spewing the same bullshit about their core values being "permissionless" and "censorship-resistant" after being live for over a year but are still running centralised sequencers. Give me a break. They act all high and mighty, claiming to uphold these principles, but the moment it suits them, they flip the switch and keep the blockchain running their way. It's a joke. L2 folks, your claims of permissionless and censorship-resistance are nothing but a meme at this point.
Linea.eth @LineaBuild

Linea's team made a decision to halt block production by pausing the sequencer and censor attacker addresses to protect the users and builders in our ecosystem. Like other L2s, we are still in the "training wheels" phase of existence, giving us safeguards to use.

Marco Croc retweeted
Cointelegraph @Cointelegraph
Gala Games has not publicly confirmed the identity or method of the exploit, but some community members claim Gala had said the attack was from a security contractor who slipped up after connecting to the wallet without a VPN. cointelegraph.com/news/gala-game…