TradeLots

1.8K posts


@tradelots

Beginner Options Trader (BOT)

Joined December 2023
66 Following, 179 Followers
Aikido Security @AikidoSecurity
@tradelots No. We will continue to invest in safechain. And Intel will remain open!
JFrog Security @JFrogSecurity
TeamPCP is back. The xinference PyPI package (680K downloads, 9.3K stars) was hijacked. Import it and your cloud credentials, SSH keys, and .env secrets are instantly harvested and exfiltrated. Versions 2.6.0–2.6.2 are malicious. If you installed them, assume compromise and rotate everything now. Full technical breakdown 👇
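A check a practitioner would want right after reading that post: find out whether the hijacked xinference releases are pinned in a project's manifests or installed in the current interpreter. This is an added example, not JFrog's or the xinference project's code. Only the package name and the malicious range 2.6.0 to 2.6.2 come from the post; the manifest formats handled (exact `==` pins in requirements/pip-freeze text and `name`/`version` pairs in poetry.lock or uv.lock style TOML) are my assumptions, and the sample inputs are constructed.

```python
"""Check for the hijacked xinference releases (2.6.0-2.6.2) named above.

Added example; not JFrog's or the xinference project's code. The package
name and the malicious version range come from the post; the manifest
formats handled and the sample inputs below are assumptions/constructed.
"""
import re
from importlib import metadata

PACKAGE = "xinference"
BAD_MIN = (2, 6, 0)   # inclusive bounds of the malicious releases (from the post)
BAD_MAX = (2, 6, 2)

# `xinference==2.6.1`, `xinference[all]==2.6.1`; extras and trailing
# markers/comments are tolerated. Only exact pins are decidable offline;
# ranges like `xinference>=2.6` must be resolved via the lockfile instead.
PIN_RE = re.compile(
    rf"^\s*{PACKAGE}(?:\[[^\]]*\])?\s*==\s*([0-9][0-9A-Za-z.+!-]*)", re.I
)
# poetry.lock / uv.lock style entries: name = "xinference" / version = "2.6.2"
LOCK_RE = re.compile(
    rf'name\s*=\s*"{PACKAGE}"\s*\n\s*version\s*=\s*"([^"]+)"', re.I
)

def parse_version(text):
    """Release tuple (major, minor, patch) from a version string; pre/post
    suffixes are dropped so 2.6.2.post1 still compares as 2.6.2 (conservative:
    a rebuilt post-release of a bad version is flagged, not excused)."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    return (parts + (0, 0, 0))[:3]

def is_malicious(version):
    v = parse_version(version)
    return v is not None and BAD_MIN <= v <= BAD_MAX

def scan_manifest(text):
    """Return every malicious xinference version pinned in a requirements /
    pip-freeze body or a TOML lock body."""
    hits = [m.group(1) for line in text.splitlines()
            if (m := PIN_RE.match(line)) and is_malicious(m.group(1))]
    hits += [m.group(1) for m in LOCK_RE.finditer(text) if is_malicious(m.group(1))]
    return hits

def scan_installed():
    """Return the installed xinference version if it is in the malicious
    range, else None (also None when the package is absent)."""
    try:
        version = metadata.version(PACKAGE)
    except metadata.PackageNotFoundError:
        return None
    return version if is_malicious(version) else None

# Constructed sample inputs, not real project files.
SAMPLE_REQUIREMENTS = """\
numpy==1.26.4
xinference==2.6.1
xinference[all]==2.5.0  # older release, not in the hijacked range
"""
SAMPLE_LOCK = """\
[[package]]
name = "xinference"
version = "2.6.2"
"""

if __name__ == "__main__":
    print("requirements hits:", scan_manifest(SAMPLE_REQUIREMENTS))  # ['2.6.1']
    print("lock hits:", scan_manifest(SAMPLE_LOCK))                   # ['2.6.2']
    hit = scan_installed()
    print("installed:", f"COMPROMISED {hit}" if hit else "clean or not installed")
```

Run it inside every virtualenv and CI image that might have pulled the package; `scan_installed` only sees the interpreter it runs under, and the manifest scan only catches exact pins, so a range specifier or a cached wheel needs a separate look. Per the post, a hit means assume compromise and rotate credentials rather than just uninstalling.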
Qrious Secure @qriousec
Despite 271 bugs massacred by Anthropic, our renderer RCE and sandbox escape are alive and well and ready, unless there is a sudden patch before P2O (meaning we don't have enough time to prepare a new one). Wish us luck! blog.mozilla.org/en/privacy-sec…
TradeLots @tradelots
@citrini The U.S. relies on compute spend, so if everything freezes as of now there is no major improvement in capability. China relies on efficiency and real-world usage, so if everything freezes now, Chinese capability and the real-world deployment and economic and social value of AI will continue.
Citrini @citrini
A lot of the answers to this question were “well that’s what China is doing” which is interesting because I don’t really think that’s true. Most of the innovations from the Chinese side have the starting point of existing models from US labs that are the result of hundreds of billions of dollars of investment in compute by US companies. DeepSeek was trained on Nvidia chips.
Citrini @citrini
Let’s say the global compute capacity were frozen in place as of today and every AI engineer were repurposed towards the goal of making AI work with less, do you think we’d see meaningful improvements to capability within the next year?
TradeLots @tradelots
@robert_ivanhoe Because the Trump admin and the Treasury secretary are max short oil futures to maintain the optics of winning.
Robert Friedland @robert_ivanhoe
Equity markets have priced in AI, which might happen. Whereas, oil markets have NOT priced in what has already happened. ~ 1 billion barrels of oil has been lost to date… and oil prices are up only ~50%.
TradeLots @tradelots
@p6rkdoye0n "It's just a DoS", but we have seen in recent days that "just a DoS" chained with other sploits can be lethal 😁😆
Doyeon Park @p6rkdoye0n
I’m disclosing a 0-day vulnerability in the Cosmos consensus layer (CometBFT). This is a CVSS 7.1 (High) severity issue that can cause nodes in the Cosmos ecosystem—which secures over $8B+ in assets—to stall during the block synchronization phase. However, direct asset theft is not possible using this vulnerability. I made every effort to follow Coordinated Vulnerability Disclosure (CVD) for the safety of the ecosystem; however, due to the vendor’s lack of cooperation and irresponsible decisions, I have decided to proceed with disclosure. This action is taken in accordance with the vendor’s final decision. All resulting security risks are solely the responsibility of the vendor, and I will therefore disclose both the vendor’s irresponsible handling and the detailed vulnerability information in this thread.
TradeLots @tradelots
@AikidoSecurity Wasn't even aware of safe-chain until digging into this announcement... nor of the free vuln + malicious packages DB 👏 thank you for your service
Aikido Security @AikidoSecurity
Introducing Aikido Endpoint Protection. Developer devices have been under attack. In the last few months alone, Shai Hulud, TeamPCP, Axios, and Vercel were all compromised through developer devices. Aikido Endpoint Protection secures everything your devs install before it reaches the device. Powered by Aikido Intel. Build fearlessly.
TradeLots @tradelots
@0xriptide Nothing ever changes. Crypto bounty platforms will always:
- Need POC
- Need KYC
- Need to pay $100 to submit a bug
- Can ban you if 3 bug submissions were closed as invalid
- No theoretical bugs
riptide @0xriptide
After this LZ incident, do you think project teams will now consider more "theoretical" bug bounty submissions?
TradeLots @tradelots
@YuvalRooz Oh no, I do know your opinion and agree with it. My comment was a tongue-in-cheek remark based on the debate you had yesterday with the zksync guy. Maybe that wasn't clear.
Yuval Rooz @YuvalRooz
@tradelots Clearly you have no idea what my opinion is. See my comment. I agree with Arb's decision. Clearly the guy I'm responding to doesn't. Next.
Gio @giovignone
A couple months back, the team and I were debating what was our most commonly used piece of software. We landed on Chromium. So we wanted to see if we could find live vulnerabilities in it with our AI. Today, I'm excited to share that not only did our AI find a live vulnerability in Chromium – which powers Google Chrome, Brave, Microsoft Edge, and other browsers – but we also found live bugs in Safari and Firefox. You can also find Octane Security in Chrome's latest stable release: chromereleases.googleblog.com/2026/04/stable… Check out the video for the details...
Quoting Octane Security @octane_security:
Just three engines handle 99.7% of browser traffic. Octane found vulnerabilities in all of them. This is the same security analysis we've used to secure smart contracts. Now we're targeting the mission-critical applications the rest of the world runs on.
TradeLots @tradelots
@Dogetoshi All L2s are decentralisation and permissionless theatre 🎭
Steven @Dogetoshi
Couple of questions on the Arbitrum recovery: 1) Are all future hacks on Arbitrum open to being frozen and moved to the DAO address? 2) Are past hacks eligible for fund recovery by the security council? 3) What’s the dollar cut off for the involvement of the council?
Haseeb >|< @hosseeb
Claude explains the $71M @arbitrum clawback:

What this transaction is
Tx: 0x5618...0f6b on Arbitrum, block 454686044, April 21, 2026 03:35 UTC
From: 0x5d39...7Ccc, labeled on Arbiscan as "Kelp DAO Exploiter 1"
To: 0x0000000000000000000000000000000000000DA0, a special system/recovery sink (not the normal 0x...dEaD burn address)
Value: 30,765.667 ETH (~$71M), effectively the entire Arbitrum-side balance of the attacker's hub wallet
Tx type: ArbitrumUnsignedTxType (EIP-2718 type 0x65 / 101)

The "type 101" is the key. That is not a user-signed transaction; a normal EOA physically cannot produce one. ArbitrumUnsignedTxType is an ArbOS system transaction that only the chain itself (via the sequencer / ArbOS upgrade path controlled by the Arbitrum Security Council) can inject. It bypasses the attacker's private key entirely.

The remediation (this tx)
Arbitrum's Security Council used its emergency powers to inject an ArbitrumUnsignedTxType that forcibly moved the attacker's full 30,765 ETH from the hub address into a protocol-controlled recovery sink (0x...0DA0).

Why it's "extraordinary"
Arbitrum did not perform a reorg or historical rewrite; the chain's ordering is intact. Instead, the Security Council used a privileged state-override transaction type that is part of ArbOS but has essentially never been used before. It is functionally a state-level clawback: the attacker's private key still signs txs, but that address's ETH was moved by the chain itself. This is the mechanism Arbitrum's progressive-decentralization docs reserve for "catastrophic" emergencies (12-of-N Security Council action), and this is one of the clearest public demonstrations of it being invoked.

Note that it only recovered the Arbitrum leg of the theft: the ~75,700 ETH on Ethereum is outside Arbitrum's control and remains with the attacker, which is why Aave is still facing up to ~$230M of potential bad debt on the Ethereum side.

Sources:
Arbiscan tx: arbiscan.io/tx/0x561804424…
Arbitrum Docs, ArbOS / Sequencer forced inclusion: docs.arbitrum.io/run-arbitrum-n…
Arbitrum Foundation, progressive decentralization & Security Council: docs.arbitrum.foundation/state-of-progr…
Quoting Steven @Dogetoshi:
@hosseeb @david_lee2085 @arbitrum How did Arbitrum move the hacked funds?
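The detection angle on that post: if a type-0x65 transaction is, as described, a chain-injected move that the debited address never signed, then a monitor watching blocks for that envelope type (optionally only from a watchlist of addresses) will catch a Security Council clawback or any similar privileged state override the moment it lands. This is an added example, not Arbitrum's, Haseeb's, or Claude's code. It takes from the post only the type value 0x65 (101), its name, the block number, the ETH amount and the full recovery-sink address; it assumes transaction objects shaped like a standard Ethereum JSON-RPC `eth_getBlockByNumber` result (hex-string fields) and that type 0x2 is an ordinary EIP-1559 user transaction. The sample block is constructed, and its hashes and `from` addresses are dummies because the post truncates the real ones.

```python
"""Flag chain-injected (EIP-2718 type 0x65) transactions in Arbitrum blocks.

Added example; not Arbitrum's, Haseeb's, or Claude's code. Facts taken from
the post above: type 0x65 (101) is ArbitrumUnsignedTxType, which (per the
post) is not signed by the sending address's key, and the recovery sink
address. Assumed: transaction objects shaped like a standard Ethereum
JSON-RPC eth_getBlockByNumber result (hex-string fields), and type 0x2 being
the ordinary EIP-1559 user transaction. The sample block is constructed; its
hashes and `from` addresses are dummies, since the post truncates the real ones.
"""

ARBITRUM_UNSIGNED_TX_TYPE = 0x65  # == 101, from the post
RECOVERY_SINK = "0x0000000000000000000000000000000000000da0"  # from the post
WEI_PER_ETH = 10**18

def tx_type(tx):
    """EIP-2718 type of a JSON-RPC tx object; legacy txs carry no `type`
    (or report 0x0) and map to 0."""
    return int(tx.get("type") or "0x0", 16)

def find_chain_injected(block, *, watch_from=None, min_value_wei=0):
    """Return one alert per type-0x65 transaction in `block` that moves at
    least `min_value_wei`. If `watch_from` (a set of addresses) is given,
    only txs debiting one of those addresses are reported, i.e. "this
    address's balance moved without its key signing anything"."""
    watched = {a.lower() for a in watch_from} if watch_from else None
    alerts = []
    for tx in block["transactions"]:
        if tx_type(tx) != ARBITRUM_UNSIGNED_TX_TYPE:
            continue
        sender = tx["from"].lower()
        if watched is not None and sender not in watched:
            continue
        value = int(tx["value"], 16)
        if value < min_value_wei:
            continue
        to = (tx.get("to") or "").lower()
        alerts.append({
            "hash": tx["hash"],
            "block": int(block["number"], 16),
            "from": sender,
            "to": to,
            "value_wei": value,
            "value_eth": value / WEI_PER_ETH,
            "to_is_recovery_sink": to == RECOVERY_SINK,
        })
    return alerts

EXPLOITER_DUMMY = "0x" + "cc" * 20  # stand-in for the "Kelp DAO Exploiter 1" hub wallet

# Constructed sample block, not real chain data.
SAMPLE_BLOCK = {
    "number": hex(454686044),   # block number given in the post
    "transactions": [
        {   # ordinary EIP-1559 user tx: ignored
            "type": "0x2", "hash": "0x" + "11" * 32,
            "from": "0x" + "aa" * 20, "to": "0x" + "bb" * 20, "value": hex(10**18),
        },
        {   # chain-injected move of 30,765.667 ETH into the recovery sink
            "type": "0x65", "hash": "0x" + "22" * 32,
            "from": EXPLOITER_DUMMY, "to": RECOVERY_SINK,
            "value": hex(30_765_667 * 10**15),
        },
        {   # legacy tx with no `type` field and a contract creation (`to` null)
            "hash": "0x" + "33" * 32, "from": "0x" + "dd" * 20, "to": None, "value": "0x0",
        },
    ],
}

if __name__ == "__main__":
    for a in find_chain_injected(SAMPLE_BLOCK, watch_from={EXPLOITER_DUMMY}):
        print(f"block {a['block']}: type-0x65 tx {a['hash']} moved "
              f"{a['value_eth']:,.3f} ETH from {a['from']} to {a['to']} "
              f"(recovery sink: {a['to_is_recovery_sink']})")
```

Feed it each new block from a node subscription and page on any hit. A match tells you the chain, not the address's key, moved the funds; whether that was a Security Council action or some other ArbOS path is something to confirm against the forced-inclusion and Security Council docs the post links, rather than to assume from the type byte alone.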
Ashish Kunwar @D0rkerDevil
Found multiple 0days in a baseband, reported to a well-known broker ;) but it seems that they are on resource limitations. Any suggestions or any brokers???
TradeLots @tradelots
@CraigHRowland It may be awesome, but not impressive, as @0xcharlie was stating/questioning. The density of bugs in products, and pointing that out, doesn't materially move infosec forward. Large-scale fixes or novel mitigations, on the other hand, are what would be impressive.