BitsLab (@0xbitslab)
330 posts
Securing and Building EMERGING Web3 Ecosystems ☂️ @MoveBit_ | @ScaleBit_ | @TonBit_
Joined July 2024
101 Following, 2K Followers
BitsLab @0xbitslab:
💡 The one-line takeaway: For high-value payment paths, supportsInterface() is just a surface signal. The real boundary of risk is identity verification, duty/permission checks, and beneficiary binding — applied at the moment of payout, not just upstream. Follow for more on-chain forensics 🔔 Join our community 👇 t.me/BitsLabHQ

BitsLab @0xbitslab:
8/9 🛠 What teams should do — for Ink Finance, and as a general lesson:
P0 — NOW
▸ Pause affected workspace claim entries
▸ Audit all registered claimers / executors / beneficiaries
▸ Add real beneficiary-binding validation at the Treasury payout layer
P1 — SHORT TERM
▸ Stop treating supportsInterface() as sufficient authorization
▸ Verify deployer, implementation, workspace, and duty for every claimer
▸ Block the pattern: fresh contract + same-tx claim + large Treasury outflow
P2 — MID TERM
▸ Add timelocks / multisig / circuit breakers for sensitive claims
▸ Real-time anomaly monitoring on Treasury outflows
▸ Post-upgrade auto-checks for registry & binding consistency
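
The "supportsInterface() is only a surface signal" takeaway and the P0/P1 checklist above, shown side by side as an added illustration (not Ink Finance's code and not from the original posts). `WeakTreasury` accepts any caller that answers `supportsInterface()` and pays whatever beneficiary the caller reports; `BoundTreasury` moves the boundary to the payout itself: governance-only registration, a pinned codehash, a duty check, a minimum claimer age that defeats "deploy + claim in the same transaction", a per-claim cap, and a beneficiary bound at registration rather than read from the caller. The names `IClaimer`, `WeakTreasury`, `BoundTreasury`, `register` and the `PAYROLL` duty are all assumptions; the flash-loan deposit step from the thread is not modelled.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Ink Finance's code. All contract, interface and
// function names here are hypothetical.

interface IERC165 {
    function supportsInterface(bytes4 interfaceId) external view returns (bool);
}

// Assumed claimer interface: a claimer reports where its payout should go.
interface IClaimer is IERC165 {
    function beneficiary() external view returns (address);
}

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

/// @dev Weak pattern: any contract that returns true from supportsInterface()
/// is treated as an authorised claimer, so a freshly deployed contract passes,
/// and the payout address is whatever the caller says it is.
contract WeakTreasury {
    IERC20 public immutable token;

    constructor(IERC20 _token) { token = _token; }

    function claimPayroll(uint256 amount) external {
        require(
            IERC165(msg.sender).supportsInterface(type(IClaimer).interfaceId),
            "not a claimer"
        );
        // Nothing ties msg.sender to a registered duty or a known beneficiary.
        token.transfer(IClaimer(msg.sender).beneficiary(), amount);
    }
}

/// @dev Hardened pattern: the risk boundary is enforced at the moment of payout.
contract BoundTreasury {
    struct Claimer {
        address beneficiary;  // bound at registration, never read from the caller
        bytes32 codehash;     // EXTCODEHASH pinned at registration (for proxies, pin the implementation instead)
        bytes32 duty;         // e.g. keccak256("PAYROLL")
        uint256 registeredAt; // used to reject claimers that are too new
        uint256 cap;          // maximum payout per claim
    }

    IERC20 public immutable token;
    address public immutable governance;
    uint256 public constant MIN_AGE = 1 days; // blocks "deploy + claim in the same tx"
    bytes32 public constant PAYROLL = keccak256("PAYROLL");

    mapping(address => Claimer) public claimers;

    constructor(IERC20 _token, address _governance) {
        token = _token;
        governance = _governance;
    }

    /// @dev Deployer/implementation vetting happens here, under governance control,
    /// rather than being inferred from the caller at claim time.
    function register(address claimer, address beneficiary, bytes32 duty, uint256 cap) external {
        require(msg.sender == governance, "only governance");
        require(claimer.code.length > 0, "claimer must be a contract");
        require(beneficiary != address(0), "no beneficiary");
        claimers[claimer] = Claimer(beneficiary, claimer.codehash, duty, block.timestamp, cap);
    }

    function claimPayroll(uint256 amount) external {
        Claimer memory c = claimers[msg.sender];
        require(c.registeredAt != 0, "unregistered claimer");
        require(c.duty == PAYROLL, "wrong duty");
        require(msg.sender.codehash == c.codehash, "implementation changed");
        require(block.timestamp >= c.registeredAt + MIN_AGE, "claimer too new");
        require(amount <= c.cap, "over cap");
        // supportsInterface() may still be checked, but it is no longer the authorisation.
        require(
            IERC165(msg.sender).supportsInterface(type(IClaimer).interfaceId),
            "not a claimer"
        );
        // Payout goes to the bound beneficiary, not to an address supplied by the caller.
        require(token.transfer(c.beneficiary, amount), "transfer failed");
    }
}
```

Against the sequence in the thread (deploy a contract that fakes the claimer interface, then call `claimPayroll` in the same transaction), `BoundTreasury` rejects the call at `unregistered claimer` before any token moves; even a registered claimer cannot redirect funds, because the beneficiary is never read from `msg.sender`. The P2 items (timelocks, multisig, outflow monitoring) sit above this layer and are not shown.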

BitsLab @0xbitslab:
2/9 TL;DR — what actually happened:
1️⃣ Flash-loan 24,982 USDT0 from Balancer Vault
2️⃣ Push that same amount into the Treasury
3️⃣ Deploy a malicious contract that fakes a claimer interface
4️⃣ Call claimPayroll(3) → Treasury pays out 165,162 USDT0
5️⃣ Repay the flash loan
6️⃣ Walk away with 140,180 USDT0
One transaction. One business path. Eligibility check bypassed.

BitsLab @0xbitslab:
4/9 📍 The exploit transaction: 0xb469a24ec737be16fe41367a7b5b315c7f03b4e0ff3af50b3a2db03b3066b982 Everything — flash loan, Treasury deposit, interface spoof, claimPayroll(3), payout, loan repayment, profit extraction — happens in this single tx on Polygon. Atomic. Clean. Devastating.

BitsLab @0xbitslab:
🚨 On-Chain Forensics | Ink Finance @inkfinance @0xPolygon On May 11, 2026, an attacker drained $165,162 USDT0 from Ink Finance's Treasury — by impersonating a "legitimate" claimer and walking right through claimPayroll(3). Net profit: ~$140K. Cost to attacker: a flash loan and a fake interface. Full breakdown 🧵👇

BitsLab reposted
Claw Wallet @clawwalletcc:
Two upgrades shipping on Claw Wallet 🐾
🔀 Smarter routing — swap & bridge auto-routes across Li.Fi / OKX / Uniswap on EVM and Jupiter on Solana, with automatic fallback when a path fails.
⛽ Gasless by default — on most EVM chains + Sui + Solana, no need to prep native gas. A dedicated sponsor service handles estimation, validation and execution. Pay fees in stablecoins, or nothing at all.
Less manual switching. More reliable fills. Smoother first-tx for every new user.
Join us 👇 🌐 clawwallet.cc 💬 t.me/clawwalletcc

BitsLab @0xbitslab:
🔬 New from BitsLab Research
Balancer V2 deployed ONE contract to hold every token across every pool. Looks like a single point of failure. It's actually why:
→ Cross-pool arbitrage moves zero tokens
→ Flash loans tap the entire protocol's liquidity
→ A 2-token swap completes in just ONE SSTORE
We spent weeks dissecting the Vault contract line by line. Part 1 of our 3-part Balancer V2 deep dive is live — covering every gas trick, every safety check, and the trade-off no one talks about (the Aug 2023 Boosted Pool incident wasn't an accident of architecture).
If you're building a DeFi protocol, auditing one, or investing in one — this one's worth 15 minutes.
📖 Read Part 1 ↓ linkedin.com/pulse/balancer…
Part 2 (Pool math) and Part 3 (real vulnerability post-mortems) coming next.

BitsLab @0xbitslab:
5/5 Concentrating all assets in one Vault is brilliant. It also means: if the Vault breaks, the whole protocol is exposed. The Aug 2023 Boosted Pool incident is exactly this risk realized. Full breakdown by @0xbitslab — every gas trick, every safety check 👇 linkedin.com/pulse/balancer…

BitsLab @0xbitslab:
4/5 How do you simulate a swap without executing it? Balancer V2's answer: execute it for real, then revert with the result. Self-call → real execution → revert with deltas → outer caller decodes. The only Vault function NOT marked nonReentrant. Reentrancy IS the feature.
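
The "execute for real, then revert with the result" query pattern from the post above, as an added, simplified illustration; this is not Balancer's Vault code, and the pool math inside `batchSwap` is a placeholder. The shape is the one the post describes: the public query self-calls an entrypoint that performs the real swap, packs the deltas into the revert data, and reverts so every state change is undone; the outer call catches the revert and decodes the deltas. Only the query is left without `nonReentrant`, because it must re-enter its own contract. The names `QueryByRevert`, `batchSwap`, `_queryRevert`, `queryBatchSwap` and the `QueryResult` marker are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of query-by-revert, not Balancer's own implementation.
contract QueryByRevert {
    uint256 private _locked;
    mapping(address => int256) public balances; // constructed demo state

    // Marker so the outer call can tell a query result apart from a real failure.
    bytes4 private constant QUERY_OK = bytes4(keccak256("QueryResult(int256[])"));

    modifier nonReentrant() {
        require(_locked == 0, "reentrant");
        _locked = 1;
        _;
        _locked = 0;
    }

    /// @dev The real swap: mutates state and returns the deltas it produced.
    /// Guarded like every other state-changing entrypoint.
    function batchSwap(int256[] memory amounts) public nonReentrant returns (int256[] memory deltas) {
        deltas = new int256[](amounts.length);
        for (uint256 i = 0; i < amounts.length; i++) {
            balances[msg.sender] += amounts[i];
            deltas[i] = amounts[i] * 2; // placeholder pool math, not a real curve
        }
    }

    /// @dev Self-call target: runs the swap for real, then reverts carrying the
    /// deltas as revert data so that all of its state changes are rolled back.
    function _queryRevert(int256[] memory amounts) external {
        require(msg.sender == address(this), "self-call only");
        int256[] memory deltas = batchSwap(amounts);
        bytes memory data = abi.encodeWithSelector(QUERY_OK, deltas);
        assembly {
            revert(add(data, 32), mload(data))
        }
    }

    /// @dev The query entrypoint. Deliberately NOT nonReentrant: it re-enters the
    /// contract through this._queryRevert, and batchSwap takes the lock inside.
    /// Callers use it via eth_call; it is not view because of the external self-call.
    function queryBatchSwap(int256[] memory amounts) external returns (int256[] memory deltas) {
        try this._queryRevert(amounts) {
            revert("query must revert");
        } catch (bytes memory reason) {
            bytes32 word;
            assembly {
                word := mload(add(reason, 32))
            }
            if (bytes4(word) != QUERY_OK) {
                // A genuine failure (e.g. the swap itself reverted): bubble it up unchanged.
                assembly {
                    revert(add(reason, 32), mload(reason))
                }
            }
            // Drop the 4-byte marker so the payload is a plain abi.encode(int256[]).
            assembly {
                mstore(add(reason, 4), sub(mload(reason), 4))
                reason := add(reason, 4)
            }
            deltas = abi.decode(reason, (int256[]));
        }
    }
}
```

The marker check is what keeps the trick safe: without it, a revert raised by the swap itself would be decoded as if it were a result. Because the query relies on re-entering its own contract, any reentrancy guard applied to `queryBatchSwap` would make it always fail, which is why the post calls the reentrancy the feature rather than the bug.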

BitsLab @0xbitslab:
Balancer V2 deployed ONE contract to hold every token across every pool. Looks like a single point of failure. It's actually why cross-pool arbitrage moves zero tokens, and why a flash loan can tap the entire protocol's liquidity. A thread on the Vault 🧵👇

BitsLab @0xbitslab:
It took one character to break it. `|` — that's all an attacker needs to bypass nanobot's Channel allowlist and slip into the Agent Loop with full access to whatever tools the deployment exposes. CVE-2026-31977. The first vuln BitsLab found in nanobot. Read on ↓
Quoted article card (BitsLab @0xbitslab): x.com/i/article/2049…
