BlockSec

2.2K posts


@BlockSecTeam

Smart Contract Audit | Security Monitoring | AML/CFT (KYA/KYT) | Crypto Investigation | @Phalcon_xyz @MetaSleuth @MetaDockTeam 👉TG: https://t.co/owokTLanv5

Joined December 2020
150 Following, 27.2K Followers
BlockSec reposted
BlockSec Phalcon @Phalcon_xyz
Pulled the full event history behind last week's observation. USDC froze 549 TRON wallets in 10h on Mar 24. USDT froze 521 of them in 9 days (plus 14 it froze earlier). USDT has unfrozen 90. USDC, 4. 87 sit USDT-unfrozen but USDC-frozen. One just moved ~201K USDT to @binance.
BlockSec Phalcon@Phalcon_xyz

1/3 USDT has been quietly unfreezing addresses that @circle's USDC still has frozen. In multiple cases, funds moved directly to @Binance within hours of removal.

BlockSec reposted
BlockSec Phalcon @Phalcon_xyz
ALERT! Our system detected a series of unusual transactions involving @wasabi_protocol on #Ethereum and #Base, with total abnormal fund movements of roughly $5.15M. Preliminary traces suggest that Tornado Cash-funded accounts were later granted ADMIN_ROLE-related privileges and were involved in the relevant WasabiLongPool, WasabiShortPool and WasabiVault flows. We are sharing the related transactions for visibility and encourage the team to review and clarify the associated fund movements and role changes. WasabiLongPool & WasabiShortPool: 1) app.blocksec.com/phalcon/explor… 2) app.blocksec.com/phalcon/explor… WasabiVault: 1) app.blocksec.com/phalcon/explor… 2) app.blocksec.com/phalcon/explor…
BlockSec reposted
BlockSec Phalcon @Phalcon_xyz
.@AftermathFi on #SUI was reported being attacked several hours ago, with direct losses of about $1.14M. According to the team, only Aftermath Perps was affected, while the exploit was caused by the protocol incorrectly allowing negative builder fees. Based on our analysis of the on-chain disassembled Move bytecode, the underlying implementation issue was a semantic mismatch: builder fees were expected to be user-approved, non-negative values, but were validated through a signed fixed-point comparison over a u256 interface. In the disassembled calculate_taker_fees path, the critical check was:

    // Builder fee is only checked against an upper bound.
    // Missing invariant: fee must also be non-negative.
    assert!(
        ifixed::less_than_eq(
            v5.taker_fee,
            account::get_integrator_max_taker_fee(
                account::get_integrator_config(arg1, v5.integrator_address)
            )
        ),
        errors::invalid_integrator_taker_fee()
    );

Semantically, both values were expected to represent non-negative fee rates. However, ifixed::less_than_eq() performs a signed comparison. This means that once the attacker set max_taker_fee = 0, they could pass a value such as 2^256 - 10^16, which is interpreted under signed semantics as a negative fee, i.e. -10^16. Since -10^16 <= 0 holds, the check passed.

    public fun create_integrator_info(arg0: address, arg1: u256): Option {
        let v0 = IntegratorInfo {
            integrator_address: arg0,
            taker_fee: arg1,
        };
        option::some(v0)
    }

The exploit path was further exposed because create_integrator_info() was publicly callable and did not enforce any permission or fee-bound validation on the supplied taker_fee.

    let (v7, v8, v9) = calculate_taker_fees(...);
    // v6 = taker PnL
    // v7 = normal taker fee
    // v8 = builder fee
    //
    // Intended effect:
    //   collateral += pnl - taker_fee - builder_fee
    //
    // If v8 is negative, subtracting it turns it into a positive credit.
    position::add_to_collateral_usd(
        arg0,
        ifixed::sub(v6, ifixed::add(v7, v8)),
        arg2
    );

As a result, the negative builder fee was not merely accepted; it was transformed into a direct positive collateral credit during taker settlement. The attacker then deallocated that inflated free collateral back into the account balance and withdrew real USDC from the protocol.

Some thoughts:
1) This was not just a fee bypass: the negative builder fee was converted into positive collateral during settlement.
2) The exploit was permissionless: the attacker could self-configure the taker-side cap and inject the negative fee through a public path.
3) The actual loss was realized through the normal deallocate-and-withdraw flow, meaning the inflated collateral became real withdrawable USDC from the vault.
Aftermath Finance (🥚, 🥚)@AftermathFi

Attention Aftermath community - We’ve identified an exploit affecting the protocol. Our team is actively investigating alongside leading security partners. As a precaution, the protocol has been paused and measures are being taken to minimize potential impact to user funds. We’ll continue to share updates as we learn more. Thank you for your patience.

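The signed-versus-unsigned mismatch described in the post above, as an added example that is not Aftermath's or BlockSec's code: ifixed values are modelled as raw u256 words read in two's complement, the upper-bound-only check sits beside one that also enforces non-negativity, and a settlement step shows how a "negative" fee word becomes a collateral credit. Function names and the integer-scaled sample values are assumptions.

```python
# Added illustration (not Aftermath's code): a small model of the builder-fee
# bug. ifixed values are modelled as raw u256 words interpreted in two's
# complement, which is what a signed comparison over a u256 interface implies.
U256_MASK = (1 << 256) - 1

def to_signed(word: int) -> int:
    """Interpret a u256 word as a two's-complement signed integer."""
    word &= U256_MASK
    return word - (1 << 256) if word >> 255 else word

def ifixed_less_than_eq(a: int, b: int) -> bool:
    """Signed comparison over u256 words, modelling ifixed::less_than_eq()."""
    return to_signed(a) <= to_signed(b)

def check_builder_fee_vulnerable(taker_fee: int, max_taker_fee: int) -> bool:
    """Only the upper bound is enforced: a 'negative' word passes when max is 0."""
    return ifixed_less_than_eq(taker_fee, max_taker_fee)

def check_builder_fee_hardened(taker_fee: int, max_taker_fee: int) -> bool:
    """Enforce the missing invariant: the fee must be non-negative as well."""
    return to_signed(taker_fee) >= 0 and ifixed_less_than_eq(taker_fee, max_taker_fee)

def settle_collateral(collateral: int, pnl: int, taker_fee: int, builder_fee: int) -> int:
    """collateral += pnl - (taker_fee + builder_fee), all signed (models the settlement step)."""
    return collateral + to_signed(pnl) - (to_signed(taker_fee) + to_signed(builder_fee))

# Constructed values: the integrator cap is set to 0 and the supplied fee word is
# 2^256 - 10^16, which reads as -10^16 under signed semantics.
NEGATIVE_FEE_WORD = (1 << 256) - 10**16

if __name__ == "__main__":
    print("signed view of fee word:", to_signed(NEGATIVE_FEE_WORD))
    print("vulnerable check passes:", check_builder_fee_vulnerable(NEGATIVE_FEE_WORD, 0))
    print("hardened check passes:  ", check_builder_fee_hardened(NEGATIVE_FEE_WORD, 0))
    print("collateral after settlement:", settle_collateral(1_000, 0, 0, NEGATIVE_FEE_WORD))
```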
BlockSec reposted
BlockSec Phalcon @Phalcon_xyz
ALERT! Our system detected a suspicious transaction targeting an unverified contract (0x143a737bffc6414b61134f513ceed1a64390181a) on Ethereum a few hours ago, with an estimated loss of ~$983K. The root cause was a missing access-control check in the contract’s execute() function, which enabled arbitrary call execution. By abusing a pre-existing unlimited yvWETH approval from the victim address (0x98289e90d6fc92a8769bc892d006a2baa7705afe), the attacker drained 384.67 yvWETH and later unwound the position for about 429.2 ETH. Attack TX: app.blocksec.com/phalcon/explor… 🟦 Found by #PhalconSecurity, 🟦 Analyzed via #PhalconExplorer.
BlockSec reposted
Mpost Media Group @mpost_io
Kevin Lee (@kevinlee_gate), CBO at @Gate - came as a guest today and ended up on stage for the panel on "Regulating a Fragmented World" Attendance has its privileges 😄 Moderator: Matthew Jiang (@realMatthewJ), CSO @BlockSecTeam Speakers: Chris Barford, Partner, Financial Services Consulting at @EYnews Julia Charlton, Principal Partner at @Charltonslaw Joy Lam (@Jl0082021), Founder at Clarient Advisory Regulatory fragmentation isn't temporary — it's the permanent operating environment. Build for it
BlockSec reposted
BlockSec Phalcon @Phalcon_xyz
.@arbitrum Security Council took emergency action to freeze 30,766 ETH held at the Arbitrum One address linked to the @KelpDAO exploit. The key technical point is how this was executed: it was not a normal transfer signed by the exploiter's key. Based on the on-chain trace, this appears to have been executed from Ethereum (L1) via governance-level emergency upgrade powers. The Upgrade Executor temporarily upgraded DelayedInbox, invoked a temporary entrypoint to enqueue a delayed L1→L2 message via Bridge.enqueueDelayedMessage(kind=3, ...), and then restored the original implementation. The critical logic change was that the sender input shifted from the standard msg.sender path to a caller-controlled parameter (then transformed via L1→L2 aliasing), allowing the injected message to carry exploiter-linked sender context. Also, kind=3 maps in Nitro to L1MessageType_L2Message, which allows L2MessageKind_UnsignedUserTx execution on L2, i.e., this path does not require a user signature check. So the L2 transaction view (“from exploiter to 0x…0DA0”) reflects a chain-level forced state transition, not a standard user-signed transfer. TX on L1: app.blocksec.com/phalcon/explor… TX on L2: app.blocksec.com/phalcon/explor…
Arbitrum@arbitrum

The Arbitrum Security Council has taken emergency action to freeze the 30,766 ETH being held in the address on Arbitrum One that is connected to the KelpDAO exploit. The Security Council acted with input from law enforcement as to the exploiter’s identity, and, at all times, weighed its commitment to the security and integrity of the Arbitrum community without impacting any Arbitrum users or applications. After significant technical diligence and deliberation, the Security Council identified and executed a technical approach to move funds to safety without affecting any other chain state or Arbitrum users. As of April 20 11:26pm ET the funds have been successfully transferred to an intermediary frozen wallet. They are no longer accessible to the address that originally held the funds, and can only be moved by further action by Arbitrum governance, which will be coordinated with relevant parties.

Orlando @Jack24klove
Hi guys, I've left @BlockSecTeam for a while and I'm excited to share that I'm joining @abf_finance. I graduated last year and it was my first formal job in crypto, which was a great start to my career. Here I deepened my knowledge of blockchain through hands-on root cause analysis, and gained a front-row view of the evolving global regulatory landscape, especially in the AML space. We served top protocols and CEXs, competed with leading institutions like @chainalysis and @trmlabs, and even collaborated with global law enforcement agencies including the @FBI. I was lucky to be fully trusted and supported by the team at BlockSec even though I was young. And I'm proud that I brought extensive partnerships and business deals to the company in quite a short time despite the challenges, including many top chains @Plasma @monad @megaeth @StoryProtocol and top protocols on @BNBCHAIN like @lista_dao @flapdotsh @Hertzflow_xyz. I've built my expertise in marketing and BD here and made lots of great friends along the way. I have no regrets, only gratitude for this experience. In the days ahead, I'll share my updates at @abf_finance. Here I'll leverage my understanding, judgement, and resources in the US crypto market. Together with @helen_abfinance and the team, we're building toward becoming the tier-1 CEX in the US. The summer is coming!
BlockSec @BlockSecTeam
A sad day... Hopefully the funds can be recovered and this won't leave bad debt that triggers cascading contagion.
BlockSec Phalcon@Phalcon_xyz

.@KelpDAO was reported attacked hours ago, with total losses estimated around $290M. Based on community on-chain analysis (e.g., @banteg), the likely root cause is a compromise of the configured DVN/verifier on the Unichain→Ethereum rsETH bridge route: the route relied on a 1-of-1 check, which may have let a forged/unbacked bridge message pass verification and trigger a drain from the protocol's rsETH Adapter. The exploiter then deposited rsETH into Aave/Compound/Euler and borrowed roughly $236M in assets (WETH, wstETH, WBTC), which is the attacker’s tracked profit so far. @aave has frozen rsETH markets (V3/V4). The incident is still under investigation. The main risk now is contagion: thin rsETH liquidity could turn collateral exposure into bad debt.

BlockSec @BlockSecTeam
🤝 BlockSec × @Jumio — Now in one workflow. KYC + KYT, finally stitched together. > Off-chain identity verification (Jumio) > On-chain transaction monitoring (BlockSec Phalcon Compliance) @Phalcon_xyz Built for exchanges, custodians, stablecoin issuers, Web3 projects — ready for FATF, MiCA & beyond. 🚀 #Web3 #KYC #KYT #Compliance #BlockSec
BlockSec reposted
BlockSec Phalcon @Phalcon_xyz
🗓 Weekly Web3 Security Roundup | Apr 6 - Apr 12 4 incidents | ~$928.6K lost this week Full analysis with vulnerability breakdown 👇 blocksec.com/blog/weekly-we… Starting this week, we highlight one incident at the top of each report. The selection is not necessarily based on loss amount — it may be chosen for its novel protocol design, clever attack technique, or broader lessons for the community. #Web3Security
BlockSec reposted
BlockSec Phalcon @Phalcon_xyz
Update: Further investigation indicates the root cause is proof forgery due to missing input validation in the VerifyProof() function of @hyperbridge's HandlerV1 contract. Specifically, the verifier does not enforce leaf_index < leafCount. If an attacker submits leafCount = 1 and leaf_index = 1, CalculateRoot() in the MMR path never incorporates the request commitment into root computation, so the proof can pass for arbitrary request content. This fully decouples the proof from the message it is meant to authenticate, enabling attackers to forge seemingly valid cross-chain messages against any historical overlayRoot.
BlockSec Phalcon@Phalcon_xyz

ALERT! Our system detected suspicious transactions targeting tokens managed by @hyperbridge’s HandlerV1 contract on #Ethereum, with estimated losses of ~$242K. The likely root cause is a Merkle Mountain Range (MMR) proof replay vulnerability caused by missing proof-to-request binding. This flaw allows an attacker to replay a previously accepted proof and pair it with a newly crafted request, enabling privileged actions (such as changing admin permissions) for profit. Specifically, in HandlerV1, replay protection only verifies that a request commitment (request.hash()) has not been used before. However, the proof verification process does not bind the submitted request payload to the validated proof. Because of this disconnect, a valid historical proof can be reused with a different malicious request. For example, in the transaction with the largest loss observed so far, the attacker changed the admin of the #Polkadot (#DOT) Token, then used admin privileges to mint #DOT and profit by swapping the newly minted tokens. app.blocksec.com/phalcon/explor… Other Attack TXs: • app.blocksec.com/phalcon/explor…app.blocksec.com/phalcon/explor…app.blocksec.com/phalcon/explor…app.blocksec.com/phalcon/explor…app.blocksec.com/phalcon/explor…app.blocksec.com/phalcon/explor…app.blocksec.com/phalcon/explor… 🟦 Found by #PhalconSecurity, 🟦 Analyzed via #PhalconExplorer.

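The missing leaf_index < leafCount check from the update above, as an added example rather than Hyperbridge's HandlerV1 code: a simplified Python model of how a Merkle Mountain Range membership proof is folded into a root, with the verifier shown both without and with the bound check. The peak layout, the hash function and the 3-leaf sample tree are assumptions; what it shows is that an out-of-range index leaves the leaf out of the root computation entirely, so the supplied root is reproduced whatever the request content.

```python
import hashlib

# Added illustration (not Hyperbridge's code): a simplified model of how an
# MMR membership proof is reduced to a root. Peaks are derived from leaf_count;
# the leaf is folded into the peak whose leaf range contains leaf_index, and
# every other peak hash is taken verbatim from the proof items.

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def peak_sizes(leaf_count: int) -> list:
    """Leaf counts of each perfect subtree, largest first (e.g. 5 -> [4, 1])."""
    return [1 << b for b in range(leaf_count.bit_length() - 1, -1, -1) if leaf_count >> b & 1]

def calculate_root(leaf: bytes, leaf_index: int, leaf_count: int, proof: list) -> bytes:
    """Reduce a proof to a root; mirrors the vulnerable shape: no leaf_index bound check."""
    items = iter(proof)
    peaks, start = [], 0
    for size in peak_sizes(leaf_count):
        if start <= leaf_index < start + size:
            node, pos = leaf, leaf_index - start
            for _ in range(size.bit_length() - 1):
                sibling = next(items)
                node = h(sibling, node) if pos & 1 else h(node, sibling)
                pos >>= 1
            peaks.append(node)
        else:
            # Leaf is not under this peak: the peak hash comes straight from the proof.
            peaks.append(next(items))
        start += size
    root = peaks[-1]
    for peak in reversed(peaks[:-1]):   # bag the peaks right to left
        root = h(peak, root)
    return root

def verify_vulnerable(root, leaf, leaf_index, leaf_count, proof) -> bool:
    """An index >= leaf_count matches no peak, so the leaf never enters the root."""
    return calculate_root(leaf, leaf_index, leaf_count, proof) == root

def verify_hardened(root, leaf, leaf_index, leaf_count, proof) -> bool:
    """The missing input validation: reject indices the tree cannot contain."""
    if not 0 <= leaf_index < leaf_count:
        return False
    return calculate_root(leaf, leaf_index, leaf_count, proof) == root

# Constructed 3-leaf MMR: peaks are h(L0, L1) and L2; root = h(h(L0, L1), L2).
L0, L1, L2 = (h(b"request-%d" % i) for i in range(3))
ROOT = h(h(L0, L1), L2)
```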
BlockSec @BlockSecTeam
Excited to partner with @InterlaceMoney to enhance the compliance and risk control of agentic payment. 🤖 By integrating BlockSec's KYT capabilities into Interlace's payment infrastructure, we're enabling real-time transaction monitoring across the full payment lifecycle. #AI #Web3 #agenticpayments #digitalpayments
interlace.money@InterlaceMoney

We’re excited to announce a strategic partnership between @InterlaceMoney and @BlockSecTeam, a leader in blockchain security. Together, we’re advancing the future of stablecoin payments by collaborating on security across the entire transaction lifecycle. By combining Interlace’s payment infrastructure with BlockSec’s cutting-edge security solutions, we aim to enhance real-time monitoring, risk evaluation, and on-chain safety, especially in the agentic payment field. This partnership reinforces our shared commitment to building a more secure, trustworthy foundation for institutions and individuals in the next digital financial system driven by AI. #AI #AIAgent #Web3 #interlace #digitalpayments #agenticpayments #aipayments
