Decurity

317 posts


@DecurityHQ

DeFi Security | Tier-1 Security Audit Firm | Top-2 in @Paradigm and @OpenZeppelin CTF | Public audits: https://t.co/CqYGRNibvj

Joined October 2011
74 Following · 3.4K Followers
Decurity (@DecurityHQ)
>BlockSec Phalcon flagged it as a copycat of a near-identical exploit on Veil Cash, a smaller Base-network privacy protocol drained just days earlier for 2.9 ETH.

Seems you missed this: x.com/Veildotcash/st…. The total amount was 4.5 ETH; we detected the first attack and then rescued the other pools - eventually all the funds were returned (even the original attacker decided to return).
Quoted post: Veil.Cash (@Veildotcash)

Post-mortem: Legacy Veil Cash Fixed Pools Incident

Yesterday, an incident impacted Veil Cash legacy fixed-denomination pools on Base. Live Veil pools (ETH, USDC, cbBTC) and staking were not affected. These pools were sunset from new deposits ~6 months ago and had no withdrawals from remaining funds in the past ~3 months.

Timeline:
- At ~18:09 UTC, an exploiter drained ~2.9 ETH from ~4.5 ETH remaining in the legacy pools via a ZK proof forgery caused by a misconfigured Groth16 verifier.
- A whitehat (@DefimonAlerts) intervened shortly after, recovering 2.025 ETH and returning funds to veildotcash.eth.
- Later at ~22:05 UTC, the exploiter returned the remaining funds to veildotcash.eth without prior contact.

In summary, 100% of funds from the affected pools have now been recovered and secured.

Next steps:
- Working with security partners to deploy a return contract enabling funds to be claimed by rightful owners.
- Strengthening validation and expanding audit cadence across all current Veil Cash contracts.

The affected legacy pools remain deprecated. The Veil Cash protocol continues operating normally.

Rekt News (@RektHQ)
One skipped CLI step left @FOOMCASH's zk verifier broken from day 1. Someone read the Veil Cash post-mortem, scaled it up, & drained $2.26M. Decurity recovered $1.84M, for a $100K fee. $320K kept under the protocol's own code-is-law bounty. Net loss $420K. rekt.news/the-unfinished…
Decurity (@DecurityHQ)
>For four days, the entire Ethereum-side recovery sat in plain sight on-chain, unspent and unobscured, while the protocol and the security firm quietly negotiated the terms of return.

That's not correct; you'd better check the onchain data: we returned the rescued funds within 3 hours. The bounty was offered by the protocol - we didn't demand anything.
Decurity reposted
Foom (@Foomclub_)
$2.26M Exploit on foom.cash

On February 27th at 7:30 AM, foom.cash was hit for $2.26M. We have successfully recovered ~81% of the funds ($1.84M) thanks to an elite white-hat response.

The Damage & Recovery
Total Drained: $2.26M
Recovered: $1.84M (90% of Ethereum funds) via @DecurityHQ.
Bounty/Costs: $420k total. $320k to @duha_real (White-hat/Researcher). $100k to @DecurityHQ (Security fee).

From Contestant to White-hat
The exploit was first triggered by @duha_real. Interestingly, he was the winner of our Bitcointalk hacking contest held a year ago. He identified the vulnerability and moved to secure the funds on Base before malicious actors could strike, while @DecurityHQ handled the rescue operation on Ethereum.
Decurity (@DecurityHQ)
Amid the AI frenzy, how healthy is the web3 security VC and M&A pipeline? Judge for yourself! Here's a review of the past exits and future IPOs in the web3 security market: blog.decurity.io/web3-security-…
Decurity reposted
Defimon Alerts (@DefimonAlerts)
USDT quirk that bricks contracts

The reason why Tether destroyed balances of SimpleAssetWithdrawer and DiamondStakingV3 is not because they are malicious, but because of a mistake in these contracts.

It's a known fact that the USDT contract is ancient and does not conform with ERC20. Namely, it does not return a boolean value in transfer() and transferFrom(). We specifically monitor events when Tether destroys USDT balances of smart contracts for this particular quirk.

In this case both contracts have a require() for the return values of transfer() and transferFrom() calls, which makes it impossible to withdraw USDT from them (i.e. the USDT balance is locked forever).

As we have observed, Tether just silently destroys balances and reimburses the contract owners, usually after they contact Tether directly. Some very well-known projects made this mistake before and had millions of USDT locked until Tether manually erased their balances. You can easily find it onchain 😉

References: github.com/d-xo/weird-erc… (#missing-return-values)
Quoted post: Defimon Alerts (@DefimonAlerts)

🚫 Blacklist Event: usdt_destroyed_black_funds 🌐 Network: mainnet 🏷️ Token: 0xdac17f958d2ee523a2206206994597c13d831ec7 (USDT) ⛔️ Address: 0xb5a73cbee0af2f98fdf8ba515aa8fabdf307a47c (DiamondStakingV3) 💰 Destroyed balance: $15,655 etherscan.io/tx/0x06694e252…

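The mechanism behind the alert above, as an added example (this is not Defimon's, Tether's or either bricked contract's code; `NaiveWithdrawer`, `SafeWithdrawer`, `SafeTransfer`, `Demo` and the `MockTether` stand-in are constructed for illustration). When a token is called through an interface that declares `returns (bool)`, the compiler-generated decoder insists on 32 bytes of return data and reverts when a USDT-style token returns none, so the `require()` in the naive withdrawer is never even reached and every USDT withdrawal reverts. The hardened version makes a low-level call and accepts either no return data or an ABI-encoded `true`, the same approach OpenZeppelin's SafeERC20 takes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Standard ERC-20 view of a token: transfer/transferFrom declare `returns (bool)`.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Constructed stand-in for USDT: transfer() and transferFrom() return nothing.
/// Only the missing-return-value quirk is modelled (no fees, blacklist, etc.).
contract MockTether {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    constructor() { balanceOf[msg.sender] = 1e12; } // 1,000,000 USDT at 6 decimals

    function approve(address spender, uint256 amount) external {
        allowance[msg.sender][spender] = amount;
    }

    function transfer(address to, uint256 amount) external {
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
    }

    function transferFrom(address from, address to, uint256 amount) external {
        allowance[from][msg.sender] -= amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
    }
}

/// VULNERABLE pattern (access control omitted for brevity): the high-level
/// call expects 32 bytes of return data. With USDT the decoder reverts before
/// require() runs, so the contract can never move its USDT out.
contract NaiveWithdrawer {
    function withdraw(IERC20 token, address to, uint256 amount) external {
        require(token.transfer(to, amount), "transfer failed");
    }
}

/// HARDENED: low-level call that tolerates tokens which return no data.
library SafeTransfer {
    function safeTransfer(address token, address to, uint256 amount) internal {
        _call(token, abi.encodeCall(IERC20.transfer, (to, amount)));
    }

    function safeTransferFrom(address token, address from, address to, uint256 amount) internal {
        _call(token, abi.encodeCall(IERC20.transferFrom, (from, to, amount)));
    }

    function _call(address token, bytes memory data) private {
        // A call to an address with no code "succeeds" with empty return data,
        // which the lenient check below would otherwise accept as a USDT-style
        // silent success. Rule it out first.
        require(token.code.length > 0, "not a contract");
        (bool ok, bytes memory ret) = token.call(data);
        // Accept: call succeeded AND (no return data OR decoded bool is true).
        require(ok && (ret.length == 0 || abi.decode(ret, (bool))), "token op failed");
    }
}

contract SafeWithdrawer {
    using SafeTransfer for address;

    function withdraw(address token, address to, uint256 amount) external {
        token.safeTransfer(to, amount);
    }
}

/// Harness: funds both withdrawers with the mock token and tries to drain each.
contract Demo {
    MockTether public usdt = new MockTether();
    NaiveWithdrawer public naive = new NaiveWithdrawer();
    SafeWithdrawer public safe = new SafeWithdrawer();

    constructor() {
        usdt.transfer(address(naive), 100e6);
        usdt.transfer(address(safe), 100e6);
    }

    /// Returns (naive withdrawal succeeded, safe withdrawal succeeded).
    function run() external returns (bool naiveOk, bool safeOk) {
        try naive.withdraw(IERC20(address(usdt)), msg.sender, 100e6) { naiveOk = true; } catch { naiveOk = false; }
        try safe.withdraw(address(usdt), msg.sender, 100e6) { safeOk = true; } catch { safeOk = false; }
    }
}
```

Deploying `Demo` in a sandbox such as Remix and calling `run()` returns `false` for the naive path and `true` for the safe path: the same 100 USDT that is stuck forever in `NaiveWithdrawer` leaves `SafeWithdrawer` without trouble. A cheap pre-deployment check is to grep a codebase for `require(` wrapped around a bare `.transfer(` or `.transferFrom(` on a token address that is not hard-coded to a known-compliant token.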
Decurity reposted
100proof.org (@1_00_proof)
Cryptotwitter misses all but the biggest and most visible hacks. There's a steady stream of protocols affected by hacks. Shout out to @DefimonAlerts for these excellent alerts. (Please refrain from cynical or unempathetic replies to this post)
Decurity (@DecurityHQ)
Most audits miss Web2.5. Smart contract auditors focus onchain. Backend devs trust the blockchain. But the real attack surface is the interaction between them. Case study from our recent audit: double-spend via reverted-tx secret leak + ECDSA mismatches. blog.decurity.io/a-web2-5-vulne…
Decurity (@DecurityHQ)
🧐 Your protocol was audited in 2022? That's exactly why it got hacked in 2025. 2025 was the year hackers went hunting through old, audited code — and rounding errors became million-dollar exploits. Our breakdown of top 10 DeFi incidents of this year: 2025-recap.decurity.io
Decurity (@DecurityHQ)
anchor-constraints-analyzer parses your constraints and shows:
🟢 constants/system addresses
🔴 undefined accounts (potential vulns)
🟠 needs manual review
No more tracing has_one and seeds by hand.
Decurity (@DecurityHQ)
Ever audited Solana Anchor constraints with 20+ accounts and cross-checks everywhere? Our own @passkeyra built a tool that turns them into visual graphs - red flags for missing checks pop out immediately. blog.decurity.io/auditing-solan…
Decurity reposted
Midl (@midl_xyz)
Hack Happens: Decoding Yearn with @DecurityHQ ⚙️ Bitcoin Security Council has a new job to do: join our DevRel, @MidlBigG, and @theRaz0r, CTO & Co-Founder of Decurity debriefing the recent @yearnfi exploit. As usual, we will have a deep dive into the circumstances and outcomes of Yearn’s incident and run through the security management under high pressure. See you December 2, 13:00 UTC!
Decurity reposted
Defimon Alerts (@DefimonAlerts)
Unprotected uniswapV3SwapCallback callback in 0xc0ffee's MEV-bot contract was exploited The callback verifies msg.sender against input arguments which makes it trivial to bypass it. As a result the attacker stole $218k worth of LINK tokens. basescan.org/tx/0x83da47641…
Quoted post: Defimon Alerts (@DefimonAlerts)

🟠 Alert: to be disclosed soon 🤕 Victim: *** 🎪 Network: *** 🎩 Attacker: *** 🪄 Exploit: *** 💸 Balance Change: $218,678.11 💎 Full Details at Defimon Signals t.me/+m9BMRKlMuW5iM…

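The bug class named in the alert above, as an added example. This is not 0xc0ffee's bot or Defimon's code: the page does not show the exploited contract, so `VulnerableBot` reconstructs only the pattern the alert describes (a callback that compares `msg.sender` with an address taken from its own `data` argument), and `HardenedBot`, `SwapData` and the `expectedPool` slot are hypothetical names. The Uniswap V3 interfaces are the real ones; everything else is illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IUniswapV3Factory {
    function getPool(address tokenA, address tokenB, uint24 fee) external view returns (address);
}

interface IUniswapV3Pool {
    function token0() external view returns (address);
    function token1() external view returns (address);
    function swap(
        address recipient,
        bool zeroForOne,
        int256 amountSpecified,
        uint160 sqrtPriceLimitX96,
        bytes calldata data
    ) external returns (int256 amount0, int256 amount1);
}

/// VULNERABLE (reconstructed pattern, not the real bot): the address the
/// callback compares msg.sender against is decoded from `data`, which the
/// caller supplies. An attacker calls this function directly, passes their own
/// address as `pool` plus any token/amount the bot holds, and gets paid.
contract VulnerableBot {
    function uniswapV3SwapCallback(int256, int256, bytes calldata data) external {
        (address pool, address token, uint256 amountOwed) =
            abi.decode(data, (address, address, uint256));
        require(msg.sender == pool, "not pool"); // attacker controls `pool`
        IERC20(token).transfer(msg.sender, amountOwed);
    }
}

/// HARDENED: the callback trusts only state the bot itself set before calling
/// the pool, re-derives the pool from the factory, and pays exactly what the
/// pool reports as owed.
contract HardenedBot {
    IUniswapV3Factory public immutable factory;
    address public immutable owner;
    address private expectedPool; // zero except while a swap we started is in flight

    struct SwapData { address tokenIn; address tokenOut; uint24 fee; }

    constructor(IUniswapV3Factory _factory) {
        factory = _factory;
        owner = msg.sender;
    }

    function swapExactIn(address tokenIn, address tokenOut, uint24 fee, uint256 amountIn, uint160 sqrtPriceLimitX96) external {
        require(msg.sender == owner, "not owner");
        require(amountIn <= uint256(type(int256).max), "amount too large");
        address pool = factory.getPool(tokenIn, tokenOut, fee);
        require(pool != address(0), "no pool");

        expectedPool = pool;
        IUniswapV3Pool(pool).swap(
            address(this),
            tokenIn < tokenOut,      // zeroForOne: token0 is the lower address
            int256(amountIn),        // positive = exact input
            sqrtPriceLimitX96,
            abi.encode(SwapData(tokenIn, tokenOut, fee))
        );
        expectedPool = address(0);
    }

    function uniswapV3SwapCallback(int256 amount0Delta, int256 amount1Delta, bytes calldata data) external {
        // 1. Only the pool we are mid-swap with may call us. Outside a swap
        //    expectedPool is zero, so no caller can match.
        require(msg.sender == expectedPool, "unexpected caller");

        // 2. Defence in depth: recompute the pool from the factory instead of
        //    trusting anything carried in `data`.
        SwapData memory d = abi.decode(data, (SwapData));
        require(msg.sender == factory.getPool(d.tokenIn, d.tokenOut, d.fee), "pool mismatch");

        // 3. Pay what the pool says we owe, in the token it says we owe.
        //    Exactly one delta is positive in a V3 swap callback.
        address token;
        uint256 owed;
        if (amount0Delta > 0) {
            token = IUniswapV3Pool(msg.sender).token0();
            owed = uint256(amount0Delta);
        } else {
            require(amount1Delta > 0, "nothing owed");
            token = IUniswapV3Pool(msg.sender).token1();
            owed = uint256(amount1Delta);
        }
        require(token == d.tokenIn, "wrong token"); // an exact-input swap only ever pays tokenIn
        IERC20(token).transfer(msg.sender, owed);
    }
}
```

Uniswap's own periphery performs the second check without an external call: `CallbackValidation.verifyCallback` recomputes the pool's CREATE2 address from the factory, the ordered token pair, the fee and the pool init code hash, then compares it with `msg.sender`. Either way the rule is the same: the identity a callback trusts must come from state the contract controls or from the factory, never from calldata the caller supplies. The payout above uses a plain `IERC20.transfer`; for tokens that return no bool (USDT), use a low-level safe-transfer call instead.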