Defi Nerd

286 posts


@Defi_Nerd_sec

Web3/DeFi Security Researcher & Enthusiast. Hosted by DARKNAVY @DarkNavyOrg.

Joined January 2026
41 Following, 178 Followers
Pinned Tweet
Defi Nerd
Defi Nerd@Defi_Nerd_sec·
Over the past few weeks we've been building AI-powered security skills for Web3, covering smart contract auditing, blockchain client auditing, and onchain exploit investigation. Here is the skills repo👇 github.com/DarkNavySecuri…
forefy
forefy@forefy·
@Defi_Nerd_sec Added! As a megacollector of skills I love to see niche ones; I still did not see any equivalents of client-auditor or exploit-investigator. Keep up the great work!
forefy tweet media
Pashov Audit Group
Pashov Audit Group@PashovAuditGrp·
5 new AI security tools added to the Web3 Security AI tools and Skills Collection🫡 Free, Open Sourced, Paid, Closed Sourced - everybody is building one, they are all listed here. 50 stars already and counting⭐️
Pashov Audit Group tweet media
Defi Nerd
Defi Nerd@Defi_Nerd_sec·
@immunefi @XRPLF @RippleXDev These skills are under active and frequent maintenance. We are also going to release all the past analyzed incidents' details based on the skill in a separate repo.
Defi Nerd
Defi Nerd@Defi_Nerd_sec·
@MayaStone420 LLMs are also capable :) we just want to make them not make mistakes with the facts of the call trace, etc.
Maya
Maya@MayaStone420·
@Defi_Nerd_sec The contract is not verified so how do you get all these information?
Defi Nerd
Defi Nerd@Defi_Nerd_sec·
🚨An unverified escrow-like contract at on Ethereum Mainnet was fully drained in block 24,707,679 (timestamp 2026-03-22 UTC) through an **integer overflow** in its deposit function `0x317de4f6`. The deposit function accumulates entry amounts into a running total using unchecked arithmetic before passing that total to `transferFrom`. By supplying two entries whose amounts sum to `1 mod 2^256`, the attacker caused only 1 raw USDT unit to be pulled from them via `transferFrom`, while the per-entry amounts stored in the claim mapping remained uninflated — giving the attacker a stored claimable balance of 97,812,920,709 raw USDT (the full pool) at a cost of 1 raw unit. The attacker then called `claim()`, which faithfully transferred the stored amount, draining ~97,812.92 USDT. The stolen USDT was swapped to approximately 45.34 ETH via the Uniswap V3 USDT/WETH pool, and sent to the attacker EOA through two self-destructing disposable contracts.
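The accounting defect described in the post, reconstructed as an added example (the drained contract is unverified, so this is a hypothetical pattern, not its source): the vulnerable deposit sums the amounts in an `unchecked` block, and the hardened form keeps checked arithmetic and credits entries only after confirming the full total arrived. `IERC20Like`, `EscrowVulnerable` and `EscrowFixed` are assumed names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal token interface (assumption). transferFrom is declared without a return
// value so the call also works with tokens such as USDT that return nothing.
interface IERC20Like {
    function transferFrom(address from, address to, uint256 amount) external;
    function balanceOf(address account) external view returns (uint256);
}

// The pattern described in the post: per-entry credits are stored exactly, but the
// total pulled from the depositor is summed in an unchecked block, so two amounts
// that sum to 1 mod 2^256 pull a single unit while crediting both in full.
contract EscrowVulnerable {
    IERC20Like public immutable token;
    mapping(address => uint256) public claimable;

    constructor(IERC20Like _token) { token = _token; }

    function deposit(address[] calldata to, uint256[] calldata amounts) external {
        uint256 total;
        for (uint256 i = 0; i < amounts.length; i++) {
            unchecked { total += amounts[i]; } // the defect: wraps silently
            claimable[to[i]] += amounts[i];    // credited in full
        }
        token.transferFrom(msg.sender, address(this), total);
    }
}

// Hardened form: checked arithmetic reverts instead of wrapping, and credits are
// written only after confirming the escrow received the whole total.
contract EscrowFixed {
    IERC20Like public immutable token;
    mapping(address => uint256) public claimable;

    constructor(IERC20Like _token) { token = _token; }

    function deposit(address[] calldata to, uint256[] calldata amounts) external {
        require(to.length == amounts.length, "length mismatch");
        uint256 total;
        for (uint256 i = 0; i < amounts.length; i++) {
            total += amounts[i]; // checked by default in 0.8: reverts on overflow
        }
        uint256 before = token.balanceOf(address(this));
        token.transferFrom(msg.sender, address(this), total);
        require(token.balanceOf(address(this)) - before == total, "short transfer");
        for (uint256 i = 0; i < to.length; i++) claimable[to[i]] += amounts[i];
    }
}
```

The balance-delta check is the invariant an auditor would look for here: credited claims must never exceed tokens actually received, regardless of how the total was computed.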
Defi Nerd
Defi Nerd@Defi_Nerd_sec·
@johnny651269898 I suppose many AI hackers are deployed for backward scanning or real time monitoring
Defi Nerd
Defi Nerd@Defi_Nerd_sec·
😿On 2026-03-18, the dTRINITY @dTRINITY_DeFi dLEND lending protocol (an Aave v3 fork deployed on Ethereum mainnet) was exploited through a **flash loan abuse combined with a logic error** in the flash loan repayment accounting. An attacker manipulated the cbBTC reserve's liquidity index from ~1.0 RAY to 6,226,622 RAY in a preparatory transaction, then used that inflated index to borrow 257,328 dUSD against phantom collateral in the exploit transaction. The protocol lost **257,328.63 dUSD (~$257,000)** in outstanding undercollateralized debt; the cbBTC aToken is additionally insolvent by 7.86 cbBTC (~$786,000 at $100k/BTC) due to extraction of phantom cbBTC during the exploit. The attacker's net cost was approximately 0.1245 cbBTC (~$12,500) paid as a flash loan premium in the setup transaction, yielding a net profit of approximately $257,000 in dUSD transferred to the attacker EOA.
Defi Nerd
Defi Nerd@Defi_Nerd_sec·
Call trace:
Defi Nerd tweet media
Defi Nerd
Defi Nerd@Defi_Nerd_sec·
🚨On March 22, 2026, the CyrusTreasury @Cyrus_finance protocol on BNB Chain was exploited through a price manipulation attack against its `withdrawUSDTFromAny` function, which is called internally by `exit()`. The vulnerable contract (`CyrusTreasury`, `0xb042ea7b35826e6e537a63bb9fc9fb06b50ae10b`) reads the live PancakeSwap V3 pool `slot0` price to determine how much liquidity to remove from managed LP positions, with no TWAP or manipulation-resistant oracle. By flash-borrowing 1,798 ETH and executing a large ETH→USDT swap that moved the ETH/USDT price dramatically, the attacker forced the protocol to remove the LP position almost entirely in the high-ETH-price direction, collecting approximately 1,827 ETH and 1,707 USDT from two `exit()` calls against a single Cyrus position NFT. After restoring the price via a reverse swap and repaying the flash loan, the attacker netted **~28.14 ETH and ~454,169 USDT** at the expense of the protocol's PancakeSwap V3 liquidity pool.
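Added example, not CyrusTreasury code: a guard that derives the tick from the pool's cumulative observations (`observe`) instead of `slot0`, and refuses to proceed while the spot tick deviates from the TWAP tick, which is the state a single-transaction swap creates. Assumptions: `IV3PoolLike`, `TwapGuardedExit` and the 30-minute window are mine, and the `slot0` layout follows PancakeSwap V3 (uint32 `feeProtocol`).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Subset of the PancakeSwap V3 pool interface (assumption: slot0's feeProtocol is
// uint32 on PancakeSwap V3; it is uint8 on Uniswap V3).
interface IV3PoolLike {
    function slot0() external view returns (uint160 sqrtPriceX96, int24 tick, uint16, uint16,
        uint16, uint32 feeProtocol, bool unlocked);
    function observe(uint32[] calldata secondsAgos) external view
        returns (int56[] memory tickCumulatives, uint160[] memory secondsPerLiquidityX128);
}

// Hypothetical guard, not CyrusTreasury code: refuse to act while the spot tick is far
// from the time-weighted tick, which is exactly the state a flash-loan swap creates.
contract TwapGuardedExit {
    IV3PoolLike public immutable pool;
    uint32 public constant TWAP_WINDOW = 30 minutes; // pool needs enough observation cardinality
    int24 public constant MAX_TICK_DEVIATION = 100;  // roughly 1% in price

    constructor(IV3PoolLike _pool) { pool = _pool; }

    // Arithmetic mean tick over the window from the pool's cumulative observations,
    // rounded toward negative infinity as Uniswap's OracleLibrary.consult does.
    function twapTick() public view returns (int24 meanTick) {
        uint32[] memory secondsAgos = new uint32[](2);
        secondsAgos[0] = TWAP_WINDOW; // start of window
        secondsAgos[1] = 0;           // now
        (int56[] memory cumulatives, ) = pool.observe(secondsAgos);
        int56 delta = cumulatives[1] - cumulatives[0];
        int56 window = int56(uint56(TWAP_WINDOW));
        meanTick = int24(delta / window);
        if (delta < 0 && delta % window != 0) meanTick--;
    }

    // slot0 is cheap to read but movable within one transaction; compare it to the TWAP.
    modifier notManipulated() {
        (, int24 spot, , , , , ) = pool.slot0();
        int24 diff = spot - twapTick();
        if (diff < 0) diff = -diff;
        require(diff <= MAX_TICK_DEVIATION, "spot price deviates from TWAP");
        _;
    }

    // Tick the liquidity-removal math should price from: the TWAP, and only while the
    // pool is in a consistent state. The removal itself is outside this example.
    function pricingTickForExit() external view notManipulated returns (int24) {
        return twapTick();
    }
}
```

`observe` reverts with `OLD` if the pool's observation cardinality does not cover the window, so the cardinality must be grown (via `increaseObservationCardinalityNext`) before relying on this guard.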
Defi Nerd
Defi Nerd@Defi_Nerd_sec·
Related URLs
- Transaction: etherscan.io/tx/0x73bd1384e…
- Victim contract: etherscan.io/address/0xf0a1…
- Attacker EOA: etherscan.io/address/0x7bd7…
- Uniswap v4 PoolManager: etherscan.io/address/0x0000…
Source: x.com/TenArmorAlert/…
TenArmorAlert@TenArmorAlert

🚨TenArmor Security Alert🚨 Our system has detected two suspicious attacks involving two unverified contracts 0xf0a1/0x39ed on #ETH by an attacker, resulting in an approximate loss of $108K. Attack transactions: etherscan.io/tx/0x73bd1384e… etherscan.io/tx/0x1382e898a… With TenArmor’s TenMonitor, you get early detection and automated response to on-chain attacks. Need protection? Reach out anytime! #TenArmorAlert #TenArmor

Defi Nerd
Defi Nerd@Defi_Nerd_sec·
Financial impact:
Defi Nerd tweet media