MoveBit

🚨 On-Chain Forensics | Ink Finance @inkfinance @0xPolygon On May 11, 2026, an attacker drained $165,162 USDT0 from Ink Finance's Treasury — by impersonating a "legitimate" claimer and walking right through claimPayroll(3). Net profit: ~$140K. Cost to attacker: a flash loan and a fake interface. Full breakdown 🧵👇

Two upgrades shipping on Claw Wallet 🐾 🔀 Smarter routing — swap & bridge auto-routes across Li.Fi / OKX / Uniswap on EVM and Jupiter on Solana, with automatic fallback when a path fails. ⛽ Gasless by default — on most EVM chains + Sui + Solana, no need to prep native gas. A dedicated sponsor service handles estimation, validation and execution. Pay fees in stablecoins, or nothing at all. Less manual switching. More reliable fills. Smoother first-tx for every new user. Join us 👇 🌐 clawwallet.cc 💬 t.me/clawwalletcc

Balancer V2 deployed ONE contract to hold every token across every pool. Looks like a single point of failure. It's actually why cross-pool arbitrage moves zero tokens, and why a flash loan can tap the entire protocol's liquidity. A thread on the Vault 🧵👇

🔬 New from BitsLab Research Balancer V2 deployed ONE contract to hold every token across every pool. Looks like a single point of failure. It's actually why: → Cross-pool arbitrage moves zero tokens → Flash loans tap the entire protocol's liquidity → A 2-token swap completes in just ONE SSTORE We spent weeks dissecting the Vault contract line by line. Part 1 of our 3-part Balancer V2 deep dive is live — covering every gas trick, every safety check, and the trade-off no one talks about (the Aug 2023 Boosted Pool incident wasn't an accident of architecture). If you're building a DeFi protocol, auditing one, or investing in one — this one's worth 15 minutes. 📖 Read Part 1 ↓ linkedin.com/pulse/balancer… Part 2 (Pool math) and Part 3 (real vulnerability post-mortems) coming next.

"split('|') was added for Telegram compatibility." That single line — promoted into the base Channel class — is now CVE-2026-31977. One `|` in a sender address bypasses nanobot's allowlist entirely. BitsLab's first nanobot disclosure. Full write-up ↓

🌍 New Partnership: Claw Wallet × TagAI We are excited to announce our collaboration with TagAI @TagAIDAO! By integrating Claw Wallet’s secure, AI-native infrastructure with TagAI's social prediction-driven community layer, we are setting a new standard for the AI Agent ecosystem. Together, we’re making on-chain AI interactions more seamless, secure, and social. 🛡️ Proudly building the future of AI Agents together on @BNBCHAIN ! 🟡 #ClawWallet #TagAI #Web3AI #AIAgents #Crypto #TagClaw #BNBChain #BuildOnBNB

🎉 We’re excited to share that MoveBit will be presenting today at the Web3 Scholars Conference 2026 in Hong Kong. web3scholar.org Our presentation: “Beyond Guesswork: LLM Driven Semantic Distillation to Fuzz and Exploit Smart Contracts” 🏆 Presenting on site today: Ziqiao Kong and Wanxu Xia Authors: Ziqiao Kong (Nanyang Technological University) Wanxu Xia (Beihang University) Borui Li (Jilin University) Yi Lu (MoveBit) Pan Li (BitsLab) Yang Liu (Nanyang Technological University) Proud to contribute to smart contract security research at the intersection of LLMs, fuzzing, DeFi semantics, and vulnerability discovery. See you at #Web3Scholars2026 in Hong Kong. @DRK_Lab #MoveBit #BitsLab #SmartContractSecurity #BlockchainSecurity #DeFiSecurity #Web3

Static code audits cannot catch attacks that use legitimate entry points. The Volo incident wasn't a contract bug — it was a privilege design flaw. When a single Keeper holds both `OperatorCap` and oracle submission rights, the loss_tolerance check becomes a self-validating loop the moment that key is compromised. Move's type system protects you from many things. It does not protect you from trusting the wrong signer.

🚨 Incident Analysis: Volo Protocol (Sui) Vault Exploit On 2026-04-21, Volo Protocol on Sui suffered a vault theft resulting in ~$3.27M in direct losses, plus ~$230K in LP share-ratio collapse — combined impact of ~$3.5M. BitsLab's post-incident analysis below. 👇

$292M vanished in a single transaction. Not from a complex zero-day. Not from a reentrancy bug. From one number set wrong in a config file. Here's what happened to Kelp DAO's rsETH bridge — and why it matters for every cross-chain protocol.

DVN misconfiguration is the new "approve unlimited allowance." It looks harmless in code review. It's catastrophic in production. 1-of-1 DVN on a $292M bridge path — this is exactly the class of architectural risk our audits flag before it ships, not after. Read the full breakdown by @0xbitslab

对 tagclaw的产品一直很 respect！ tagclaw 在 agent 社交分发和 agent swam 上面走在行业前沿，@0xNought 一直是DAO社区的OG，现在在探索 agent 自治世界，很高兴 tagclaw在用 claw wallet 底层沙箱管理私钥分片和安全风控。

Claw Wallet 🤝 TagClaw We are excited to announce our collaboration with TagClaw @TagClaw! 🦀 TagClaw is an on-chain Social & Collaborative Network for AI Agents. By integrating TagClaw’s skills into Claw Wallet, we are setting a new standard for the AI Agent ecosystem—enabling smarter coordination and modular capabilities for digital entities. 🔥We are honoured to be building this future together on BNB Chain @BNBCHAIN. Let’s push the boundaries of decentralised AI! #BNBChain #Crypto #AI #AIAgents #TagClaw #ClawWallet #TagAI

🤝 Claw Wallet x GoPlus Security Safeguarding the Future of the AI Agent Economy We are proud to announce a strategic partnership with @GoPlusSecurity, marking a pivotal milestone in building the foundational security layer for the #AIAgent era. 🌐 Redefining the Agent Infrastructure: 🔹 SafuSkill Integration: Revolutionising how AI capabilities are valued by turning "Skills" into tokenised on-chain assets with sustainable revenue streams for creators. 🔹 AgentGuard Protection: Deploying industry-leading security intelligence to provide real-time scanning and risk visualisation for every autonomous interaction. Together, we aren't just building a wallet—we are securing the next evolution of decentralised intelligence. 🛡️ #Web3 #ArtificialIntelligence #AI #CryptoSecurity #FutureTech #ClawWallet #GoPlus

🔒 Bitcoin Depot Security Incident Analysis On March 23, 2026, Bitcoin Depot @Bitcoin_Depot suffered a cyberattack that resulted in the theft of 50.903 BTC (~$3.665M) from its digital asset settlement accounts. The incident was disclosed via SEC 8-K filing on April 8. Our team at BitsLab has completed a full breakdown 👇

Today, Claw Wallet is live 🎉 Install now → clawwallet.cc 2026 — the year of Agentic Finance. Also, the year Agents dumped $250K due to a "misunderstanding" and were tricked into draining their own wallets. 250,000+ Agents on-chain. $52B market. Most of them? Swimming naked. We built #ClawWallet to end that — Claw Wallet Launches to Shield On-Chain Assets for AI Agents 🔐 Key sharding — no single point of compromise 🛡️ Policy-layer risk control that reads Agent behaviour before signing ⚡ One-click setup, auto mode, SDK for advanced ops 🚫 Malicious contracts blocked by default Your Agent runs fast. Your keys stay in YOUR hands. You spent the time building your Agent. Now give it a secure home. Install now → clawwallet.cc

@PawtatoFinance We are pleased to have completed the comprehensive security audit for @PawtatoFinance 🔐 At MoveBit, we remain committed to upholding the highest security standards to ensure the safety and integrity of the Sui ecosystem.

𝗣𝗮𝘄𝘁𝗮𝘁𝗼 𝗟𝗮𝗻𝗱 𝗔𝘂𝗱𝗶𝘁 𝗖𝗼𝗺𝗽𝗹𝗲𝘁𝗶𝗼𝗻 ✅ We mark a major step as our smart contracts have successfully passed a comprehensive audit by @MoveBit_ This reflects our commitment to building a gaming ecosystem where trust, transparency, and protection come first. Through rigorous review and reinforcement of our systems, we’re ensuring that your Pawtato Lands and Heroes assets remain exactly where they belong - in your hands. As we continue to grow, so does our responsibility to you. It is our duty to meet higher security standards and build a stronger foundation where our community can play, build, and grow with confidence, knowing that what they earn, own, and create is protected every step of the way. 🌱