adeolu 🐤

28.6K posts


@adeoluwami__

always learning about evm security research and development.

Joined April 2020
3.5K Following, 1.7K Followers
adeolu 🐤 retweeted
nonse.eth ⟠ (@NonseOdion)
Balancer Hack Part 4: Breaking the protocol was the easy part. Escaping with the money was the hard part.

Every successful exploit needs three things:
1. The right state.
2. The exploit.
3. A way to get out with the profit.

Most researchers focus on #1 and #2. But #3 is often what determines whether a bug is actually exploitable.

In Part 4 of my Balancer hack series, I break down how the attacker escaped after manipulating the invariant. They had to overcome two major obstacles:
• Internal defences: Balancer reverting with errors
• External defences: MEV bots waiting to steal the opportunity

The result is a practical playbook for turning a theoretical vulnerability into a feasible exploit. If you've ever found a bug and wondered, "Could this actually be exploited?" this article will change how you think.

Read it here: open.substack.com/pub/rehackt/p/…

Your next high-severity finding may not need a bigger bug. It may just need a better escape route.
Quoting nonse.eth ⟠ (@NonseOdion):

NEW: Balancer Hack, Part 3 is live. Title: Turning Rounding Errors into Invariant Collapse.

This is where we stop theorising about the rounding bug and start weaponising it. The article walks through the exact swaps that force Balancer to undervalue its own pool and repeatedly crush the invariant.

What makes this stage fascinating is that Balancer fights back hard:
• swap overflow errors
• Newton-Raphson quote failures
• repeated transaction reverts

The hacker still manages to bend the protocol into a stable exploit loop.

Full breakdown: open.substack.com/pub/rehackt/p/…

Afriauditor (@Afriauditor)
My entire ethos of hunting has been to find only Criticals and Highs, but every now and then I keep pumping on these. Of all the lows I have found, I am most proud of this because it came from a very reputable project. Shout out to @only01Essential for always being 1 call away.
Juan (@0xjuaan)
1/ Introducing purrtrace.com. We're building the only explorer purpose-built for HyperEVM. Trace CoreWriter calls, view unified EVM+Core state, and bridging flows, all in one explorer.
adeolu 🐤 retweeted
jayesh (@0xjayeshyadav)
1/ Diamond proxies share storage across all facets. When two facets accidentally land at the same slot, writes from one silently corrupt the other, no revert, no error, just bad state. I shipped a tool that catches this statically. Link: github.com/jayeshy14/Diam…
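An added illustration of the collision the post describes, not the tool it links: the check below consumes the per-facet layout that `solc --storage-layout` emits (a `storage` list with label/slot/offset/type and a `types` map with `numberOfBytes`) and reports every storage byte that two facets both claim. The facet layouts are constructed sample data.

```python
"""Diamond facet storage-collision check (added example, not the post's tool).
Input is the per-facet layout `solc --storage-layout` emits: a `storage` list
(label/slot/offset/type) plus `types` with numberOfBytes. Facets that declare
ordinary state variables all start at slot 0, so they overlap silently."""
from itertools import combinations
# Constructed sample: two facets with plain state variables (they collide) and
# one that only uses a keccak-namespaced struct, so its layout is empty.
FACET_LAYOUTS = {
    "OwnershipFacet": {
        "storage": [
            {"label": "owner", "slot": "0", "offset": 0, "type": "t_address"},
            {"label": "paused", "slot": "0", "offset": 20, "type": "t_bool"},
        ],
        "types": {"t_address": {"numberOfBytes": "20"},
                  "t_bool": {"numberOfBytes": "1"}},
    },
    "VaultFacet": {
        "storage": [
            {"label": "totalShares", "slot": "0", "offset": 0, "type": "t_uint256"},
            {"label": "feeBps", "slot": "1", "offset": 0, "type": "t_uint16"},
        ],
        "types": {"t_uint256": {"numberOfBytes": "32"},
                  "t_uint16": {"numberOfBytes": "2"}},
    },
    "SafeFacet": {"storage": [], "types": {}},
}

def byte_ranges(layout):
    """[(label, start, end)]: half-open absolute byte offsets into storage."""
    out = []
    for var in layout["storage"]:
        size = int(layout["types"][var["type"]]["numberOfBytes"])
        start = int(var["slot"]) * 32 + int(var["offset"])
        out.append((var["label"], start, start + size))
    return out

def find_collisions(layouts):
    """(facetA, varA, facetB, varB, slot) for every cross-facet byte overlap."""
    ranges = {name: byte_ranges(lay) for name, lay in layouts.items()}
    hits = []
    for a, b in combinations(ranges, 2):
        for la, sa, ea in ranges[a]:
            for lb, sb, eb in ranges[b]:
                if sa < eb and sb < ea:  # the two ranges share a byte
                    hits.append((a, la, b, lb, sa // 32))
    return hits

if __name__ == "__main__":
    for a, la, b, lb, slot in find_collisions(FACET_LAYOUTS):
        print(f"slot {slot}: {a}.{la} overlaps {b}.{lb}")
```

Facets that keep all state in a struct at a keccak-derived position, as the diamond storage pattern prescribes, show an empty `storage` list and never trip the check; the namespaced positions themselves would need a separate comparison.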
adeolu 🐤 retweeted
banteg (@banteg)
layerzero solosig dependency check in if you haven't hardened your config, you are sitting on an unnecessary dependency on layerzero 3/5 solosig. if it gets compromised, it could instantly drain all the adapters that rely on the default receive library. after the kelp exploit, the vulnerable adapters tallied to $3.13 billion. after some outreach, the number has dropped to $178 million. good progress, but still not enough. there is still a long tail of projects that have ignored this advice. i will make this simple for you. here is a full list with exact calls for how to pin the default library. gist.github.com/banteg/cbf7505…
adeolu 🐤 retweeted
Luke (@LukeWhosTalking)
This is getting serious. We learned from Covid that too soft measures too late were no good. It's time for a full lockdown. Also, null and void the football season. It's harsh on Arsenal, obviously, but sadly health and safety comes first.
Quoting Politics Global (@PolitlcsGlobal):

🚨🇳🇱 NEW: A KLM flight attendant has been hospitalised in the Netherlands after showing Hantavirus symptoms. The individual had been in contact with a woman who died from an infection of the virus in Johannesburg. [@SkyNews]

adeolu 🐤 retweeted
Guild Academy (@GuildAcademy_)
Ethereum needs more security engineers. Attackers are scaling faster than defenders, and the pipeline of qualified researchers is too small. Guild Academy is building that pipeline — 5 cohorts in. We're in @thedaofund 500 ETH Ethereum Security round on @Giveth, and it uses Quadratic Funding. That means $1 from 100 donors > $100 from 1 donor. Your small donation unlocks much more from the matching pool. If our work matters to you, even $1 helps.👇 🔗 qf.giveth.io/project/guild-…
playboi.eth (@adeolRxxxx)
I am happy to say I topped 6 out of 500+ participants in the Move contest on @sherlockdefi
> I didn’t touch the code once.
> I built an algorithm from absolute scratch.
> It found 4 out of the 6 issues that made the top 6.
> I never opened the source.
> I and @Pelz_Dev only wrote the reports and submitted the findings.
> I’ve been building this in silence. No clout. No noise.
> Because I don’t talk about shit I can’t prove.
> This isn’t here to replace auditors.
> It’s here to show the beauty of hacking live contracts on-chain in real time. No lowballing. No shortcuts. Just straight, undeniable proof of work, exactly how black hats are already using AI.
> I built this because I’ve been cheated on, played, and ignored too many times.

It runs in 3 phases:
1. Contests: This was my backtesting ground.
2. Bug bounties: where I show real results.
3. Live chains: Instances deployed on mainnet, auto-targeting protocols that push unaudited commits straight to chain.

Currently at 50% complete. Still building and implementing.

One of its features is that when it hits a protocol with closed-source code on-chain, it automatically decompiles the bytecode back into clean, human-readable source, then throws its entire knowledge graph and reasoning engine at it. It systematically breaks down every layer until the protocol is fully reverse-engineered and every vulnerability is exposed.

This is just the beginning.
adeolu 🐤 retweeted
Jeffrey Scholz (@Jeyffre)
Do all your coding inside a VM. Seriously. UTM for Mac is free, works fantastically, and lets you run Mac inside Mac. Get into the habit now before you get rekt by library supply chain issues you cannot control or anticipate. mac.getutm.app Or buy a second laptop. Not having separation nowadays is lunacy.
Quoting CoinDesk (@CoinDesk):

LATEST: A senior blockchain security researcher at CertiK told CoinDesk on Wednesday that North Korea’s Lazarus Group is running a new macOS-focused campaign dubbed “Mach-O Man” that targets executives at fintech, crypto and other high-value firms through routine business communications.

adeolu 🐤 retweeted
Jameson Lopp (@lopp)
We're supposed to believe that both of these are true:
1. Anthropic trained an LLM so smart at security that it will usher in a cybersecurity apocalypse.
2. Anthropic's security is so bad that they had multiple failures & data leaks in the span of a few weeks.
adeolu 🐤 retweeted
OMAH LAY (@Omah_Lay)
ZXX