Duc Cuong

859 posts

Duc Cuong

Duc Cuong

@ducnst

Founder @ThemisLabs

Earth Katılım Ocak 2011
566 Takip Edilen359 Takipçiler
MEXC
MEXC@MEXC·
How safe is Web3 today? Join our YouTube Live with @ducnst, founder of @ThemisLabs, as we discuss the biggest cybersecurity challenges facing crypto. 🛡️ 📅 Jul 14, 12:00 PM (UTC) 👉Join LIVE: youtube.com/live/aP4JsUTj-…
YouTube video
YouTube
MEXC tweet media
English
16
12
65
22.6K
Duc Cuong
Duc Cuong@ducnst·
@InverseFinance governance proposal executed a few minutes ago. One transaction, 12 calls. Themis decoded the tx, so @InverseFinance was adding a new lending market where sDOLA (their yield-bearing DOLA) can be used as collateral to borrow DOLA, with an 87% LTV and a $5M debt ceiling. The interesting part: the collateral is sDOLA, so the new market expands borrowing capacity on top of existing DOLA exposure rather than introducing new collateral. That also makes recursive leverage (looping) possible. IMO, this changes the protocol's risk profile. etherscan.io/tx/0x926db1e45…
Duc Cuong tweet media
English
0
0
2
62
Duc Cuong
Duc Cuong@ducnst·
On-chain: @MetronomeDAO Synth upgraded its msETH implementation on Base and Ethereum within ~1 min, each via the proxy's 3-of-5 governance multisig. Both new impls verified as SyntheticToken. Coordinated cross-chain upgrade. etherscan.io/tx/0x46905958e…
English
0
0
1
127
Duc Cuong
Duc Cuong@ducnst·
I searched Google for @Uniswap today. The first result is a wallet drainer. The real app is second. The sponsored slot points to *uniswap-dashboard-v4.ustorage3.com*. I pulled the page before writing this. It returns an empty HTML shell with the title "Uniswap" and nothing else. The clone renders client-side in JavaScript. Static scanners see a blank page. Type the URL. Bookmark it. Never trust the ad slot.
Duc Cuong tweet media
English
1
0
1
138
Duc Cuong
Duc Cuong@ducnst·
During @MIM_Spell's active MIM depeg, our security posture monitor at @ThemisLabs flagged a fresh address (0x5C3923…) being added as a signer to a controlling multisig. From 3/5 to 3/6, threshold held at 3, so the signing ratio eased 60%→50%. The address has no prior transaction history and owns no other Safe. Added through the existing signer quorum. Could be an emergency-response signer the team spun up, yet still worth watching. A new key gained control-plane authority during an active incident, which is the exact moment authority changes deserve attention. tx: etherscan.io/tx/0x30a2dfede…
Duc Cuong tweet media
English
1
0
1
168
Lynn
Lynn@LynnWWins·
Women-led, lean & mean team
Superteam Vietnam@SuperteamVN

Superteam Vietnam now runs on a team of two - @LynnWWins and @dieubui2522. Today, meet the second half! Daphne is our Operations Lead, focused on community programs, ecosystem partnerships, and helping local builders plug into Solana. With over 5 years across traditional brand marketing and digital assets, plus growth leadership at Saros, Viction, and Coin98, she brings a hands-on, builder's approach to scaling in fast-moving markets. She genuinely believes Vietnam has a real role to play in the global builder ecosystem, and she's the type to let the work do the talking. Welcome, Daphne 🇻🇳

English
3
0
40
2.5K
Duc Cuong
Duc Cuong@ducnst·
Humanity Protocol's compromised proxy changed implementation again today. Themis Scan flagged it within seconds. Initially, I thought it was an attack. The proxy's upgrade history is three events. The original implementation, live for a year. The malicious one installed during the June 9 hack. And today, the protocol restoring the original. Today's change reverted to the year-old verified launch code, undoing the attacker's upgrade. We are building Themis Scan to catch the changes that matter, upgrades, authority transfers, threshold changes, before it becomes security incident Hold tight, more is coming
Duc Cuong tweet media
English
1
1
3
540
Defi Nerd
Defi Nerd@Defi_Nerd_sec·
🚨 DIP on BNB Chain was exploited for `111,097.596667856001191208 USDC` after a token transfer bug let `skim(router)` double-drain DIP reserves and rewrite the AIC-DIP price. 💰 Impact: The attacker drained `29,037,659.001700876485419035 #AIC` from the manipulated AIC-DIP pair and cashed out `111,097.596667856001191208 USDC`. ⏰ Time: 2026-06-16 16:28:38 UTC, BNB Chain block `104598279` 🔎 Root cause: DIP `_transfer(address,address,uint256)` executed `super._transfer(from, to, amount)` inside the `isRouter` branch and then executed it again unconditionally, so any transfer where `from == uniswapV2Router || to == uniswapV2Router` moved tokens twice. 🧭 Attack trace: 1. The attacker used helper contract `0xddef10a85a5c67a9af8398d297aa51f8716383c7` to flash-swap `19,000,000 AIC`. 2. The helper bought DIP, then sent DIP surplus into the AIC-DIP pair. 3. Calling `skim(router)` triggered DIP's router path twice, then `sync()` locked the pool at only `1,045 wei` DIP reserve. 4. The helper sold remaining DIP into the broken price, drained AIC, repaid the flash swap, and exited through AIC-USDC for USDC. 📌 Key addresses: - Attacker EOA: `0x0d4024cd27538350a911d9b7ee90811fa4875ba3` - Attack Contract: `0xddef10a85a5c67a9af8398d297aa51f8716383c7` - Vulnerable Contract: `0x6c60bf5db0670ae94489d3dde2c60f271625db50` - Vulnerable Contract: `0xf7d8267d01d1104da2dd30828aa9c0e1647919ef` 🧾 Tx: bscscan.com/tx/0x1c0939584… 🛡️ Takeaway: Fee-on-transfer and router-special-case token logic must preserve one-transfer semantics across AMM `skim`, `sync`, and router paths, or reserve accounting becomes attacker-controlled. Powered by #DarkNavy Web3 AI Agent
Defi Nerd tweet mediaDefi Nerd tweet media
English
3
5
24
2.3K
Duc Cuong
Duc Cuong@ducnst·
Themis Scan gave Aztec Connect a control-plane score of 100. However, the protocol was drained for roughly 2.1 million dollars on June 14. Does that mean Themis got it wrong? Spoiler alert: No. The score was right. Funds left through the proving layer, which on-chain analysis alone cannot see into. Let's take a dive into the onchain analysis. The contract had been immutable since the 2024 sunset. No upgrade key, authority renounced. This is confirmed on-chain. We then traced how a contract with no live operator lost everything: The attacker made 14 processRollup calls. Each carried a SNARK proof. The contract's original, never-modified verifier checked all 14 and returned valid, with the real precompiles running. No upgrade, no setVerifier, no admin call, no approval drain. Around 909 ETH and six tokens left through the rollup's own withdrawal path, gated by nothing but a valid proof. The contract did exactly what it was built to do, for the attacker. The problem most likely sits in the proving system. Our onchain trace cannot prove why the proofs were forgeable. It needs the off-chain circuit and proving key analysis. Those are not public.
Duc Cuong tweet media
Aztec Labs@AztecLabs_

We are investigating a potential exploit affecting Aztec Connect. ~$2.1m was transferred from the immutable smart contract in transaction: etherscan.io/tx/0x074ec9317… Aztec Connect was deprecated 3 years ago. Aztec Labs holds no admin keys or control over the system; it cannot be paused or upgraded by us. We will share further updates in due course.

English
0
1
2
304
Duc Cuong
Duc Cuong@ducnst·
@therealchaseeb no “current” users? how about the money in the contract? was that printed
English
0
0
0
15
chase
chase@therealchaseeb·
Sorry to see this. Thankfully no current users are affected. But this is a warning. Fable is out and people are actively using it to exploit legacy code and contracts. Don't wait to secure your shit.
Infra | Raydium@0xINFRA

Raydium is aware of an exploit involving unauthorized removal of liquidity from its legacy AMM V3 program which was previously phased out in 2021. No current users of Raydium are affected by this exploit or would have been able to interact with these pools through the UI since their deprecation. Raydium’s SDK and DAPP do not support mainnet interactions with legacy AMM V3 pools. The exploiter’s address is: 4WnPebowR4HHfumvNPaDjG6Pa5Hi1jxLm6xmmBq33QVk There were 5 pools affected: Sollet USDT - RAY Sollet ETH - RAY SRM - RAY USDC - RAY RAY - SOL An initial review of exploited assets of value are: ~150,177 RAY ~5,603 SOL ~893,700 USDC The market value of assets exploited is ~$1.34m. Full compensation will be handled by Raydium’s treasury. Legacy AMM V3 was previously only enabled to use deposited funds to place orders on the Serum order book. The program did not provide swap functionality and following the deprecation of Serum, the associated liquidity remained idle. For proportion checks, the program relied on the LP token supply. The vulnerability stemmed from insufficient validation of the LP mint. Because the program did not properly verify the LP mint address, an attacker was able to create a new mint and use it as the LP token, bypassing the intended proportion checks. By contrast, all other Raydium mainnet programs use a virtual supply mechanism for proportion checks and correctly verify the LP mint along with all other relevant account information, preventing this class of vulnerability. It is important to note that the vulnerability was caused by a self-contained logic flaw, not a key compromise or authority-level issue, so there is no propagation risk. Raydium's current programs are unaffected by this exploit. @Raydium core contributors are conducting a security review on all mainnet programs.

English
5
9
82
21K
Duc Cuong
Duc Cuong@ducnst·
@VietnamNewsVNS the risks of pirated softwares is that they most likely contain different kinds of malware/backdoors. Better use licensed or open-sourced :)
English
0
0
2
181
Việt Nam News
Việt Nam News@VietnamNewsVNS·
⚠ Việt Nam has launched its first-ever criminal case involving several companies over the alleged installation of pirated Microsoft Windows and Office software, with estimated losses to copyright holders running into tens of billions of đồng. 👉 vietnamnews.vn/society/178323…
Việt Nam News tweet mediaViệt Nam News tweet mediaViệt Nam News tweet media
English
2
4
30
3.5K
Duc Cuong
Duc Cuong@ducnst·
@f12sec It's like going to a bank to exchange money. The only catch is the money you bring is fake.
English
0
0
2
256
F12
F12@f12sec·
🚨 SOLVED: ~$1.3M Raydium-AMM exploit on Solana We traced every hop on-chain The bug? A FAKE LP token (supply=1) → Withdraw → 100% of the pool drained. ~$1.3M bridged via deBridge → 810 ETH straight into Tornado Cash. Here's exactly how 🧵👇
F12 tweet mediaF12 tweet media
F12@f12sec

🚨 Raydium drained of ~$1.3M (reported by @PeckShieldAlert / Specter) Attacker funded from KuCoin → bridged Solana to ETH → laundered 810 ETH via Tornado Cash + 7 ETH to FixedFloat. Tracing the on-chain flow now. 👇

English
4
6
48
18.5K
Duc Cuong
Duc Cuong@ducnst·
Raydium lost $1.34m yesterday to a program it "retired" in 2021. "No current users affected" only helps comforting users. The money was still there, contract was still live. The only thing that changed in 2021 was that Raydium stopped looking at it. In short, the legacy AMM V3 pools never verified the LP mint. So the attacker minted their own LP token, presented it as the real one, and withdrew against a supply they controlled. It's like going to a bank to exchange money. The only catch is the money you bring is fake. The same bug we found when audited the Saros DLMM reward program in 2025. We caught this class in an audit. Raydium found it in production, years later. Link to our previous DLLM reward report (first bug, 5.1): github.com/cybring-xyz/au…
English
1
0
0
87
Blockhay
Blockhay@blockhaydotcom·
JUST IN: Humanity Protocol: Attacker Obtained Seven Private Keys from a Committed Device Humanity Protocol ethereum:0xcf5104d094e3864cfcbda43b82e1cefd26a016eb stated in an investigative report that the June 8 attack was due to a security vulnerability after a developer's computer was infected with malware, allowing the attacker full root access. Several private keys were inadvertently backed up to the device during the project's mainnet launch around June 2025, including the administrator hot wallet key, three ETH Safe owner keys, and three BSC Safe owner keys, allowing the attacker to obtain all seven keys from a single point of entry. The report stated that this incident was not a smart contract exploit, as there were no flaws in the bridge, token, or Safe, and the attacker's transfers, Safe transactions, and proxy upgrades were all authorized using valid private keys. Prior to this, the protocol had already suffered losses of over $31 million in this attack.
Blockhay tweet media
English
4
0
7
189
Steven | Crypto Research
Steven | Crypto Research@Steven_Research·
Ai tin là bị hack chứ tôi thì không 🫡 Dự án @Humanityprot dùng ví đa chữ ký (multisig) nhưng lại để 1 người cầm nắm giữ nhiều private key trong cùng multisig. *Các bác đã biết thì ví đa chữ ký cần có nhiều người ký thì mới thực hiện được - Ví bridge trên Ethereum: 3-of-6 multisig (cần 3/6 key để ký). - Ví trên BNB Chain: 3-of-5 multisig (cần 3/5 key để ký). => Vấn đề là 1 người này phải cầm tối thiểu 3/6 và 3/5 key để có thể ký được thành công. => Và thật là chính người này bị hack máy (nguyên nhân chưa rõ). Kết quả là hacker drain >17 ví liên quan (holding, bridge, staking…). => Sau đó bán tháo H token lấy ETH/BNB trên DEX. Mint thêm 100 triệu token H mới trên BNB Chain (giá trị ~11 triệu USD) rồi bán ngay để tăng áp lực bán. Hơn 19 triệu USD bị hack *Điều châm biếm ở đây là Humanity là dự án làm bảo mật xác thực ZK bằng user identity (quét lòng bàn tay, chứng minh bạn là người thật mà không lộ dữ liệu) - Cuối cùng chính họ lại không bảo mật được ví dự án của mình? Vừa vi phạm nguyên tắc bảo mật khi để 1 người cầm hết key, vừa không có công nghệ bảo mật nào đa tầng phức tạp hơn khi mà chính dự án của mình làm về bảo mật 💀
Steven | Crypto Research tweet media
Steven | Crypto Research@Steven_Research

CÁC VỤ HACK THÁNG 5 VẪN ĐANG TIẾP DIỄN Tháng 5/2026 tiếp tục chứng kiến nhiều vụ exploit nhắm vào cross-chain bridge và DeFi protocol, với Verus-Ethereum bridge và THORChain là hai ví dụ nổi bật nhất. 1. Verus-Ethereum Bridge Hack (18/5/2026) - Thiệt hại: Khoảng 11.58 – 11.6 triệu USD. Tài sản bị drain: 103.6 tBTC, 1.625 ETH, ~147.000 USDC (sau đó swap thành ~5.402 ETH). - Cơ chế: Attacker giả mạo cross-chain transfer message (forged message), khai thác lỗ hổng validation trên bridge. Không có kiểm tra xác thực đầy đủ nên bridge tự động chuyển tài sản từ reserve ra ví attacker - Tình trạng: Exploit vẫn đang active khi được phát hiện bởi Blockaid và PeckShield. Attacker chuẩn bị qua Tornado Cash trước đó vài giờ. 2. THORChain (THORSwap/Asgard Vault) Exploit (15/5/2026) - Thiệt hại: Khoảng 10 – 10.8 triệu USD (một số báo cáo ban đầu ~7.4M, sau cập nhật lên cao hơn). - Tài sản: 36.75 BTC (~3M USD) + ~7M USD các token EVM (USDT, USDC, WBTC, DAI… trên Ethereum, BSC, Base, Avalanche, DOGE, Litecoin, Bitcoin Cash, XRP). - Cơ chế: Malicious node (mới churned) khai thác Asgard vaults, thực hiện unauthorized outbound transactions trên ít nhất 9 chain cùng lúc. Nghi ngờ liên quan đến threshold signature scheme (GG20). - Tình trạng: THORChain ngay lập tức halt trading để bảo vệ các vault còn lại. Đội ngũ xác nhận exploit, mở compensation portal ~10M USD cho victim (không phải toàn bộ loss). RUNE dump mạnh ~12-15%. => Đây là vụ lớn thứ 2 của THORChain trong năm (trước đó có incident nhỏ hơn năm 2025). 3. Các vụ hack nhỏ hơn khác trong tháng 5/2026 (theo DefiLlama hacks database ) *Những vụ này nhỏ hơn nhưng vẫn đáng chú ý vì diễn ra liên tục: - TrustedVolumes (7/5): ~6.7 triệu USD – Forged RFQ orders (protocol logic). - Ekubo (5/5): 1.4 triệu USD – Improper access control. - Renegade (10/5): 209K USD – Unprotected initializer. - INK Finance (11/5): 140K USD – Whitelisted address impersonation. - SmartCredit (4/5): 72K USD – Flashloan exploit. - SharwaFinance (1/5): ~33K USD – Oracle price manipulation. => Hầu hết các vụ gần đây đều khai thác bridge/cross-chain messaging (forged message, validation bypass) hoặc operational compromise (malicious node, social engineering). Bridge vẫn là “điểm yếu chí mạng” của DeFi. => Các bác hết sức lưu ý khi sử dụng các bridge nhé!

Tiếng Việt
5
2
32
4.1K