ExVul

@exvulsec

State-of-the-art Web3 security services (audits, pentest etc). We are trusted by OKX, Bitget, Stacks, Aptos, Sui, etc. Book an audit: https://t.co/mOtBwIAwnt

Web3 World · Joined September 2023
245 Following · 3.8K Followers
ExVul@exvulsec·
🚀 We just open-sourced exvul-solana-skill — a prompt-native security auditor for Solana smart contracts. One command. Zero scripts. Full audit report. It runs a 7-stage pipeline inside Claude Code: scope → deep sweep → candidate generation → adversarial verification → report. Every finding starts as "likely false positive" and has to prove itself. Less noise, more signal. github.com/exvulsec/exvul… #Solana #Security #AI #OpenSource #web3security
ExVul@exvulsec·
🚨NEW: We found a previously unknown bug in Anchor Framework (v0.31.0+)
A single-byte custom discriminator can silently kill the entire event system.
discriminator = [] captures ALL instructions. Zero warnings from compiler, IDL, or runtime.
Writeup + PoC: exvul.com/blog/anchor-on…
ExVul@exvulsec·
🚨@InverseFinance Related contracts of crvUSD/sDOLA have been compromised (DOLA is issued by , with no exploitation of InverseFinance's own contracts). The stolen asset is crvUSD, with an initial estimated loss amounting to 2,347,964.436417844103988417 crvUSD.
In a single transaction, the attacker first manipulated the oracle price, then exploited the vulnerability where the list of liquidatable users relies on real-time prices to conduct batch liquidation arbitrage, and additionally created a substantial new borrowing exposure.
Tx: app.blocksec.com/phalcon/explor…
Attacker Addresses: etherscan.io/address/0x33a0…
The attacker first obtained USDC and WETH funds through flash loans, mortgaged WETH to borrow 25 million crvUSD, then successively called functions such as savedola.exchange, LLAMMA.exchange, sDOLA.redeem and DolaSavings.stake. They triggered a LLAMMA price refresh with an in_amount of 0 to drive up the price_w, artificially creating a large number of liquidatable users with negative health scores.
Next, the attacker deployed an auxiliary contract and injected initial funds into it; the auxiliary contract then executed batch liquidations on 27 users, exploited the spread arbitrage generated by stablecoin_received exceeding debt during liquidation, and funneled all liquidation proceeds back to the main attack contract.
Preliminary analysis shows that the core cause of the vulnerability lies in the flawed price dependency mechanisms of the crvUSD Controller and LLAMMA contracts. Functions including users_to_liquidate, liquidate and min_collateral all rely on the amm_oracle.price_w, a price that can be atomically manipulated within a single transaction, and do not adopt a cross-block stable price feed.
A critical logical flaw is that liquidation eligibility is determined solely by calculating user health scores based on the manipulated price at a single point in time. Furthermore, the liquidate function does not conduct secondary verification of abnormal price fluctuations and user health scores during execution, which enabled the attacker to complete a closed loop of "price manipulation - liquidation arbitrage" within a single transaction.
ExVul@exvulsec·
Furthermore, since there are no other on-chain protections: The contract only checks whether nullifierHashes[_nullifierHash] has been used. For new sequential integers, this check will always pass.
ExVul@exvulsec·
Here’s a professional, precise, audit-style English translation for your technical analysis:
At this point, the attacker can:
1. Fix arbitrary values of A and B.
2. Compute vk_x for each target pubSignals (including any nullifierHash).
3. Solve backwards for a value C that satisfies the equation: C = f(A, B, alpha, beta) - vk_x (elliptic curve group operation).
4. Submit the proof tuple (A, B, C), which will pass verifyProof.
ExVul@exvulsec·
🚨 FOOM Lottery Attack Analysis 🚨
On February 26, 2026, the FOOM Lottery protocol @Foomclub_ was attacked. The attacker exploited a critical flaw in the Groth16 Trusted Setup within the ZK verifier and called collect() 30 times consecutively in a single transaction, ultimately stealing approximately 19,695,576,757,802 FOOM and nearly draining the entire contract balance.
FOOM Lottery in this incident is an anonymous reward claiming contract based on Zero-Knowledge Proofs (Groth16). Users can claim rewards by submitting a zk proof. The contract validates the proof via WithdrawG16Verifier and uses nullifierHash to prevent double-spending. However, due to incorrect verification key parameters, the soundness of the entire proof system was compromised.
Attack Transaction Hash: 0xce20448233f5ea6b6d7209cc40b4dc27b65e07728f2cbbfeb29fc0814e275e48
Attacker Contract: 0x256a5d6852fa5b3c55d3b132e3669a0bde42e22c
ExVul@exvulsec·
Fix: The best practice is to always use the canonical bump as the unique identifier for a PDA and enforce canonical bump validation for incoming PDAs. Under the Anchor framework, use the seeds + bump constraint and let Anchor automatically compute the canonical bump using find_program_address. Anchor will store the canonical bump in the account data during initialization and automatically validate it in subsequent instructions. This ensures that when the program verifies a PDA, the seeds and bump exactly match the canonical bump.
ExVul@exvulsec·
Issue: The init_vault() function generates a PDA with an externally supplied bump, only checking for PDA address match but not validating if the bump is canonical.
ExVul@exvulsec·
🚨 Solana Smart Contract Bug Hunt 🚨 In #Solana programs, Program Derived Addresses (PDAs) are generated using a set of seeds and an additional byte called a bump seed. While different bump values can produce valid PDAs (albeit with distinct addresses), programs that accept arbitrary valid bumps without validating against the canonical bump risk exploitation by attackers. Malicious actors may leverage this vulnerability to create "shadow PDAs", leading to logical inconsistencies or unauthorized asset theft.
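The canonical-bump rule from the three PDA posts above, as an added example (not ExVul's code and not Anchor's): a Python re-implementation of Solana's PDA derivation rule that compares an address-only check with one that also requires the canonical bump. The program id, seeds and the function names init_vault_weak / init_vault_strict are constructed for illustration.

```python
import hashlib

P = 2**255 - 19                              # ed25519 field prime
D = -121665 * pow(121666, P - 2, P) % P      # ed25519 curve constant d

# Constructed sample values, not real on-chain addresses.
PROGRAM_ID = bytes(range(32))
SEEDS = [b"vault", bytes(range(32, 64))]

def is_on_curve(b):
    """True if 32 bytes decompress to an ed25519 point (so not usable as a PDA)."""
    y = (int.from_bytes(b, "little") & ((1 << 255) - 1)) % P
    u, v = (y * y - 1) % P, (D * y * y + 1) % P
    x2 = u * pow(v, P - 2, P) % P            # x^2 = (y^2 - 1) / (d*y^2 + 1)
    return x2 == 0 or pow(x2, (P - 1) // 2, P) == 1

def create_program_address(seeds, bump, program_id):
    """Address for seeds + [bump], or None when the hash lands on the curve."""
    h = hashlib.sha256(b"".join(seeds) + bytes([bump]) + program_id
                       + b"ProgramDerivedAddress").digest()
    return None if is_on_curve(h) else h

def find_program_address(seeds, program_id):
    """Try bumps from 255 downward; the first valid one is the canonical bump."""
    for bump in range(255, 0, -1):
        addr = create_program_address(seeds, bump, program_id)
        if addr is not None:
            return addr, bump
    raise ValueError("no valid bump for these seeds")

def valid_bumps(seeds, program_id):
    """Every bump that yields a valid PDA, highest first."""
    return [b for b in range(255, -1, -1)
            if create_program_address(seeds, b, program_id) is not None]

def init_vault_weak(seeds, bump, vault_addr, program_id):
    # Pattern described in the post: only the address match is checked.
    return create_program_address(seeds, bump, program_id) == vault_addr

def init_vault_strict(seeds, bump, vault_addr, program_id):
    # Hardened form: address and bump must both equal the canonical pair.
    return (vault_addr, bump) == find_program_address(seeds, program_id)

if __name__ == "__main__":
    addr, canon = find_program_address(SEEDS, PROGRAM_ID)
    print("canonical bump:", canon, "valid bumps:", len(valid_bumps(SEEDS, PROGRAM_ID)))
```

Roughly half of all bump values produce an off-curve address, so the same seeds map to many valid PDAs; only the strict check pins them to one.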
ExVul@exvulsec·
The start of the Chinese New Year ushers in new opportunities and renewed confidence, inspiring us to move forward with strength and clarity. 🎉 Wishing you a peaceful, steady, and prosperous year ahead. ExVul Security remains committed to strengthening Web3’s security infrastructure, reinforcing long-term resilience and trust across the ecosystem.🛡️
ExVul@exvulsec·
Real value creation isn't possible without a secure foundation. 🛡️ It was a pleasure joining the conversation at #TheSilentRise. As AI empowers the next wave of Web3 apps, we are committed to ensuring that infrastructure is as safe as it is innovative. Great meeting everyone! 🤝 #Consensus2026!
ExVul@exvulsec·
Fix: Modify mul_div() to use rounding up for calculations.
ExVul@exvulsec·
Issue: The vesting function calculates and deducts a 2% fee using the mul_div utility function. Integer division in Move automatically rounds down, so if the passed-in amount is sufficiently small, the fee check will be bypassed.
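The rounding issue and fix from the two posts above, as an added example (a Python model, not the Move code from the challenge, which is only in the post's image): floor and round-up versions of mul_div applied to a 2% fee, over one large vesting amount and over the same total split into small amounts. The vest() helper and the sample amounts are constructed for illustration.

```python
FEE_NUM, FEE_DEN = 2, 100          # the 2% fee from the post

def mul_div(a, b, c):
    """a * b / c with floor rounding, as Move's integer division does."""
    return a * b // c

def mul_div_up(a, b, c):
    """a * b / c rounded up, so any non-zero product costs at least 1."""
    return (a * b + c - 1) // c

def vest(amounts, fee_fn):
    """Model of repeated vesting calls: returns (paid_out, fees_collected)."""
    paid = fees = 0
    for amount in amounts:
        fee = fee_fn(amount, FEE_NUM, FEE_DEN)
        fees += fee
        paid += amount - fee
    return paid, fees

# Constructed inputs: the same 10_000 units, once whole and once in small
# pieces that each stay below the 50-unit threshold where floor(2%) becomes 1.
WHOLE = [10_000]
SPLIT = [49] * 204 + [4]

if __name__ == "__main__":
    for name, fn in (("floor", mul_div), ("round-up", mul_div_up)):
        print(name, "whole:", vest(WHOLE, fn), "split:", vest(SPLIT, fn))
```

With floor rounding the split case collects no fee at all; with round-up rounding, splitting never pays less than the single call.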
ExVul@exvulsec·
🚨 Move Smart Contract Bug Hunt 🚨 In smart contract development, the order of mathematical operations and the method of rounding are crucial. This challenge demonstrates a common vulnerability in a vault protocol written in #Move.