hexens

1.9K posts

hexens banner
hexens

hexens

@hexens

Security for those who cannot afford a mistake.

Katılım Eylül 2021
3 Takip Edilen9.1K Takipçiler
Sabitlenmiş Tweet
hexens
hexens@hexens·
1/ we found a bug in the Aptos Move VM that put up to $70B at systemic risk. type confusion at the execution layer. a ~90% success rate across hundreds of simulated runs on a 30+ validator cluster. cost to build the attack infrastructure: $3,000. Conducted by @kemmio , to our knowledge this is the first public research that showcases how to land a sophisticated multi-block attack in real-world environments. It includes mempool feng shui, block production specifics and about a dozen of other primitives and tricks chained to get to near-perfect exploitation results. Nonetheless, Aptos called it "extremely low exploitability." [hexens.io/research/aptos…]
English
10
46
322
80.2K
hexens
hexens@hexens·
Join us here in 2 hours on Hexens X Live with @kemmio. We'll discuss the Aptos Move VM bug and all the details, discovery, attack chain, and more. Bring your questions.
hexens@hexens

Breaking down the Aptos bug - LIVE Sitting down with @kemmio, CTO of Hexens, to talk through the Aptos Move VM bug that put up to $70B at systemic risk. We'll go through how it was discovered, what the real attack chain looked like, and how something that cost $3K to build hit a ~90% success rate in simulations. Tomorrow, July 14 at 15:00 UTC, live right here. Set a reminder and bring your questions.

English
0
5
10
705
hexens
hexens@hexens·
Breaking down the Aptos bug - LIVE Sitting down with @kemmio, CTO of Hexens, to talk through the Aptos Move VM bug that put up to $70B at systemic risk. We'll go through how it was discovered, what the real attack chain looked like, and how something that cost $3K to build hit a ~90% success rate in simulations. Tomorrow, July 14 at 15:00 UTC, live right here. Set a reminder and bring your questions.
English
0
8
38
3.7K
hexens
hexens@hexens·
Audit Completed: @AlienBaseDEX We're glad to have supported Alien Base with a security review of Alienbase Epsilon, their on-chain order execution engine on Base. Our audit covered the order and matching layer (limit, DCA, trailing-stop and stop-loss orders), the swap routing flow, and oracle-based price validation across Redstone and Uniswap V3 TWAP sources. Wishing the Alien Base team the best as they continue building Full report below:
English
1
6
26
1.9K
hexens
hexens@hexens·
@KerneProtocol joins our Builder Support Program. Excited to kick off this partnership
Kerne@KerneProtocol

We've engaged @hexens for an independent security audit of Kerne's core protocol (kUSD, skUSD, PSM, vault), as part of their Builder Support Program. Fieldwork begins July 13. Hexens' research team recently identified a critical vulnerability in the Aptos Move VM that put up to $70B at systemic risk, the kind of depth and rigor we wanted behind this audit. The code stays unaudited until the report is public. kerne.fi/security/audits

English
0
1
8
528
hexens retweetledi
kemmio
kemmio@kemmio·
as some may have noticed - i didn’t reveal this hash after recent aptos case. theres a bigger disclosure to come, and sadly its *many* times worse (from the technical standpoint though, i personally like it more than aptos one). this is whats made me rethink both mine and Hexens’ exposure to web3.
kemmio@kemmio

dfc82c649a0808e5083eb38871fdfcdfb28600a43880dbc21ee3625cf20a5b2f

English
6
8
112
21.4K
hexens retweetledi
Charles Guillemet
A single missing line broke type safety on Aptos. The story matters more than the bug. 1. To go fast, the Aptos VM refers to each data type by a number instead of its full name, and caches which number maps to which storage slot. When it clears memory, one cleanup path resets the numbers but forgets to clear that cache. So an attacker can publish a struct that inherits a number still pointing at someone else's data. Same number, different type. The attacker writes to their own struct and actually overwrites the victim's vault. Because Aptos stores raw bytes with no type label, nothing notices. The code is valid, the audit passes, and the state gets hijacked from underneath. This is type safety broken below the verifier, at the base layer, where no individual protocol can defend itself. 2. Cost Not much. Around 840 cheap accounts, a few thousand pre-signed transactions, and precise timing around an epoch change. Setup is a few hundred APT of gas. The prize is mint authorities and cross-chain bridge capabilities. Billions in reach for pocket change. An attacker here would not be limited by cost, only by choice. 3. The cost of finding bugs is trending to zero This came with full VM traces, two working PoCs, and a calibrated multi-validator exploit. That kind of depth used to take a rare specialist months. With AI it is fast and cheap, and getting cheaper. The uncomfortable part: if the good guys can now enumerate every code path and produce a working exploit for near nothing, so can Lazarus. Assume both sides already do. 4. This time the good guys won the race The disclosure was clean. A SEAL911 war room, direct vendor notice, downstream projects warned with runnable PoCs, and a validator patch shipped before the public PR. A flaw no single protocol could have caught was closed anyway, because researchers found it before an attacker cashed in. That is the system working as intended. But winning a race is not the same as removing the risk. One forgotten flush() put type confusion into a live chain. The only real exit is the same as always: guarantees you can check, not caches you have to trust. In that world this whole class of bug becomes cryptographically impossible rather than caught just in time...
hexens@hexens

1/ we found a bug in the Aptos Move VM that put up to $70B at systemic risk. type confusion at the execution layer. a ~90% success rate across hundreds of simulated runs on a 30+ validator cluster. cost to build the attack infrastructure: $3,000. Conducted by @kemmio , to our knowledge this is the first public research that showcases how to land a sophisticated multi-block attack in real-world environments. It includes mempool feng shui, block production specifics and about a dozen of other primitives and tricks chained to get to near-perfect exploitation results. Nonetheless, Aptos called it "extremely low exploitability." [hexens.io/research/aptos…]

English
6
49
39
7.1K
hexens
hexens@hexens·
1/ we found a bug in the Aptos Move VM that put up to $70B at systemic risk. type confusion at the execution layer. a ~90% success rate across hundreds of simulated runs on a 30+ validator cluster. cost to build the attack infrastructure: $3,000. Conducted by @kemmio , to our knowledge this is the first public research that showcases how to land a sophisticated multi-block attack in real-world environments. It includes mempool feng shui, block production specifics and about a dozen of other primitives and tricks chained to get to near-perfect exploitation results. Nonetheless, Aptos called it "extremely low exploitability." [hexens.io/research/aptos…]
English
10
46
322
80.2K