LX Labs|链析安全

649 posts

@lianxi_tech

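Focused on Web3 security and on-chain risk analysis, providing address risk identification, fund flow tracing, smart contract audits, security consulting and incident response. The BlockX address risk analysis tool is in closed beta: https://t.co/oDoLgI8qfa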

Joined August 2024
131 Following, 944 Followers
LX Labs|链析安全@lianxi_tech·
@Scallop_io Appreciate the quick response and commitment to cover all losses. Transparency and a clear post-mortem will matter a lot here.
Scallop@Scallop_io·
🚨 SECURITY INCIDENT NOTICE We have identified an exploit affecting a side contract related to Scallop’s sSUI spool rewards pool, resulting in a loss of approximately 150K SUI. The affected contract has been frozen. Our core contracts remain safe and only the sSUI rewards pool was impacted. All other pools are safe. Scallop will fully cover 100% of the loss. We are actively investigating and will share further updates soon. Thank you for your patience and continued support. 🐚
shafu@shafu0x·
crazy how bad crypto's reputation is
LX Labs|链析安全@lianxi_tech·
@CoinMarketCap Any "official representative" who messages you directly to ask for a money transfer or wallet authorization should be treated as a scam. The first step toward true security is to never trust direct messages.
CoinMarketCap@CoinMarketCap·
🚨 Be aware of scammers! 🔹 CoinMarketCap will NEVER DM you first. If you receive a message claiming to be from CMC & asking for funds, it's a scam! Always verify before sending out your funds! Stay #SAFU
LX Labs|链析安全@lianxi_tech·
@Cointelegraph This wasn’t just a rewards pool issue. Once reward accounting can be turned into redeemable value, it becomes part of the protocol’s real asset surface.
Cointelegraph@Cointelegraph·
🚨 TODAY: SUI-native DeFi lending platform Scallop suffered an exploit on its sSUI rewards pool, losing approximately 150K SUI. The protocol has since resumed operations and pledged to cover 100% of the loss.
LX Labs|链析安全@lianxi_tech·
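🚨🚨 Security alert: On April 25, @purrlend suffered a security incident on MegaETH and #HyperEVM; public information puts total losses at about $1.5 million. On-chain activity shows the attacker had already obtained critical privileges before acting. The problem is most likely not just that some function was exploited, but that permission management had already failed further upstream. For DeFi protocols, once permissions are compromised, normal entry points become attack entry points.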
LX Labs|链析安全@lianxi_tech·
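Security cannot focus only on core logic such as lending, trading and permissions; every path that affects the settlement of points, shares or rewards should be audited to the same standard as a fund path. As long as they can ultimately be exchanged for real money, they are themselves part of asset security.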
LX Labs|链析安全@lianxi_tech·
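The most troublesome thing about this type of issue is that it is not as conspicuous as directly transferring assets away. It is more like first writing into the system a piece of state that should never have been valid, and then exchanging that anomalous state for real rewards. On the surface the reward pool had a problem; underneath, state ownership and type constraints failed. What the attacker targets is not just the fund pool, but also how the protocol keeps its books, computes entitlements and distributes rewards.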
LX Labs|链析安全@lianxi_tech·
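🚨🚨 Security alert: On April 26, @Scallop_io suffered a security incident on Sui related to the sSUI rewards pool, causing a loss of about 150K SUI. The attack method and root cause are as follows: Attacker address: 0x27bc7a3c4f406cfa91551c32490ad7f5029414578c0649ab4ddbd232e76ef44e Attack transaction hash: suivision.xyz/txblock/6WNDjC…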
LX Labs|链析安全@lianxi_tech·
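Based on currently public information, the problem lies in the update_points path. Before updating points, it did not first confirm that the SpoolAccount really corresponds to the current spool, nor did it check whether the stake type matched. As a result, an account that belongs to one pool could be used to accrue points under another pool's parameters, leaving room for the abnormal redemption that followed.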
LX Labs|链析安全@lianxi_tech·
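What happened to Litecoin this time is not as simple as the network being hit by a DoS. The bigger problem is that some non-updated nodes accepted an invalid MWEB transaction, letting assets briefly flow to third-party DEXs. Although these transactions were later rolled back through a 13-block reorg, it is a reminder that during abnormal periods on-chain, a "confirmed" status seen in the short term is not necessarily the final valid result. At times like this, platforms and users alike need to pay more attention to risk control.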
Litecoin@litecoin

Litecoin update: • A zero-day bug caused a DoS attack that disrupted major mining pools. • Non-updated mining nodes allowed an invalid MWEB transaction allowing them to peg out coins to third party DEX’s • A 13-block reorg reversed those invalid transactions — they will not be included in the main chain • All valid transactions during that period remain unaffected • The bug is now fully patched, and the network continues to operate normally

LX Labs|链析安全@lianxi_tech·
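What really deserves attention is not just how much USDe's market cap has fallen back, but how a single collateral shock keeps spreading along AAVE's leverage loops, crowded positioning and cross-protocol exposure. This shows that in DeFi, once a security problem enters the collateral system, the consequences often escalate quickly from a technical incident to a liquidity event.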
Duo Nine ⚡ YCC@duonine

Ethena's USDe market cap dropped by over 1.5 billion since the AAVE liquidity crisis started on April 19th. When will this stop? Crazy to think rsETH impacted so many markets, mostly due to AAVE's leverage loops that got trapped.

LX Labs|链析安全@lianxi_tech·
@whale_alert The amount is substantial, but assessing the risk requires examining the source, destination, and subsequent actions.
LX Labs|链析安全@lianxi_tech·
@rhea_finance For users, the most important thing is not restoring normal operations, but rather ensuring the quality of the recovery and establishing secure boundaries after the restart.
LX Labs|链析安全@lianxi_tech·
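Being able to put out the fire together is of course important. But for DeFi to get better, it still has to reduce the hidden risks first.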
動區動趨 BlockTempo@BlockTempo

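Is the Aave crisis being kept alive by Golem? Fortunately there are DeFi projects willing to help with donations, but in essence they are also saving themselves...🫥 Veteran Ethereum project @GolemFoundation announced that, together with Golem Factory, it will allocate 1,000 $ETH (worth about $1.8 million) from its treasury to support the DeFi disaster effort Aave launched over the rsETH incident, with the aim of restoring rsETH's asset backing so that affected users can exit in an orderly way. 👉 DeFi United has so far raised more than 13,500 ETH, and Golem's 1,000 ETH is the latest public commitment. But the worst problem in the whole incident is that "mutual aid" in the DeFi ecosystem is quite fragile; it in effect uses each protocol's own treasury as a firewall. Once a popular LST or LRT loses its peg and collateral value collapses, lending protocols have to face bad debt; if the bad debt is not dealt with, it triggers runs and a cliff-like drop in TVL. Over the past few days more than $8.45 billion has flowed out of Aave, and $13.2 billion of total value locked has evaporated across DeFi. DeFi's current design depends heavily on cross-protocol collateral loops. To truly mature, perhaps the question to think about is not who rescues whom, but how to reduce the possibility of this kind of chain risk at the source, with things like strict collateral isolation... rather than relying on ad hoc donations to stop the bleeding every time.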

DeFi Andree@DeFi_Andree·
DeFi United is an emergency coordination effort led by @aave and its service providers after the April 18 @KelpDAO x @LayerZero_Core bridge exploit. It aims to protect users, reduce bad debt, and restore confidence in DeFi by coordinating donations and loan facilities from across the ecosystem. So far, the initiative has secured 43,500+ ETH in commitments, covering around 63% of the estimated 68,900 ETH shortfall. In times of crisis, DeFi shows its real strength through coordination, unity, and collective protection. That’s exactly why DeFi will win.
Stani@StaniKulechov

Aave is my life's work and we're working nonstop to find the best possible outcome for users. I’m personally contributing 5000 ETH to DeFi United as we continue working together with partners on formalizing more commitments. I’m working to see this resolved and market conditions normalized as soon as possible. DeFi United.

LX Labs|链析安全@lianxi_tech·
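Security incident review | Giddy Finance disclosed that about $1.25M in assets was stolen from a BTC-related yield vault. Public information indicates the incident is related to abuse of keeper privileges and insufficient constraints on compound() execution parameters. The key issue is not just key compromise, but that a critical execution path validated authority without fully constraining intent. Tx: etherscan.io/tx/0x5edb66a4c…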
LX Labs|链析安全@lianxi_tech·
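⚠️ Bitwarden officially disclosed that a malicious package briefly appeared in the npm distribution channel for @bitwarden/cli@2026.4.0. The affected scope is limited to users who installed that version via npm between 17:57 and 19:30 US Eastern Time on April 22. Affected users should immediately uninstall that version, clear caches, rotate credentials and upgrade to 2026.4.1. community.bitwarden.com/t/bitwarden-st…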
LX Labs|链析安全@lianxi_tech·
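Rescue progress on the KelpDAO-related incident, compiled from information that has circulated publicly so far: Lido 2500 ETH; EtherFi 5000 ETH; Stani / Aave Labs 5000 ETH; Golem Foundation 1000 ETH; Mantle providing a 30000 ETH loan; Arbitrum froze about 71M; rsETH recovered about 35M. The shortfall is about 112,204 rsETH, roughly $258 million at current conversion, with a remaining shortfall of around $50 million.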
LX Labs|链析安全@lianxi_tech·
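When a truly major incident happens, what ultimately protects users is often not just code, but also governance, coordination and credible emergency response capacity. This does not mean DeFi has failed; it shows that real security should always have included a project's ability to recover.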
Kelp@KelpDAO

Community Update The past few days have been relentless. With the support of our partners, allies and community, discussions are moving in the right direction. We want to address our community directly. We are actively progressing towards a suitable resolution. Kelp was built on the core principle that users will always come first. This has been evident in our initial actions and will continue to be reflected in the updates to come, which we aim to deliver in a way that benefits everyone. Over the past four days, our team, alongside partners and allies, has been operating around the clock and engaging closely with all involved parties. We have made meaningful progress across several paths forward in collaboration with key ecosystem partners. This progress is reflected in concrete actions, including measures taken by the @arbitrum Security Council to freeze stolen funds and the swift involvement of @_SEAL_Org's SEAL 911 force in the initial investigation, providing all parties with clear and impartial insight into what occurred. While not all of this is visible publicly, the work continues steadily and with substance. At present, all our attention and efforts are directed towards safeguarding our users and strengthening the protocol. Moments like this are defining not only for us but for the broader ecosystem. We believe it is our responsibility to pursue the most appropriate outcome for our users. We are grateful for the support and collaboration we have received from partners and the wider community. We will continue to share concrete updates through our official channels as they become available. - Team Kelp
