G2

443 posts


@maymax777

#Crypto Investor | #NFT Builder | #FullStack Engineer |#P2E Maker | #Idea Creator | #Security Researcher

thirdverse Joined May 2020
1.1K Following 82 Followers
G2 reposted
Weilin (William) Li @hklst4r
A detailed analysis of the @GMX_IO attack.

(1) The "refund" logic makes a malicious -> The attacker jail-breaks the restrictions to perform multiple actions in 1 transaction.

As my previous tweet analyzed, the attacker fooled the frontend (the keeper bot) to hijack the control flow. When a normal user positions an order, the system works as:
- tx1: user (EOA) sends ETH (gas) to keeper;
- tx2: keeper (off-chain bot) calls `decreasePosition` and refunds the EOA.

However, in this attack case:
- tx1: user (malicious contract) sends ETH (gas) to keeper;
- tx2: keeper calls `decreasePosition` and refunds the malicious contract.
--> This makes the control flow hijacked by the malicious contract in the middle of an execution.

Side note: Any user can import a smart contract address into Rabby wallet to fool the frontend into treating a contract address as a normal user.

(2) Manipulation of GLP's price

The second part of the attack is simple. There are mainly 3 actions:
- A. mint GLP.
- B. open short position.
- C. withdraw GLP.

The AUM calculation (P1) also checks the total short position in the markets. Although the total short size is updated in step B (P2), the average short price was not updated. This fools the system into thinking the short position was opened at the previous average price (a much lower one, P3), and thus the AUM is considered larger. It's like the attacker was able to open a "virtual" short position at a much lower price to make GLP think it earned a lot (but in fact didn't). This makes a difference in the price of GLP between minting and withdrawing. The attacker withdrew multiple times to multiple assets to drain the entire GLP pool.
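The accounting invariant behind part (2) of the thread above, as an added illustration that is not GMX's code: a simplified AUM model in which the pool is credited with shorts' unrealized loss, showing how leaving the global average short price stale when the total short size grows inflates AUM, while a PnL-preserving average update keeps AUM flat. The PnL formula and the average-price update are assumptions of this model, not the protocol's implementation.

```python
# Simplified GLP-style AUM model (added example; assumptions, not GMX code).
# AUM = pool_value + pool's unrealized PnL from all shorts, where
#   pool_short_pnl = size * (mark - avg) / avg   (USD; positive = traders losing)
# Invariant a reviewer checks: opening a short at the current mark price must not
# move AUM at all, because the new position has zero PnL at the moment it opens.

def pool_short_pnl(size, avg, mark):
    """Unrealized PnL (USD) owed to the pool by the aggregate short position."""
    if size == 0:
        return 0.0
    return size * (mark - avg) / avg

def aum(pool_value, size, avg, mark):
    return pool_value + pool_short_pnl(size, avg, mark)

def increase_short_buggy(size, avg, delta, mark):
    """Behaviour the thread describes: total size grows, average price is left stale."""
    return size + delta, avg

def increase_short_fixed(size, avg, delta, mark):
    """PnL-preserving update: pick new_avg so that aggregate PnL is unchanged, i.e.
    (size + delta) * (mark - new_avg) / new_avg == pool_short_pnl(size, avg, mark)."""
    pnl = pool_short_pnl(size, avg, mark)
    new_size = size + delta
    if new_size == 0:
        return 0.0, 0.0
    new_avg = new_size * mark / (new_size + pnl)
    return new_size, new_avg

def aum_drift(pool_value, size, avg, delta, mark, update):
    """AUM after opening `delta` USD of shorts at `mark`, minus AUM before."""
    before = aum(pool_value, size, avg, mark)
    new_size, new_avg = update(size, avg, delta, mark)
    return aum(pool_value, new_size, new_avg, mark) - before

# Constructed numbers: pool worth $1M, existing shorts of $100k opened at avg $2,000,
# the asset now marks $2,500, and a new $900k short is opened at that mark.
POOL, SIZE, AVG, MARK, DELTA = 1_000_000.0, 100_000.0, 2_000.0, 2_500.0, 900_000.0

if __name__ == "__main__":
    print("stale-average AUM jump:", aum_drift(POOL, SIZE, AVG, DELTA, MARK, increase_short_buggy))
    print("pnl-preserving AUM jump:", aum_drift(POOL, SIZE, AVG, DELTA, MARK, increase_short_fixed))
```

With the stale average the pool appears to gain $225k the instant the short is opened, which is the minting-versus-withdrawal price gap the thread describes.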
G2 reposted
Solidity @solidity_lang
We're thrilled to be celebrating 10 years of Solidity! Let's look at some highlights from the past decade and get a glimpse into the future. 🧵↓
G2 reposted
Daniel Von Fange @danielvf
1/ I found an AMM bug in screenshot in my X feed. ZAMM is a hyper gas-optimized AMM. A malicious user can create a new AMM/Coin pair multiple times, allowing them to stash away hidden LP tokens to later rug the pool. Here’s how the bug works:
G2 reposted
Solidity @solidity_lang
Solidity v0.8.30 just landed! This latest version is a maintenance release in light of the Pectra Ethereum network upgrade and changes the default EVM version from cancun to prague. 📝 Blog: soliditylang.org/blog/2025/05/0… 💾 GitHub: github.com/ethereum/solid… Some important things to know in the thread 🧵↓
G2 reposted
Cyfrin CodeHawks @CodeHawks
🚨 There’s a vulnerability hidden in this code 🚨 Can you find it and secure the protocol? CodeHawks First Flight #39 starts now. With special thanks to yeahChibyke for contributing to this repo. 👇
G2 reposted
Weilin (William) Li @hklst4r
The root cause of the @ImpermaxFinance attack is the mispricing of Uniswap V3 NFTs. The way it prices its NFT is using fair-pricing (which is robust against flashloan attacks!), but the fees' value is directly calculated:

price = (amount0_after_fair_pricing + fee0) * price0 + (amount1_after_fair_pricing + fee1) * price1

However, when the fees are much larger than the position itself, things start to fall apart. Here's what the attacker did:
1. Flashloan a large amount of USDC and WETH.
2. Mint a position (and deposit it into IMX) on a small USDC-WETH Uniswap V3 pool with 200 fee tier, and push the tick to an extreme where ETH/USDC is very expensive.
3. Perform numerous swaps to accumulate fees.
4. Borrow WETH from the pool against the Uniswap V3 position NFT.
5. Call "reinvest" to collect all the fees; the contract will collect fees and then mint at the original NFT's tick (it's a wrong tick!). This step sharply reduces the value of the fees because of fair-pricing.
6. Call restructBadDebt to self-liquidate.
7. After that, it's simple: withdraw and profit.

The key part of the attack is actually (5). Before the reinvest, the fees' value is calculated separately, but after reinvest, the fees are minted as positions at a wrong tick, making the value decrease sharply.

Ironically, 5 years ago, they claimed that they're not vulnerable to flashloan attacks (p2) because of fair pricing... but today, they paid their cost.
G2 reposted
Cyfrin CodeHawks @CodeHawks
A vulnerability is hidden in this code. Rock. Paper. Scissors. Exploit? Spot the vulnerability and secure the protocol! Special thanks to @m3dython for contributing this repo. 👇
G2 reposted
Remedy @xyz_remedy
uWu Protocol was exploited for $19 million. They used Curve's spot price `get_p` function to calculate token prices. Here’s how one Glider query could’ve caught the entire thing:
G2 reposted
Kose @0xKose
After 9 wonderful months with Guardian Audits, I decided to pivot into Solana security 3 months ago and spent 2 months preparing without competing. Here comes the result of my first Solana competition: Third win, with 100% coverage in each, at @sherlockdefi Can't wait for the leaderboard update 💪 Very solid codebase btw, but unfortunately, I can't disclose the sponsor.
G2 reposted
JohnnyTime 🤓🔥 @RealJohnnyTime
What a great night at the Web 3 Developers Underground Meetup @Web3_Devs 🚀 Had the honour to be a speaker at the event, talk about Web3 security and connect with some great professionals in the industry in person🤝Definitely excited to speak at more meetups to come🎙️
G2 reposted
Ali Ansari @aliansarinik
3:55am wake up 3:56am hire a developer
G2 reposted
BlockSec Phalcon @Phalcon_xyz
🚨 ALERT! Our system has detected a suspicious transaction on @SonicLabs, resulting in a loss of ~$45K. While the relevant unknown contracts are not open source, the issue appears to be an accounting flaw that allows repaying 0 to withdraw collateral and profit. The 'hacker' is also requesting a bug bounty—possibly a proactive whitehat? app.blocksec.com/explorer/tx/so… #Phalcon #Sonic
G2 reposted
Cyfrin CodeHawks @CodeHawks
🚨 Eagles and Hawks! The original message was published with an incorrect start date. Actual start date: 3 April, 12pm UTC. Thank you for your understanding. Total prize pool: $80k USDC Eagles pool: $6k to lead Eagle, $6k for all Eagles Code: @CairoLang ➡️ Requires KYC 👇
G2 reposted
DH @dxvid
.@zachxbt just published a list of tools he uses for sleuthing. Bookmark it.
G2 reposted
Weilin (William) Li @hklst4r
An initial analysis of the @MIM_Spell attack 👇

The CauldronV4 contract allows a user to perform multiple actions while the solvency check is at the end of all actions. (P1)

The user made 7 actions (P2), where:
- 5 = borrow MIM
- 30 = call attack contract
- 31 = liquidation
G2 reposted
Cantina 🪐 @cantinasecurity
Announcing: $250,000 @OPLabsPBC Competition 🪐 We're working with @Optimism and @OPLabsPBC to secure their next scalability improvement: Superchain interop. 💰 $225,000 USDC + $25,000 private pot for Fellowship Stewards 📅 Live now - April 7 🔗 Below