Phạm Tiến Minh Đức
500 posts
🧵 Summary:
Owner = 0x0 enabled signature bypass
Invalid signatures (r=0, s=0) bypassed ecrecover
Attacker registered fake chains
Unlimited token minting occurred
Users lost millions
Thread ends here. Stay safe! 🛡️
English
🚨 We analyzed a CRITICAL vulnerability in $PORT3
A perfect storm of 3 bugs allowed attackers to:
✓ Bypass authorization with EMPTY signatures
✓ Register fake chains
✓ Mint UNLIMITED tokens
✓ Drain bridge liquidity
The root cause? Owner = 0x0
What happened 🧵
English
With fake chain registered:
tokenContracts[23] = 0x4644bbcfd26... // Attacker's contract
Now attacker can:
Forge Wormhole message from "chain 23"
Set emitter = their contract
Set amount = UNLIMITED
Call bridgeIn()
Contract mints tokens ✓
FUNDS DRAINED
English
The Attack Transaction
Here's the actual exploit transaction: bscscan.com/tx/0xe3391f444…
Attacker calls with:
Valid custodian (themselves)
Valid timestamp
INVALID signature (all zeros)
Transaction succeeds 🔥
English
Critical bug: Signature verification doesn't check for zero address
Here's the trap:
Invalid signatures return 0x0 from ecrecover
If authority = 0x0
Then: 0x0 == 0x0 → TRUE ✗
Authorization BYPASSED with invalid signature
English
When a non-owner wants to call sensitive functions, they must provide:
✓ Valid custodian address
✓ Non-expired timestamp
✓ VALID SIGNATURE
English
CATERC20 is a cross-chain token bridge using:
Wormhole for cross-chain messaging
Signature verification for governance
registerChains() to whitelist token bridges
Problem: The authorization mechanism had a critical flaw.
English
Phạm Tiến Minh Đức retweetledi
let’s do a quickie😈
💎 Lifetime Access to @Bheem_Lounge (worth $2,500)
Will pick anyone from likes/retweets or comment section randomly
Ends in 60 minutes, goodluck😼
English
Phạm Tiến Minh Đức retweetledi
$Btc Perfectly Reclaim & Retest 110.5k Level 🎯 Already Shared 🫰
That's How We Play Perfect Setup With Patience 👽
Now Flip 112k We Can Play Swing Till Ath.
Trader Arpit@ArpitTrader
$Btc Break Down The Crucial Level ‼️ No Longs For Now Till We Reclaim 110.5k Level Clearly 🎯
English
Phạm Tiến Minh Đức retweetledi
bheem is happy so $1,000 USDT giveaway😗
To top it off, Lifetime Access to @Bheem_Lounge vip (worth $2,000)
discord.gg/wAdxTBYbBS
Just like this tweet & join above, winner in 24h- glhf🤝
English
Phạm Tiến Minh Đức retweetledi
$BTC update:
>Must remain above 63.3k
>Key level 66.1k
Change in MS depending on reaction at 66.1k📌 rejection and PA similar to left shoulder or immediate reclaim depending on news day.
Right shoulder valid once 1D close below 63.3k otherwise opt for upside (my long open)
Ahmed@CryptoBheem
$BTC update: 66,128 is the pivot now. As long as above it, 70k next. Upon loss on H4, retest of 64.3k.
English
Phạm Tiến Minh Đức retweetledi
Do you want to make consistent profits each month?
Participate to win a lifetime subscription to @Bheem_Lounge worth $1500.
Still not enough? Win an additional $1000 in USDT by becoming a ByBit user: forms.gle/Ur4Jd6GcEBoZTv…
❤️ & ♻️ to enter !!
English
Phạm Tiến Minh Đức retweetledi
English