ret2basic.eth
@ret2basic
2.6K posts
@taichiaudit Founder | Web3 Security Researcher @yAuditDAO @zenith256 @plainshift @getfailsafe | Core Member @DeFiHackLabs
GMT+8 Joined January 2018
3.9K Following 2.2K Followers

Pinned Tweet
ret2basic.eth @ret2basic
Holiday season is here, and we @taichiaudit are starting a DeFi source code walkthrough campaign: one article every 1–2 days, from now until the end of January 2026. If you're a dev or security researcher leveling up in the bear market, this is for you.
ret2basic.eth @ret2basic
@ACai_sec If you zk it, how will the platforms and project teams squeeze you? Young comrade, you're still too naive 😈😈
ACai @ACai_sec
@ret2basic I think this field is the one that most needs zk 😡 I can prove there is a vulnerability; you say how much bounty you're willing to offer, and once it lands I decrypt the vulnerability report.
ACai @ACai_sec
Doing security and submitting vulnerabilities to project teams is really like begging. Ever since I sent the vulnerability report to the project team, they became a different person and stopped replying to my messages. They forwarded the report to the engineering team right away, the live vulnerability was patched within a few hours, but the messages I sent after the report went unanswered for two days... I really ask for it 😩 doing this stupid stuff all day
ret2basic.eth @ret2basic
@Fav_Truffle Convert all the code to the most compact form (single line) to avoid the nsloc quoting cost and convert back to normal in fixes
Fav_Truffle @Fav_Truffle
What keeps surprising you in 2026, security researchers? On the business side, I keep getting surprised by how many teams value audit reports more than the actual findings lol.
Martin Marchev @MartinMarchev
Unpopular opinion: the biggest risk AI poses to security researchers is not replacing them. It's making them comfortable.
sahuang @sahuang97
Done touring Chongqing, heading to Chengdu to stay for a month or two
ret2basic.eth @ret2basic
@ACai_sec Miss you, come back soon and submit reports so they get marked dup again and we get them for free
ACai @ACai_sec
We've split up, so please don't contact me anymore, okay? What do you mean by saying you miss me now? What about the cold shoulder you gave me back then, did you forget it so quickly…
nisedo @nisedo_
I set up a google alert for “nisedo”. No idea what’s going on but apparently I’m making it big in Asia.
ret2basic.eth retweeted
FailSafe @getfailsafe
"FailSafe's agentic security system helped us catch an important issue and provided us with a great threat model which we can utilize for further development." @megabyte0x, Co-Founder @bitmor_btc Thank you to the Bitmor team and @base for the incredible commitment to security. getfailsafe.com/bitmor-agentic…
ret2basic.eth @ret2basic
Because of that, localResults.maxCloseableBorrowAmount_TargetUnderwaterAsset can be positive even when the account is healthy. So the attacker does not need to wait for genuine insolvency. They can supply an asset, borrow that same market, then call liquidateBorrow() on themselves with the same asset as both debt and collateral and harvest bogus internal collateral credit.
ret2basic.eth @ret2basic
There is a second bug that makes this path reachable much more easily: the insolvency gate is broken. The comments say liquidation should depend on the borrower’s shortfall (the underwater amount), but calculateDiscountedRepayToEvenAmount() reads the target account’s shortfall and then never uses it. You can ctrl+f for accountShortfall_TargetUser and see it is not used anywhere in the contract. Instead, the close cap (the maximum amount of the borrower’s debt that this liquidation is allowed to repay in one call) is effectively derived from close factor and borrow balance.
ret2basic.eth @ret2basic
On March 10th, 2026, AlkemiNetwork was hacked because liquidateBorrow() allows a user to liquidate their own position specifying the same asset as both debt and collateral via user input. In Alkemi's liquidation design, seized collateral is reassigned by internal accounting rather than transferred out as ERC-20 tokens directly. That means self-liquidation can alias the borrower's collateral accounting and the liquidator's collateral accounting to the same storage slot, so the protocol repays debt while crediting extra internal collateral instead of performing a neutral self-transfer in the book. A second bug makes that path reachable even for healthy accounts: calculateDiscountedRepayToEvenAmount() reads the borrower's shortfall but never uses it, so liquidation can proceed without real insolvency. Attack tx: app.blocksec.com/phalcon/explor… Vulnerable code: vscode.blockscan.com/ethereum/0x85a…
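A minimal ledger model of the aliasing this thread describes, added here as an illustration and not code from Alkemi or the author: when borrower and liquidator are the same account, a compute-both-then-write-both update lets the liquidator's credit overwrite the borrower's debit, so the book ends up with more collateral than it started with. The hardened version applies the borrower != liquidator and shortfall gates, and the conservation check is the invariant a monitor or fuzzer would assert. All names and balances are hypothetical.

```python
# Hypothetical accounting model of the self-liquidation aliasing described above.
# Not Alkemi code; account names, assets and balances are constructed.
from dataclasses import dataclass, field


@dataclass
class Book:
    """Internal ledger keyed by (account, asset); collateral is never sent out as ERC-20."""
    collateral: dict = field(default_factory=dict)
    borrow: dict = field(default_factory=dict)

    def total_collateral(self, asset):
        return sum(v for (_, a), v in self.collateral.items() if a == asset)


def liquidate_buggy(book, borrower, liquidator, debt_asset, coll_asset, repay, seize):
    """'Before' pattern: read both collateral balances into locals, then write both back.
    With borrower == liquidator the two keys alias the same slot, so the second
    write (liquidator credit) silently overwrites the first (borrower debit)."""
    book.borrow[(borrower, debt_asset)] -= repay
    new_borrower_coll = book.collateral[(borrower, coll_asset)] - seize
    new_liquidator_coll = book.collateral.get((liquidator, coll_asset), 0) + seize
    book.collateral[(borrower, coll_asset)] = new_borrower_coll
    book.collateral[(liquidator, coll_asset)] = new_liquidator_coll  # last write wins


def liquidate_fixed(book, borrower, liquidator, debt_asset, coll_asset, repay, seize, shortfall):
    """Hardened: no self-liquidation, gate on real shortfall, debit then credit live storage."""
    if liquidator == borrower:
        raise ValueError("self-liquidation not allowed")
    if shortfall <= 0:
        raise ValueError("account is not underwater")
    if seize > book.collateral[(borrower, coll_asset)]:
        raise ValueError("seize exceeds borrower collateral")
    book.borrow[(borrower, debt_asset)] -= repay
    book.collateral[(borrower, coll_asset)] -= seize
    book.collateral[(liquidator, coll_asset)] = book.collateral.get((liquidator, coll_asset), 0) + seize


def conserved(book, asset, before):
    """Invariant: an internal liquidation only moves collateral between accounts."""
    return book.total_collateral(asset) == before


def demo_buggy():
    """Self-liquidation on the buggy book: returns (total before, total after)."""
    book = Book(collateral={("alice", "USDC"): 100}, borrow={("alice", "USDC"): 50})
    before = book.total_collateral("USDC")
    liquidate_buggy(book, "alice", "alice", "USDC", "USDC", repay=10, seize=11)
    return before, book.total_collateral("USDC")


def self_liquidation_rejected():
    """True if the hardened path refuses the same call that the buggy path accepted."""
    book = Book(collateral={("alice", "USDC"): 100}, borrow={("alice", "USDC"): 50})
    try:
        liquidate_fixed(book, "alice", "alice", "USDC", "USDC", 10, 11, shortfall=5)
    except ValueError:
        return True
    return False
```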