Shogoki

1.1K posts

@theshogoki

Web3 Security Researcher | Crypto & DeFi Enthusiast | World Traveller 🌎 Making Web3 a safer place @sherlockdefi

Web3 Joined January 2019
728 Following 351 Followers
Pinned Tweet
Shogoki @theshogoki
The recent @Bybit_Official hack hits hard - Lazarus stole $1.5B in ETH from their cold wallet.

First of all, big props to Bybit and Ben Zhou for jumping on the hack fast - livestreaming answers and keeping it real shows how serious they're taking this.

Ben Zhou said signers saw a masked transaction in the UI, showing the right URL (Safe). Details are a bit murky, but it seems clear this was a more sophisticated attack on Bybit's signers. I won't fuel speculation any more than what is already going on, yet.

What's saddest? Even with sophistication, it boils down to a lack in OpSec - a topic close to my heart. Multiple folks basically "blind-signing" on wallets with massive funds? That's bad!

With a multi-year background in (Web2) security-related positions in enterprise-scale orgs before diving into Web3, it's still kinda staggering to see how much work we've got left to do on OpSec in this industry.

I saw a lot of people gripe about low CEX bug bounties - fair, they should rise - but that's not the fix here. A bigger payout wouldn't have stopped this; better OpSec could've.

Some key points?
- Why aren't cold-wallet signers on dedicated devices? (Cheap ones work!)
- Why blind-sign without a sync-up?
- Every signer should be capable of decoding transactions and spot red flags - like that delegate-call they approved. It is easy to implement a training for them, if they need it.

This incident shows us once more that we still have a lot of work to do in Web3 Security. Not only in securing code, but also in educating people to up our operational security game.
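What "decoding the transaction" can look like for a Safe signer, as an added example that is not part of the original post: it reads the `to`, `value` and `operation` fields out of raw `execTransaction` calldata and flags a delegate-call or an unfamiliar target. The function names, the allowlist and the sample calldata are assumptions constructed for illustration.

```python
# Added example: decode Safe execTransaction calldata and flag what a signer
# should question. Sample inputs are constructed, not taken from any incident.
# Selector of execTransaction(address,uint256,bytes,uint8,uint256,uint256,
# uint256,address,address,bytes) on the Safe contract.
EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")
OPERATIONS = {0: "CALL", 1: "DELEGATECALL"}  # Safe's Enum.Operation


def _uint(body: bytes, offset: int) -> int:
    """Read one 32-byte big-endian ABI word starting at offset."""
    word = body[offset:offset + 32]
    if len(word) != 32:
        raise ValueError("calldata truncated")
    return int.from_bytes(word, "big")


def decode_exec_transaction(calldata_hex: str) -> dict:
    """Return the fields a signer should read before approving."""
    text = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    raw = bytes.fromhex(text)
    if raw[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not a Safe execTransaction call")
    body = raw[4:]
    data_offset = _uint(body, 64)        # head word 2 points at `data`
    data_len = _uint(body, data_offset)
    inner = body[data_offset + 32:data_offset + 32 + data_len]
    if len(inner) != data_len:
        raise ValueError("inner data truncated")
    op = _uint(body, 96)                 # head word 3: operation
    return {
        "to": "0x" + body[12:32].hex(),  # head word 0, low 20 bytes, lowercase
        "value_wei": _uint(body, 32),    # head word 1
        "operation": OPERATIONS.get(op, "UNKNOWN(%d)" % op),
        "inner_selector": "0x" + inner[:4].hex() if inner else None,
    }


def red_flags(tx: dict, known_targets: set) -> list:
    """known_targets is a hypothetical allowlist of lowercase addresses."""
    flags = []
    if tx["operation"] == "DELEGATECALL":
        flags.append("delegatecall: target code would run with the Safe's "
                     "own storage and funds")
    elif tx["operation"] != "CALL":
        flags.append("unrecognised operation value %s" % tx["operation"])
    if tx["to"] not in known_targets:
        flags.append("target %s is not on the signers' allowlist" % tx["to"])
    return flags


def build_sample(to_hex: str, operation: int, inner: bytes) -> str:
    """Constructed calldata: zero gas fields, empty signatures."""
    def word(n): return n.to_bytes(32, "big")
    data_tail = word(len(inner)) + inner + bytes(-len(inner) % 32)
    head = [
        bytes(12) + bytes.fromhex(to_hex), word(0),  # to, value
        word(10 * 32), word(operation),              # data offset, operation
        word(0), word(0), word(0),                   # safeTxGas, baseGas, gasPrice
        word(0), word(0),                            # gasToken, refundReceiver
        word(10 * 32 + len(data_tail)),              # signatures offset
    ]
    body = b"".join(head) + data_tail + word(0)
    return "0x" + (EXEC_TRANSACTION_SELECTOR + body).hex()
```

Each signer can run the decoder on the calldata shown by their own device and compare the result with the other signers before approving.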
Shogoki retweeted
Jack Sanford 🛡️ @jack__sanford
End of an era. I've never had a front-row seat to a product going from 0 to 100 back to 0 before.

I still remember in 2022 when @sockdrawermoney said audit contests are a great thing for the Web3 space and that others should launch contest platforms. That was part of the green light that encouraged us to create Sherlock's audit contest platform.

The irony is that I truly think Code4rena died due to competition. Sherlock was the 2nd entrant to the field, and Cantina and Immunefi came 1-1.5 years later and turned the space into a bloodbath where fees to audit contest platforms approached zero.

I think if there had only been one audit contest platform (impossible I know), it would have been a very healthy, lucrative business. And the irony is that I think we'd see more contests and higher SR payouts in that scenario than we do today.

On the bright side, I think competition made Sherlock's audit contest platform a much better product. Our customer-facing dashboards are more user-friendly. We reinvented our judging process 4x and it's now 10x better than it was 3 years ago. And our team as a whole was forged by fire thanks to the intense competition. I am a better founder and CEO because of the experience.

I'm really grateful for the lessons that we learned by competing against Code4rena. Their team was truly mission-driven and cared about security outcomes in a way that some others sadly didn't (and still don't). Sherlock has fought hard to keep the security-first ethos in the audit contest space and in all our products. And we'll continue to fight hard for this.

For any team that experiences a gap in the market due to Code4rena's exit, I hope you'll ask protocol teams and security researchers you trust for their recommendation.

I'm grateful for everything Code4rena has given to the space and our team. And I look forward to Sherlock continuing to carry the torch of a security-first approach in audit contests.

Code4rena @code4rena

After careful consideration, we’ve made the decision to wind down @code4rena. This community has meant a great deal to everyone who has been part of building it, and sharing this news is not easy.

Shogoki retweeted
International Cyber Digest @IntCyberDigest
‼️🚨 BREAKING: An AI found a Linux kernel zero-day that roots every distribution since 2017. The exploit fits in 732 bytes of Python. Patch your kernel ASAP.

The vulnerability is CVE-2026-31431, nicknamed "Copy Fail," disclosed today by Theori. It has been sitting quietly in the Linux kernel for nine years.

Most Linux privilege-escalation bugs are picky. They need a precise timing window (a "race"), or specific kernel addresses leaked from somewhere, or careful tuning per distribution. Copy Fail needs none of that. It is a straight-line logic mistake that works on the first try, every time, on every mainstream Linux box.

The attacker just needs a normal user account on the machine. From there, the script asks the kernel to do some encryption work, abuses how that work is wired up, and ends up writing 4 bytes into a memory area called the "page cache" (Linux's high-speed copy of files in RAM). Those 4 bytes can be aimed at any program the system trusts, like /usr/bin/su, the shortcut to becoming root. Result: the next time anyone runs that program, it lets the attacker in as root.

What should worry most: the corruption never touches the file on disk. It only exists in Linux's in-memory copy of that file. If you imaged the hard drive afterwards, the on-disk file would match the official package hash exactly. Reboot the machine, or just put it under memory pressure (any normal system load that needs the RAM), and the cached copy reloads fresh from disk.

Containers do not help either. The page cache is shared across the whole host, so a process inside a container can use this bug to compromise the underlying server and reach into other tenants.

The original sin was a 2017 "in-place optimization" in a kernel crypto module called algif_aead. It was meant to make encryption slightly faster. The change broke a critical safety assumption, and nobody noticed for nine years. That bug then rode every kernel update from 2017 to today.

This vulnerability affects the following:
🔴 Shared servers (dev boxes, jump hosts, build servers): any user becomes root
🔴 Kubernetes and container clusters: one compromised pod escapes to the host
🔴 CI runners (GitHub Actions, GitLab, Jenkins): a malicious pull request becomes root on the runner
🔴 Cloud platforms running user code (notebooks, agent sandboxes, serverless functions): a tenant becomes host root

Timeline:
🔴 March 23, 2026: reported to the Linux kernel security team
🔴 April 1: patch committed to mainline (commit a664bf3d603d)
🔴 April 22: CVE assigned
🔴 April 29: public disclosure

Mitigation: update your kernel to a build that includes mainline commit a664bf3d603d. If you cannot patch immediately, turn off the vulnerable module:

    echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
    rmmod algif_aead 2>/dev/null || true

For environments that run untrusted code (containers, sandboxes, CI runners), block access to the kernel's AF_ALG crypto interface entirely, even after patching. Almost nothing legitimate needs it, and blocking it shuts the door on this whole class of bug...
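A check for the module workaround quoted in the post above, written as an added example (not from the post or from Theori): it reports whether the `install algif_aead /bin/false` line is in place, whether the module is already loaded, and whether algif_aead is compiled into the kernel, in which case the modprobe workaround cannot remove it. The function name, status strings and arguments are assumptions of this example.

```python
import glob
import os
import re

# Added example, not from the post. Matches "install algif_aead /bin/false"
# (or /bin/true); modprobe treats '-' and '_' in module names as equal.
INSTALL_RE = re.compile(
    r"^\s*install\s+algif[_-]aead\s+/(?:usr/)?bin/(?:false|true)\b", re.M)
CONF_DIRS = ("etc/modprobe.d", "run/modprobe.d",
             "lib/modprobe.d", "usr/lib/modprobe.d")


def _read(path: str) -> str:
    """Return the file's text, or an empty string if it cannot be read."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return ""


def algif_aead_status(root: str = "/", release: str = "") -> str:
    """Return builtin, mitigated, blocked-but-loaded, loaded or loadable.

    root is "/" on a live host or the mount point of a copied file tree;
    release is the kernel release string (default: the running kernel).
    """
    release = release or os.uname().release
    builtin = _read(os.path.join(root, "lib/modules", release, "modules.builtin"))
    if re.search(r"/algif_aead\.ko\s*$", builtin, re.M):
        return "builtin"  # compiled in: only a patched kernel helps

    conf = "\n".join(
        _read(path)
        for conf_dir in CONF_DIRS
        for path in sorted(glob.glob(os.path.join(root, conf_dir, "*.conf"))))
    blocked = bool(INSTALL_RE.search(conf))

    # /proc/modules lists loaded modules, one per line, name first.
    proc_modules = _read(os.path.join(root, "proc/modules"))
    loaded = bool(re.search(r"^algif_aead\s", proc_modules, re.M))

    if blocked:
        # The install line only stops future loads; rmmod is still needed.
        return "blocked-but-loaded" if loaded else "mitigated"
    return "loaded" if loaded else "loadable"
```

Anything other than `mitigated` means the workaround is not in effect on that host; `builtin` and a patched kernel are outside what this check can tell apart.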
Shogoki retweeted
SHERLOCK @sherlockdefi
Major Announcement: The XRP Ledger roadmap is getting a $550K audit contest! In collaboration with @RippleXDev, we’re putting upcoming XRPL features under a two-week, feature-unlock security review. Contest starts Monday. Prepare yourselves!
Shogoki retweeted
SHERLOCK @sherlockdefi
Big news: the @Aave V4 bug bounty is officially live on Sherlock! One of the biggest DeFi upgrades is now open to hunters, with up to $500K USDC on the table for valid findings. More details in the reply below. Let’s go!
Shogoki retweeted
SHERLOCK @sherlockdefi
Today, we’re introducing the Sherlock Referral Program - a simple way for anyone to connect Sherlock with protocol teams that need auditing and ongoing security support. The goal is to get more teams covered across the full security lifecycle (dev → pre-launch → live). First-month Lifecycle Bonus: +$1,000 when a referred team purchases both auditing + Sherlock AI within 30 days.
Shogoki retweeted
Peter Steinberger 🦞 @steipete
Folks, please don't build bots that automatically reply to stuff on X, or use AI to reply. It makes this site annoying to use, I can barely keep up with the blocking. If you use AI to "tweak" your real replies, it will still smell like AI. Embrace typos and imperfect grammar.
Shogoki retweeted
sudo rm -rf --no-preserve-root /
i genuinely think everyone in this space should immediately switch to using Vim. DPRK started abusing VS Code hooks that run _automatically_ in the background when you open a folder. ZERO fucking user interaction required _after_ trusting the repo (the trusting part is important here). Yes, read it again. ZERO. INTERACTION. REQUIRED. so what happens is the following: they (in the usual case the Contagious Interview group, meaning some fake recruiting guy) share GitHub, Bitbucket, and GitLab repos containing a `.vscode/` subdirectory with malicious hooks. the one example I share here executes a fake font that's actually heavily-obfuscated JS and will absolutely rek you. all your fancy software that feels "convenient" makes tradeoffs. those tradeoffs are now being abused to silently rek your devices. use Vim. and use Qubes. Thx.
Shogoki retweeted
PIRATEN Brandenburg @piratenparteibb
#Chatkontrolle and its side effects. The EU wants mandatory age verification (#Altersnachweise) and to lock young people out of social media. Are we now conforming to autocracies, or do we in Europe still stand for something?
Patrick Breyer #JoinMastodon @echo_pbreyer

🇩🇪No more chatting with your own parents? 📵 Sounds absurd, but it threatens to become reality for those under 17. Today the final negotiations on #Chatkontrolle begin. We don't need a nanny from Brussels! 🚫🇪🇺 My essay on what is at stake: patrick-breyer.de/der-digitale-h…

Shogoki retweeted
PIRATEN Brandenburg @piratenparteibb
Again and again, attempts are made to sell us mass surveillance (#Massenüberwachung) such as #Chatkontrolle as security, when it is the opposite of security.
Shogoki retweeted
Mullvad.net @mullvadnet
Chat Control trilogue negotiations to start 9 December – the EU Commission continues to spread misinformation about the Chat Control proposal.

Today, EU Commissioner Magnus Brunner visited the European Parliament and announced that the trilogue negotiations on Chat Control will begin next week, on 9 December, with the ambition of being completed before April 2026.

During the questions from the MEPs, it was obvious that Magnus Brunner is following in the exact footsteps of former Commissioner Ylva Johansson. He stated that he is not satisfied with the Council’s compromise proposal; in his view, the scanning does not go far enough. During the questions from the MEPs, Brunner continued to spread the Commission’s Chat Control misinformation.

Markéta Gregorová, from the Czech Pirate Party, compared the Commission’s proposal to the police opening all envelopes in the physical world and asked Brunner a direct question: “Since both the Parliament and the Council have decided to question your approach (no mandatory scanning), will you play an honest broker in the negotiations in the upcoming trilogues or will you be pushing for more scanning?”

Magnus Brunner: “I think our scanning suggestion was quite … we were suggesting a targeted scanning. I don’t quite understand … is that really what you are saying, that you want to compare protecting our children to privacy of opening up envelopes?”

Markéta Gregorová: “That’s what’s in your proposal.”

Magnus Brunner: “First of all, we must protect our children from this harm, to be honest, there are criminals, I think we have to do everything to protect them, I don’t quite understand why you sort of always balance … in this case I’m really clear, our first of all priority is to protect our children from this abuse. We don’t have to agree on everything. Me as a father … it’s incredible, what’s happening in this world. It’s not about Chat Control, it’s a complete misunderstanding, no it’s not about Chat Control it’s about protecting our children and it’s about fighting against pedophiles, that’s what it’s about. That’s my approach, it’s not about open envelopes or Chat Control.”

Magnus Brunner follows the Commission’s tradition of just answering “what about the children” on every question, and continues to spread the misinformation that Chat Control is targeted scanning.

Birgit Sippel, from the Social Democratic Party of Germany, also asked for figures never mentioned in the discussion: “There’s one figure I didn’t hear, and that’s just how many children have been saved from these situations of abuse, because of digital investigations, how many have been protected from these cases of abuse? I haven’t found any figures on that.”

Magnus Brunner: “On identified victims, I don’t have any specific figures.”

Since Chat Control has been up for discussion for almost four years now, it would be remarkable if Magnus Brunner did not understand what his own commission is proposing. Therefore, the only plausible explanation is that he is consciously following in Ylva Johansson’s footsteps, striving to mislead the EU population. It seems certain that he, in the event of a “failed” Chat Control negotiation, will continue working toward mandatory mass surveillance through the ProtectEU initiative.

We remind once again of the corrupt origins of Chat Control and what truly lies behind the legislative proposal: mullvad.net/blog/mullvad-v…

The European Commission will not be an honest party when they lead the negotiations next week. We can only hope that the Parliament stands firm. Javier Zarzalejos, who is the chairman of LIBE (Committee on Civil Liberties, Justice and Home Affairs) in the Parliament, was straightforward on the Parliament’s position: ”The proposition from the Commission was very problematic in some areas. All political groups finally supported report of the Parliament and we will to the trilogues with such strong mandate of the Parliament.”
Shogoki retweeted
Chris Veber @ChrisVeber1
The secrecy of correspondence (including the secrecy of post and telecommunications) is a central fundamental right of every democracy. If it falls, freedom of assembly and freedom of the press fall too, because citizens can then neither organize unobserved nor pass on tips. In the German-speaking world, the secrecy of correspondence has been broken only three times since 1918: by the Nazis, the Austrofascists and the GDR regime. With chat control, Ursula von der Leyen stands in the tradition of the worst European dictatorships. report24.news/die-eu-auf-der…
Shogoki retweeted
Mullvad.net @mullvadnet
An important victory – but we still need to stop Chat Control.

The Council of Ministers in the EU has, after three years, now reached a common position on Chat Control. The requirement for mandatory scanning (including end-to-end encrypted messaging services) has been removed, which is a major victory. The EU Council failed to implement mandatory mass surveillance. However, in its proposal, they are laying the groundwork for mass surveillance in the future.

What happens now?

The Council will now enter negotiations with the European Parliament, led by the European Commission. We urge the Parliament to stand firm in the trilogue negotiations and not deviate an inch from its previous position, demanding: no mass surveillance whatsoever without suspicion and a court order, no ID-verification requirements, and no censorship of legal content.

The EU Council is preparing for mandatory mass surveillance and censorship

The Council’s version of Chat Control includes voluntary scanning, vaguely worded legislation that may entail requirements for age verification and mandatory ID checks (even for end-to-end encrypted services), and an article stating that the requirement for mandatory scanning shall be reconsidered every three years. They also introduce a new infrastructure for blocking material, where it is up to each member state to block what they consider illegal. At the same time, a massive EU center is being established to work exclusively on this. All in all, this indicates that the EU Council is aiming to build an infrastructure for mass surveillance, and the legislative proposal is written in a way that opens the door to it.

The EU Council’s Chat Control version

- The EU Council’s Chat Control version introduces a new type of scanning for so-called new material and grooming. This means that AI will scan people’s conversations, photos and videos, in search of criminal content. This will result in enormous numbers of false positives, and people’s private lives will move from an AI detection to being examined by employees at a new EU center. This is mass surveillance and people’s private lives will be scanned without any suspicion and without a court order. This scanning is carried out in cooperation with American companies and can at any time be used to scan for virtually anything; Europol has already requested broader scanning and wants access to material that is not illegal.
- Every three years, the European Commission will challenge the law and attempt to force mandatory scanning (even for end-to-end-encrypted services). Messaging services (including end-to-end encrypted) must take “all reasonable measures” to reduce the risk of their services being misused, including implementation of age verification. This means that the EU may require ID checks and ban anonymous use of messaging services and social media. This poses problems for people who criticize those in power in authoritarian countries, for whistleblowers who want to leak documents, and for sources who wish to speak anonymously with journalists.
- A new infrastructure for blocking material is introduced, where it’s up to each of the member states to issue blocking orders for what they consider illegal. This implies that content that is illegal in one country will also be blocked in a country where it is legal. Once this infrastructure is in place, it also opens the door to a slippery slope when it comes to censorship.

Stop Chat Control

From the outset, Chat Control was a proposal that aimed to introduce mass surveillance. That ambition is clearly still present within the Commission and among many of the member states in the Council. The Council failed to introduce mass surveillance but has succeeded in paving the way for new attempts. This applies not only to future proposals for mandatory chat control scanning every three years. This is part of a broader development in which private and secure communication is being challenged by forces seeking to introduce mass surveillance. ProtectEU is a rebranded Chat Control, aimed at banning encryption. National laws are trying to do the same. We need to put a stop to these attempts here and now.
Shogoki retweeted
Jack Sanford 🛡️ @jack__sanford
Updating Mastering Ethereum and releasing it for free has got to be one of the greatest public goods in the Ethereum eco. Even a few months ago I was still recommending folks to read the post-merge V1. This type of content will onboard tens of thousands to the space 🔥
Blackie.hl @ManInBlackie

Mastering Ethereum: Second Edition is officially out for free on github. You can read it directly on github or on masteringethereum/./xyz if you prefer that UI. Enjoy the book and let us know if you like it.

Shogoki retweeted
Darviridis @Darviridis
Proof of security was the best event to connect with auditors and people from the crypto security space. Thank you for the organization! @sherlockdefi @stevienipz #Devconnect
Shogoki retweeted
banteg @banteg
this is disastrous that you needed to be terminally online and had less than 24h heads up to switch away from twitter showing your country to everyone. awful rollout with no user choice or consent whatsoever. this was the exact case for a terms of service update email that would have allowed some time to delete if you disagreed with the new policy. sad seeing people cheering on further erosion of pseudonymity. such a massive gift for oppressive regimes, im sure this will have chilling effects. remember there were times when it was up to platforms to dismantle manipulation networks and proudly post about it. hasn't been a case since 2022.