Zyphernix Security | Smart Contract Audits 🛡
60 posts
@zyphernixsec
Web3 Security Research Firm | Smart Contract Audits | Protocol Audits | Security Consulting Telegram: @zyphernixsec
Web3 Security | Joined October 2024
475 Following | 72 Followers

🛡️GMX V1 Got Exploited for ~$40M on Arbitrum (July 9, 2025)
GMX is a decentralized exchange (DEX) protocol for perpetual futures trading, operating on the Arbitrum and Avalanche blockchains. It enables users to trade leveraged positions on assets such as BTC, ETH, and others with low fees and no counterparty risk, leveraging smart contracts.
🔱Perpetual Futures
Perpetual futures are a type of derivative instrument used in both traditional and decentralized finance (DeFi). They allow traders to speculate on the price of assets such as BTC or ETH without owning the actual asset. These contracts do not have an expiration date, so traders can hold their positions indefinitely, provided they maintain the required margin.
🔱Before we dive in, note that the attack was a chain of bugs:
Re-entrancy -> Unauthorised Access -> Broken Invariant -> State Manipulation -> Price/PnL Distortion -> Profit Extraction.
🔱Entry Point
github.com/gmx-io/gmx-con… (#L846)
1⃣OrderBook.executeDecreaseOrder()
This function reduces a trader's position and sends ETH back to the user via _transferOutETH.
However, if the recipient is a malicious contract, it can re-enter other GMX contracts (e.g., the Vault) while executeDecreaseOrder() is still executing. The function is marked nonReentrant, but that modifier only blocks re-entry into the function itself (and any others sharing its guard); it does nothing about what an untrusted ETH receiver does with control during the external call, such as calling the Vault.
2⃣Re-entrancy → Vault.increasePosition()
During the re-entrant call into Vault.increasePosition(), globalShortAveragePrices[_indexToken] still held a stale value from a valid earlier position.
This bypassed an invariant assumption:
globalShortAveragePrices should be updated every time shortSize changes.
Because of the re-entrancy, the attacker could grow the global short position without resetting that price baseline: increasePosition() internally calls _increaseGlobalShortSize(), which inflates the position size and breaks the invariant used in the P&L calculation, creating a fake loss in whichever direction the attacker wanted.
3⃣Broken Invariant → Price and P&L Distortion
This leads to a mismatch between the actual short position size and the average entry price, violating a key invariant used in profit/loss (PnL) calculations.
4⃣Price and P&L Distortion → Manipulated Profit Calculation
The attacker broke the P&L calculation invariant by exploiting how GMX computes unrealized gains/losses.
a. GMX uses getDelta() to calculate P&L based on:
- averagePrice (which was stale/manipulated),
- currentPrice (oracle-fed),
- and positionSize.
b. By manipulating globalShortAveragePrices and inflating globalShortSizes, the attacker made GMX think:
- Short positions were deep in loss when they were actually profitable.
=> Result:
- GMX overpaid when the attacker closed positions.
- Attacker extracted excess funds from the vault by closing at fake losses, draining real assets.
5⃣AUM Distortion
- GLP tokens are minted based on GMX’s AUM (Assets Under Management).
- AUM = Pool Value + Unrealized PnL from Shorts
- The attacker created fake short losses, which artificially inflated the AUM.
- Using a 7.538M USDC flash loan, the attacker minted 4.1M GLP - significantly more than they should have received under normal conditions.
6⃣GLP Minting → Inflated AUM via Fake Shorts Loss
- The GLP minting logic (GlpManager._addLiquidity()) uses AUM (Assets Under Management) to determine how much GLP to mint.
- AUM includes unrealized P&L from short positions.
- The manipulated fake loss in WBTC short inflated AUM dramatically.
- So when the attacker minted GLP with 6M USDC, they received far more GLP than they were entitled to, based on the fake AUM.
7⃣GLP Redemption → Extracting Real Assets
- The attacker closed short positions via executeDecreaseOrder(), and GMX overpaid due to manipulated unrealized P&L.
- This was repeated using looped re-entrancy, amplifying the fake losses and payouts.
- The attacker later burned the GLP tokens.
- Since AUM was still artificially inflated, the attacker could redeem significantly more USDC/WETH than the GLP was actually worth.
- Massive profit extraction well beyond what their actual input should have entitled them to.
8⃣Flash Loan Repaid, Profit Secured
After extracting ~$42M in real assets:
- The attacker closed their large positions.
- Repaid the original 7.5M USDC flash loan.
- Was left with clean profits and no open positions.
They distributed the funds across multiple wallets and later returned a large portion to GMX.
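To make steps 1 and 2 concrete: the following is an added illustration, not GMX's code. It shows why a nonReentrant modifier on OrderBook does not stop the ETH receiver from calling the Vault, and one defensive pattern, a lock shared by both contracts so the Vault refuses state changes while OrderBook is mid-operation. The SharedLock contract, the simplified size-weighted average formula, and every name other than executeDecreaseOrder(), globalShortSizes and globalShortAveragePrices are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration (not GMX code). A nonReentrant guard on OrderBook only
// stops re-entry into OrderBook; an untrusted ETH receiver still gets control
// during the external call and may call the Vault directly. The shared lock
// below is one defensive pattern; names and formulas are assumptions.

/// A lock shared by every contract that takes part in one logical operation.
contract SharedLock {
    address public immutable admin;
    mapping(address => bool) public isParticipant;
    bool public locked;

    constructor() { admin = msg.sender; }

    function setParticipant(address p, bool allowed) external {
        require(msg.sender == admin, "not admin");
        isParticipant[p] = allowed;
    }

    function acquire() external {
        require(isParticipant[msg.sender], "not a participant");
        require(!locked, "reentrant call");
        locked = true;
    }

    function release() external {
        require(isParticipant[msg.sender], "not a participant");
        locked = false;
    }
}

/// Minimal stand-in for the Vault's global short bookkeeping (access control elided).
contract Vault {
    SharedLock public immutable lock;
    mapping(address => uint256) public globalShortSizes;
    mapping(address => uint256) public globalShortAveragePrices;

    constructor(SharedLock l) { lock = l; }

    /// Refuse state changes while a sibling contract (e.g. OrderBook) is mid-operation.
    /// Without this, a receiver re-entering from OrderBook could change the short
    /// size while the average-price baseline is stale.
    modifier notDuringSiblingOperation() {
        require(!lock.locked(), "reentrant via sibling contract");
        _;
    }

    /// Invariant: the average price is refreshed in the same call that changes the size.
    /// (Simplified size-weighted average; GMX's real formula differs.)
    function increaseGlobalShortSize(address indexToken, uint256 sizeDelta, uint256 markPrice)
        external
        notDuringSiblingOperation
    {
        require(sizeDelta > 0, "zero size delta");
        uint256 size = globalShortSizes[indexToken];
        uint256 avg = globalShortAveragePrices[indexToken];
        globalShortAveragePrices[indexToken] =
            size == 0 ? markPrice : (avg * size + markPrice * sizeDelta) / (size + sizeDelta);
        globalShortSizes[indexToken] = size + sizeDelta;
    }
}

/// Minimal stand-in for OrderBook.executeDecreaseOrder's ETH payout.
contract OrderBook {
    SharedLock public immutable lock;

    constructor(SharedLock l) { lock = l; }

    /// Holds the *shared* lock for the whole call, so the Vault sees locked == true
    /// if the receiver tries to re-enter it before this function returns.
    modifier nonReentrant() {
        lock.acquire();
        _;
        lock.release();
    }

    function executeDecreaseOrder(address payable receiver, uint256 amountOut) external nonReentrant {
        // ...position reduction bookkeeping elided...
        // Control passes to an untrusted contract here; it can call any other contract.
        (bool ok, ) = receiver.call{value: amountOut}("");
        require(ok, "ETH transfer failed");
    }

    receive() external payable {}
}
```

Deploy SharedLock first, register the OrderBook address with setParticipant, then deploy Vault and OrderBook with the lock address. A receiver that calls Vault.increaseGlobalShortSize() from inside the ETH transfer now reverts with "reentrant via sibling contract", whereas a per-contract guard on OrderBook alone would have let that call through.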
#Web3Security #SmartContractAuditing #DeFi #DailyVulnerabilitySeries

🛡️SuperRare Exploit
Key Details
1. Incident Date: July 28, 2025
2. Loss: 11.9M RARE (~$730,000)
3. Exploited Component: updateMerkleRoot in the RareStakingV1 smart contract
4. Vulnerability: Authorization logic reversed—anyone could modify the Merkle root
5. Impact: 11.9M RARE tokens drained (~$730K)
6. Strategy Used: Attacker’s transaction front-run by a higher-gas transaction
On July 28, 2025, the SuperRare staking contract suffered a ~$730K loss due to a critical access control bug in the updateMerkleRoot function, allowing unauthorized updates to the Merkle root used for reward claims.
🛡️Access Control
The exploit stemmed from a logical error in the access-control condition of the `updateMerkleRoot` function.
The condition is intended to restrict access to the contract's owner() or a specific hardcoded address.
But it uses != instead of == together with ||, producing a logic flaw: the check is satisfied by callers other than the owner, so the function can be called from any address.
🛡️Impact on Merkle Root and Claims
In RareStakingV1, the Merkle root (currentClaimRoot global variable) defines valid staking reward claims.
Users call the claim() function with:
a. Their claim amount
b. A Merkle proof array
Merkle proof validation relies on OpenZeppelin’s MerkleProof.verify method, comparing the proof against the mutable currentClaimRoot: the contract's verifyEntitled() checks the leaf against that state variable.
Once the proof is successfully verified, the claim() function proceeds to transfer the entitled token amount to the user.
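The two shapes of the access-control condition side by side, together with a claim() path built on MerkleProof.verify, as an added illustration that is not SuperRare's code. It assumes OpenZeppelin Contracts v5; the `operator` address standing in for the hardcoded address, the leaf encoding, and the cumulative-amount bookkeeping in claim() are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration (not SuperRare's contract). Assumes OpenZeppelin Contracts v5.
import {MerkleProof} from "@openzeppelin/contracts/utils/cryptography/MerkleProof.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

contract StakingClaimsExample is Ownable {
    IERC20 public immutable token;
    address public immutable operator;   // stands in for the "specific hardcoded address"
    bytes32 public currentClaimRoot;     // the root every claim is verified against
    mapping(address => uint256) public claimed;  // cumulative amount already paid out

    constructor(IERC20 token_, address operator_) Ownable(msg.sender) {
        token = token_;
        operator = operator_;
    }

    // VULNERABLE shape, as the post describes: != joined with ||.
    // A non-owner satisfies the first clause; the owner satisfies the second
    // (unless owner() == operator). So the require never blocks anyone.
    //
    // function updateMerkleRoot(bytes32 root) external {
    //     require(msg.sender != owner() || msg.sender != operator, "unauthorized");
    //     currentClaimRoot = root;
    // }

    // FIXED shape: == joined with ||, so only the owner or the operator passes.
    function updateMerkleRoot(bytes32 root) external {
        require(msg.sender == owner() || msg.sender == operator, "unauthorized");
        currentClaimRoot = root;
    }

    /// Leaf = double keccak of (account, cumulative amount), OpenZeppelin's recommended
    /// encoding. Whoever controls currentClaimRoot controls which leaves verify.
    function verifyEntitled(address account, uint256 amount, bytes32[] calldata proof)
        public
        view
        returns (bool)
    {
        bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(account, amount))));
        return MerkleProof.verify(proof, currentClaimRoot, leaf);
    }

    /// Pays out the difference between the proven cumulative amount and what was already claimed.
    function claim(uint256 amount, bytes32[] calldata proof) external {
        require(verifyEntitled(msg.sender, amount, proof), "invalid proof");
        uint256 owed = amount - claimed[msg.sender];
        require(owed > 0, "nothing to claim");
        claimed[msg.sender] = amount;
        require(token.transfer(msg.sender, owed), "transfer failed");
    }
}
```

The defensive point is the dependency chain: claim() trusts verifyEntitled(), verifyEntitled() trusts currentClaimRoot, and currentClaimRoot is only as protected as the require in updateMerkleRoot. A unit test that calls updateMerkleRoot from an unrelated address and expects a revert would have caught the reversed condition before deployment.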
🛡️ Exploit Flow
#Web3Security #SoliditySecurity #SmartContractAuditing #DeFi #DailyVulnerabilitySeries

Auditors on X share tips for effective Web3 security auditing. Some recommend the Pomodoro technique for concentration, while others advocate exploring the many tools available. These approaches work for some auditors, but not everyone is suited to the same methods.
The key to success is identifying and leveraging your unique strengths. Take @philbugcatcher, for example, who uses Excel to rewrite entire code bases, configure variables, and track changes to identify vulnerabilities. This unconventional method works for him because he knows the program well and is able to rewrite the code base in a short amount of time.
Instead of blindly following all the general advice, experiment to find what works best for you. Hone your strengths and apply them consistently to become an outstanding Web3 security auditor.
Zyphernix Security | Smart Contract Audits 🛡 retweeted

Hello @PatrickAlphaC, @GuildAcademy_ would love to partner with @CodeHawks. We offer free online and onsite training for security researchers. I’m currently unable to send you a direct message.
Please help retweet for visibility!

Stark Reminder — DeFi Security Is Not Optional
The first half of 2025 has exposed critical security flaws in DeFi, resulting in over $1.7 billion in losses and a clear trend: basic measures like bug bounties and one-off audits are no longer sufficient.
🔍 Recent High-Profile Exploits
🔓 Cetus Protocol Hack (May 22, 2025)
A logic bug combined with spoof tokens allowed attackers to drain up to $260 million from the Sui-based DEX. Swift action by Sui validators froze $162 million, but over $63 million had already been bridged to Ethereum. Labeled merely a "bug," the exploit revealed deeper security design flaws.
🔥 BitoPro Hot Wallet Breach (June 3, 2025)
A compromise of hot wallets led to a loss of $11.5 million, showing that infrastructure-level security in DeFi still lacks hardening against common attack vectors.
🔐 DEGO & Cocos-BCX Private Key Compromises (June 5, 2025)
Over $14.4 million was stolen via compromised private keys, draining funds from Uniswap and PancakeSwap. Centralized exchanges like Binance had to pause DEGO deposits in response.
📉 The Bigger Picture
- $92M stolen in April across 15 attacks
- $244.1M lost in May, with Cetus alone accounting for ~90%
- Social engineering is rising (address poisoning, impersonation)
- Traditional pentests aren't enough — attackers are evolving faster than defenses
Zyphernix isn’t just an audit firm. We're a DeFi security partner offering:
🔬 Advanced fuzzing and logic testing
📊 Real-world exploit simulations
🛡️ Architecture-level threat modeling
🧠 Security design reviews, not just code scans
We help founders build trust, ship secure products, and stay ahead of sophisticated threats.
💬 Ready to fortify your protocol?
Get in touch for a free consultation or a sample audit report.
Secure smart contracts = trusted community = long-term survival.
Zyphernix Audits — Security Beyond the Surface.
#DeFi #SmartContracts #Web3Security
Zyphernix Security | Smart Contract Audits 🛡 retweeted

Ethereum’s Storage Secret: Why Merkle Patricia Tries Matter | Episode 6 youtu.be/DGvRY9BjLRs?si… via @YouTube

Zyphernix Security | Smart Contract Audits 🛡 retweeted

Vyper's selector table is highly optimized, possibly some of the most optimized code in any web3 compiler. It can save dozens to hundreds of gas before even entering any user code! Interested in how? You can thank "Sparse, Constant Time Jump Tables", pioneered by Vyper lead @big_tech_sux!
Read more below 👇 (link in reply for algo reasons)

🚨 Building in Rust or Move? Don’t Ship Without a Security Audit. 🔐
At Zyphernix Security, we specialize in smart contract audits for projects built on high-assurance blockchains like Solana, Aptos, and Sui.
🛠️ Whether you're launching DeFi protocols, gaming infrastructure, or custom dApps, we offer:
✅ Deep expertise in Rust and Move
✅ Manual + automated analysis for critical bugs
✅ Post-audit support to help you fix and ship with confidence
🎯 Our mission: help you go to mainnet securely and with peace of mind.
If you're building in Rust or Move, let’s talk. Your code deserves scrutiny before it hits production.
📩 DM us to schedule an audit. Telegram: @zyphernixsec
#SmartContractSecurity #Rust #Move #BlockchainSecurity #Solana #Aptos #Sui #Web3Security #SmartContractAudit

DeFIHackLabs Incident Explorer - to view hacks, PoCs, and other stats
defihacklabs.io/explorer/index…

OpenZeppelin Solidity Contracts v5.3 is here 🧑💻
This release introduces new token standards and governance improvements, along with new smart accounts and crosschain capabilities through the Community Contracts Library.
Here's what's new 👇
📝 Core Contracts Highlights
ERC-6909 – New multi-token standard with:
• Minimal implementation
• Metadata support
• Supply tracking
• Content URI extension
Governor Improvements:
• New Proposal Guardian role
• Added Sequential Proposal IDs
• New Super Quorum mechanism
❤️🩹 5.3 also packs quality-of-life upgrades such as:
• trySafeTransfer() for ERC20s (no more surprise reverts)
• clear() for EnumerableSet and EnumerableMap
• MerkleTree.update() for dynamic leaf management
• 512-bit and saturating math operations (add512, mul512, etc)
🧪 Community Contracts Updates
The Community Contracts Library is home to more experimental and community-driven implementations and now includes a new audited framework to develop ERC-4337 accounts with ERC-7579 modules, as well as new crosschain features.
🔐 Production-Ready ERC-4337 Account Implementation, featuring flexible signature validation, including:
• ECDSA
• RSA
• P256
• ERC-7702 (yes, EOAs support!)
🧩 Modular Account Features with ERC-7579
• Support for fully pluggable modules: validators, executors, fallback handlers
• Hook system for advanced customization
• Batch execution support (ERC-7821)
🌉 Cross-chain Capabilities
• ERC-7786 Meta Gateway Aggregator
• ERC-7802 Bridgeable Token Interface
github.com/OpenZeppelin/o…
Zyphernix Security | Smart Contract Audits 🛡 retweeted

PSA: If you're using `tx.origin == msg.sender` to prevent smart contracts from interacting with your contracts, please read this.
The next Ethereum hardfork (Pectra on May 7th) includes a change that allows you to work around this check (EIP-7702).
If you built your smart contracts to only be interactable from externally owned accounts (EOA), please double-check your assumptions. This was common in some early DeFi contracts.
I heard from a founder of a DeFi protocol that blackhats are already testing for this. Do not wait!
Zyphernix Security | Smart Contract Audits 🛡 retweeted

I’ve created a complete up-to-date beginner-friendly roadmap to help you get started in Web3 security right away, covering everything from learning Solidity to landing your first bug bounty!
🎥 youtu.be/Uv16B0V0WMA
📃 medium.com/p/c68528179c6c

Zyphernix Security | Smart Contract Audits 🛡 retweeted

We just released Solarity 3.0! An important milestone in our ZK journey. Here is what's new:
The V3 is a long-awaited upgrade that takes the Solarity library to a new level. We upgraded the OpenZeppelin dependency to 5.2.0, refactored the contracts to use "storage buckets", and shaped the library to be more ZK-oriented!
- The minimal solidity compiler version is now 0.8.21.
- Migrated the contracts to use custom solidity errors (saves gas).
- The library got cleaner: a bunch of code has been removed.
- A lot of refactoring, tech debt cleaning, and optimization.
- The ZK helpers are now tightly integrated with the ZKit plugin.
- Sprinkles of improvements here and there.
Team, you are the best!

Zyphernix Security | Smart Contract Audits 🛡 retweeted

Introducing Pay-Per-Bug Audits by Zyphernix Security
Zyphernix Security is introducing a Pay-Per-Bug Audit Model, ensuring you only pay for real vulnerabilities in your codebase. Our expert security researchers meticulously analyze your smart contracts and Web3 applications, identifying critical flaws that could put your project at risk.
🔍 Expert-Led Audits – Our blockchain security specialists meticulously analyze your smart contracts and Web3 applications.
💰 No Upfront Costs – You only pay for real vulnerabilities we uncover—no wasted expenses.
✅ Cost-Effective & Results-Driven – Get elite security insights without hefty upfront fees.
⚠️ Limited Spots Available for the First Few Projects!
📩 DM us on Telegram: @zyphernixsec for more details and secure your spot now!
🔒 Your Security, Your Terms. Get started today—only pay for what truly matters!
#Web3security #SmartContractAudits #ZyphernixSecurity

🚀 Q1 Milestone Achieved!
Zyphernix Security completed 4 smart contract audits in Q1 – 3 in Solidity and 1 in Rust! 🔍✅
We're committed to securing Web3 projects by identifying vulnerabilities before they become exploits. If you're building in Solidity, Rust, Move, or Clarity, let’s connect and fortify your smart contracts!
#Web3Security #SmartContractAudits #DeFi #ZyphernixSecurity