Daniel Tan

416 posts

@DanielSlothx

Senior smart contract auditor | on-chain hacks analysis | Saved $200K tokens from the Phemex CEX hack

Blockchain Joined February 2010
569 Following 206 Followers
Daniel Tan@DanielSlothx·
#ZKVerifierBug on March 10th, the @CertiK Sr. Staff Security Engineer, #XifengJin, will dive into the ZK verifier attack patterns targeting DSL circuits, zkVMs, and proving systems with practical mitigation insights, in the X Space. #CertiK #ZKVM #DSLCircuit #Audit
CertiK@CertiK

As ZK adoption accelerates, verifier-side security is increasingly critical. In this X Space, CertiK Sr. Staff Security Engineer Xifeng Jin examines attack patterns targeting DSL circuits, zkVMs, and proving systems with practical mitigation insights. Set a reminder below👇

Daniel Tan@DanielSlothx·
#Makina $4M #PriceManipulation hack. The MIM-3CRV pool was manipulated by inflating the MIM price through a flashloan, which affects DUSD Caliber to reflect an inflated value, then propagated to the Machine AUM, the DUSD exchange rate, and ultimately to the DUSD/USDC Curve pool.
Makina@makinafi

x.com/i/article/2014…

Daniel Tan@DanielSlothx·
#TruebitProtocol exploit. The root cause of this $26M hack was that the price calculation #overflow and was manipulated. In the vulnerable smart contract, the SafeMath library is not used, and the Solidity version 0.8.0 or higher is also not used.
CertiK Alert@CertiKAlert

#CertiKInsight 🚨 On 8 January 2026, @Truebitprotocol was exploited due to an overflow issue, resulting in a loss of ~$26.6M. To learn more about what happened, read our full analysis here 👇 certik.com/resources/blog…

Daniel Tan@DanielSlothx·
🔟GMX Reentrancy $42M Exploit On Jul 15, 2025, #GMX V1 lost $42M to a reentrancy attack. Ironically, the vulnerability was introduced by the team's own 2022 bug fix, which lacked proper audit. The hacker exploited a time gap in price updates. Most funds were later returned.
Daniel Tan@DanielSlothx·
#Top10HacksIn2025 1⃣Bybit Supply Chain $1.46B Attack On Feb 21, 2025, #Bybit suffered the largest single hack in web3 history, losing $1.46B, due to the North Korean #LazarusGroup executing a supply chain attack, compromising a Safe Wallet developer's machine.
CertiK@CertiK

You’ve read the stats. Now see the scale. This video from the 2025 Skynet Hack3d Report brings Web3’s most critical security data into focus. Watch the key trends that defined the year.

Daniel Tan@DanielSlothx·
@MetaTrustLabs @QuickNode 1. The `beforeSwap` function misses access control, so users can call it directly and bypass the pool manager; 2. It also misuses the parameter `sender` to track if a user does a swap or not, resulting in DoS, due to all users sharing the same counter. x.com/DanielSlothx/s…
Daniel Tan@DanielSlothx

They implemented a "Swap Limiter" hook that restricts the number of swaps a single address can perform within a certain time frame. But the `beforeSwap` function is without access control, so anyone can call it and bypass the pool manager. Source: quicknode.com/guides/defi/de… 2/n

MetaTrust Labs@MetaTrustLabs·
#FindVulnerability It is amazing that @QuickNode wrote a collection of step-by-step guides to help developers build their own application. But, could you find bugs in the following `SwapLimiterHook` contract that use the Uniswap v4 hook to restrict the number of swaps a single address can perform within a certain time frame. Source: quicknode.com/guides/defi/de…
Daniel Tan@DanielSlothx·
@QuickNode Glad to hear feedback from @DIMIDJ at #QuickNode and see the update on each guide. Now there is alert info that recommends devs to audit the code before using it in production.
Daniel Tan@DanielSlothx·
Again, it is wonderful that @QuickNode shares a collection of step-by-step guides to help people. But it is highly recommended to add an explicit comment for each guide/blog that all the code is not recommended for production use before an audit.
Daniel Tan@DanielSlothx·
#Vulnerability when combined with #UniswapV4Hook. It is great that @QuickNode published a collection of step-by-step guides to help developers. I love it too. But it turns out that the following contract misuses the Uniswap v4 hook. 1/n