HackenProof

We built AI Powered Triage Assiatant 👇

Most “needs more info” comes from missing start state👇

Written by @gneiss2meetU , Security Analyst at HackenProof. 👉 Read Part 1 now: hackenproof.com/blog/for-hacke…

Think Move fixed all of Solidity’s bugs? Think again. Real exploits prove otherwise. Let’s break it down 👇 🚀 The Ultimate Guide to Move Smart Contract Security A new series on how Move protocols actually get exploited and what auditors should look for.

i found chain halting bug on a network carrying $120M in stablecoins and $1.85B in market value. anyway, good morning! @HackenProof #HackenProof

@byte_altar Payable not needed

@HackenProof deposit missing a "payable" plus what everyone is saying concerning using what contract receives in updating shares like what webrainsec says

Spot the Bug 🧠 ERC20 deposit accounting What’s the issue in this code?👇

@rajafaaiz127 Correct

@HackenProof fee on transfer token will always revert

@0xCanvie Right

@HackenProof If it's a deflationary token, then require will revert every time.

@bakii0094 Exactly - never trust amt for accounting

@HackenProof uint256 before_ = token.balanceOf(address(this)); token.transferFrom(msg.sender, address(this), amt); uint256 received = token.balanceOf(address(this)) - before_; shares[msg.sender] += received; Developer Lesson: 👉 Never trust amt, always calculate received.

@0xSafer Right idea — shares should track actual received

@HackenProof The transferFrom function credits shares based on the requested amount, instead of the actual amount therein, therefore an attacker can deposit malicious or fake tokens and then go ahead to dilute the contract's balance.

@nooz0x Exactly

This is an accounting bug, not just a token edge case. The contract implicitly trusts amt as the deposited value, while the only safe value is the actual balance delta. For fee-on-transfer / deflationary tokens, shares must be minted from balanceAfter - balanceBefore, not from user input.

@ziko29504803 Closer issue is amount-vs-received accounting

@HackenProof Dos via donation

✅ [New bug bounty] Earn up to $10,000 with @idOS_network You will be rewarded based on these tiers: Critical: $10,000 High: $5,000 Medium: $2,000 Low: $200 Start the #bugbounty hunt right now! hackenproof.com/programs/idos-…

✅ [New bug bounty] Earn up to $2,000 with @pumbua You will be rewarded based on these tiers: Critical: $1,000 - $2,000 High: $700 - $900 Medium: $200 - $500 Low: $50 - $100 Start the #bugbounty hunt right now! hackenproof.com/programs/pumb-…

@veritas_web3 The best flavour

@HackenProof Like crits

What would the “Bug Bounty” flavor taste like?

📢 Big news from @suidevelopers and @SuiNetwork! A new bounty target is live: Bella Ciao — next-generation Sui VM execution layer rewrite with enhanced performance and new Move capabilities — offers a wide range of bounties: Critical: $100,000 - $1,000,000 High: $10,000 - $50,000 Medium: $5,000 - $10,000 Low: $2,500 - $5,000 Start the #bugbounty hunt right now: hackenproof.com/programs/sui-p…

📢 New opportunity for security researchers!

✅ [New bug bounty challenge] Earn up to $250,000 with @flipcash Flipcash is offering up to $250,000 to the first researcher who successfully exploits Reserve — its autonomous on-chain smart contract on Solana. A $50,000 referral bonus is also available. Read the full details and join here: hackenproof.com/programs/the-f…

@0xb4dg0d Hello, please, join discord server and open a ticket at # bug-bounty-support request. Our support team will be happy to assist you discord.com/invite/NHX6yt7…

@HackenProof I found an IMO high-severity bug in your web app, but I only have 82 rep points instead of the >99 required. Is there any way to submit the bug bounty report before farming rep points on other BBPs first?