
Paladin Blockchain Security
@0xPaladinSec
Followers: 7K | Following: 248 | Media: 37 | Statuses: 300
Smart contract audits with a focus on safety from the consumer's perspective. Audited projects are not an endorsement nor financial advice. https://t.co/hm7Cmh5u6t
Joined June 2021
Exciting news from Paladin! We now audit smart contracts written in Move. Looking to secure your project? Or are you a Move auditor? Let's connect! #Blockchain #SmartContracts #MoveLanguage
We are working hard with the @starsarenacom team to get the audit published ASAP. We understand that the community is looking forward to the audit report -- rest assured that both our teams are working very hard on this. We appreciate your patience.
UPDATE: We've relaunched the platform w/o trading. It's been amazing seeing everyone jump back into the Arena and have fun. Our tech team led by @0xlocrian has been working hard on scaling our infrastructure and handling the traffic. Trading functionality will only resume.
We are excited to announce our newly onboarded project: BlackrockFund. As a leading auditing firm in the cryptocurrency space, #Paladin is committed to ensuring transparency and security. Stay tuned for updates on our collaboration with @BlackRockFi!
(I) The exploit of @CreamdotFinance is a strong reminder about the importance of collateral management for lending protocols. In this situation, the code of the core protocol was correct. Instead, small-cap, easily manipulated collateral lies at the cause.
We've now finished returning all of the tokens we were able to white-hat during the Nomad Bridge exploit! In cooperation with @RugDocIO we were able to recover over $1M in tokens. Deep respect to all white-hats who have been doing the same and have already returned $17M+.
Pleased to announce the successful conclusion of our audit for @BlackRockFi. Check out the audit report here: Users, kindly ensure contract addresses match with our audit. Our audits cover code-related risks; additional due diligence is advised on other
@0xArbiter @samczsun A very messy list of mistakes from our internal issue library. Hopefully this helps. There are also many resources and blog-posts that write these out nicer.
Nomad bridge is now completely drained. Together with @RugDocIO we did a whitehat of the remaining large token balances (about $1.5m, we were definitely late) which will be returned to the affected projects. @IagonOfficial @GeroWallet @covalent_hq please DM.
Paladin is excited to become the security partner for the @elastosinfo ecosystem! Following several intriguing audits within Elastos, Paladin will leverage its careful knowledge of auditing methodologies and security experts to provide peace of mind to the Elastos' users.
The Elastos Ecosystem has partnered with blockchain security firm @0xPaladinSec to provide audits and oversight for the Elastos Smart Chain (ESC) and its native applications, bolstering trust for both developers and users alike.
Our team helped DEUS to make this space a safer place. Together with the amazing sec engineer @pcaversaccio, @paladin_marco and he helped secure over $100k during the @DeusDao DEI exploit. We are delighted to see that the actual exploiter has chosen to return funds as well.
Deus DEI exploiter just returned 2023 ETH worth almost $4m. Together with my, @pcaversaccio, @adamb83024264 and the BSC whitehat's returns, that's almost $6m in recovered funds!
We are delighted to share that Paladin has officially commenced the audit of contracts for MBD Financial @mbdfinancials. Stay tuned for progress updates! #cryptocurrency #audit #blockchainsecurity
Within our audit with @traderjoe_xyz, we carefully went through the importance of collateral quality. They have only added the most reputable currencies as collateral and refrained from using on-chain oracles. We hope that all lending protocols can learn from them.
Ongoing Phantom Wallet Exploit Drains Millions in #Solana Tokens. We are tracking the exploiting wallets here:. Total funds stolen: $5m and counting.
#Fantom Reaper Farm multistrat vaults got exploited a few hours ago through a trivial mistake in the code. The exploiter called withdraw with any "owner" and their own address as "receiver" as nothing is checked, stealing stakes from anyone. Impact: $1.7m+
Did you know it is possible for users to profit from their swaps? We had the honor to audit @wallchain_ launching on @ape_swap. The new ApeSwap router launching today uses WallChain to backrun user swaps with arbitrage opportunities and sends rewards to the user for it!
The #ApeSwap DEX just got a major upgrade today! Introducing the Bonus Router, a new feature that gives users an opportunity to earn a bonus on qualifying swaps. Available on our #BNBChain & #Polygon DEX.
1) PolyYeld Layer1's Masterchef was exploited using a similar method to the fall of Cerberus, Garuda, Ketchup, Piggy, CaramelSwap and others. @RugDocIO.
We are an official Cronos accelerator partner @cronos_chain. We'll be supporting teams in the Cronos accelerator where you can apply for the 3-month program supporting the advance of Web3 Dapps.
We proudly welcome @RugDocIO as a strategic advisor within our leadership. We are proud to partner with an organization with a near identical mission to ours: Making DeFi as safe as possible for users.
/1 Thank you @RugDocIO for hosting the intense white-hat war-room with our team. Thank you @IagonOfficial @GeroWallet for quickly responding to this emergency and taking the right actions to safeguard and protect the value of your tokens.
DogeChain bridge allegedly exploited. DogeChain has been paused for about 9 hours since an alleged bridge exploit occurred on their own bridge which is solely responsible for managing dogecoin from the actual doge network. Other bridged currencies are currently unaffected.
DogeChain native bridge allegedly exploited for a <$1m amount. Chain is currently halted and a hardfork is being proposed. Only bridged doge is likely vulnerable as the stablecoins are bridged using synapse and anyswap which are unlikely to be affected.
We had the pleasure of auditing @Colonylab's contracts - we really enjoyed working with them as communication was top-notch. Wishing them all the best with their project!
Cream yUSD oracle value around exploit. "For the following tokens, we fetch price from contracts directly: yUSD (v1) . yUSD (v2)". @CreamdotFinance
@RugDocIO 2) xYeld token contains a transfer tax and was added to pid 16 on the Yeld L1 Masterchef, which unfortunately could not support tokens with transfer taxes. The referral system minted 4.9 trillion Yeld tokens which were then dumped on the market.
Did you know @UMAprotocol allows contracts to request any off-chain calculation imaginable? We had the chance to audit @0xCovenant which uses UMA's Optimistic Oracle to allow for conditional payouts with complex conditions. Covenant plans to be a generic DAO bribing platform!
Final audit is completed by @0xPaladinSec & the contracts are currently being tested on Mumbai while we prepare the front end!
We are delighted to share that Paladin has officially commenced the audit of contracts for @SageERC314. Track their audit progress here: Stay informed and remember to conduct thorough Due Diligence before investing in any cryptocurrency projects!
We've successfully concluded the audit for @CryptoAlgebra's Integral - the newest modular-based AMM solution for DEXes. Check out the audit report here: Our audits cover code-related risks; additional due diligence is advised on other project aspects.
Pleased to announce the successful conclusion of our audit for @imgn_ai. Check out the audit report here: Users, kindly ensure contract addresses match with our audit. Our audits cover code-related risks; additional due diligence is advised on other
We are thrilled to announce our partnership with @axon_finance, the latest award-winning project of @avax @AvaLabs CodeBase. Axon is the world's first liquid fiat<>crypto protocol, which seamlessly fuses your bank accounts and crypto wallets and executes low-cost, non-custodial,
We are pleased to announce the successful conclusion of our audit for @IHFund. Check out the audit report here: Users, kindly ensure contract addresses match with our audit. Our audits cover code-related risks; additional due diligence is advised
We are pleased to announce the successful conclusion of our audit for @Hypercycle_AI. Check the report here: Users, kindly ensure contract addresses match with our audit.
@torskergodt @Monomol4 @evolution_bsc Hi there, I checked in our records for you: The audit officially commenced yesterday. Please keep in mind that bridges like Evodefi's are centralized.
We definitely enjoyed working on this with our good partners at @ape_swap!
The new EIP-5725 standard for transferable vesting #NFTs created by @ape_swap and @0xPaladinSec allows for flexible vesting curves and custom #NFT art. This is a game changer for the NFT market! $BANANA.
/4 As visible in @samczsun's degenerately good tracing tool, this is exactly what happened. The exploiter simply called the function and withdrew the underlying LP tokens from the vault. One of the most trivial exploits at scale in a while.
Glad to work with the @dragonswap_dex team to secure their protocol!
We are especially proud during times like these to be working together with talented people from across the industry to help and make the space safer for all users! We are excited to do this together with the teams building on #Elastos.
Recently, we have worked with @SageERC314 on their new token Sage. We would like to highlight an issue that we validated by using a simple fuzz test implemented with Foundry.
By extracting arbitrage opportunities directly after a swap, @ape_swap reduces the overall opportunity cost for users swapping on their platform. Read more about how they are able to do this safely within our audit report:.
A vulnerability allowing for theft of assets has been discovered in DeBank's EVM wallet's swap contracts. If you've used Rabby in the past, revoke ASAP as your approvals to the contract might soon get drained as well.
There is an exploit on Rabby Swap smart contract. If you have used it, please revoke all existing approvals on all chains for Rabby Swap. For those who haven't used Swap, your wallet is safe and unaffected. We are actively working to solve it and we will keep you updated.
Helping to keep funds safe is always our priority - do follow our senior auditor @PaladinCharles!
At @0xPaladinSec we are always assigning at least one senior auditor and one junior auditor to each audit. For larger codebases it can be up to 5 senior auditors! The next free spots start at the 5th of June.
This month we had the chance to audit @CIAN_protocol. A limit order that unstakes the AVAX from Benqi once the desired price is met? No problem. Topping up your collateral if you are about to be liquidated? No problem. Cian's goal is to become the IFTTT of defi.
1/ In light of recent market conditions, @avalancheavax, @BenqiFinance, @0xPaladinSec, and @CIAN_protocol decided to create the "Automated Protection Week" to promote onchain security as well as the automation of DeFi. Start building today to earn great APY and secure an airdrop.
Join our auditing team lead, Marco, in the round-table discussion with @CIAN_protocol on Twitter where we discuss this vision of a generic defi execution engine!
Pleased to announce the successful conclusion of our audit for @dragonswap_dex. Check out the audit report here: Users, kindly ensure contract addresses match with our audit. Our audits cover code-related risks; additional due diligence is advised on
Glad to help out where we can, @IagonOfficial. Our condolences to everyone affected by this exploit.
There has been an exploit on the @nomadxyz_ bridge. We will take down our UI front end that supports the bridge. We have blocked any ERC20 token transactions to centralized exchanges. CNT tokens are safe. @0xPaladinSec has secured 179,221,101 ERC20 tokens. We appreciate them!
/3 Phantom has confirmed they do not believe this incident is isolated to their wallet.
We are working closely with other teams to get to the bottom of a reported vulnerability in the Solana ecosystem. At this time, the team does not believe this is a Phantom-specific issue. As soon as we gather more information, we will issue an update.
We are pleased to announce the successful conclusion of our audit for @Datnoid_Dapp. Check out the audit report here: Users, please ensure contract addresses match with our audit.
We are glad to have completed the audit for @Reflect_rfl's token contract. More information can be found at
Exciting news for our community! Our token has successfully passed a comprehensive security audit by @0xPaladinSec reinforcing our commitment to transparency and trust. Please find more information in the following tweet.
@RugDocIO @peckshield Looks like it's not a new exploit:
1) PolyYeld Layer1's Masterchef was exploited using a similar method to the fall of Cerberus, Garuda, Ketchup, Piggy, CaramelSwap and others. @RugDocIO.
The Uniswap V3 exploit appears to just be a phishing attack that was detected due to Binance's automated detection systems which detect large flows of funds. Our cornerstone protocol is *hopefully* still safe.
/1 Currently the most likely scenario is that the hacker was able to get people to approve their Uniswap V3 LPs and the hacker was simply able to steal them.
Check in tomorrow to hear our CTO talk #DeFi at the @CIAN_protocol round-table! Our CTO will be sitting down with some exceptional minds. - The BD of @avalancheavax - The CEO of @CIAN_protocol - The CEO of @BenqiFinance. #Avalanche.
1) While there is a lot to be said about the iron tokenomics and the way they handled their collapse, the reentrancy exploit mentioned in this article is incorrect.
Iron Finance, the story of the fastest crash in DeFi history, continues to unravel. Report from Herbert Eng @nullscientist suggests the collapse was more than a bank run and that knowing hackers exploited a re-entrancy bug in the code. Read here.
We are pleased to announce the successful conclusion of our audit for @MusingNetwork. Check out the audit report here: Users, kindly ensure contract addresses match with our audit. Our audits cover code-related risks; additional due diligence is
@Kurt_M_Barry @PourjafarNima @transmissions11 @paradigm_ctf Legend says that our job interview is just hacking Random.sol.
Congrats to Avalanche on this partnership! We love working with your team and are happy to see Avalanche grow and progress.
It's official! @Amazon #ChoseAvalanche to bring scalable blockchain solutions to enterprises and governments. #AWS fully supports Avalanche's infrastructure and dApp ecosystem, including one-click node deployment, offering the best tooling for these high compliance use cases.
We are pleased to announce the successful conclusion of our audit for @ebixyzdex. Check out the audit report here: Users, kindly ensure contract addresses match with our audit. Our audits cover code-related risks; additional due diligence is
Thank you for the love!
Would love to see our friends over at @0xPaladinSec added to this list of auditors. They're strong, fast, and very, very smart.
@Ape_tastic @wallchain_ @ape_swap I heard a rumor they might even start writing technical blog posts soon?!
We're looking forward to working with @polyquity_org to create a safer protocol for everyone!
@0xPaladinSec has started auditing @polyquity_org's contracts. They have a strong collaboration with @RugDocIO, which is an important indicator in the #Polygon ecosystem. #Safety comes first in any protocols, and should never rush it. Read More