ChainLight
@ChainLight_io
Followers 4K · Following 2K · Media 294 · Statuses 2K
smart contract audit & token regulation and compliance | 8-time winner @defcon | winner @paradigm_ctf 23 | member @_SEAL_Org | est. 2016
Joined September 2022
We did it again. We are thrilled to announce that ChainLight has won @defcon 32, the Olympics of CTF. This marks our 8th victory and the first time any team has won 3 consecutive years in DEF CON history. 🧵For those new to ChainLight, here’s a little thread about us:
🤝 New partnership: Theori x @okta
https://t.co/fezhAKqeJW We’re bringing red-team firepower + automated pentesting as Okta’s trusted security service provider. Raising the bar for identity threat resilience 🚀
Thank you for reading. To stay up-to-date with the latest report and research from our award-winning security researchers: 👉 Subscribe Newsletter: https://t.co/C4miHX1FMI 👉 Join Discord: https://t.co/JLtmTXIXXr (6/6)
3️⃣ @th3r0ar Loses $780K • Using a backdoor function in the staking contract, the deployer manipulated the token balance of a specific address by directly altering the storage. • The team attributed the responsibility to an external developer. (5/6)
Earlier today, the $1R0R staking contract had tokens removed and dumped on the open market. At this stage, we do not believe this to be an external exploit. One nefarious developer, external to R0AR core team, is seemingly behind the drain. They have been removed from the
2️⃣ @zksync Loses $5M • Due to the private key leakage, zkSync allowed $5M worth of $ZK, which had remained unclaimed from the airdrop program. • Stolen assets still remain on an EOA, `0xb1027ED67f89c9F588E097f70807163feC1005d3`. (4/6)
ZKsync security team has identified a compromised admin account that took control of ~$5M worth of ZK tokens — the remaining unclaimed tokens from the ZKsync airdrop. Necessary security measures are being taken. All user funds are safe and have never been at risk. The ZKsync
1️⃣ @KiloEx_perp Loses $8.4M • The victim contract inherited the OZ forwarder contract but mistakenly left the execute method permissionless. • This allowed the exploiter to open a position at an artificially low price. (3/6)
Table of Contents: 1️⃣ KiloEx Loses $8.4M 2️⃣ zkSync Loses $5M 3️⃣ R0AR Loses $780K (2/6)
Which rug pulls, exploits, and security breaches happened this week? Read this 2-minute weekly summary to stay in the loop 🧵👇 (1/6)
When we released the ZK Book over a year ago, we took the ZK education space a huge step forward. Our book pioneered the approach of "just enough math" to learn ZK. Today we do it again with a new addition to the ZK Book. "Circom and Constraint Design Patterns" This new
Thank you for reading. To stay up-to-date with the latest report and research from our award-winning security researchers: 👉 Subscribe Newsletter: https://t.co/C4miHX1FMI 👉 Join Discord: https://t.co/JLtmTXIXXr (12/12)
9️⃣ A security engineer exposed as a DPRK scammer • Further investigations of @tanuki42_ revealed his activities: @aqualoan_io, which he contributed to, rugged and deleted its GitHub. • Nick Franklin initially denied the allegations but has now deleted his X and TG. (11/12)
@0xNickLFranklin UPDATE: The liquidity protocol @aqualoan_io which @0xNickLFranklin was a contributor to has pulled all of its liquidity overnight (~$800k) and deleted its Github. https://t.co/Hd7puf49LS hxxps[://]aqualoan[.]io/ (site still online) H/t @blackbigswan
8️⃣ A Security Engineer Exposed as a DPRK Scammer • A security engineer named Nick Franklin, active in the Ethereum security community, was revealed to be a DPRK-related scammer. • He attempted to scam @k06a, the @1inch cofounder, and was subsequently exposed. (10/12)
Meet Nick Franklin @0xNickLFranklin - Blockchain Security Engineer…. or RGB operative hacking for DPRK? Seemingly this guy has had the entire industry fooled for years.
7️⃣ A Governance Attack on @Polymarket • A UMA tycoon exploited their voting power, holding about 25% of the total votes, to settle false results for profit. • Polymarket has vowed to prevent this from happening again. (9/12)
A governance attack occurred on Polymarket, where a UMA tycoon used his voting power to manipulate the oracle, allowing the market to settle false results and successfully profit. The tycoon cast 5 million tokens through three accounts, accounting for 25% of the total votes.
6️⃣ @leveragesir Loses $354K • To bypass the checks, the exploiter brute-forced a vanity address via create2 and set the amount variable equal to that address. • After that, the exploiter called its malicious contract via the callback and drained the assets. (8/12)
Synthetics Implemented Right @leveragesir has been hacked for $355k This is a clever attack. In the vulnerable contract Vault ( https://t.co/RycDbFY5Xq) there is a uniswapV3SwapCallback function that uses transient storage to verify the caller. Specifically, it loads an address
5️⃣ @leveragesir Loses $354K • The Uniswap v3 callback function verified the caller using transient storage. • However, this storage was overwritten by the minted token amount at the end of the execution. (7/12)
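The two Sir Trading posts above describe a transient-storage slot that is written with the expected callback caller and later overwritten with a minted amount. The following Solidity sketch is an added, constructed illustration of that hazard and its mitigation; it is not SIR.trading's Vault code, the swap itself is elided, and the contract and slot names are invented for the example. It needs a Cancun-capable EVM for `tstore`/`tload`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24; // tstore/tload need a Cancun-capable EVM

// Constructed illustration of the transient-storage hazard in the thread above.
// It is NOT SIR.trading's Vault; the swap call is elided and only the
// transient-storage bookkeeping around the callback is shown.

abstract contract TransientBase {
    function _tstore(bytes32 slot, uint256 value) internal {
        assembly { tstore(slot, value) }
    }

    function _tload(bytes32 slot) internal view returns (uint256 value) {
        assembly { value := tload(slot) }
    }
}

/// Fragile: one transient slot holds the expected callback caller and is then
/// overwritten by an unrelated amount before the transaction ends. Any later
/// call in the same transaction from an address numerically equal to that
/// amount passes the caller check.
contract FragileVault is TransientBase {
    bytes32 internal constant SLOT = bytes32(0);

    function swap(address pool, uint256 minted) external {
        _tstore(SLOT, uint256(uint160(pool)));   // record who may call back
        // ... pool.swap(...) runs here and re-enters uniswapV3SwapCallback ...
        _tstore(SLOT, minted);                   // BUG: same slot, different meaning
    }

    function uniswapV3SwapCallback(int256, int256, bytes calldata) external view {
        // Reads whatever is in SLOT: a pool address, or a stale amount.
        require(msg.sender == address(uint160(_tload(SLOT))), "bad caller");
    }
}

/// Hardened: distinct, namespaced slots per purpose, a non-zero check, and the
/// caller slot is cleared both by the callback (one-shot) and after the swap.
contract HardenedVault is TransientBase {
    bytes32 internal constant CALLER_SLOT = keccak256("vault.transient.expectedCaller");
    bytes32 internal constant AMOUNT_SLOT = keccak256("vault.transient.mintedAmount");

    function swap(address pool, uint256 minted) external {
        _tstore(CALLER_SLOT, uint256(uint160(pool)));
        // ... pool.swap(...) runs here and re-enters uniswapV3SwapCallback ...
        _tstore(CALLER_SLOT, 0);                 // callback window is closed
        _tstore(AMOUNT_SLOT, minted);            // separate slot for the amount
        // ... consume the amount ...
        _tstore(AMOUNT_SLOT, 0);                 // leave nothing behind
    }

    function uniswapV3SwapCallback(int256, int256, bytes calldata) external {
        uint256 expected = _tload(CALLER_SLOT);
        require(expected != 0, "no swap in flight");
        require(msg.sender == address(uint160(expected)), "bad caller");
        _tstore(CALLER_SLOT, 0);                 // consume the permit: one callback only
    }
}
```

The point to check in review is that every transient slot has exactly one meaning, is cleared as soon as its purpose is served, and that a zero value can never be interpreted as a valid caller.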
4️⃣ @MIM_Spell Loses $13M • Abracadabra Money's cauldron contract, which leverages GMX's GM token, had a vulnerability. • Although details are scarce, @BlockSecTeam's initial analysis suggests the insolvency check logic was misimplemented. (6/12)
$13M exploit. 50% repaid in less than 36h. Zero user funds lost. Abracadabra isn’t backing down We are rebuilding stronger with @berachain , @NibiruChain, and @PurrSwap_ expansions. SPELL emissions on pools are uninterrupted, with new avenues arriving. Full remediation by
3️⃣ The Second Exploit on @HyperliquidX • Although the delisting process was done by governance, centralization concerns arose as HyperLiquid's action forcibly closed other users' positions. • Regarding this, HyperLiquid promised full compensation for affected users. (5/12)
Yesterday is a good reminder to stay humble, hungry, and focused on what matters: building a better financial system owned by the people. Hyperliquid is not perfect, but it will continue to iterate and grow through the collective efforts of builders, traders, and supporters.
2️⃣ The Second Exploit on @HyperLiquidX • Understanding the situation, the community started buying $JELLYJELLY, and the unrealized loss of HLP surged. • To prevent a massive loss, HyperLiquid closed the position at its entry price and delisted $JELLYJELLY. (4/12)
After evidence of suspicious market activity, the validator set convened and voted to delist JELLY perps. All users apart from flagged addresses will be made whole from the Hyper Foundation. This will be done automatically in the coming days based on onchain data. There is no
1️⃣ The Second Exploit on @HyperliquidX • A whale established a large leveraged short position in $JELLYJELLY, which had relatively low liquidity. • By removing margin, the exploiter triggered forced liquidation from HLP and handed over the illiquid position. (3/12)
Hyperliquid just got exploited. What happened? A trader deposited $7.167M on 3 separate Hyperliquid accounts within 5 minutes of each other. He then made leveraged trades on an illiquid coin, JELLYJELLY. However, he ended up losing money, and is down almost $1M unless
Table of Contents: 1️⃣ - 3️⃣ The Second Exploit on HyperLiquid 4️⃣ Abracadabra Money Loses $13M 5️⃣ - 6️⃣ Sir Trading Loses $354K 7️⃣ A Governance Attack on Polymarket 8️⃣ - 9️⃣ A Security Engineer Exposed as a DPRK Scammer (2/12)
Which rug pulls, exploits, and security breaches happened this week? Read this 2-minute weekly summary to stay in the loop 🧵👇 (1/12)