I am thrilled to announce that I'm joining @0xPolygon as the Chief Information Security Officer.
Polygon is the leading Ethereum scaling platform, and I'm stoked about our upcoming ZK rollups.
Security has been a priority at Polygon, and I will be pushing it to the next level.
The ledger issue is now fixed.
To make sure you don't have the malicious library cached, go to and ensure the version is 1.1.8.
If it's not, clear your cache. Chrome: F12 > Chrome Developer Tools > Application tab > Storage in left tree > Clear site data.
Ledger just released a new update for Nano X that allows social recovery of your seed phrase.
It encrypts your seed in 3 shards and sends it to different entities that can then reconstruct the seed for you post ID verification.
It's a horrendous idea, DON'T enable this feature.
UST fiasco is very fishy.
- Terraform Labs removed $150m of UST liquidity from Curve yesterday
- 1 minute later, a freshly funded address bridged $84m of UST to Ethereum (Initiated bridging before TFL removed liquidity)
- 4 min later, it dumped the UST, triggering the sell-off
I don't think the crypto space has ever seen anything of this magnitude and severity before.
Even the DAO hack feels nothing compared to the Terra crash.
This is going to have long-lasting consequences. It's bad for the whole space.
Prepare for a long bera. Winter is coming.
gm
- Andre and Frog Nation will launch a new product with a new token on Fantom in the next week.
- Hundred finance is paying 70% APY on DAI on Fantom.
- Gas price on Matic is being sustained at over 500 gwei due to a play-to-earn game.
FTM is looking really good right now.
- Alameda paid their DeFi debt (Abracadabra) before their CeFi debt (FTX) because DeFi positions are public, can affect optics, and DeFi protocols WILL liquidate you without a warning. This cements the usefulness of DeFi. I'm more bullish than ever over the long term.
Not a good day for Blockchains.
- Solana is currently down.
- Arbitrum went down, came back up, went down again.
- Someone tried a 550 block reorg attack with fake PoW on Ethereum, managed to fool some nethermind nodes.
Buildooor: Yo, what if I took money from people, put it in anchor to earn 20%, and pay 13% back to investors?
Also, we'll sprinkle some false advertising to hide the risks, launch a token, and use web3 to avoid registering this mutual fund.
VC: Holy shit, take this 5m funding.
Cream hack early analysis -
1. Using account A, Flash Borrow 500m DAI
2. Deposit 500m dai into yDAI
3. Deposit ~500m yDAI into yUSD
4. Deposit ~500m yUSD into yUSDVault
5. Mint ~$500m crYUSD (it used yUSDVault as underlying)
A rogue validator on Flashbot seems to be exploiting MEV bots. Over 25m USD already stolen.
The validator takes a sandwich bundle from the MEV bot and replaces the victim transaction with its own that exploits the MEV bot instead.
Here's how it works -
Harmony Protocol's Horizon bridge was hacked and $100 million were drained earlier today.
The bridge was essentially a 2 of 5 multisig. If any 2 addresses told it to transfer funds to someone, it did.
The hacker compromised 2 addresses and made them drain the money. 🧵👇
Market Cap of the coin and TVL in DeFi are two important KPIs for Blockchains but they can sometimes go out of sync in the short term. This table reinforces our belief in investing in multi-chain.
Poly Network hacked for over $600 million across Ethereum, Polygon, and BSC.
Poly network hasn't even verified their contracts on Ethereum so it's tedious to analyze. Here are my current thoughts 🧵👇
What now?
FTX customers and Alameda likely rekt but this might have a spiraling domino effect.
Here are my predictions. Not financial advice:
- Alameda might have to liquidate their positions so their liquid holdings like FTT, Sol, Crv, Uni, Sushi etc may have a hard time.
Wintermute was hacked for ~160m a few hours ago.
I took a quick look and my best guess is that it was a hot wallet compromise due to the Profanity bug that was publicly disclosed a few weeks ago.
I am excited to announce that I've joined @SushiSwap's core dev team🍣
Sushiswap is one of my favorite projects in this space and I'm happy to be a part of their journey.
Tune back in on 20/07/21 for some exciting news 😉
Popsicle Finance exploited, hacker drained ~$25m. The hack was complex but the bug was simple. TX Hash:
Basically, Popsicle doesn't transfer the reward debt when users transfer their shares. This exposes multiple exploits, one of which was used here 🧵👇
I'm thinking of doing a live educational session where I review some smart contracts and explain my approach to audits. Who'd wanna watch that?
ps If you have a small contract that you'd like to be reviewed live, post the link below. I'll pick some random ones for the session.
@nicksdjohnson @ensdomains It was expected and a safe choice from a PR perspective but I can't say I'm happy about this.
I hate his views and stance but I have never seen him treat anyone differently because of his views. I wish we judged people based on their actions, not their words.
Public RPC gateways provided by Ankr for Polygon () and Fantom () were compromised via DNS hijack earlier today.
Polygon and Fantom foundation have no control over services provided by others.
Use Alchemy or others while this is fixed.
Web3 is not about forced decentralization.
Web3 is about the ability to be decentralized. It's about having the choice.
Infura/Alchemy are not bad as long as you have the choice to run your own node.
Custodians are not evil as long as you can self custody as well.
Reminder that Testnet Ether is supposed to be free.
If you buy or sell it, you are part of the problem.
If you are draining faucets and trading it for profit, you are a piece of shit.
An attacker left a 120k ETH (~$320m) hole in Wormhole today.
The Wormhole team has promised to cover the loss to save users from bearing the cost.
Let's explore how Wormhole works and how it was exploited (Bonus Wonderland / Sifu connection and memes inside)🧵👇
OFAC just sanctioned this contract.
All it does is echo what you say to it.
This perfectly illustrates the subject matter expertise of the folks over there.
H/T @wadeAlexC
SafeDollar was exploited today and dumped on the open market for ~$250k. It was an infinite mint exploit. The market cap of $SDO was ~$248mm but there was just $250k in exit liquidity. The attack happened because SafeDollar incentivized a token that has a fee on transfer. 🧵👇
FTX has been hacked.
Their wallets are being drained, hundreds of millions of dollars have been stolen.
The website is non-functional.
The mobile app got a new update which might be malware. Uninstall it ASAP.
500m+ drained already. Might be the biggest hack or rug pull ever.
Visor Finance was hacked multiple times over the last 2 days.
User funds were lost in the first incident but will be reimbursed. The rest of the pools were apparently test pools with only team funds (100k+).
Hello, one of DeFi's oldest exploits - Trusting spot price of a DEX. 🧵👇
People who aren't efficient will tell you that you can't make it without working 60 hours/week.
It's not their fault, they don't know what a determined person can achieve in 40 hours.
Don't listen to others' bullshit. Find the right balance for yourself. Everyone is different.
Goerli eth is trading for ~$0.69. Not nice.
Testnet ether is supposed to be free but is being marked up by speculators.
Keyboard warriors will tell you that the developers are buying it but no, they are not. Maybe 0.1% are buying for consumption.
Wild Credit was exploited earlier today and the hacker took 125k BNT tokens worth ~$650k. The hacker could have taken all of the 10m TVL locked in the system. The exploit happened due to a very basic issue in the smart contracts that I bet most of the followers can detect. 🧵👇
How to beat Casinos
1) Buy chips using credit card
2) cash out chips in cash
You just got free credit card points and cash withdrawal.
Super helpful when you're in a foreign country and don't want to pay ATM fees and fx charges on your debit card for cash withdrawal.
If someone does a porno to pay for their college / other bills, I have nothing but respect for them.
Shame on you if you throw dirt at someone because they hustled their way through the system rather than being born with a silver spoon.
As a brown guy who is often the youngest in the room, you wouldn't believe how many times people have underestimated me.
I've also noticed that women have it worse than me.
Mad props to all the ladies that have to put up with this shit.
Compound Incident Analysis:
Compound upgraded their comptroller contract to which had a one letter bug on L1217.
This led to a reverse rug pull in which Comptroller is giving away more rewards to (past) Suppliers than expected. 🧵👇
⚠️Spicy content ahead. Turn away if you can't handle spice⚠️
- Appchains kill composability. Not great for DeFi.
- Consensus algorithms are not bottlenecks. Swapping them won't increase throughput. Eth's consensus algo is basically "biggest numba win". Computers are good at it.
Curve is the largest Mafia in this space
- Takes bribes to protect your pools
- Has more liquidity/cash than anyone else
- Has killed off numerous competitors
- Makes the most money from wars and FUD
- Those who invest more in the mafia earn more
- For clarity, this is a joke
All TWAPs are subject to manipulation.
Devs must carefully analyze and monitor pools for which they use TWAPs.
Concentrated liquidity makes it cheaper to manipulate TWAPs. Even the most liquid stablecoin pool is manipulatable.
A community pool in Rari paid the price today 🧵👇
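To make the point about TWAP manipulation concrete, here is an added example (not from the original thread) that models a Uniswap-v2-style cumulative-price TWAP and a deviation monitor of the kind the tweet recommends. The per-block observation model, the 12-second block time, the 50-block window and the price values are all constructed assumptions for illustration.

```javascript
// Added example: cumulative-price TWAP with a deviation monitor.
// Model (assumed): each observation records the spot price that held from
// time `t` until the next observation; the last one holds indefinitely.

// Construct a 50-block history at `basePrice`, optionally replacing one
// block's price with `spikePrice` (simulates a single manipulated block).
function buildObservations(basePrice, blocks, blockTime, spikeBlock, spikePrice) {
  const obs = [];
  for (let b = 0; b < blocks; b++) {
    obs.push({ t: b * blockTime, price: b === spikeBlock ? spikePrice : basePrice });
  }
  return obs;
}

// TWAP over [windowStart, windowEnd): sum(price_i * duration_i) / window length.
function twap(observations, windowStart, windowEnd) {
  let cumulative = 0;
  for (let i = 0; i < observations.length; i++) {
    const next = i + 1 < observations.length ? observations[i + 1].t : Infinity;
    const start = Math.max(observations[i].t, windowStart);
    const end = Math.min(next, windowEnd);
    if (end > start) cumulative += observations[i].price * (end - start);
  }
  return cumulative / (windowEnd - windowStart);
}

// Monitor: relative distance between the TWAP and a reference price.
// A protocol consuming the TWAP can refuse to act when this exceeds
// `maxDeviation` (e.g. 0.05 for 5%).
function deviationExceeds(twapPrice, referencePrice, maxDeviation) {
  return Math.abs(twapPrice - referencePrice) / referencePrice > maxDeviation;
}

// Worked numbers: 50 blocks of 12s = 600s window, base price 1.00,
// one block pushed to 100.00.
const BLOCK_TIME = 12, BLOCKS = 50, WINDOW = BLOCK_TIME * BLOCKS;
const clean = buildObservations(1, BLOCKS, BLOCK_TIME, -1, 0);
const manipulated = buildObservations(1, BLOCKS, BLOCK_TIME, 25, 100);

function cleanTwap() { return twap(clean, 0, WINDOW); }               // 1.00
function manipulatedTwap() { return twap(manipulated, 0, WINDOW); }   // (588*1 + 12*100)/600 = 2.98
function shortWindowTwap() { return twap(manipulated, 0, WINDOW / 2); } // spike outside window: 1.00

console.log("clean TWAP:", cleanTwap());
console.log("TWAP with one manipulated block:", manipulatedTwap());
console.log("alert?", deviationExceeds(manipulatedTwap(), 1, 0.05));
```

The takeaway is arithmetic: one block at 100x the true price, held for 12 of 600 seconds, moves a 10-minute TWAP from 1.00 to 2.98. The window length and the cost of holding the manipulated price for a block are the only defences, which is why the pool's liquidity and observation window must be sized for the value the TWAP protects.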
An attacker stole $30m from MonoX across their ethereum and polygon deployments a few hours ago.
One of the tx:
The exploit was caused by a smart contract bug that led to incorrect price updates when doing token swaps. 🧵👇
We need better critics in the space. The recent criticisms against Polygon make no sense.
Polygon bought and built on top of existing tech rather than reinventing the wheel. Imagine thinking rebuilding the wheel every time is somehow better and smarter lmao.
Ronin network was hacked for $600m+ because the private keys of their validator were compromised.
My first thought is that the keys weren't directly compromised but the server running the validator was compromised and the keys were available in plain text on the server.
Top DeFi devs will soon be traded like football players.
Two transfer seasons, per year.
Free agents costing more in weekly wage but no transfer fee.
Buyout clauses that nobody expects to be met but then comes the next bull cycle.
Old devs retire and go work on BSC for money.
Agave and Hundred Finance were exploited today on Gnosis chain (formerly xDAI).
The underlying reason for the hack is that the official bridged tokens on Gnosis are non-standard and have a hook that calls the token receiver on every transfer. This enables reentrancy attacks.
An auditor just quoted $100k for 400 lines of code.
DM me if you wanna start a new auditing firm. We're gonna undercut these quotes and do 400 LOC for just $99k.
Solidity pro tip: Functions marked as payable are 24 GAS cheaper than their counterpart. Payable go brrrrr!
In non-payable functions, Solidity adds an extra check to ensure msg.value is zero.
It's right on the top in the list of dumbest things that Solidity does.
This was not a failure of crypto or defi. This was a failure of opaque and centralized tradfi.
Web3 and blockchains literally prevent situations like this.
The whole idea behind decentralized finance is that there's nobody like FTX in between that can misplace/misuse funds.
Hey @techleadhd, your videos were always clickbaity and shitty but at least you weren't committing a federal crime.
Your new token is a scam and a financial fraud.
Even if you don't care about others, at least think about your future. Stop and get some legal advice ASAP.
No context hot takes:
- Flat orgs don't work, there needs to be a hierarchy.
- Indecision is worse than wrong decision.
- Pudgy Penguins are the cutest PFPs.
- Teams need autonomy on their work, but should provide transparency.
- Nobody wins in a civil war.
It is and was always possible.
If a centralized company with closed source firmware tells you otherwise and you believe it, the joke's on you.
You also know that your browser wallet can be malicious and show you an innocent tx but make you sign a malicious one, right?
I have so much to say about the cream hack. Twitter threads aren't gonna cut it. Expect a blog post soon.
This was a cleanly executed attack. Fun to analyze.
*puts on tinfoil hat*: Two people involved, shared account. Attackers are DeFi devs, not traditional security folks.
gn
9 audits from top firms, yet all audits were able to find new bugs.
This proves that no audit guarantees 100% security.
Audits are super important and helpful, but everyone, please stop using them as certification.
A Lido V2 Audit Update:
Security is a top priority. To this end Lido DAO dedicated significant effort to 9 independent V2 audits.
These audits have uncovered important findings, all of which have been either acknowledged or fixed.
🧵
Jack rage quit because the rest of the Twitter leadership wants to integrate NFTs, Ethereum tipping, Tokenization, and other Ethereum goodies.
Maxis will literally quit their company rather than go to therapy.
🚨 (Twitter) PHISHING SCAM ALERT 🚨
emails can be easily spoofed as they do not have their DMARC/DKIM records set up.
Do NOT interact with any email coming from
Twitter is still using…
Belt Finance got hacked today, losses worth ~$13mm. Withdrawals have been paused to prevent further losses. The exploit happened due to an incorrect valuation of 3eps shares. This was one of the more complex hacks in recent times🧵👇
This is the start of the end of Goerli testnet. It served us well.
My faucet distributed 6 million or so Goerli eth for free. Worth around 4 million USD at current prices 🙃.
My RPC node served over 100 billion requests.
They are both non-functional now. I'll miss Goerli.
- Terraform Labs removed another $100m of UST liquidity from Curve soon after
- As UST started to depeg, an unknown actor started dumping ETH and buying UST ($100m+)
- As UST was trading below peg, they made a profit all while avoiding bad optics around dumping Ether
Oh but it is secured by ID verification!
You know what else is secured by ID verification? Mobile number porting.
Do you know how many high profile sim jacking cases happen every day? Too many.
Anything secured by "ID verification" is inherently insecure. Too easy to fake.
I feel like Balaji is most likely running a social experiment
Or he got hacked
Or he is going mad
Or he is defending a stupid liquidation price
Or something else but this week Balaji is quite different from the old Balaji.
This video portrays the past few months of Sushi quite well. Bearish sushi, sleeping in a dark time.
Can someone make a future version? Bullish sushi, being active in the daytime.
PSA: Verify the whole address rather than only first and last few characters when interacting with it.
We're seeing more and more phishing attempts where the attacker tries to impersonate a trusted address by vanity generating an address with same first few and last few chars.
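As an added example (not code from the original tweet), here is the check a wallet or dApp front-end can run before sending: the only safe test is equality of the whole address, and a secondary heuristic flags candidates that share a prefix and suffix with a trusted address but differ in the middle. The addresses below are constructed for illustration, and the check compares lowercase hex, so EIP-55 checksum casing is not validated here (that needs keccak, which Node's standard library does not provide).

```javascript
// Added example: full-address comparison plus a lookalike detector.
const HEX40 = /^0x[0-9a-fA-F]{40}$/;

function normalize(addr) {
  if (!HEX40.test(addr)) throw new Error(`not a 20-byte hex address: ${addr}`);
  return addr.toLowerCase();
}

// The only safe test: every character of the address matches.
function isExactMatch(candidate, trusted) {
  return normalize(candidate) === normalize(trusted);
}

// Heuristic: first `prefixLen` and last `suffixLen` hex chars match a
// trusted address while the middle differs. Such an address is far more
// likely to be an impersonation attempt than a coincidence.
function isLookalike(candidate, trusted, prefixLen = 4, suffixLen = 4) {
  const c = normalize(candidate).slice(2);
  const t = normalize(trusted).slice(2);
  if (c === t) return false;
  return c.slice(0, prefixLen) === t.slice(0, prefixLen) &&
         c.slice(-suffixLen) === t.slice(-suffixLen);
}

// Classify a destination against an address book of trusted addresses.
function classify(candidate, trustedList) {
  if (trustedList.some((t) => isExactMatch(candidate, t))) return "trusted";
  if (trustedList.some((t) => isLookalike(candidate, t))) return "lookalike";
  return "unknown";
}

// Constructed sample data (not real addresses).
const ADDRESS_BOOK = ["0xabcd000000000000000000000000000000001234"];
const GENUINE = "0xABCD000000000000000000000000000000001234"; // same bytes, different casing
const LOOKALIKE = "0xabcd111111111111111111111111111111111234"; // same prefix/suffix only
const UNRELATED = "0x9999000000000000000000000000000000009999";

console.log(classify(GENUINE, ADDRESS_BOOK));   // trusted
console.log(classify(LOOKALIKE, ADDRESS_BOOK)); // lookalike
console.log(classify(UNRELATED, ADDRESS_BOOK)); // unknown
```

A front-end that shows a truncated address for readability should still run the full comparison on the underlying value and refuse or warn on a "lookalike" result rather than leaving the user to eyeball the first and last four characters.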
dApps blocking OFAC sanctioned addresses on their official front-ends to fulfill regulatory requirements shows how broken the system is.
People can just use unofficial UIs, earlier versions of the UIs on IPFS, etherscan directly, and so on.
You are free to draw whatever conclusions you want from this data. You are also free to research more.
I have formed my own conclusion but do not feel confident/comfortable sharing it.
I will do live security reviews of Ethereum smart contracts and share my approach to auditing on a stream.
The live stream is scheduled to start in about 21 hours at 3.30 PM GMT on Sunday (22/08/2021)
Indexed Finance was exploited today and ~$16m of tokens were stolen from their Indices.
There's already a good post mortem published by the team -
However, let's dive a bit deeper from a technical perspective 🧵👇
Billions of dollars have been lost because projects transferred the flow of execution to an untrusted contract when all they wanted to do was to send some ether.
I'm proposing a new opcode that transfers ether without calling the recipient -