Adri (@adrianromero)

Followers: 1K · Following: 1K · Media: 37 · Statuses: 794

independent security researcher | resident auditor @electisec (prev @yAuditDAO) | top warden @code4rena

Joined April 2009
@adrianromero
Adri
8 days
Funds were successfully rescued, the issue has been patched and contracts are now secure. Special thanks to @cove_fi, @1inch, @seal_911 and @devops199fan in particular for their exemplary professionalism throughout this entire process.
0
1
10
@adrianromero
Adri
8 days
The response was incredible. Shortly after reported, a warroom was assembled with top security researchers. Suddenly I went from solo bug hunting to running whitehat ops with people I admire. A surreal and amazing experience.
1
0
6
@adrianromero
Adri
8 days
This wasn't just theoretical - it was an unconditioned and fully executable attack that could have been performed atomically to drain all rewards. While the COVE token is currently locked, this attack could have disrupted its future launch or forced a complete token replacement.
1
0
4
@adrianromero
Adri
8 days
Here's the attack flow:
1) Attacker registers malicious hook + target hook.
2) Calls removeAllPlugins().
3) During execution, malicious hook reenters to call removePlugin().
4) This causes double-removal, breaking accounting and minting rewards from thin air.
1
0
5
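As an added illustration (not the author's code and not the 1inch token-hooks contracts), here is a hypothetical plugin registry in Solidity that contrasts the reentrant shape described in the thread with a guarded, state-first bulk removal. The names IPlugin, PluginRegistry, updateBalances and the tracked balanceOf mapping are assumptions for the sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical hook interface (assumption, not the 1inch token-hooks ABI):
// the registry tells each plugin when its owner's tracked balance changes.
interface IPlugin {
    function updateBalances(address from, address to, uint256 amount) external;
}

contract PluginRegistry {
    mapping(address => address[]) internal _plugins;           // account => hooks
    mapping(address => mapping(address => bool)) public has;   // account => hook => set
    mapping(address => uint256) public balanceOf;              // stand-in tracked balance
    bool private _entered;
    modifier nonReentrant() {
        require(!_entered, "reentrant call");
        _entered = true;
        _;
        _entered = false;
    }
    function addPlugin(address plugin) external nonReentrant {
        require(!has[msg.sender][plugin], "already added");
        has[msg.sender][plugin] = true;
        _plugins[msg.sender].push(plugin);
    }
    // Single removal: clear storage first, then notify the hook exactly once.
    function removePlugin(address plugin) external nonReentrant {
        require(has[msg.sender][plugin], "not registered");
        has[msg.sender][plugin] = false;
        address[] storage list = _plugins[msg.sender];
        for (uint256 i = 0; i < list.length; i++) {
            if (list[i] == plugin) { list[i] = list[list.length - 1]; list.pop(); break; }
        }
        IPlugin(plugin).updateBalances(msg.sender, address(0), balanceOf[msg.sender]);
    }
    // Bulk removal. The vulnerable shape is "notify hooks while the list is still in
    // storage": a hook can reenter removePlugin() for an entry the loop has not reached,
    // so that entry is notified twice with the same cached balance and its accounting
    // drifts. Here all entries are cleared before the first external call, and
    // nonReentrant rejects the reentry outright (a reentering removePlugin would also
    // fail its "not registered" check).
    function removeAllPlugins() external nonReentrant {
        address[] memory items = _plugins[msg.sender];
        uint256 cached = balanceOf[msg.sender];
        delete _plugins[msg.sender];
        for (uint256 i = 0; i < items.length; i++) has[msg.sender][items[i]] = false;
        for (uint256 i = 0; i < items.length; i++) {
            IPlugin(items[i]).updateBalances(msg.sender, address(0), cached);
        }
    }
}
```

A hook that reverts can still abort the whole call in this sketch, so a production design would additionally bound callback gas and tolerate a failing hook.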
@adrianromero
Adri
8 days
In particular, @cove_fi used the FarmingPlugin contract to distribute incentives for their new CoveUSD protocol. The implementation of farmed() uses an integer type to offset the user's rewards. By shifting this negatively it would be possible to fake an invalid distribution.
1
0
5
@adrianromero
Adri
8 days
This issue would allow an attacker to register a malicious hook alongside the target hook and, depending on the particular implementation, execute the attack while the bad hook is being called in removeAllPlugins().
2
0
4
@adrianromero
Adri
8 days
Note how the balance variable is stored locally in line 135 and then hooks are iterated to notify the change using this cached value.
1
0
7
@adrianromero
Adri
8 days
Hooks are permissionless and can be freely configured by end users. While there were some guards in place to protect against potential malicious hooks, removeAllPlugins() had a reentrancy vector that could allow an attacker to gain control while state is being modified.
1
0
5
@adrianromero
Adri
8 days
This design provides a generic solution to different use cases that depend on token balances, such as rewards (farming plugin) or governance voting (delegation plugin).
1
0
5
@adrianromero
Adri
8 days
The token-hooks contracts developed by @1inch are in essence an ERC20 implementation that notifies hooks on balance changes.
@1inch
1inch
8 days
Security researcher @adrianromero recently found a potential security issue in 1inch smart contract code deployed by @cove_fi. The affected version was never deployed within 1inch’s own infrastructure. Patching began immediately & is now complete. No user funds were ever at.
1
0
5
@adrianromero
Adri
8 days
A critical vulnerability I found in code forked from @1inch could have drained ~650k COVE tokens from @cove_fi contracts. Here's how the attack worked and how it was responsibly disclosed 🧵.
@cove_fi
Cove
9 days
On June 12, 2025, a critical reentrancy vulnerability was identified by @adrianromero @yAuditDAO @electisec in Cove’s liquidity mining program and promptly neutralized. No user funds were lost, and 652,565 non-transferable COVE tokens were secured as a precaution. The.
9
18
195
@adrianromero
Adri
9 days
RT @cove_fi: On June 12, 2025, a critical reentrancy vulnerability was identified by @adrianromero @yAuditDAO @electisec in Cove’s liquidit….
0
8
0
@adrianromero
Adri
25 days
If you think finding an issue in a bug bounty is hard, trust me, getting a fair payment for it is much more difficult.
2
1
30
@adrianromero
Adri
1 month
RT @electisec: New security report is out! 🥷 You think @OlympusDAO is cool? Well, it got cooler 😎 We reviewed Olympus Cooler V2, a lendin….
0
2
0
@adrianromero
Adri
1 month
RT @electisec: Just dropped a new report 📝 This one covers @origami_fi's hOHM, a cross-chain solution built on top of @OlympusDAO’s Cooler….
0
5
0
@adrianromero
Adri
2 months
RT @twynexyz: Audits are necessary, but not all are equal. Twyne got audited by @electisec (prev. yAudit). The only team to find critical i….
0
4
0
@adrianromero
Adri
2 months
RT @electisec: ⚡ Electisec has shaped many security gigabrains… but we're not done! We're soon kicking off our Smart Contract fellowship to….
0
17
0
@adrianromero
Adri
2 months
RT @electisec: New audit report is live! 🔍 We've been securing @vfat_io since 2023, and we're excited to continue this partnership. Bugs….
0
5
0
@adrianromero
Adri
2 months
RT @electisec: ⚠️ Attention @Uniswap V4 Integratoors ⚠️ Creating and managing liquidity positions that involve native ETH on Uni V4? Read….
0
32
0
@adrianromero
Adri
2 months
I'm a match with @0xteddav on Co-Match!!! ❤️ Private dating made possible thanks to Noir and coSNARKs 🪄🥳 Thanks @TACEO_IO @NoirLang @0xteddav
0
1
10