Juno | ChainLight

@junorouse

@chainlight_io intern, team lead. Building an essential risk management platform for Web3.

Seoul
Joined April 2019
@junorouse
Juno | ChainLight
3 years
gg.
@theori_io
Theori
3 years
This effectively makes # of unsolved challenges to be 0 for The Duck :) It was a fun weekend activity that allowed Theori researchers to show off their deep knowledge and strong skills in Web3 security. Thanks to @paradigm_ctf for hosting the CTF!
@junorouse
Juno | ChainLight
2 months
Go go go go.
@AbstractChain
Abstract
2 months
The ultimate K-pop experience is coming to Abstract. Abstract is partnering with @triplescosmos, the winner of Best New Female Artist at the MAMA Awards, to bring the K-pop experience on-chain. More information below.
@junorouse
Juno | ChainLight
3 months
RT @theori_io: 🚨 19 critical flaws found in South Korea’s mandatory financial security software. Research by Theori, KAIST, and partners re….
@junorouse
Juno | ChainLight
4 months
RT @theori_io: 🤝 New partnership: Theori x @okta. We’re bringing red-team firepower + automated pentesting as Okta’….
@junorouse
Juno | ChainLight
5 months
RT @ChainLight_io: Thank you for reading. To stay up-to-date with the latest report and research from our award-winning security researche….
@junorouse
Juno | ChainLight
5 months
RT @LindellYehuda: I am excited to announce that @Coinbase has just released its MPC engine as open source The lib….
github.com
Coinbase MPC Library. Contribute to coinbase/cb-mpc development by creating an account on GitHub.
@junorouse
Juno | ChainLight
6 months
1. Had spent a day for Pectra cantina this weekend. 2. Reported false positive as (A) I didn’t spend much time to read C# code w/o IDE, (B) it was really impossible to make PoC because every e2e testing guide does not work with multiple EL clients (found a silly bug on their.
@junorouse
Juno | ChainLight
6 months
Btw the cantina character looks like the creeper of Mickey 17’s so cute.
@_hrkrshnn
Hari
6 months
Cantina will have the highest quality security findings in the world. We're using LLMs to give security researchers early feedback on their findings and helpful hints on what they may be missing.
@junorouse
Juno | ChainLight
6 months
what’s happening 🤖
@junorouse
Juno | ChainLight
6 months
RT @SiwonHuh: @Bybit_Official "only" losing $1.4B returns to be an optimistic outcome for crypto. This attack could have nearly erased the….
@junorouse
Juno | ChainLight
6 months
@benbybit
Ben Zhou
6 months
Bybit Hack Forensics Report. As promised, here are the preliminary reports of the hack conducted by @sygnia_labs and @Verichains. Screenshotted the conclusion and here is the link to the full report:
@junorouse
Juno | ChainLight
6 months
It's a little bit far from the root cause of the @Bybit_Official hack, but yeah @safe was exploited 😇 see?
@junorouse
Juno | ChainLight
7 months
One hypothesis that blew my mind regarding the recent @Bybit_Official hack: The hacker may have created a malicious proposal within @safe backend (somehow a bug on the SAFE side, or they hacked one of the signers), and FE failed to show the correct info about it.
@junorouse
Juno | ChainLight
6 months
Abstract LFG.
@ChainLight_io
ChainLight
6 months
5️⃣ @cardex_space Users Lose $400K. • We at ChainLight assisted in identifying the signer key exposure and facilitated further actions. • While it is not the vulnerability of AGW itself, Abstract team promised the integration of Blockaid's tx simulating tool to AGW. (7/10)
@junorouse
Juno | ChainLight
6 months
RT @ChainLight_io: Which rug pulls, exploits, and security breaches happened this week? Read this 2-minute weekly summary to stay in the l….
@junorouse
Juno | ChainLight
7 months
anyway, if it is not a bug on the safe's backend, I can say one of the signers was hacked :( it will be a hard time to do an IR of the whole system to find out any backdoors.
@junorouse
Juno | ChainLight
7 months
I tested some scenarios, but safe validates when proposing the tx:
- it requires the sig of at least one of the signers
- if I remove the signature field, the server returns ok, but it doesn't put it in the queue
- **it shows the warning if the tx works with the delegatecall**
@junorouse
Juno | ChainLight
7 months
One hypothesis that blew my mind regarding the recent @Bybit_Official hack: The hacker may have created a malicious proposal within @safe backend (somehow a bug on the SAFE side, or they hacked one of the signers), and FE failed to show the correct info about it.
@junorouse
Juno | ChainLight
7 months
RT @0xCygaar:
@junorouse
Juno | ChainLight
7 months
because Kaia, previously known as Klaytn, has contract code on the 0x0 address, which returns the team image. cast code --rpc-url 0x0000000000000000000000000000000000000000 > /tmp/out && ls -al /tmp/out
@junorouse
Juno | ChainLight
7 months
I sometimes found an ownership check/signature verification bypass when their validator module is not set, such as: require(module.check(msg.sender), "not authorized"); I always recommend them adding an extra initialization check as a defense-in-depth perspective,
@junorouse
Juno | ChainLight
7 months
Quite interesting exploit method to bypass the signature verification and the return value validations.
@ChainLight_io
ChainLight
7 months
2️⃣ @odosprotocol Loses $50K. • A flawed verification mechanism for user signatures resulted in an arbitrary call vulnerability. • The exploiter used a precompile (0x4) to bypass the signature verification. • The team mentioned that the victim contract had been audited. (4/5)