
OtterSec
@osec_io
Followers: 19K
Following: 2K
Media: 205
Statuses: 1K
Audits that protect blockchain ideas.
Joined February 2022
In light of our recent partnership with @xNFT_Backpack, we are giving away 20 invite codes to the Backpack Beta! 🎒 To enter: - Follow @xNFT_Backpack and @osec_io. - Like and retweet this tweet. 20 people will be randomly selected on October 29th @ 3PM PST! #WAO
🦦 🤝 🎒 Bag Secured. We're proud to keep @xNFT_Backpack safe with ongoing security audits. To celebrate our ongoing partnership, we’re giving away 5 @MadLadsNFT madlist. To participate simply: 🦦 Like & RT 🦦 Follow @osec_io and @xNFT_Backpack
Closed source @Solana programs used to be safe. We’ve changed that. Learn how to hack Solana programs with our open-source #BinaryNinja plugin 👇
Over $4M was drained from Solana wallets over the past 2 days. We’ve been working directly with @solana and @slope_finance to investigate. Here’s what we found.
Over the past two weeks, we’ve worked closely with @slope_finance, @phantom, and @solana to investigate the root cause of the drained wallets. Here’s what we found.
Rent Thief: 1/ An MEV bot has been stealing rent from @solendprotocol by abusing the account initialization process. This is the story of the curious rent thief ; 🧵
Credit goes to @TomGeshury for alerting us. This is an ongoing investigation, follow us @osec_io to stay up to date on the latest.
1/ In our recent audit report on @JetProtocol’s governance program, we listed 13 findings and 4 vulnerabilities. One of these vulnerabilities stands out from the others: OS-JET-ADV-01. Let’s take a deep dive into this rounding error, the implications, as well as its exploitability
.@SushiSwap's RouteProcessor2 contract was recently hacked. Let's dive into what happened. 🧵
Maintain security. Maintain transparency. 🦦🤝🏼🎒
We've made a ton of progress here, partnering with an incredible team of security researchers at @osec_io. In fact, the proofs are done, but we need to integrate them into our general system. We need to run verification from the wallet. We expect to be held to this standard.
@Crema_Finance was recently hacked for over $6M. Unlike previous attacks, this hacker used Solend flashloans to drain the pool. We’re working closely with the Crema team to help resolve this issue. In the meantime, we’ll be sharing what we know about the exploit 🧵
We present a novel framework for formally verifying Solana smart contracts — and a case study application to @SquadsProtocol. A story about bounded model checking, practical specifications, and Anchor macro internals.
@RaydiumProtocol just got hacked. It doesn't seem like a smart contract vulnerability. Here's our analysis.
Over 5,300 private keys which were not a part of the exploit were found in the Sentry instance. 2,358 of these addresses have tokens in them. If you used Slope, PLEASE MOVE YOUR FUNDS.
This affects multiple wallets - Phantom, Slope, Solflare, TrustWallet - across a wide variety of platforms. FOR USERS, please move your assets to a hardware ledger or a centralized exchange.
Calling all Move devs and security engineers 🗣️ We are holding a space with @TsunamiFinance_ and @STARSPACEio to discuss the current state of cybersecurity on Aptos and Sui! If you are developing in Move or have interest in how we operate, tune in:
🚨Announcement🚨 OtterSec has added @ArkhamIntel to our tech stack in order to track, recover, and blacklist stolen funds across all ecosystems in the event of an exploit. Their alert system and API will allow us to take action swiftly and return user funds quicker than ever.🤝
Congrats to @AptosLabs on mainnet launch! 🎉 Join @cuffyCapital, @EVNFT, and @cyber_porter in our AMA tomorrow for all community members and projects building in the space! Looking forward to hearing from everyone about #Aptos and #Move👂🏼
Head of Accounts, @cuffyCapital, presenting on the importance of Formal Verification for @StellarOrg. We are excited to make @SorobanOfficial a more secure place to develop smart contracts! #Meridian2023 #StellarSocialClub
Excited to share our work pushing for a more transparent, verifiable @Solana! Feel free to reach out if you have any questions about getting your program verified.
Are you attending the Solana Hacker house in Stockholm? Look out for our panel on August 25 (4:30 to 5:00pm) where we are joined by @goFYEO, @HalbornSecurity, and @QuickNode to discuss security and digital trust in web3!
OtterSec and Sui Foundation announce the SuiTF Challenge for Denver #SuiBuilderHouse attendees!
Excited to announce our partnership with @SuiNSdapp! We will be hosting a community AMA tomorrow to discuss the Sui Ecosystem and Security 💧🦦
We’re thrilled to have audited @PancakeSwap Infinity, resolving 2 high-impact vulnerabilities ahead of its launch! Dive into the details in our full audit report:
🐰♾PancakeSwap Infinity is NOW LIVE! (Formerly PancakeSwap v4) 🔹Multiple pool types for capital efficiency & low price impact 🔹Customize fees & Hooks for better rewards 🔹Save gas on every transaction 🫵Swap & LP on Infinity, starting with @BNBCHAIN
A member of our team spent three days arguing with a guy in german to bring you these lego otters as @osec_io merch. find @bonecondor at eth cc to be blessed with a new protection talisman that will actually fit in your suitcase.
Yo 🚨🦦 Join Episode [01] of “Otters On-Chain”, where we sit down with some of the biggest names in crypto to chat market conditions, protocol development, and security. Our first guest is @VRRBFounder, he is the creator of @VRRBLabs and will be joining
🚨Otters On-Chain: Episode 07🚨 💰Solana DeFi Edition: @DriftProtocol, @marginfi, @cypher_protocol, @jito_labs, and more💰 Drop everything you’re doing and start providing liquidity💦 July 12th at 3PM EST
Been hearing a lot about Metamask Snaps? Let's take a look at what they are, how they work, and some of the vulnerability research OtterSec has done, including a bug we found in the sandboxing layer. More technical details can be found in our blog post:
Excited to partner with @getcode on their timelock program, a novel approach to Solana transaction UX.
On Code, transactions are always instant. This is enabled through a novel on-chain program called the Timelock program. @osec_io just completed their audit of the Timelock program, found here: Next up is the Splitter program.
OtterSec is excited to announce that our audit of the restaking vaults has been completed! We’re proud to have partnered on supporting the first restaking vaults on Solana 🔥
1/ 🎨 Restaking Vaults on @Solana are now live! 🗓️ Experience the first instance of Restaking on @Solana. ⚔️ Dive into the MANTIS Games Competition. 🤝 Time to build or join a team. 🖥️ Live on
NEW blog post: Netfilter Universal Root 1-day. Our latest blog dives deep into the state of Linux kernel security and the open-source patch-gap, exploring how we monitored new bug fixes and achieved 0day-like capabilities by exploiting a 1-day vulnerability. Read more here →
Earlier this year, I used a 1day to exploit the kernelCTF VRP LTS instance. I then used the same bug to write a universal exploit that worked against up-to-date mainstream distros for approximately 2 months.
Hey crypto security researchers. will you be our valentine? We’re excited to help spread the word about the Safe Harbor Agreement, along with sending love to our security crushes @samczsun and the @_SEAL_Org ❤️
Going to Lisbon for @SolanaConf? We'd love to see you there along with some of our amazing partners :) @saydialect @SquadsProtocol @marginfi @clockwork_xyz @jito_labs
We would also like to state that LFG has not worked with us, and the report on their page is fake. If you want to find our reports, they are available here:
Warning: @lfgexchange is falsely claiming to have worked with us on an audit. The report on their page is fake. If you want to verify the authenticity of a @trailofbits report, find it on our publications repo, the authoritative source straight from us.
ICYMI: On Wednesday's spaces, we talked about how our CEO @notdeghost, in partnership with @rimeissner, @AckeeBlockchain, @HatsFinance, @chain_security, and @OpenZeppelin introduced ERC-7512 in response to the critical need for onchain access and verification of audits.
We’re proud to announce that the @mrgntrade blackbox vault is now live! Always a pleasure to work with teams that put an emphasis on security!
. @Aptos_Network just launched a novel approach to storage: Move Objects. Working closely with both Aptos projects and the Foundation, our auditors have caught dozens of bugs before they hit mainnet. Here are 3 key security tips to help you launch safely 🧵
OtterSec is proud to support the Cypher team as they embark on the next chapter of their journey!
The time is here. The IDO is around the corner. Let's dive in to how the IDO will be conducted. cypher will use a liquidity bootstrapping curve (LBC) from @ArmadaFi. Why? Dynamic Price Discovery: The LBC ensures a gradual & organic valuation. The market will find its rightful
1/ We were engaged by @port_finance to audit their fixed-rate lending program, Sundial. In our audit, we found 3 bugs that could lead to loss of funds for Port and its users. Let’s take a deep dive into OS-PRT-ADV-00, a surprisingly subtle rounding bug in the liquidation handler
Excited to partner with @solendprotocol on the new v2!
Solend V2 is rolling out in 3 phases, the first of which has completed audit with @osec_io. Phase 1 features include borrow weights, TWAP oracles, and outflow rate limits. The rollout of Phase 1 will enable the Main pool to reopen. Stay tuned for more details!
🗣️ZK-Security panel moderated by @claudijd of @jump_. Accompanied by Founder @NotDeGhost, @mpfzajac, and @evanashapiro with @MinaProtocol, all on one stage at @thepit. 🦦🕳️