Binance Square

QuillAudits


Week 76: Current Situation of RIP-7212, Avail Launches Avail Foundation, $MATIC to $POL Migration...

GM! Buidlers

In this latest issue of HashingBits, we're diving deep into Ethereum's Core Developers meetings, covering all the major updates in the Ethereum ecosystem. But that's not all: we'll explore the latest happenings in the Polygon, Starknet & Avalanche ecosystems, along with advancements in the AI & Web3 space. For developers, we're highlighting new tools designed to assist smart contract developers and auditors. And, of course, we'll delve into the headlines about the $235M WazirX multisig wallet hack and LiFi Protocol’s $9.7M loss to a smart contract vulnerability.

EtherScope: Core Developments 👨‍💻

All Core Devs - Execution (ACDE) call #192 Recap

Brief History and Current Situation of RIP-7212: review async & decide on inclusion (soon)

Verkle implementers call #21: proposal to reduce witness size, updates to EIP6800 & EIP2935 and cost of code chunking

Better geographic diversity is optimal, particularly outside of North America & Europe

Blocknative: data viz of self-built blocks, unintentionally increase base fee volatility

EIP7732 ePBS breakout #5: short call, proposer IP leaks requesting headers from builder and consensus spec tests fixes in progress

Nethermind EVMYulLean: EVM + Yul specification, executable, in Lean

Layer1 & Layer2

DefiLlama: narrative tracker features longer lookbacks

Based preconfs is now live on testnet Helder

Shutterized Gnosis Chain is live

Chromia MVP Mainnet is live

Announcing the Nexus 2.0 zkVM

Simple DVT Update: SSV Goes To Mainnet

TPRO Chain, a new Virtual Chain launches on Aurora

Viction DA testnet is live

ApeChain testnet Curtis launches

Announcing the release of Ceramic-One

Covalent native token migration successful

Blockscan Multichain Explorer (Beta) is here

Tangem launches new cold wallet ring

Introducing Gwyneth — a based rollup synchronously composable with Ethereum

Introducing Polynomial Chain

Introducing Henez - OmniDeFi Liquidity layer

NEAR House of Stake Governance Proposal

Shape testnet is live

LYNC is building a Movement L2

LI.FI compensation scheme

Season 2 ETH.FI claims are live

Curve PegKeeper Assets Regulatory Brief

A Note On Securely Finding Minimum Mean Cycle

Return of the Delegation Voucher

The Fat Bera Thesis

Chainalysis Operation Spincaster

Scroll delayed finalization to investigate potential ecosystem incident, confirmed Rho Markets was application specific

L2BEAT Badges: visual display of L2 features

Announcing the Avail Foundation

ERCs

ERC7743: Multi-owner non-fungible tokens (MO-NFT)

ERC7744: Code index (index contract bytecode)

ERC7746: Composable security middleware hooks

EIPs

EIP7745: Two dimensional log filter data structure

EIP.tools adds RIPs (rollup improvement proposals)

EcoExpansions: Beyond Ethereum 🚀

Polygon

Aggregation Summit is here

Deep dive into Polygon Plonky3

What do Polygon PoS transactions look like if we strip them to app-action transactions?

Weekly Gaming Roundup on Polygon

Polygon sets September 4th date for migration to POL

Starknet

Take a look at Starknet’s Roadmap

All reasons why you should build on Starknet

Starknet Wallet<>Dapp API is getting a major update with Starknet-js V6!

Layerswap x Starknet $STRK Rewards Program is here

Arbitrum

Avalanche’s ACP-77 Reawakening? Everything you need to know about ACP-77

Avalanche Interchain Token Transfer Explained

Get started with Avalanche ICTT Starter Kit

DevToolkit: Essentials & Innovations 🛠️

rindexer - open-source, fast EVM indexing tool in Rust

spice - python client for extracting data from the Dune Analytics API

Lodestar v1.20.2: patch for publishing blinded blocks using Lodestar beacon node & Lighthouse/Nimbus validator client with MEV-Boost

Reth v1.0.3: fix for Base mainnet & async Backfill stream

Rindexer, EVM indexing tool in Rust, beta

Echidna v2.2.4: improves fuzzing speed & user experience, adds support for transient opcodes

Audit Wizard adds Cyfrin Aderyn (Solidity static analyzer)

Damn Vulnerable DeFi v4: migrated to Foundry, new challenges: curvy puppet, shards, withdrawal & rewarder

Hackathons, Workshops & Events

Arthur Hayes’ Maelstrom announces Bitcoin grant program of up to $250K per developer

Scroll bounty winners ETHGlobal Hackathon

ETHGlobal Hackathon Uniswap Bounty winners

Hyperlane bounty winners ETHGlobal Brussels

Superhack on the Superchain hackathon

Explore the Depths of Knowledge: Research Papers, Blogs and Tweets🔖

Twitter

Nexus 2.0 zkVM is here

Nic's Stablecoin Syllabus

The Risks and Rewards of (re)staking

How many Web3 users are real

Don't Build an Onchain Game

ELI5 - L3s

IoTeX has released its 2.0 whitepaper

Horizontal Scaling with ZKThreads

The Sink L2 whitepaper thread

Are Rollups Overvalued or Undervalued? An Analysis of Rollup’s Revenue and Cost Structure

A major update to FRI-Binius yields better batching, faster recursion, and smaller proofs

The Economics of L3s

ERC-7739: Readable Typed Signatures for Smart Accounts

Ethereum’s Scalability Crisis: The Execution Layer

A Deep Dive into DeAI Protocol

Deep Dive into Move Smart Contracts

Simple Explanation of EigenDa

Articles

Solidity via-IR compilation pipeline explainer: translates Solidity into Yul (intermediate representation) for optimization rather than direct to bytecode, plan to make default with EOF

Solidity hidden overflow: math expression types cast to highest type used by variables

Solady (Solidity snippets): adds ERC1967 minimal proxies with immutable args, auto verified on Etherscan

Z0r0z sstore3, read/write contract storage using balance & address, license: AGPL v3

Reth Execution Extension (ExEx) examples

OpenAI Scale Ranks Progress Toward ‘Human-Level’ Problem Solving

Research Papers

Anders Elowsson: sealed execution auction, Vickrey slot auction of execution proposal rights, attesters supervise commit/reveal scheme facilitated by builders & beacon proposer

Multi-round MEV-Boost: mitigate negatives of based preconfs & retain benefits of based rollups

Private Heterogeneous Federated Learning Without a Trusted Server Revisited: Error-Optimal and Communication-Efficient Algorithms for Convex Losses

FBChain: A Blockchain-based Federated Learning Model with Efficiency and Secure Communication

Black-Box Opinion Manipulation Attacks to Retrieval-Augmented Generation of Large Language Models

Watch 🎥

Web3 Security Watch 🛡️

Articles

Same Mistake Twice? Decoding LiFi Protocol’s $9.7M Exploit: Post Mortem Report

Another Lazarus Group Attack? Decoding WazirX Multisig Wallet’s $235M Exploit: Post Mortem Report

Minterest $1.4M exploit on Mantle L2 via reentrancy

Security Alliance (SEAL): incident response to Squarespace domain compromise

The $230 million crypto theft at WazirX a wake-up call for Indian regulators, government

WazirX Files Police Complaint After $230M Hack, Engages With India's Cyber Crimes Unit

Research Papers

Identifying Smart Contract Security Issues in Code Snippets from Stack Overflow

Detect Llama -- Finding Vulnerabilities in Smart Contracts using Large Language Models

Improving the Accuracy of Transaction-Based Ponzi Detection on Ethereum

The Feasibility of a Smart Contract "Kill Switch"

Twitter

A comprehensive analysis of how the WazirX exploit happened

WazirX: PSA on hack

Chain analysis of $230M+ WazirX hack, likely Lazarus linked - ZachXBT

Blood bath in WazirX exchange due to the fact there is no Buy Side liquidity currently

Mudit Gupta’s analysis of the WazirX exploit

ZachXBT analysis & fund tracing after the WazirX exploit

Hacks and Scams 🚨

WazirX

Loss ~ $235M

WazirX’s multisig wallet, managed with Liminal, was exploited, losing $235M out of $451M on-chain assets.

The multisig wallet had 6 signatories: 5 from WazirX and 1 from Liminal.

Attackers compromised 3 WazirX and 1 Liminal signatory using phishing.

They directly compromised 2 WazirX signatories and used a fake Liminal UI to trick the others into signing malicious transactions.

Attackers upgraded the multisig wallet to a malicious contract, continuously transferring funds.

ZachXBT traced transactions to Tornado Cash, found test transactions, and linked Bitcoin deposits to the hack.

WazirX blamed Liminal’s system, suspecting payload replacement during transaction verification.

Liminal stated the breach involved a wallet created outside their platform.

Read the Post mortem report to know more details about the whole exploit.

Li.Fi Protocol

Loss - $9.7M

The LiFi team deployed the GasZipFacet contract five days prior to the attack to enable gas refueling for bridging transactions.

The attacker exploited an arbitrary call vulnerability via depositToGasZipERC20() in the GasZipFacet contract, allowing unauthorized transactions.

Users with infinite approvals for specific LiFi contract addresses were targeted, enabling the attacker to perform unauthorized transferFrom operations.

The attacker crafted arbitrary transaction calls to execute unauthorized transfers instead of legitimate asset swaps. This drained significant amounts of USDT, USDC, and DAI from the users who had given infinite approval to the LiFi Diamond contract.

Stolen funds were converted into approximately 2,857 ETH using platforms like Uniswap and Hop Protocol, then dispersed across multiple wallets.

Tornado Cash was used to obscure the origins of the stolen funds, making it challenging to trace their final destination.

Exploited Tokens: The primary tokens the attacker got away with include:

6,335,889 USDT

3,191,914 USDC

169,533 DAI

Read the Post Mortem report to know more about the exploit.
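An added example, not from the post or from LiFi's code: a Python check of the kind a router or a monitoring job could run on each (target, calldata) pair before it is forwarded, rejecting targets outside an allowlist and calldata whose selector is an ERC-20 transferFrom, transfer or approve. The addresses, the allowlist and the placeholder swap selector are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# 4-byte selectors of the ERC-20 functions that move or authorise funds.
ERC20_SELECTORS = {
    bytes.fromhex("23b872dd"): "transferFrom(address,address,uint256)",
    bytes.fromhex("a9059cbb"): "transfer(address,uint256)",
    bytes.fromhex("095ea7b3"): "approve(address,uint256)",
}


@dataclass
class Verdict:
    allowed: bool
    reasons: List[str] = field(default_factory=list)
    token_owner: Optional[str] = None  # `from` argument of a transferFrom call
    amount: Optional[int] = None       # amount argument of a transferFrom call


def word_to_address(word: bytes) -> str:
    """Return the address stored in a 32-byte ABI word (its low 20 bytes)."""
    return "0x" + word[12:].hex()


def address_to_word(addr: str) -> bytes:
    """Left-pad a 20-byte hex address to a 32-byte ABI word."""
    return bytes.fromhex(addr[2:]).rjust(32, b"\x00")


def check_forwarded_call(target: str, calldata: bytes,
                         allowed_targets: Set[str]) -> Verdict:
    """Decide whether a user-supplied (target, calldata) pair may be forwarded.

    Assumed policy: the target must be an allowlisted swap venue, and the
    calldata must not be a raw ERC-20 call, because a contract that holds user
    approvals would execute that call with its own address as the spender.
    """
    reasons: List[str] = []
    owner: Optional[str] = None
    amount: Optional[int] = None

    if target.lower() not in {a.lower() for a in allowed_targets}:
        reasons.append("target is not an allowlisted swap venue")

    if len(calldata) < 4:
        reasons.append("calldata shorter than a 4-byte selector")
        return Verdict(False, reasons)

    name = ERC20_SELECTORS.get(calldata[:4])
    if name:
        reasons.append(f"selector is ERC-20 {name}")
        # For transferFrom, report whose allowance would be spent and how much.
        if name.startswith("transferFrom") and len(calldata) >= 4 + 96:
            args = calldata[4:]
            owner = word_to_address(args[0:32])
            amount = int.from_bytes(args[64:96], "big")

    return Verdict(not reasons, reasons, owner, amount)


# Constructed sample data (not taken from any real transaction).
TOKEN = "0x" + "aa" * 20       # stands in for a token contract
DEX = "0x" + "bb" * 20         # stands in for an allowlisted swap venue
OWNER = "0x" + "11" * 20       # user who approved the router
RECIPIENT = "0x" + "22" * 20   # destination named in the calldata

SAMPLE_TRANSFER_FROM = (
    bytes.fromhex("23b872dd")
    + address_to_word(OWNER)
    + address_to_word(RECIPIENT)
    + (5_000_000).to_bytes(32, "big")
)
# Placeholder selector standing in for a venue's swap function.
SAMPLE_SWAP = bytes.fromhex("12345678") + (1).to_bytes(32, "big")

if __name__ == "__main__":
    for label, tgt, data in [
        ("token call", TOKEN, SAMPLE_TRANSFER_FROM),
        ("swap call", DEX, SAMPLE_SWAP),
    ]:
        v = check_forwarded_call(tgt, data, {DEX})
        print(label, "allowed" if v.allowed else "rejected", v.reasons,
              v.token_owner, v.amount)
```

The same decoding works after the fact on transaction traces: any forwarded call where `token_owner` is not the transaction sender deserves a look.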

Community Spotlight

https://x.com/quillaudits_ai/status/1812741356387016828

https://x.com/quillaudits_ai/status/1813845595788120405

https://x.com/quillaudits_ai/status/1813944615613219277

https://x.com/icphub_VN/status/1813873185127031109

https://x.com/quillaudits_ai/status/1814607085612483046

HashingBits Week 75: Vitalik's Keynote at EthCC, Optimism’s Superfest, Worldcoin’s L2 Chain, Stor...

GM! Buidlers

In this latest issue of HashingBits, we're diving deep into Ethereum's Core Developers meetings, covering all the major updates in the Ethereum ecosystem. But that's not all: we'll explore the latest happenings in the Polygon, Arbitrum and Optimism ecosystems, along with recent events at EthCC and advancements in the AI & Web3 space. For developers, we're highlighting new tools designed to assist smart contract developers and auditors. And, of course, we'll delve into the headlines about the $8M Bittensor wallet hack and Dough Finance's $1.94M loss in flash loan attacks.

Week 74: Vitalik Talks Faster Tx Confirmations, zkSync's Elastic Chain, QuillAudit Announces $1.4 Billion Loss...

Sponsored by QuillAudits

GM! Buidlers

In this latest issue of HashingBits, we're diving deep into Ethereum's Core Developers meetings, covering all the major updates in the Ethereum ecosystem. But that's not all: we'll explore the latest happenings in the Sui, Aptos, Solana and zkSync ecosystems, along with recent advancements in the AI & Web3 space. For develop…

Week 71 - Vitalik’s Proposal, zkSync's $ZK, Solana's Smart Wallet, Polygon's 1B POL Grants & $23....GM! Buidlers In this latest HashingBits issue, we're diving deep into Ethereum's All Core Developers Consensus Call #135, covering all the major updates in the Ethereum ecosystem. But that's not all, we will dive into what's happening in zkSync, Polygon, and Solana ecosystems, along with recent advancements in the AI & Web3 space. For developers, we're highlighting new updates in tools designed to assist Smart contract developers and auditors. And of course, we're also digging into the headlines about UwU Lend's whopping $23.1M exploit and Loopring's recent $5M loss due to vulnerabilities in Guardian 2FA. EtherScope: Core Developments 👨‍💻 Summary of All core devs - consensus Call(ACDC)#135 Naming F-starname Upgrade: Discussions for Post-Electra upgrade. Updates on PeerDAS breakout #1 Lido Finance introduces Restaking for $stETH. MetaMask launches pooled staking for Ethereum, excluding US and UK users. Twiga for the coming Electra upgrade is here! Devcon tickets & tracks: Ticketing types, timelines & tracks are live! Uniswap Labs acquired Crypto: The Game (onchain Survivor) SEC Chair Gensler expects spot ETH ETFs S-1s to be approved over US summer. Over 27% of the ETH supply is now staked, up from 24% in January. **Ethereum Transactions Over Radio? How does that work?** Layer1 & Layer2 Stable Coin $wcgUSD is now live on Linea! Update on the TVL of Layer 2 Ethereum Scaling Solutions. Huge Liquidation causes 25% drop in CRV Blobs, Reorgs, and MEV-Boost: Analyzing Ethereum's Latency and Security Dynamics Vitalik proposes a New Approach to Layer 1 Transactions. Preconfirmation designs compatibility with proposed ePBS Proposal to use torrents for distributing pre-merge data (EIP4444 history expiry) OP Stack Permissionless Fault Proofs live on OP mainnet, now a stage 1 L2 (limited training wheels)! 
A look into the RIP 7212 Deployment status on Layer 2 chains Based preconfs are now live on devnet! ERCs **ERC-7720:** Deferred Token Transfer ERC838 (resurrected): ABI specification for REVERT reason string ERC7721: Lockable extension for ERC1155 ERC7722: Opaque token EIPs Meta EIP7723: Network upgrade inclusion stages RIPs RIP7724 (clone of EIP7667 for zk rollups): Raise gas costs of hash functions EcoExpansions: Beyond Ethereum 🚀 zkSync zkSync introduced the $ZK token. Check your airdrop eligibility. ZK Nation was introduced. zkSync’s mainnet deployment of v24 is now complete! Deep Dive Analysis: Allocation of ZK Tokens to 13,000 Wallets with 0 tx in zkSync. A look into ZK Tokenomics Matter Labs (zkSync) is dropping all trademark applications for the ZK term! zkSync is now live on Uniswap! Polygon Polygon Creates New Grants Program**, 1B POL Unlocked Over 10 Years** for Buidlers! Agglayer-rs repository is now open-sourced. Toposware, along with Polygon, is building a type 1 zkEVM prover. Introducing - Polygon Governance Hub! Have a look into Polygon’s DeFi Roundup! Solana Solana’s first Smart Wallet is here! **Circle’s Programmable Wallets now supports** @solana! Solana-Based Startup TipLink Launches Wallet Adapter. **Phantom acquires Bitski to accelerate crypto adoption.** Solana Pay is now on Shopify! SolanaFM’s Explorer 2.0.0 is here. Solana got an update: v1.18 is here! Rise In and WBA Launch Developer Education Program to Train New Solana Developers IslandDAO presents Koh Solana (Sep 25th - Oct 25th) DevToolkit: Essentials & Innovations 🛠️ Etherscan now features a Card for Tokens to display security risks! Remix v0.50.0 is here: Pin plugins and use ZK-ethers in JS/TS scripts! RustRover is out now! Quicknode launched a Builder’s guide. Here are some Tips to rewrite EVM contracts to support Solana. Lighthouse v5.2.0 is here: adds in-memory tree-states, optimized epoch & block processing and execution client version in graffiti. 
Besu got an update: v24.6.0: Java v21 now minimum version and historic trie log data removed by default. Foundry show-progress flag is here: live progress of fuzz & invariant tests Take a look at the EF JavaScript team roadmap PBS Snapshot is here : Create MEV data snapshots Hello World EigenLayer AVS is now also available in Rust! Explore the Depths of Knowledge: Research Papers, Blogs and Tweets🔖 Twitter Vitalik suggests which narratives to focus on Ripple introduces the XRPL EVM Sidechain & Ripple USD (RLUSD) Zapper announces Zapper Protocol : Powered by $ZAP How has EIP-4844 impacted L2 costs? Helius CEO talks about Hivemapper! The ULTIMATE Solana Reading List! A Deep Dive into DePIN Articles Quantifying code complexity: CK, Martin & Halstead metrics using Slither printers Guide to create a simple Solidity linter using Slang (Nomic Foundation’s compiler APIs) Crypto and AI: A $20 Trillion Megatrend? ERC-7201 Storage Namespaces Explained Ethena: Delving into the Mechanics and Risks of USDe Blob Adoption and Utilization - Insights from the first 85 days **Forced Transactions vs Based Sequencing:** Whats it all about? How does Everclear : The First Clearing Layer work? How Crypto is Shaping the Future of Online Shopping! Open Access Supercomputing Foundation announces the tokenomics of AO, the decentralized supercomputer! The Restaking Wars: Eigenlayer vs Symbiotic Research Papers **Should my Blockchain Learn to Drive? A Study of Hyperledger Fabric.** Demystifying the Characteristics for Smart Contract Upgrades Blockchain Integrated Federated Learning in Edge-Fog-Cloud Systems for IoT based Healthcare Applications: A Survey **Optimizing Exit Queues for Proof-of-Stake Blockchains:** A Mechanism Design Approach SAMM: Sharded Automated Market Makers Watch🎥 Web3 Security Watch 🛡️ Articles A Deep dive into Security Tips & Devices for Digital Nomads. 
Identifying Red Flags in Smart Contracts: A Guide to Spot Security Risks in Solidity Smart Contracts Nirvana Finance co-founder recounts the ‘worst day’ of his life. A Guide on how to recover Funds with HackedWalletRecovery Tool **Awesome On-Chain Investigations HandBook 2.0: A MUST Read!** Research Papers Benchmarking of Jailbreak Attacks on LLMs Security of AI Agents Scalable UTXO Smart Contracts via Fine-Grained Distributed State Twitter Root cause analysis of UwU Lend : A Deep Dive Yolo Games exploited for $1.5M Ronkathon - rust implementation of a collection of cryptographic primitives Hacks and Scams 🚨 UwU Lend Loss ~ $23.1M UwU Lend, launched by Frog Nation's former CFO Sifu, was hacked for $23.1M via Price manipulation. The first attack on June 10, 2024, resulted in a $19.4M loss; the second attack within two days caused a $3.7M loss. The attacker used three transactions to convert stolen $WBTC and $DAI into $ETH, funded by Tornado Cash. UwU Lend paused the protocol for investigation an hour after acknowledging the exploit. Despite a recent security audit from Peckshield, the hack exposed a price discrepancy in UwU Lend's oracles. The attacker used a flash loan to manipulate the price feed, exploiting the difference between sUSDe borrowing and liquidation rates. Curve founder Michael Egorov lost over 23.5M CRV ($9.85M) deposited into UwU Lend. The attacker deposited tokens into Curve’s Llama Lend and borrowed over 8M crvUSD ($8.11M). LlamaLend's CRV market lenders hard-liquidated the hacker's position. UwU Lend offered a $5M bounty to catch the exploiter. Find more details about the exploit - here Loopring Loss ~$5M Loopring, a ZK-rollup based protocol on Ethereum, revealed a hack compromising its two-factor authentication Guardian wallet recovery service on June 9, 2024 Approximately $5 million was drained from wallets protected by Loopring’s Guardian service. 
The Guardian service allows users to name trusted wallets for security tasks, like locking or restoring a compromised wallet. The hacker bypassed Loopring's Official Guardian service, initiating recoveries on wallets with a single guardian without user consent. According to Loopring, wallets with multiple guardians or third-party guardians remained secure, as transactions require more than half of the guardians. Loopring disclosed two wallet addresses involved in the breach, with one wallet draining about $5 million from affected accounts. The protocol is collaborating with Mist security experts to understand the 2FA service compromise and has suspended Guardian-related operations temporarily. Loopring stated that after suspending these operations, the breach was contained. The protocol is working with law enforcement to track the hacker. Community Spotlight #NYCTechWeek is an absolute whirlwind of innovation!

Week 71 - Vitalik’s Proposal, zkSync's $ZK, Solana's Smart Wallet, Polygon's 1B POL Grants & $23....

GM! Buidlers

In this latest HashingBits issue, we're diving deep into Ethereum's All Core Developers Consensus Call #135, covering all the major updates in the Ethereum ecosystem. But that's not all, we will dive into what's happening in zkSync, Polygon, and Solana ecosystems, along with recent advancements in the AI & Web3 space. For developers, we're highlighting new updates in tools designed to assist Smart contract developers and auditors. And of course, we're also digging into the headlines about UwU Lend's whopping $23.1M exploit and Loopring's recent $5M loss due to vulnerabilities in Guardian 2FA.

EtherScope: Core Developments 👨‍💻

Summary of All Core Devs - Consensus (ACDC) call #135

Naming F-starname Upgrade: Discussions for Post-Electra upgrade.

Updates on PeerDAS breakout #1

Lido Finance introduces Restaking for $stETH.

MetaMask launches pooled staking for Ethereum, excluding US and UK users.

Twiga for the coming Electra upgrade is here!

Devcon tickets & tracks: Ticketing types, timelines & tracks are live!

Uniswap Labs acquired Crypto: The Game (onchain Survivor)

SEC Chair Gensler expects spot ETH ETFs S-1s to be approved over US summer.

Over 27% of the ETH supply is now staked, up from 24% in January.

**Ethereum Transactions Over Radio? How does that work?**

Layer1 & Layer2

Stable Coin $wcgUSD is now live on Linea!

Update on the TVL of Layer 2 Ethereum Scaling Solutions.

Huge Liquidation causes 25% drop in CRV

Blobs, Reorgs, and MEV-Boost: Analyzing Ethereum's Latency and Security Dynamics

Vitalik proposes a New Approach to Layer 1 Transactions.

Preconfirmation designs compatibility with proposed ePBS

Proposal to use torrents for distributing pre-merge data (EIP4444 history expiry)

OP Stack Permissionless Fault Proofs live on OP mainnet, now a stage 1 L2 (limited training wheels)!

A look into the RIP 7212 Deployment status on Layer 2 chains

Based preconfs are now live on devnet!

ERCs

**ERC-7720:** Deferred Token Transfer

ERC838 (resurrected): ABI specification for REVERT reason string

ERC7721: Lockable extension for ERC1155

ERC7722: Opaque token

EIPs

Meta EIP7723: Network upgrade inclusion stages

RIPs

RIP7724 (clone of EIP7667 for zk rollups): Raise gas costs of hash functions

EcoExpansions: Beyond Ethereum 🚀

zkSync

zkSync introduced the $ZK token. Check your airdrop eligibility.

ZK Nation was introduced.

zkSync’s mainnet deployment of v24 is now complete!

Deep Dive Analysis: Allocation of ZK Tokens to 13,000 Wallets with 0 tx in zkSync.

A look into ZK Tokenomics

Matter Labs (zkSync) is dropping all trademark applications for the ZK term!

zkSync is now live on Uniswap!

Polygon

Polygon Creates New Grants Program, 1B POL Unlocked Over 10 Years for Buidlers!

Agglayer-rs repository is now open-sourced.

Toposware, along with Polygon, is building a type 1 zkEVM prover.

Introducing - Polygon Governance Hub!

Have a look into Polygon’s DeFi Roundup!

Solana

Solana’s first Smart Wallet is here!

Circle’s Programmable Wallets now support @solana!

Solana-Based Startup TipLink Launches Wallet Adapter.

**Phantom acquires Bitski to accelerate crypto adoption.**

Solana Pay is now on Shopify!

SolanaFM’s Explorer 2.0.0 is here.

Solana got an update: v1.18 is here!

Rise In and WBA Launch Developer Education Program to Train New Solana Developers

IslandDAO presents Koh Solana (Sep 25th - Oct 25th)

DevToolkit: Essentials & Innovations 🛠️

Etherscan now features a Card for Tokens to display security risks!

Remix v0.50.0 is here: Pin plugins and use ZK-ethers in JS/TS scripts!

RustRover is out now!

Quicknode launched a Builder’s guide.

Here are some Tips to rewrite EVM contracts to support Solana.

Lighthouse v5.2.0 is here: adds in-memory tree-states, optimized epoch & block processing and execution client version in graffiti.

Besu got an update: v24.6.0: Java v21 now minimum version and historic trie log data removed by default.

Foundry show-progress flag is here: live progress of fuzz & invariant tests

Take a look at the EF JavaScript team roadmap

PBS Snapshot is here: Create MEV data snapshots

Hello World EigenLayer AVS is now also available in Rust!

Explore the Depths of Knowledge: Research Papers, Blogs and Tweets🔖

Twitter

Vitalik suggests which narratives to focus on

Ripple introduces the XRPL EVM Sidechain & Ripple USD (RLUSD)

Zapper announces Zapper Protocol: Powered by $ZAP

How has EIP-4844 impacted L2 costs?

Helius CEO talks about Hivemapper!

The ULTIMATE Solana Reading List!

A Deep Dive into DePIN

Articles

Quantifying code complexity: CK, Martin & Halstead metrics using Slither printers

Guide to create a simple Solidity linter using Slang (Nomic Foundation’s compiler APIs)

Crypto and AI: A $20 Trillion Megatrend?

ERC-7201 Storage Namespaces Explained

Ethena: Delving into the Mechanics and Risks of USDe

Blob Adoption and Utilization - Insights from the first 85 days

Forced Transactions vs Based Sequencing: What's it all about?

How does Everclear: The First Clearing Layer work?

How Crypto is Shaping the Future of Online Shopping!

Open Access Supercomputing Foundation announces the tokenomics of AO, the decentralized supercomputer!

The Restaking Wars: Eigenlayer vs Symbiotic

Research Papers

**Should my Blockchain Learn to Drive? A Study of Hyperledger Fabric.**

Demystifying the Characteristics for Smart Contract Upgrades

Blockchain Integrated Federated Learning in Edge-Fog-Cloud Systems for IoT based Healthcare Applications: A Survey

**Optimizing Exit Queues for Proof-of-Stake Blockchains:** A Mechanism Design Approach

SAMM: Sharded Automated Market Makers

Watch🎥

Web3 Security Watch 🛡️

Articles

A Deep dive into Security Tips & Devices for Digital Nomads.

Identifying Red Flags in Smart Contracts: A Guide to Spot Security Risks in Solidity Smart Contracts

Nirvana Finance co-founder recounts the ‘worst day’ of his life.

A Guide on how to recover Funds with HackedWalletRecovery Tool

**Awesome On-Chain Investigations HandBook 2.0: A MUST Read!**

Research Papers

Benchmarking of Jailbreak Attacks on LLMs

Security of AI Agents

Scalable UTXO Smart Contracts via Fine-Grained Distributed State

Twitter

Root cause analysis of UwU Lend : A Deep Dive

Yolo Games exploited for $1.5M

Ronkathon - rust implementation of a collection of cryptographic primitives

Hacks and Scams 🚨

UwU Lend

Loss ~ $23.1M

UwU Lend, launched by Frog Nation's former CFO Sifu, was hacked for $23.1M via price manipulation.

The first attack on June 10, 2024, resulted in a $19.4M loss; the second attack within two days caused a $3.7M loss.

The attacker used three transactions to convert stolen $WBTC and $DAI into $ETH, funded by Tornado Cash.

UwU Lend paused the protocol for investigation an hour after acknowledging the exploit.

Despite a recent security audit from PeckShield, the hack exposed a price discrepancy in UwU Lend's oracles.

The attacker used a flash loan to manipulate the price feed, exploiting the difference between sUSDe borrowing and liquidation rates.

Curve founder Michael Egorov lost over 23.5M CRV ($9.85M) deposited into UwU Lend.

The attacker deposited tokens into Curve’s Llama Lend and borrowed over 8M crvUSD ($8.11M).

LlamaLend's CRV market lenders hard-liquidated the hacker's position.

UwU Lend offered a $5M bounty to catch the exploiter.

Loopring

Loss ~$5M

Loopring, a ZK-rollup-based protocol on Ethereum, revealed a hack that compromised its two-factor authentication (2FA) Guardian wallet recovery service on June 9, 2024.

Approximately $5 million was drained from wallets protected by Loopring’s Guardian service.

The Guardian service allows users to name trusted wallets for security tasks, like locking or restoring a compromised wallet.

The hacker bypassed Loopring's Official Guardian service, initiating recoveries on wallets with a single guardian without user consent.

According to Loopring, wallets with multiple guardians or third-party guardians remained secure, as transactions require more than half of the guardians.

Loopring disclosed two wallet addresses involved in the breach, with one wallet draining about $5 million from affected accounts.

The protocol is collaborating with Mist security experts to understand the 2FA service compromise and has suspended Guardian-related operations temporarily.

Loopring stated that after suspending these operations, the breach was contained.

The protocol is working with law enforcement to track the hacker.

Community Spotlight

#NYCTechWeek is an absolute whirlwind of innovation!

Week 70 - peerDAS on electra, StarkWare’s ZK Scaling to Bitcoin, AI&ML for Web3, DMM Exchange Los...

GM! Buidlers

This issue of Hashingbit features a detailed writeup on Ethereum All Core Developers Consensus Call #134, highlighting the integration of peerDAS into Electra. It also covers StarkWare's plans to bring ZK scaling to both Bitcoin and Ethereum. The issue includes ecosystem updates on Solana, Aptos, and Polygon, as well as insights on AI & ML for Web3. Additionally, it provides developer tools for smart contract auditing and Solidity developers. Furthermore, it offers insights into how DMM Exchange was exploited for $305M and Velocore's loss of $6.8M due to a smart contract vulnerability.

EtherScope: Core Developments 👨‍💻

ENSv2: The Next Generation of ENS

Ethereum All Core Developers Consensus Call #134 Writeup - peerDAS is going into Electra!

Ethereum futures hit record highs following spot ETF approval

Bolt – Enabling trustless pre-confirmations on Ethereum

Ethereum's UX Improvements

Dynamic Ethereum Roadmap

Potential process improvements for AllCoreDevs

The Ethereum Government: How Code Changes Are Made to the World’s Most Sprawling Blockchain

Layer 1 & Layer 2

Iota launched the mainnet of IOTA EVM, an EVM-compatible Layer 2 for the Iota network.

Fhenix: Building a Confidential Future for Ethereum

StarkWare plans to bring ZK scaling to Bitcoin alongside Ethereum

The current state of SNARKs

Layer 2s as cultural extensions of Ethereum - Vitalik

Introducing RISE pevm: EVM execution on steroids!

Rollup.wtf dashboard: L2 real-time performance showing TPS, MGas/s & KB/s

EIPs

EIP-7718: Portal Wire Protocol a framework for discv5

EIP-7719: P2P History Network

EcoExpansions: Beyond Ethereum 🚀

Solana

Solana saw nearly half a million tokens launched last month

Solana To Ditch Token Burning and Divert 100% Of Priority Fees To Validators

Solana Staking Protocol Sanctum Announces $CLOUD Tokenomics

Polygon

Polygon Labs acquires Toposware, pushing total ZK investment to $1B

v2 of the Polygon Miden alpha testnet

QiDaoProtocol integrates $MAI on Polygon PoS

zapit_io integrates Polygon PoS, letting users on/offramp assets on their P2P exchange

Aptos

IONet and Aptos: Redefining AI Performance and Scale

Discussing Aptos Unity SDK: Simplified Logins & Transactions

Mereo Revolutionizes Fan Engagement with On-Chain Journeys on Aptos

Aptos Integrates Chainlink's CCIP and Data Feeds to Boost Decentralized App Development

DevToolkit: Essentials & Innovations 🛠️

Announcing Lita's Valida zkVM & C Compiler

Monomer SDK – Cosmos Tech on Ethereum Rollups

Compiler Fingerprinting in EVM Bytecode

Runtime Verification Simbolik: Solidity debugger VS Code extension, private beta

Tevm (TypeScript EVM toolkit): in browser devnet & Solidity scripting

Foundry adds Vyper support: deploy, test, debug & write scripts

Hardhat v2.22.5: adds limited support for blob transactions & hardhat-tracer reenabled

Slither v0.10.3: reduces false positives & improves performance

Snekmate (Vyper building blocks): module-friendly contracts, uses Vyper v0.4.0rc6

Prool: simulate local/bundler/indexer node over HTTP for TypeScript test runners, e.g. Vitest

EVMole: improved accuracy in function argument extraction

Explore the Depths of Knowledge: Research Papers, Blogs and Tweets🔖

Twitter

Thoughts on Polygon Miden

Bringing transparency to DePIN token incentives

Evaluating token economics for DePINs: cost estimation

Can crypto help solve the walled garden challenges around data for AI products?

Proof of Virality - Some thoughts on socialfi, memecoins, and consumer crypto below.

Curious how Coinbase’s new smart wallet works?

Why are there so many L2s coming out? Do we need yet another chain? When will it all end?

Articles

How Would a Blockchain-Based Decentralized AI System Work?

Telegram-Based Wallet Bot Introduces Stricter KYC Rules

Electric Capital: 2024 Crypto Insights

EigenLayer: Intersubjective Faults, Token forking, bEIGEN & more

Real World Assets - All assets will move on-chain

Research Papers

Federated TrustChain: Blockchain-Enhanced LLM Training and Unlearning

FACOS: Enabling Privacy Protection Through Fine-Grained Access Control with On-chain and Off-chain System

Fantastyc: Blockchain-based Federated Learning Made Secure and Practical

Decentralized Physical Infrastructure Network (DePIN): Challenges and Opportunities

Blockchain-aided wireless federated learning: Resource allocation and client scheduling

Model-based Analysis of Mining Fairness in a Blockchain

Watch🎥

Web3 Security Watch 🛡️

Articles

Decoding the Role of Artificial Intelligence in Metaverse and Web3

Simplifying & Understanding Real-World Assets

Ebury Botnet Expanding: Malware Continues to Steal Cryptocurrency

The Web3 Security Tool That CHANGES THE GAME — Glider Tutorial.

Research Papers

Fast and Secure Decentralized Optimistic Rollups Using Setchain

It Takes Two: A Peer-Prediction Solution for Blockchain Verifier's Dilemma

Stealing Trust: Unraveling Blind Message Attacks in Web3 Authentication

All Your Tokens are Belong to Us: Demystifying Address Verification Vulnerabilities in Solidity Smart Contracts

Twitter

Have you ever wondered how auditors manage to keep track of all the records and notes?

Just a bunch of freshly released web3 security tools!

The Emergence of AI Agents

Github

awesome-oracle-manipulation

Crypto-OpSec-SelfGuard-RoadMap

Proxies, Upgradeable Smart Contracts and their Security

Hacks and Scams 🚨

DMM Exchange

Loss ~ $305M

The exploit occurred on May 31, 2024, resulting in a loss of 4,502.9 BTC, valued at approximately $304,529,100.

The breach occurred around 1:26 p.m. and involved unauthorized access to the exchange's wallet.

The root cause of the exploit is currently unknown.

The exploit may have involved a private key compromise or an exploitation of DMM’s signature services.

An address spoofing attack is another possible explanation, where the attacker mimicked a legitimate DMM address to deceive wallet operators.

The stolen funds were distributed to ten different bitcoin addresses in batches of 500 BTC.

DMM Bitcoin implemented measures to prevent further unauthorized access, including suspending new account openings, crypto asset withdrawals, and new buying orders for spot trading.

Withdrawals in Japanese yen may take longer than usual due to the incident.

Japan's Financial Services Agency has ordered DMM Bitcoin to investigate the breach and implement protective measures for customers.

The police have started their own investigation into the matter.

DMM Bitcoin assured customers that their Bitcoin deposits are fully guaranteed and will be covered by the exchange.

Velocore

Loss ~ $6.8M

Velocore experienced a security breach on June 2nd, 2024, resulting in financial losses of approximately $6.8 million in ETH.

The breach was due to vulnerabilities in the Balancer-style CPMM pool contract.

Niv from Hexagate reported the issue and facilitated communication with Velocore Mods. Gal of Hypernative and Ironblock assisted in setting up a war room for investigation.

All volatile CPMM pools in Linea and zkSyncEra Velocore were affected, but no stable pools were impacted.

Telos Velocore shared the same vulnerabilities but mitigated the issue before exploitation.

Blade, a fork of Velocore using a simple XYK pool, was not affected by this vulnerability.

The primary cause of the incident was faulty logic in the ‘velocore__execute()’ function of the ConstantProductPool.

The ‘feeMultiplier’ variable's miscalculation allowed the ‘effectiveFee1e9’ to exceed 100%, causing logic malfunctions.

There was potential for underflow during single-token withdrawals, leading to erroneous large deposits.

The ‘velocore__execute()’ function did not verify whether the caller was the Vault, simplifying the exploit.

The attacker used Tornado for funds, exploited the vulnerability, bridged funds with Across Bridge, and redeposited them into Tornado.

The attacker used flash loans to manipulate LP tokens and pool sizes, leading to an abnormal minting of LP tokens.
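
The two missing checks named above (verifying that the caller is the Vault, and keeping `effectiveFee1e9` below 100%) are shown here as an added sketch, not Velocore's code. The fee formula, the 10% and 1000x caps, the single-reserve model, and every name other than `velocore__execute`, `feeMultiplier` and `effectiveFee1e9` are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative sketch only; NOT Velocore's ConstantProductPool.
/// Models one reserve and a per-block surge multiplier (both assumed).
contract GuardedPoolSketch {
    uint256 private constant ONE_1E9 = 1e9;              // 100% / 1.0x in 1e9 fixed point
    uint256 private constant MAX_FEE_1E9 = 1e8;          // assumed policy cap: 10%
    uint256 private constant MAX_MULTIPLIER_1E9 = 1e12;  // assumed cap: 1000x

    address public immutable vault;
    uint256 public immutable baseFee1e9;
    uint256 public reserve;
    uint256 public feeMultiplier = ONE_1E9;
    uint256 public lastWithdrawBlock;

    error CallerNotVault(address caller);
    error WithdrawalTooLarge(uint256 requested, uint256 available);

    constructor(address vault_, uint256 baseFee1e9_, uint256 initialReserve) {
        require(vault_ != address(0), "vault required");
        require(baseFee1e9_ <= MAX_FEE_1E9, "base fee above cap");
        vault = vault_;
        baseFee1e9 = baseFee1e9_;
        reserve = initialReserve;
    }

    /// Check 1: only the Vault may drive pool state. Without this, anyone
    /// can call the pool directly with arguments the Vault would never send.
    modifier onlyVault() {
        if (msg.sender != vault) revert CallerNotVault(msg.sender);
        _;
    }

    /// Check 2: the fee is clamped, so it can never reach or exceed 100%
    /// however large feeMultiplier has grown within the block.
    function effectiveFee1e9() public view returns (uint256 fee) {
        fee = (baseFee1e9 * feeMultiplier) / ONE_1E9;
        if (fee > MAX_FEE_1E9) fee = MAX_FEE_1E9;
    }

    /// Single-token withdrawal of `grossOut`; returns the amount after fees.
    function velocore__execute(uint256 grossOut)
        external
        onlyVault
        returns (uint256 netOut)
    {
        if (grossOut >= reserve) revert WithdrawalTooLarge(grossOut, reserve);

        // The surge multiplier resets at the start of each block (assumed design).
        if (block.number != lastWithdrawBlock) {
            feeMultiplier = ONE_1E9;
            lastWithdrawBlock = block.number;
        }

        uint256 fee = effectiveFee1e9();

        // Deliberately left in checked arithmetic: if a later change lets
        // `fee` exceed ONE_1E9, this subtraction reverts instead of wrapping
        // to a huge value, which is the underflow class described above.
        netOut = (grossOut * (ONE_1E9 - fee)) / ONE_1E9;

        // Repeated withdrawals in one block raise the multiplier, but it is
        // bounded so later multiplications cannot overflow or run away.
        uint256 grown = (feeMultiplier * reserve) / (reserve - grossOut);
        feeMultiplier = grown > MAX_MULTIPLIER_1E9 ? MAX_MULTIPLIER_1E9 : grown;

        // The fee portion stays in the pool.
        reserve -= netOut;
    }
}
```

A Foundry invariant test asserting `effectiveFee1e9() <= 1e8` after arbitrary sequences of same-block calls is a direct way to keep the bound from regressing.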

Community Spotlight

QuillCon VC Dinner

Week 69 - Taiko Mainnet Launch, Uniswap & Across Cross-Chain Standard, Pessimistic Proof for the ...

GM! Buidlers

This issue of Hashingbit features the launch of Ethereum Layer 2 Taiko, new cross-chain standards from Uniswap Labs and Across, the introduction of PayPal USD on Solana, and Fantom's collaboration with Google Cloud. It also covers ZK security advancements for AggLayer and Atoma's AI tools on Sui. Additionally, it includes developer tools for smart contract auditing and Solidity developers, and highlights QuillAudit’s AI agents detecting vulnerabilities in the $NORMIE token.

EtherScope: Core Developments 👨‍💻

Ethereum Layer 2 Taiko goes live on mainnet

The problem with eip4337

Low Ethereum Gas Fees Inflate Supply By 50k ETH In One Month

Suave Proposal: Implementing EIP-712 for Confidential Compute Requests

Layer 1 & Layer 2

Vitalik Compares the L2 and Ethereum Sharding Visions

Upcoming Feature: Starknet Applicative Recursion (SNAR)

Introducing the Pessimistic Proof for the AggLayer: ZK Security for Cross-chain Interoperability

Introducing Kakarot Sepolia

StarkWare introduces ZKThreads: A canonical ZK sharding framework for dApps

All Core Developers Execution Call #188 Writeup

Unifying VMs with Blended Execution

Zeth Brings Validity Proofs to Optimism’s OP Stack

EIPs

EIP-7716: Anti-correlation attestation penalties

ERC-7683: Cross Chain Intent

ERCs

ERC-TBA: Deterministic AA wallet

ERC-x: Readable Typed Signatures for Smart Accounts

ERC-7715: Request Permissions from Wallets

EcoExpansions: Beyond Ethereum 🚀

Solana

LayerZero is live on Solana!

Solana validators voted to stop burning half the priority fee and will now keep 100% of it.

PayPal USD (PYUSD) is live on Solana!

Fantom

Opera Network Upgraded: Sonic Nodes Power 10,000 TPS and 1-Second Finality

Fantom Partners with Google Cloud to Boost Next-Gen dApp Development and Launch Validator

Polygon

Introducing the Pessimistic Proof for the AggLayer: ZK Security for Cross-chain Interoperability

Polygon Labs is using Succinct’s zkVM SP1 for building the AggLayer, their flagship interoperability protocol.

Sui

Atoma Enabling AI for Builders on Sui

Sui Overflow: Sui’s first global virtual hackathon

AUSD Stablecoin from AgoraDollar Launches on Sui, Enhancing Network Liquidity and Efficiency

DevToolkit: Essentials & Innovations 🛠️

Solidity v0.8.26: require with custom errors (via-IR only), Yul optimizer improved default sequence and JSON output format slightly changed

Clap: a Rust eDSL for PlonKish Proof Systems with a Semantics-preserving Optimizing Compiler

Batcher Contract on Aztec

Remix v0.49: RemixAI improvements & TOML syntax highlighting

Kontrol (formal verification) adds support for native Foundry cheatcode assertions

Snekmate (Vyper): adds Halmos symbolic tests for ERC20/721/1155 & math contracts

Ape-AWS: Ape plugin to use AWS Key Management Service & IAM access

Viem adds EIP4361 Sign-In with Ethereum support

EVM Diff: adds all chain comparison table to existing side by side compare

micro-eth-signer v0.9: fetch account history & token balances from archive node, SSZ in 900 lines

Vacp2p stealth-address-kit v0.1: derived from ERC5564, Rust & C bindings

Explore the Depths of Knowledge: Research Papers, Blogs and Tweets🔖

Twitter

12 examples of how Chainlink is powering the tokenization megatrend

Farcaster vs. Lens Protocol: A Deep Dive 🧵

Unlocking the Power of Stylus: A Game-Changer for Arbitrum and EVM

Some more up-to-date thoughts on the next hard fork after Cancun, Pectra

The Bitcoin L2 landscape

How do DEX aggregators actually work?

High FDV is not inherently bad.

Zero knowledge vs. Optimistic rollups

Advice for Builders Seeking Grants

Modular thesis comeback

Articles

How EigenLayer’s Restaking Enhances Security and Rewards in DeFi

Secure Voting on Blockchain with Zero-Knowledge Proofs (ZKPs)

Introducing the ENS L2

Atomicals Virtual Machine (#AVM) Whitepaper

A Two-Part Approach To Understanding Zk Coprocessors

Github Repos

Reusable workflows for GitHub Actions

Merkle Multiproof (Solidity): generate inputs for OpenZeppelin MerkleProof library for fuzz testing

Research Papers

A Dual-functional Blockchain Framework for Solving Distributed Optimization

On Fairness Concerns in the Blockchain Ecosystem

Collaborative Access Control for IoT -- A Blockchain Approach

The Writing is on the Wall: Analyzing the Boom of Inscriptions and its Impact on EVM-compatible Blockchains

Tools

Introducing Recon: Invariant Testing Made Easy.

EVM Diff adds cross-chain comparison.

Eth95.exe - An Instant UI for Smart Contracts.

GoAlert - Open source on-call scheduling, automated escalations, and notifications so you never miss a critical alert.

Watch🎥

Web3 Security Watch 🛡️

Articles

Beginner’s Guide to Web3 Security: Guide to Avoiding Fake Wallets and Private Key/Mnemonic Phrase Compromises

How to Identify and Prevent Address Poisoning Attacks

Research Papers

DataSafe: Copyright Protection with PUF Watermarking and Blockchain Tracking

Remeasuring the Arbitrage and Sandwich Attacks of Maximal Extractable Value in Ethereum

Decentralized Virtual Research Environment: Empowering Peer-to-Peer Trustworthy Data Sharing and Collaboration

Twitter

Arguments Against FIT21

Zero Knowledge Proofs Use Cases

Malicious Aggr Chrome Extension

Investigation: $CAT meme team is connected to GCR's X.com hack last night

Introducing Trident - fuzz testing framework for Solana programs written in Anchor

Tools

Security Alliance - Drill Template - the tools that the SEAL Chaos Team uses to coordinate drills with protocol teams.

Simbolik: Solidity Debugger VS Code plugin by Runtime Verification.

Introducing shadow-reth

Introducing Open-Binius!

Hacks and Scams 🚨

NORMIE

Loss ~ $881K

NORMIE memecoin on the Base network exploited, resulting in a loss of 224.98 ETH (approx. $881,686).

Our QuillShield AI agent detected the same vulnerability in just one second.

Exploit due to a smart contract vulnerability that allowed unauthorized minting of tokens.

Attacker used 2 ETH from Sushi Router to swap for 171,955 NORMIE tokens, then matched the token deployer’s balance by swapping 5 million NORMIE tokens.

Vulnerable _get_premarket_user function added attacker’s address to the premarket user list by matching the team wallet balance.

Flash loan of 11,333,141 NORMIE tokens taken, with 9,066,513 swapped for 65.97 ETH to manipulate token supply.

Remaining tokens used in Uniswap V2 pair and skim function to withdraw assets.

Logic flaws in _transfer and swapAndLiquify functions allowed bypassing checks and minting additional tokens.

Token supply inflated to 650 billion NORMIE tokens; attacker profited 224.98 ETH (approx. $881,686).

Exploiter manipulated contract permissions, used flash loan to drain the contract, bought tokens at no cost, and sold them.

Meta Dragon

Loss ~ $180k

Over 4000 NFTs were compromised in the MetaDragon hack on 28th May 2024, with community members losing approximately 2400 NFTs after deductions for the META fund and marketing.

The NFT contract remains insecure; users are advised to refrain from minting new NFTs.

Significant losses were incurred by community members, investors, and liquidity providers.

MetaDragon plans to compensate each NFT at a rate of "10,000 META + 0.15 BNB".

Total compensation amounts to approximately 24 million META and 360 BNB.

The compensation process will begin gradually with updates provided on progress.

Some partners and major holders have expressed willingness to postpone their claims, prioritizing the compensation of other members, which is deeply appreciated by the MetaDragon team.

Community Spotlight

QuillAudits at Consensus 2024

Week 67 - Ethereum Efficiency Boost, Base Chains on QuillCheck, Web3 Phone Numbers on Sui ?, Web3...

GM! Buidlers

This edition of HashingBits covers important updates in the world of web3. Ethereum is getting a potential efficiency boost with Vitalik Buterin's proposed EIP-7706 for a new call data gas type. Developments are also underway at Solana and EigenLayer. Sui users will soon be able to claim their own Web3 phone numbers. QuillCheck is expanding its services to include Base Chain tokens, allowing users to evaluate the risks of new crypto tokens before investing. The newsletter also brings attention to new developer tools available in the web3 space, such as Immunefi-terminal, Create Chimera App, eth-easy, and MetaSleuth. Security remains a major concern, as highlighted by recent attacks on Sonne Finance ($20 million), Pump.fun ($1.9 million), and Pii Park (rug pull for $490,000). HashingBits keeps you informed about the latest happenings in blockchain technology and security.

EtherScope: Core Developments 👨‍💻

Ethereum Ecosystem Value Prop

Ethereum has been increasingly inflationary for over a month as fees hit all-time low

Ethereum L2 Usage Surges

Ethereum gas under 5 gwei, the lowest daily average since February 2020

Why 4337 and 3074 authors are disagreeing, and who got it right

Vitalik Buterin drafts EIP-7706, proposing a new call data gas type for Ethereum

Paul O’Leary on how Polygon’s zkEVM will enhance Ethereum scalability

Ethereum account abstraction to catalyze crypto mass adoption

Grandine v0.4.0/1: optimizations, new attestations packer, in-memory mode, improved compatibility with other validator clients, integrations with Eth-docker & Ethereum on Arm

Geth v1.14.3: block processing & RPC API improvements

Etherscan: address poisoning attack explainer

Overview on based sequencing & preconfirmations

EIPs

EIP-7704 - Align incentives for access list provisioning

EIP-7706 - Separate gas type for calldata

EIP-7707 - Incentivize Access List Provisioning

EcoExpansions: Beyond Ethereum 🚀

Sui

The Move programming language on Sui incorporates three fundamental innovations

NetkiCorp Brings Digital Identity Verification Expertise to Sui, Enhancing Decentralized Financial Systems

ChainIDE Launches for SuiNetwork: Compile, Deploy, and Interact with Sui Move Contracts in Your Browser!

Claim your Web3 phone number – coming soon to Sui!

Eigen Layer

EigenLayer Opens Claims for Airdrop of EIGEN Token, Though It's Non-Transferable

EigenDA accepts staking delegations as Eigen token claims open

ICYMI - Check out Awesome AVS if you'd like to learn more about how to build on EigenLayer.

Omni Network: Using Eigenlayer to Unleash Ethereum Liquidity

EigenLayer Launches @buildoneigen for the Latest Ecosystem Updates!

Solana

Solana DEX Drift opens airdrop claims for 120 million tokens with bonus

Solana Devs, Wake Up! 🛠️🦀 Join the Free 6-Week Solana Bootcamp by @encodeclub Starting June 3rd!

Introducing Solana's First Liquidity Layer: The Evolution of Marginfi for Performant DeFi

Squads Validator is Now Live: Stake Your SOL Directly from the App

AgriDex & Solana Launch RWA Marketplace This Summer!

DevToolkit: Essentials & Innovations 🛠️

Forge-std v1.8.2: adds cheat codes including prompt, blobhashes & ensNamehash

Mastering Solidity: Control Structures And Error Handling

Solady (Solidity snippets): adds UpgradeableBeacon for ERC1967 beacon proxies

Frangio: Solidity compiler code generation for stack-based EVM & stack too deep errors

Viem experimental adds ERC6492 signature utilities

Slitherin (custom Slither detectors) v0.7.0: adds detectors for Arbitrum Chainlink sequencer uptime, read-only reentrancy with Balancer/Curve & price manipulation via token transfers

Betterscan: inspect verified contracts

Profiling Echidna found a memory leak in hevm

Guide to building a tracer using Geth for transactions involving a set of addresses

Etherscan converter tools: Base64, block & date, UTF-8 and method ID

Explore the Depths of Knowledge: Research Papers, Blogs and Tweets🔖

Twitter

Types of Smart Contract Design Patterns

Secureum RACE #29: answers to 8-question Solidity quiz

Articles

Vitalik Proposes EIP-7702 for Externally Owned Accounts

Exploring Consensus With Parallel Proposals: The Difference Between PBFT and BBCA-Chain

Mastering the Final Boss in Blockchain Scalability: State Growth

No-Code Blockchain Development: Pros and Cons

Omni Network: Using Eigenlayer to Unleash Ethereum Liquidity

Using Ethereum to Understand the Protocol Economy

Research Papers

Temporarily Restricting Solidity Smart Contract Interactions

T-Watch: Towards Timed Execution of Private Transaction in Blockchains

Cross-Blockchain Communication Using Oracles With an Off-Chain Aggregation Mechanism Based on zk-SNARKs

Permissioned Blockchain-based Framework for Ranking Synthetic Data Generators

BitVMX: A CPU for Universal Computation on Bitcoin

Implementation Study of Cost-Effective Verification for Pietrzak's Verifiable Delay Function in Ethereum Smart Contracts

Tools

eth easy! - easy-to-use, flexible, and blazing-fast toolkit that helps accelerate Ethereum development by 0xrusowsky. Recent features include ABI encoding/decoding and call data debugging. Very cool!

MetaSleuth adds support for Solana.

Watch🎥

Web3 Security Watch 🛡️

Articles

Reentrancy attacks in smart contracts explained

Verifiable Compute: Scaling Trust with Cryptography

Cosmos IBC Reentrancy Infinite Mint

Blast Integration Bugs - Part 1

Hamburger Factory Validity

Research Papers

StateGuard: Detecting State Derailment Defects in Decentralized Exchange Smart Contract

BeACONS: A Blockchain-enabled Authentication and Communications Network for Scalable IoV

An Approach for Decentralized Authentication in Networks of UAVs

Foundational Verification of Smart Contracts through Verified Compilation

Twitter

Web3 Phishing Attacks you must know about

Tools

Immunefi-terminal - The only crypto bug bounty terminal you'll ever need by shortdoom.

Create Chimera App - The Foundry template allows you to bootstrap a fuzz testing suite using a scaffolding provided by the Recon tool by Recon-Fuzz. It extends the default Foundry template used when running forge init to include example property tests using assertion tests and boolean property tests supported by Echidna and Medusa.

Hacks and Scams 🚨

Sonne Finance

Loss ~ $20M

Hackers stole $20 million in cryptocurrency from Sonne Finance on May 14th.

Hackers targeted USD Coin (USDC), Wrapped Ether (WETH), Velo (VELO), soVELO and Wrapped USDC (USDC.e).

Sonne Finance paused operations and is investigating ways to recover funds, including a bug bounty.

The hacker seems uninterested in negotiations and is moving stolen funds.

Hack exploited a known bug in Sonne's Compound v2 forks.

Sonne Finance is criticized for using the known vulnerable code.

Pump.fun

Loss ~ $1.9M

A former employee exploited pump.fun, a platform for creating Solana meme coins, resulting in a loss of nearly $2 million through a "bonding curve" attack.

The exploit involved the ex-employee leveraging their insider access to compromise the platform's internal systems.

Approximately $1.9 million was stolen out of a total of $45 million held in pump.fun’s bonding curve contracts.

Trading on the platform was temporarily halted but has since resumed, with assurances that the smart contracts remain secure.

To carry out the attack, the exploiter utilized flash loans on a Solana lending protocol to borrow tokens, which were then used to inflate the bonding curve.

A user named "STACCoverflow" is suspected to be involved, as hinted in cryptic posts suggesting a foreknowledge of the incident.

Pii Park

Loss ~$490K

A project called Pii Park (different from others with similar names) has likely run an exit scam.

Their token's value plummeted by around 99%, indicating a potential rug pull.

Investors lost approximately $490,000 throughout the project's existence.

Avoid rug pulls with QuillCheck's easy token safety checks on multiple chains.

Visit QuillCheck

Predy Finance

Loss ~$464K

Hackers exploited a vulnerability on Predy Finance on Arbitrum, stealing ~$464,000.

Predy Finance is a DEX for perpetual trading and token swaps.

The exploit was due to a lack of access control in a function allowing anyone to add trading pairs.

Hackers added a fake pair, deposited funds, and then withdrew everything.

Some stolen funds (~$304,640) were bridged to Ethereum Mainnet.

Predy Finance acknowledged the exploit and offered a 10% bounty to return the funds.

They also disabled the vulnerable functions and advised users to revoke access.

Community Spotlight

Week 66 - Vitalik's EIP 7702 Update, Polygon's ZK Testnet, Polkadot's Asynchronous Backing, Carpe...

GM! Buidlers

In this edition of HashingBits, we explore several critical updates in the Web3 ecosystem. Discover Vitalik Buterin's latest proposals, including a novel efficiency-boosting method, multidimensional gas pricing, and the major update EIP-7702 for externally owned accounts. The Ethereum community also welcomes EIP-3074, designed to enhance crypto wallet usability. In other ecosystem news, Polygon tests its ZK-based Ethereum scaling solution Miden, Arbitrum launches Millicent One to merge traditional finance with DeFi, and Polkadot introduces asynchronous backing to improve network performance. Additionally, we review the Carpediem Pension Smart Contract audit by QuillAudits and report on significant security breaches, including a $71M WBTC Loot and a $1.27M loss in GnusAi on the Fantom chain. Keep informed with HashingBits, your essential resource for the latest in blockchain technology and security updates.

EtherScope: Core Developments 👨‍💻

Vitalik Buterin proposes method to increase Ethereum capacity

Ethereum Developers Target Ease of Crypto Wallets With 'EIP-3074'

Vitalik Buterin Proposes ‘Multidimensional Gas Pricing’ For Ethereum

EIP List for peerdas-devnet-0

Pectra Interop Testing Requirement Tracker

Pectra-devnet-0: plan to launch in ~5 days, client teams making good progress, attestation refactoring for EIP7549 taking extra time

ERCs

ERC-7280 : NFT Metadata Extension like JSON-LD

ERC-7699 : Soul Resonance Token

EIPs

EIP-7701: Native Account Abstraction with EOF

EIP-7702: Set EOA account code for one transaction

EIP-7703: Increase call data cost

EIP-7705: NONREENTRANT and REENTRANT opcodes

EcoExpansions: Beyond Ethereum 🚀

Polygon

Polygon launches ZK-based Ethereum scaling solution Miden on testnet

Espresso Systems Collaborates With Polygon Labs To Develop AggLayer For Enhancing Rollup Interoperability

Polygon ranks 1st for having more than 19.6 million contracts deployed on Polygon in the last 180 days.

Seeking Seasoned Grant Allocators: Join the Polygon Community Grants Program!

Polygon DeFi 101: What Are Smart Contracts and How Will They Work in an Aggregated Network?

Arbitrum

Arbitrum surpasses $150 billion in total transaction volume on Uniswap

Introducing Millicent One: Bridging TradFi and DeFi with Arbitrum's Support!

ALIENX and Anomaly Games joins the Arbitrum Ecosystem

Arbitrum Stylus Floats Giga Update

Introducing inEVM: Revolutionizing Interoperability with Injective, Cosmos, and Arbitrum Orbit

Polkadot

Polkadot rolls out asynchronous backing to boost network efficiency and transaction speed

OpenZeppelin Launches Polkadot Runtime Templates for Blockchain Projects

Pendzl: Transforming Blockchain Development with Enhanced Ink! Smart Contracts

Polkadot Introduces Asynchronous Backing, Paving the Way for Polkadot 2.0

DevToolkit: Essentials & Innovations 🛠️

EIP5792 site (wallet call API): API reference, capabilities & ecosystem support

Wagmi v2.8.0: adds experimental EIP5792 actions & hooks

Reth Execution Extensions (ExEx): post-execution hooks for building offchain infrastructure

Introducing the Helius Rust SDK

The go-ethereum live tracer

ERC420 - a tokenized multisig vault

wFRIEND POC - bypassing Friend.techs 3% embedded dex fees

Releasing Reth Execution Extensions

CreateX now deployed (and verified) on 70 EVM chains

Explore the Depths of Knowledge: Research Papers, Blogs and Tweets🔖

Twitter

Vitalik released EIP-7702 - a new alternative to EIP-3074

How to Raise the Gas Limit, Part 2: History Growth

Implications of EIP-3074 inclusion

Why 4337 and 3074 authors are disagreeing, and who got it right

Overview of Solana's Liquid Staking Market

Structuring Blobspace Futures for Fun and Profit

Liquid crypto is the biggest untapped investable segment for crypto funds

Understanding the Berachain Governance Token (BGT)

Articles

Mastering Solidity: A Comprehensive Guide to Contracts

EIP-3074 and Maintaining Permissionless Innovation

Horizontal vs Vertical Scaling: The New Modular vs Monolithic

The Power of Eigen Token

How to tokenize real-world assets (RWAs)

Unlocking Decentralized AI’s Potential with Morpheus AI by Chris Sotraidis

Opepen v0.2: Decentralizing Curation by LJW

What Tokens Are & What Tokens Aren’t

Research Papers

Advancing Blockchain Scalability: A Linear Optimization Framework for Diversified Node Allocation in Shards

Blockchains for Internet of Things: Fundamentals, Applications, and Challenges

Fully Automated Selfish Mining Analysis in Efficient Proof Systems Blockchains

CAKE: Sharing Slices of Confidential Data on Blockchain

MBCT: A Monero-Based Covert Transmission Approach with On-chain Dynamic Session Key Negotiation

TetraBFT: Reducing Latency of Unauthenticated, Responsive BFT Consensus

Watch🎥

Web3 Security Watch 🛡️

Articles

Top 3 Multi-Chain Security Issues

Decoding Pike Finance Exploit

How AI Can Help Detect Money Laundering and Enhance Blockchain Security

Web3 Security: Dangers & Precautions To Take

Research Papers

Enhancing Data Integrity and Traceability in Industry Cyber-Physical Systems (ICPS) through Blockchain Technology: A Comprehensive Approach

PoW Security-Latency under Random Delays and the Effect of Transaction Fees

WALLETRADAR: Towards Automating the Detection of Vulnerabilities in Browser-based Cryptocurrency Wallets

A2-DIDM: Privacy-preserving Accumulator-enabled Auditing for Distributed Identity of DNN Model

Enabling Privacy-Preserving and Publicly Auditable Federated Learning

Stochastic behaviour of an n-node blockchain under cyber attacks from multiple hackers with random re-setting times

Distributed Estimation in Blockchain-aided Internet of Things in the Presence of Attacks

Twitter

Carpediem Pension Audit Case Study

Vulnerability Report: Binance PoR Dummy User Attack

Introducing Bounty.vision

Hacks and Scams 🚨

WBTC Loot

Loss ~ $71M

Over $71 million worth of wrapped bitcoin (WBTC) was lost in an address poisoning attack.

The victim transferred 1,155 WBTC ($71.1 million) to the alleged attacker.

The attack was executed through the creation of a fake wallet address resembling the victim's.

The hacker spammed the victim with numerous transactions to increase the chance of an address copy error.

Hacker's address is now labeled "fake" and "phishing" on Etherscan.

Wrapped bitcoin (WBTC) is an ERC token pegged 1:1 with bitcoin for use in the Ethereum ecosystem.

WBTC traded at $61,644.23 at 11:13 a.m. ET on May 3, with a 3.95% increase in the past 24 hours.

In poisoning attacks, attackers often mimic the first and last digits of the victim's wallet address.

GnusAi

Loss ~$1.27M

A token minting exploit hit the Genius (GNUS) AI network on May 5, resulting in a $1.27 million loss.

The incident highlights challenges in blockchain security.

The attacker accessed a private GNUS team account starting with 0x18.

The attacker obtained salt data for token creation, allowing the minting of 100 million fake GNUS tokens.

The fake GNUS tokens were bridged to Ethereum and sold on the market.

The hack occurred via a breach of the team's private Discord communications.

GNUS CEO "SuperGenius" confirmed the hack and Discord vulnerability.

GNUS will release a new token version and warns against purchasing the old version.

The compensation plan includes $500,000 worth of Ether deposited into the liquidity pool for the new tokens.

The remaining $500,000 compensation is locked until February 2025.

Community Spotlight
Week 65 - Pike Hacks Highlight Audit Needs, Vitalik's Security Tips, Starknet and Polygon Innovations...

GM! Buidlers

In this edition of HashingBits, we explore key developments within the web3 ecosystem. Learn about Vitalik Buterin's preference for multisig security, which he claims is simpler and more reliable than Shamir backups. We also cover Ethereum recently surpassing Solana in DEX trading volume, signaling a major shift in decentralized trading dynamics. Updates from Starknet, Solana, Polygon, Polkadot and Eigen Layer are highlighted, with a focus on the latest technological developments and strategic expansions. This edition also covers recent security incidents, including a $1.68 million hack at Pike Finance and a $181K exploit at Yield Protocol. In addition, we recap the QuillAudits event in Dubai. Stay up to date with HashingBits, your comprehensive source for blockchain technology updates and security news.

Week 64 - Ethereum at Record Highs | Bitcoin Halving Insights | ZetaScan's 100M Mark, Stripe Adop...

GM! Buidlers

In this edition of HashingBits, we explore critical developments within web3. Discover the latest on the anticipated Bitcoin halving and its expected market effects. We bring you detailed updates from Starknet, Zetachain, Polygon, and Solana, emphasizing their recent technological progress and strategic collaborations. This edition also covers the distressing $33M rugpull at ZKASINO on zkSync, and a phishing scam targeting ANDY token holders on Solana, which resulted in a loss of $180k. Additionally, we are proud to announce the debut of QuillShield in Dubai, a new security solution aimed at bolstering digital asset protection. Dive into these important updates and more, ensuring you remain informed and secure in the ever-evolving realm of blockchain technology, courtesy of QuillAudits.

EtherScope: Core Developments 👨‍💻

Ethereum Ecosystem Activity Soars to All-time High

Reth's Path to 1 Gigagas per Second - Ethereum Scaling Roadmap

Introducing Ethereum Blobspace Derivatives.

Ether Inflates After Gas Fees Plummet.

Top Ethereum Layer-2 networks adopt Avail DA to boost rollup efficiency and security.

Vitalik Buterin backs ETH PoS transition amid PoW debate

RIPs (Rollup Improvement Proposals):

RIP-7696 : Precompile for generic DSM (double scalar multiplication)

EIPs (Ethereum Improvement Proposals):

EIP-7698: EOF - Creation transaction

EIP-7697: AUTHCREATE opcode

EIP-7693: Backward-Compatible Post-Quantum Migration

EIP-7692: EVM Object Format (EOF) Meta

ERCs (application layer):

ERC7699: ERC20 payment reference extension

EcoExpansions: Beyond Ethereum 🚀

Starknet

Starknet Tokenbound V2 - The latest implementation of ERC6551 on Starknet is live!

Starknet Releases its roadmap and targets for the upcoming months

Introducing the Starknet Propulsion Program!

The Ark Project NFT Bridge is live on Starknet Mainnet.

The Avail DA solution is coming for MadaraStarknet builders!

ZetaChain

The ZetaScan TX counter nears 100 million in <90 days!

Bitcoin is coming to gaming! Multiplayer web3 gaming hub upcade_xyz is live on ZetaChain

ZetaChain announces 5% of total ZETA supply to power the next generation of native Bitcoin applications!

Tezos

Beyond Collectibles: Making Web3 Games That Players Truly Value Using Tezos Unity SDK

AlphabotApp has completed their #Tezos integration. You can now whitelist your NFTs built on Tezos!

Now you can deploy Tezos-based quests and campaigns with DMission!

Polygon

Polygon Ecosystem Token (POL): What It Is and Its Role in Polygon 2.0.

How the AggLayer Unlocks a New Age of Blockchain Economics

Solana

Digital payments giant Stripe to enable USDC payments via Solana!

jito_sol Foundation’s Stakenet has undergone a UI upgrade for validators.

Institutional self custody platform Safeheron integrates Solana.

DevToolkit: Essentials & Innovations 🛠️

Remix v0.48: supports using multiple browser wallets (EIP6963), added PLONK scripts to zk proof templates and added CREATE2 factory for deploying

Guide to Hardhat Ignition contract verification on Etherscan

Safe singleton factory deployer (Solidity): for using the factory with Foundry deployment scripts

Forge AlphaNet (Solidity): libraries for AlphaNet, EIP2537 BLS precompiles, RIP7212 Secp256r1 precompile and EIP3074 invokers

Snekmate (Vyper contracts): added Echidna-based property tests for ERC20/721 contracts

Guide to integrate Permit2 into Vyper contracts

Dpack-py (EVM packaging format): share addresses & artifacts to interact with contracts

web3.py: guide to Bloom filters

Tenderly virtual testnets for dapp developers, uses mainnet state, with a faucet, RPC, explorer & debugging tools

Privacy and Scaling Explorations core program: 8 week hybrid course for students in Japan, South Korea, Taiwan, Costa Rica, Ecuador & Argentina, apply by April 30

Explore the Depths of Knowledge: Research Papers, Blogs and Tweets🔖

Twitter

How do you choose which rune tokens to trade/mint?

Miners are making more money than before the Halving

What can we expect post halving?

The L2 Endgame Isn't Fee Revenue.

introducing BIP-420: formal Bitcoin Improvement Proposal for OP_CAT

GPU-EVM: The Most Performant Parallel-EVM by 100x

GitHub Repos

Rust library for writing NEAR smart contracts

Articles

Engaging Safely in Web3 Communities.

Bitcoin Layer 2 Coins, STX, ELA, SAVM, Outperform BTC After Halving

How Real-World Assets Will Survive (and Evolve) in the Bull Market.

Degeneracy to the Third Degree.

PayPal and Energy Web Team Up To Incentivize Green Bitcoin Mining.

Research Papers

Leverage Staking with Liquid Staking Derivatives (LSDs): Opportunities and Risks.

zkLLM: Zero Knowledge Proofs for Large Language Models.

Zero-Knowledge Location Privacy via Accurate Floating Point SNARKs.

Byzantine Attacks Exploiting Penalties in Ethereum PoS.

Watch🎥

Web3 Security Watch 🛡️

Articles

Post Mortem: Augustus V6 Vulnerability of March 20th, 2024

New Technique to Trick Developers Detected in an Open Source Supply Chain Attack by Yehuda Gelb (Checkmarx).

One More Problem with ERC777.

GitHub Repos

Not So Smart Contract

Research

Gateway Free Web3 Security Course

Replacing Cryptopuzzles with Useful Computation in Blockchain Proof-of-Work Protocols

Demystifying Invariant Effectiveness for Securing Smart Contracts

Tweets

Secureum Race-29

Tools

Smart Contract Inspector - Inspect the source code of a Smart Contract with your preferred Web IDE with just one click (or keyboard shortcut) by StErMi.

Simbolik - Next-Generation Smart Contract Debugging.

tx-coverage - Reveal unused code of a live smart contract by collecting coverage from historical transactions by Decurity.

Hacks and Scams 🚨

ZKASINO

Loss ~ $33M

ZKasino, a crypto betting site, faced rug pull allegations when its developer diverted $33 million worth of investor funds to Ethereum staking platform Lido.

The ZKasino network launched on April 20, attracting over 10,000 users who bridged 10,515 ETH with expectations of receiving extra $ZKAS tokens and having their ETH returned.

However, on launch day, ZKasino altered its plan, converting all bridged ETH to $ZKAS at a rate of $0.055 and vesting it for 15 months without indicating if the Ether would be returned.

Despite demands for ETH refunds, ZKasino dismissed concerns as "FUD," and its founders disappeared, along with the official Telegram channel.

The situation is dubbed potentially the biggest rug pull of 2024, resulting in over $33 million in losses for investors.

Additionally, Lido, the platform where the funds were sent, is embroiled in controversy, with Big Brain Holdings denying any investment in ZKasino and alleging fraudulent claims of backing.

MEXC exchange, citing community concerns, canceled the listing of $ZKAS token.

Blockchain analyst ZachXBT labeled ZKasino's founder, Derivative Monke, and the team as "proven bad actors."

Meanwhile, Mega Dice, a reputable crypto casino, gained attention after raising over $438k in its DICE token presale, offering an alternative for investors disillusioned by ZKasino's actions.

Avoid rug pulls with QuillCheck's easy token safety checks on multiple chains.

Visit QuillCheck

ANDY (Token)

Loss ~ $180k

A cryptocurrency investor lost over $180,000 in USD Coin (USDC) and ANDY, a meme coin inspired by Pepe, due to a phishing attack on Ethereum.

The attack took place on April 23, lasting nearly one hour, from 05:39 to 06:29 UTC.

The perpetrators executed a multi-call phishing attack that combined multiple function calls into a single transaction; the calls appear benign when viewed separately but are malicious when combined.

Transaction data reveals outflows from the victim’s address to multiple wallets belonging to the hackers, some identified as phishing wallets by Etherscan.

The victim lost over 1.6 billion ANDY tokens valued at $162,400 and 17,913 USDC.

The attack emptied the victim’s account, leaving a balance of only $32 worth of Ethereum (ETH) and Arbitrum (ARB).

One of the attacker’s addresses retained the loot, while the second immediately swapped the received ANDY tokens for WETH on Uniswap and transferred them to a new address.

Community Spotlight

QuillAudits at Dubai Launching QuillShield!
Week 63 - Ethereum Eyes $1B Annual Profit in DeFi Surge | Solana's Urgent Congestion Patch Goes L...GM! Buidlers In this edition, we spotlight the latest pivotal updates from the blockchain world. Discover Solana’s newly implemented congestion patch, explore Polygon’s collaboration with OKX through the X Layer, and learn about Subsquid’s launch of BeraChain. We also cover Arbitrum's bold moves toward greater decentralization, and address the serious implications of recent security breaches which have led to significant financial losses of over $47M. Get all the details on these critical developments and more, ensuring you stay ahead in the evolving landscape of blockchain technology and security, courtesy of QuillAudits. EtherScope: Core Developments 👨‍💻 Token2049: Crypto experts highlight Ethereum blockchain problems Ethereum aims for $1 billion annual profit as DeFi gains momentum in Q1 Layer 2 L2BEAT Costs: breakdown of L2 transaction costs XEN spam is 68% of Base state Steven Goldfeder: technical & financial benefits end at L3 ZeroPool: zk native sharded storage protocol Prooφ: SNARK prover market mechanism RollCall (L2 standards) call video EIPs: EIP7684: Return deposits for distinct credentials EIP7685: General purpose execution layer requests EIP7686: Linear EVM memory limits EIP7688: Forward compatible consensus data structures RIPs (Rollup Improvement Proposals): RIP7696: Precompile for generic DSM (double scalar multiplication) ERCs (application layer): ERC7680: Valued tokens with layered liquidity ERC7681: Dual nature multi-token protocol (ERC20 & ERC1155) ERC7682: Auxiliary funds capability ERC7689: Smart blobs (state machine on top of blobs) ERC7695: Ownership delegation and context for NFTs ERC7683: The Cross-Chain Intents Standard Tools Guide to using Kurtosis & ethereum-package to launch local devnets Tracoor: beacon data & execution trace explorer to identify & address network problems Assertoor: cross-client integration testing tool, higher 
abstraction level than Hive EcoExpansions: Beyond Ethereum 🚀 Solana Solana releases mainnet beta update v1.17.31 to resolve congestion issues Solana rallies 9% as developers launches update to tackle network congestion Solana AI projects to watch as io.net's launch draws near. Solana DEX Drift to Airdrop 100M Tokens in Weeks Polygon OKX Launches X Layer, Built with Polygon CDK, Enabling 50M+ Users to Tap Unified Liquidity of the AggLayer OraProtocol’s onchain AI oracle (OAO) is integrating with Polygon PoS Polygon Labs Awarded ISO 27001 Certification, the Gold Standard of Compliance for Information Security Management Systems IBC, meet AggLayer, for cross-chain transactions and inter-network communication Polygon aims to bridge Solana with Ethereum as analysts eye new AI altcoin Berachain Berachain's Meme Marketing Leads to $100M Raise Subsquid Unleashes BeraChain Indexing for Enhanced Decentralized Data Access ZOTH Atlas (Incentivized Testnet) is Now Live on Berachain Arbitrum Arbitrum BOLD Testnet Live: The Next Step in Decentralization Arbitrum Foundation Grant Program Phase Three is NOW OPEN! DevToolkit: Essentials & Innovations 🛠️ A beginner's guide to Runes Learn, integrate, and build on a new modular EVM with Berachain. Slither v0.10.2: slither-mutate support for Foundry projects, unused imports detector and supports aliases Guide to writing efficient DuneSQL queries Remix v0.47.0: adds Solidity Copilot using SolCoder LLM, pin contracts deployed to Remix VM and DappDraft plugin to generate a front end Fuzzing smart-contracts practical aspects: Echidna Sub Zero: mine vanity addresses using CREATE2, tokenized as ERC721 NFTs inkmate , a set of gas-efficient smart contracts written in Rust . 
Explore the Depths of Knowledge: Research Papers, Blogs and Tweets🔖 Good Reads 📚 Runes Will Help Bitcoin DeFi ‘Close the Gap’ on Ethereum, Solana: Franklin Templeton 2024 Q1 Crypto Industry Report Zero Knowledge Summit (zkSummit) 2024: Field notes WorldCoin to launch Layer 2 Layer 2 Scroll zkEVM Introduces Points Program Tweets Introducing Subscription Minting The Decentralized Compute Narrative Runes - Bitcoin's new Fungible Token Standard 20 of the Most Innovative Onchain Experiments From the Last 3 Years HyperspaceZK: A fast and free browser-based ZK engine for AI agents GitHub Repos Theoretical and technical aspects of tokenisation of real world assets. Zero-Knowledge-Mastery Research Papers Privacy-Preserving UCB Decision Process Verification via zk-SNARKs Performance Analysis of Decentralized Physical Infrastructure Networks and Centralized Clouds mABC: multi-Agent Blockchain-Inspired Collaboration for root cause analysis in micro-services architecture SoK: Decentralized Finance (DeFi) -- Fundamentals, Taxonomy and Risks Watch🎥 Web3 Security Watch 🛡️ Good Reads 📚 Privacy by default on L1s? SEAL-ISAC (database of blackhat info): free membership for whitehats via application Heimdall Security Bug Fix Demistifying account abstraction ERCs Tweets Zelic found critical vulnerability in Gains network Concept of Stealth Addresses Github Repos DeFi, Blockchain and crypto-related OpSec researches and data terminals Research Papers Evaluating the Security of Merkle Trees in the Internet of Things: An Analysis of Data Falsification Probabilities Larger-scale Nakamoto-style Blockchains Don't Necessarily Offer Better Security Tools Mempool Dumpster :- Dump all the mempool transactions 🗑️ ♻️ (in Parquet + CSV) Hacks and Scams 🚨 Hedgey Finance Loss ~ $44.7 million Hedgey Finance experienced two hacks, losing a total of $44.7 million across the Arbitrum and Ethereum networks. 
The larger hack on the Arbitrum network resulted in a loss of approximately $42.8 million in ARB tokens, with some funds moved to Bybit exchange. A smaller exploit on the Ethereum network earlier led to a loss of $1.9 million in cryptocurrencies. Hedgey Protocol confirmed the exploits and is working with auditors to identify the underlying vulnerabilities. Following the attack announcement, fake accounts appeared, posting harmful links under the guise of offering help, leading to potential further scams. Grand Base Loss~$1.7 million Grand Base, a real-world asset tokenization protocol on Coinbase's layer-2 blockchain, lost $1.7 million due to a private key compromise. The incident occurred on April 15, with PeckShield confirming the private key leak allowed the theft and on-chain swap of tokens for Ether, then sent to an external address. The protocol’s native token value plummeted by 99% within 24 hours of the exploit. Grand Base admins warned users via Telegram to avoid interacting with the compromised token contract. Analysis by CertiK revealed the hacker gained control of deployer contracts, minted GB tokens unauthorizedly, and withdrew them. Grand Base staff are monitoring the hacker’s wallets and coordinating with exchanges to potentially freeze any transferred funds. Users in the protocol's Telegram expressed frustration and distrust, advising against further investment. MASA Token Loss~$502.0K Fake Masa $MASA on Ethereum dropped -100%. The deployer 0xEB35...80a71 dumped 1,769,800,761,000,000 $MASA for ~142.8 $WETH (worth ~$502K). Community Spotlight

Week 63 - Ethereum Eyes $1B Annual Profit in DeFi Surge | Solana's Urgent Congestion Patch Goes L...

GM! Buidlers

In this edition, we spotlight the latest pivotal updates from the blockchain world. Discover Solana’s newly implemented congestion patch, explore Polygon’s collaboration with OKX through the X Layer, and learn about Subsquid’s launch of BeraChain. We also cover Arbitrum's bold moves toward greater decentralization, and address the serious implications of recent security breaches which have led to significant financial losses of over $47M. Get all the details on these critical developments and more, ensuring you stay ahead in the evolving landscape of blockchain technology and security, courtesy of QuillAudits.

EtherScope: Core Developments 👨‍💻

Token2049: Crypto experts highlight Ethereum blockchain problems

Ethereum aims for $1 billion annual profit as DeFi gains momentum in Q1

Layer 2

L2BEAT Costs: breakdown of L2 transaction costs

XEN spam is 68% of Base state

Steven Goldfeder: technical & financial benefits end at L3

ZeroPool: zk native sharded storage protocol

Prooφ: SNARK prover market mechanism

RollCall (L2 standards) call video

EIPs:

EIP7684: Return deposits for distinct credentials

EIP7685: General purpose execution layer requests

EIP7686: Linear EVM memory limits

EIP7688: Forward compatible consensus data structures

RIPs (Rollup Improvement Proposals):

RIP7696: Precompile for generic DSM (double scalar multiplication)

ERCs (application layer):

ERC7680: Valued tokens with layered liquidity

ERC7681: Dual nature multi-token protocol (ERC20 & ERC1155)

ERC7682: Auxiliary funds capability

ERC7689: Smart blobs (state machine on top of blobs)

ERC7695: Ownership delegation and context for NFTs

ERC7683: The Cross-Chain Intents Standard

Tools

Guide to using Kurtosis & ethereum-package to launch local devnets

Tracoor: beacon data & execution trace explorer to identify & address network problems

Assertoor: cross-client integration testing tool, higher abstraction level than Hive

EcoExpansions: Beyond Ethereum 🚀

Solana

Solana releases mainnet beta update v1.17.31 to resolve congestion issues

Solana rallies 9% as developers launches update to tackle network congestion

Solana AI projects to watch as io.net's launch draws near.

Solana DEX Drift to Airdrop 100M Tokens in Weeks

Polygon

OKX Launches X Layer, Built with Polygon CDK, Enabling 50M+ Users to Tap Unified Liquidity of the AggLayer

OraProtocol’s onchain AI oracle (OAO) is integrating with Polygon PoS

Polygon Labs Awarded ISO 27001 Certification, the Gold Standard of Compliance for Information Security Management Systems

IBC, meet AggLayer, for cross-chain transactions and inter-network communication

Polygon aims to bridge Solana with Ethereum as analysts eye new AI altcoin

Berachain

Berachain's Meme Marketing Leads to $100M Raise

Subsquid Unleashes BeraChain Indexing for Enhanced Decentralized Data Access

ZOTH Atlas (Incentivized Testnet) is Now Live on Berachain

Arbitrum

Arbitrum BOLD Testnet Live: The Next Step in Decentralization

Arbitrum Foundation Grant Program Phase Three is NOW OPEN!

DevToolkit: Essentials & Innovations 🛠️

A beginner's guide to Runes

Learn, integrate, and build on a new modular EVM with Berachain.

Slither v0.10.2: slither-mutate support for Foundry projects, unused imports detector and supports aliases

Guide to writing efficient DuneSQL queries

Remix v0.47.0: adds Solidity Copilot using SolCoder LLM, pin contracts deployed to Remix VM and DappDraft plugin to generate a front end

Fuzzing smart-contracts practical aspects: Echidna

Sub Zero: mine vanity addresses using CREATE2, tokenized as ERC721 NFTs

inkmate, a set of gas-efficient smart contracts written in Rust.

Explore the Depths of Knowledge: Research Papers, Blogs and Tweets🔖

Good Reads 📚

Runes Will Help Bitcoin DeFi ‘Close the Gap’ on Ethereum, Solana: Franklin Templeton

2024 Q1 Crypto Industry Report

Zero Knowledge Summit (zkSummit) 2024: Field notes

WorldCoin to launch Layer 2

Layer 2 Scroll zkEVM Introduces Points Program

Tweets

Introducing Subscription Minting

The Decentralized Compute Narrative

Runes - Bitcoin's new Fungible Token Standard

20 of the Most Innovative Onchain Experiments From the Last 3 Years

HyperspaceZK: A fast and free browser-based ZK engine for AI agents

GitHub Repos

Theoretical and technical aspects of tokenisation of real world assets.

Zero-Knowledge-Mastery

Research Papers

Privacy-Preserving UCB Decision Process Verification via zk-SNARKs

Performance Analysis of Decentralized Physical Infrastructure Networks and Centralized Clouds

mABC: multi-Agent Blockchain-Inspired Collaboration for root cause analysis in micro-services architecture

SoK: Decentralized Finance (DeFi) -- Fundamentals, Taxonomy and Risks

Watch🎥

Web3 Security Watch 🛡️

Good Reads 📚

Privacy by default on L1s?

SEAL-ISAC (database of blackhat info): free membership for whitehats via application

Heimdall Security Bug Fix

Demystifying account abstraction ERCs

Tweets

Zellic found critical vulnerability in Gains Network

Concept of Stealth Addresses

GitHub Repos

DeFi, Blockchain and crypto-related OpSec researches and data terminals

Research Papers

Evaluating the Security of Merkle Trees in the Internet of Things: An Analysis of Data Falsification Probabilities

Larger-scale Nakamoto-style Blockchains Don't Necessarily Offer Better Security

Tools

Mempool Dumpster: dump all the mempool transactions 🗑️ ♻️ (in Parquet + CSV)

Hacks and Scams 🚨

Hedgey Finance
Loss ~ $44.7 million

Hedgey Finance experienced two hacks, losing a total of $44.7 million across the Arbitrum and Ethereum networks.

The larger hack on the Arbitrum network resulted in a loss of approximately $42.8 million in ARB tokens, with some funds moved to Bybit exchange.

A smaller exploit on the Ethereum network earlier led to a loss of $1.9 million in cryptocurrencies.

Hedgey Protocol confirmed the exploits and is working with auditors to identify the underlying vulnerabilities.

Following the attack announcement, fake accounts appeared, posting harmful links under the guise of offering help, leading to potential further scams.

Grand Base
Loss ~ $1.7 million

Grand Base, a real-world asset tokenization protocol on Coinbase's layer-2 blockchain, lost $1.7 million due to a private key compromise.

The incident occurred on April 15. PeckShield confirmed that the private key leak allowed the attacker to steal tokens and swap them on-chain for Ether, which was then sent to an external address.

The protocol’s native token value plummeted by 99% within 24 hours of the exploit.

Grand Base admins warned users via Telegram to avoid interacting with the compromised token contract.

Analysis by CertiK revealed that the hacker gained control of deployer contracts, minted GB tokens without authorization, and withdrew them.

Grand Base staff are monitoring the hacker’s wallets and coordinating with exchanges to potentially freeze any transferred funds.

Users in the protocol's Telegram expressed frustration and distrust, advising against further investment.

MASA Token
Loss ~ $502.0K

A fake Masa ($MASA) token on Ethereum dropped 100%. The deployer 0xEB35...80a71 dumped 1,769,800,761,000,000 $MASA for ~142.8 $WETH (worth ~$502K).

Community Spotlight

Breaking down and building RWAs with QuillAudits

QuillAudits has recently launched a GitHub repository that covers everything that you need to know about Real World Assets. We have created this repo with a very comprehensive and detailed approach for the developers.

Real World Assets (RWAs) refer to physical and financial assets—ranging from cash and commodities to intellectual property and artworks—that are tokenized on the blockchain. By leveraging blockchain technology, these assets can be digitized, enabling more accessible, secure, and efficient transactions. The RWA approach opens up numerous possibilities for asset management, investment, and exchange in a decentralized and transparent manner.

We’ll also be doing a YouTube live on 19th April (Friday) on QuillAcademy in which we’ll go through the whole theoretical and practical explanation of the repository.

What Can You Find in This Repository?

The RWA repository is a comprehensive resource hub where you can find:

Beginner Friendly Theory: Provides a foundational understanding of how real-world assets can be tokenized and managed on the blockchain, featuring simple explanations and introductory guides.

Code Examples: We'll be diving deep into the technicalities of tokenisation of Real-World Assets by developing an Apple Coin (AAPL) ERC-20 token.

Technical Guides: Whether you're a beginner or an advanced user, our guides provide detailed insights into the functionalities and implementations of RWAs. FYI: We have portrayed how Apple Shares can be tokenized on the blockchain as an example.

Resources: Connect with a wealth of knowledge through curated links, articles, and papers that expand your understanding and capabilities in the blockchain space.

Visit the RWA GitHub Repository

Join Our Community

This repository is not just a resource; it's a community. We encourage you to dive in, experiment with the code, propose enhancements, and share your discoveries. Whether you're looking to develop new applications or simply curious about the technology, there’s something here for everyone.

We believe that the tokenization of real-world assets represents a significant leap forward in how we think about and interact with traditional assets. With this repository, we aim to facilitate a deeper understanding and broader adoption of blockchain technology in mainstream asset management.

Get Involved!

LinkedIn - https://www.linkedin.com/company/quillaudits/

Twitter - https://twitter.com/QuillAudits

GitHub - https://github.com/Quillhash

Week 60 - Layer 2 Triumphs | EigenLayer 2nd in DeFi TVL! | Polkadot's Ink v5 released | CURIO and...

GM! Buidlers

Welcome to the latest edition of HashingBits! This edition is packed with exciting developments in Ethereum, particularly in Layer 2 scalability solutions and other ecosystems like Solana, EigenLayer, Polygon, NEAR, and Tezos. Dive into the latest Developer Updates, including Polkadot's Ink v5 release, Cyfrin Updraft for web3 DevOps and solidity updates. Stay updated on recent blockchain hacks, including $62.5 million lost by Munchables and $16 million by CURIO due to Smart Contract vulnerabilities.

EtherScope: Core Developments 👨‍💻

Check out how BlackRock plans to start a new RWA tokenisation fund on Ethereum

Mainnet successfully upgraded to Dencun

Consensus-specs v1.4.0 for Dencun mainnet release

Layer 2

L2 fees drop to cents & below: L2 Fees, Gas Fees & grow the pie

Optimism fault proofs are now live on OP Sepolia testnet

Arbitrum upstages Ethereum as Daily transactions are through the roof amidst L2 Networks’ surge

EIPs:

EIP7657: Sync committee slashings

EIP7658: Light client data backfill

EIP7659: Stepwise blob throughput increase

ERCs (application layer):

ERC7656: Generalized token-linked contracts

EcoExpansions: Beyond Ethereum 🚀

Solana

Solana’s first liquidity bootstrapping platform 1intro launched

Solana developers can natively swap USDC tokens from Ethereum and other ecosystems

The next-gen standard for NFTs, Core is now presented by Metaplex

Polygon

The first rollup improvement proposal with the Napoli Upgrade

Polygon AggLayer to facilitate Astar’s zkEVM Mainnet launch with Ethereum interoperability

NEAR

Chain signatures to facilitate cross-blockchain transactions from your NEAR account, now secured by Eigenlayer and NEAR stakers

Tezos

Oxford 2 now activated by Tezos to enhance flexibility and security for Blockchain

Created by artist Agoria, the collection comprises five unique NFTs minted on the Tezos blockchain.

Eigen Layer

EigenLayer has reached $11.2B in total value locked (TVL). The Ethereum restaking protocol overtook Aave to become the 2nd largest protocol by TVL.

Introducing Edgeless Network: A Fee-Free Ecosystem on Arbitrum Nitro Chain with EigenLayer's DA Solution

DevToolkit: Essentials & Innovations 🛠️

web3py middleware (v7 beta): class-based middleware replaces functional programming paradigm

Buidl on Aptos and Sui with the move book

Here is how to make your own ERC-404 Token!

Polkadot’s strengthened security with upgradeable contracts, implementing fallible methods.

Solidity v0.8.25: Cancun default EVM version, MCOPY used in code generator and TSTORE usage warnings reduced to once per compilation

Ethernaut-cli (toolbox): built on Hardhat tasks, AI requires OpenAI API key; beta

Cyfrin Updraft adds web3 DevOps & Assembly & Formal Verification courses

Explore the Depths of Knowledge: Research Papers, Blogs and Tweets🔖

Articles

How EigenLayer’s Restaking Enhances Security and Rewards in DeFi

EIP-4844 Explained: The Key to Ethereum’s Scalability with Protodanksharding

Tokenomics: A Method for Assessing Tokens

BitVM 2: Permissionless Verification on Bitcoin

Tweets

Master ECDSA: Elliptic Curve Digital Signature Algorithm.

EigenLayer: On Liquid Restaking: Risks & Considerations

Proof of concept for verifying a plonky3 proof in plonky2

EIP-3074 Explained

Research Papers

Privacy-Preserving Energy Trading Using Blockchain and Zero Knowledge Proof

An Account Selection Model for Identifying Valuable zkSync Users

Watch🎥

Web3 Security Watch 🛡️

Articles

These PyPI Python Packages Can Drain Your Crypto Wallets.

A Practical Guide On Honeypot Attacks in Smart Contracts

Attackers abuse cloud accounts to spawn thousands of crypto CDN nodes.

Sepolia Incident

GitHub Repos

Smart Contract Auditing Roadmap

OpenZeppelin Ethernaut CTF 2024 challenges & solutions

Research

How to securely transfer unclaimed tokens from a compromised wallet by Phoebe.

Cryptocurrency Privacy Technologies: Bulletproof Range Proofs by patrickd.

Censorship, Latency, and Preconfirmations in the Blob Market by Primev.

Tools

deExplorer - A tool designed to monitor cryptocurrency movement across multiple blockchains, providing insights into investor behavior. It allows observation of the blockchains where investors deposit and withdraw funds, offering valuable data on cross-chain transaction patterns.

Aderyn - Aderyn is a Rust-based static analyzer specifically designed for Web3 smart contract security and development. It takes a bird's eye view over your smart contracts, traversing the Abstract Syntax Trees (AST) to pinpoint suspected vulnerabilities. Developed by Cyfrin.

Hacks and Scams 🚨

Visit Quill Monitor

1. Munchables

Loss ~ $62.5M

Blockchain data shows that Munchables, a Web3 project on the Blast blockchain, was drained of an estimated $62.5 million worth of ether early Wednesday after a contract was maliciously manipulated.

Munchables said on X that the developer had shared all private keys to recover the funds.

The attacker apparently transferred the stored users’ funds to themselves before upgrading the platform’s smart contracts. Blockchain sleuth ZachXBT said the attacker was likely North Korean, based on their GitHub commit activity. They are listed on GitHub as “Werewolves0493” and allegedly worked for the Munchables team.

2. CURIO

Loss ~ $16M

Real-world asset (RWA) liquidity firm Curio suffered a smart contract exploit involving a critical vulnerability related to voting power privileges, allowing the attacker to steal $16 million in digital assets.

On 25th March 2024, Curio reported an exploit due to a flaw in their system's access control, allowing the unauthorized minting of 1 billion Curio Governance Tokens (CGT). They aim to compensate affected parties through the introduction of CGT 2.0.

The company informed its community about the breach, attributing it to a vulnerability in a MakerDAO-based smart contract's permission logic, which enabled the attacker to mint 1 billion CGT.

Community Spotlight

Decentralized Derby, started by QuillAudits, is a hub for showcasing new Web3 ideas and connecting entrepreneurs with top investors and the wider community. It's designed for creators ready to pitch, investors looking for the next big thing, and anyone keen on the latest in blockchain.

If you've got an idea or project that could shape the future of technology, we'd love to hear from you. Sign up to pitch your project here.

Check Out Our Past Derby Pitchers' Insights!

Particle Trade and Dualpool exploited overnight

In brief ⚡

Miner Token Exploited for $463.4k: ERC-X Vulnerability Leads to 87% Price Drop

DeFi Exploits Strike BSC: @particle_trade and @dualpools Suffer Losses Totalling $180k

Crypto Casino Duelbits Loses $4.6 Million in Exploit; Hacker Utilizes Asset Swaps to Obfuscate Trail

Visit QuillMonitor

Hacks and Scams⚠️

MinerCx

Amount of Loss:  ~ $463k

Analysis

Miner ERC-X token, following an exploit on Feb 14, lost approximately 168.8 ETH (valued around $463.4k), leading to an 87% drop in its price.

The exploit was attributed to a vulnerability in the smart contract, specifically in the _update function, which erroneously awarded free tokens when users transferred tokens to themselves.

The attacker exploited this flaw by sending tokens to themselves in multiple transactions, causing the balance calculation to double the tokens in the attacker's account.

The Miner Team responded by announcing plans to re-audit the vulnerable contract and redeploy it after rectification. They intend to use the remaining liquidity of approximately 130 ETH for redeployment and plan to take a pre-exploit snapshot of current holders.

Additionally, the team attempted to negotiate with the attacker through an on-chain message, offering a 30% reward (~$120k) in return for returning the stolen funds, but as of now, the attacker has not responded to the offer.
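The self-transfer flaw described above can be caught by a supply-conservation check. The following is an added example, not the Miner contract's code: it assumes the bug class arises from reading both balances before writing either (one common way a self-transfer credits free tokens), and the ledger classes, account names and sample transfers are constructed for illustration.

```python
"""Constructed model of a self-transfer accounting bug in a token _update()."""

# Constructed sample data: two holders and three transfers, two of them
# self-transfers. These are not values from the incident.
SAMPLE_INITIAL = {"alice": 100, "bob": 50}
SAMPLE_TRANSFERS = [
    ("alice", "bob", 10),
    ("bob", "bob", 60),
    ("bob", "bob", 60),
]


class Ledger:
    """Minimal balance ledger (hypothetical, for illustration only)."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def total_supply(self):
        return sum(self.balances.values())

    def balance_of(self, account):
        return self.balances.get(account, 0)


class VulnerableLedger(Ledger):
    def _update(self, sender, recipient, value):
        # Both balances are cached before either one is written.
        sender_balance = self.balance_of(sender)
        recipient_balance = self.balance_of(recipient)
        if sender_balance < value:
            raise ValueError("insufficient balance")
        self.balances[sender] = sender_balance - value
        # If sender == recipient, recipient_balance is stale: this write
        # discards the debit above and credits `value` that never existed.
        self.balances[recipient] = recipient_balance + value


class HardenedLedger(Ledger):
    def _update(self, sender, recipient, value):
        sender_balance = self.balance_of(sender)
        if sender_balance < value:
            raise ValueError("insufficient balance")
        # Debit first, then re-read the recipient balance from storage,
        # so a self-transfer nets to zero.
        self.balances[sender] = sender_balance - value
        self.balances[recipient] = self.balance_of(recipient) + value


def check_supply_invariant(ledger_cls, transfers, initial):
    """Replay transfers and report every one that changes total supply.

    A plain transfer must never mint or burn, so any difference between
    the supply before and after a transfer is an accounting bug.
    Returns (violations, final_ledger).
    """
    ledger = ledger_cls(initial)
    violations = []
    for index, (sender, recipient, value) in enumerate(transfers):
        before = ledger.total_supply()
        ledger._update(sender, recipient, value)
        after = ledger.total_supply()
        if after != before:
            violations.append((index, (sender, recipient, value), before, after))
    return violations, ledger


if __name__ == "__main__":
    for cls in (VulnerableLedger, HardenedLedger):
        found, final = check_supply_invariant(cls, SAMPLE_TRANSFERS, SAMPLE_INITIAL)
        print(cls.__name__, "supply:", final.total_supply(), "violations:", found)
```

The same invariant, written as a fuzz or unit test that includes `from == to` among its inputs, is the check an audit of transfer logic would be expected to run.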

Particle Trade and Dual Pool

Amount of Loss:  ~ $139k and $41k

Analysis

Two DeFi protocols, @particle_trade and @dualpools, experienced exploits resulting in significant losses, approximately $139k and $41k respectively.

@particle_trade confirmed the exploit, attributing it to unchecked user input on their previously deprecated NFT contract, while asserting that their current protocol remained unaffected.

@dualpools, however, has yet to officially acknowledge the hack, despite details of the exploit being shared publicly.

The breakdown of stolen funds from the @dualpools exploit includes various cryptocurrencies such as BNB, BTCB, ETH, ADA, and BSC-USD.

Specific transaction and contract addresses associated with the @dualpools exploit have been identified and shared, providing insight into the malicious activity.

DuelBits

Amount of Loss:  ~ $4.6M

Analysis

On February 13th, the crypto casino platform Duelbits experienced a significant exploit resulting in approximately $4.6 million worth of crypto assets being lost.

The exploit targeted Duelbits' wallets on both the Ethereum ($ETH) and Binance Smart Chain ($BNB) networks.

While Duelbits has not yet released an official statement regarding the hack, speculation suggests a compromised private key or loss of wallet access control as potential causes.

Stolen funds included various tokens such as USDT, APE, and SHIB, with the attacker attempting to obfuscate the trail by swapping assets from the BNB chain to Ethereum.

To overcome gas fee limitations during asset bridging, the hacker utilized the FixedFloat service for quick cryptocurrency exchanges.

Explore the Depths of Knowledge: Research Papers, Blogs and Tweets🔖

Tweets

ALPHA ALERT: I just found a cool, well-articulated way to approach a codebase while auditing smart contracts. Sources and Sinks. This is used in Web2. They call it Taint Analysis.

How did I find a way to block the LayerZero pathway?

This new ERC404 hype seems to have a funny side-effect in its _transf

Every blockchain or smart contract language should be aware of the “tutorial avalanche” and do their best to trigger it.

3 mandatory checklists to go through before doing a smart contract security audit on your codebase:

GitHub Repos

 uniswap-resources

Articles 

6 security sins of Web3 bridges

Exchange Rate Manipulation in ERC4626 Vaults

ZK-Audit

Vulnerable Spots of Lending Protocols

Ethereum Executes Blockchain Hard Fork to Return DAO Funds

Web3 Community Spotlight🔦

Transforming Assets: Unlocking Real-World Asset Tokenization

Thanks for reading HashingBits! Share a summary of our newsletter on your social media platforms, tag us, and use the #AwareToEarn hashtag, and you could win 10 USDT as a reward! Help us build a safer Web3 ecosystem and have a chance to earn rewards and support our work.
