Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
View Regular
Vazi Profile picture
Vazi
@0xVazi
Researcher @HypernativeLabs prev. @Zengo

Jul 18, 9 tweets

1/ The exploiter of the @WazirXIndia Multisig was able to drain it after changing the implementation of the Multisig, that couldn't have been done without compromising the signers EOA, but here's a closer look on the attack flow 🧵

2/ after the following tx of the Safe the attacker starts to drain, let's analyze the Msig tx params
* to - the to address is the address we want to call
* data - the data including the selector of the "to" we are calling
* operation - That's a very important one - Safe supports an Operation Enum which can be either 0 - Call or 1 - Delegatecall etherscan.io/tx/0x48164d3ad…
github.com/safe-global/sa…

3/ so in the attack tx the Attacker executes a delegate call from the msig (they were able to do it by compromising the signers keys) to a proprietary contract that was deployed 8 days ago etherscan.io/address/0xfbfF…

4/ The delegate call data to the contract as seen on (2) is
0x804e1f0a000000000000000000000000ef279c2ab14960aa319008cbea384b9f8ac35fc6
so delegating a call to the 0x804e1f0a function with 000000000000000000000000ef279c2ab14960aa319008cbea384b9f8ac35fc6 as param - an address?

5/ in the Decompilation of the 0xfbfFEF83b1C172fE3BC86C1CCB036AB9F3efCAF2 - we can see that when calling 0x804e1f0a the slot0 is modified, with the input address. since the msig delegated a call to this contract it will modify to 0 slot of the multisig itself! because of the nature of delegate call

6/ Now let's check what was stored in the 0 slot of the Msig proxy before the malicious delegatecall using we can see that prior the attack tx it was the standard safe Impl and after it was a new proprietary deployed contract evm.storage

7/ Analyzing a tx that funds were stolen:
in this tx for example 95m worth of Shiba i nu were stolen, after the modification of the impl etherscan.io/tx/0x1e523051a…

8/ Using you can see that from now on every tx to the Safe Multisig redirects a delegatecall to the new implementation address specified in (4) openchain.xyz

9/ by decompiling the new malicious impl we can see it simply transfers assets to the attacker

Share this Scrolly Tale with your friends.

A Scrolly Tale is a new way to read Twitter threads with a more visually immersive experience.
Discover more beautiful Scrolly Tales like this.

Keep scrolling