1/ We are thrilled to launch a powerful transaction explorer: Phalcon (phalcon.blocksec.com), which aims to provide comprehensive data on invocation flow, balance changes, and fund flows. Currently, it supports #Ethereum, #BSC, and #Cronos.
2/ Invocation Flow
Phalcon can parse the invocation flow of transactions and provide powerful search and filtering functions.
3/ Balance Changes
Phalcon can calculate the balance changes of all addresses involved and present intuitive results.
4/ Fund Flows
Phalcon can track fund transfers and generate easy-to-understand fund-flow graphs. This feature will be launched soon.
Feel free to give us feedback if you have any suggestions about product features, user experience, or anything else.
BlockSec Academy | How to Use Digital Signature and Use It Right in #NFT?
Digital signatures are widely used in #smartcontracts, e.g., in allowlist mints and order-book NFT marketplaces. However, misuse by developers also introduces risks into NFT marketplaces.
2/ #Whitelist Mint
A digital signature is used to distinguish the WL mint from the public mint. Below is an example implementation of a WL mint.
This code snippet is from the Association NFT (which has a vulnerability; do not copy this code).
2.1/Whitelist Mint
The function mint_approved() intends to implement the allowlist mint: the project owner signs a mint message (the info variable) and sends it to the permitted minter (who can mint NFTs). The minter can then invoke approved_mint with the signed variable.
2/ As a cross-chain bridge project, Nomad adopts Merkle-proof technology to verify that user requests are valid. By calling the **process** function, a user can pass the request message to the contract.
3/ The verification procedure in the **process** function first finds the corresponding Merkle root by the hash of the message; the Merkle root is then passed into the **acceptableRoot** function to check whether it is legal.
2/ Two addresses (0x1efdcdcb and 0xb773b412) continuously traded the token at a very high price (100 ETH). As a result, the total wash-trading volume is up to 600 ETH!
3/ Wash trading is usually used to mislead users/investors. However, wash trading Uniswap V3 LP tokens seems odd, because a Uniswap V3 LP token only represents a position in a Uniswap pool. We performed a further investigation to find out the facts.
2/ As a result, an attacker can sell a worthless NFT to a buyer (passed as a parameter to the function) without the buyer's consent, provided the buyer has approved this contract.
3/ This contract has another similar vulnerability: an attacker can buy a seller's NFT at a very low price without the seller's consent (the NFT must be approved to this exchange). That's because fillBuyOrder does not check the seller's signature.
2/ The attacker borrowed 131,162.00 WBNB and 91,035,000.00 using the flash loan.
Then the attacker swapped the 131,162.00 WBNB for 34,244 ELEPHANT tokens.
3/ The attacker minted TRUNK tokens by providing BUSD. In particular, the vulnerable contract first swaps BUSD to WBNB and then uses ELEPHANT to buy ELEPHANT. During this process, the price of ELEPHANT rises. The attacker got TRUNK tokens.
1/5) We have seen cases where a cat-and-mouse game is happening in the crypto world. One case is a token trying to obfuscate its logic.
This token Moonpro (Moonpro) bscscan.com/address/0xd4c6… has an "interesting" way of obfuscating its 'transfer' function.
2/5) First, only Elon() can transfer the token.
3/5) Then onlyElon() will invoke the Tesla() function, which further fires DOGE(). During the fire function, it makes a delegatecall to another contract.