QuillAudits
Nov 5, 10 tweets, 4 min read
⚠️⚠️

$625 million worth of cryptocurrencies were stolen from the Ronin Bridge protocol in March 2022 as a result of an attack by hackers.

In June, Harmony One’s Horizon Bridge lost over $100 million in an attack.

🧵👇..
In August, the Nomad Bridge lost another $200 million as a result of an exploited vulnerability in its smart contracts.

Hackers exploited the BSC Token Hub, a cross-chain bridge, on October 6 and drained $570 million.

⬇️⬇️
What is common to all the above hacks?
They are all blockchain bridge hacks.
Let’s understand how these bridges get hacked.

#cybersecurity

⬇️⬇️
Fake Events:

A cross-chain bridge often monitors deposit events on one blockchain to transfer funds to the other.
If an attacker can generate a deposit event without making a real deposit, or by depositing a valueless token, they can withdraw value from the bridge at the other end.
Message Verification Bug:

Cross-chain bridges confirm the legitimacy of a deposit or withdrawal prior to beginning any transactions.
A missed signature validation is often all it takes for hackers to gain access to millions of dollars.

⬇️⬇️
Lack of cross-contract access control in blockchain bridges:

It is important to have access control validations on critical functions that execute actions like modifying the owner, transferring funds and tokens, pausing and unpausing the contracts, etc.

⬇️⬇️
Validator Takeover:

Some cross-chain bridges have a set of validators that vote whether or not to approve a particular transfer. If the attacker controls most of these validators, they can approve fake and malicious transfers.
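Three of the failure modes above (fake deposit events, missing signature validation, and validator takeover) come down to what the bridge's relay logic checks before it releases funds. The following added example is not part of the original thread; it is a minimal Python verifier that applies those checks, and its validator keys, contract and token addresses, and the HMAC stand-in for validator signatures are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed validator keys: stand-ins for the validators' signing keys.
# A real bridge uses ECDSA keys; HMAC keeps the example self-contained.
VALIDATOR_KEYS = {"val-1": b"k1-secret", "val-2": b"k2-secret", "val-3": b"k3-secret"}
BRIDGE_CONTRACT = "0xBRIDGE"           # only Deposit events from this contract count (constructed)
ALLOWED_TOKENS = {"0xUSDC", "0xWETH"}  # tokens the bridge agrees to honour (constructed)

def canonical(event):
    # Deterministic encoding so every validator signs exactly the same bytes.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()

def sign(validator, event):
    # What an honest validator publishes after observing the deposit.
    return hmac.new(VALIDATOR_KEYS[validator], canonical(event), hashlib.sha256).hexdigest()

class BridgeVerifier:
    def __init__(self, threshold):
        self.threshold = threshold   # valid signatures required before releasing funds
        self.seen_nonces = set()     # replay protection

    def verify_deposit(self, event, signatures):
        """Return (ok, reason). signatures maps validator_id -> hex MAC."""
        # Fake events: only Deposit events emitted by the bridge contract itself count.
        if event.get("emitter") != BRIDGE_CONTRACT:
            return False, "event not emitted by bridge contract"
        # A deposit of a valueless token must not unlock real value on the other chain.
        if event.get("token") not in ALLOWED_TOKENS:
            return False, "token not on allow-list"
        if event.get("amount", 0) <= 0:
            return False, "non-positive amount"
        if event.get("nonce") in self.seen_nonces:
            return False, "replayed nonce"
        # Message verification: count only valid signatures from known validators,
        # at most one per validator, and require the threshold to be met.
        msg = canonical(event)
        valid = set()
        for validator, mac in signatures.items():
            key = VALIDATOR_KEYS.get(validator)
            if key is None:
                continue  # unknown signer is ignored, never counted
            expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
            if hmac.compare_digest(expected, mac):
                valid.add(validator)
        if len(valid) < self.threshold:
            return False, f"only {len(valid)} of {self.threshold} valid signatures"
        self.seen_nonces.add(event["nonce"])
        return True, "release approved"
```

The threshold is the lever for the validator-takeover case: an attacker who controls fewer validators than `threshold` cannot get a forged transfer approved, so it should be set well above a bare majority of honest-case expectations.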

⬇️⬇️
Admin Private Key Leak:

If the admin key of the smart contract is leaked, all the funds and operations of the smart contract are at great risk. Recently, the Harmony bridge was exploited via the theft of two private keys.

⬇️⬇️
For an in-depth look at bridge security in blockchain, read the article: quillaudits.medium.com/bridge-securit…
Follow @QuillAudits on Twitter and Telegram to stay updated.

Protect your Web3 Project with us - audits.quillhash.com/smart-contract…

#cybersecurity #blockchain #quillaudits #smartcontract #security #smartcontractaudit
