1. The attacker uses "oowner" to define the owner so that analysis considers that the contract has no owner -- really benign in the eyes of static analysis!
@GoplusSecurity @Token_Sniffer 2. The code for the rug pull is inside the "transfer" and "Approve" functions, which is very unconventional.
3. The attacker can only get infinite tokens by transferring tokens to themselves. Analysis by security companies misses this case and considers the token to have a constant total supply.
Technical details on how we made $10k/hr by mining $ORE via @bloXrouteLabs @jito_sol and GPUs.
[1/8] 🧵
@bloXrouteLabs @jito_sol [2/8] WTF is $ORE
ORE is a token on Solana with a mining program. One can claim ORE from the mining program by sending correct nonces (calculated by trying hashes) to it.
A mining tx looks like this:
@bloXrouteLabs @jito_sol [3/8] Initial Attempt for Landing Tx
Due to the massive amount of miners clogging the Solana network, it is extremely tough to land any tx.
We initially tried a strategy MEV bots used: blindly sending millions of txs every second to every open RPC on the Internet.
😝 Here is the full disclosure of the Twitter XSS + CSRF vulnerability.
Clicking a crafted link or going to some crafted web pages would allow attackers to take over your account (posting, liking, updating your profile, deleting your account, etc.)
On 12/11, @rabbit_2333 posted details about an XSS on the Twitter subdomain .