Confession: I and @tonyke_bot printed ~$20K in 4hrs by sandwiching @four_meme_ trade. Here are the technical details, code, and giveaways 🧵🧵

We saw a few high-profit sandwiches on Thursday at midnight. This is uncommon because the profit for most sandwiches today is less than $1.

Join our group to watch interesting MEV bots together: t.me/+GU0tYsLwVPs4M…

It is apparent that this bot is sandwiching @four_meme_ trades. @four_meme_ somehow became really popular on Thursday. A lot of people created and bought tokens.

We stopped a $2.8M hack targeting AllianceBlock.

Details👇🧵

Vulnerabilities: AllianceBlock upgraded one of its staking contracts to accept new tokens due to the Bonq DAO hack two years ago. Two storage variables were deleted in the new implementation, making the storage slot `initialized` (originally at 0x12, with value 1) aliased with a slot (0xf) holding an address. The value of `initialized` is important because it indicates whether the contract has been initialized. The contract is supposed to be only initialized once.

As an address is 160 bits, the leading 96 bits in the slot are all 0s. After aliasing, `initialized` is now at slot 0xf's 95th bit, which is 0, making the contract uninitialized.

Under the current state, an attacker can re-initialize the contract. In AllianceBlock's staking contract, re-initializing can reset the `rewardRate`, `rewardToken`, and `stakingToken`. To drain `rewardToken` in the contract, one can simply inflate the `rewardRate` such that by staking a very small amount of tokens, they can get an infinite amount of reward tokens back.

It becomes a bit tricky to steal `stakingToken`. One possible way would be resetting the `stakingToken` to a contract the attacker can control, and conduct a fake stake. As soon as the developer upgrades the contract again, the attacker can backrun the upgrade transaction to unstake real staking tokens, draining them without paying anything. There might be additional ways to exploit, as we did not dig too deep.

Upgrade Tx:
Decompiled New Implementation: etherscan.io/tx/0x48dcb38af…
app.dedaub.com/decompile?md5=…

What happened: Our bot saw a tornado-cash-funded account interact with the staking contract, staking a tiny amount of tokens. To determine its intention, our bot submitted the contract for analysis to identify all possibilities to backrun that transaction so that we could drain funds from it. In less than 1ms, our bot derived the exploit that could drain all reward tokens in the contract.

The contract was then submitted for further analysis with fuzzer and symbolic execution tools. In ~4s, our engineers got a notification about all vulnerabilities and exploits to drain all tokens in the contract.

We notified the team, and luckily, they managed to fix the contract immediately.

Technical details on how we made $10k/hr by mining $ORE via @bloXrouteLabs @jito_sol and GPUs.

[1/8] 🧵

@bloXrouteLabs @jito_sol [2/8] WTF is $ORE

ORE is a token on Solana with a mining program. One can claim ORE from the mining program by sending correct nonces (calculated by trying hashes) to it.

A mining tx looks like this:

@bloXrouteLabs @jito_sol [3/8] Initial Attempt for Landing Tx

Due to the massive amount of miners clogging the Solana network, it is extremely tough to land any tx.

We initially tried a strategy MEV bots used: blindly sending millions of txs every second to every open RPC on the Internet.

😝 Here is the full disclosure of the Twitter XSS + CSRF vulnerability.

Clicking a crafted link or going to some crafted web pages would allow attackers to take over your account (posting, liking, updating your profile, deleting your account, etc.)

On 12/11, @rabbit_2333 posted details about an XSS on the Twitter subdomain .

analytics.twitter.com

https://twitter.com/rabbit_2333/status/1734185386795205086

This XSS seems to be nothing beyond alert popper because:

1). Twitter's cookies are HttpOnly, meaning reading them using Javascript is impossible.

2). There are CSRF tokens, so no CSRF attacks.

3). Strict same site policy on , so no CSRF attacks to it. twitter.com

How to make $800k every day by rug pulling?

A tutorial 🧵[1/7]

Create an ERC20 token, preferably with some funky names.

Some examples 👇

[2/7]

Make your scam token tradeable by creating a liquidity pool (LP). You can use Uniswap / PancakeSwap for this.

You initially need to add ~$50k value of assets to LP to get victims' attention.

[3/7]

gg! Our fuzzer can solve all challenges automatically in <16hrs on single core with some fine tunings 🔥🔥

Will share the writeup

Try it out: github.com/fuzzland/ityfu…

https://twitter.com/dragonfly_xyz/status/1655366504626438144

And kudos to @publicqi for solving even faster than the fuzzer and using less gas

and big thank you to @merklejerk @dragonfly_xyz for organizing such a fun CTF!