Recently, there have been a lot of asset thefts caused by shared #Apple IDs. We believe that the key is "apps are not bound to device codes".
1/ This issue is prevalent in 99% of #wallets, trading apps, and other apps. It is a concern we voiced a long time ago. However, because it was not considered in the initial stages of app design, the majority of apps on the market have yet to rectify it.
2/ This lack of binding can lead to data being pulled off the device or maliciously synchronized to other devices, resulting in potential breaches. Combined with other techniques, such as social engineering or brute-forcing passwords, this can lead to theft of assets.
3/ A word of caution for everyone: do not use shared Apple IDs, and be wary of screenshots from your photo gallery being uploaded. There have been instances where such actions led to losses.
4/ Additional note: there is possibly a decentralization trade-off here. If past device information is bound, the design leans towards centralization, so striking a balance here poses its own set of challenges.
5/ NEVER use shared Apple IDs. Not only is the risk of theft high, but your device itself could also become a problem. Good security awareness is paramount.
On May 20, 2023, @TornadoCash suffered a governance attack, in which exploiters took control of the governance of TornadoCash by executing a malicious proposal.
On 2023-05-13 at 07:22 UTC, the exploiters initiated proposal #20 and explained in the proposal that it is a supplement to proposal #16 with the same execution logic.
But in fact, the proposal contract has extra self-destruct logic, and its creator, 0x7dC86183274b28E9f1a100a0152DAc975361353d, was itself created through create2 and has a self-destruct function, so after it self-destructed along with the proposal contract, the exploiters could still… twitter.com/i/web/status/1…
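The reason a create2-created creator plus self-destruct matters is the general "metamorphic contract" pattern, illustrated below as an added example (these are not the attacker's contracts, and the Deployer, Factory and Governance names and the executeProposal() delegatecall interface are assumptions for the illustration). Under the pre-Cancun semantics that applied in May 2023, selfdestruct wiped the account including its nonce, so the same factory, salt and init code recreate the creator at the same address, and its first CREATE lands on the old proposal address with whatever bytecode is supplied. The Governance contract shows the check a DAO can make against this: pin the proposal's extcodehash when the proposal is created and refuse to execute if it has changed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Creator contract deployed with CREATE2. A fresh contract's nonce is 1, so its
// first CREATE always lands at keccak256(rlp([address(this), 1]))[12:], no matter
// which init code is passed. After selfdestruct (pre-Cancun) the nonce resets.
contract Deployer {
    address public immutable owner;

    constructor(address _owner) { owner = _owner; }

    function deploy(bytes memory initCode) external returns (address addr) {
        require(msg.sender == owner, "not owner");
        assembly { addr := create(0, add(initCode, 0x20), mload(initCode)) }
        require(addr != address(0), "create failed");
    }

    function destroy() external {
        require(msg.sender == owner, "not owner");
        selfdestruct(payable(owner));
    }
}

// Same salt + same constructor argument => same Deployer address on every call,
// which is what lets a destroyed Deployer be brought back.
contract Factory {
    function createDeployer(bytes32 salt, address owner) external returns (address) {
        return address(new Deployer{salt: salt}(owner));
    }
}

// Defensive side (assumed interface: the proposal is run via delegatecall to
// executeProposal(), as Tornado-style governance does). Voting is omitted.
contract Governance {
    struct Proposal { address target; bytes32 codeHash; }

    uint256 public proposalCount;
    mapping(uint256 => Proposal) public proposals;

    function codeHashOf(address a) internal view returns (bytes32 h) {
        assembly { h := extcodehash(a) }
    }

    function propose(address target) external returns (uint256 id) {
        bytes32 h = codeHashOf(target);
        // 0 => no account at all; keccak256("") => account exists but has no code
        require(h != bytes32(0) && h != keccak256(""), "proposal has no code");
        id = ++proposalCount;
        proposals[id] = Proposal(target, h);
    }

    function execute(uint256 id) external {
        Proposal memory p = proposals[id];
        // A redeployed proposal at the same address has different bytecode,
        // so its extcodehash no longer matches what voters looked at.
        require(codeHashOf(p.target) == p.codeHash, "proposal code changed since creation");
        (bool ok, ) = p.target.delegatecall(abi.encodeWithSignature("executeProposal()"));
        require(ok, "proposal failed");
    }
}
```

Since the Cancun upgrade (EIP-6780), selfdestruct only removes an account's code and nonce when it runs in the same transaction that created the account, so this particular redeploy trick no longer works on mainnet; the extcodehash pin is still worth keeping because it turns "trust that the code cannot change" into an explicit check.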
On May 11th, a user reported a phishing attack leading to the loss of their wallet assets, raising security concerns around permit signatures. This thread is dedicated to understanding the nature of this theft and how we can stay secure.🔐👇
The victim reported that they inadvertently clicked on a phishing website (syncswap[.]network) and ended up losing over $100. As insignificant as this may seem, it illustrates the security risks in the blockchain space.🔗
We found an additional permit operation related to the contract caller address. To understand its implications, we first need to understand what a permit is. For ERC-20 tokens that support it (EIP-2612), a permit lets a user grant an allowance to a smart contract with an off-chain authorization signature instead of an on-chain approve transaction. 📝💼… twitter.com/i/web/status/1…
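To make the permit mechanism concrete, here is an added example of a minimal EIP-2612 permit in an ERC-20-style token, together with what any spender contract does once it holds a signature (this is illustrative code, not the phished token or the attacker's contract; the PermitToken and Spender names are assumptions). The security-relevant point: the owner never sends a transaction, only a signature over (owner, spender, value, nonce, deadline), so a phishing page that gets the victim to sign with the attacker's address in the spender field can submit permit() and transferFrom() itself.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

contract PermitToken {
    string public constant name = "PermitToken";

    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    mapping(address => uint256) public nonces; // one-time use per signature

    bytes32 public constant PERMIT_TYPEHASH =
        keccak256("Permit(address owner,address spender,uint256 value,uint256 nonce,uint256 deadline)");
    bytes32 public immutable DOMAIN_SEPARATOR;

    constructor() {
        // EIP-712 domain binds the signature to this token and this chain.
        DOMAIN_SEPARATOR = keccak256(abi.encode(
            keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"),
            keccak256(bytes(name)), keccak256("1"), block.chainid, address(this)));
        balanceOf[msg.sender] = 1_000_000e18; // constructed supply for the example
    }

    // Anyone may submit the signature; msg.sender is irrelevant. Only the signed
    // fields decide who (spender) may move how much (value) of whose tokens (owner).
    function permit(address owner, address spender, uint256 value, uint256 deadline,
                    uint8 v, bytes32 r, bytes32 s) external {
        require(block.timestamp <= deadline, "permit expired");
        bytes32 digest = keccak256(abi.encodePacked(
            "\x19\x01", DOMAIN_SEPARATOR,
            keccak256(abi.encode(PERMIT_TYPEHASH, owner, spender, value, nonces[owner]++, deadline))));
        address signer = ecrecover(digest, v, r, s); // production code also rejects high-s (EIP-2)
        require(signer != address(0) && signer == owner, "invalid signature");
        allowance[owner][spender] = value;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        uint256 a = allowance[from][msg.sender];
        require(a >= amount, "insufficient allowance");
        allowance[from][msg.sender] = a - amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// A spender holding a valid signature needs two calls: set the allowance, then
// pull. A legitimate dApp does exactly the same, which is why the spender address
// shown in the EIP-712 signing prompt is the field to inspect before signing.
contract Spender {
    function pull(PermitToken token, address owner, uint256 value, uint256 deadline,
                  uint8 v, bytes32 r, bytes32 s) external {
        token.permit(owner, address(this), value, deadline, v, r, s);
        token.transferFrom(owner, msg.sender, value);
    }
}
```

Two practical checks follow from the code: a wallet that renders EIP-712 fields lets the user see the spender and value before signing, and an unexpected permit granted to an unknown address can be cancelled by sending a normal approve(spender, 0) before the spender calls transferFrom.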
How effective is GPT for auditing smart contracts?
We conducted a series of tests to assess the performance of GPT-3.5(Web), GPT-3.5-turbo-0301, and GPT-4(Web) in detecting vulnerabilities within Solidity smart contracts.
On March 13th, 2023, @eulerfinance, a lending platform that operates on the Ethereum blockchain, was attacked, resulting in the attacker making off with over $190 million.
🧵👇
The attacker used flash loans to deposit funds, then leveraged the position twice to trigger the liquidation logic, donated funds to the reserve address, and performed a self-liquidation to collect the remaining assets.
Two key factors contributed to the success of the attack:
1. Funds were donated to the reserve address without being subjected to a liquidity check. This created a mechanism that could directly trigger soft liquidation.
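The first factor is a missing invariant check on one state-changing path, shown below in an added toy model (not Euler's code; the ToyLending name, the single-asset 1:1 pricing, the collateral factor and the liquidation bonus are constructed for the illustration). Borrow and withdraw both end with the health check; the vulnerable donate shape removes collateral without it, which lets a borrower deliberately push their own account under water and then liquidate it at the bonus rate.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

contract ToyLending {
    uint256 public constant COLLATERAL_FACTOR_BPS = 7_500;  // may borrow up to 75% of collateral
    uint256 public constant LIQUIDATION_BONUS_BPS = 1_000;  // liquidator seizes 10% extra

    mapping(address => uint256) public collateral; // deposit ("eToken") balance
    mapping(address => uint256) public debt;       // borrow ("dToken") balance
    uint256 public reserves;

    // Solvency invariant every path that reduces collateral or raises debt must keep.
    function isHealthy(address a) public view returns (bool) {
        return debt[a] * 10_000 <= collateral[a] * COLLATERAL_FACTOR_BPS;
    }

    function deposit(uint256 amount) external {
        collateral[msg.sender] += amount;
    }

    function borrow(uint256 amount) external {
        debt[msg.sender] += amount;
        require(isHealthy(msg.sender), "undercollateralized");
    }

    function withdraw(uint256 amount) external {
        collateral[msg.sender] -= amount;
        require(isHealthy(msg.sender), "undercollateralized");
    }

    // Vulnerable shape: collateral leaves the account and nobody asks whether the
    // account is still solvent. The caller can make themselves liquidatable at will.
    function donateToReservesVulnerable(uint256 amount) external {
        collateral[msg.sender] -= amount;
        reserves += amount;
    }

    // Hardened shape: identical state change, followed by the same check as withdraw.
    function donateToReserves(uint256 amount) external {
        collateral[msg.sender] -= amount;
        reserves += amount;
        require(isHealthy(msg.sender), "donation would leave account undercollateralized");
    }

    // Liquidation: repay part of an unhealthy account's debt with deposited asset and
    // take collateral worth more than was repaid. Nothing stops msg.sender from being
    // a second account controlled by the same party as `victim`.
    function liquidate(address victim, uint256 repay) external {
        require(!isHealthy(victim), "account is healthy");
        uint256 seize = repay * (10_000 + LIQUIDATION_BONUS_BPS) / 10_000;
        if (seize > collateral[victim]) seize = collateral[victim];
        collateral[msg.sender] -= repay;
        debt[victim] -= repay;
        collateral[victim] -= seize;
        collateral[msg.sender] += seize;
    }
}
```

The audit question this encodes is simple to ask of any lending protocol: list every function that moves collateral out of an account or debt into it, and confirm each one ends in the same health check; a single path without it is enough.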
On February 10th, the DeFi aggregator platform @dForcenet was attacked, and the attacker made a profit of approximately 3.65 million dollars.
Here is a brief report👇
1/ The attacker first borrowed 69665 WETH through a flash loan and swapped it into ETH, then added liquidity to the wstETH/ETH pool on Curve, receiving 65343 wstETHCRV. They then deposited some of the wstETHCRV in the Curve wstETHCRV-gauge, receiving wstETHCRV-gauge tokens.
2/ The attacker deposited the wstETHCRV-gauge tokens into the dForce wstETH/ETH Vault and minted share tokens (dForce wstETHCRV-gauge) and USX tokens.
On February 2, @BonqDAO on the Polygon chain was attacked; the exploiter's total profit was 113M WALBT and 98.6M BEUR.
Here is a brief report:👇
1/ The key restriction on the TellorFlex price-oracle update process is that a reporter must first stake 10 TRB. However, the updateStakeAmount function in TellorFlex allows the required stake to be adjusted regularly based on the value of the collateral.
2/ The TellorFlex oracle contract was initialized with a stake amount of 10, and updateStakeAmount was never called to raise it, so the attacker only needed to stake 10 TRB to become a price reporter and change the WALBT price in the oracle by calling the submitValue function.
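A consumer cannot fix a reporter stake that was never raised, but it can refuse to act on a value the moment it is reported. Below is an added example of a guarded consumer (not BonqDAO's or Tellor's code): it reads the value that was current some minutes ago rather than the latest one, so a bad report has a window in which it can be disputed, and it bounds how far a price may jump between reads. The ITellor interface mirrors the getDataBefore(queryId, timestamp) read that Tellor's UsingTellor helper exposes, but is written here as an assumption; the GuardedPriceConsumer name and the delay, age and deviation constants are also assumptions for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Assumed read interface: returns the newest value reported at or before `timestamp`
// and the time it was reported (timestampRetrieved == 0 when nothing qualifies).
interface ITellor {
    function getDataBefore(bytes32 queryId, uint256 timestamp)
        external view returns (bytes memory value, uint256 timestampRetrieved);
}

contract GuardedPriceConsumer {
    ITellor public immutable tellor;
    bytes32 public immutable queryId;

    uint256 public constant DISPUTE_DELAY = 20 minutes; // ignore reports newer than this
    uint256 public constant MAX_AGE = 24 hours;         // but refuse anything stale
    uint256 public constant MAX_DEVIATION_BPS = 2_000;  // max 20% move between reads

    uint256 public lastPrice;

    constructor(ITellor _tellor, bytes32 _queryId) {
        tellor = _tellor;
        queryId = _queryId;
    }

    function getPrice() external returns (uint256 price) {
        // Read the value that was live DISPUTE_DELAY ago, not the freshest one:
        // a reporter who just staked the minimum and submitted a fake price has
        // not yet had time to be disputed.
        (bytes memory raw, uint256 reportedAt) =
            tellor.getDataBefore(queryId, block.timestamp - DISPUTE_DELAY);
        require(reportedAt != 0, "no price");
        require(block.timestamp - reportedAt <= MAX_AGE, "price stale");

        price = abi.decode(raw, (uint256));
        require(price != 0, "zero price");

        // A value that survives the delay undisputed can still be wrong; cap the
        // jump so one bad report cannot reprice collateral by orders of magnitude.
        if (lastPrice != 0) {
            uint256 diff = price > lastPrice ? price - lastPrice : lastPrice - price;
            require(diff * 10_000 <= lastPrice * MAX_DEVIATION_BPS, "price deviation too large");
        }
        lastPrice = price;
    }
}
```

The two guards cover different failure modes: the delay relies on someone disputing within the window, while the deviation bound limits damage when nobody does. The bound also makes a legitimate large move take several reads to propagate, which is the trade-off a protocol has to accept for a cheaply staked oracle.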