deAlex
Co-Founder @deBridgeFinance. I left academia before defending my Ph.D. to #buidl for Web3.
Jan 31, 2023 11 tweets 4 min read
1/ I usually refrain from commenting on the buzz around competitors in the space, but I was disappointed by @LayerZero_Labs's aggressive response to @_prestwich's reasonable criticism, so would like to leave a few comments about bridge design features
2/ The primary function of a bridge is to provide a secure and reliable validation layer that participants cannot collude to forge. The goal is to make the validation layer as reliable as possible and maximize its financial guarantees.
Aug 5, 2022 18 tweets 5 min read
1/ @deBridgeFinance has been the subject of an attempted cyberattack, apparently by the Lazarus group.

PSA for all teams in Web3, this campaign is likely widespread.

2/ The attack vector was via email, with several of our team receiving a PDF file named “New Salary Adjustments” from an email address spoofing mine.
Jul 18, 2022 4 tweets 2 min read
@adrianhetman 1/ The value actually can be transferred across chains without the need of wrapping assets.

That requires having the natively deployed stablecoin asset which is as secure as the consensus/validation layer of the blockchain

All tokens on DEXs to be paired with this stablecoin

@adrianhetman 2/ Then all wrapped assets of different bridges only act as an intermediary step in the routing for liquidity across chains

Governance must assign limits on conversion from intermediary wrapped assets of bridges into the natively deployed stablecoin
Jun 20, 2022 15 tweets 4 min read
1/ ETH devs, have you ever seen a discrepancy between the gas amount estimated by an arbitrary @ethereum node and the amount the transaction actually consumed? We’ve faced underestimations of 2-3x, but deBridge Solidity lead @alexeychr made an interesting discovery. A 🧵⤵️

2/ Years ago, two major implementations (geth, ganache) were performing transaction executions during the eth_estimateGas call to obtain the amount of gas consumed.

This approach may have led to underestimation because of internal gas refunds.
Jun 9, 2022 14 tweets 5 min read
1/ A quick analysis of what happened with Optimism and how the hacker managed to create a @gnosisSafe wallet in @optimismPBC with the same address as Wintermute has on Ethereum 🧵

2/ @wintermute_t Gnosis Safe wallet was created on the Ethereum chain 561 days ago through the old Gnosis factory contract 0x76E2c (version 1.1.1). The addresses of all wallets created through this version of the factory only depended on its nonce (the serial number).
Jun 8, 2022 5 tweets 2 min read
1/ Web3 projects, you can now offer seamless cross-chain experiences by adding a few lines of code into your Apps🙌

Our new deSwap Widget can be used to drive revenue, improve liquidity inflows, and give your users powerful new cross-chain journeys🧵

2/ deSwap Widget is a capital-efficient solution allowing you to easily offer cross-chain swaps + transfers of arbitrary assets from within your app or site.

Integration is as simple as injecting the Widget code, and then customizing the appearance/chains/tokens desired.
Feb 3, 2022 7 tweets 3 min read
1/ Since the @wormholecrypto vulnerability was patched here are some details that our Rust team discovered. The attack was performed through Rust contracts in Solana. This is the transaction where the attacker minted ETH tokens
solscan.io/tx/2zCz2GgSoSS…

2/ This is the transaction where signature verification was performed for this minting:
solscan.io/tx/25Zu1L2Q9uk…
Feb 2, 2022 4 tweets 2 min read
Quick view in the Wormhole code. There is a public method `publishMessage` that makes validators sign any arbitrary payload. Theoretically, an attacker could form a payload that withdraws a specific token and get it signed through this function

github.com/certusone/worm…

The only protection from that is this verifyBridgeVM check during the claim, which validates the correctness of the address that initiated this message. It seems that the hacker managed to make Solana Smart Contract sign a message on behalf of the contract
dashboard.tenderly.co/tx/mainnet/0x2…