Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Mudit Gupta Profile picture
Mudit Gupta
@Mudit__Gupta
CISO @0xPolygon Labs | co-founder @deq_fi | Tech @Deltabc_fund | Blockchain Security Researcher | Ethereum & Web3 dev | Advisor & Angel Investor πŸ¦‡πŸ”Š
1π–“π–™π–Šπ–—π–‹π–†π–ˆπ–Š Profile picture 1 subscribed
Jul 18 β€’ 9 tweets β€’ 2 min read
WazirX hacked for over $230m USD (2,000 cr INR)

Their safe multisig was compromised and drained.

The hackers started practicing the hack onchain at least 8 days ago and finally executed it today.

It's a very methodical and organized attack, pointing towards DPRK as the hacker. Image The attackers upgraded the multisig to a malicious version that allowed them to drain the multisig.

Why did they upgrade it instead of just draining?
May 16, 2023 β€’ 6 tweets β€’ 2 min read
Ledger just released a new update for Nano X that allows social recovery of your seed phrase.

It encrypts your seed in 3 shards and sends it to different entities that can then reconstruct the seed for you post ID verification.

It's a horrendous idea, DON'T enable this feature. Image Oh but it is secured by ID verification!

You know what else is secured by ID verification? Mobile number porting.

Do you know how many high profile sim jacking cases happen every day? Too many.

Anything secured by "ID verification" is inherently insecure. Too easy to fake.
Apr 3, 2023 β€’ 12 tweets β€’ 3 min read
A rogue validator on Flashbot seems to be exploiting MEV bots. Over 25m USD already stolen.

The validator takes a sandwich bundle from the MEV bot and replaces the victim transaction with it's own that exploits the MEV bot instead.

Here's how it works - First, let's understand how a normal sandwich attack works.

Uniswap uses a price curve that prices the assets based on the demand and supply. If people buy lots of asset A, the price of asset A goes up. If people sell lots of asset A, the price goes down.
Nov 9, 2022 β€’ 7 tweets β€’ 1 min read
What now?

FTX customers and Alameda likely rekt but this might have a spiraling domino effect.

Here are my predictions. Not financial advise:

- Alameda might have to liquidate their positions so their liquid holdings like FTT, Sol, Crv, Uni, Sushi etc may have a hard time. - FTX ventures <> FTX relationship may cause the ventures arm to liquidate their holdings. Their investments like Near and Aptos may struggle.

- Investors of FTX will have a hard time but unless they were degen too, they should be fine.
Oct 7, 2022 β€’ 7 tweets β€’ 2 min read
BSC Token Hub bridge was exploited a few hours ago. The hacker took 2,000,000 BNB worth about $570m.

Most of the stolen funds got blacklisted/paused and the hacker is now left with about $80m of stolen funds.

Hacker's main address - debank.com/profile/0x489a… Image The exploit could've been theoretically used to drain all assets on BSC totaling over ten billion dollars but the hacker only took 2,000,000 BNB ($570m) for practical reasons.

The hacker was able to bridge out about $110m from BSC to other chains before BSC got paused.
Aug 16, 2022 β€’ 13 tweets β€’ 5 min read
@Justin_Bons We discussed this a few months ago already but you decided to post the same thread again hmm. Anyway, I'll answer the questions once again - @Justin_Bons 1) Polygon co-founders are doxxed public figures. It'll be a scam, not a hack if they rug pull. This means, they'll have tons of legal liability. It makes no sense for them to pull something like this by their own.
Jun 24, 2022 β€’ 7 tweets β€’ 2 min read
Harmony Protocol's Horizon bridge was hacked and $100 million were drained earlier today.

The bridge was essentially a 2 of 5 multisig. If any 2 addresses told it to transfer funds to someone, it did.

The hacker compromised 2 addresses and made them drain the money. πŸ§΅πŸ‘‡ Details aren't public yet but here's my guess of what happened -

The two addresses were likely hot wallets used to listen for and process legit bridging transactions.

The attacker compromised the server(s) that these hot wallets were running on.
Jun 23, 2022 β€’ 5 tweets β€’ 1 min read
⚠️Spicy content ahead. Turn away if you can't handle spice⚠️

- Appchains kill composability. Not great for DeFi.

- Consensus algorithms are not bottlenecks. Swapping them won't increase throughout. Eth's consensus algo is basically "biggest numba win". Computers are good at it. - Governance tokens are retail traps

- Code is not law

- 99% of the projects started during bull cycle won't survive the bear

- Governments have no idea how to regulate this space and they are taking help from people who have no idea either.
May 8, 2022 β€’ 5 tweets β€’ 2 min read
UST fiasco is very fishy.

- Terraform Labs removed $150m of UST liquidity from Curve yesterday
- 1 minute later, a freshly funded address bridged $84m of UST to Ethereum (Initiated bridging before TFL removed liquidity)
- 4 min later, it dumped the UST, triggering the sell-off - Terraform Labs removed another $100m of UST liquidity from Curve soon after
- As UST started to depeg, an unknown actor started dumping ETH and buying UST ($100m+)
- As UST was trading below peg, they made a profit all while avoiding bad optics around dumping Ether
Mar 15, 2022 β€’ 7 tweets β€’ 2 min read
Agave and Hundred Finance were exploited today on Gnosis chain (formerly xDAI).

The underlying reason for the hack is that the official bridged tokens on Gnosis are non-standard and have a hook that calls the token receiver on every transfer. This enables reentrancy attacks. Image Hundred Finance is a fork of Compound and apparently compound does not follow the recommended checks-effects-interactions pattern even though it refers to it.

The code executes interactions before applying the effects which make the reentrancy attacks impactful. Image
Feb 3, 2022 β€’ 10 tweets β€’ 2 min read
An attacker left a 120k ETH (~$320m) hole in Wormhole today.

The Wormhole team has promised to cover the loss to save users from bearing the cost.

Let's explore how Wormhole works and how it was exploited (Bonus Wonderland / Sifu connection and memes inside)πŸ§΅πŸ‘‡ Wormhole allows users to bridge assets across blockchains. A user can deposit an asset on one chain (source) and claim it on another (target).

Users can only claim what they have deposited earlier so that the overall supply of the asset remains constant & fungible across chains.
Dec 17, 2021 β€’ 7 tweets β€’ 3 min read
What new feature do you want in your wallet?

Here's my wishlist πŸ§΅πŸ‘‡

- On-demand bridging of assets, without requiring going to dodgy websites and manually bridging tokens.
- Allows apps to access multiple networks via a single API. - Aggregated quotes from all supported bridges. (@1inch for bridges)
- Queue transactions that are submitted when bridging completes. No need to wait for bridging to complete before doing the next steps.
- Aggregated view of your portfolio across all chains. (Inbuilt @zapper_fi)
Nov 30, 2021 β€’ 9 tweets β€’ 3 min read
An attacker stole $30m from MonoX across their ethereum and polygon deployments a few hours ago.

One of the tx: polygonscan.com/tx/0x5a03b9c03…

The exploit was caused by a smart contract bug that led to incorrect price updates when doing token swaps. πŸ§΅πŸ‘‡ When a swap happens, the price of the token sent by the user drops, and the price of the token received by the user increases. This is known as price impact.

Sending a token for swap and receiving the same token back doesn't make much sense and shouldn't be allowed, however.....
Nov 27, 2021 β€’ 8 tweets β€’ 3 min read
Visor Finance was hacked multiple times over last 2 days.

User funds were lost in the first incident but will be reimbursed. The rest of the pools were apparently test pools with only team funds (100k+).

Hello, one of DeFi's oldest exploits - Trusting spot price of a DEX. πŸ§΅πŸ‘‡ Image Unlike what Visor claims, It was absolutely a bug in the smart contract.

It was an exploit/hack, not an arbitrage.

Nov 13, 2021 β€’ 8 tweets β€’ 2 min read
Great example of risk analysis for v3's TWAP.

I would like to clarify that these parameters are specific to Euler's requirements, other protocols should do their own research.

Some key assumptions and points for discussion - The safe price is assumed to be 1.35. However, in a protocol like AAVE with 85% liquidation threshold, the safe price is 1/0.85 = 1.17

Manipulating price to 1.17 requires 110k per block vs 330k to manipulate to 1.35.

You must carefully select safe price relevant to you.
Nov 2, 2021 β€’ 12 tweets β€’ 3 min read
All TWAPs are subject to manipulation.

Devs must carefully analyze and monitor pools for which they use TWAPs.

Concentrated liquidity makes it cheaper to manipulate TWAPs. Even the most liquid stablecoin pool is manipulatable.

A community pool in Rari paid the price today πŸ§΅πŸ‘‡ The attacker manipulated the USDC-VUSD Uni v3 pool by adding $0.1 liquidity at a range that values VUSD at ~infinity and then swapping 232k USDC to 222k VUSD to move the current price/tick to that price range. Thus, making VUSD worth ~infinity.

etherscan.io/tx/0x89d0ae4dc…
Oct 27, 2021 β€’ 8 tweets β€’ 2 min read
Cream hack early analysis -
1. Using account A, Flash Borrow 500m DAI
2. Deposit 500m dai into yDAI
3. Deposit ~500m yDAI into yUSD
4. Deposit ~500m yUSD into yUSDVault
5. Mint ~$500m crYUSD (it used yUSDVault as underlying) 6. Account A now has $500m crYUSD
7. Using account B, flash borrow $2b ETH
8. Mint cETHER
9. Borrow 500m yUSDVault
10. Mint $500m crYUSD
11. Transfer $500m crYUSD to account A
12. Borrow 500m yUSDVault
13. Mint $500m crYUSD
14. Transfer $500m crYUSD to account A
Oct 15, 2021 β€’ 4 tweets β€’ 1 min read
Hot take: Events were a good stopgap solution to help offchain indexers but they should die. There's no need to raise events during general exec.

Rather, indexers should move to using a breakpoint solution where they trace transactions and capture data at certain breakpoints. Indexers have had 7 years to catch up but there's still no good solution to do this. @streamingfastio has made good progress but there's more work to be done before we can kill off events.
Oct 15, 2021 β€’ 16 tweets β€’ 4 min read
Indexed Finance was exploited today and ~$16m of tokens were stolen from their Indices.

There's already a good post mortem published by the team - ndxfi.medium.com/indexed-attack…

However, let's dive a bit deeper from a technical perspective πŸ§΅πŸ‘‡ Indexed Finance's Indices allow trading between the underlying tokens on a constant product curve. It's basically a modified version of Balancer.

The swaps affect the balances and the weights of the tokens.
Sep 30, 2021 β€’ 8 tweets β€’ 2 min read
Compound Incident Analysis:

Compound upgraded their comptroller contract to etherscan.io/address/0x374a… which had a one letter bug on L1217.

This led to a reverse rug pull in which Comptroller is giving away more rewards to (past) Suppliers than expected. πŸ§΅πŸ‘‡ About 240k COMP tokens (~$70m) have been given away already and another 40k (~$13m) will likely be given away soon. If you had supplied tokens before today, go try your luck.

It will be interesting to see if Compound requests users to return the extra tokens (like Alchemix did)
Sep 4, 2021 β€’ 7 tweets β€’ 4 min read
DaoMaker was exploited for ~$4m. They left the `init` function unprotected. The attacker re-initialized the contract with malicious data and then called `emergencyExit` to get away with the funds.

The source code is not public and some messaging by DaoMaker is questionable πŸ§΅πŸ‘‡ Image DaoMaker claimed that they had audits from 3 firms but looking at learn.daomaker.com/audits, 2 of the audits seem to be for unrelated contracts while the third one from @certik_io points to a dead link.
Image