Zellic
Security reviews and research that keep winners winning. We apply unmatched hacking talent to secure critical software for the most innovative teams.
May 5, 2023 10 tweets
🚨 Hack alert: $DEI was exploited on Arbitrum just a few hours ago.

It was a simple, yet hidden bug that caused a loss of $5,000,000. How many other contracts have this same problem?

Read below: 👇🧵 Dissecting the original exploit transaction (arbiscan.io/tx/0xb1141785b…), there are 3 main steps:
Mar 29, 2023 9 tweets
Earlier this morning, @safemoon's Liquidity Pool was compromised and USD 8.9M worth of tokens were withdrawn.

After looking at the transaction trace and the recent contract changes, we can tell you what happened: In bscscan.com/tx/0xcb8573807… the SafeMoon token was updated to include 4 new functions.
Aug 3, 2022 11 tweets
Thread: How thousands of Slope wallets were hacked and how other wallets can avoid this 👇 1/ First, the following theories are considered very unlikely and entirely rejected:

- issues in Solana core
- issues in SPL token
- crypto issues (e.g. weak RNGs)
- widespread user device compromise
- supply chain (compromised libraries)
Aug 3, 2022 14 tweets
1/ We forked Geth to compile a list of all 23,897,838 Ethereum contract addresses—a snapshot of every contract EVER deployed on Ethereum.

We found some pretty interesting addresses out there...and you might have already interacted with some of them!

Here's what we found 👇 Addresses are 20 bytes in size. Back of the napkin calculation:

24 million * 20 bytes = 480,000,000 bytes = 0.48 GB

At least half a gigabyte in the Ethereum blockchain is just occupied by contract addresses.

(This calculation isn't 100% precise, but it's a useful estimate)
Aug 2, 2022 21 tweets
1/ Nomad was just hacked for $190M, making it the 5th largest DeFi hack of all time. How did this happen? We break down not just the exploit, but also HOW THE VULNERABILITY WAS INTRODUCED IN THE FIRST PLACE.

Understanding bugs isn't enough. We need to stop merging them.👇 2/ The hack was a mess. Most hacks occur instantly. For Nomad, the bridge was slowly drained over the course of an hour.

This was the first exploit transaction.

It was simple: it interacted directly with the bridge, calling a single function, process().

etherscan.io/tx/0xb1fe26cc8…
Aug 1, 2022 15 tweets
$10,000,000 is the highest bug bounty reward ever given.🏆

Earlier this year, Wormhole awarded it for a critical finding.

Let's dive into a $10M vulnerability: 👇🧵 1/ First, let's understand what proxies are.

Blockchains are immutable, meaning deployed smart contract code cannot be changed.

Even if:
- Vulnerabilities are found
- Other bugs exist
- You want to ship new features

Proxies solve this issue.
Jul 27, 2022 15 tweets
An attacker drained $6,000,000 from Audius $AUDIO <72 hours ago.

Yet again, smart contracts remain rekt.

How did this happen?

Let's take a look: 1/ The Audius smart contracts use a pattern called the "Proxy Upgrade Pattern".

This means you can update the logic of a smart contract.

Pro: users don't need to interact with new contracts.

Con: Proxy upgrade patterns are easily misused, as proven here.

Let's dive deeper:
Jul 26, 2022 9 tweets
Want 500 $USDT for FREE?

Crypto scammers know you do.

🚨 SCAM ALERT: If you see someone "leak" a private key, don't act on it too quickly.

Here's how it works 👇 1/ First, the attacker shares a private key or mnemonic.

Either by:
a) asking for help in Twitter DMs
b) pretending to be naïve & leaking it in a Telegram chat.

To dig deeper,
Apr 2, 2022 21 tweets
In one of our recent engagements with a customer, we were asked to audit some code which depended on BokkyPooBah's DateTime library. The contract calculates the day of the month from block.timestamp, and it does this to ensure an operation happens only up to once a month. This wasn't our first time seeing BokkyPooBah's DateTime library. Many other projects depend on this code as well. This made me wonder: with a magic-looking formula like this, has this code actually been verified? If there were a bug, it would be a vulnerability across many projects.