Immunefi
Immunefi is the leading security platform for blockchains. Over $180B of user funds protected across 650+ protocols.
Feb 26, 2025 8 tweets 2 min read
How to run a Proof-of-Concept on @Stacks 🛠️

Find bugs and earn from their $250k reward pool

#StacksxImmunefi

2/ 🛠️ What is a Proof-of-Concept (PoC)?

A Proof-of-Concept (PoC) environment is the perfect starting point to explore its architecture, test its functionality, and uncover potential vulnerabilities.

Learn how to set it up here: immunefi.com/academy/stacks…
Feb 25, 2025 9 tweets 3 min read
⚡Introducing Magnus: The bridge to a trillion-dollar onchain future ⚡

Magnus is the first platform to unify the onchain security tech stack in a single command center, delivering 360° hack prevention with AI-optimized SecOps.

Discover the future of onchain security👇

#ImmunefiMagnus

🧵1/8

Onchain security today is fragmented — and dangerously reliant on manual workflows.

Protocols juggle siloed security tools and processes, making them inefficient, slow, and vulnerable to catastrophic attacks. ⚠️

This is the main blocker to the next trillion dollars moving onchain.

Until now. Find out more: [Blog link]

🧵2/8
Jun 20, 2024 15 tweets 4 min read
The #FuelAttackathon has started and 50 reports have come in so far!

Education continues.

Today's topic:

Common SR Fuel Questions

Read on 👇

In this thread, we will cover common questions you may run into developing on Fuel.

Let’s get started!
Mar 22, 2024 12 tweets 3 min read
Here’s another #ImmunefiAnalysis for one of the hacks in early 2024:

On Jan 13, 2024, @Wise_Token was exploited for 178 ETH ($466k). This is a novel attack vector, in which the attacker used the protocol's own rounding logic to manipulate share price and incur bad debt.

Wise Lending is a decentralized lending protocol and yield aggregator; loans must first be collateralized by depositing some assets before users are allowed to borrow funds. Users are liquidated if repayment does not occur, or collateral value drops below a certain health factor.
Dec 29, 2023 14 tweets 5 min read
1/ Time for another #ImmunefiAnalysis.

On 2nd December 2023, Fulcrum, created by @bZxHQ, was exploited for 99 ETH (~$230,000). This wasn’t the first attack bZx experienced, but it might be the last.

Let's dive into the details of this hack👇

2/ Fulcrum was launched in June 2019, and its official website is also inaccessible. The project has not been updated since 2020.

Though the protocol is inactive, an attacker was still able to abuse a price manipulation vulnerability to make a hefty profit.
Nov 30, 2023 9 tweets 2 min read
Join us for another #ImmunefiAnalysis!

1/ On November 23, 2023, Kyberswap experienced a significant attack resulting in a loss of over $40M. The attack exploited tick manipulation and the counting of liquidity twice, leading to substantial financial damage.

Let's dive deeper 👇

2/ The attack on Kyberswap was caused by a precise manipulation of liquidity math in their implementation. This manipulation tricked the pool into falsely believing that it had more liquidity than it possessed.
This deception played a crucial role in the attacker's strategy.
Sep 18, 2023 21 tweets 4 min read
It’s time for a #whitehatsuccess story.

Meet GothicShanon. He currently holds the #5 position on the Immunefi leaderboard, and has made more than $2.8 million from bug-hunting.

Here’s his story. 👇 (1/20)

If you had passed him on the street one day, you’d never realize that you were in the presence of a pro who quit his job to hunt bugs full-time.

A few years ago, he was just an ordinary computer science student in his twenties from East Asia. But before long, (2/20)
Feb 27, 2023 4 tweets 2 min read
On Feb 27th, an attacker leveraged an unverified contract to drain $700,000 from BNB-based protocol @launchzoneann.

An approval had been made to the unverified contract 473 days ago by the LaunchZone deployer.

TX: bscscan.com/tx/0xaee8ef10a…

Human-readable hack analysis below

👇

The attacker called the function `0x4f1f05bc` on the unverified contract, which lacked access control.

This allowed the attacker to transfer 9,886,961 LZ of LaunchZone’s funds to the Biswap LZ-BUSD pool.
Jan 20, 2023 9 tweets 3 min read
#ImmunefiSchool

Did you know you can broadcast a transaction from a completely random address without the need for a private key? 🤯

Here's how.

👇

We all know that every broadcasted TX is signed by a private key from a wallet.

The way that raw TX is crafted is by composing every TX param (to, nonce, value, etc.) along with the (r, v, and s) parameters from the signature.
Jan 19, 2023 4 tweets 2 min read
#ImmunefiSecurityAlerts

Looks like @ThoreumFinance's been hacked (1047176.6 Thoreum tokens stolen).

Thoreum's token contract fell victim to an exploit after the deployer upgraded its implementation.

Exploit TX: bscscan.com/tx/0x908525966…

Thread

👇

Within 2 hours after the upgrade made to the token contract, the attacker was able to create a malicious contract and interact with the Thoreum contract, ultimately stealing a significant amount of THOREUM (~1047176.6 tokens).
Jan 18, 2023 4 tweets 1 min read
Hats off to @davidyat_es for the right answer here!

Check out the details:
Longer explanation below

👇

A fixed 300 million BLA tokens are assigned to the company (blaFundDeposit address) when the crowdsale contract is deployed.
Jan 13, 2022 19 tweets 5 min read
This is part 3 of the thread about signatures in Ethereum.

In this thread, we will learn:

- Replay attacks
- Signature Malleability
- EIP-2
- Nonces

Ok, let's get started! 🏃‍♂️

With signatures in Ethereum, there may be an issue if a valid signature might be used several times in other places where it’s not intended to be used.

These types of security issues are called Replay Attacks. ⏮🤺

More about them 👇
Jan 10, 2022 13 tweets 3 min read
This is part 2 of a thread on signatures in Ethereum.

In this thread we will learn:

- What is a digital signature in the context of Ethereum?
- ECDSA
- Meta-transactions
- ERC20-Permit

Ok, let's get started! 🏃‍♂️

A digital signature can be created to sign any message.

For Ethereum transactions, the details of the transaction itself are used as the message.

The mathematics of cryptography provides a way for the message (i.e. the transaction details) to be combined with the private key👇
Jan 6, 2022 11 tweets 3 min read
This is part 1 out of a 2 part thread series dedicated to Signatures in Ethereum.

It was inevitable that sooner or later, we would need to talk about this.

But bear with us, as we're going to make this as digestible as possible!

First stop, Public Key Cryptography 🔐👩‍🏫

👇

There are two main purposes of cryptography:

- prove knowledge of a secret without revealing the secret
- prove authenticity of data (digital signature)

Cryptography is used extensively within Ethereum, and one place that users meet with cryptography is via Ethereum accounts.👩‍💻