samczsun Profile picture
research @paradigm, founder @_SEAL_Org. art by @Keiseeaaa/@vincywp emergency help: https://t.co/uDNDg1xCgR https://t.co/1IDOUbRX6v
9 subscribers
May 20, 2023 6 tweets 4 min read
On 2023/05/20 at 07:25:11 UTC, Tornado Cash governance effectively ceased to exist. Through a malicious proposal, an attacker granted themselves 1,200,000 votes. As this is more than the ~700,000 legitimate votes, they now have full control.

openchain.xyz/trace/ethereum… Image First, what does this mean for Tornado Cash?

Through governance control, the attacker can:
- withdraw all of the locked votes
- drain all of the tokens in the governance contract
- brick the router

However, the attacker still can't:
- drain individual pools
Apr 3, 2023 12 tweets 6 min read
Block 16964664: A user managed to drain five MEV bots by exploiting a bug in mev-boost-relay.

Here's the block: etherscan.io/block/16964664
Here's the user: etherscan.io/address/0x3c98…
Here's the patch: github.com/flashbots/mev-…
Here's the longer explanation: One of the core ideas behind Proposer-Builder Separation is that proposers cannot be allowed to see the contents of the block they're signing until they've signed the block. Proposers must trust mev-boost to return the most profitable header to them.
Dec 2, 2022 4 tweets 2 min read
uh oh ummm
Oct 6, 2022 21 tweets 9 min read
Five hours ago, an attacker stole 2 million BNB (~$566M USD) from the Binance Bridge. During that time, I've been working closely with multiple parties to triage and resolve this issue. Here's how it all went down. It all started when @zachxbt sent me the attacker's address out of the blue. When I clicked into it, I saw an account worth hundreds of millions of dollars. Either someone had pulled off a huge rug, or there was a massive hack underway
Aug 1, 2022 12 tweets 5 min read
1/ Nomad just got drained for over $150M in one of the most chaotic hacks that Web3 has ever seen. How exactly did this happen, and what was the root cause? Allow me to take you behind the scenes 👇 Image 2/ It all started when @officer_cia shared @spreekaway's tweet in the ETHSecurity Telegram channel. Although I had no idea what was going on at the time, just the sheer volume of assets leaving the bridge was clearly a bad sign Image
Jul 5, 2022 17 tweets 7 min read
1/ Today, someone tried to hack me with a crypto stealer, so I guess I've finally made it

Fortunately, they weren't successful, but all it would've taken was three clicks. Read on to learn about how the attack works, how to protect yourself, and some basic malware analysis🕵️ 2/ The first step is to create an urgent and compelling hook. When placed under pressure, even trained security professionals might act instinctively instead of rationally. This DM does both.

If you clicked the link, then you're only two clicks away from being pwned
Mar 24, 2022 7 tweets 4 min read
I need to make a correction! Thanks to @madergaser and @siintemal for pointing out that I completely missed the other half of the exploit.

So as I mentioned earlier, the two token accounts must hold the same token. The attacker forged accounts to bypass the validation on common.crate_collateral_tokens, but what about depositor_source?

Mar 23, 2022 7 tweets 3 min read
Another day, another Solana fake account exploit. This time, @CashioApp lost around $50M (based on a quick skim). How did this happen? Image In order to mint new CASH, you need to deposit some collateral. This cross-program invocation (CPI) will transfer tokens from your account to the protocol's account, but only if the two accounts hold the same type of token. Otherwise, the token program will reject the transfer. Image
Feb 3, 2022 15 tweets 7 min read
How did the @wormholecrypto exploit work? I joined forces with @gf_256 and @ret2jazzy to reverse engineer the exploit, and now that it's been patched we can finally share it with you👇 Image First, we had to determine where the exploit occurred. Ethereum, or Solana? A quick check of the encoded VM that the attacker submitted showed that it contained valid signatures from the guardians. This meant that either they got the private keys, or they exploited the bridge. Image