Smart Contracts, Off-chain Components and AI Integrations Security Reviews Worked with: @LidoFinance @UniswapFND @redstone_defi @YieldNestFi @0xOthentic

Let us help ๐Ÿ”Ž๐Ÿ›
We are proud to announce the release of the updated ๐—ฆ๐—บ๐—ฎ๐—ฟ๐˜ ๐—–๐—ผ๐—ป๐˜๐—ฟ๐—ฎ๐—ฐ๐˜ ๐—ฆ๐—ฒ๐—ฐ๐˜‚๐—ฟ๐—ถ๐˜๐˜† ๐—ฉ๐—ฒ๐—ฟ๐—ถ๐—ณ๐—ถ๐—ฐ๐—ฎ๐˜๐—ถ๐—ผ๐—ป ๐—ฆ๐˜๐—ฎ๐—ป๐—ฑ๐—ฎ๐—ฟ๐—ฑ (๐—ฆ๐—–๐—ฆ๐—ฉ๐—ฆ)! โœ… The best and most comprehensive checklist available for Solidity based smart contract projects.
5
43
117
32,542
Some time ago we worked on a project which was integrating with @LayerZero_Labs Omnichain Tokens and we were not able to find an all-in-one security checklist that could facilitate the whole process. Thatโ€™s why in our new blog post you will find such a checklist. Check it out here: composable-security.com/blogโ€ฆ
3
6
73
91,927
Congratulations on 1st ๐Ÿฅ‡ place in War Room Games for @drdr_zz from our team and other Team16 members @mestevez @dgrabec @danielvf Networking during @EthCC ๐Ÿ‡ซ๐Ÿ‡ท is great, but hacking together is another level of friendship ๐Ÿพ @TenderlyApp @yAuditDAO @yearnfi
5
7
49
8,011
NoBullSh*T Security Guide is live! CTOs, Lead Devs, and all Security Freaks! We created a comprehensive resource which cuts straight to the chase delivering effective and practical security strategies without the fluff. Get the Security Guide from here: composable-security.com/secuโ€ฆ
1
3
29
8,737
Thanks to the grant received from @UniswapFND, we have created the most comprehensive article on #Uniswapv4 hooks security and their threats ๐Ÿซก You will find different #hooks use cases and threat model that can be used to create hooks. Read it here ๐Ÿ‘‡ composable-security.com/blogโ€ฆ
2
3
28
3,971
On the blockchain, security should always come first! As the creators of Smart Contract Security Verification, we will thoroughly test your project ๐Ÿงต
1
5
23
12,599
The research on #UniswapV4 hooks proved that hooks have great potential, but at the same time, their space is full of threats. With the development of the hooks space, there will be a growing need for tools and standards to help developers build. Find suggestions and proposals for solutions to be created in the future. Get to know already available tools and resources which were also supported by @UniswapFND: - Static Tool Analyzer created by @BlockSecTeam - Builders Perspective on UniV4 hooks by @BrokkrFinance - โ€œUniswap V4 hooks Guideโ€ created by @0xUmbrella and more! Read the article ๐Ÿ‘‡ composable-security.com/blogโ€ฆ
2
2
19
3,573
While everyone is happy about the ETF, we shouldn't miss the SEC's glaring oversight and another high-profile account on X being compromised. Here is an article explaining sim swap and showing many other attack vectors and recommendations on how to protect against them. credit: @wh01s7 composable-security.com/blogโ€ฆ
2
17
1,831
Meet @Composable_Sec at @ETHWarsaw! Letโ€™s connect if: - You want to be among the first to access the โ€œNo Bullsh*t Security Guideโ€ - Learn the basics of threat modeling which can be introduced to your team - Meet and chat You can reach out to us via DM or just drop a comment ๐Ÿ“ฉ
1
15
2,195
Build smarter, not harder โ› The sooner a project starts building on good security assumptions, the easier it is to protect it from vulnerabilities. . Thatโ€™s why, we consider threat modeling a valuable process that saves not only time and funds but also a great amount of stress.
1
14
493
Ciao from @eth_milano ๐Ÿ‡ฎ๐Ÿ‡น Look for @drdr_zz and letโ€™s connect!
1
13
1,023
Calling all the #EthWarsaw Hackers! Each project that was created during the @EthWarsaw hackathon and is to be continued is invited for a FREE security consultation. DMโ€™s open. Build with a long-term vision and let nothing stand in your way! ๐Ÿ› ๏ธ๐Ÿ‘ทโ€โ™‚๏ธ
2
14
2,418
Better safe than sorry! If we were to give one reason to use the SCSVS thatโ€™s how we would describe it. With the SCSVS we provide a checklist to standardize the security of smart contracts which helps to address security issues and vulnerabilities at all development stages.
1
13
521
Hi from #Web3SecurityConference2023! ๐Ÿ‡ฎ๐Ÿ‡น Weโ€™re glad to be among the Security Projects that are leading the biggest discussions on Web Security! Especially with @drdr_zz having a panel about โ€œSmart Contract Security, Spotting Exploits Before They Happenโ€. What a great day to be in blocksec space!
1
11
6,320
Should exploiting 100 million dollars from the contract in good faith be considered a white hack? ๐Ÿค” Questions like this and doubts about whether white hacks should be commonly accepted regularly occur in security space. Our view on the topic is firm. Check out what we think in the last blog article: composable-security.com/blogโ€ฆ
1
2
13
1,998
Verify and mitigate potential threats when integrating with Uniswap V4! Uniswap recently launched V4 and weโ€™re threat modeling that will come in handy for both builders and users interacting with the dapp. Read it here: ๐Ÿ”—composable-security.com/blogโ€ฆ
10
1,403
Big heads up to @eulerfinance for such a comprehensive security approach ๐Ÿ‘ Even though we did not have a chance to help secure EVC, we find it crucial to promote such an approach! Letโ€™s spread the word about projects emphasizing security and minimizing risks as much as possible.
One of the goal's for the EVC is for it to become one of the most audited smart contracts on Ethereum. We partnered with @alcueca and @StErMi + @cmichelio from @SpearbitDAO for security reviews and advice on formal verification with @certora pre-audit. Formal audits began with @yAuditDAO @certora @hntrsec. No critical or high issues found so far. Certora also helped build formal verification tests. Another audit is presently underway with @trailofbits. The EVC will be audited many more times alongside Euler v2 when the latter goes into audit. There is an open bug-bounty today upto $100k in conjunction with @encodeclub. Then there will be code competitions in the future. Stay tuned for those. And there will be a bug bounty with @immunefi on launch. Please check out the EVC GitHub and review its documentation if you think you've got what it takes to break the code. If you find anything out of place or have recommendations for how we can do more, we'd love to hear from you. You will be rewarded for your efforts.
1
5
10
2,692
๐Ÿ“ฃ Big announcement! Weโ€™re thrilled to share that our work is being supported by the grant from @UniswapFND ๐Ÿฆ„ What bad hooks look like? Our team is contributing to research exploring the "malicious design space" of hooks and how protocol stakeholders should reason about their security. The aim of the research is to raise awareness about potential threats and provide resources that will help understand the threat landscape and analyze the security of the hooks. Weโ€™re looking forward to sharing our findings through blog articles, the new SCSVS category, and more!
๐Ÿ“ข Announcement: Grant Recipients Selected Today, we're unveiling the teams and projects that have that have been selected for round 1 of V4 RFPs! We are excited to see how each of these teams will contribute to Uniswap V4. ๐Ÿฆ„ Let's dive in! ๐Ÿงต
1
11
1,261
It takes more than an audit to make your protocols secure. Preparing to act in a crisis may be your life vest when your project is being exploited. Now, by doing SEAL Drills, you can go through such a situation and learn how to act when it happens. With the next update of the Security Guide, we will ensure to mention doing SEAL Drills and performing other actions that can be done before anything happens.
In a war room, every second counts. But without having been in one, how could you know what to expect or how to respond? Blog posts and tweet threads can only take you so far. Today, I'm excited to announce a new option: SEAL Drills.
2
1
10
8,284
100+ pages. ๐Ÿ˜ฑ Many excellent frens have signed up for our guide. We believe that it will bring a change for the better in the security context of many projects. Don't have it yet? Get it now!
NoBullSh*T Security Guide is live! CTOs, Lead Devs, and all Security Freaks! We created a comprehensive resource which cuts straight to the chase delivering effective and practical security strategies without the fluff. Get the Security Guide from here: composable-security.com/secuโ€ฆ
2
10
1,079
Weโ€™ve just published the third article about #UniswapV4 Bad Hooks! This time @Drdr_zz explains a threat scenario in which a malicious hook owner updates the oracle parameters resulting in an invalid price. Read the article here ๐Ÿ‘‡ composable-security.com/blogโ€ฆ
1
4
10
3,329
As a result of a bug in the @bananagun contract, located in the "transfer" function, the following issues occurred: * Contract subtracted from sender's balance fewer tokens than expected * The `fee` tokens were technically minted to the token contract (and later used to pump the price in the Uniswap pool). This issue could be detected by following the check G12.2 of SCSVS: Verify that sensitive functions of the verified contract are covered with tests in the development phase.
1
10
2,522
Meet us at #Web3SecurityConference2023 in Milan! On October 4th, @DeDotFiSecurity is hosting a conference during which @drdr_zz and other leaders from known security projects will give speeches on topics related to the block sec sector. Let us know if youโ€™ll be there!
1
3
9
812
With the @ethWarsaw coming on the 31st of August, letโ€™s go back to last year! @drdr_zz and Certora, Quantstamp, and Halborn's representatives participated in the security panel. Watch it here and get the expert knowledge: ย ๐Ÿ”—composable-security.com/blogโ€ฆ
1
1
10
693
Happy to help @CCCTRX20 with mitigating threats and improving their security. We value the desire for a comprehensive approach from an early stage! ๐Ÿ›ก๏ธ
2
1
8
281
Have you ever wondered how smart contract auditors identify threats while performing an audit? ๐Ÿค” In Composable Security we divide the process into 3 stages, using different resources to ensure we find as many threats as possible ๐Ÿงต
1
3
8
860
In September 2023, @wh01s7 published an article to start discussions about White Hack Policy. At the same time, a dedicated group was working on something similar independently in the shadows. Today is the day to start discussions again! โœ…Check the WHITEHAT SAFE HARBOR AGREEMENT โœ…Check out all the initiatives of great people who are dedicated to keep the ecosystem safe! Big things are coming! ๐Ÿ›ก๏ธ Follow @_SEAL_Org and stay secure!
2
9
4,336
๐Ÿ“ฃ Key Takeaways from EthCC & DeFi Security Summit! The insights and connections we gathered from these conferences were invaluable. For a deeper dive, stay tuned for our detailed blog post. ๐Ÿ“ธ Check a few photos to relive some of these moments with us! ๐Ÿงต
2
2
9
1,211
We found a vulnerability in a hook created during @EthCC Paris Hookathonย ๐Ÿ•ต๏ธ We challenge you to also find it! Comment the bug below if you did it!ย ๐Ÿ‘‡
1
2
9
567
Currently, @LayerZero_Labs is one of the most discussed protocols in the space. We took a closer look at how this omnichain interoperability protocol is built and as a result next week you may expect an article on โ€œSecure integration with LayerZeroโ€ on our blog! Like this post to get a message once itโ€™s published and ensure to not miss it ๐Ÿ“ฉ
2
8
735
The founder of Composable Security, @drdr_zz, found a valid attack scenario in Uniswap V4, enabling all LP tokens to be withdrawn. Find the vulnerability description and threat modeling for Uniswap V4 here ๐Ÿ‘‡
When I was doing TM for UniswapV4 (described here: composable-security.com/blogโ€ฆ) I came across a valid attack scenario that allowed to steal all LP tokens on withdrawal (described here: github.com/Uniswap/v4-core/iโ€ฆ).
1
8
590
Fast reaction is one of the most important things when a security crisis happens. Thanks to the โ€œSEAL 911โ€ Telegram group, projects can now get first-hand help from the group of experienced blockchain security specialists. 1/2
Over the past few days I've been working with a group of whitehats, auditors, and other security leaders to try and solve the hardest part of responsible disclosure: finding the right person to talk to.
1
8
379
The 7 different hook use cases we analyzed, included: - Median Oracle @saucepoint - Multi-sig @adamtj_eth - KYC @jwpark02 - Hedge @andry_r99 - Limit order @Uniswap - Locking liquidity @BrokkrFinance - Dynamic fees @ArrakisFinance Thank you for creating these use cases!
1
6
473
Today at 12 pm EST, @drdr_zz is one of the speakers during @DeDotFi Security Spaces devoted to Preventative Security Tactics! Join it and learn from experts about steps you can take to secure your project.
Preventative Security Tactics ๐Ÿ‘€ Join us @ De.Fi Security Spaces, Aug 29โœจ๏ธ Steps you can take to prevent the next major exploit. Learn from the experts. Link ๐Ÿ‘‰ nitter.app/i/spaces/1yNxaNLโ€ฆ @hackenclub @Composable_Sec @zokyo_io @HackenProof @LayerZero_Labs @immunefi @AvascanExplorer @aleph @DeDotFiSecurity
1
7
579
Merry Christmas!๐ŸŽ…๐ŸŽ„ Best wishes from the ๐—–๐—ผ๐—บ๐—ฝ๐—ผ๐˜€๐—ฎ๐—ฏ๐—น๐—ฒ ๐—ฆ๐—ฒ๐—ฐ๐˜‚๐—ฟ๐—ถ๐˜๐˜† ๐—ง๐—ฒ๐—ฎ๐—บ โ›“๏ธ๐Ÿ‡ต๐Ÿ‡ฑ! #solidity #christmas #DeFi #security #smartcontractaudits #wishes
1
7
8
199
๐Ÿ”’ Join the @summit_defi livestream ๐Ÿš€ For frens who won't make it this year - no worries! You are covered with a live stream link. ๐ŸŽฅ Reserve 2 days on your ๐Ÿ“… and prepare for an incredible feast of the latest attacks, research, and emerging threats๐Ÿ›ก๏ธ piped.video/watch?v=QhY9T-6Qโ€ฆ
1
4
8
786
Another week in blockchain security is behind us! What did it bring? Letโ€™s see ๐Ÿงต
1
3
8
1,186
Replying to @divaprotocol_io
Congratulations @divaprotocol_io๐Ÿ‘๐Ÿš€ We had the pleasure of working with the team behind this project and they definitely put #security as one of priorities Detailed docs and numerous cross-checks demonstrate the security centric approach that we would like to see more often๐Ÿ›ก๏ธ
5
390
We are very excited to announce that we have successfully completed our security audit for @Milky_icecream_ tokenized ice cream business. Full report available here: github.com/ComposableSecuritโ€ฆ
4
8
697
The Median oracle hook is the first one we described in research about #UniswapV4 hooks ๐Ÿฆ„ Read @wh01s7 to learn how this hook works and what are possible threat scenarios related to it ๐Ÿ‘‡
Uncovering research on #UniswapV4 hooks ๐Ÿฆ„ Learn aboutย Median Oracle hook ๐Ÿงต Median Oracle hook is an alternative to TWAP oracle that saves the current tick on each swap and mitigates some risks as when using TWAP โ€œlower-liquidity pools are prone to manipulationโ€. 1/13
1
7
392
At the moment, there is no single checklist or standard on the market according to which all auditors operate. ๐Ÿงต1/4
1
1
6
450
Today at Degen Meetup! Congratulations to @DegenHouse_for another great event ๐Ÿ™Œ๐Ÿผ It is an amazing initiative that enables to onboard more users to web3 and at the same time create a place for the ones who are already in the space to meet, educate and network! Weโ€™re looking forward for more!
1
2
7
465
Some time ago we had the pleasure to share our knowledge at theย @ETHWarsaw meetup. @drdr_zz talk titled Security Sins of Web3 Bridges is now available for you to view. ๐ŸŽฅ ๐Ÿฟ composable-security.com/blogโ€ฆ
1
2
7
815
Last week we published an article about โ€œSecure integration with Layer Zeroโ€ ๐Ÿ’ป Based on it we also added a new category to SCSVS. The I4: Cross-Chain category is dedicated for projects integrating with external cross-chain protocols such as @LayerZeroLabs. Check it out here: ๐Ÿ”—github.com/ComposableSecuritโ€ฆ
2
2
7
625
Fill in the form below and be the first to receive a guide: composable-security.com/secuโ€ฆ
1
7
12,297
Stay ahead of the curve in #smartcontract security with our upcoming Smart Contract Security Verification Standard v2, featuring advanced checks and categories for comprehensive vulnerability detection. โœ… Follow us for updates and be the first to know when it's released.
1
7
581
๐Ÿ“ขTop 10 blockchain hacking techniques 2022 by @OpenZeppelin Read and learn from the mistakes of others ๐Ÿš€ #blocksec #hackingtechniques #Top10 openzeppelin.com/security-auโ€ฆ
2
7
348
/1 We listened to a discussion led by @CryptoFeesInfo about the state of bridge security Frens from @immunefi and @lifiprotocol shared their observations and tips. It is very important to exchange such experiences, so we were happy to add something from ourselves in the comments
1
7
Are you aware that you can increase the security of your project by small changes in the process, and reduce the costs of time-consuming corrections after audits? Thatโ€™s possible with threat modeling!
1
1
7
265
Do you want to learn how to securely use #bridge? Meet us on March 21st in Warsaw! @drdr_zz is going to talk about โ€œSecurity sins of Web3 bridgesโ€ ๐Ÿ‘พโ›“๏ธ
๐Ÿ“ข Web3 builders! Join us for #EthWarsawMeetup on March 21st to learn about Web3 Security. Our first speaker @drdr_zz will share insights on "Security sins of Web3 bridges". Don't miss out! Sign up here ๐Ÿ‘‡ meetup.com/ethwarsaw-meetup/โ€ฆ
6
383
We believe that our research will bring many good practices and help you explore the hooks landscape in a safe way. Stay tuned and follow us for more! Including a new UniswapV4 Hooks SCSVS category, and a series of bad hooks illustrating the problems we discuss here.
5
207
Security always starts in-house ๐Ÿ›ก๐Ÿ’ป However, if you want to take it to the next level you should definitely contact us!
2
5
421
Echidna 2.2.0 released โšก๏ธ
Today's release of our Echidna smart contract fuzzer is more than 20x faster, thanks to multicore support and optimized coverage collection. github.com/crytic/echidna/reโ€ฆ
1
5
316
2023 has ended with a $81.5M loss for @Orbit_Chainโ€™s Ethereum bridge. It is presumed that the hack happened due to compromised keys of signer addresses on the Orbitโ€™s ETH Vault multisig. A similar possible threat scenario was described in the article we published some time ago about โ€œ6 security sins of Web3 bridgesโ€. It is worth reading to learn how to increase security awareness and prevent the recurrence of the most common bugs and mistakes.
It wasnโ€™t just fireworks blowing up on New Yearโ€™s Eve. The final hours of 2023 saw @Orbit_Chainโ€™s Ethereum bridge lose $81.5M. With the presumed culprits already responsible for losses totaling $250M in 2023... ...what will 2024 bring? rekt.news/orbit-bridge-rekt/
1
1
6
633
A single hack cost on average in 2022 was $14,264,506. Rethink your budget and invest in #security.
5
460
Do you want to quickly and regularly improve your code quality without the involvement of outside companies? ๐Ÿ’ป Introduce peer review through which you get your team to examine each other's smart contract code. This way you will remove repetitive bugs and increase the overall smart contractโ€™s quality ๐Ÿ“ˆ Get the Security Guide for more tips you can apply within your team to enhance security: ๐Ÿ”— composable-security.com/secuโ€ฆ
1
5
256
Letโ€™s dive into another part of Bad Hooks implementations- Liquidity Theft via Hook Fee! If the hook is not implemented properly, the attacker can steal the whole liquidity during their withdrawal processย ๐Ÿคฏ See the theft process in the diagram belowย ๐Ÿ‘‡
1
5
751
There is a bug in this code! Can you spot it? ๐Ÿ•ต๏ธ In the last article about #Uniswapv4 bad hooks implementations, we referred to the EulerMedianOracle hook. Something we have yet to mention is that there is a vulnerability in the original implementation of this hook. Let us know if you find it!
1
1
6
840
Day 1 of @ETHWarsaw ๐Ÿ™Œ๐Ÿผ Weโ€™re glad to meet all the builders and welcome a new member in our team ๐Ÿงธ Weโ€™re more than ready for day 2!
1
6
304
Do you want to perform threat modeling but have no clue how to do it? We got you! Or..Actually, AI does ๐Ÿ“ฑ In our blog article, we explain how to use ChatGPT for threat modeling and bring it to the next level! Read it here: composable-security.com/blogโ€ฆ
6
183
What to do when you can not afford to perform an audit and additional cross-checks? Thereโ€™s a solution! Instead of requesting two or three audits, you can opt for key threat-based cross-checks adjusted to your needs and capabilities that focus on key threats and scenarios.
6
137
Excatly Protocol, an Optimism-based lending platform, suffered from a $7.2 million hack! Attack was made due to vulnerability of an insufficient check in the DebtManager contract as to whether the market address was valid. It enabled a hacker to pass a fake market address by inserting the victimโ€™s address as _msgSender, which led to draining usersโ€™ collateral. Check G5.9 of SCSVS minimizes potential threats of such attacks. Check out the whole section โ€œG5: Access controlโ€ to secure your contract: ๐Ÿ”—github.com/ComposableSecuritโ€ฆ
6
257
We would like to thank everyone who contributed to building this standard, especially @deliriusz_eth, @LewellenMichael and @saxenism. ๐Ÿ™Œ
5
1,070
A successful cooperation with the codefunded team (codefunded.com), allowed for the removal of 22 vulnerabilities from their codebaseย ๐Ÿซก The full report is available here: ๐Ÿ”—github.com/ComposableSecuritโ€ฆ
1
5
294
Merry Christmas ๐ŸŽ„ The Composable Security team is wishing you all a festive season filled with warmth, happiness, and unbreakable security! ๐ŸŽ๐Ÿ›ก
2
7
282
โ€œA large portion of exploitable bugs in the wild (i.e., 80%) are not machine auditableโ€. These are words that ring out quite clearly from a great study by @i2huer. ๐Ÿงต1/5
1
2
6
579
The first week of the year is coming to an end! Letโ€™s recap what happened in the blockchain security space at the end of 2023 and the beginning of 2024 ๐Ÿงต
1
1
4
284
Security starts within your team and a lot can be done in this matter. To help you introduce secure practices within your team and increase your projectโ€™s security, we created a Security Guide. Here youโ€™ll find tips on incorporating good security practices in your company. Get it here: composable-security.com/secuโ€ฆ
1
6
750
What can projects do to reduce funds and time spent on smart-contract audits? ๐Ÿ›ก
25% Use checklists
8% Introduce threat modeling
17% Do peer reviews
50% All of the above
12 votes โ€ข Final results
1
1
6
250
๐Ÿ”๐Ÿš€ Gearing up for the @summit_defi & @EthCC ! Exciting discussions, workshops, and announcements lie ahead. Who are we meeting on site? Let's connect and share insights! Comment below or send us a DM if you're attending. See you there! #DeFiSecuritySummit #EthCC #Paris
2
6
446
A Must-Read for Devs and Auditors dealing with Bridges. If you're working with cross-chain protocols, you need to be aware of security sins. @drdr_zz put together an in-depth overview based on REAL hacks that will help you protect your DeFi assets. composable-security.com/blogโ€ฆ
4
5
532
Replying to @pashov
You may also find interesting this article about threat modeling when integrating with Uniswap V4: composable-security.com/blogโ€ฆ
1
1
5
411
Read an article starting the series in which we present implementations of #UniswapV4 โ€œBad hooksโ€. In todayโ€™s article, @drdr_zz covered โ€œRe-Initialization Leading to Funds Lockedโ€ ๐Ÿ”“ Read it here๐Ÿ‘‡ composable-security.com/blogโ€ฆ
1
1
5
680
This Wednesday @drdr_zz participated in @DeDotFi Security Spaces ๐Ÿ›ก The opening question was: โ€œHow do you envision the future of blockchain security?โ€. In the answer, Damian pointed out that blockchain security may develop in a similar way as it happened in Web 2. With the progressing adoption and development of projects, in a decade, instead of reading code line by line and searching for bugs in code - security experts will have to focus on specific parts of the systems and such vulnerabilities like using libraries with known ones will be more common. What is more, we may expect the creation of open foundations that will be recognized by the whole community and promote: standards, tools, and best practices. This is a great chance for web3 security experts to take part in this process and outline the path. Do you agree with this vision? Would you add something? Let us know! Listen to the full spaces here ๐Ÿ‘‰ nitter.app/DeDotFi/status/1โ€ฆ
1
5
236
A smart contract audit is a balance between the cost on the client's side and the best performance of our work. That's why, to save time and money, we recommend preparing for it using our checklist to improve the code quality. Find the checklist here: ๐Ÿ”—composable-security.com/blogโ€ฆ
1
5
395
This is what shifting left means. That's why we built the Security Guide ๐Ÿ› ๐Ÿ›ก Be the next one, introduce a change, introduce a security-centric approach. Start by getting the Guide here: composable-security.com/secuโ€ฆ
5
1,498
Kyber Network experienced a major security exploit last night. All the users were advised to withdraw their funds and wait for further updates and information from the team..
๐ŸšจUrgent๐Ÿšจ Dear KyberSwap Elastic Users, We regret to inform you that KyberSwap Elastic has experienced a security incident. As a precautionary measure, we strongly advise all users to promptly withdraw their funds. Our team is diligently investigating the situation, and we commit to keeping you informed with regular updates. Thank you for your understanding and cooperation during this challenging time.
1
2
5
1,953
Let's meet at @ETHWarsaw this year!
Last year's flagship #ETHWarsaw conference was a smashing success ๐Ÿง 50 expert speakers ๐Ÿ‘จโ€๐Ÿ’ป1000+ participants ๐Ÿ”ง130 hackers on 35 teams ๐Ÿ’ก30 innovative projects ๐Ÿ’ฐ$69,420 in prizes Here's a run down of the event & why you should join us August 30th - September 3rd ๐Ÿงต๐Ÿ‘‡
1
2
5
626
Results of a recently performed smart contract audit for one of our clients in which we verified 31 threat scenarios. Detected: 1 MEDIUM 2 LOW Now, we are working together to remove the detected threats ๐Ÿซก
1
5
217
A few months ago we published an article โ€œ6 security sins of Web3 bridgesโ€. In Sin, #1 we describe the issue of improper key management which may lead to minting by someone who acquires keys an unlimited amount of tokens or withdrawing all locked tokens and that is what happened with @MixinKernel. Key management is often related to the web2 component which is why itโ€™s significant to include it in your threat model. Read the full article here: composable-security.com/blogโ€ฆ
Regarding the @MixinKernel security incident, we have the following findings. First, a large number of deposit addresses have been drained. The attacker transferred funds in order from the highest to the lowest balance, involving 10,000+ transactions, lasting several hours. Second, we suspect that a couple of addresses drained were Mixin's hot wallet. Third, Mixin had a policy to change a new hot wallet address daily. Although we are not clear about Mixin's internal security architecture, based on these facts, combined with the previously disclosed information that the database was compromised, it can be inferred that: 1) the private keys of Mixin deposit addresses are stored in a recoverable manner. 2) the attacker compromised the cloud and recovered the private keys of deposit addresses (and hot wallet addresses).
5
284
Just a reminder that 2FA is a basis of organization security ๐Ÿ›ก๏ธ
We can confirm that the account @SECGov was compromised and we have completed a preliminary investigation. Based on our investigation, the compromise was not due to any breach of Xโ€™s systems, but rather due to an unidentified individual obtaining control over a phone number associated with the @SECGov account through a third party. We can also confirm that the account did not have two-factor authentication enabled at the time the account was compromised. We encourage all users to enable this extra layer of security. More information and tips on how to keep your account secure can be found in our Help Center: help.x.com/en/safety-and-secโ€ฆ
1
5
141
We are thrilled to announce that our smart contract security auditing company has recently become a partner of the @PLBlockchainA ! We look forward to continuing to serve the blockchain community. #partnership #blockchain #security
4
407
๐Ÿ“ฃNew SCSVS category alert! As a part of #UniswapV4 hooks research, weโ€™ve added a new category to SCSVS ๐Ÿฆ„ You will find there a list of checks you can follow to securely integrate with Uniswap V4. Check it out here: ๐Ÿ”—github.com/ComposableSecuritโ€ฆ
5
755
Have you heard about reentrancy reintroduced by Transient Storage (TSTORE)? Thatโ€™s true and similar case was with EIP-1283 (eips.ethereum.org/EIPS/eip-1โ€ฆ) just before Constantinople upgrade. Am I vulnerable? Only if you plan to use (it is not deployed yet) TSTORE and transfer/send functions. However, if you consider transfer and send functions as reentrancy is safe, please stop. I am a dev. How to be safe? Do not use transfer and send functions as reentrancy protections. Rethink the flow of external calls in your contract and follow Check-Effects-Interactions pattern or use modifiers to protect from reentrancy. What is Transient Storage? It is something between memory and storage. Those variables are stored in the contract for the whole execution of the transaction, including reentrant calls (unlike memory which is kept only for the current call context) and cleared after the transaction is finished (unlike storage which is kept permanently). Whatโ€™s the issue? Basically, the pricing of opcodes. SSTORE price was lowered in some cases in EIP-1283 and TSTORE is going to be cheaper by design (thatโ€™s actually one of the reasons why it was created). On the other hand, transfer and send functions were considered reentrancy safe, because they were limited by 2300 gas (docs.soliditylang.org/en/v0.โ€ฆ). When the storage manipulation becomes cheaper, you can fit these operations in 2300 limit. That resulted in cancellation of EIP-1283 and introduction of itโ€™s fixed version in EIP-2200. Should TSTORE be โ€œfixedโ€? As in case of EIP-1283 it would result in reentrancy for existing contracts and their storage, in case of TSTORE the vulnerable scenario would be valid only for new type of storage - transient storage. In the end, nowadays we see very rarely transfer and send functions as most of the calls are made through safeTransfer (which is the call function). So it does not change much anyway ๐Ÿ™‚
1
5
309
During #Web3SecurityConference2023 organized by @DeDotFiSecurity, @drdr_zz mentioned that over 2 billion dollars were stolen in the bridgesโ€™ hacks ๐Ÿ˜ฑ After recent events to this number, we can add another 99 million lost during the HTX (Huobi) exchange and the Heco bridge hack.
1
5
1,429
Before we share with you the first results from the ongoing research supported by the @UniswapFND grant about the โ€žmalicious design space" of hooks, we recommend you read our previous work. An article about secure integration with Uniswap v4 packed with potential threats that you should be aware of. Read the article at the link below: composable-security.com/blogโ€ฆ
1
5
264
Yesterday we had the pleasure of sharing our knowledge at the #ETHWarsawMeetup. @drdr_zz gave a presentation full of lessons learned from others' mistakes and amazing security tips. We are grateful to the @ETHWarsaw team for this opportunity and for gathering such a community.
1
2
5
1,816
How do you choose an audit firm?
19% Methodology and Approach
50% Portfolio and experience
19% Contest leaderboard
12% Other (comment)
16 votes โ€ข Final results
1
5
261
๐Ÿ‘‰ Read our ๐Ÿญ๐Ÿฐ ๐—ฒ๐˜…๐—ฝ๐—ฒ๐—ฟ๐˜ ๐˜๐—ถ๐—ฝ๐˜€ on how to take care of #NFT security. โ€ข learn the most important risks related to NFT โ€ข understand in which areas there may occur vulnerabilities โ€ข learn how to eliminate the indicated threats โœ… composable-security.com/blogโ€ฆ
1
4
381
Impersonating other users on @github is a relatively easy thing to do ๐Ÿ˜ฑ Even though it is not a critical safety issue, being aware of how itโ€™s done and how to protect from being impersonated is important to build multiple layers of security and introduce good security practices in your mail work basis. Read our recent blog article to learn more about it: composable-security.com/blogโ€ฆ
5
1,548
๐Ÿ‘บHackers are waiting for your lack of vigilance Stay safe during the holidays with these 5 tips ๐ŸŽ 1. Make sure someone is supervising the monitoring. Prepare with: 2. securityalliance.notion.siteโ€ฆ 3. securityalliance.notion.siteโ€ฆ 4. securityalliance.notion.siteโ€ฆ 5. In case of problems - contact SEAL 911 t.me/seal_911_bot Stay safe, be ready and don't let your users down. As @samczsun said, you have no excuses.
1
5
1,016
Is your multi-sig really multi-sig? The short story by @drdr_zz about the Ronnin Bridge hack ๐ŸŽฌ
1
1
4
258
We look forward to @summit_defi, and YOU should too! Last time there were lots of interesting presentations full of high quality knowledge and technical details โ›“๏ธ It would be great to contribute and share something special this year.
1/ The DeFi Security Summit (DSS) is an annual event that brings together experts in blockchain security to discuss the latest developments and best practices for protecting your code.
5
400
Let us present you with a Multi-sig hook ๐Ÿ˜Ž How does it work and what are the threats related to using it? Read @drdr_zz thread๐Ÿ‘‡
Introducing Multi-sig hook found in #UniswapV4 hooks research๐Ÿงต This hookโ€™s contract leverages hook functionality to require multiple signatures from authorized signers before executing a swap. It provides an additional layer of security and control. 1/15
5
290
We're committed to providing the highest level of quality and accuracy for our clients so our methodology is constantly evolving to keep up. We're always here to help you increase the security of your project. ๐Ÿ‘‰ Read how we do it composable-security.com/blogโ€ฆ
2
4
12,909
Do post-audit corrections cost you a lot of time&money? If you answered โ€œyesโ€ then you ๐—ฑ๐—ผ๐—ปโ€™๐˜ ๐˜„๐—ฎ๐—ป๐˜ ๐˜๐—ผ ๐—บ๐—ถ๐˜€๐˜€ ๐—ผ๐˜‚๐—ฟ ๐—ฎ๐—ฟ๐˜๐—ถ๐—ฐ๐—น๐—ฒ about AI-driven threat modeling. ๐Ÿ‘‰ Be ahead of the competition and try this innovative approach composable-security.com/blogโ€ฆ #DeFi #TM
1
5
1,554