Head of Research at @wintermute_t, Research Collaborator at @paradigm, ex @TheBlockCo 𝝪(𝞂ₜ, 𝝩) → 𝞂ₜ₊₁ Views are my own

LOOOOL, @VitalikButerin removed liquidity from the SHIB pool
Replying to @FrankResearcher
2/8 49.5% of the token supply was added to Uniswap after token creation. LP tokens from this pool were sent to @VitalikButerin along with the remaining SHIB. Therefore, Vitalik, instead of selling, can simply withdraw 93% of the pool liquidity without any price impact ($118M).
163
530
2,112
Imagine stealing 600 million 6 days ago and depositing money on @FTX_Official
Replying to @Ronin_Network
The Ronin bridge has been exploited for 173,600 Ethereum and 25.5M USDC. The Ronin bridge and Katana Dex have been halted.
113
338
1,628
How many people want to learn how to do on-chain analysis like a pro?
194
25
1,592
IronBank ($CREAM) was exploited on $37.5M, let’s take a quick look at what happened.👇 1/ Attacker used Alpha Homora for borrowing sUSD from IronBank. Each time they borrow twice as much as in the previous one.
63
409
1,373
Looks like @CreamdotFinance is dead boys
146
306
1,348
1/5 The new popular @beanstalkfarms protocol lost $181M+ in today’s exploit, but the attacker only gained $76M. Let’s figure out what happened👇
76
314
1,227
Before the hack, the BNB bridge exploiter registered as a relayer for this bridge
26
258
1,078
Ok, new DeFi exploit. Victim: - @iearnfinance Attacker profit: - 513k DAI - 1.7M USDT - remaining 506k 3CRV (~$1) To obtain such a profit, the attacker executed 11 transactions. Below is a very superficial explanation of what was happening in these transactions👇
48
298
1,117
1/8 Everyone has been waiting for this for a long time, and now @paraswap practically launched his token (PSP), which includes a retroactive airdrop and, apparently, some staking for Paraswap pools Let’s see what we can learn from these unverified contracts👇
61
259
1,072
1/5 Let’s look at how @jump_ tried to defend the UST peg a week ago. They used at least three addresses on Ethereum and spent $682.5M+ in various stablecoins. Basically, they were adding one-side liquidity in USDC since the Curve DAI/USDC/USDT pool was already imbalanced.
45
258
985
1/6 Some personal news. Today is my last day at @TheBlock__ and I’m joining @wintermute_t as Head of Research and @paradigm as Research Collaborator
57
42
959
Not impressed Another guy put 37.65 ETH and now it's worth $2.05 billion
276 days ago someone put 10 ETH into SHIB and now it's worth $460 million. How's your life going?
46
142
859
Should @a16z' Github account be suspended for using the Tornado code?
My @GitHub account was just suspended 🤷 Is writing an open source code illegal now?
22
108
888
1/9 Today we have witnessed the manipulation of XVS price —  the governance token of Venus Protocol on BSC. This incident resulted in $200M+ DeFi liquidations and a $100M+ of protocol bad debt. As usual, let’s analyze this situation below👇
45
301
861
1/7 Many post-mortems after the Terra events have focused on “Wallet A” which played a large role in UST depegging "Wallet A" swapped 85M UST for USDC and imbalanced the UST/3CRV Curve pool There is a good chance this wallet is related to @JaneStreetGroup
42
218
947
558,498
1/7 Another flash loan attack on a major DeFi protocol on BSC. Today $7.2M was stolen from @burger_swap in 14 transactions. Let’s see what’s happened👇
49
220
801
1/8 In the past few days, meme token SHIB has been a source of high gas prices and incredible profits for some early adopters. Let’s take a look at some data to understand what’s going on👇
15
195
749
1/8 New weekend - a new attack on BSC DeFi protocol. Today $6.2M in BUSD was stolen from Belt Finance in 8 transactions. Below is what happened👇
33
201
727
1/6 Today, BUNNY tokens worth $1B+ were minted from Bunny Finance on BSC, resulting in $40M+ was stolen: - 114k WBNB ($40M) - 697k BUNNY For this reason, the BUNNY price fell from $146 to $6👇
38
196
672
1/6 Many talk about the @0xPolygon success and the record number of transactions, but is everything really so good? Let’s see how arbitrage bots spammed Polygon with failed transactions👇
41
135
665
1/12 Alright, I've been sitting on this news all day, but let's look at the @BaldBaseBald deployer. This is definitely someone from Alameda, but I don't think we can safely say that this is @SBF_FTX (even though he is a psycho) Let's go👇
22
124
631
265,254
1/7 Rari Capital lost a lot of funds as a result of a complex exploit, right? However, things are far from simple, and we witnessed the first cross-chain exploit, so let’s see how it went👇
12
159
630
1/6 It seems like @pumpdotfun lost ~2k SOL ($300k+) and a bunch of memecoins through a possible private key leakage So let me share evidence of it👇
And now; Magick: everybody be cool, this is a r o b b e r y. What it do, staccattack? I'm about to change the course of history. n then rot in jail. am I sane? nah. am I well? v much not. do I want for anything? my mom raised from the dead n barring that: /x
33
127
600
728,982
1/3 Looks like Larry Sukernik, one of the multi signers behind the $20M DeFi education fund, dumped UNI five hours before the $10M OTC sale.
29
84
587
1/5 We’re back to interesting exploits, and @InverseFinance users lost money today. As a result, $15.6M was stolen in the form of: - 1588 ETH - 94 WBTC - 4M DOLA - 39.3 YFI
26
158
569
1/10 So, Uranium Finance (another Uniswap v2 fork on BSC) was exploited for $51M, right? Nope, everything is much more complicated. Let’s figure out what happened.👇
20
161
552
So what happened to Furuсombo👇 An attacker using a fake contract made Furuсombo think that Aave v2 has a new implementation. Because of this, all interactions with ‘Aave v2’ allowed transfers approved tokens to an arbitrary address.
26
165
516
Below is the code that was used in today's attack through ads on crypto websites like @coingecko or @etherscan The attacker wanted to get tokens approvals or perform swaps through DEXs to their address (it is not hardcoded, since it was pulled from API) gist.github.com/ivigamberdie…
25
171
482
I even started to get a little bored, but half an hour ago $31M were stolen from @MonoXFinance on Polygon and Ethereum. - 5.7M MATIC ($10.5M) - 3.9k WETH ($18.2M) - 36.1 WBTC ($2M) - 1.2k LINK ($31k) - 3.1k GHST ($9.1k) - 5.1M DUCK ($257k) - 4.1k MIM ($4.1k) - 274 IMX ($2k)
55
127
454
1/9 Another DeFi protocol xToken was exploited today and almost $25 million was stolen. The attacker was smart enough (or close enough to this project) to use two different exploits for two projects’ tokens.👇
26
130
446
Looks like @jack's exchange of preference is Kraken. I don’t know if Jack uses Ethereum, but he used a fresh address specifically to dump the ETH he made from selling his NFT tweet. Good wallet privacy management
20
46
436
Since launching MetaMask Swaps in October, MetaMask earned almost $2.5M in ETH and $1.5M in various tokens. This is 3x Kyber Network fees for the same period. Wen Metamask token?
22
60
439
1/2 Ok, the first connect-kit version with the drainer (1.1.6) was added to the npm registry at 9:44am UTC Better to check that you have not interacted with any UIs starting this time
I don't think that @Ledger made all these updates...
20
114
400
259,950
1/3 Today @Moola_Market has been exploited for $8.4M: - 8.8M CELO ($6.5M) - 765k cEUR ($0.7M) - 1.8M MOO ($0.6M) - 644k cUSD ($0.6M) It was an incredibly simple attack👇
43
94
374
1/6 Big Data Protocol on crazy hype, huh? BDP contract now holds $6.2B, collected in just a few days, which puts the project on par with MakerDAO and WBTC. Let’s take a look at the four addresses that collectively own 41% of this TVL and dump BDP as soon as they claim it.
14
82
368
It seems that @justinsuntron did not really like that I disclosed his address for BDP farming, and therefore he began to use a new one. h/t @DeBankDeFi
Replying to @FrankResearcher
2/6 One of the addresses deposited 25% of the current TVL ($1.6B). This is a lot of money and most likely belongs to @justinsuntron, who tried to buy @jack NFT tweet from this address. He added to the BDP farm contract: - 661.8k WETH - 228.9M USDT - 161.6M USDC - 150 WBTC
20
49
358
1/11 Okay, MEV is coming MEV is a consequence of the fact that miners (pool operators) have the right to choose the tx order in a block. They can be the first to: - execute arbitrage - get access to token offerings - perform liquidation Plus, they may not pay a fee for this.
22
133
377
1/8 Another weekend with a DeFi exploit on BSC, and this time the AMM called vSwap from @value_defi is in trouble. About $11M was stolen today from non 50/50 pools, in addition to $6M already lost this week as a result of contract reinitialization. Let’s see what happened👇
11
103
381
1/5 Two hours ago, someone sold a huge amount of social tokens issued on Roll platform. As a result, an attacker earned almost 3k ETH ($5.7M), of which 700 have already been sent to Tornado Cash. Most of social token prices dumped as a result.
24
126
355
10/10 Since the team fixed this bug that led to the exploit, they should have known about it for sure. In this case, the best option would be a white hack not to jeopardize users’ funds. Since there was no white hack, I tend to believe that it was a rug pull.
17
25
364
1/7 DeFi exploits have recently picked up significantly. So far, there has been at least ~$370M withdrawn from DeFi due to exploits. In the first part of my latest report, you can quickly look at how the attack proceeds and how it is investigated. theblockcrypto.com/research/…
13
91
346
1/7 Euler lost $197M in 6 tokens: - 73.8k wstETH ($116M) - 34.2M USDC - 846 WBTC ($18.6M) - 8k WETH ($12.6M) - 8.9M DAI - 3.8k stETH ($6M) Also, EULER price fell by 52%👇
We are aware and our team is currently working with security professionals and law enforcement. We will release further information as soon as we have it.
16
107
332
160,489
Looks like a stable bank run from @AaveAave v2 Mainly thanks to @justinsuntron😎
21
47
334
1/6 Today, we’re launching The Alpha Challenge, a two-week experiment for the crypto community to test their on-chain analysis skills and for Wintermute to hire top talent We've also collaborated with six companies to provide exciting awards for those who will not be hired👇
18
50
336
114,249
Each time the attacker had more 3crv tokens, which he was later able to swap for stablecoins. Lol, it's funny how so many flash loans have been used. This means that my new research piece about flash loans, which will be released very soon, will be relevant.
10
9
332
1/12 I’m finally home, which means it’s time for a thread about a four-hour attack on Spartan Protocol that resulted in $30.5M being stolen. @Peckshield has already written about the root cause, but there will be more details here as usual. Enjoy👇
11
93
321
How confident do you need to be to buy USDC on one of the ETH POW forks?
25
16
289
5/5 What do we know now?👇 - Despite the use of capital almost equal to the entire UST pool size, it was impossible to keep the peg. - Jump lost hundreds of millions, which doesn’t even include CEXs. - They control 36% of the total staked LUNA.
20
29
286
One of the dumbest things I've seen
It seems like the @THORChain team were well aware of the danger of using tx.origin but they were okay with it 🤔
7
32
285
Sorry, I was rugged by Dune, the actual amount is at least 12.3k SOL (~$2M)
1/6 It seems like @pumpdotfun lost ~2k SOL ($300k+) and a bunch of memecoins through a possible private key leakage So let me share evidence of it👇
17
24
273
113,717
3/8 The top 50 ‘diamond hands’ by the number of tokens have a paper profit ranging from $5M to $2.5B, with an average of $65M. Btw, someone turned $17 into $6.5M, and they can get $4.2M with current liquidity.
6
36
257
8/8 The final tokenomics and the ability to claim tokens are not yet available (due to the absence of Merkle data), but it has already become clear that $WEN is really coming soon
$WEN ⁉️

ALT Intensifies Sooning GIF

20
10
236
1/5 Do you like fancy words like MEV and Flashbots and want to have ‘stress-free passive income’? Then be careful, and don’t get caught by scammers like @mevbots. For half a year of existence, 4.4k addresses independently transferred 1.8k ETH ($2M+) to them👇
12
58
219
Over the past two and a half years, the number of addresses interacting with DeFi protocols has grown from several thousand to over three million. For this reason, over the past few months, I have been fascinated by researching the various characteristics of protocol userbases.
6
60
243
The Wintermute exploiter has one day to return funds👀
27
24
239
1/6 I’m very excited to release new “DeFi Protocol Revenue” charts in @TheBlock__ data dashboard. I have been collecting this data from Ethereum in parallel with all other work for two months now, so the release of these charts is very important for me.
8
64
251
1/6 Sad, but @raft_fi was exploited, and the attacker was able to mint 6.7 uncollateralized R stablecoin The twist is that they converted them into ETH, which was sent to the null address, but first things first👇 nitter.app/raft_fi/status/1723057…
9
48
247
165,606
1/5 How can Defi live without new hacks, right? The new victim is ForceDAO, who didn’t provide the necessary checks in a contract code. Anyone could call the function “making a deposit” even without having FORCE. However, the received xFORCE could be used to obtain real FORCE.
11
60
244
1/9 I looked at my calendar and realized that it was time for a little personal story. It is about how exactly a year ago I quit my job at the most unsuitable moment and what happened in the end. 🧵
20
36
240
1/9 Today I’m starting a new chapter in my life by joining @TheBlock__ family as a Research Analyst. I am very grateful to @lawmaster and all the rest of the team who supported the materials that I published here. Also from today, I will be using my real name Igor on Twitter.
14
19
229
I don't think that @Ledger made all these updates...
🚨🚨🚨 RED ALERT 🚨🚨🚨: Do not interact with ANY dApps until further notice. It appears that a commonly used web3 connector has been compromised which allows for injection of malicious code affecting numerous dApps.
11
34
210
291,893
.@justinsuntron trivially put about a $1B into @LiquityProtocol. Another $2B are in @Ellipsisfi on BSC. The rich get richer, right?
🚨 🚨 🚨 🚨 🚨 🚨 🚨 🚨 🚨 🚨 440,000 #ETH (938,057,953 USD) transferred from unknown wallet to unknown wallet whale-alert.io/transaction/e…
14
37
221
Two failed transactions, why not use admin privileges?
11
17
205
1/9 One of the largest crypto market makers is Wintermute (@wintermute_t). They are currently #1 on Bitfinex based on current month volume, also very active on FTX, and responsible for 40% of dYdX volume in 2020. Let’s see what we can find out from their Ethereum addresses.👇
2
33
214
$ENM hacker used Tornado to fund his address a week ago. Right after that, he claimed $UNI tokens for one of arbitrage contracts and withdrew them to himself in another tx by simulating arb. In theory, this claim could be a hack, which is why a mixer might have been used.
10
53
200
1/9 The @Starknet Provisions Program is here, and 1.3M addresses can claim their part of 720M STRK in one week With the pre-launch price from @aevoxyz, the program size is $1.2B, nearly matching @arbitrum’s So let’s extract insights from the distribution data
12
21
202
52,543
What was stolen ($14M+): - 3,9k stETH - 2.4M USDC - 649k USDT - 257k DAI - 26 aWBTC - 270 aWETH - 296 aETH - 2.3k aAAVE - 4 WBTC - 90k CRV - 43k LINK - 7.3k cETH - 17.2M cUSDC - 69 cWBTC - 142.2M BAO - 38.6k PERP - 30.4k COMBO - 75k PAID - 225k UNIDX - 342 GRO - 19k NDX
16
43
181
9/9 I am sure that the actual damage from this case is greater than this figure, but the continuation of the analysis takes more time. Perhaps later, I will find time to calculate all losses, as I did with Black Thursday. medium.com/@whiterabbit_hq/b…
17
12
180
Looks like casual rug pull. PAID deployer made an attacker the owner of PAID admin contract. This attacker deployed a new implementation contract for PAID token and minted almost 60M tokens.
22
41
172
8/8 According to Nansen, out of the Top 10 traders’ balances, only one sold tokens in the last week. As already mentioned, the main reason for this is the very low liquidity, which will not allow to cash out in size. Let’s see what happens when retail interest disappears
17
16
178
1/6 MakerDAO community was able to convince @a16z to start participating in governance. Five days ago, a16z locked 20k MKR and voted for the current executive proposal. But no one seems to have noticed that before that they also locked in some profits from their investments.👇
5
37
175
6/6 While scaling solutions have successfully lowered fees, they are already starting to run into problems due to adverse activity. My user experience on BSC continues to deteriorate with each day, so it seems like the same will happen with Polygon.
18
12
175
FinNexus (FNX) contract deployer changed the token owner to some address on Ethereum and BSC. This address minted: - 323M FNX ($6M) on Ethereum - 60M FNX ($1.6M) on BSC and started dumping tokens. Rug pull or StOlEn PrIvAtE kEy?
20
26
163
.@1inchExchange token is almost launching. In addition to the 1inch token, 1inch distribution contract and a set of governance and staking contracts were deployed. Get ready to give liquidity into pools with YFI, USDT, USDC, WBTC, DAI, and ETH on Mooniswap to farm 1inch.
11
28
169
2/8 49.5% of the token supply was added to Uniswap after token creation. LP tokens from this pool were sent to @VitalikButerin along with the remaining SHIB. Therefore, Vitalik, instead of selling, can simply withdraw 93% of the pool liquidity without any price impact ($118M).
18
14
157
The question is how did the exploiter validate a Merkle proof that he initiated a large deposit in one of the extremely old blocks? (Bug in a MerkleProof contract?)
7
15
154
1/ Flash loaned 116k ETH from dYdX 2/ Flash loaned 99k ETH from Aave v2 3/ Borrow 134M USDC and 129M DAI using ETH as collateral on Compound 4/ Add 134M USDC and 36M DAI to 3crv Curve pool 5/ Withdraw 165M USDT from 3crv Curve pool 6/ Repeat five times👇
4
10
157
If you don't like Ethereum so much, why, instead of supporting DeFi copycats on your blockchain, you make money on competitor's blockchain?
9
8
154
In the meantime, it seems like @LeetSwap has been exploited
9
23
152
34,307
1/5 Imagine if you could bet on a coin flip but couldn’t lose anything This is how someone stole around $25k from dice9win today, with another $200k was saved by SEAL 911 members Let’s figure out how it works (we have the team's approval)👇
Today is a historic moment for SEAL 911 as it was the first incident where we were able to prevent damage _before_ the attack was carried out. h/t @FrankResearcher for helping with this incident & the anon community member for the intel!
12
21
155
53,961
9/ Stablecoins have been deposited to Aave v2, 1k ETH to IronBank deployer, 1k ETH to Homora deployer, 220 ETH to Tornado, 100 ETH granted to Tornado and almost 11k ETH remain on the exploiter balance. etherscan.io/address/0x90531…
17
6
146
8/8 This is not the first and far from the last time that project teams fork someone else’s code without a deep understanding of its work. It’s pretty foolish to think that CZ will save you if you mindlessly deposit money into projects with anon devs or obscure teams.
7
17
152
1/10 For more than a week, someone has been trying to carry out a governance attack on @SwerveFinance (a dead Curve clone) and steal $1M+ in various stablecoins Let’s figure out why he didn’t succeed and also find out who the exploiter is👇
🚨Swerve Finance is facing a likely governance attack. If for some reason you still have money there, would recommend withdrawing immediately.
9
23
152
167,370
7/7 The interoperability between DeFi protocols is becoming more complex, which opens up new vectors of attacks. This attack was similar in difficulty to the Pickle Evil Jar and will become even more frequent in the future.
7
6
145
1/8 I noticed a few days ago the use of MEV sandwiching and was preparing a Twitter thread but got frontran by @fifikobayashi. In any case, I have additional insights regarding this situation and the current MEV state in general. Let’s go👇
For those of you wondering what MEV sandwiching looks like in the wild: 1. Hop onto block #11955959 etherscan.io/txs?block=11955… 2. Go to the last page and look at the 3 oldest tx's 3. It starts with the victim's tx in the middle buying POLK tokens on uniswap etherscan.io/tx/0x3a6cce1578…
5
46
152
Replying to @FTX_Access @jump_
They withdrew stablecoins from CEXs, and I think you have more answers than I...
5
2
143
He dumped SHIB
12
12
132
7/8 The second one (0x3b45...) also had a lot of activity on Paraswap and made five deposits in Tornado Cash a few minutes before they were withdrawn to a new address. Bad opsec😢
3
4
141
3/3 Consider four transactions: - Larry received UNI from UGP address (18 days ago) - sent 0.05 ETH on DeFi education fund address (16 hrs ago) - swapped UNI on $50k using Uni v3 (15 hrs 55 mins ago) - executed the $10M OTC deal (10 hrs 45 mins ago)
5
6
140
Preparing to SHIB dump on Uni v3
12
15
134
1/8 Time to do a quick overview of my research on DeFi liquidations. Why are liquidations needed, how they work, how keepers harm the Ethereum ecosystem, and as always you can learn much more in 5–10 minutes of reading this piece. But a summary here: theblockcrypto.com/genesis/9…
4
24
140
Donation to Gitcoin
1
8
129
Lol, VIP farmer left
4
11
130