Skilled Professional (most days). Defends against the bad guys.

East Coast
Kinda laughing right now because I spent almost five years working on a stablecoin named OUSD, that hit 280 million TVL. I minted the first OUSD dollar ever 2,111 days ago.
In a dazzling reverse hack, a substantial chunk of the Platypus hack stolen funds have been recovered. Here's how it worked: (1/4)
Yesterday's sophisticated 50 million Radiant Capital hack happened after attackers trojaned the computers of multiple team members. Team members saw and verified good multisig data on screens, but their hardware wallets signed evil data. 1/7
The 750 ETH hack from EFLeverVault a few hours ago happened because the contract did not verify that flashloan callbacks were actually initiated by the protocol, allowing the attacker to tell the protocol to withdraw large amounts of funds. 1/4
I built a tool to visualize the bytecode executed inside a single ethereum transaction.
Here’s how signature malleability attacks work. Two attacks. If a user signs the same message multiple times, they get a different signature each time. If your code uses a signature as an identifier for blocking actions, users can repeat that action. 1/3
Today's Inverse Finance hack happened because the protocol used Curve pool balances to calculate the value of their LP tokens. This is bad. As the attacker bends the pool, the sum of the balances goes higher. You think you are richer, but then the attacker can reverse it. 1/n
Yesterday's complete hack of Wise Lending was far more complex than reported. Very worth examining. The protocol had added explicit defenses against this style of attack, which the attack then either bypassed or used against the protocol. 🧵 1/21
Found a config bug in multiple projects, totaling billions of dollars in assets, allowing a single key to take over all powers from governance and multi-sigs! 1/7
Things I tell people about AMMs: (running list)
1/2 Found a critical bug today that could have blocked all future actions from a contract-owning governance system. Everyone knows you shouldn't loop over an unbounded array. But this sample contract below can become impossible to run, even without any for loops!
🤣🦜🦜Some people say that the code behind Curve is difficult to understand. Hard to grasp and unintuitive in behavior. With the new deploy of the Curve dollar, devs addressed this directly in the comments. 🤣
After 4.7 years as a security focused smart contract engineer, tomorrow will be my last day at Origin Protocol. 7 products spread out on 5 chains, mid 9-figure TVL, 540+ deploys and upgrades, with 0 user funds lost since I started that role. 1/8
In the two hour old Platypus hack, it looks like the attacker deposited 44 million, borrowed 42 million, and then used the emergencyWithdraw(), which happily gave the attacker the full original deposited funds back - no deductions for the borrow.
I've open sourced my tool to draw contract bytecode. It's intended to provide a quick human readable view of the size and shape of the contract - input to the human visual neural net for contract classification.
Today’s LiFi hack happened because its internal swap() function would call out to any address using whatever message the attacker passed in. This allowed the attacker to have the contract transferFrom() out the funds from anyone who had approved the contract.
1/6 I found a smart contract vuln while reading a blog post! Bacon Protocol published their post-hack writeup, including a snippet of their fixed code, but the fix introduced a new bug.
Over the past two weeks I have been deep diving into Curve's price oracles and have found extremely strange behavior. The oracles don't act like you think they do. They are far more manipulatable than expected. And can be wrong in normal life. Mega 👉🧵
The AzukiDAO, formed to sue Azuki, has had their governance token hacked in a classic signature malleability attack. Remember, an attacker can take a valid, signed signature, and make another, different valid signature over the same data. Sigs are not unique identifiers! 1/3
1/6 Today’s 120 million C.R.E.A.M. finance attack was not a bug in the traditional sense - rather two, otherwise normal, blockchain constructs mixing together explosively. A thread:
Obscure auditing tool day: Pyrometer is a static analysis program that parses solidity code and builds up constraints and relationships between variables as it goes. This allows you to see what possible values variables could hold, or see how data changes code paths.
1/12 Crypto bug bounties have a dark side that is not talked about. A thread:
Last night's 20 million hack of Sonne was more layered than just an empty market bug. The real attack innovation was at the governance layer. If you are using a multisig + timelock governance, you need to check that you are not vulnerable! Here's how it worked. 🧵 1/8
Last night's hack of Arbitrum USDS (9.8 billion created) was caused by a bug in auto-changing users between internal accounting systems. The code half changed the account to the new style, then used that half data to calculate the remaining half of the switch over. 1/5
Here's how CertiK's 3 million dollar hack on Kraken worked. The core trick is that the overall blockchain transaction must succeed in order for the reverted deposit to count. So the attacker raw external called their own contract and ignored their own later revert. 1/n
Heads up! Some Curve ETH pools have a major bug that allows an attacker to manipulate the virtual_price. This includes the largest pool on Curve. 1/5
In ethereum, only contracts that mark themselves with payable methods can have ETH transferred to them. Like most of these rules, it has a glaring exception: Funds from a self destructing contract skip the target contract's logic that would stop the transfer. I automated this.
The Audius hack this week involved two contracts that overlapped the same storage slot (for three different variables). The end of the admin address on the proxy was used by the implementation contract as the value of the initializing and initialized variables. 1/6
The 80 million Fuse hack was a traditional reentrancy bug. Fuse added a fairly sophisticated system for global reentrancy protection on top of the forked Compound contracts, but the exitMarket() method was missing a reentrancy check. (Credit to @samczsun for tracking it down)
A sneaky scam coin has been yoinking its tokens right out of people's wallets, while simultaneously avoiding detection by scam coin detection services. Let's break down how it cloaks its shenanigans. 1/8
Agave (AAVE clone) and Hundred Finance (Compound Clone) attacked on Gnosis chain. The XDAI token allowed the attacker to run code after a transfer (callAfterTransfer), and this was used to attack with reentrancy in each protocol.
Visor finance hack today came down to the victim contract simply asking the attacker if it was authorized to transfer funds on its behalf. Attacker said yes. #Ethereum #hack
This was some magnificent recovery work by @BlockSecTeam. Definitely people to have on your side when things go bad. 5/5
FYI: The version of solidity used to compile the contract is hidden near the end of the contract bytecode (since solidity 0.5.9). Fun way to help track your favorite MEVbot writers.
Yesterday's uwulend 19 million dollar hack involved such a complex attack, combined with such a pile of contract stupidity, that I've not seen a writeup yet that completely explains the attack. 🧵 1/n
PSA: The live Compound codebase has a reentrancy bug. Many forks have been hacked from the same bug. Did you fork Compound? Either fix this bug or never list a token that allows reentrancy. (Above all else, do not modify Compound code to support even more reentrancy.)
I'm going to live tweet some comments as I look over the new EulerSwap code. 1/n
These two ways of transferring ETH below are functionally identical - but there can be a surprising difference in gas usage. In fact the call() version can pay approximately three times more in extra gas per 32 bytes of data returned! 1/5
Security comes from simplicity. 108K lines of solidity for your new protocol - this is not the way.
Had a fantastic weekend doing the @paradigm_ctf challenge. Here's how I solved "Vanity", in which you needed a valid signature from an address with 16 leading zeros: 1/n
1/9 Today's C.R.E.A.M. Hack Explained. Imagine a bank so traditional, that it only loans funds it has… A thread:
1/ I found an AMM bug in a screenshot in my X feed. ZAMM is a hyper gas-optimized AMM. A malicious user can create a new AMM/Coin pair multiple times, allowing them to stash away hidden LP tokens to later rug the pool. Here’s how the bug works:
North Korea hijacking multisigs is now the biggest loss category in crypto hacks. After talking with teams and building three prototypes, I think I know the next security layer in fixing this, and it requires less from signers, not more. 🧵 1/14
Someone tried to attack our protocol today. Hilariously enough attempting to use the same Curve read only reentrancy that I tweeted about. They failed. 1/3
1/6 Yesterday I found that the Frax Convex AMO contract - holding 1.2 billion dollars of stablecoin collateral - was allowing massive slippage when the protocol moved funds in and out - up to 24% in some cases. On a 200 million dollar withdrawal that could be a loss of 48 million.
How to protect against this? Two things: First, Timelock plus governance process for production protocols. Would have given monitoring systems time to fire off, mitigations to be taken, and for users to secure funds / revoke approvals. 6/7
Classic read only reentrancy on Conic today. The Curve pool is buggy, in that it hands off execution to the attacker with only partial updates to its internal state. Thus when the attacker interacts with Conic, and Conic reads from the Curve pool, it gets bad answers. 1/3
Second, if you are signing, and a HW signature doesn't result in a signature visible to others in Gnosis safe, stop the signing process and investigate. 7/7
New bounty hunters have been asking for what a smart contract vulnerability report submission should look like on @immunefi. I made a sample vulnerability report tonight using a recent hack as an example: gist.github.com/DanielVF/66f…
The single greatest thing that has ever happened for EVM security is the OpenZeppelin contract library. Its two current maintainers @frangio_ and @Amxx are unsung heroes of the security space. But there's something you may not realize. 1/6
Welcome to the smallest bug ever. The compound GovernorBravo timelock cannot handle two identical actions that try to queue on the same block.
The single most important advice for a new bug bounty hunter was dropped by infosec_us_team in the Immunefi discord: "Rewire your brain so that instead of hunting for 'bugs' or 'mistakes', you hunt for a specific 'impact'..." Your income will go way up because... 🧵 1/5
I've been using call graphs more and more in internal audits. They are a fantastic way to spot things that are missing, clean up architecture, and view the big picture. I threw together a diagram of the Morpho Blue lending code. What can we learn from this view of the code? 1/n
Here's how the USDC contract avoids making today's 300,000 billion mistake by PayPal. USDC authorizes selected addresses ahead of time for limited total amounts that they can mint, and then subtracts that when they do mint. No fat fingers.
2 million dollar bug bounty. Bug that could take over an entire chain and steal a billion dollars of native tokens. Epic find by a great researcher.
In April I reported two bugs to @SeiNetwork. One that would’ve compromised their $SEI token and another that would’ve halted block production on their network. Both were caught just before the vulnerable code was shipped to production. Details: usmannkhan.com/bug%20reports…
Here it is! "How to find all the bugs in code review" Live audio recording of my unauthorized talk from the top of the stairs, Mont des Arts, Brussels. This goes into my process and philosophy on finding bugs by looking at code, and how to find deep bugs.
Today's Hundred Finance attack has a pretty unique attack loop. Mint, redeem it all - 2, transfer it back to the ctoken contract(!), borrow a lot(!), take the target funds, redeem the big pile of the original currency(!), liquidate the child attack contract, and redeem 1.
Today’s bug in rsETH minted a cool $31,220,047,901,664,100,000 to the Kelp Treasury as a protocol fee. A rewrite of the protocol fee calculations did not take into account that the code was using 1e36 based numbers for the assets. Here’s the details: 🧵 1/6
The 3.4 million dollar Paraswap whitehat rescue across eight chains had an unusual twist in it. Front running by MEVbots was a big concern - some chains don't have private txs. So the team added a new bug that only they could exploit, then used it for the rescue. MEV impossible.
So, it turns out that the Nick L Franklin account was run by DPRK, tied to the Radiant attack, and attempting to hack security researchers. If anyone has conversation screenshots, I'd encourage sharing them. If you haven't screenshotted yet, they have probably been deleted. 🧵
ERC777s actually reenter differently when sending coins vs receiving them! Reentrancy is the classic evil surprise when writing for the EVM. But just when you thought you knew how to defend against it, the ERC777 standard for callbacks on ERC20’s adds this new layer of hurt...
The most basic bug finding skill is splitting up the code into every possible execution path, and then checking each one. Bonus: Each code universe created by splitting if's is simpler and easier to check than the original.
Having been on the receiving end of a bug bounty program and audits, this is easy: Severity: High - Permanent freezing of funds. ETH sent to the contract via self-destruct calls cannot be withdrawn from the contract and cannot be recovered.
I have had enough. It is possible - barely - to securely do onchain multisig stuff. Most have no idea how much work. The problem is the tools. The only way to be secure is to wire together many different tools, use them painfully, and never make a mistake. Rethink time🧵
The number of bugs found in your code is a good indicator of the number of bugs left in your code. More auditors should say this when it's true:
Here's the bug in Seneca's code that is getting users drained. Revoke approvals to them immediately. I've been kicked out of their Discord for trying to warn users, and they are actively deleting messages about this there.
This attack involved far more skills than the average attack. Trojaning, HW wallet interception software, smart contract writing, understanding the org and signing process. Plus a money laundering exit plan. And now these attackers are plus 50 million. They will be back. 5/7
I recently saw a transaction that spent a cool hundred million gas.... for one transfer of an ERC20. Let’s look at what went wrong, and how to save 99,950,000 gas the next time. 1/4
Hospo LP pool rekt from a publicly accessible burn function. This classic attack allowed the attackers to purchase a few tokens, burn the rest of Hospo tokens on Uniswap, inflating the worth of their tokens such that they could swap them for almost all the ETH in the pool.
Replying to @P3b7_
There's a typo in the tweet above: Multisig is a paid service, as indicated in the doc and announced during Ledger Op3n. The EVM version of Multisig is built on Safe, but we went much further, adding Clear Signing, Transaction Check, and Trusted Name to create the security layer. That requires significant engineering work, ongoing infrastructure, 3rd party paid services, and audits to maintain enterprise-grade security. The service fee reflects the cost of sustaining and evolving that protection over time.
The recent hacks on several rebasing, fee-on-transfer tokens happened because the tokens were "cheating" by rebasing out far more dollars than the transfer fees they charged. 1/5
Eggs is the ponzi of the day on Sonic. The smart contract code allows one EOA to permanently lock all collateral inside the contract. Here's how it works: 1/4
Here's the story on how reporting yesterday's deployer timelock takeover issue to projects went. 1/18
We got first place, fastest solve, highest speed bonus, and led all the way on the wargames CTF at EthCC! Amazing team with @mestevez, @drdr_zz, and @BazziBazzani. Booyah!!!
Well, I just went three rounds with a "security researcher" (who was chatGPT in disguise) making reports on our smart contracts. Plausible text and impacts wrapped in magnificent misunderstandings of the basics. gist.github.com/DanielVF/993…
A bug made it to production. A white hat reported it. You know how to keep the bug from being triggered, so no big deal right? Here’s the deal! That the bug made it to production shows that every. single. security. layer. in your contract development process has failed! 1/4
2/2 When you pass a `storage` array in to a function that takes a `memory` type argument, the solidity compiler adds a hidden loop to (expensively) read each slot of the array from storage into memory, before running the function code.
The hardware wallets actually signed `transferOwnership()`, giving control of the lending pool to the attackers. The attackers then integrated these signatures into their attack, so that the transfer of ownership, contract upgrades, and initial theft all occurred atomically. 2/7
“Lord, if my protocol gets hacked, please at least let it be from a new bug that no one has ever seen before, and not because I missed something dumb.” ~me
The attacker forgot to code any way to collect the funds after stealing them, so the funds were locked in the attack contract. They also neglected Flash Loan 101 and allowed anyone to call the flash loan callback code. No check that they had started the flash loan. 2/4
Apple found out that regular users don't install security updates, but do love emoji updates, so they save up emojis to release with important fixes to security. So now when I see an update start with "new emoji", I have a little panik.
164,000 employees and this “this update introduces 8 new emojis”
There were two root causes of the Hundred Finance attack. First, the project set up two wBTC cTokens, one of which was used by the UI, one of which was empty. 1/4
Replying to @nntaleb
More than five million, per Boeing.
TLDR: Never use a signature as a key on a mapping! Know that there can be multiple valid signatures for the same message. 5/5
What everybody wants:
- Transaction batching
What EIP-7702 delivers:
- Accidentally DELEGATECALL your entire account, and all the money, and your identity to the DPRK.
There is no indication at this time that the actual hardware wallets were compromised. It appears that some software was running on computers that intercepted and replaced signing requests. Signatures on the HW wallet did not result in signatures in gnosis. 4/7
This allowed @BlockSecTeam and the project to retrigger the hack, but with one major twist - the project contracts had been upgraded to steal back from the attacker during the hack. 3/4
Here's a visualization I made of my commits on a new contract feature in Solidity. I almost always work this way, with code expanding first as I find more edge cases, then code shrinking as I beat elegance into it by finding better, safer ways to frame the problem. 1/3
I call it a "two parser bug". Two different implementations tracking the same input, and parsing differences cause diverging behavior from different parts of a system. Here's two recent examples used in hacks, and how to avoid them. 🧵1/5
Controversial take: Tooling is far more impactful for security than teaching/writing. People use stuff that makes their life easier. Low-skill devs may not read about the safe way to handle ERC4626 rounding, but they will grab OZ's code all day long.
The new code that the attackers deployed is transferFrom stealing assets from users that have approvals to the lending pool contract. They still continue to steal funds whenever any vulnerable user transfers funds in to their wallet. Please revoke approvals. 3/7
The 1inch Fusion router hack two days ago was impressively difficult to track down. AMM routers are one of the few places that can legitimately use extreme gas optimization. But as a rule don't optimize things that don't need it. Great write up by Decurity - link below.
Response to my first real crit bug bounty, years ago: “After review, most of our methods that [can get rekt] are marked as adminOnly. Therefore, we estimate that this attack is unlikely. Hence we cannot accept this report.” That's... not how secure contracts work. (Immunefi made them pay)
Bacon Protocol hacked this morning via reentrancy. From a preliminary look, it looks like the contract:
1. Did its transfers in a way that allowed a reentrancy attack
2. Did not have reentrancy locks
3. Intentionally called out to any address during the middle of the lend
So, @devtooligan, here's a cursed ERC20 that puts all logic inside events AND passes the solmate tests. Gist in the usual location. Thanks to @drdr_zz for pointing out bugs in the first draft.
Chainlink has a fascinating nested multisig ownership system for its CCIP Bridging platform. Here is the current setup for the permissions to instantly bypass all governance on Arb. TLDR: 6 sigs for instant action. 4 sigs 24h timelock, 2 sigs veto. 1/7
9/12 Daniel’s Second Law: The more likely a crypto project is to write critical bugs, the less likely they are to respond to a bug report or actually pay a bug bounty.
The sneakier attack is that you can modify other people's signatures - just one time - to get another equally valid signature for the same message. The math behind this is here in a great article by @bmancini55 derpturkey.com/inherent-mall… 3/5
If I find a bug that allows users to steal from a protocol, I contact the team first. But if I find a bug that allows a team to steal from users, it's twitter first.
The Astaria project destruction vuln was because a core contract would do a *delegatecall* out to any user/attacker controlled contract. All vaults could be broken by using this to destroy the contract the vaults called. 1/3 *Yes I renamed all the contracts for this diagram.