👋 We’re looking for an Applied Cryptographer to join the team!
Check out our careers page below or email us at careers@quantstamp.com if you or someone you know may be a good fit 👇 https://quantstamp.com/careers
The topic requires a broad base of knowledge and deeper technical explanation to understand it completely.
Check out Pavel’s full blog post with detailed explanations, PoC scripts, test cases, PoC videos, and more 👇
To summarize the exploitation steps:
1. Execute malicious dApp to post session metadata
2. Wrap malicious deep link into open redirect link on the legitimate dApp
3. Wait for user to proceed with authentication
4. Send arbitrary TX directly into their wallet 😈
More complex web3 applications have actual server-sides with logic beyond the on-chain logic.
So, if this kind of app is vulnerable to an open redirect, it may serve as a delivery point for our malicious deep link.
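As an added example that is not part of Pavel's thread or of any Quantstamp or WalletConnect code, this is the kind of server-side check a dApp can apply to a user-supplied redirect parameter before issuing a redirect, written in JavaScript for Node.js (WHATWG URL API). The function name `safeRedirectTarget`, the origin `https://dapp.example` and every input below are assumptions constructed for the example.

```javascript
// Added example (not Quantstamp's or WalletConnect's code): validate a
// user-supplied redirect target on the dApp's server before redirecting.
// Assumes Node.js with the global WHATWG URL class; all values are constructed.

const APP_ORIGIN = "https://dapp.example"; // assumed deployment origin

// Returns a safe absolute https/http URL string, or null if the target
// must be rejected and the server should fall back to a fixed page.
function safeRedirectTarget(candidate, appOrigin = APP_ORIGIN, allowedOrigins = []) {
  if (typeof candidate !== "string" || candidate.length === 0 || candidate.length > 2048) {
    return null;
  }
  // Control characters and whitespace are stripped or tolerated by URL
  // parsers in ways that can change the scheme; reject them outright.
  if (/[\u0000-\u001f\u007f\s]/.test(candidate)) return null;

  // "//host" and "/\host" are protocol-relative, not local paths:
  // the parser would resolve them to a foreign host.
  if (/^[\\/]{2}/.test(candidate)) return null;

  let url;
  try {
    // Relative paths resolve against the app origin; absolute URLs keep
    // whatever scheme and host they carry, which is checked next.
    url = new URL(candidate, appOrigin);
  } catch {
    return null;
  }

  // Only web schemes are acceptable HTTP redirect targets. This is the
  // check that stops custom-scheme links (wallet URI handlers, javascript:)
  // from being delivered through the dApp's redirect.
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;

  // Same origin, or an explicit allowlist of partner origins; anything
  // else is a third-party destination and is refused.
  const originOk = url.origin === appOrigin || allowedOrigins.includes(url.origin);
  if (!originOk) return null;

  // Drop embedded credentials (user:pass@host), which some clients render
  // in a way that hides the real host.
  url.username = "";
  url.password = "";
  return url.href;
}

// Constructed inputs showing accepted and rejected targets.
const SAMPLE_TARGETS = [
  "/account",
  "https://dapp.example/swap?x=1",
  "//evil.example/",
  "metamask://wc?uri=wc:00000000-0000-0000-0000-000000000000@1?bridge=x&key=y",
  "javascript:alert(1)",
];

function classify(targets, appOrigin = APP_ORIGIN) {
  return targets.map((t) => ({ input: t, allowed: safeRedirectTarget(t, appOrigin) !== null }));
}

module.exports = { safeRedirectTarget, classify, SAMPLE_TARGETS, APP_ORIGIN };
```

Wire this in wherever the dApp reads a `next`/`returnTo` style parameter; if it returns null, redirect to a fixed landing page rather than echoing the parameter. Keeping the allowlist as full origins (scheme + host + port) rather than substrings avoids the classic `dapp.example.attacker.tld` bypass.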
The link above is actually injected into your crypto wallet.
What does the wallet do with that information? It pulls session metadata from the WC bridge to which the dApp has just posted it.
Do you see an attack vector now? 🤔
Crypto wallets implement deep link handlers to catch incoming links, such as WC links, and process the information they carry.
"metamask://wc?uri=wc:21401659-09e2-4d30-8332-6e56ac00fa5c@1?bridge=https%3A%2F%2F0.bridge.walletconnect.org&key=351f50236d7[...]"
When you follow a link in your web browser, the browser knows which resource you want to open. The same happens here: deep links are registered on mobile devices, letting you navigate to the desired app.
WC-integrated wallets implement the following metamask://wc?uri= deep link specification to process the WC protocol links.
How many people know what a deep link is and how it is processed? 🙋
Wallets support two options to inject session parameters: through QR code scanning, or following a deep link.
So, users can choose to scan the QR code with the camera, or copy the link to the clipboard.
Read more about what this looks like 👇 https://eips.ethereum.org/EIPS/eip-1328
So how would a user initiate a session with a malicious dApp? 🤔
When someone connects with a dApp through WC, the dApp displays a QR code to start the authentication process.
The problem? WC doesn’t verify that session metadata is posted from a legitimate origin (dApp).
This means that ANY malicious dApp can pretend to be a legitimate dApp.
WalletConnect (WC) is integrated with around 450+ dApps and 170+ crypto wallets.
They support 1B+ WebSocket connections per day. Just imagine how many users actually use them 🤯
Do you know what is happening behind the scenes when you connect your crypto wallet to dApps?
In this thread, Pavel Shabarkin, Blockchain Security Engineer at Quantstamp, explains how all your crypto can be stolen 💸
Excited to announce that applications are now open for Quantstamp HH1 Denver ⚒️🥳
Have your housing + meals taken care of while earning prizes and hacking alongside the Quantstamp team and other leading devs.
Get more details and apply below 👇 https://lu.ma/tlu8u5pw
’s sturdy repository at commits d5a1660 and 0828965.
Sturdy Finance is a DeFi lending protocol for interest-free borrowing and high yield lending 🧱
For audit scope and results, view the full report 📝 https://certificate.quantstamp.com/full/sturdy
Today I am the new President & CEO of Y Combinator, an organization that is a true magnet for smart ambitious high integrity people who believe technology can solve the problems facing humanity.
And those that believe are those that do.
Looking forward to an epic 2023. 🙏
PSA—LastPass Users 🚨
We’ve encountered reports of information stored in LastPass being compromised, leading to theft of crypto assets. We urge caution around storing mnemonics & private keys in LastPass.
As a precaution, consider moving assets into newly generated addresses.
I think the situation at @LastPass may be worse than they are letting on.
On Sunday the 18th, four of my wallets were compromised. The losses are not significant.
Their seeds were kept, encrypted, in my LastPass vault, behind a 16 character password using all character types.
's lending-borrowing-smart-contracts repo at commits fea59e1, f7c110c and 9b7f7cf.
Pine Protocol offers permissionless NFT-backed loans and NFT financing 🌲
For audit scope and results, view the full report 📝 http://certificate.quantstamp.com/full/pine
— a leader in Web3 security with over $200bn in value secured.
Our portfolio companies will have priority access to Quantstamp audits and will receive additional support for audit preparation and security workshops.
These partners—and their portfolio companies—will have access to a suite of security services that will provide an unparalleled advantage in securely launching and scaling their projects 🚀✨
We're excited to announce a first of its kind security partnership with the best investors in web3.
Promising web3 companies can now ship faster and be first to market without compromising security 🛠️🛡️
"People overstate how rapid a change technology can be, & grossly underestimate the impact.
The tech will make life so easy that if you don't use it, you're disadvantaged."
If you’re a professional Asset Manager or Node Validator, please reach out to co-develop the best solutions to insure your clients' funds 💰 http://chainproof.co #web3 #insurance
), CEO of Chainproof & Head of Quantstamp Germany, discussed smart contract bugs and how to protect against them.
Check out some of our snaps from the event 📸
So how was this attack possible? 🤔
The attacker MUST HAVE known the private key of the ProxyAdmin owner (i.e., Ankr deployer address) since the function upgrade() was protected by the modifier onlyOwner.