Earlier today, Euler Finance was exploited for over USD 190M. One transaction in particular yielded USD 110M.
We've reverse engineered this transaction trace to recreate the attacker's exact exploit.
Faith
@farazsth98
blockchain hacker | ctfs w/ | prev: vuln researcher (0days in chrome, android) | @farazsth98@infosec.exchange
Faith’s Tweets
It looks like the Hedera hack happened due to insecure handling of delegatecall in its precompiles: github.com/hashgraph/hede. Same bug class that disclosed in multiple chains.
New year, new job, new bugs. Published a write-up about an interesting integer overflow issue in BNB Chain, the 4th largest blockchain.
Quote Tweet
We are now sharing the technical write-up of the vulnerability in @bnbchain that @_fel1x (a security researcher at @jump_) discovered and responsibly disclosed earlier this week: jumpcrypto.com/helping-secure
Due to an unfortunate turn of events, I'm still looking for a remote VR position (browsers). DMs open.
RTs appreciated.
Quote Tweet
I'm really happy to announce that I finally finished the writeup about CVE-2020-9802, a JavaScriptCore JIT bug¹.
Huge thanks to @antoniofrighez and @cutesmilee__ for all the help they provided.
__
¹ shxdow.me/cve-2020-9802/
Building on Cosmos?
Check out our latest blog post for a security focused introduction to Cosmos.
Exploring Cosmos: A Security Primer
zellic.io/blog/exploring
Idea for an actually useful feature for Twitter to put out: allow users to opt out of these new features. I don't want my timeline to be polluted with random bs :(
So, project on ImmuneFi uses signatures incorrectly, resulting in a high severity issue. I report it. Them - "this is a side-effect of a decentralized system using signatories, therefore it's out of scope, but we will give you $500 in good faith". I post a fix, and.... silence...
Just leaving this here before I forget: 6f1b964f4bdc76001a901a0e4af1ec891629da2a9e4e897d3a8c0ce69627c89b
... Reminder to myself to never mention "question" and "M*tamask" in the same tweet..
You only need 1 good hit for it to be profitable. Doesn't matter how long the bot runs for does it?
This begs the question: why does MetaMask (and other wallet providers, I assume) use dictionary words for their mnemonics? 12 words is a good amount, but surely someone has a bot running that randomly generates dictionary mnemonics and checks if there's money on those addresses..
Quote Tweet
9/
Wild-west
Similarly, the @trufflesuite default mnemonic
"candy maple cake sugar pudding cream honey rich smooth crumble sweet treat"
is still being used in the wild in Ethereum today
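Added worked example (written for this page; it is not code from any tweet above, nor MetaMask's or Truffle's implementation): the question above hinges on how BIP39 mnemonics are built. The words are not picked from a dictionary at random; a wallet draws 128 bits from a CSPRNG, appends a 4-bit SHA-256 checksum, and encodes the 132 bits as twelve 11-bit indices into a fixed 2048-word list. The script implements that encoding and validation. Because the real English wordlist is not reproduced on this page, it is replaced by constructed placeholder words (w0000..w2047); the known-default list contains only the Truffle mnemonic quoted in the thread.

```python
import hashlib
import secrets
from typing import List

# Constructed stand-in for the BIP39 English wordlist (2048 entries). The real
# list is not on this page, so index i simply maps to the placeholder "w{i}".
WORDLIST: List[str] = [f"w{i:04d}" for i in range(2048)]
WORD_INDEX = {w: i for i, w in enumerate(WORDLIST)}

# Mnemonics that are public knowledge and therefore unsafe to fund. Only the
# Truffle default quoted in the thread is included here.
KNOWN_DEFAULT_MNEMONICS = frozenset({
    "candy maple cake sugar pudding cream honey rich smooth crumble sweet treat",
})


def entropy_to_mnemonic(entropy: bytes) -> List[str]:
    """BIP39 encoding: entropy || first ENT/32 bits of SHA-256(entropy), split into 11-bit words."""
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 128..256 bits in 32-bit steps")
    cs_bits = ent_bits // 32
    digest = hashlib.sha256(entropy).digest()
    bits = bin(int.from_bytes(entropy, "big"))[2:].zfill(ent_bits)
    bits += bin(int.from_bytes(digest, "big"))[2:].zfill(256)[:cs_bits]
    return [WORDLIST[int(bits[i:i + 11], 2)] for i in range(0, len(bits), 11)]


def mnemonic_is_valid(words: List[str]) -> bool:
    """Recompute the checksum; a random sequence of valid words passes only 1 time in 2**cs_bits."""
    if len(words) not in (12, 15, 18, 21, 24) or any(w not in WORD_INDEX for w in words):
        return False
    bits = "".join(bin(WORD_INDEX[w])[2:].zfill(11) for w in words)
    cs_bits = len(bits) // 33
    ent_bits = len(bits) - cs_bits
    entropy = int(bits[:ent_bits], 2).to_bytes(ent_bits // 8, "big")
    expected = bin(int.from_bytes(hashlib.sha256(entropy).digest(), "big"))[2:].zfill(256)[:cs_bits]
    return bits[ent_bits:] == expected


def generate_mnemonic(n_words: int = 12) -> List[str]:
    """What a wallet actually does: draw CSPRNG entropy first, derive the words from it."""
    ent_bits = n_words * 32 // 3   # 12 words -> 128 bits, 24 words -> 256 bits
    return entropy_to_mnemonic(secrets.token_bytes(ent_bits // 8))


def entropy_bits(n_words: int) -> int:
    """Effective search space for a guessing bot: 11 bits per word minus the checksum bits."""
    return n_words * 11 - n_words * 11 // 33


def is_known_default(words: List[str]) -> bool:
    """The realistic failure mode: the phrase is public, not that it was guessed."""
    return " ".join(words) in KNOWN_DEFAULT_MNEMONICS


if __name__ == "__main__":
    phrase = generate_mnemonic(12)
    print("12 words ->", entropy_bits(12), "bits of entropy; valid:", mnemonic_is_valid(phrase))
    print("Truffle default is a known mnemonic:",
          is_known_default("candy maple cake sugar pudding cream honey rich smooth crumble sweet treat".split()))
```

The all-zero entropy input reproduces the structure of the standard BIP39 test vector (eleven copies of word index 0 followed by word index 3, the checksum nibble of SHA-256 over sixteen zero bytes). With 128 bits of entropy behind 12 words, a bot generating random phrases faces about 2^127 expected attempts per target wallet, so random generation is not what drains funded addresses; phrases that are already public, such as the Truffle default in the quoted thread, are.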
1/ 🫡💿💵🫰
With the advent of digital money, there is a lot of free money floating around waiting to be picked up
Some have made hundreds of thousands
Below are three of my favorite examples:
Honestly this is probably one of the best ways to find "novel" targets for bug hunting. If you're one of the first to be able to figure out how to set up a testing environment that others don't have access to, testing out assumptions and figuring out the system becomes so easy.
Quote Tweet
Replying to @RightNowIn
Aha that was the difficult part :p that's what I would be blogging about. It's hard to put it into a tweet, but you basically need to set up nodes for each network locally + relayers to communicate between the networks + the bridge nodes + deploying contracts. A lot of setup..
Mostly because it's very easy to confirm a smart contract bug by testing it on a forked network. However, it's not so easy to just "fork" a bridge, since it spans multiple networks. Testing on the mainnet / testnet is also obviously out of the question.
Here's to hoping I don't get shafted by the project on Immunefi now. Surely being able to stop the bridge from functioning counts as a critical?😅
Will more than likely blog about this later down the line to make auditing bridges more accessible to all auditors.
Spent the last few days setting up a fully local testing environment for a bridge (multiple nodes + the bridge + relayers), and found a crit. I'm convinced more people don't hunt for vulns in bridges simply due to the sheer complexity of setting up the needed testing environment.
I know I don't do browser vuln research anymore, but it's nice to see glazunov is still a beast at it. Honestly a role model to vuln researchers in any field. The work ethic of this man and the results he puts out is insane
Quote Tweet
Chrome: Design flaw in Synchronous Mojo message handling introduces unexpected reentrancy and allows for multiple UAFs bugs.chromium.org/p/project-zero
Is it time for twitter to die? Find out by following me on m*stodon (not-linked on my profile at all)
Moved over to a new blog (built using gatsby.js) for easier maintenance. I moved over the web3 related blog posts for now: faith2dxy.xyz
Old blog will still stay up for a long time to come though!
Finally getting comfortable with Rust by using the Advent of Code 2022. FeelsGoodMan
Could wrapped tokens like WETH be forced insolvent? This bug I reported in Frontier EVM can depeg the native wrapped tokens in and . $150M+ funds in ecosystem were secured!
My #blackhatusa talk is available. If you're into hardcore Java exploitation then I highly recommend checking it out!
Happy to announce that I'll be joining the team at as an auditor and researcher soon 😄 can't wait to have a fresh start back into security, especially with some old CTF teammates of mine 😩
Short analysis of the SportsDAO flash loan attack from yesterday is out: faraz.faith/2022-11-22-spo
The full exploit is linked in the blog post :)
Recreated the exploit for this here: github.com/farazsth98/rea
Will write a (much shorter this time) blog post about this tomorrow. The bug is actually so stupid lol, no idea why this code even exists..
Quote Tweet
#CertiKSkynetAlert
We are seeing a #flashloan exploit on @SportsDao1.
Contract BSC: 0x6666625Ab26131B490E7015333F97306F05Bf816
Exploit txn: bscscan.com/tx/0xb3ac111d2
The attacker took advantage of the rewards system and gained ~$13.6k
Several young CTF players have asked me about working at . Great place to work, I learned immensely.
Pros: highly-paid, cutting-edge VR job. full remote and async. coworkers are rock stars
Cons: you may have to look at the same code bases for long periods of time
Just found out about dashboard.tenderly.co, works even better than etherscan / snowtrace for getting detailed data on transactions. Would've saved me a lot of time when analyzing the Nereus Finance flash loan attack if I knew about this.
Blog post on the Nereus Finance flash loan attack is out! Contains a very detailed analysis of the attack, as well as a recreation of the exploit and how to do it.
Any feedback is appreciated, and don't hesitate to ask me any questions!
#CertiKSkynetAlert 🚨
Read our full analysis of the flash loan exploit on @novodefi token, Novo, which took place on May 29, 2022.
The incident caused a loss of ~$83K
Read more below 👇
It was also the perfect exercise to fully understand how lending/borrowing platforms work, as well as how the Curve ecosystem works on the Avalanche chain.
My messy notes from the analysis are here:
Just finished analyzing the Nereus Finance flash loan attack. This was the perfect exercise for me to figure out how to break down a complex transaction step by step, and recreate it.
New blog post coming very soon :) transaction here for the curious:
faraz.faith/2022-11-15-tem
Just so the link is clearer sorry. Twitter just removed the link above so the preview looks like it's my mastodon profile lol
It has been a while indeed.
Also I made a mastodon (don't know how to use it yet lol): mastodon.au/@farazsth98
I'm excited to announce is offering a security research internship next summer. Work with the best in the field! If you are a student or PhD, find the details at dfsec.com/#summer-intern US applicants on a student visa are welcome.