https://twitter.com/dWalletLabs/status/1663492997005074433
对项目方有用,对我们来说妹什么用。至少有一个多签名的私钥才能利用,现实情况是做不到的
之前TetherToken的isTrusted也是,Tether根本没添加任何地址
对项目方有用,对我们来说妹什么用。至少有一个多签名的私钥才能利用,现实情况是做不到的
之前TetherToken的isTrusted也是,Tether根本没添加任何地址
Twitter
0d, our superstar cybersecurity research team, discovered a vulnerability in TRON multisig accounts putting over $500M of digital assets at risk - it was disclosed and fixed so there are no user assets at risk now.
A technical breakdown:
https://t.co/nMj6kV6Oc3
A technical breakdown:
https://t.co/nMj6kV6Oc3
https://polygonscan.com/address/0x000000005bccee35410752d9bb942e8d3fd28e85
这家伙复制得挺快啊
HashflowRouter(在ETH、BSC、ARB、POL、AVA)未检查caller是否是authorized
对比OPT上的router (
这家伙复制得挺快啊
HashflowRouter(在ETH、BSC、ARB、POL、AVA)未检查caller是否是authorized
对比OPT上的router (
0xFb1b9A97f1836173390D8bdEaF9004727311A8e1)检查了Polygon (POL) Blockchain Explorer
Contract Address 0x000000005bccee35410752d9bb942e8d3fd28e85 | PolygonScan
The Contract Address 0x000000005bccee35410752d9bb942e8d3fd28e85 page allows users to view the source code, transactions, balances, and analytics for the contract address. Users can also interact and make transactions to the contract directly on PolygonScan.
Dedaub反编译波场:
首先确保你拿到的是runtime bytecode,看里面没有CODECOPY
从开头搜索十六进制50 D3和50 D2,都改成50 34,替换之后就是合法的EVM bytecode可以直接反编译
首先确保你拿到的是runtime bytecode,看里面没有CODECOPY
从开头搜索十六进制50 D3和50 D2,都改成50 34,替换之后就是合法的EVM bytecode可以直接反编译
https://twitter.com/AnciliaInc/status/1681902951168884736
_airdrop exploit,他标出(not yet)的地址攻击不了
ETH上的TADPOLE和GELDPEPE、LadyPepe垃圾币大概1小时前被攻击,获利4个ETH
_airdrop exploit,他标出(not yet)的地址攻击不了
ETH上的TADPOLE和GELDPEPE、LadyPepe垃圾币大概1小时前被攻击,获利4个ETH
Forwarded from bupt.moe
#security
Libbitcoin Explorer 使用了 PRNG 而非 CSPRNG 作为随机数初始源,导致私钥强度不够可能被攻击者猜出。
Libbitcoin Explorer 开发者否认这是一个bug。
编者评:开发者行为很奇怪,据披露文件说在 v2.3.0 (2017年) 的时候还是使用的
https://milksad.info/disclosure.html
Libbitcoin Explorer 使用了 PRNG 而非 CSPRNG 作为随机数初始源,导致私钥强度不够可能被攻击者猜出。
Libbitcoin Explorer 开发者否认这是一个bug。
编者评:开发者行为很奇怪,据披露文件说在 v2.3.0 (2017年) 的时候还是使用的
std::random_device + std::uniform_int_distribution 来作为随机数源的(也不安全), v3.0.0 之后就改成 get_clock_speed() + std::mt19937 作为随机数源了。这个刻意的修改我认为应该是故意削弱随机数发生器的安全性。https://milksad.info/disclosure.html
Exactly Protocol Exploiter 1: 0x3747DbBCb5C07786a4c59883E473A2e38F571af9
exploiter 2: 0xE4f34a72d7c18b6f666d6cA53fBC3790bc9da042
exploiter 3 大部分交互都是3发出的 0x417179df13bA3ed138B0A58eaA0C3813430a20e0
contract: https://optimistic.etherscan.io/address/0x6dd61c69415c8ecab3fefd80d079435ead1a5b4d
给他装到了,操作太多我看不懂呀
exploiter 2: 0xE4f34a72d7c18b6f666d6cA53fBC3790bc9da042
exploiter 3 大部分交互都是3发出的 0x417179df13bA3ed138B0A58eaA0C3813430a20e0
contract: https://optimistic.etherscan.io/address/0x6dd61c69415c8ecab3fefd80d079435ead1a5b4d
给他装到了,操作太多我看不懂呀
Optimism Network Explorer
Contract Address 0x6dd61c69415c8ecab3fefd80d079435ead1a5b4d | Optimistic Etherscan
The Contract Address 0x6dd61c69415c8ecab3fefd80d079435ead1a5b4d page allows users to view the source code, transactions, balances, and analytics for the contract address. Users can also interact and make transactions to the contract directly on Optimistic…
恶俗·茶话会 / 万象更新
https://vxtwitter.com/anciliainc/status/1647374021745606656 [AI Smart Contract Auditor]'s contract rekt
https://x.com/AnciliaInc/status/1701355439504720228
https://etherscan.io/tx/0x00b375f8e90fc54c1345b33c686977ebec26877e2c8cac165429927a6c9bdbec
https://etherscan.io/tx/0x00b375f8e90fc54c1345b33c686977ebec26877e2c8cac165429927a6c9bdbec
X (formerly Twitter)
Ancilia, Inc. on X
.@0x0Audits You probably want to take a look at a tx ending with 65429927a6c9bdbec, Contact us for details.
恶俗·茶话会 / 万象更新
https://x.com/AnciliaInc/status/1709352941541630049 Attack contract: 0x0bb02653ca1c3c4915cae217aa02c16e68ae381a Victim: 0x6705d8196D06DA351371b6E0692fC18504ed4864 (bridge)
out存在重入,每个uuid的签名可多次提款
该bridge同时存在于ETH BSC POL ARB OP AVA CRO FTM BASE网络,只有BSC被搞,其他链上资产已转移
该bridge同时存在于ETH BSC POL ARB OP AVA CRO FTM BASE网络,只有BSC被搞,其他链上资产已转移
BSC上刚创建两天的币LTCW (
txn: https://bscscan.com/tx/0x3f374107c769e924177461700a9eca2cd25f1180b83b203bffa7635bd3be153d
原因是可以调用rebase函数固定销毁池子130个币,总共只有18000多个币
reported by @mload in blocksec chat
0xe96a1c406bb7094f93b47a525cba2e957d2d8b82)爆了,损失10万utxn: https://bscscan.com/tx/0x3f374107c769e924177461700a9eca2cd25f1180b83b203bffa7635bd3be153d
原因是可以调用rebase函数固定销毁池子130个币,总共只有18000多个币
reported by @mload in blocksec chat
BNB Smart Chain Explorer
BNB Smart Chain Transaction Hash (Txhash) Details | BscScan
Binance (BNB) detailed transaction info for txhash 0x3f374107c769e924177461700a9eca2cd25f1180b83b203bffa7635bd3be153d. The transaction status, block confirmation, gas fee, Binance, and token transfer are shown.
https://twitter.com/Phalcon_xyz/status/1732581441278824773
不保密了,直接公开 ThirdWeb exploit
Forwarder.execute -> TargetContract.multicall -> TargetContract.PriviledgedFunction
根本原因:multicall delegatecall自己保留msg.sender为Forwarder,在calldata结尾添加bytes20 address可伪造任意_msgSender
不保密了,直接公开 ThirdWeb exploit
Forwarder.execute -> TargetContract.multicall -> TargetContract.PriviledgedFunction
根本原因:multicall delegatecall自己保留msg.sender为Forwarder,在calldata结尾添加bytes20 address可伪造任意_msgSender
Forwarded from ₿izFeed - DeFi focused Crypto, Business and Finance news
DEFI Scam Check (🔗Telegram)[🌐RU🔀EN]
How to Masterfully Decorate $243m and Get Caught
This is the story of how Grievis (Malone Iam), Wiz (Veer Chetal) and Box (Jandiel Serrano) stole $243m at the victim in August using a sophisticated social engineering attack.
On August 19, 2024, attackers targeted one Genesis lender:
1) Call pretending to be Google support from a fake number to hack personal accounts
2) Call to Gemini support about account hacking
3) Social engineering forced the victim to reset 2FA and send Gemini funds to the hacked wallet
4) Victim used AnyDesk to screen sharing and leaked private keys from Bitcoin Core.
Gemini txn hash
59.34 BTC - August 19 at 1:48 UTC
e747b963a463334c164b0a8fff844f73693272bb2b331adbe2147d70ec196360
14.88 BTC - August 19 at 2:30
UTC
7c7ebed785f0b4d4335d559b14b8215862fbe29db329e3ee0f2a7e64a16ce9e3
txn hash
4064 BTC - August 19 at 4:05 UTC
4b277ba298830ea538086114803b9487558bb093b5083e383e94db687fbe9090
Initial analysis showed that $243m was divided between each party, after which the funds were quickly distributed to over 15 exchanges where they were instantly exchanged between Bitcoin, Litecoin, Ethereum and Monero.
Viz (Vir) received a large percentage of the theft but his dementia and courage allowed him to make a mistake during the screen sharing, revealing his full name during the theft.
Accomplices called him Vir in audio recordings and in chats, special respect to them for their conspiracy
$34.5m
0x3c7a5f2795e73d2b94a9120a643f608cfc45c935
6Friend Visa Light/Dark (Aakaash ) helped him launder money using eXch and Thorswap.
Like Wiz, he also revealed his name during the screen sharing.
Wiz TC address confirmed in the video
0xa212d7441fed6db9ab666ba34e8c4
Greavis (Malone) lives a luxurious lifestyle, buying more cars with stolen money and going to clubs in Los Angeles and Miami with friends, spending $250-500k a night and giving girls Birkin bags.< br />
In videos and chats, many called him Malone and said that he was trading stolen funds on Discord.
Currently $3.5m tied to Grievis is here
0x21d7d256be564191a43553e574c06a4d0
Grivis was found through OSINT in Los Angeles/Miami thanks to friends/girls who posted his location every night on social media.
He also has Instagram account, where he posted photos of himself under his own name earlier this year.
Box (Jandiel/John) played his part by identifying the victim as a representative of the Gemini exchange.
On Discord, Telegram and other Box platforms reuse the same PFP.
Currently $18m is here
0x98b0811e2cc7530380caf1a17440b18f71f51f4e
Danny Trauma (Dane) was active in the internal Telegram chat under the pseudonym Mitch, although his exact role is not entirely clear, although he is known to have access to several bankruptcy databases.
However, his ex-girlfriend leaked all his photos on social media network, so his information became public.
Over the past few weeks, a cluster of Ethereum addresses tied to Box/Wiz received more than $41m from two exchanges that trade luxury goods.
Although most of the funds were converted to XMR, both Box and Wiz accidentally linked the laundered funds.
a) During the screen sharing, Wiz showed the address to which he sent funds for designer clothes
b) Box linked dirty money with clean funds, accidentally reusing the deposit address.
0x6d865235ebb2504d3478fc1dd839100d210144df
12/ With the assistance of the security team, the cyber crimes department and Binance, over $9m was frozen, and over $500k has already been returned.
As a result of the investigation, Box and Grievis were arrested last night in Miami and Los Angeles.
Law enforcement is believed to have seized additional funds during the arrests due to large transfers to that period
https://x.com/zachxbt/status/1836753473343259058&t=0kEtp7M29ov5I RUYfIeIlQ
How to Masterfully Decorate $243m and Get Caught
This is the story of how Grievis (Malone Iam), Wiz (Veer Chetal) and Box (Jandiel Serrano) stole $243m at the victim in August using a sophisticated social engineering attack.
On August 19, 2024, attackers targeted one Genesis lender:
1) Call pretending to be Google support from a fake number to hack personal accounts
2) Call to Gemini support about account hacking
3) Social engineering forced the victim to reset 2FA and send Gemini funds to the hacked wallet
4) Victim used AnyDesk to screen sharing and leaked private keys from Bitcoin Core.
Gemini txn hash
59.34 BTC - August 19 at 1:48 UTC
e747b963a463334c164b0a8fff844f73693272bb2b331adbe2147d70ec196360
14.88 BTC - August 19 at 2:30
UTC
7c7ebed785f0b4d4335d559b14b8215862fbe29db329e3ee0f2a7e64a16ce9e3
txn hash
4064 BTC - August 19 at 4:05 UTC
4b277ba298830ea538086114803b9487558bb093b5083e383e94db687fbe9090
Initial analysis showed that $243m was divided between each party, after which the funds were quickly distributed to over 15 exchanges where they were instantly exchanged between Bitcoin, Litecoin, Ethereum and Monero.
Viz (Vir) received a large percentage of the theft but his dementia and courage allowed him to make a mistake during the screen sharing, revealing his full name during the theft.
Accomplices called him Vir in audio recordings and in chats, special respect to them for their conspiracy
$34.5m
0x3c7a5f2795e73d2b94a9120a643f608cfc45c935
6Friend Visa Light/Dark (Aakaash ) helped him launder money using eXch and Thorswap.
Like Wiz, he also revealed his name during the screen sharing.
Wiz TC address confirmed in the video
0xa212d7441fed6db9ab666ba34e8c4
Greavis (Malone) lives a luxurious lifestyle, buying more cars with stolen money and going to clubs in Los Angeles and Miami with friends, spending $250-500k a night and giving girls Birkin bags.< br />
In videos and chats, many called him Malone and said that he was trading stolen funds on Discord.
Currently $3.5m tied to Grievis is here
0x21d7d256be564191a43553e574c06a4d0
Grivis was found through OSINT in Los Angeles/Miami thanks to friends/girls who posted his location every night on social media.
He also has Instagram account, where he posted photos of himself under his own name earlier this year.
Box (Jandiel/John) played his part by identifying the victim as a representative of the Gemini exchange.
On Discord, Telegram and other Box platforms reuse the same PFP.
Currently $18m is here
0x98b0811e2cc7530380caf1a17440b18f71f51f4e
Danny Trauma (Dane) was active in the internal Telegram chat under the pseudonym Mitch, although his exact role is not entirely clear, although he is known to have access to several bankruptcy databases.
However, his ex-girlfriend leaked all his photos on social media network, so his information became public.
Over the past few weeks, a cluster of Ethereum addresses tied to Box/Wiz received more than $41m from two exchanges that trade luxury goods.
Although most of the funds were converted to XMR, both Box and Wiz accidentally linked the laundered funds.
a) During the screen sharing, Wiz showed the address to which he sent funds for designer clothes
b) Box linked dirty money with clean funds, accidentally reusing the deposit address.
0x6d865235ebb2504d3478fc1dd839100d210144df
12/ With the assistance of the security team, the cyber crimes department and Binance, over $9m was frozen, and over $500k has already been returned.
As a result of the investigation, Box and Grievis were arrested last night in Miami and Los Angeles.
Law enforcement is believed to have seized additional funds during the arrests due to large transfers to that period
https://x.com/zachxbt/status/1836753473343259058&t=0kEtp7M29ov5I RUYfIeIlQ
vxTwitter / fixvx
💖 3.87K 🔁 163
💖 3.87K 🔁 163
ZachXBT (@zachxbt)
14/ My post will be updated as the legal case progresses.
In the meantime mint a free collectible to commemorate the investigation of the stolen $243M below on Zora.
https://zora.co/collect/base:0xb445b5c8deadb38458b857a96cb8b74305a903cd/2
In the meantime mint a free collectible to commemorate the investigation of the stolen $243M below on Zora.
https://zora.co/collect/base:0xb445b5c8deadb38458b857a96cb8b74305a903cd/2
恶俗·茶话会 / 万象更新
DEFI Scam Check (🔗Telegram)[🌐RU🔀EN] How to Masterfully Decorate $243m and Get Caught This is the story of how Grievis (Malone Iam), Wiz (Veer Chetal) and Box (Jandiel Serrano) stole $243m at the victim in August using a sophisticated social engineering…
笑死,Windows 11 一瞬出道
自己电脑,真实姓名,当场下载比特币钱包,当场订外卖,discord连麦。这么离谱的计划居然让他们成功了
自己电脑,真实姓名,当场下载比特币钱包,当场订外卖,discord连麦。这么离谱的计划居然让他们成功了