The future of cross-chain will never be the same.
Introducing CCTP V2 – the next evolution of CCTP, coming to Ethereum, Base, and Avalanche in early 2025, with many more chains to follow.
⚡Faster-than-finality cross-chain USDC transfers
⌛Low latency settlement in seconds vs. minutes
🔒All cross-chain transactions secured by Circle
Join the waitlist today: console.circle.com/cctp
With the recent Fireblocks integration, users can now stake their ETH, get rewards, and use stETH for on-chain activities - including the Fireblocks Off Exchange - allowing Fireblocks users to lock their stETH in a self-custodial collateral wallet to trade on exchanges like Deribit and Bybit.
Learn how to get the most out of using stETH as collateral on Fireblocks below:
https://lnkd.in/dDiSYGHp
🚀🔧 Filecoin (FIL) announced a mainnet upgrade to nv23 (code-named "Waffle") on Aug. 6 at 12:00 UTC. This upgrade will introduce BLS aggregate signatures to the Filecoin Virtual Machine (FVM), support for Homestead and EIP-155 Ethereum transactions, and non-interactive Proof of Replication (PoRep). #BitcoinWorld #CryptoNews #Filecoin #MainnetUpgrade #Waffle
Discover the potential of Rollblock (RBLK) as it gears up for a monumental surge in 2024, surpassing current ICOs and aiming to be the next 100x token.
https://lnkd.in/d_vrtcxv
This is a classic example of incomplete access control. The issue is that while the contract implements a `lockTokens` modifier on the transfer function to prevent token transfers for 10 years, it fails to protect against other ERC20 transfer methods.
The key vulnerability is that the contract doesn't override the `approve()` and `transferFrom()` functions from the ERC20 standard!
While direct `transfer()` is locked for 10 years, an attacker can simply:
1️⃣ Call `approve()` to authorise another address to spend their tokens.
2️⃣ Use that second address to call `transferFrom()` to move the tokens.
Here's how to exploit it:
```javascript
// Assuming you're the player holding all tokens
// 1. Approve another address to spend your tokens
naughtCoin.approve(attackerAddress, naughtCoin.balanceOf(playerAddress));
// 2. From the attacker address, call transferFrom
// This bypasses the lockTokens modifier since it's not implemented on transferFrom
naughtCoin.transferFrom(playerAddress, attackerAddress, naughtCoin.balanceOf(playerAddress));
```
The lesson here is:
1️⃣ When implementing access controls, you need to protect ALL possible paths
When inheriting from a contract (especially ERC20), you need to be aware of all the functionality it provides.
2️⃣ Simply protecting `transfer()` isn't enough if `transferFrom()` remains unrestricted.
This is why it's often recommended to use OpenZeppelin's `ERC20Pausable` or similar patterns that properly handle all transfer methods when implementing transfer restrictions.
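For the defender's side of this lesson, here is an added example (not code from the post, from Ethernaut, or from OpenZeppelin) of a lockup that is enforced on every transfer path rather than on one public function. It assumes OpenZeppelin Contracts v5, where all balance changes in `ERC20` pass through the internal `_update` hook; on v4 the equivalent hook is `_beforeTokenTransfer` with the same three parameters. The contract name, token name and the `TokensLocked` error are made up for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/token/ERC20/ERC20.sol";

// Added example: a NaughtCoin-style 10-year lock that cannot be bypassed via
// approve() + transferFrom(), because the check lives in the single internal
// hook that transfer(), transferFrom(), _mint() and _burn() all go through.
// Assumes OpenZeppelin Contracts v5 (ERC20._update); v4 uses _beforeTokenTransfer.
contract LockedCoin is ERC20 {
    uint256 public constant INITIAL_SUPPLY = 1_000_000 * (10 ** 18);
    uint256 public immutable timeLock; // unix timestamp after which the player may move tokens
    address public immutable player;

    error TokensLocked(address holder, uint256 unlockAt);

    constructor(address _player) ERC20("LockedCoin", "LCK") {
        player = _player;
        timeLock = block.timestamp + 10 * 365 days;
        // Minting is a balance change from address(0), so the lock check below
        // does not trigger here: the restriction applies only to `player` sending.
        _mint(_player, INITIAL_SUPPLY);
    }

    // Every balance change funnels through _update, so guarding it covers all
    // transfer paths, including any added by future ERC20 extensions.
    // Note the check is on `from`, the account losing tokens, not on msg.sender:
    // in a transferFrom() call msg.sender is the approved spender, and keying
    // the check on msg.sender is exactly the gap the original modifier left.
    function _update(address from, address to, uint256 value) internal override {
        if (from == player && block.timestamp < timeLock) {
            revert TokensLocked(from, timeLock);
        }
        super._update(from, to, value);
    }
}
```

A unit test for this contract should assert that both a direct `transfer()` from `player` and a `transferFrom(player, other, amount)` by an approved spender revert with `TokensLocked` before `timeLock`, and that both succeed after it; testing only `transfer()` would have passed the original NaughtCoin as well. The same pattern, a check in the shared internal hook instead of a modifier on one external function, is also how `ERC20Pausable` blocks all movement while paused.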
Smart Contracts Security Researcher | Making Web3 safer | Ex. Senior SEM & SEO
#SpotTheBug nr. 6
The code below is taken from Ethernaut's CTF.
Here is the context of the challenge
"NaughtCoin is an ERC20 token and you're already holding all of them. The catch is that you'll only be able to transfer them after a 10 year lockup period. Can you figure out how to get them out to another address so that you can transfer them freely? Complete this level by getting your token balance to 0."
Do you see the issue? 🙂
#solidity #smartcontracts #smartcontractsecurity #web3
Aayush Giri and Juan Obligado caught this one. You can find their answers in the comments of the original post.
The TL;DR is that the contract below doesn't prevent the `player` from approving a 2nd wallet to spend the tokens on their behalf.
By approving a 2nd wallet, they can call the `transferFrom` function and bypass the lockup period.
🔥Top 10 blockchains with highest TVL ranking from YTD, apart from Ethereum
Tron remains among the top positions with $7.9B (approx. 10% of the whole market's TVL).
Chains like Scroll and Hyperliquid also emerged recently to make it into the ranking
Offchain Labs' Arbitrum One is the first L2 to hit $20B in TVL (Total Value Locked) 🔒
Paving the way for cheap transactions and high throughput on Ethereum.
Which L2 will hit $20B next?
Imagine a company that, beyond securing your crypto assets, can also unlock their potential.
Imagine a company that, beyond maximising rewards, is also secure by design and fully EU compliant.
That’s Sub7 Security.
🛡 Sub7 - Node Operator & Staking Infrastructure
👉 600+ ETH Staked
👉 14+ Operating Networks
👉 200+ Individual Stakes
👉 4 Hosting Locations
📈 All our services and products run on our own bare-metal infrastructure, managed and operated by us, including 24x7 monitoring and secure-by-design principles.
🔓 Unlock the potential of your crypto assets today: https://nodes.sub7.xyz/
Benchmarking for Web3 infrastructure
Jenna Teeman does your team have any plans to publish all your contracts and pre-min addresses in structured format? https://www.linkedin.com/feed/update/urn:li:activity:7272174596773097472/