-
Web3 Security Portal
🚨 Liquidity risk of wstETH on Aave
There are $7 billion worth of wstETH locked in Aave, but only $16 million liquidity in the Uni v3 pool.
A $10 million trade causes 30% slippage, which is dangerous during large liquidations.
Liquidity for stETH on Curve is also limited — around $170 million.
Such a liquidity shortage in AMMs creates high risks for protocol safety.
🔗 Details
🛡️ Sui Move: A New Model for Secure Contracts
Sui uses objects with unique IDs and explicit ownership, unlike EVM and Solana. This simplifies rights management and reduces the risk of data forgery.
Decentralized access control in Move is built on "capabilities" — special objects that must be owned to perform an action. This ensures compile-time security without complex runtime checks.
🔗 Details
🚨 Tether Identified and Frozen $1.6 Million Linked to Terrorism Financing
Tether assisted U.S. authorities in freezing $1.6 million in digital assets connected to terrorist operations in Gaza. Over the past year, the company has blocked more than 5,000 wallets and frozen over $2.9 billion in suspicious funds.
The platform acts swiftly, leveraging blockchain transparency to combat financial crimes worldwide.
🔗 Details
📉 Investigation into a Major $ALT Scandal
The investigation revealed how @cryptobeastreal deceived followers by denying involvement in the market crash of $ALT from $190M to $3M.
More than 45 related insider wallets sold crypto worth over $11M on July 14, 2025.
This led to a sharp collapse in market capitalization and loss of trust among investors.
🔗 Details
🛡 Malicious Solana Bot Steals Private Keys from .env Files
In July 2025, a dangerous open-source project was discovered on GitHub that disguises the theft of Solana private keys.
The bot’s code secretly sends the keys to the attacker’s server using a fake URL, while simultaneously slowing down the program through infinite loops to hide the attack.
The project appears legitimate with functional features, but on startup, a malicious module activates, resulting in users losing their funds.
Attacker’s IP address: 103.35.189.28, domain: storebackend-qpq3.onrender.com. Always verify repositories before running them.
🔗 Details
🛡️ Recovering Funds from Compromised Wallets with EIP-7702
With EIP-7702, you can recover all assets from a hacked wallet without sending ETH to it. This is done using a paymaster that covers the gas fees and a trusted delegator to manage the recovery.
A Bash script go_eip7702.sh has been released to automate the process with multi-call functionality and owner protection. The script is not fully tested yet, so caution is advised.
🔗 Details
🛡️ Why Wallet UX Is Setting Up Web3 Users for Failure
Signature requests in MetaMask and other wallets often display confusing hex data, misleading users.
Signature attacks are not code bugs, but social engineering and poor UX that can cause users to lose assets by signing malicious transactions.
Many dApps and wallets don’t explain the meaning of signatures, allowing scammers to gain broad permissions to manage tokens and NFTs.
The problem is that users click "Sign" without understanding the risks — opening the door to attacks without any complex hacks.
🔗 Details
🛡️ CoinDCX launched a reward program after a $44 million hack
The $44 million hack affected CoinDCX’s internal reserves, but user funds were not impacted.
The exchange is offering up to 25% of the recovered amount to ethical hackers who help return the stolen stablecoins.
The CEO emphasized the importance of identifying the perpetrators to prevent future attacks.
🔗 Details
🚨 Oracle Drift Assessment Tool
A new tool calculates the maximum price deviations between two oracles before an update is triggered.
This helps identify potential economic losses caused by inaccuracies in oracle data.
Monitor the impact of Oracle Drift on Web3 security.
🔗 Details
💸 Excessive Withdrawal in Notional Finance V3
A vulnerability has been found where the contract withdraws too many funds from the market — instead of the required 100 USDC, it outputs 1,000,000 USDC.
Because of this, assets remain idle in Notional and do not generate income, reducing the interest rate for users.
This leads to a significant loss of income and missed opportunities.
🔗 Details
🛡️ Guardian Defender — new Web3 protection with rewards
Guardian Defender offers free protection after an audit with cash prizes for discovered vulnerabilities.
For clients, it provides an additional layer of security with code review by top researchers.
For hackers — 30-day contests with rewards for critical bugs.
It’s almost like insurance for your smart contracts, paid for by Guardian.
🔗 Details
🚨 Loss of $1.23M due to phishing on Uniswap V3
The victim signed a phishing multi-operation including setApprovalForAll, which gave scammers access to Uniswap V3 position NFTs.
The NFTs were stolen through a smart contract, and the assets were drained.
The main threat — carelessness when signing transactions and approving permissions.
Check all requests carefully and beware of phishing.
🔗 Details
☠️ Detective ZachXBT has claimed that Indian exchange CoinDCX was likely hacked for $44,200,000.
Читать полностью…
🚨 USDT Analysis: Blacklists and Links to Terrorism
Since 2016, over 5,188 addresses have been blocked with frozen assets totaling $2.9 billion, of which 90% are on the Tron blockchain.
41% of the addresses were new, and 54% had already withdrawn the majority of their funds before the block, indicating a high efficiency of laundering.
Financing of terrorist acts was identified through close cooperation between Tether and law enforcement — some addresses were blocked in advance, on average 28 days before public orders.
Exchanges Binance and OKX frequently appear in the movement of funds as both sources and recipients, pointing to weaknesses in controls.
🔗 Details
🛡️ Quantum Attack on Web3 Is Already Near
The cryptography of most smart contracts and wallets based on ECC is vulnerable to quantum computing and Shor’s attack.
The attack is possible even years later — attackers are already collecting encrypted data to crack it later on powerful quantum machines.
Post-Quantum Cryptography (PQC) is the new standard for protection, which has already been approved by NIST and will soon become mandatory for Web3.
Auditors are checking protocols for quantum vulnerability, crypto-adaptability, and support for hybrid signatures.
🔗 Details
🚨 Phishing Attack on X (Twitter)
A fraudulent email is being circulated about a "new login" to your X account.
The "Change Password" link leads to a fake website where you are asked to grant access to an app called "X Helper".
This app can publish fraudulent posts on your behalf and spread malicious links.
The emails look convincing, but you need to carefully check the URL and connected applications.
🔗 Details
🛑 Lost $10K due to a fake MEV bot
A user deployed a malicious contract following a fake tutorial on YouTube and immediately lost nearly 3 ETH.
Funds instantly transferred to the scammer’s wallet after calling the start function.
This is an example of how promises of easy profits lead to big losses.
Be cautious with any smart contracts.
🔗 Details
🚀 OpenZeppelin Solidity Contracts 5.4 Released
Version 5.4 introduces standard Account Abstraction primitives, extended signature schemes, and new security utilities.
A fully audited Account has been added for easy customization and support of multisignatures according to ERC-7821 and ERC-7579.
Now you can use only the necessary code for operation verification and integration with popular modules.
🔗 Details
💰 Funds can get stuck in smart contracts due to errors in the withdrawal logic or improper access control.
The absence of a withdraw() function leads to collected fees or proceeds from NFT sales being permanently locked in the contract.
For example, in the MetaTagNFT contract, ETH from minting accumulates but cannot be withdrawn without a dedicated function.
This is a common error that is easy to avoid by adding a proper withdraw() function.
🔗 Details
🛡️ New large theft of $254K USDT from a wallet
The user gave a malicious approval 50 days ago, and the attacker waited for the exchange of 69 ETH to USDT to immediately steal the funds.
Previously, smaller amounts of USDT were transferred from the wallet, but this time the loss was much larger.
If the approval is not revoked, losses may happen again.
🔗 Details
💀 Danger for DeFi: Fraud in Google Search
Popular queries like Aave, PancakeSwap, and Pendle are filled with fake ads leading to scam websites.
At the core are Punycode attacks, where malicious domains look like the real ones but are traps for users.
Google profits from showing these scams, creating risks for wallets.
🔗 Details
🦅 Pro-Israel Hackers Stole $81 Million — But It Wasn’t About the Money
On June 18, the Iranian exchange Nobitex lost $81 million due to an attack on its hot wallets. The hacker group Gonjeshke Darande stated that this was a political action, and the stolen funds were sent to “one-time” addresses and are lost forever.
Nobitex is connected to the Iranian military and sanctioned groups, making this hack part of the shadow war between Israel and Iran. This incident is an example of using crypto for political cyberattacks in the conflict.
🔗 Details
🛡️ Assessing the Security Maturity of Blockchain Code
In-depth security analysis reveals not only errors but also hidden issues that affect the long-term protection of projects.
Key categories for assessment — arithmetic, authentication, auditing, documentation, and others — help improve maturity and reduce the number of bugs.
Without automated testing and monitoring, the level of security often remains average or lower.
These recommendations will help teams and leaders understand and improve the security of their products.
🔗 Details
⚙️ Ethereum is preparing the Fusaka hard fork in November
The next major hard fork, Fusaka, will be released in November, promising to improve the network’s scalability and security.
Glamsterdam — the next upgrade after Fusaka — will be announced on August 1.
Developers plan to increase the gas limit to 150 million and optimize network performance.
The Fusaka testnet will start at the end of September, with the mainnet launch expected by mid-November.
🔗 Details
🛡️ Dangerous peculiarity of outdated cTokens
Some old compound cTokens return false on failure instead of reverting the transaction.
As a result, a staking contract may incorrectly handle a failed operation, leading to a vulnerability.
This warning is important for those interacting with such tokens.
🔗 Details
🛡️ New Proxy Attack Threatens Millions
The attack intercepts contracts at the moment of deployment, resets initialize(), and silently redirects users to fraudulent logic, while block explorers display everything as usual.
The vulnerability arises from the lack of atomic initialization in OpenZeppelin proxies, creating a narrow front-running window in the mempool.
🔗 Details
🛡️ Invariants in Smart Contracts: Code-Level Protection
Invariants are key properties that must always hold true in a contract to ensure its security.
The article explains how to implement and verify invariants in Solidity using fuzzing frameworks (Echidna, Medusa, Foundry).
Examples based on the ERC4626 standard are considered, including checks on balances and share prices in pools.
Fuzz testing helps to uncover bugs that could lead to vulnerabilities.
🔗 Details
💥 13 Billion RMB Disappeared: The Collapse of the Xinkangjia DGCX Scam Platform
The Xinkangjia DGCX platform froze withdrawals, deceiving over 2 million investors and stealing approximately 13 billion RMB.
The project used fake contracts, a 9-level MLM system, and promised unrealistically high returns of up to 2% per day.
On-chain analysis revealed a classic Ponzi scheme with centralized control of funds and hidden commissions of up to 50% on withdrawals.
Russian and Chinese regulators had warned about the risks, but the platform continued actively attracting investors through deception and fakes.
The collapse of Xinkangjia is a vivid example of the threats in Web3 from services with fake licenses and aggressive marketing.
🔗 Details
🔍 Sherlock launches an audit for Fusaka Upgrade Ethereum
Sherlock has announced a contest to audit the Fusaka upgrade for the Ethereum network.
The @ethereumfndn project always makes security its priority.
New details about the contest and participation conditions are expected.
🔗 Details
🎙️ New episode of the BOUNTYHUNT3RZ podcast
In this episode, they discuss the launch of the bug bounty program in Origin, combating LLM spam, and setting up rewards.
They talk about the challenges of choosing auditors, the differences in crypto security between the early days and now, as well as the importance of ethics in Web3.
Topics include cross-training developers and auditors, and even a love for PHP.
🔗 Details