ThomasKing2014/blocksec_academy

BlockSec Academy

Attack Analysis

• [Aug 5, 2022] How Unchecked Mapping Makes $200M Losses of Nomad Bridge
  [Nomad Bridge | Ethereum]

• [Jun 16, 2022] Our Take on the Inverse Finance Security Incident: Price Manipulation Attack
  [Inverse Finance | Ethereum | Oracle vulnerability]

• [Jun 7, 2022] How a Critical Bug in Solana Network was Detected and Timely Patched
  [Solana Network | Solana | CWE-682]

• [May 31, 2022] How the Mirror Protocol got Exploited
  [Mirror Protocol | Ethereum | Double Claiming Attack]

• [May 18, 2022] The Analysis of FEGtoken Security Incident: Devil’s in the Details
  [FEGtoken | Ethereum | Access Control, Untrusted External Call]

• [May 16, 2022] Revisiting the CashioApp Security Incident [CashioApp | Solana | Access Control]

• [May 6, 2022] How to exploit the same vulnerability of MetaPool in two different ways (Nerve Bridge / Saddle Finance) — What you see is not what you get
  [MetaPool | Near | Pricing Mechanism]

• [Apr 23, 2022] How Akutar NFT loses 34M USD
  [Akutar NFT | Ethereum | DoS Attack]

• [Apr 21, 2022] How to verify a signature in a wrong way — the AssociationNFT case
  [The Association NFT | Ethereum | Double Claiming Attack, Signature Verification]

• [Apr 4, 2022] The Race Against Time and Strategy: About the AnySwap Rescue and Things We Have Learnt
  [Anyswap | Fantom | Access Control]

• [Mar 31， 2022] Tracing the Stolen Fund of the Ronin Bridge [Ronin Bridge | Ronin | Private Key Leakage]

• [Mar 31, 2022] Revest Finance Vulnerabilities: More than Re-entrancy
  [Revest Finance | Ethereum | Reentrancy, Access Control]

• [Mar 13, 2022] [Not All Tokens Are Good] The quick analysis of the Paraluni attack
  [Paraluni | Ethereum | Reentrancy, Unchecked Input Token]

• [Mar 22， 2022] Revisiting the Wormhole Attacks [Wormhole Network | Solana | Access Control]

• [Mar 21, 2022] LI.FI Attack: a Cross-chain Bridge Vulnerability? No, It’s Due to Unchecked External Call!
  [LI.FI | Ethereum | Unchecked External Call]

• [Mar 17, 2022] The short analysis of the flashloan attack to the APE AirDrop
  [BAYC | Ethereum]

• [Feb 3, 2022] When “SafeMint” Becomes Unsafe: Lessons from the HypeBears Security Incident
  [HyperBears NFT | Ethereum | Untrusted External Call, Reentrancy]

• [Jan 28, 2022] When “SafeTransfer” Becomes Unsafe: lessons from the QBridge security incident
  [Qubit Finance | Ethereum]

• [Jan 16, 2022] How a vulnerability is silently fixed by Coin98
  [Coin98 | BSC | Unchecked Input Parameters]

• [Dec 30, 2021] New Integer Overflow Bug Discovered in Solana rBPF [Solana Network | Solana | Interger Overflow]

• [Nov 18, 2021] The analysis of Nerve Bridge Security Incident
  [Nerve Network | BSC]

• [Nov 6, 2021] The Initial Analysis of the bZx Security Incident
  [bZx Protocol | Ethereum | Possible Private Key leakage]

• [Oct 22, 2021] The analysis of Indexed Finance Security Incident
  [Indexed Finance | Ethereum | Price Manipulation]

• [Oct 10, 2021] [The Butterfly Effect] The Compound Security Incident Caused by a Bugfix
  [Compound Finance | Ethereum]

• [Sep 22, 2021] The Real Root Cause of the Vee Finance Security Incident
  [Vee Finance | Ethereum | Unchecked Input Parameters]

• [Aug 28, 2021] A short analysis of the wild exploitation of CVE-2021–39137
  [Ethereum Network | Ethereum | CVE-2021–39137]

• [Aug 15, 2021] The Retrospection of the Poly Network Hack from a Security Researcher perspective
  [Poly Network]

• [Aug 12, 2021] The Further Analysis of the Poly Network Attack
  [Poly Network]

• [Aug 11, 2021] The initial analysis of the PolyNetwork Hack
  [Poly Network]

• [Aug 9, 2021] The analysis of the Zerogoki attack
  [Zerogoki | Ethereum | Price Manipulation]

• [Aug 4, 2021] The Analysis of the Popsicle Finance Security Incident [Popsicle Finance | Ethereum | Double Claim Attack]

• [Jul 21, 2021] The Analysis of the Sanshu Inu Security Incident [Sanshuinu | Ethereum | Deflation Token]

• [Jul 19, 2021]The Analysis of the Array Finance Security Incident [Array Finance | Ethereum | Price Manipulation]

• [May 9, 2021]Price manipulation attack in reality (again): RariCapital incident [RariCapital | Ethereum | Price Manipulation]

• [Jan 3, 2021]Security incident on Seal Finance
  [Seal Finance | Ethereum | Reentrancy]

• [Jan 3, 2021]Deposit Less, Get More: yCREDIT Attack Details [YCredit | Ethereum]

• [Dec 18, 2020]Flash Loan Attack on Plouto Vault
  [Plouto| Ethereum]

• [Dec 3, 2020]Loopring(LRC) Protocol Incident
  [LRC Protocol| Ethereum | Price Manipulation]

Secure Contract Development

Secure the Solana Ecosystem

• [Mar 9, 2022]Secure the Solana Ecosystem (1) — Hello Solana

• [Mar 18, 2022]Secure the Solana Ecosystem (2) — Calling Between Programs

• [Mar 27, 2022]Secure the Solana Ecosystem (3) — Program Upgrade

• [Apr 6, 2022]Secure the Solana Ecosystem (4) — Account Validation

• [Apr 10, 2022]Secure the Solana Ecosystem (5) — Multi-Sig

• [Apr 24, 2022]Secure the Solana Ecosystem (6) — Multi-Sig2

• [Apr 29, 2022]Secure the Solana Ecosystem (7) — Type Confusion

Rust

• [Oct 12, 2021]Rust智能合约养成日记（1）合约状态数据定义与方法实现

• [Oct 17, 2021]Rust智能合约养成日记（2）编写Rust智能合约单元测试

• [Oct 24, 2021]Rust智能合约养成日记 （3）Rust智能合约部署，函数调用及Explorer的使用

• [Oct 31, 2021]Rust智能合约养成日记（4）Rust 智能合约整数溢出

• [Nov 12, 2021]Rust 智能合约养成日记（5）合约安全之重入攻击

• [Nov 23, 2021]Rust 智能合约养成日记（6）拒绝服务攻击

• [Dec 9, 2021]Rust 智能合约养成日记（7）合约安全之计算精度

• [Jan 13, 2022]Rust 智能合约养成日记（8）合约安全之权限控制

• [Feb 25, 2022]Rust 智能合约养成日记（9）合约升级

• [Mar 25, 2022]Rust 智能合约养成日记（10-1）Spuntnik DAO

• [Apr 1, 2022]Rust 智能合约养成日记（10-2）Sputnik DAO::Factory合约解读

• [Apr 24, 2022]Rust 智能合约养成日记（10-3）Sputnik DAO::提案介绍

NFT

• [Aug 5, 2022]Secure Smart Contract Development — Code Reentrancy in NFT Contracts

• [Aug 12, 2022]Secure Smart Contract Development (2) — How to Use Digital Signature and Use It Right in NFT (Markets)

Misc

AML

• [Sept 13, 2021]暴露出来的只是冰山一角：深度挖掘Colonial Pipeline事件背后隐藏的故事

• [Oct 02, 2021][BlockSec AML研究分析之二] Colonial Pipeline事件分析展示界面

Others

• [Sep 18, 2022] Reveal the “Message’’ Replay Attacks on EthereumPoW

• [Sep 8, 2022] A new memory overwrite vulnerability discovered in Wyvern Protocol

• [Aug 24, 2022] BlockSec and GoPlus Reached Strategy Partnership to Explore the Field of “Web 3.0 Security”

• [Mar 7, 2022]How to Make the BlockChain Attack “Blockable”

• [Aug 17, 2021]Tradeoff Between Convenience and Security: Unlimited Approval in ERC20

Twitter

• [Sep 18, 2022] Reveal the “Message’’ Replay Attacks on EthereumPoW

• [Sep 16, 2022] BlockSec Academy | About 61.8% (67.1K / 108.5K) of the #NFT projects are suffering from the holder pooling risk

• [Sep 14, 2022] BlockSec Academy | NFT Assets Off-Chain Risk

• [Sep 9, 2022] DeFi Alert [0xEd850799CF22b66cb4911539425f8A41423D0933 | BSC]

• [Sep 9, 2022] NFT Security Report 2022

• [Sep 8, 2022] A new memory overwrite vulnerability discovered in Wyvern Protocol

• [Sep 8, 2022] $ROI(Ragnarok Online Invasion) Attack Analysis [Ragnarok Online Invasion | BSC | Access Control Vulnerability]

• [Sep 8, 2022] No-Open Source Contract Attack [0x8b068e22e9a4a9bca3c321e0ec428abf32691d1e | BSC]

• [Sep 6, 2022] DeFi Alert

• [Sep 5, 2022] DeFi Alert [0xea41bbd80ac69807289d0c4f6582ab73e96834d0 | BSC | Price Manipulation]

• [Aug 31, 2022] No-Open Source Contract Attack
  [0x40c994299fb4449ddf471d0634738ea79c734919 | BSC | Logic Vulnerability]

• [Aug 24, 2022] KaoyaSwap Attack Analysis
  [KaoyaSwap | BSC | Logic Vulnerability]

• [Aug 17, 2022] Where is the $190M? --An Initial Analysis of the Nomad Bridge Attack Lost Funds [Nomad Bridge | Ethereum | Logic Vulnerability]

• [Aug 16, 2022] Do not directly sell NFT airdrop after ETH merge

• [Aug 12, 2022] Secure Smart Contract Development (2) — How to Use Digital Signature and Use It Right in NFT (Markets)

• [Aug 10, 2022] ANCH Attack [ANCHStake Protocol | BSC | Logic Vulnerability]

• [Aug 10, 2022] XSTABLE.PROTOCOL Attack [XSTABLE.PROTOCOL | BSC | Logic Vulnerability]

• [Aug 8, 2022] EGD_Finance Attack [EGD_Finance | BSC | Price Manipulation]

• [Aug 4, 2022] Freedom Protocol Rug&Pull [Freedom Protocol | BSC | Rug]

• [Aug 2, 2022] Nomad Bridge Exploit [Nomad Bridge | Ethereum | Logic Vulnerability]

• [Jul 14, 2022] SpaceGodzilla Attack
  [SpaceGodzilla NFT | Ethereum | Price Manipulation]

• [Jul 13, 2022] Wash trading to arbitrage on LooksRare
  [LooksRare | Ethereum | Wash trading]

• [Jul 10, 2022] ParallelFi Attack
  [Parallel Finance | Ethereum | Reentrancy]

• [Jul 1, 2022] How to sell an NFT to a buyer with a high price without the buyer's consent
  [Quixotic | Ethereum | Access Control, Signature Verification]

• [Jun 26, 2022] XCarnival_Lab Attack
  [XCarnival_Lab | Ethereum | Access Control]

• [Jun 2, 2022] CoFiXProtocol Exploit
  [CoFiX Protocol | Ethereum | Access Control]

• [May 26, 2022] How is a honeypot contract trapped by an MEV bot
  [Honeypot]

• [May 24, 2022] Hackerdao Attack
  [Hackerdao | BSC]

• [May 21, 2022] bDollarFi Attack
  [bDollar Finance | BSC | Price Manipulation]

• [May 9, 2022] Fortress Protocol Attack
  [Fortress Protocol | BSC | Price Oracle Manipulation]

• [Apr 27, 2022] BnBBrokers Attack
  [BnBBrokers | BSC | Reentrancy]

• [Apr 23, 2022] AkuDreams Exploit
  [Akutars | Ethereum]

• [Apr 21, 2022] Zeed Protocol Exploit
  [Zeed Protocol | BSC | Reward Distribution Vulnerability]

• [Apr 18, 2022] BeanstalkFarms Attack
  [Beanstalk Farms | Ethereum]

• [Apr 13, 2022] ElephantStatus Attack
  [Elephant Money | BSC | Price Manipulaiton, Reentrancy]

• [Apr 10, 2022] Gym Network Attack
  [Gym Network | BSC | Price Manipulaiton]

• [Apr 2, 2022] Inverse Finance Attack
  [Inverse Finance | Ethereum | Price Manipulaiton]

• [Mar 31, 2022] Ola Finance Attack
  [Ola Finance | Ethereum | Reentrancy]

• [Mar 27, 2022] Classic Single-contract Re-entrancy Attack [Rena | Ethereum | Reentrancy]

• [Mar 24, 2022] CashioApp Attack
  [Cashio App | Solana | Access Control]

• [Mar 20, 2022] Scam token BmDoge
  [BmDoge | BSC | Backdoor Function]

• [Mar 15, 2022] Agave Lending Attack
  [Agave Fiannce | Gnosis Chain | Untrusted external call]

• [Mar 15, 2022] Deus Finance Exploit
  [Deus Finance | Fantom | Price Manipulation]

• [Mar 9, 2022] PXPNFTsGame Attack
  [PiratexPirate | Ethereum | Private Key Leakage]

• [Mar 4, 2022] The rough analysis on the BTC donation to Ukraine

• [Mar 3, 2022] How to shop free for NFT

• [Jan 18, 2022] Crosswise Finance Attack
  [Crosswise Finance | Ethereum | Access Control]

• [Dec 30, 2021] SashimiSwap Attack
  [SashimiSwap | Ethereum]

• [Nov 30, 2021] MonoXFinance Attack
  [MonoX Finance | Ethereum]

• [Nov 21, 2021] FormationFi Attack
  [Formation Finance | Ethereum]

• [Oct 28, 2021] CreamFinance Attack
  [Cream Finance | BSC | Oracle Vulnerability]

• [Sep 15, 2021] NowSwap Attack
  [NowSwap Protocol | Ethereum | Semantic Inconsistenty]

• [Sep 14, 2021] KlondikeFinance Attack
  [Klondike Finance | Ethereum]

• [Sep 3, 2021] Siren Protocol Attack
  [Siren Protocol | Ethereum | Reentrancy]

• [Aug 17, 2021] XSURGEDEFI Attack [Xsurge | Ethereum | Reentrancy, Price Manipulation]

Media Coverage

-[Sep 19, 2022] BlockSec detects replay exploit with ETHPoW tokens

• [JULY 10, 2022] Hacker drains $1.4 million worth of ETH from NFT lender Omni

• [JUN 17, 2022] Inverse Finance exploited again for $1.2M in flash loan oracle attack

• [MAY 13, 2022] How to protect yourself from the recent spate of ‘crypto muggings’

• [May 3, 2022]Spate of Exploits Snares Rari Capital and Saddle Finance for $90M Escalation of Malicious Attacks Shows No Sign of Abating

• [May 1, 2022] Fei Protocol Offers $10M Bounty After $80M Rari Capital Exploit

• [APR 22, 2022] Hacker bungles DeFi exploit: Leaves stolen $1M in contract set to self destruct

• [APR 22, 2022] Finance Redefined: Hacker bungles DeFi exploit, dYdx's decentralization goals, and more