Binance Square
QuillAudits

Week 76: Current Situation of RIP-7212, Avail Launches Avail Foundation, $MATIC to $POL Migration...

GM! Buidlers
In this latest issue of HashingBits, we're diving deep into Ethereum's Core Developers meetings, covering all the major updates in the Ethereum ecosystem. But that's not all—we'll explore the latest happenings in the Polygon, Starknet & Avalanche ecosystems, along with advancements in the AI & Web3 space. For developers, we're highlighting new tools designed to assist smart contract developers and auditors. And, of course, we'll delve into the headlines about the $235M WazirX multisig wallet hack and LiFi Protocol’s $9.7M loss to a smart contract vulnerability.
EtherScope: Core Developments 👨‍💻
All Core Devs - Execution (ACDE) call #192 Recap
Brief History and Current Situation of RIP-7212: review async & decide on inclusion (soon)
Verkle implementers call #21: proposal to reduce witness size, updates to EIP6800 & EIP2935 and cost of code chunking
Better geographic diversity is optimal, particularly outside of North America & Europe
Blocknative: data viz of self-built blocks, unintentionally increase base fee volatility
EIP7732 ePBS breakout #5: short call, proposer IP leaks requesting headers from builder and consensus spec tests fixes in progress
Nethermind EVMYulLean: EVM + Yul specification, executable, in Lean
Layer1 & Layer2
DefiLlama: narrative tracker features longer lookbacks
Based preconfs are now live on the Helder testnet
Shutterized Gnosis Chain is live
Chromia MVP Mainnet is live
Announcing the Nexus 2.0 zkVM
Simple DVT Update: SSV Goes To Mainnet
TPRO Chain, a new Virtual Chain launches on Aurora
Viction DA testnet is live
ApeChain Curtis testnet launches
Announcing the release of Ceramic-One
Covalent native token migration successful
Blockscan Multichain Explorer (Beta) is here
Tangem launches new cold wallet ring
Introducing Gwyneth — a based rollup synchronously composable with Ethereum
Introducing Polynomial Chain
Introducing Henez - OmniDeFi Liquidity layer
NEAR House of Stake Governance Proposal
Shape testnet is live
LYNC is building a Movement L2
LI.FI compensation scheme
Season 2 ETH.FI claims are live
Curve PegKeeper Assets Regulatory Brief
A Note On Securely Finding Minimum Mean Cycle
Return of the Delegation Voucher
The Fat Bera Thesis
Chainalysis Operation Spincaster
Scroll delayed finalization to investigate potential ecosystem incident, confirmed Rho Markets was application specific
L2BEAT Badges: visual display of L2 features
Announcing the Avail Foundation
ERCs
ERC7743: Multi-owner non-fungible tokens (MO-NFT)
ERC7744: Code index (index contract bytecode)
ERC7746: Composable security middleware hooks
EIPs
EIP7745: Two dimensional log filter data structure
EIP.tools adds RIPs (rollup improvement proposals)
EcoExpansions: Beyond Ethereum 🚀
Polygon
Aggregation Summit is here
Deep dive into Polygon Plonky3
What do Polygon PoS transactions look like if we strip them to app-action transactions?
Weekly Gaming Roundup on Polygon
Polygon sets September 4th date for migration to POL
Starknet
Take a look at Starknet’s Roadmap
All reasons why you should build on Starknet
Starknet Wallet<>Dapp API is getting a major update with Starknet-js V6!
Layerswap x Starknet $STRK Rewards Program is here
Avalanche
Avalanche’s ACP-77 Reawakening? Everything you need to know about ACP-77
Avalanche Interchain Token Transfer Explained
Get started with Avalanche ICTT Starter Kit
DevToolkit: Essentials & Innovations 🛠️
rindexer - open-source, fast EVM indexing tool in Rust
spice - python client for extracting data from the Dune Analytics API
Lodestar v1.20.2: patch for publishing blinded blocks using Lodestar beacon node & Lighthouse/Nimbus validator client with MEV-Boost
Reth v1.0.3: fix for Base mainnet & async Backfill stream
Rindexer, EVM indexing tool in Rust, beta
Echidna v2.2.4: improves fuzzing speed & user experience, adds support for transient opcodes
Audit Wizard adds Cyfrin Aderyn (Solidity static analyzer)
Damn Vulnerable DeFi v4: migrated to Foundry, new challenges: curvy puppet, shards, withdrawal & rewarder
Hackathons, Workshops & Events
Arthur Hayes’ Maelstrom announces Bitcoin grant program of up to $250K per developer
Scroll bounty winners at the ETHGlobal hackathon
Uniswap bounty winners at the ETHGlobal hackathon
Hyperlane bounty winners at ETHGlobal Brussels
Superhack on the Superchain hackathon
Explore the Depths of Knowledge: Research Papers, Blogs and Tweets 🔖
Twitter
Nexus 2.0 zkVM is here
Nic's Stablecoin Syllabus
The Risks and Rewards of (re)staking
How many Web3 users are real
Don't Build an Onchain Game
ELI5 - L3s
IoTeX has released its 2.0 whitepaper
Horizontal Scaling with ZKThreads
The Sink L2 whitepaper thread
Are Rollups Overvalued or Undervalued? An Analysis of Rollup’s Revenue and Cost Structure
A major update to FRI-Binius yields better batching, faster recursion, and smaller proofs
The Economics of L3s
ERC-7739: Readable Typed Signatures for Smart Accounts
Ethereum’s Scalability Crisis: The Execution Layer
A Deep Dive into DeAI Protocol
Deep Dive into Move Smart Contracts
Simple Explanation of EigenDA
Articles
Solidity via-IR compilation pipeline explainer: translates Solidity into Yul (intermediate representation) for optimization rather than direct to bytecode, plan to make default with EOF
Solidity hidden overflow: math expression types cast to highest type used by variables
Solady (Solidity snippets): adds ERC1967 minimal proxies with immutable args, auto verified on Etherscan
Z0r0z sstore3, read/write contract storage using balance & address, license: AGPL v3
Reth Execution Extension (ExEx) examples
OpenAI Scale Ranks Progress Toward ‘Human-Level’ Problem Solving
Research Papers
Anders Elowsson: sealed execution auction, Vickrey slot auction of execution proposal rights, attesters supervise commit/reveal scheme facilitated by builders & beacon proposer
Multi-round MEV-Boost: mitigate negatives of based preconfs & retain benefits of based rollups
Private Heterogeneous Federated Learning Without a Trusted Server Revisited: Error-Optimal and Communication-Efficient Algorithms for Convex Losses
FBChain: A Blockchain-based Federated Learning Model with Efficiency and Secure Communication
Black-Box Opinion Manipulation Attacks to Retrieval-Augmented Generation of Large Language Models
Watch 🎥
Web3 Security Watch 🛡️
Articles
Same Mistake Twice? Decoding LiFi Protocol’s $9.7M Exploit: Post Mortem Report
Another Lazarus Group Attack? Decoding WazirX Multisig Wallet’s $235M Exploit: Post Mortem Report
Minterest $1.4M exploit on Mantle L2 via reentrancy
Security Alliance (SEAL): incident response to Squarespace domain compromise
The $230 million crypto theft at WazirX: a wake-up call for Indian regulators and government
WazirX Files Police Complaint After $230M Hack, Engages With India's Cyber Crimes Unit
Research Papers
Identifying Smart Contract Security Issues in Code Snippets from Stack Overflow
Detect Llama -- Finding Vulnerabilities in Smart Contracts using Large Language Models
Improving the Accuracy of Transaction-Based Ponzi Detection on Ethereum
The Feasibility of a Smart Contract "Kill Switch"
Twitter
A comprehensive analysis of how the WazirX exploit happened
WazirX: PSA on hack
Chain analysis of $230M+ WazirX hack, likely Lazarus linked - ZachXBT
Bloodbath on the WazirX exchange because there is currently no buy-side liquidity
Mudit Gupta’s analysis of the WazirX exploit
ZachXBT’s analysis & fund tracing after the WazirX exploit
Hacks and Scams 🚨
WazirX
Loss ~ $235M
WazirX’s multisig wallet, managed with Liminal, was exploited, losing $235M out of $451M on-chain assets.
The multisig wallet had 6 signatories: 5 from WazirX and 1 from Liminal.
Attackers compromised 3 WazirX and 1 Liminal signatory using phishing.
They directly compromised 2 WazirX signatories and used a fake Liminal UI to trick the others into signing malicious transactions.
Attackers upgraded the multisig wallet to a malicious contract, continuously transferring funds.
ZachXBT traced transactions to Tornado Cash, found test transactions, and linked Bitcoin deposits to the hack.
WazirX blamed Liminal’s system, suspecting payload replacement during transaction verification.
Liminal stated the breach involved a wallet created outside their platform.
Read the post-mortem report for more details about the whole exploit.
Li.Fi Protocol
Loss - $9.7M
The LiFi team deployed the GasZipFacet contract five days prior to the attack to enable gas refueling for bridging transactions.
The attacker exploited an arbitrary call vulnerability via depositToGasZipERC20() in the GasZipFacet contract, allowing unauthorized transactions.
Users with infinite approvals for specific LiFi contract addresses were targeted, enabling the attacker to perform unauthorized transferFrom operations.
The attacker crafted arbitrary transaction calls to execute unauthorized transfers instead of legitimate asset swaps. This drained significant amounts of USDT, USDC, and DAI from the users who had given infinite approval to the LiFi Diamond contract.
Stolen funds were converted into approximately 2,857 ETH using platforms like Uniswap and Hop Protocol, then dispersed across multiple wallets.
Tornado Cash was used to obscure the origins of the stolen funds, making it challenging to trace their final destination.
Exploited Tokens: The primary tokens the attacker got away with include:
6,335,889 USDT
3,191,914 USDC
169,533 DAI
Read the post-mortem report for more details about the exploit.
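The arbitrary-call pattern behind the LiFi loss, beside the defensive shape that avoids it, as an added illustration that is not LiFi's GasZipFacet code: the contract and function names below are hypothetical, and the only LiFi-specific facts are those stated in the bullets above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not LiFi's code. Contract and function names are hypothetical.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

/// VULNERABLE SHAPE: a contract that users have approved forwards a caller-chosen
/// (target, calldata) pair. Because the call originates from this contract, pointing it
/// at a token with calldata transferFrom(victim, ..., amount) spends the victim's standing
/// approval. This is the class of bug the bullets above describe.
contract ArbitraryCallVulnerable {
    function forwardCall(address target, bytes calldata data) external {
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
    }
}

/// HARDENED SHAPE: three independent controls. Any one of them stops the transferFrom
/// drain; together they make the caller's own allowance the only one this contract spends.
contract ArbitraryCallHardened {
    address public immutable owner;
    mapping(address => bool) public allowedTargets; // vetted routers/bridges only

    // Selectors that spend or grant allowances. Never forward these, whatever the target.
    bytes4 private constant SEL_TRANSFER_FROM =
        bytes4(keccak256("transferFrom(address,address,uint256)")); // 0x23b872dd
    bytes4 private constant SEL_APPROVE =
        bytes4(keccak256("approve(address,uint256)"));              // 0x095ea7b3
    bytes4 private constant SEL_PERMIT =
        bytes4(keccak256("permit(address,address,uint256,uint256,uint8,bytes32,bytes32)"));

    constructor() {
        owner = msg.sender;
    }

    function setAllowedTarget(address target, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedTargets[target] = allowed;
    }

    /// Control 1: funds are pulled from msg.sender only, so `from` is never a third party.
    /// Control 2: the downstream call may only reach an allowlisted target, never a token.
    /// Control 3: allowance-moving selectors are refused even for allowlisted targets.
    function depositAndForward(
        address token,
        uint256 amount,
        address target,
        bytes calldata data
    ) external {
        require(allowedTargets[target], "target not allowed");
        require(token != target, "target must not be the token");
        require(data.length >= 4, "missing selector");
        bytes4 sel = bytes4(data[:4]);
        require(
            sel != SEL_TRANSFER_FROM && sel != SEL_APPROVE && sel != SEL_PERMIT,
            "forbidden selector"
        );

        // Pull from the caller, never from an address supplied in calldata.
        // Production code should wrap these in a SafeERC20-style helper, because
        // some tokens (USDT among them) do not return a bool.
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "pull failed");

        // Grant the target exactly `amount` for this call only, then revoke it.
        require(IERC20(token).approve(target, amount), "approve failed");
        (bool ok, bytes memory ret) = target.call(data);
        if (!ok) {
            // Bubble up the target's revert reason unchanged.
            assembly {
                revert(add(ret, 32), mload(ret))
            }
        }
        require(IERC20(token).approve(target, 0), "revoke failed");
    }
}
```

None of this protects a user who has granted an infinite approval to a contract that still has some arbitrary-call path; on the user side, the mitigation is exact-amount approvals and periodic revocation of unused ones.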
Community Spotlight
https://x.com/quillaudits_ai/status/1812741356387016828
https://x.com/quillaudits_ai/status/1813845595788120405
https://x.com/quillaudits_ai/status/1813944615613219277
https://x.com/icphub_VN/status/1813873185127031109
https://x.com/quillaudits_ai/status/1814607085612483046

HashingBits Week 75: Vitalik’s Keynote at EthCC, Optimism’s Superfest, Worldcoin’s L2 Chain, Stor...

GM! Buidlers
In this latest issue of HashingBits, we’re diving deep into Ethereum’s Core Developers meetings, covering all the major updates in the Ethereum ecosystem. But that’s not all — we’ll explore the latest happenings in the Polygon, Arbitrum & Optimism ecosystems, along with recent events at ETHCC & advancements in the AI & Web3 space. For developers, we’re highlighting new tools designed to assist smart contract developers and auditors. And, of course, we’ll delve into the headlines about the $8M Bittensor wallet hack and Dough Finance’s $1.94M loss in flash loan attacks.
EtherScope: Core Developments 👨‍💻
Summary of All Core Devs — Consensus (ACDC) #137
Why is Marius Van Der Wijden against EOF in Pectra?
A look at PeerDAS breakout #3
Deep dive into Censorship Resistance Model
Constantine v0.1: implementations of BLS signatures, BN254 & BLS12–381 precompiles
Lido has implemented the Simple DVT Module powered by SSV
Vitalik Buterin pushes for Ethereum to respond to 51% attacks in a more automated way
Deep Dive into Attestations — A quantitative analysis
Layer1 & Layer2
Péter Szilágyi: SSZ library implemented in Go
RollCall (L2 standards) #6: L1 blob basefee spike discussion & presentations on RIP7728 L1SLOAD precompile & RIP7740 preinstall deterministic deployment factories
Titan Builder eth_sendBlobs: send permutations of blob transactions from a single sender
Kernel Protocol is live
Vesu is live on Starknet
Worldcoin Foundation launches World Chain developer preview
Introducing Puffer UniFi — Puffer’s Based Rollup
Penumbra is live
Skale introducing Pacifica V3 upgrade
LayerZero and Initia are developing an interoperability standard for Cosmos
Introducing Termina: the End State of SVM Scaling
Reducing Evmos Inflation
Announcing Usual public mainnet launch
OEV Network is live
Omni Network launches Streams
Starknet will open staking by end of this year
Introducing the Halliday Commerce Automation Network
Exodus launches Passkeys Wallet
Justin Sun: gas-less stablecoin coming in Q4 on Tron, followed by Ethereum & all EVM chains
TAC is teaming up with Polygon to bring EVM compatibility to TON ecosystem
Notcoin, 1inch, and Sign launch accelerator for Telegram and TON ecosystems
Introducing the Fuel Points Program
You can now track narratives on DefiLlama
dDocs: Onchain Google Docs is here
Introducing Story Network, the World’s IP Blockchain
ERCs
ERC7737: Custom data access model
ERC7738: Permissionless script registry
ERC7739: Readable typed signatures for smart accounts
ERC7741: Authorize operator (via EIP712 secp256k1 signatures)
EIPs
EIP7742: Uncouple blob count between CL and EL
EIP.tools adds EIP-GPT, AI generated summary of an EIP/ERC
RIPs
RIP7740: Preinstall deterministic deployment factories
EcoExpansions: Beyond Ethereum 🚀
Polygon
Polygon Miden Alpha Testnet v3 is Live
Weekly roundup for gaming on Polygon
Take a look at the weekly updates on Polygon
TON is building a zk-powered L2 using Polygon CDK that will connect to the AggLayer
The number of active addresses on @0xPolygon PoS is up 227% since the beginning of the year
Optimism
OP Stack Fjord upgrade is here, cheaper smart wallet passkey verification via RIP7212 secp256r1 precompile & 5–15% lower data availability costs via Brotli channel compression.
SuperFest, the Superchain DeFi Festival, is officially here.
A simple explanation of the superchain
RIP-7212 is now available on the Superchain.
Celo L2 Dango testnet is now on OP Stack
Arbitrum
No-Code Deployer App for Rollups is live in collaboration with Arbitrum
Karak introducing restaking functionality for Arbitrum
Arbitrum has integrated OKX Wallet on their bridge
Three Important ArbitrumDAO Proposals
DevToolkit: Essentials & Innovations 🛠️
Lodestar v1.20.0: lodestar/api package changes exported types, flag to use SSZ APIs with validator client and testnet bootnode ENRs updated.
Besu v24.7.0: adds eth_maxPriorityFeePerGas support and improvements to sync, peering & startup performance
Erigon v2.60.3: adds optional include precompiles flag to tracing
Geth v1.14.7: hotfix for concurrent map read/write bug in v1.14.6
Reth v1.0.1: full node performance improvements, ExEx backfill & RPC fixes
Stereum v2.2: multi-setup support and connection check to test network stability & connectivity
gevm — EVM implementation from scratch written in Go
Hackathons, Workshops & Events
Updates on Devcon 2024: Speaker & volunteer applications are open
Solana Summer Fellowship is here
Superteam Talent Olympics begins: Frontend & Rust track
Explore the Depths of Knowledge: Research Papers, Blogs and Tweets🔖
Twitter
Mysticeti: Reaching the Limits of Latency with Uncertified DAGs
RFC 9591: The Flexible Round-Optimized Schnorr Threshold (FROST) Protocol for Two‑Round Schnorr Signatures
Alice’s Ring Protocol Whitepaper V1.0 is out
Slot-to-Ping and Another Descriptive Measure for Blockchains
Deep Diving Attestations — A quantitative analysis
Maximum Viable Security (MVS): a new framework for Ethereum Issuance
Report of Crypto & Blockchain Venture Capital — Q2 2024
Introducing gas refunds from Flashbots
EVIntent — Darkmatter in MEV
MEV resistant dynamic pricing auction of execution proposal rights
Take a look at the Flashbots Protect Explorer
BTC’s Security Model is Broken?
Busting some myths about Bera Chain
Articles
Anders Elowsson: dynamic pricing auction of execution proposal rights, induces less new MEV & produces high aggregate MEV burn
Have a look at the guide to OpenZeppelin Contracts Initializable
Nethermind Clear: formal verification framework for Yul code
Byteracing: maze solver in Solidity, try to make it more gas efficient
L2 Asset Interoperability via Two-way Canonical Bridges
All the problems in IP
Solana is the reason why L2 rollup chaos started on Ethereum
Improving Predictability in Arbitrum DAO’s Operations
AGI Will Obsolete Blockchains?
On Orchestrating Parallel Broadcasts for Distributed Systems
Pointenomics 101: Mastering the New Language of Crypto Incentives
Multiple Concurrent Leaders
A blog post on how Family Wallet was built
Research Papers
eyeballvul: a future-proof benchmark for vulnerability detection in the wild
SpiralShard: Highly Concurrent and Secure Blockchain Sharding via Linked Cross-shard Endorsement
BriDe Arbitrager: Enhancing Arbitrage in Ethereum 2.0 via Bribery-enabled Delayed Block Production
Tactics, Techniques, and Procedures (TTPs) in Interpreted Malware: A Zero-Shot Generation with Large Language Models
Enhancing Privacy of Spatiotemporal Federated Learning against Gradient Inversion Attacks
Github
Web-solc: adapter to fetch/run specific version of Solidity compiler in the browser
ERC3770 (Rust): helper method for ERC3770 chain specific addresses
RicMoo’s Firefly Pixie: open source hardware wallet
Watch🎥
Web3 Security Watch 🛡️
Articles
Dough Finance $2M exploit via unvalidated calldata
Crypto’s Achilles’ Heels?
Scam Sniffer’s Mid-year Phishing report
Introducing Safe Harbor: Your Last Line of Defense Against Active Exploits
CryptoISAC launched as a community of CeFi, DeFi, audit, infrastructure, and other cryptocurrency-related projects.
Twilio says hackers identified cell phone numbers of two-factor app Authy users
New OpenSSH Vulnerability Could Lead to RCE as Root on Linux Systems.
After a 10-Year Wait, Mt. Gox Bitcoin Is Finally Being Returned.
Karma served: Pink Drainer gets hit with address poisoning scam.
Inferno Drainer is active again, per SlowMist. The drainer group reportedly stopped operating in November last year.
Coinbase-posing scammers steal $1.7M from a user amid a string of attacks.
Research Papers
Abusing the Ethereum Smart Contract Verification Services for Fun and Profit
Real-time Cyberattack Detection with Collaborative Learning for Blockchain Networks.
Performance Evaluation of Hashing Algorithms on Commodity Hardware
Vulnerability Detection in Smart Contracts: A Comprehensive Survey
Twitter
Tayvano: example of a Lazarus attack, contact via socials and then compromise via GitHub repo
Multiple crypto projects had their domains hijacked following a DNS attack targeting web hosting service provider Squarespace.
Fake X accounts lead to record-setting crypto phishing attacks of $341 million.
Are your funds SAFU?
Hacks and Scams 🚨
Bittensor
Loss ~ $8M
July 2, 7:06 PM UTC: The attacker begins transferring funds from compromised wallets to their own wallet.
July 2, 7:25 PM UTC: The Opentensor Foundation detects an abnormal increase in transfer volume and assembles a war room.
July 2, 7:41 PM UTC: Validators on the Opentensor chain are placed behind a firewall, and Subtensor is switched to safe-mode to halt all transactions.
July 3: The team identifies the attack source as a malicious package in the PyPI package manager, version 6.12.2, which compromised user security.
The malicious package masqueraded as a legitimate Bittensor package and intercepted unencrypted coldkey details when users decrypted their keys.
Affected users were those who downloaded the Bittensor PyPI package between May 22, 7:14 PM UTC, and May 29, 6:47 PM UTC, and performed operations involving key decryption.
The compromised package (6.12.2) was removed from the PyPI repository.
The Subtensor and Bittensor code on GitHub was thoroughly reviewed; no additional vulnerabilities were found.
OTF contacted several cryptocurrency exchanges to trace the attacker and attempt to recover stolen funds.
The Bittensor community actively supported the investigation and mitigation efforts.
After the code review, normal operations of the Bittensor blockchain will gradually resume, with regular updates provided to the community.
Users are advised to create new wallets and transfer their funds once the blockchain resumes operations and to upgrade to the latest version of Bittensor.
Future enhancements include stricter access and verification processes for packages, increased frequency of security audits, implementation of best practices in public security policies, and improved monitoring of package uploads and downloads.
Dough Finance
Loss — $1.94M
On the morning of July 12, 2024, Dough Finance suffered a flash loan attack, losing approximately $1.94 million in user funds.
Cyvers detected multiple suspicious transactions involving Dough Finance.
The hacker stole $1.8 million in USDC and swapped the funds to Ethereum (ETH) using the zero-knowledge (ZK) protocol Railgun, obtaining 608 ETH.
Olympix revealed the exploit was due to unvalidated calldata within the ConnectorDeleverageParaswap contract, allowing manipulation of contract data and fund transfers to an Externally Owned Account (EOA).
A second attack occurred, resulting in an additional loss of $141,000 in USDC.
Despite the attack, Cyvers confirmed that Aave’s pools remained unaffected.
Dough Finance urged users to withdraw their remaining funds and identified and closed the exploit.
The team reached out to the attacker via an on-chain message, offering to discuss a bounty if the exploit was conducted as a white or grey hat and requesting the return of the funds by July 15, 2024, at 23:00 UTC.
Dough Finance assured the community they are actively working to recover the funds and make investors whole.
This week, various DeFi projects, including Compound Finance, were compromised in a phishing attack involving a DNS domain redirecting users to a fake website that drained funds. Affected projects urged customers not to interact with the websites until further notice.
Community Spotlight
https://twitter.com/quillaudits_ai/status/1811290907922117015
https://twitter.com/quillaudits_ai/status/1810653169787220135?
https://twitter.com/quillaudits_ai/status/1809508585170178268?

Week 74: Vitalik on Faster Tx Confirmations, zkSync’s Elastic Chain, QuillAudit Reports $1.4B Los...

Curated by QuillAudits
GM! Buidlers
In this latest issue of HashingBits, we're diving deep into Ethereum's Core Developers meetings, covering all the major updates in the Ethereum ecosystem. But that's not all—we'll explore the latest happenings in the Sui, Aptos, Solana & zkSync ecosystems, along with recent advancements in the AI & Web3 space. For devel…

Week 71 - Vitalik’s Proposal, zkSync's $ZK, Solana's Smart Wallet, Polygon's 1B POL Grants & $23....

GM! Buidlers
In this latest HashingBits issue, we're diving deep into Ethereum's All Core Developers Consensus Call #135, covering all the major updates in the Ethereum ecosystem. But that's not all, we will dive into what's happening in zkSync, Polygon, and Solana ecosystems, along with recent advancements in the AI & Web3 space. For developers, we're highlighting new updates in tools designed to assist Smart contract developers and auditors. And of course, we're also digging into the headlines about UwU Lend's whopping $23.1M exploit and Loopring's recent $5M loss due to vulnerabilities in Guardian 2FA.
EtherScope: Core Developments 👨‍💻
Summary of All Core Devs - Consensus Call (ACDC) #135
Naming F-starname Upgrade: Discussions for Post-Electra upgrade.
Updates on PeerDAS breakout #1
Lido Finance introduces Restaking for $stETH.
MetaMask launches pooled staking for Ethereum, excluding US and UK users.
Twiga for the coming Electra upgrade is here!
Devcon tickets & tracks: Ticketing types, timelines & tracks are live!
Uniswap Labs acquired Crypto: The Game (onchain Survivor)
SEC Chair Gensler expects spot ETH ETFs S-1s to be approved over US summer.
Over 27% of the ETH supply is now staked, up from 24% in January.
Ethereum Transactions Over Radio? How does that work?
Layer1 & Layer2
Stable Coin $wcgUSD is now live on Linea!
Update on the TVL of Layer 2 Ethereum Scaling Solutions.
Huge Liquidation causes 25% drop in CRV
Blobs, Reorgs, and MEV-Boost: Analyzing Ethereum's Latency and Security Dynamics
Vitalik proposes a New Approach to Layer 1 Transactions.
Preconfirmation designs compatibility with proposed ePBS
Proposal to use torrents for distributing pre-merge data (EIP4444 history expiry)
OP Stack Permissionless Fault Proofs live on OP mainnet, now a stage 1 L2 (limited training wheels)!
A look into the RIP 7212 Deployment status on Layer 2 chains
Based preconfs are now live on devnet!
ERCs
ERC7720: Deferred Token Transfer
ERC838 (resurrected): ABI specification for REVERT reason string
ERC7721: Lockable extension for ERC1155
ERC7722: Opaque token
EIPs
Meta EIP7723: Network upgrade inclusion stages
RIPs
RIP7724 (clone of EIP7667 for zk rollups): Raise gas costs of hash functions
EcoExpansions: Beyond Ethereum 🚀
zkSync
zkSync introduced the $ZK token. Check your airdrop eligibility.
ZK Nation was introduced.
zkSync’s mainnet deployment of v24 is now complete!
Deep Dive Analysis: Allocation of ZK Tokens to 13,000 Wallets with 0 tx in zkSync.
A look into ZK Tokenomics
Matter Labs (zkSync) is dropping all trademark applications for the ZK term!
zkSync is now live on Uniswap!
Polygon
Polygon Creates New Grants Program, 1B POL Unlocked Over 10 Years for Buidlers!
Agglayer-rs repository is now open-sourced.
Toposware, along with Polygon, is building a type 1 zkEVM prover.
Introducing - Polygon Governance Hub!
Have a look into Polygon’s DeFi Roundup!
Solana
Solana’s first Smart Wallet is here!
Circle’s Programmable Wallets now support @solana!
Solana-Based Startup TipLink Launches Wallet Adapter.
Phantom acquires Bitski to accelerate crypto adoption.
Solana Pay is now on Shopify!
SolanaFM’s Explorer 2.0.0 is here.
Solana got an update: v1.18 is here!
Rise In and WBA Launch Developer Education Program to Train New Solana Developers
IslandDAO presents Koh Solana (Sep 25th - Oct 25th)
DevToolkit: Essentials & Innovations 🛠️
Etherscan now features a Card for Tokens to display security risks!
Remix v0.50.0 is here: Pin plugins and use ZK-ethers in JS/TS scripts!
RustRover is out now!
Quicknode launched a Builder’s guide.
Here are some Tips to rewrite EVM contracts to support Solana.
Lighthouse v5.2.0 is here: adds in-memory tree-states, optimized epoch & block processing and execution client version in graffiti.
Besu got an update: v24.6.0: Java v21 now minimum version and historic trie log data removed by default.
Foundry show-progress flag is here: live progress of fuzz & invariant tests
Take a look at the EF JavaScript team roadmap
PBS Snapshot is here: Create MEV data snapshots
Hello World EigenLayer AVS is now also available in Rust!
Explore the Depths of Knowledge: Research Papers, Blogs and Tweets🔖
Twitter
Vitalik suggests which narratives to focus on
Ripple introduces the XRPL EVM Sidechain & Ripple USD (RLUSD)
Zapper announces Zapper Protocol: Powered by $ZAP
How has EIP-4844 impacted L2 costs?
Helius CEO talks about Hivemapper!
The ULTIMATE Solana Reading List!
A Deep Dive into DePIN
Articles
Quantifying code complexity: CK, Martin & Halstead metrics using Slither printers
Guide to create a simple Solidity linter using Slang (Nomic Foundation’s compiler APIs)
Crypto and AI: A $20 Trillion Megatrend?
ERC-7201 Storage Namespaces Explained
Ethena: Delving into the Mechanics and Risks of USDe
Blob Adoption and Utilization - Insights from the first 85 days
Forced Transactions vs Based Sequencing: What's it all about?
How does Everclear: The First Clearing Layer work?
How Crypto is Shaping the Future of Online Shopping!
Open Access Supercomputing Foundation announces the tokenomics of AO, the decentralized supercomputer!
The Restaking Wars: Eigenlayer vs Symbiotic
Research Papers
Should my Blockchain Learn to Drive? A Study of Hyperledger Fabric.
Demystifying the Characteristics for Smart Contract Upgrades
Blockchain Integrated Federated Learning in Edge-Fog-Cloud Systems for IoT based Healthcare Applications: A Survey
Optimizing Exit Queues for Proof-of-Stake Blockchains: A Mechanism Design Approach
SAMM: Sharded Automated Market Makers
Watch🎥
Web3 Security Watch 🛡️
Articles
A Deep dive into Security Tips & Devices for Digital Nomads.
Identifying Red Flags in Smart Contracts: A Guide to Spot Security Risks in Solidity Smart Contracts
Nirvana Finance co-founder recounts the ‘worst day’ of his life.
A Guide on how to recover Funds with HackedWalletRecovery Tool
Awesome On-Chain Investigations HandBook 2.0: A MUST Read!
Research Papers
Benchmarking of Jailbreak Attacks on LLMs
Security of AI Agents
Scalable UTXO Smart Contracts via Fine-Grained Distributed State
Twitter
Root cause analysis of UwU Lend: A Deep Dive
Yolo Games exploited for $1.5M
Ronkathon - rust implementation of a collection of cryptographic primitives
Hacks and Scams 🚨
UwU Lend
Loss ~ $23.1M
UwU Lend, launched by Frog Nation's former CFO Sifu, was hacked for $23.1M via price manipulation.
The first attack on June 10, 2024, resulted in a $19.4M loss; the second attack within two days caused a $3.7M loss.
The attacker used three transactions to convert stolen $WBTC and $DAI into $ETH, funded by Tornado Cash.
UwU Lend paused the protocol for investigation an hour after acknowledging the exploit.
Despite a recent security audit from Peckshield, the hack exposed a price discrepancy in UwU Lend's oracles.
The attacker used a flash loan to manipulate the price feed, exploiting the difference between sUSDe borrowing and liquidation rates.
Curve founder Michael Egorov lost over 23.5M CRV ($9.85M) deposited into UwU Lend.
The attacker deposited tokens into Curve’s Llama Lend and borrowed over 8M crvUSD ($8.11M).
LlamaLend's CRV market lenders hard-liquidated the hacker's position.
UwU Lend offered a $5M bounty to catch the exploiter.
Find more details about the exploit - here
Loopring
Loss ~$5M
Loopring, a ZK-rollup based protocol on Ethereum, revealed a hack compromising its two-factor authentication Guardian wallet recovery service on June 9, 2024.
Approximately $5 million was drained from wallets protected by Loopring’s Guardian service.
The Guardian service allows users to name trusted wallets for security tasks, like locking or restoring a compromised wallet.
The hacker bypassed Loopring's Official Guardian service, initiating recoveries on wallets with a single guardian without user consent.
According to Loopring, wallets with multiple guardians or third-party guardians remained secure, as transactions require more than half of the guardians.
Loopring disclosed two wallet addresses involved in the breach, with one wallet draining about $5 million from affected accounts.
The protocol is collaborating with Mist security experts to understand the 2FA service compromise and has suspended Guardian-related operations temporarily.
Loopring stated that after suspending these operations, the breach was contained.
The protocol is working with law enforcement to track the hacker.
Community Spotlight
#NYCTechWeek is an absolute whirlwind of innovation!
Week 70 - peerDAS on electra, StarkWare’s ZK Scaling to Bitcoin, AI&ML for Web3, DMM Exchange Los...

GM! Buidlers
This issue of HashingBits features a detailed writeup on Ethereum All Core Developers Consensus Call #134, highlighting the integration of peerDAS into Electra. It also covers StarkWare's plans to bring ZK scaling to both Bitcoin and Ethereum. The issue includes ecosystem updates on Solana, Aptos, and Polygon, as well as insights on AI & ML for Web3. Additionally, it provides developer tools for smart contract auditing and Solidity developers. Furthermore, it offers insights into how DMM Exchange was exploited for $305M and Velocore's loss of $6.8M due to a smart contract vulnerability.
EtherScope: Core Developments 👨‍💻
ENSv2: The Next Generation of ENS
Ethereum All Core Developers Consensus Call #134 Writeup - peerDAS is going into electra!
Ethereum futures hit record highs following spot ETF approval
Bolt – Enabling trustless pre-confirmations on Ethereum
Ethereum's UX Improvements
Dynamic Ethereum Roadmap
Potential process improvements for AllCoreDevs
The Ethereum Government: How Code Changes Are Made to the World’s Most Sprawling Blockchain
Layer 1 & Layer 2
Iota launched the mainnet of IOTA EVM, an EVM-compatible Layer 2 for the Iota network.
Fhenix: Building a Confidential Future for Ethereum
StarkWare plans to bring ZK scaling to Bitcoin alongside Ethereum
The current state of SNARKs
Layer 2s as cultural extensions of Ethereum - Vitalik
Introducing RISE pevm: EVM execution on steroids!
Rollup.wtf dashboard: L2 real-time performance showing TPS, MGas/s & KB/s
EIPs
EIP-7718: Portal Wire Protocol, a framework for discv5
EIP-7719: P2P History Network
EcoExpansions: Beyond Ethereum 🚀
Solana
Solana saw nearly half a million tokens launched last month
Solana To Ditch Token Burning and Divert 100% Of Priority Fees To Validators
Solana Staking Protocol Sanctum Announces $CLOUD Tokenomics
Polygon
Polygon Labs acquires Toposware, pushing total ZK investment to $1B
v2 of the Polygon Miden alpha testnet
QiDaoProtocol integrates $MAI on Polygon PoS
zapit_io integrates Polygon PoS, letting users on/offramp assets on their P2P exchange
Aptos
IONet and Aptos: Redefining AI Performance and Scale
Discussing Aptos Unity SDK: Simplified Logins & Transactions
Mereo Revolutionizes Fan Engagement with On-Chain Journeys on Aptos
Aptos Integrates Chainlink's CCIP and Data Feeds to Boost Decentralized App Development
DevToolkit: Essentials & Innovations 🛠️
Announcing Lita's Valida zkVM & C Compiler
Monomer SDK – Cosmos Tech on Ethereum Rollups
Compiler Fingerprinting in EVM Bytecode
Runtime Verification Simbolik: Solidity debugger VS Code extension, private beta
Tevm (TypeScript EVM toolkit): in browser devnet & Solidity scripting
Foundry adds Vyper support: deploy, test, debug & write scripts
Hardhat v2.22.5: adds limited support for blob transactions & hardhat-tracer reenabled
Slither v0.10.3: reduces false positives & improves performance
Snekmate (Vyper building blocks): module-friendly contracts, uses Vyper v0.4.0rc6
Prool: simulate local/bundler/indexer node over HTTP for TypeScript test runners, e.g. Vitest
EVMole: improved accuracy in function argument extraction
Explore the Depths of Knowledge: Research Papers, Blogs and Tweets🔖
Twitter
Thoughts on Polygon Miden
Bringing transparency to DePIN token incentives
Evaluating token economics for DePINs: cost estimation
Can crypto help solve the walled garden challenges around data for AI products?
Proof of Virality - Some thoughts on socialfi, memecoins, and consumer crypto below.
Curious how Coinbase’s new smart wallet works?
Why are there so many L2s coming out? Do we need yet another chain? When will it all end?
Articles
How Would a Blockchain-Based Decentralized AI System Work?
Telegram-Based Wallet Bot Introduces Stricter KYC Rules
Electric Capital: 2024 Crypto Insights
EigenLayer: Intersubjective Faults, Token forking, bEIGEN & more
Real World Assets - All assets will move on-chain
Research Papers
Federated TrustChain: Blockchain-Enhanced LLM Training and Unlearning
FACOS: Enabling Privacy Protection Through Fine-Grained Access Control with On-chain and Off-chain System
Fantastyc: Blockchain-based Federated Learning Made Secure and Practical
Decentralized Physical Infrastructure Network (DePIN): Challenges and Opportunities
Blockchain-aided wireless federated learning: Resource allocation and client scheduling
Model-based Analysis of Mining Fairness in a Blockchain
Watch🎥
Web3 Security Watch 🛡️
Articles
Decoding the Role of Artificial Intelligence in Metaverse and Web3
Simplifying & Understanding Real-World Assets
Ebury Botnet Expanding: Malware Continues to Steal Cryptocurrency
The Web3 Security Tool That CHANGES THE GAME — Glider Tutorial.
Research Papers
Fast and Secure Decentralized Optimistic Rollups Using Setchain
It Takes Two: A Peer-Prediction Solution for Blockchain Verifier's Dilemma
Stealing Trust: Unraveling Blind Message Attacks in Web3 Authentication
All Your Tokens are Belong to Us: Demystifying Address Verification Vulnerabilities in Solidity Smart Contracts
Twitter
Have you ever wondered how auditors manage to keep track of all the records and notes?
Just a bunch of freshly released web3 security tools!
The Emergence of AI Agents
Github
awesome-oracle-manipulation
Crypto-OpSec-SelfGuard-RoadMap
Proxies, Upgradeable Smart Contracts and their Security
Hacks and Scams 🚨
DMM Exchange
Loss ~ $305M
The exploit occurred on May 31, 2024, resulting in a loss of 4,502.9 BTC, valued at approximately $304,529,100.
The breach occurred around 1:26 p.m. and involved unauthorized access to the exchange's wallet.
The root cause of the exploit is currently unknown.
The exploit may have involved a private key compromise or an exploitation of DMM’s signature services.
An address spoofing attack is another possible explanation, where the attacker mimicked a legitimate DMM address to deceive wallet operators.
The stolen funds were distributed to ten different bitcoin addresses in batches of 500 BTC.
DMM Bitcoin implemented measures to prevent further unauthorized access, including suspending new account openings, crypto asset withdrawals, and new buying orders for spot trading.
Withdrawals in Japanese yen may take longer than usual due to the incident.
Japan's Financial Services Agency has ordered DMM Bitcoin to investigate the breach and implement protective measures for customers.
The police have started their own investigation into the matter.
DMM Bitcoin assured customers that their Bitcoin deposits are fully guaranteed and will be covered by the exchange.
Velocore
Loss ~ $6.8M
Velocore experienced a security breach on June 2nd, 2024, resulting in financial losses of approximately $6.8 million in ETH.
The breach was due to vulnerabilities in the Balancer-style CPMM pool contract.
Niv from Hexagate reported the issue and facilitated communication with Velocore Mods.
Gal of Hypernative and Ironblock assisted in setting up a war room for investigation.
All volatile CPMM pools in Linea and zkSyncEra Velocore were affected, but no stable pools were impacted.
Telos Velocore shared the same vulnerabilities but mitigated the issue before exploitation.
Blade, a fork of Velocore using a simple XYK pool, was not affected by this vulnerability. The primary cause of the incident was faulty logic in the ‘velocore__execute()’ function of the ConstantProductPool. The ‘feeMultiplier’ variable's miscalculation allowed the ‘effectiveFee1e9’ to exceed 100%, causing logic malfunctions. There was potential for underflow during single-token withdrawals, leading to erroneous large deposits. The ‘velocore__execute()’ function did not verify whether the caller was the Vault, simplifying the exploit. The attacker used Tornado for funds, exploited the vulnerability, bridged funds with Across Bridge, and redeposited them into Tornado. The attacker used flash loans to manipulate LP tokens and pool sizes, leading to an abnormal minting of LP tokens. Community Spotlight QuillCon VC Dinner

Week 70 - peerDAS on electra, StarkWare’s ZK Scaling to Bitcoin, AI&ML for Web3, DMM Exchange Los...

GM! Buidlers
This issue of Hashingbit features a detailed writeup on Ethereum All Core Developers Consensus Call #134, highlighting the integration of peerDAS into Electra. It also covers StarkWare's plans to bring ZK scaling to both Bitcoin and Ethereum. The issue includes ecosystem updates on Solana, Aptos, and Polygon, as well as insights on AI & ML for Web3. Additionally, it provides developer tools for smart contract auditing and Solidity developers. Furthermore, it offers insights into how DMM Exchange was exploited for $305M and Velocore's loss of $6.8M due to a smart contract vulnerability.
EtherScope: Core Developments 👨‍💻
ENSv2: The Next Generation of ENS
Ethereum All Core Developers Consensus Call #134 Writeup - peerDAS is going into electra!
Ethereum futures hit record highs following spot ETF approval
Bolt – Enabling trustless pre-confirmations on Ethereum
Ethereum's UX Improvements
Dynamic Ethereum Roadmap
Potential process improvements for AllCoreDevs
The Ethereum Government: How Code Changes Are Made to the World’s Most Sprawling Blockchain
Layer 1 & Layer 2
Iota launched the mainnet of IOTA EVM, an EVM-compatible Layer 2 for the Iota network.
Fhenix: Building a Confidential Future for Ethereum
StarkWare plans to bring ZK scaling to Bitcoin alongside Ethereum
The current state of SNARKs
Layer 2s as cultural extensions of Ethereum - Vitalik
Introducing RISE pevm: EVM execution on steroids!
Rollup.wtf dashboard: L2 real-time performance showing TPS, MGas/s & KB/s
EIPs
EIP-7718: Portal Wire Protocol, a framework for discv5
EIP-7719: P2P History Network
EcoExpansions: Beyond Ethereum 🚀
Solana
Solana saw nearly half a million tokens launched last month
Solana To Ditch Token Burning and Divert 100% Of Priority Fees To Validators
Solana Staking Protocol Sanctum Announces $CLOUD Tokenomics
Polygon
Polygon Labs acquires Toposware, pushing total ZK investment to $1B
v2 of the Polygon Miden alpha testnet
QiDaoProtocol integrates $MAI on Polygon PoS
zapit_io integrates Polygon PoS, letting users on/offramp assets on their P2P exchange
Aptos
IONet and Aptos: Redefining AI Performance and Scale
Discussing Aptos Unity SDK: Simplified Logins & Transactions
Mereo Revolutionizes Fan Engagement with On-Chain Journeys on Aptos
Aptos Integrates Chainlink's CCIP and Data Feeds to Boost Decentralized App Development
DevToolkit: Essentials & Innovations 🛠️
Announcing Lita's Valida zkVM & C Compiler
Monomer SDK – Cosmos Tech on Ethereum Rollups
Compiler Fingerprinting in EVM Bytecode
Runtime Verification Simbolik: Solidity debugger VS Code extension, private beta
Tevm (TypeScript EVM toolkit): in browser devnet & Solidity scripting
Foundry adds Vyper support: deploy, test, debug & write scripts
Hardhat v2.22.5: adds limited support for blob transactions & hardhat-tracer reenabled
Slither v0.10.3: reduces false positives & improves performance
Snekmate (Vyper building blocks): module-friendly contracts, uses Vyper v0.4.0rc6
Prool: simulate local/bundler/indexer node over HTTP for TypeScript test runners, e.g. Vitest
EVMole: improved accuracy in function argument extraction
Explore the Depths of Knowledge: Research Papers, Blogs and Tweets 🔖
Twitter
Thoughts on Polygon Miden
Bringing transparency to DePIN token incentives
Evaluating token economics for DePINs: cost estimation
Can crypto help solve the walled garden challenges around data for AI products?
Proof of Virality - Some thoughts on socialfi, memecoins, and consumer crypto below.
Curious how Coinbase’s new smart wallet works?
Why are there so many L2s coming out? Do we need yet another chain? When will it all end?
Articles
How Would a Blockchain-Based Decentralized AI System Work?
Telegram-Based Wallet Bot Introduces Stricter KYC Rules
Electric Capital: 2024 Crypto Insights
EigenLayer: Intersubjective Faults, Token forking, bEIGEN & more
Real World Assets - All assets will move on-chain
Research Papers
Federated TrustChain: Blockchain-Enhanced LLM Training and Unlearning
FACOS: Enabling Privacy Protection Through Fine-Grained Access Control with On-chain and Off-chain System
Fantastyc: Blockchain-based Federated Learning Made Secure and Practical
Decentralized Physical Infrastructure Network (DePIN): Challenges and Opportunities
Blockchain-aided wireless federated learning: Resource allocation and client scheduling
Model-based Analysis of Mining Fairness in a Blockchain
Watch 🎥
Web3 Security Watch 🛡️
Articles
Decoding the Role of Artificial Intelligence in Metaverse and Web3
Simplifying & Understanding Real-World Assets
Ebury Botnet Expanding: Malware Continues to Steal Cryptocurrency
The Web3 Security Tool That CHANGES THE GAME — Glider Tutorial.
Research Papers
Fast and Secure Decentralized Optimistic Rollups Using Setchain
It Takes Two: A Peer-Prediction Solution for Blockchain Verifier's Dilemma
Stealing Trust: Unraveling Blind Message Attacks in Web3 Authentication
All Your Tokens are Belong to Us: Demystifying Address Verification Vulnerabilities in Solidity Smart Contracts
Twitter
Have you ever wondered how auditors manage to keep track of all the records and notes?
Just a bunch of freshly released web3 security tools!
The Emergence of AI Agents
Github
awesome-oracle-manipulation
Crypto-OpSec-SelfGuard-RoadMap
Proxies, Upgradeable Smart Contracts and their Security
Hacks and Scams 🚨
DMM Exchange
Loss ~ $305M
The exploit occurred on May 31, 2024, resulting in a loss of 4,502.9 BTC, valued at approximately $304,529,100.
The breach occurred around 1:26 p.m. and involved unauthorized access to the exchange's wallet.
The root cause of the exploit is currently unknown.
The exploit may have involved a private key compromise or an exploitation of DMM’s signature services.
An address spoofing attack is another possible explanation, where the attacker mimicked a legitimate DMM address to deceive wallet operators.
The stolen funds were distributed to ten different bitcoin addresses in batches of 500 BTC.
DMM Bitcoin implemented measures to prevent further unauthorized access, including suspending new account openings, crypto asset withdrawals, and new buying orders for spot trading.
Withdrawals in Japanese yen may take longer than usual due to the incident.
Japan's Financial Services Agency has ordered DMM Bitcoin to investigate the breach and implement protective measures for customers.
The police have started their own investigation into the matter.
DMM Bitcoin assured customers that their Bitcoin deposits are fully guaranteed and will be covered by the exchange.
Velocore
Loss ~ $6.8M
Velocore experienced a security breach on June 2nd, 2024, resulting in financial losses of approximately $6.8 million in ETH.
The breach was due to vulnerabilities in the Balancer-style CPMM pool contract.
Niv from Hexagate reported the issue and facilitated communication with Velocore Mods. Gal of Hypernative and Ironblock assisted in setting up a war room for investigation.
All volatile CPMM pools in Linea and zkSyncEra Velocore were affected, but no stable pools were impacted.
Telos Velocore shared the same vulnerabilities but mitigated the issue before exploitation.
Blade, a fork of Velocore using a simple XYK pool, was not affected by this vulnerability.
The primary cause of the incident was faulty logic in the ‘velocore__execute()’ function of the ConstantProductPool.
The ‘feeMultiplier’ variable's miscalculation allowed the ‘effectiveFee1e9’ to exceed 100%, causing logic malfunctions.
There was potential for underflow during single-token withdrawals, leading to erroneous large deposits.
The ‘velocore__execute()’ function did not verify whether the caller was the Vault, simplifying the exploit.
The attacker sourced funds from Tornado, exploited the vulnerability, bridged the proceeds via Across Bridge, and redeposited them into Tornado.
The attacker used flash loans to manipulate LP tokens and pool sizes, leading to an abnormal minting of LP tokens.
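As an added illustration, not Velocore's code and not a reconstruction of it, the hypothetical simplified pool below shows the three checks a reviewer would look for after reading the summary above: the swap entry point restricted to the Vault, the effective fee bounded before it enters the swap math, and single-token withdrawals validated against reserves so they cannot underflow. The contract and function names (HardenedCPMM, execute, withdrawSingle) and the 10% fee cap are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// @notice Hypothetical, simplified constant-product pool (not Velocore's code),
///         written to illustrate the defensive checks implied by the incident summary.
///         Token transfers are omitted; only the accounting is shown.
contract HardenedCPMM {
    uint256 internal constant FEE_DENOM = 1e9;   // fees are expressed in 1e9 units (1e9 == 100%)
    uint256 internal constant MAX_FEE_1E9 = 1e8; // hard cap chosen for the example: 10% of amountIn

    address public immutable vault;   // the only contract allowed to drive swaps and withdrawals
    uint256 public reserve0;
    uint256 public reserve1;
    uint256 public totalLp;
    uint256 public feeMultiplier = 1; // a runtime multiplier that must never push the fee past the cap

    error NotVault(address caller);
    error FeeOutOfRange(uint256 fee1e9);
    error InsufficientReserve(uint256 requested, uint256 available);
    error ZeroAmount();

    modifier onlyVault() {
        if (msg.sender != vault) revert NotVault(msg.sender);
        _;
    }

    constructor(address vault_) {
        vault = vault_;
    }

    /// @dev Bounded fee computation. A multiplier that would push the effective fee
    ///      past the cap (let alone past 100%) reverts here instead of corrupting the
    ///      downstream swap math.
    function effectiveFee1e9(uint256 baseFee1e9) public view returns (uint256 fee) {
        fee = baseFee1e9 * feeMultiplier;
        if (fee > MAX_FEE_1E9) revert FeeOutOfRange(fee);
    }

    /// @dev Swap entry point. Only the Vault may call it, so arbitrary callers cannot
    ///      invoke the pool's accounting directly.
    function execute(uint256 amountIn, uint256 baseFee1e9, bool zeroForOne)
        external
        onlyVault
        returns (uint256 amountOut)
    {
        if (amountIn == 0) revert ZeroAmount();
        uint256 fee = effectiveFee1e9(baseFee1e9);
        uint256 amountInAfterFee = amountIn - (amountIn * fee) / FEE_DENOM;

        uint256 rIn;
        uint256 rOut;
        if (zeroForOne) { rIn = reserve0; rOut = reserve1; } else { rIn = reserve1; rOut = reserve0; }

        // x * y = k: amountOut = rOut * dx / (rIn + dx); the fee stays in the pool.
        amountOut = (rOut * amountInAfterFee) / (rIn + amountInAfterFee);
        if (amountOut >= rOut) revert InsufficientReserve(amountOut, rOut);

        if (zeroForOne) { reserve0 += amountIn; reserve1 -= amountOut; }
        else            { reserve1 += amountIn; reserve0 -= amountOut; }
    }

    /// @dev Single-token withdrawal with explicit reserve checks. Without them, a
    ///      request larger than the reserve would either revert opaquely under 0.8.x
    ///      checked arithmetic or, inside an `unchecked` block, wrap to a huge value.
    function withdrawSingle(uint256 lpAmount, bool token0)
        external
        onlyVault
        returns (uint256 amountOut)
    {
        if (lpAmount == 0 || lpAmount > totalLp) revert InsufficientReserve(lpAmount, totalLp);
        uint256 reserve = token0 ? reserve0 : reserve1;
        amountOut = (reserve * lpAmount) / totalLp;
        if (amountOut > reserve) revert InsufficientReserve(amountOut, reserve);
        totalLp -= lpAmount;
        if (token0) reserve0 -= amountOut; else reserve1 -= amountOut;
    }
}
```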
Community Spotlight
QuillCon VC Dinner
Week 69 - Taiko Mainnet Launch, Uniswap & Across Cross-Chain Standard, Pessimistic Proof for the ...

GM! Buidlers
This issue of Hashingbit features the launch of Ethereum Layer 2 Taiko, new cross-chain standards from Uniswap Labs and Across, the introduction of PayPal USD on Solana, and Fantom's collaboration with Google Cloud. It also covers ZK security advancements for AggLayer and Atoma's AI tools on Sui. Additionally, it includes developer tools for smart contract auditing and Solidity developers, and highlights QuillAudit’s AI agents detecting vulnerabilities in the $NORMIE token.
EtherScope: Core Developments 👨‍💻
Ethereum Layer 2 Taiko goes live on mainnet
The problem with eip4337
Low Ethereum Gas Fees Inflate Supply By 50k ETH In One Month
Suave Proposal: Implementing EIP-712 for Confidential Compute Requests
Layer 1 & Layer 2
Vitalik Compares the L2 and Ethereum Sharding Visions
Upcoming Feature: Starknet Applicative Recursion (SNAR)
Introducing the Pessimistic Proof for the AggLayer: ZK Security for Cross-chain Interoperability
Introducing Kakarot Sepolia
StarkWare introduces ZKThreads: A canonical ZK sharding framework for dApps
All Core Developers Execution Call #188 Writeup
Unifying VMs with Blended Execution
Zeth Brings Validity Proofs to Optimism’s OP Stack
EIPs
EIP-7716: Anti-correlation attestation penalties
ERC-7683: Cross Chain Intent
ERCs
ERC-TBA: Deterministic AA wallet
ERC-x: Readable Typed Signatures for Smart Accounts
ERC-7715: Request Permissions from Wallets
EcoExpansions: Beyond Ethereum 🚀
Solana
LayerZero is live on Solana!
Solana validators voted to stop burning half the priority fee and will now keep 100% of it.
PayPal USD (PYUSD) is live on Solana!
Fantom
Opera Network Upgraded: Sonic Nodes Power 10,000 TPS and 1-Second Finality
Fantom Partners with Google Cloud to Boost Next-Gen dApp Development and Launch Validator
Polygon
Introducing the Pessimistic Proof for the AggLayer: ZK Security for Cross-chain Interoperability
Polygon Labs is using Succinct’s zkVM SP1 for building the AggLayer, their flagship interoperability protocol.
Sui
Atoma Enabling AI for Builders on Sui
Sui Overflow: Sui’s first global virtual hackathon
AUSD Stablecoin from AgoraDollar Launches on Sui, Enhancing Network Liquidity and Efficiency
DevToolkit: Essentials & Innovations 🛠️
Solidity v0.8.26: require with custom errors (via-IR only), Yul optimizer improved default sequence and JSON output format slightly changed
Clap: a Rust eDSL for PlonKish Proof Systems with a Semantics-preserving Optimizing Compiler
Batcher Contract on Aztec
Remix v0.49: RemixAI improvements & TOML syntax highlighting
Kontrol (formal verification) adds support for native Foundry cheatcode assertions
Snekmate (Vyper): adds Halmos symbolic tests for ERC20/721/1155 & math contracts
Ape-AWS: Ape plugin to use AWS Key Management Service & IAM access
Viem adds EIP4361 Sign-In with Ethereum support
EVM Diff: adds an all-chain comparison table to the existing side-by-side compare
micro-eth-signer v0.9: fetch account history & token balances from archive node, SSZ in 900 lines
Vacp2p stealth-address-kit v0.1: derived from ERC5564, Rust & C bindings
Explore the Depths of Knowledge: Research Papers, Blogs and Tweets 🔖
Twitter
12 examples of how Chainlink is powering the tokenization megatrend
Farcaster vs. Lens Protocol: A Deep Dive 🧵
Unlocking the Power of Stylus: A Game-Changer for Arbitrum and EVM
Some more up-to-date thoughts on the next hard fork after Cancun, Pectra
The Bitcoin L2 landscape
How do DEX aggregators actually work?
High FDV is not inherently bad.
Zero knowledge vs. Optimistic rollups
Advice for Builders Seeking Grants
Modular thesis comeback
Articles
How EigenLayer’s Restaking Enhances Security and Rewards in DeFi
Secure Voting on Blockchain with Zero-Knowledge Proofs (ZKPs)
Introducing the ENS L2
Atomicals Virtual Machine (#AVM) Whitepaper
A Two-Part Approach To Understanding Zk Coprocessors
Github Repos
Reusable workflows for GitHub Actions
Merkle Multiproof (Solidity): generate inputs for OpenZeppelin MerkleProof library for fuzz testing
Research Papers
A Dual-functional Blockchain Framework for Solving Distributed Optimization
On Fairness Concerns in the Blockchain Ecosystem
Collaborative Access Control for IoT -- A Blockchain Approach
The Writing is on the Wall: Analyzing the Boom of Inscriptions and its Impact on EVM-compatible Blockchains
Tools
Introducing Recon: Invariant Testing Made Easy.
EVM Diff adds cross-chain comparison.
Eth95.exe - An Instant UI for Smart Contracts.
GoAlert - Open source on-call scheduling, automated escalations, and notifications so you never miss a critical alert.
Watch 🎥
Web3 Security Watch 🛡️
Articles
Beginner’s Guide to Web3 Security: Guide to Avoiding Fake Wallets and Private Key/Mnemonic Phrase Compromises
How to Identify and Prevent Address Poisoning Attacks
Research Papers
DataSafe: Copyright Protection with PUF Watermarking and Blockchain Tracking
Remeasuring the Arbitrage and Sandwich Attacks of Maximal Extractable Value in Ethereum
Decentralized Virtual Research Environment: Empowering Peer-to-Peer Trustworthy Data Sharing and Collaboration
Twitter
Arguments Against FIT21
Zero Knowledge Proofs Use Cases
Malicious Aggr Chrome Extension
Investigation: $CAT meme team is connected to GCR's X.com hack last night
Introducing Trident - fuzz testing framework for Solana programs written in Anchor
Tools
Security Alliance - Drill Template - the tools that the SEAL Chaos Team uses to coordinate drills with protocol teams.
Simbolik: Solidity Debugger VS Code plugin by Runtime Verification.
Introducing shadow-reth
Introducing Open-Binius!
Hacks and Scams 🚨
NORMIE
Loss ~ $881K
The NORMIE memecoin on the Base network was exploited, resulting in a loss of 224.98 ETH (approx. $881,686).
Our QuillShield AI agent detected the same vulnerability in just one second.
The exploit was due to a smart contract vulnerability that allowed unauthorized minting of tokens.
The attacker used 2 ETH from the Sushi Router to swap for 171,955 NORMIE tokens, then matched the token deployer’s balance by swapping 5 million NORMIE tokens.
The vulnerable _get_premarket_user function added the attacker’s address to the premarket user list because its balance matched the team wallet's balance.
A flash loan of 11,333,141 NORMIE tokens was taken, with 9,066,513 swapped for 65.97 ETH to manipulate the token supply.
The remaining tokens were used in the Uniswap V2 pair and its skim function to withdraw assets.
Logic flaws in the _transfer and swapAndLiquify functions allowed the checks to be bypassed and additional tokens to be minted.
The token supply was inflated to 650 billion NORMIE tokens; the attacker profited 224.98 ETH (approx. $881,686).
The exploiter manipulated contract permissions, used a flash loan to drain the contract, bought tokens at no cost, and sold them.
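Added example, not the NORMIE contract: a hypothetical gate contract that places the balance-matching predicate the summary describes beside an explicit, owner-managed allowlist, to show why a privilege keyed on a public token balance cannot hold against a swapped or flash-loaned balance. The contract and function names (PremarketGate, isPremarketUserWeak, setPremarketUser, isPremarketUser) and the teamWallet field are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20Balance {
    function balanceOf(address account) external view returns (uint256);
}

/// @notice Hypothetical contract (not the NORMIE token) contrasting a
///         balance-derived authorization predicate with an explicit allowlist.
contract PremarketGate {
    IERC20Balance public immutable token;
    address public immutable owner;
    address public immutable teamWallet;

    mapping(address => bool) private _premarketUser;

    event PremarketUserSet(address indexed account, bool allowed);
    error NotOwner(address caller);

    constructor(IERC20Balance token_, address teamWallet_) {
        token = token_;
        owner = msg.sender;
        teamWallet = teamWallet_;
    }

    /// @dev WEAK: treats "holds the same balance as the team wallet" as proof of
    ///      membership. Balances are public state and can be moved to an arbitrary
    ///      value within a single transaction, so the predicate grants the
    ///      privilege to any address that reproduces the number.
    function isPremarketUserWeak(address account) public view returns (bool) {
        return token.balanceOf(account) == token.balanceOf(teamWallet);
    }

    /// @dev HARDENED: membership is an explicit fact set by the owner and emitted
    ///      on-chain, independent of any value an outsider can influence.
    function setPremarketUser(address account, bool allowed) external {
        if (msg.sender != owner) revert NotOwner(msg.sender);
        _premarketUser[account] = allowed;
        emit PremarketUserSet(account, allowed);
    }

    function isPremarketUser(address account) public view returns (bool) {
        return _premarketUser[account];
    }
}
```

A monitoring rule that alerts when the allowlist changes (the PremarketUserSet event) gives defenders the audit trail the balance-based check never could.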
Meta Dragon
Loss ~ $180k
Over 4000 NFTs were compromised in the MetaDragon hack on 28th May 2024, with community members losing approximately 2400 NFTs after deductions for the META fund and marketing.
The NFT contract remains insecure; users are advised to refrain from minting new NFTs.
Significant losses were incurred by community members, investors, and liquidity providers.
MetaDragon plans to compensate each NFT at a rate of "10,000 META + 0.15 BNB".
Total compensation amounts to approximately 24 million META and 360 BNB.
The compensation process will begin gradually with updates provided on progress.
Some partners and major holders have expressed willingness to postpone their claims, prioritizing the compensation of other members, which is deeply appreciated by the MetaDragon team.
Community Spotlight
QuillAudits at Consensus 2024
Week 67 - Ethereum Efficiency Boost, Base Chains on QuillCheck, Web3 Phone Numbers on Sui ?, Web3...

GM! Buidlers
This edition of Hashingbit covers important updates in the world of web3. Ethereum is getting a potential efficiency boost with Vitalik Buterin's proposed EIP-7706 for a new call data gas type. Developments are also underway at Solana and EigenLayer. Sui users will soon be able to claim their own Web3 phone numbers. QuillCheck is expanding its services to include Base Chain tokens, allowing users to evaluate the risks of new crypto tokens before investing. The newsletter also brings attention to new developer tools available in the web3 space, such as Immune-fi Terminal, Create Chimera App, eth-easy, and Metasleuth. Security remains a major concern, as highlighted by recent attacks on Sonne Finance ($20 million), Pump.fun ($1.9 million), and PiiPark (rugpull for $490,000). Hashingbit keeps you informed about the latest happenings in blockchain technology and security.
EtherScope: Core Developments 👨‍💻
Ethereum Ecosystem Value Prop
Ethereum has been increasingly inflationary for over a month as fees hit all-time low
Ethereum L2 Usage Surges
Ethereum gas under 5 gwei, the lowest daily average since February 2020
Why 4337 and 3074 authors are disagreeing, and who got it right
Vitalik Buterin drafts EIP-7706, proposing a new call data gas type for Ethereum
Paul O’Leary on how Polygon’s zkEVM will enhance Ethereum scalability
Ethereum account abstraction to catalyze crypto mass adoption
Grandine v0.4.0/1: optimizations, new attestations packer, in-memory mode, improved compatibility with other validator clients, integrations with Eth-docker & Ethereum on Arm
Geth v1.14.3: block processing & RPC API improvements
Etherscan: address poisoning attack explainer
Overview on based sequencing & preconfirmations
EIPs
EIP-7704 - Align incentives for access list provisioning
EIP-7706 - Separate gas type for calldata
EIP-7707 - Incentivize Access List Provisioning
EcoExpansions: Beyond Ethereum 🚀
Sui
The Move programming language on Sui incorporates three fundamental innovations
NetkiCorp Brings Digital Identity Verification Expertise to Sui, Enhancing Decentralized Financial Systems
ChainIDE Launches for SuiNetwork: Compile, Deploy, and Interact with Sui Move Contracts in Your Browser!
Claim your Web3 phone number – coming soon to Sui!
Eigen Layer
EigenLayer Opens Claims for Airdrop of EIGEN Token, Though It's Non-Transferable
EigenDA accepts staking delegations as Eigen token claims open
ICYMI - Check out Awesome AVS if you'd like to learn more about how to build on EigenLayer.
Omni Network: Using Eigenlayer to Unleash Ethereum Liquidity
EigenLayer Launches @buildoneigen for the Latest Ecosystem Updates!
Solana
Solana DEX Drift opens airdrop claims for 120 million tokens with bonus
Solana Devs, Wake Up! 🛠️🦀 Join the Free 6-Week Solana Bootcamp by @encodeclub Starting June 3rd!
Introducing Solana's First Liquidity Layer: The Evolution of Marginfi for Performant DeFi
Squads Validator is Now Live: Stake Your SOL Directly from the App
AgriDex & Solana Launch RWA Marketplace This Summer!
DevToolkit: Essentials & Innovations 🛠️
Forge-std v1.8.2: adds cheat codes including prompt, blobhashes & ensNamehash
Mastering Solidity: Control Structures And Error Handling
Solady (Solidity snippets): adds UpgradeableBeacon for ERC1967 beacon proxies
Frangio: Solidity compiler code generation for stack-based EVM & stack too deep errors
Viem experimental adds ERC6492 signature utilities
Slitherin (custom Slither detectors) v0.7.0: adds detectors for Arbitrum Chainlink sequencer uptime, read-only reentrancy with Balancer/Curve & price manipulation via token transfers
Betterscan: inspect verified contracts
Profiling Echidna found a memory leak in hevm
Guide to building a tracer using Geth for transactions involving a set of addresses
Etherscan converter tools: Base64, block & date, UTF-8 and method ID
Explore the Depths of Knowledge: Research Papers, Blogs and Tweets 🔖
Twitter
Types of Smart Contract Design Patterns
Secureum RACE #29: answers to 8-question Solidity quiz
Articles
Vitalik Proposes EIP-7702 for Externally Owned Accounts
Exploring Consensus With Parallel Proposals: The Difference Between PBFT and BBCA-Chain
Mastering the Final Boss in Blockchain Scalability: State Growth
No-Code Blockchain Development: Pros and Cons
Omni Network: Using Eigenlayer to Unleash Ethereum Liquidity
Using Ethereum to Understand the Protocol Economy
Research Papers
Temporarily Restricting Solidity Smart Contract Interactions
T-Watch: Towards Timed Execution of Private Transaction in Blockchains
Cross-Blockchain Communication Using Oracles With an Off-Chain Aggregation Mechanism Based on zk-SNARKs
Permissioned Blockchain-based Framework for Ranking Synthetic Data Generators
BitVMX: A CPU for Universal Computation on Bitcoin
Implementation Study of Cost-Effective Verification for Pietrzak's Verifiable Delay Function in Ethereum Smart Contracts
Tools
eth easy! - easy-to-use, flexible, and blazing-fast toolkit that helps accelerate Ethereum development by 0xrusowsky. Recent features include ABI encoding/decoding and call data debugging. Very cool!
MetaSleuth adds support for Solana.
Watch 🎥
Web3 Security Watch 🛡️
Articles
Reentrancy attacks in smart contracts explained
Verifiable Compute: Scaling Trust with Cryptography
Cosmos IBC Reentrancy Infinite Mint
Blast Integration Bugs - Part 1
Hamburger Factory Validity
Research Papers
StateGuard: Detecting State Derailment Defects in Decentralized Exchange Smart Contract
BeACONS: A Blockchain-enabled Authentication and Communications Network for Scalable IoV
An Approach for Decentralized Authentication in Networks of UAVs
Foundational Verification of Smart Contracts through Verified Compilation
Twitter
Web3 Phishing Attacks you must know about
Tools
Immunefi-terminal - The only crypto bug bounty terminal you'll ever need by shortdoom.
Create Chimera App - The Foundry template allows you to bootstrap a fuzz testing suite using a scaffolding provided by the Recon tool by Recon-Fuzz. It extends the default Foundry template used when running forge init to include example property tests using assertion tests and boolean property tests supported by Echidna and Medusa.
Hacks and Scams 🚨
Sonne Finance
Loss ~ $20M
Hackers stole $20 million in cryptocurrency from Sonne Finance on May 14th.
Hackers targeted USD Coin (USDC), Wrapped Ether (WETH), Velo (VELO), soVELO and Wrapped USDC (USDC.e).
Sonne Finance paused operations and is investigating ways to recover funds, including a bug bounty.
The hacker seems uninterested in negotiations and is moving stolen funds.
The hack exploited a known bug in Sonne's Compound v2 forks.
Sonne Finance is criticized for using the known vulnerable code.
Pump.fun
Loss ~ $1.9M
A former employee exploited pump.fun, a platform for creating Solana meme coins, resulting in a loss of nearly $2 million through a "bonding curve" attack.
The exploit involved the ex-employee leveraging their insider access to compromise the platform's internal systems.
Approximately $1.9 million was stolen out of a total of $45 million held in pump.fun’s bonding curve contracts.
Trading on the platform was temporarily halted but has since resumed, with assurances that the smart contracts remain secure.
To carry out the attack, the exploiter utilized flash loans on a Solana lending protocol to borrow tokens, which were then used to inflate the bonding curve.
A user named "STACCoverflow" is suspected to be involved, as hinted in cryptic posts suggesting foreknowledge of the incident.
Pii Park
Loss ~ $490K
A project called Pii Park (different from others with similar names) has likely run an exit scam.
Their token's value plummeted by around 99%, indicating a potential rug pull.
Investors lost approximately $490,000 throughout the project's existence.
Avoid rug pulls with QuillCheck's easy token safety checks on multiple chains. Visit QuillCheck
Predy Finance
Loss ~ $464K
Hackers exploited a vulnerability on Predy Finance on Arbitrum, stealing ~$464,000.
Predy Finance is a DEX for perpetual trading and token swaps.
The exploit was due to a lack of access control in a function allowing anyone to add trading pairs.
Hackers added a fake pair, deposited funds, and then withdrew everything.
Some stolen funds (~$304,640) were bridged to Ethereum Mainnet.
Predy Finance acknowledged the exploit and offered a 10% bounty to return the funds.
They also disabled the vulnerable functions and advised users to revoke access.
Community Spotlight

Week 67 - Ethereum Efficiency Boost, Base Chains on QuillCheck, Web3 Phone Numbers on Sui ?, Web3...

GM! Buidlers
This edition of HashingBits covers important updates in the world of web3. Ethereum is getting a potential efficiency boost with Vitalik Buterin's proposed EIP-7706, which introduces a separate gas type for call data. Developments are also underway at Solana and EigenLayer. Sui users will soon be able to claim their own Web3 phone numbers. QuillCheck is expanding its services to include Base Chain tokens, allowing users to evaluate the risks of new crypto tokens before investing. The newsletter also brings attention to new developer tools available in the web3 space, such as Immunefi Terminal, Create Chimera App, eth easy! and MetaSleuth. Security remains a major concern, as highlighted by recent attacks on Sonne Finance ($20 million), Pump.fun ($1.9 million) and Pii Park (a rug pull for $490,000). HashingBits keeps you informed about the latest happenings in blockchain technology and security.
EtherScope: Core Developments 👨‍💻
Ethereum Ecosystem Value Prop
Ethereum has been increasingly inflationary for over a month as fees hit all-time low
Ethereum L2 Usage Surges
Ethereum gas under 5 gwei, the lowest daily average since February 2020
Why 4337 and 3074 authors are disagreeing, and who got it right
Vitalik Buterin drafts EIP-7706, proposing a new call data gas type for Ethereum
Paul O’Leary on how Polygon’s zkEVM will enhance Ethereum scalability
Ethereum account abstraction to catalyze crypto mass adoption
Grandine v0.4.0/1: optimizations, new attestations packer, in-memory mode, improved compatibility with other validator clients, integrations with Eth-docker & Ethereum on Arm
Geth v1.14.3: block processing & RPC API improvements
Etherscan: address poisoning attack explainer
Overview on based sequencing & preconfirmations
EIPs
EIP-7704 - Align incentives for access list provisioning
EIP-7706 - Separate gas type for calldata
EIP-7707 - Incentivize Access List Provisioning
EcoExpansions: Beyond Ethereum 🚀
Sui
The Move programming language on Sui incorporates three fundamental innovations
NetkiCorp Brings Digital Identity Verification Expertise to Sui, Enhancing Decentralized Financial Systems
ChainIDE Launches for SuiNetwork: Compile, Deploy, and Interact with Sui Move Contracts in Your Browser!
Claim your Web3 phone number – coming soon to Sui!
Eigen Layer
EigenLayer Opens Claims for Airdrop of EIGEN Token, Though It's Non-Transferable
EigenDA accepts staking delegations as Eigen token claims open
ICYMI - Check out Awesome AVS if you'd like to learn more about how to build on EigenLayer.
Omni Network: Using Eigenlayer to Unleash Ethereum Liquidity
EigenLayer Launches @buildoneigen for the Latest Ecosystem Updates!
Solana
Solana DEX Drift opens airdrop claims for 120 million tokens with bonus
Solana Devs, Wake Up! 🛠️🦀 Join the Free 6-Week Solana Bootcamp by @encodeclub Starting June 3rd!
Introducing Solana's First Liquidity Layer: The Evolution of Marginfi for Performant DeFi
Squads Validator is Now Live: Stake Your SOL Directly from the App
AgriDex & Solana Launch RWA Marketplace This Summer!
DevToolkit: Essentials & Innovations 🛠️
Forge-std v1.8.2: adds cheat codes including prompt, blobhashes & ensNamehash
Mastering Solidity: Control Structures And Error Handling
Solady (Solidity snippets): adds UpgradeableBeacon for ERC1967 beacon proxies
Frangio: Solidity compiler code generation for stack-based EVM & stack too deep errors
Viem experimental adds ERC6492 signature utilities
Slitherin (custom Slither detectors) v0.7.0: adds detectors for Arbitrum Chainlink sequencer uptime, read-only reentrancy with Balancer/Curve & price manipulation via token transfers
Betterscan: inspect verified contracts
Profiling Echidna found a memory leak in hevm
Guide to building a tracer using Geth for transactions involving a set of addresses
Etherscan converter tools: Base64, block & date, UTF-8 and method ID
Explore the Depths of Knowledge: Research Papers, Blogs and Tweets🔖
Twitter
Types of Smart Contract Design Patterns
Secureum RACE #29: answers to the 8-question Solidity quiz
Articles
Vitalik Proposes EIP-7702 for Externally Owned Accounts
Exploring Consensus With Parallel Proposals: The Difference Between PBFT and BBCA-Chain
Mastering the Final Boss in Blockchain Scalability: State Growth
No-Code Blockchain Development: Pros and Cons
Omni Network: Using Eigenlayer to Unleash Ethereum Liquidity
Using Ethereum to Understand the Protocol Economy
Research Papers
Temporarily Restricting Solidity Smart Contract Interactions
T-Watch: Towards Timed Execution of Private Transaction in Blockchains
Cross-Blockchain Communication Using Oracles With an Off-Chain Aggregation Mechanism Based on zk-SNARKs
Permissioned Blockchain-based Framework for Ranking Synthetic Data Generators
BitVMX: A CPU for Universal Computation on Bitcoin
Implementation Study of Cost-Effective Verification for Pietrzak's Verifiable Delay Function in Ethereum Smart Contracts
Tools
eth easy! - an easy-to-use, flexible, and blazing-fast toolkit by 0xrusowsky that helps accelerate Ethereum development. Recent features include ABI encoding/decoding and call data debugging. Very cool!
MetaSleuth adds support for Solana.
Watch🎥
Web3 Security Watch 🛡️
Articles
Reentrancy attacks in smart contracts explained
Verifiable Compute: Scaling Trust with Cryptography
Cosmos IBC Reentrancy Infinite Mint
Blast Integration Bugs - Part 1
Hamburger Factory Validity
Research Papers
StateGuard: Detecting State Derailment Defects in Decentralized Exchange Smart Contract
BeACONS: A Blockchain-enabled Authentication and Communications Network for Scalable IoV
An Approach for Decentralized Authentication in Networks of UAVs
Foundational Verification of Smart Contracts through Verified Compilation
Twitter
Web3 Phishing Attacks you must know about
Tools
Immunefi-terminal - The only crypto bug bounty terminal you'll ever need by shortdoom.
Create Chimera App - The Foundry template allows you to bootstrap a fuzz testing suite using a scaffolding provided by the Recon tool by Recon-Fuzz. It extends the default Foundry template used when running forge init to include example property tests using assertion tests and boolean property tests supported by Echidna and Medusa.
Hacks and Scams 🚨
Sonne Finance
Loss ~ $20M
Hackers stole $20 million in cryptocurrency from Sonne Finance on May 14th.
Hackers targeted USD Coin (USDC), Wrapped Ether (WETH), Velo (VELO), soVELO and Wrapped USDC (USDC.e).
Sonne Finance paused operations and is investigating ways to recover funds, including a bug bounty.
The hacker seems uninterested in negotiations and is moving stolen funds.
The hack exploited a bug already known in Compound v2 forks, which Sonne's contracts are based on.
Sonne Finance has been criticized for deploying code with this known vulnerability.
Pump.fun
Loss ~ $1.9M
A former employee exploited pump.fun, a platform for creating Solana meme coins, resulting in a loss of nearly $2 million through a "bonding curve" attack.
The exploit involved the ex-employee leveraging their insider access to compromise the platform's internal systems.
Approximately $1.9 million was stolen out of a total of $45 million held in pump.fun’s bonding curve contracts.
Trading on the platform was temporarily halted but has since resumed, with assurances that the smart contracts remain secure.
To carry out the attack, the exploiter utilized flash loans on a Solana lending protocol to borrow tokens, which were then used to inflate the bonding curve.
A user named "STACCoverflow" is suspected to be involved, as hinted in cryptic posts suggesting foreknowledge of the incident.
Pii Park
Loss ~$490K
A project called Pii Park (different from others with similar names) has likely run an exit scam.
Their token's value plummeted by around 99%, indicating a potential rug pull.
Investors lost approximately $490,000 over the project's existence.
Avoid rug pulls with QuillCheck's easy token safety checks on multiple chains.
Visit QuillCheck
Predy Finance
Loss ~$464K
Hackers exploited a vulnerability on Predy Finance on Arbitrum, stealing ~$464,000.
Predy Finance is a DEX for perpetual trading and token swaps.
The exploit was due to a lack of access control in a function allowing anyone to add trading pairs.
Hackers added a fake pair, deposited funds, and then withdrew everything.
Some stolen funds (~$304,640) were bridged to Ethereum Mainnet.
Predy Finance acknowledged the exploit and offered a 10% bounty to return the funds.
They also disabled the vulnerable functions and advised users to revoke access.
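The access-control gap described above, shown as an added example that is not Predy Finance's code. The first contract has the defect class the summary names, a pair-registration function with no caller check of any kind; the second restricts registration to an admin and to allowlisted tokens and logs every change so monitoring can alert on unexpected pairs. A Foundry test (assuming forge-std is installed) confirms that the vulnerable registry accepts an arbitrary caller and the hardened one rejects both a non-admin caller and an unlisted token. All contract, function, error and token names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Added illustration, not Predy Finance's code; every name here is hypothetical.

struct Pair {
    address baseToken;
    address quoteToken;
    bool active;
}

/// Vulnerable shape: the registry trusts whoever calls addPair, so any account can
/// register a pair backed by tokens it controls and the protocol then treats it as real.
contract PairRegistryVulnerable {
    mapping(uint256 => Pair) public pairs;
    uint256 public pairCount;

    event PairAdded(uint256 indexed id, address base, address quote, address by);

    function addPair(address base, address quote) external returns (uint256 id) {
        id = ++pairCount;                      // no caller check of any kind
        pairs[id] = Pair(base, quote, true);
        emit PairAdded(id, base, quote, msg.sender);
    }
}

/// Hardened shape: a single admin registers pairs, only allowlisted tokens are
/// accepted, and every change is logged so monitoring can alert on unexpected pairs.
contract PairRegistryHardened {
    address public immutable admin;
    mapping(address => bool) public allowedToken;
    mapping(uint256 => Pair) public pairs;
    uint256 public pairCount;

    event PairAdded(uint256 indexed id, address base, address quote, address by);
    event TokenAllowed(address indexed token, bool allowed);

    error NotAdmin();
    error TokenNotAllowed(address token);

    modifier onlyAdmin() {
        if (msg.sender != admin) revert NotAdmin();
        _;
    }

    constructor(address admin_) {
        admin = admin_;
    }

    function setTokenAllowed(address token, bool allowed) external onlyAdmin {
        allowedToken[token] = allowed;
        emit TokenAllowed(token, allowed);
    }

    function addPair(address base, address quote) external onlyAdmin returns (uint256 id) {
        if (!allowedToken[base]) revert TokenNotAllowed(base);
        if (!allowedToken[quote]) revert TokenNotAllowed(quote);
        id = ++pairCount;
        pairs[id] = Pair(base, quote, true);
        emit PairAdded(id, base, quote, msg.sender);
    }
}

/// Foundry test: the vulnerable registry accepts an arbitrary caller; the hardened
/// one rejects the same call from a non-admin and an unlisted token from the admin.
contract PairRegistryTest is Test {
    address admin = address(0xA11CE);
    address attacker = address(0xBAD);
    address usdc = address(0x1);        // constructed stand-in token addresses
    address weth = address(0x2);
    address fakeToken = address(0xF00D);

    function testVulnerableAcceptsAnyCaller() public {
        PairRegistryVulnerable reg = new PairRegistryVulnerable();
        vm.prank(attacker);
        uint256 id = reg.addPair(fakeToken, usdc);
        assertEq(id, 1);
    }

    function testHardenedRejectsNonAdminAndUnlistedToken() public {
        PairRegistryHardened reg = new PairRegistryHardened(admin);
        vm.startPrank(admin);
        reg.setTokenAllowed(usdc, true);
        reg.setTokenAllowed(weth, true);
        vm.stopPrank();

        vm.prank(attacker);
        vm.expectRevert(PairRegistryHardened.NotAdmin.selector);
        reg.addPair(usdc, weth);

        vm.prank(admin);
        vm.expectRevert(abi.encodeWithSelector(PairRegistryHardened.TokenNotAllowed.selector, fakeToken));
        reg.addPair(fakeToken, usdc);

        vm.prank(admin);
        assertEq(reg.addPair(usdc, weth), 1);
    }
}
```

The allowlist matters as much as the modifier: an admin key can be phished or leaked, and a token allowlist plus emitted events give an on-chain monitor something concrete to alert on when a pair appears that governance never approved.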
Community Spotlight

Week 66 - Vitalik's EIP 7702 Update, Polygon's ZK Testnet, Polkadot's Asynchronous Backing, Carpe...

GM! Buidlers
In this edition of Hashingbit, we explore several critical updates in the Web3 ecosystem. Discover Vitalik Buterin's latest proposals, including a novel efficiency-boosting method, multidimensional gas pricing, and the major update EIP 7702 for externally owned accounts. The Ethereum community also welcomes EIP-3074, designed to enhance crypto wallet usability. In other ecosystem news, Polygon tests its ZK-based Ethereum scaling solution Miden, Arbitrum launches Millicent One to merge traditional finance with DeFi, and Polkadot introduces asynchronous backing to improve network performance. Additionally, we review the Carpediem Pension Smart Contract audit by QuillAudits and report on significant security breaches, including a $71M WBTC Loot and a $1.27M loss in GnusAi on the Fantom chain. Keep informed with Hashingbits, your essential resource for the latest in blockchain technology and security updates.
EtherScope: Core Developments 👨‍💻
Vitalik Buterin proposes method to increase Ethereum capacity
Ethereum Developers Target Ease of Crypto Wallets With 'EIP-3074'
Vitalik Buterin Proposes ‘Multidimensional Gas Pricing’ For Ethereum
EIP List for peerdas-devnet-0
Pectra Interop Testing Requirement Tracker
Pectra-devnet-0: plan to launch in ~5 days, client teams making good progress, attestation refactoring for EIP7549 taking extra time
ERCs
ERC-7280: NFT Metadata Extension like JSON-LD
ERC-7699: Soul Resonance Token
EIPs
EIP-7701: Native Account Abstraction with EOF
EIP-7702: Set EOA account code for one transaction
EIP-7703: Increase call data cost
EIP-7705: NONREENTRANT and REENTRANT opcodes
EcoExpansions: Beyond Ethereum 🚀
Polygon
Polygon launches ZK-based Ethereum scaling solution Miden on testnet
Espresso Systems Collaborates With Polygon Labs To Develop AggLayer For Enhancing Rollup Interoperability
Polygon ranks 1st with more than 19.6 million contracts deployed in the last 180 days.
Seeking Seasoned Grant Allocators: Join the Polygon Community Grants Program!
Polygon DeFi 101: What Are Smart Contracts and How Will They Work in an Aggregated Network?
Arbitrum
Arbitrum surpasses $150 billion in total transaction volume on Uniswap
Introducing Millicent One: Bridging TradFi and DeFi with Arbitrum's Support!
ALIENX and Anomaly Games join the Arbitrum Ecosystem
Arbitrum Stylus Floats Giga Update
Introducing inEVM: Revolutionizing Interoperability with Injective, Cosmos, and Arbitrum Orbit
Polkadot
Polkadot rolls out asynchronous backing to boost network efficiency and transaction speed
OpenZeppelin Launches Polkadot Runtime Templates for Blockchain Projects
Pendzl: Transforming Blockchain Development with Enhanced Ink! Smart Contracts
Polkadot Introduces Asynchronous Backing, Paving the Way for Polkadot 2.0
DevToolkit: Essentials & Innovations 🛠️
EIP5792 site (wallet call API): API reference, capabilities & ecosystem support
Wagmi v2.8.0: adds experimental EIP5792 actions & hooks
Reth Execution Extensions (ExEx): post-execution hooks for building offchain infrastructure
Introducing the Helius Rust SDK
The go-ethereum live tracer
ERC420 - a tokenized multisig vault
wFRIEND POC - bypassing Friend.tech's 3% embedded DEX fees
Releasing Reth Execution Extensions
CreateX now deployed (and verified) on 70 EVM chains
Explore the Depths of Knowledge: Research Papers, Blogs and Tweets🔖
Twitter
Vitalik released EIP-7702 - a new alternative to EIP-3074
How to Raise the Gas Limit, Part 2: History Growth
Implications of EIP-3074 inclusion
Why 4337 and 3074 authors are disagreeing, and who got it right
Overview of Solana's Liquid Staking Market
Structuring Blobspace Futures for Fun and Profit
Liquid crypto is the biggest untapped investable segment for crypto funds
Understanding the Berachain Governance Token (BGT)
Articles
Mastering Solidity: A Comprehensive Guide to Contracts
EIP-3074 and Maintaining Permissionless Innovation
Horizontal vs Vertical Scaling: The New Modular vs Monolithic
The Power of Eigen Token
How to tokenize real-world assets (RWAs)
Unlocking Decentralized AI’s Potential with Morpheus AI by Chris Sotraidis
Opepen v0.2: Decentralizing Curation by LJW
What Tokens Are & What Tokens Aren’t
Research Papers
Advancing Blockchain Scalability: A Linear Optimization Framework for Diversified Node Allocation in Shards
Blockchains for Internet of Things: Fundamentals, Applications, and Challenges
Fully Automated Selfish Mining Analysis in Efficient Proof Systems Blockchains
CAKE: Sharing Slices of Confidential Data on Blockchain
MBCT: A Monero-Based Covert Transmission Approach with On-chain Dynamic Session Key Negotiation
TetraBFT: Reducing Latency of Unauthenticated, Responsive BFT Consensus
Watch🎥
Web3 Security Watch 🛡️
Articles
Top 3 Multi-Chain Security Issues
Decoding Pike Finance Exploit
How AI Can Help Detect Money Laundering and Enhance Blockchain Security
Web3 Security: Dangers & Precautions To Take
Research Papers
Enhancing Data Integrity and Traceability in Industry Cyber-Physical Systems (ICPS) through Blockchain Technology: A Comprehensive Approach
PoW Security-Latency under Random Delays and the Effect of Transaction Fees
WALLETRADAR: Towards Automating the Detection of Vulnerabilities in Browser-based Cryptocurrency Wallets
A2-DIDM: Privacy-preserving Accumulator-enabled Auditing for Distributed Identity of DNN Model
Enabling Privacy-Preserving and Publicly Auditable Federated Learning
Stochastic behaviour of an n-node blockchain under cyber attacks from multiple hackers with random re-setting times
Distributed Estimation in Blockchain-aided Internet of Things in the Presence of Attacks
Twitter
Carpediem Pension Audit Case Study
Vulnerability Report: Binance PoR Dummy User Attack
Introducing Bounty.vision
Hacks and Scams 🚨
WBTC Loot
Loss ~ $71M
Over $71 million worth of wrapped bitcoin (WBTC) was lost in an address poisoning attack.
The victim transferred 1,155 WBTC ($71.1 million) to the alleged attacker.
The attack was executed through the creation of a fake wallet address resembling the victim's.
The attacker spammed the victim with numerous transactions to increase the chance of an address copy error.
The attacker's address is now labeled "fake" and "phishing" on Etherscan.
Wrapped bitcoin (WBTC) is an ERC-20 token pegged 1:1 with bitcoin for use in the Ethereum ecosystem.
WBTC traded at $61,644.23 at 11:13 a.m. ET on May 3, with a 3.95% increase in the past 24 hours.
In poisoning attacks, attackers often mimic the first and last digits of the victim's wallet address.
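The check the last point implies, as an added example that is not from the page or from any named project: a Solidity transfer guard for a smart-contract wallet that keeps an owner-maintained address book and flags a recipient that matches a known contact on its first and last hex characters but is not that contact, which is exactly the shape a poisoned lookalike address is built to have. All names are hypothetical and the Foundry test assumes forge-std; the addresses in the test are constructed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Added illustration, not from the page; all names are hypothetical. A transfer guard
// for a smart-contract wallet: it keeps an owner-maintained address book and flags a
// recipient that matches a contact on the leading and trailing hex characters but is
// not that contact, the shape an address-poisoning lookalike is built to have.

library AddressShape {
    /// True when the first and last `nibbles` hex characters of `a` and `b` agree.
    function sameEnds(address a, address b, uint256 nibbles) internal pure returns (bool) {
        require(nibbles > 0 && nibbles <= 20, "bad width");
        uint256 x = uint160(a);
        uint256 y = uint160(b);
        uint256 bits = 4 * nibbles;
        uint256 lowMask = (uint256(1) << bits) - 1;
        uint256 shift = 160 - bits;
        return (x >> shift) == (y >> shift) && (x & lowMask) == (y & lowMask);
    }
}

contract LookalikeGuard {
    uint256 public constant MATCH_NIBBLES = 4; // compare 4 leading + 4 trailing hex chars

    address public immutable owner;
    mapping(address => bool) public isContact;
    address[] private contacts;

    error NotOwner();
    error LookalikeRecipient(address recipient, address resembles);

    constructor() {
        owner = msg.sender;
    }

    function addContact(address contact) external {
        if (msg.sender != owner) revert NotOwner();
        if (!isContact[contact]) {
            isContact[contact] = true;
            contacts.push(contact);
        }
    }

    /// Returns the contact that `to` resembles, or address(0) when `to` is either an
    /// exact contact or resembles none. Linear scan: address books are small.
    function lookalikeOf(address to) public view returns (address) {
        if (isContact[to]) return address(0);
        for (uint256 i = 0; i < contacts.length; i++) {
            if (AddressShape.sameEnds(to, contacts[i], MATCH_NIBBLES)) return contacts[i];
        }
        return address(0);
    }

    /// Intended to run before a transfer is executed; reverts on a suspicious recipient.
    function checkRecipient(address to) external view {
        address resembles = lookalikeOf(to);
        if (resembles != address(0)) revert LookalikeRecipient(to, resembles);
    }
}

/// Foundry test with constructed addresses: same 4 leading and 4 trailing hex chars
/// with a different middle is flagged; an address with a different prefix is not.
contract LookalikeGuardTest is Test {
    function testFlagsLookalikeOnly() public {
        LookalikeGuard guard = new LookalikeGuard();
        address contact = address((uint160(0x1234) << 144) | uint160(0xABCD));
        address poisoned = address((uint160(0x1234) << 144) | (uint160(0xDEAD) << 80) | uint160(0xABCD));
        address unrelated = address((uint160(0x9999) << 144) | uint160(0xABCD));

        guard.addContact(contact);
        assertEq(guard.lookalikeOf(poisoned), contact);
        assertEq(guard.lookalikeOf(unrelated), address(0));
        assertEq(guard.lookalikeOf(contact), address(0));
    }
}
```

MATCH_NIBBLES is a tuning knob: four characters at each end is what most wallet UIs display, so it is the width an attacker targets, but a wallet that truncates differently should match what its own interface shows. The guard only protects recipients that resemble a saved contact, so the address book has to be populated from verified sources, never by copying an address out of transaction history.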
GnusAi
Loss ~$1.27M
A token-minting exploit hit the Genius AI (GNUS) network on May 5, resulting in a $1.27 million loss and highlighting ongoing challenges in blockchain security.
The attacker accessed a private GNUS team account starting with 0x18.
The attacker obtained the salt data used for token creation, allowing the minting of 100 million fake GNUS tokens.
The fake GNUS tokens were bridged to Ethereum and sold on the market.
The hack occurred via a breach of the team's private Discord communications.
GNUS CEO "SuperGenius" confirmed the hack and Discord vulnerability.
GNUS will release a new token version and has warned users against buying the old one.
The compensation plan includes $500,000 worth of Ether deposited into the liquidity pool for the new tokens.
The remaining $500,000 compensation is locked until February 2025.
Community Spotlight
Article
Week 65 - Pike Hacks Highlight Audit Needs, Vitalik's Security Tips, Starknet & Polygon Innovatio...
GM! Buidlers
In this edition of Hashingbit, we explore key developments within the web3 ecosystem. Learn about Vitalik Buterin's preference for multisig security, which he argues is simpler and more reliable than Shamir's backup. We also cover Ethereum's recent overtaking of Solana in DEX trading volume, signalling a significant shift in decentralized trading dynamics. Updates from Starknet, Solana, Polygon, Polkadot, and Eigen Layer are highlighted, focusing on their latest technological advancements and strategic expansions. This issue also addresses recent security incidents, including a $1.68M compromise at Pike Finance and a $181K exploit at Yield Protocol. Additionally, we recap the QuillAudits event in Dubai. Stay informed with Hashingbits, your comprehensive source for blockchain technology updates and security news.
EtherScope: Core Developments 👨‍💻
Ethereum All Core Devs Call #186 Summary - Christine Kim
Ethereum Foundation Wants To Use AI to De-Risk ETH Ecosystem
Azuki NFTs on Ethereum doubled in value in a month, with daily sales of over $1.1M, lifting the market cap to $146.78M, driven by recent project efforts.
Ethereum’s Buterin advocates multisig, says Shamir backup is ‘way easier to screw up’
Ethereum overtakes Solana by DEX trading volume
ether.fi Joins THENA to Accelerate Ethereum’s Decentralization
Building Ethereum MEV Bots for Profit and Innovation
Ethereum Staking Weekly Report
Franklin Templeton lists Ethereum ETF on DTCC
Ethereum transaction fees overtake Bitcoin as Runes speculation subsides
zkSharding for Ethereum
ERCs
ERC-6229 - Tokenized Vaults with Lock-in Period
ERC-7700 - Cross-chain Storage Router Protocol
EIPs
EIP-7699 - Soul Resonance Token
EIP-7569 - Hardfork Meta - Dencun
EcoExpansions: Beyond Ethereum 🚀
Starknet
Blobstream Starknet Project Enables Celestia DA for Developer-Built Starknet Appchains
The Integrity verifier: A leap toward Starknet hyperscaling
Solana
Jito becomes the largest protocol on Solana with $1.4 billion in TVL
Supporting Validators: Updates to the Solana Foundation Delegation Program
Sanctum, an algorithmic liquid staking protocol on Solana, Launches iceSOL
Polygon
Polygon leads in EVM efficiency as DeFi users favour low transaction costs
Polygon PoS Validator Spotlight: Meria
Polkadot
Polkadot parachain Peaq receives major migrations from decentralized mapping projects
Polkadot Ecosystem’s Daily active addresses hit an all-time high of 514,000
Eigen Layer
Eigen Foundation increased EIGEN airdrop by 100 tokens and clarified investor tokens unlock after September 30th to address community concerns.
The technical whitepaper on universal intersubjective staking is here.
DevToolkit: Essentials & Innovations 🛠️
How to Send User Operations using AA-SDK
Integrate Embedded Accounts in your app with these simplified React hooks
How Do I Get Started Becoming a Solidity Dev?
Securing Smart Contracts: A Dev's Guide, Part I
3074 Hosted Devnet
Block Builder Bids Poller
Unconventional Functional Solidity
Explore the Depths of Knowledge: Research Papers, Blogs and Tweets🔖
Twitter
Analysis of 18 Past Airdrops
EIGEN Universal Intersubjective Work token explained
Binius: highly efficient proofs over binary fields - Vitalik
Articles
Voter Behavior in Blockchain Governance: A Comparative Study of Curve Finance and Polkadot
Solidity Memory Types In Depth: Part 1
Slashing Proofoor - On-chain slashed validator proofs
Research Papers
Web3 and the State: Indian state's redescription of blockchain
TRAC: a tool for data-aware coordination (with an application to smart contracts)
Machine Learning for Blockchain Data Analysis: Progress and Opportunities
Decentralized Peer Review in Open Science: A Mechanism Proposal
Decentralization of Ethereum's Builder Market
Watch🎥
Web3 Security Watch 🛡️
Articles
Unveiling a New Scam: Malicious Modification of RPC Node Links to Steal Assets
Decoding Pike Finance Exploit
5 Mistakes that are Compromising Your Crypto Wallet Security
NGFS Token Hack Analysis
Research
Static Application Security Testing (SAST) Tools for Smart Contracts: How Far Are We?
Solvent: liquidity verification of smart contracts
Improving Smart Contract Security with Contrastive Learning-based Vulnerability Detection
A Blockchain-Based Audit Mechanism for Trust and Integrity in IoT-Fog Environments
Tweets
Finding a Viper in the curved lawn
The pitfalls of EIP-3074, and how to avoid them
ZachXBT: How Lazarus Group laundered $200M from 25+ crypto hacks to fiat from 2020–2023
Tools
RugCheck - RugCheck is the ultimate tool for ensuring the safety, analysis, and transparency of #Solana tokens. It thoroughly checks the contracts on #Solana to make sure you steer clear of any potential rugs.
Hacks and Scams 🚨
Pike Finance
Loss ~ $1.68M
Here are the key points regarding the Pike Finance hacks in April 2024:
Two Major Hacks: Pike Finance was hit by two significant security breaches, resulting in a total loss of approximately $1.9 million.
First Hack Details:
Date: April 26, 2024
Target: USDC pool of the Pike Protocol Beta
Vulnerability: Mismanagement of the Cross-Chain Transfer Protocol (CCTP), which is used for transferring USDC across blockchains.
Attack Mechanism: An error in the protocol allowed the attacker to manipulate the receiver addresses and the amount of USDC, enabling the theft of about $300,000.
Response to First Hack:
Protocol Update: In an attempt to secure the protocol, Pike updated their smart contracts.
Introduction of New Vulnerabilities: The updates inadvertently introduced new dependencies that altered the contract's storage layout.
Second Hack Details:
Consequence of Updates: The remapping caused by the updates made the “initialized” variable inaccessible.
System Misinterpretation: The protocol mistakenly believed the contracts were not initialized.
Exploitation: Attackers deployed a malicious version of the spoke contracts, gaining administrator access and subsequently stealing $1.6 million.
Yield Protocol
Loss ~ $0.181M
Hackers exploited a smart contract vulnerability in Yield Protocol, a DeFi lending platform, stealing about $181,000 in crypto assets.
Yield Protocol ceased operations in December 2023 due to decreased demand and regulatory pressures but was still operational for closure procedures.
Despite advisories for investors to withdraw funds, the protocol suffered a breach where the attacker used a discrepancy in pool token balances on the Arbitrum blockchain.
The breach was initially disclosed by blockchain investigation firm PeckShield.
The stolen funds were facilitated through @ChangeNOW_io on the Arbitrum network and remained with the hacker.
Yield Protocol was also affected by a previous attack on the Euler Finance platform in March, which led to the temporary suspension of its operations.
The platform announced its return to full functionality on May 18, allowing resumed borrowing and lending for future series and outlining a timeline for users to claim replacement tokens.
Given the recent security breaches in the DeFi sector, as highlighted above with Pike Finance and Yield Protocol, thorough smart contract audits are crucial for safeguarding assets.
Secure your DeFi projects with thorough audits. Try QuillShield today for comprehensive protection from development to deployment.
Visit QuillShield
Community Spotlight

Week 65 - Pike Hacks Highlight Audit Needs, Vitalik's Security Tips, Starknet & Polygon Innovatio...

GM! Buidlers
In this edition of HashingBits, we explore key developments across the web3 ecosystem. Learn about Vitalik Buterin's preference for multisig over Shamir backup, which he argues is simpler and more reliable. We also cover Ethereum overtaking Solana in DEX trading volume, a notable shift in decentralized trading. Updates from Starknet, Solana, Polygon, Polkadot and Eigen Layer highlight their latest technical advances and strategic expansions. This issue also addresses recent security incidents, including a ~$1.68M compromise at Pike Finance and a $181K exploit at Yield Protocol, and recaps the QuillAudits event in Dubai. Stay informed with HashingBits, your source for blockchain technology updates and security news.
EtherScope: Core Developments 👨‍💻
Ethereum All Core Devs Call #186 Summary - Christine Kim
Ethereum Foundation Wants To Use AI to De-Risk ETH Ecosystem
Azuki NFTs on Ethereum doubled in value in a month, with daily sales of over $1.1M, lifting the market cap to $146.78M, driven by recent project efforts.
Ethereum’s Buterin advocates multisig, says Shamir backup is ‘way easier to screw up’
Ethereum overtakes Solana by DEX trading volume
ether.fi Joins THENA to Accelerate Ethereum’s Decentralization
Building Ethereum MEV Bots for Profit and Innovation
Ethereum Staking Weekly Report
Franklin Templeton lists Ethereum ETF on DTCC
Ethereum transaction fees overtake Bitcoin as Runes speculation subsides
zkSharding for Ethereum
ERCs
ERC-6229 - Tokenized Vaults with Lock-in Period
ERC-7700 - Cross-chain Storage Router Protocol
EIPs
EIP-7699 - Soul Resonance Token
EIP-7569 - Hardfork Meta - Dencun
EcoExpansions: Beyond Ethereum 🚀
Starknet
Blobstream Starknet Project Enables Celestia DA for Developer-Built Starknet Appchains
The Integrity verifier: A leap toward Starknet hyperscaling
Solana
Jito becomes the largest protocol on Solana with $1.4 billion in TVL
Supporting Validators: Updates to the Solana Foundation Delegation Program
Sanctum, an algorithmic liquid staking protocol on Solana, Launches iceSOL
Polygon
Polygon leads in EVM efficiency as DeFi users favour low transaction costs
Polygon PoS Validator Spotlight: Meria
Polkadot
Polkadot parachain Peaq receives major migrations from decentralized mapping projects
Polkadot Ecosystem’s Daily active addresses hit an all-time high of 514,000
Eigen Layer
Eigen Foundation increased the EIGEN airdrop by 100 tokens and clarified that investor tokens unlock after September 30th, addressing community concerns.
The technical whitepaper on universal intersubjective staking is here.
DevToolkit: Essentials & Innovations 🛠️
How to Send User Operations using AA-SDK
Integrate Embedded Accounts in your app with these simplified React hooks
How Do I Get Started Becoming a Solidity Dev?
Securing Smart Contracts: A Dev's Guide, Part I
3074 Hosted Devnet
Block Builder Bids Poller
Unconventional Functional Solidity
Explore the Depths of Knowledge: Research Papers, Blogs and Tweets🔖
Twitter
Analysis of 18 Past Airdrops
EIGEN Universal Intersubjective Work token explained
Binius: highly efficient proofs over binary fields - Vitalik
Articles
Voter Behavior in Blockchain Governance: A Comparative Study of Curve Finance and Polkadot
Solidity Memory Types In Depth: Part 1
Slashing Proofoor - On-chain slashed validator proofs
Research Papers
Web3 and the State: Indian state's redescription of blockchain
TRAC: a tool for data-aware coordination (with an application to smart contracts)
Machine Learning for Blockchain Data Analysis: Progress and Opportunities
Decentralized Peer Review in Open Science: A Mechanism Proposal
Decentralization of Ethereum's Builder Market
Watch🎥
Web3 Security Watch 🛡️
Articles
Unveiling a New Scam: Malicious Modification of RPC Node Links to Steal Assets
Decoding Pike Finance Exploit
5 Mistakes that are Compromising Your Crypto Wallet Security
NGFS Token Hack Analysis
Research
Static Application Security Testing (SAST) Tools for Smart Contracts: How Far Are We?
Solvent: liquidity verification of smart contracts
Improving Smart Contract Security with Contrastive Learning-based Vulnerability Detection
A Blockchain-Based Audit Mechanism for Trust and Integrity in IoT-Fog Environments
Tweets
Finding a Viper in the curved lawn
The pitfalls of EIP-3074, and how to avoid them
ZachXBT: How Lazarus Group laundered $200M from 25+ crypto hacks to fiat from 2020–2023
Tools
RugCheck: a tool for checking the safety, analysis and transparency of #Solana tokens. It inspects Solana token contracts so you can steer clear of potential rugs.
Hacks and Scams 🚨
Pike Finance
Loss ~ $1.68M
Key points on the Pike Finance hacks of April 2024:
Two hacks: Pike Finance was breached twice within days, for a combined loss of roughly $1.9 million; the ~$1.68M figure above is the second, larger incident.
First hack:
Date: April 26, 2024
Target: the USDC pool of the Pike Protocol beta
Vulnerability: faulty handling of messages delivered through the Cross-Chain Transfer Protocol (CCTP), which Pike uses to move USDC between chains.
Attack mechanism: the flaw let the attacker control both the receiver address and the USDC amount of a transfer, so roughly $300,000 of pool USDC was sent to an address of the attacker's choosing.
Response to the first hack:
Protocol update: Pike upgraded its smart contracts to close the hole.
New vulnerability introduced: the upgrade pulled in new dependencies that shifted the existing state variables to different storage slots, changing the contract's storage layout.
Second hack:
Consequence of the update: after the remapping, the upgraded code no longer read the “initialized” flag from the slot where it had been set.
System misinterpretation: the contracts therefore reported themselves as not initialized.
Exploitation: the attacker re-ran initialization, deploying a malicious version of the spoke contracts, gained administrator access and drained about $1.6 million.
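The first Pike hack above came down to a receiving contract that let the caller dictate where USDC went and how much. The following is an added example, not Pike's code, showing a minimal spoke contract in its vulnerable and hardened forms. The handler signature is modelled on Circle's IMessageHandler and should be checked against the CCTP release you target; the hub/spoke naming, the message body layout (nonce, recipient, amount) and the assumption that the spoke holds USDC to pay out are all illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; not Pike Finance's code. The handler signature mirrors
// Circle's IMessageHandler (assumption), and the hub/spoke names and message
// body layout are made up for the example. The point: a receiver that lets
// the caller choose (recipient, amount) is not a bridge endpoint, it is an
// open faucet.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Vulnerable: meant to pay out after a CCTP transfer lands, but the arguments
/// come from the caller and nothing checks who the caller is.
contract VulnerableSpoke {
    IERC20 public immutable usdc;

    constructor(IERC20 usdc_) { usdc = usdc_; }

    function release(address recipient, uint256 amount) external {
        require(usdc.transfer(recipient, amount), "transfer failed");
    }
}

/// Hardened: only the configured MessageTransmitter may deliver, the message
/// must come from the registered hub on the hub's domain, each hub nonce is
/// paid once, and recipient/amount are decoded from the attested body.
contract HardenedSpoke {
    IERC20  public immutable usdc;
    address public immutable messageTransmitter;  // CCTP MessageTransmitter on this chain
    uint32  public immutable hubDomain;           // CCTP domain id of the hub chain
    bytes32 public immutable hubSender;           // hub contract address as bytes32
    mapping(uint64 => bool) public consumedNonce; // hub-side nonce -> already paid

    event Released(uint64 indexed nonce, address indexed recipient, uint256 amount);

    error NotTransmitter();
    error UntrustedSource();
    error NonceUsed();

    constructor(IERC20 usdc_, address transmitter_, uint32 hubDomain_, bytes32 hubSender_) {
        usdc = usdc_;
        messageTransmitter = transmitter_;
        hubDomain = hubDomain_;
        hubSender = hubSender_;
    }

    /// Called by the MessageTransmitter after it has verified the attestation.
    function handleReceiveMessage(uint32 sourceDomain, bytes32 sender, bytes calldata messageBody)
        external
        returns (bool)
    {
        if (msg.sender != messageTransmitter) revert NotTransmitter();
        if (sourceDomain != hubDomain || sender != hubSender) revert UntrustedSource();

        // Body layout agreed with the hub (assumption): (nonce, recipient, amount).
        (uint64 nonce, address recipient, uint256 amount) =
            abi.decode(messageBody, (uint64, address, uint256));
        if (consumedNonce[nonce]) revert NonceUsed();
        consumedNonce[nonce] = true;

        require(usdc.transfer(recipient, amount), "transfer failed");
        emit Released(nonce, recipient, amount);
        return true;
    }
}
```

The MessageTransmitter already rejects replayed raw messages by its own nonce; the application-level consumedNonce guards against the hub emitting the same payout twice. In a Foundry test, impersonate messageTransmitter with vm.prank and assert that the three reverts fire for a wrong caller, a wrong domain or sender, and a reused nonce.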
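The second Pike hack is a storage layout collision of the kind any proxy-upgradeable system can suffer. As an added example that is not Pike's code (contract and field names are assumptions), the following shows a V1 implementation, a patched V2 that inherits a new stateful dependency ahead of the old fields and therefore reads the initialized flag from a slot the proxy never wrote, and a V2 that keeps the original slots fixed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; not Pike Finance's code, and the contract names and
// fields are assumptions. Behind a proxy the storage stays put while the
// implementation changes, so an upgrade that inserts a base contract ahead of
// the existing state variables silently renumbers every slot.

/// V1 implementation. Layout on the proxy: slot 0 = initialized, slot 1 = admin.
contract SpokeV1 {
    uint256 public initialized;
    address public admin;

    function initialize(address newAdmin) external {
        require(initialized == 0, "already initialized");
        initialized = 1;
        admin = newAdmin;
    }
}

/// A dependency pulled in by the post-incident patch; it carries state of its own.
abstract contract CircuitBreaker {
    uint256 public pausedUntil;   // slot 0 if this base is linearized first
    address public guardian;      // slot 1
}

/// V2, vulnerable: CircuitBreaker's state is laid out before the old fields, so
/// `initialized` now maps to slot 2 and `admin` to slot 3. On the live proxy those
/// slots were never written and hold zero: the contract reports itself as
/// uninitialized and anyone can call initialize() again and become admin.
contract SpokeV2Vulnerable is CircuitBreaker {
    uint256 public initialized;   // slot 2 (was 0)
    address public admin;         // slot 3 (was 1)

    function initialize(address newAdmin) external {
        require(initialized == 0, "already initialized");   // passes on the live proxy
        initialized = 1;
        admin = newAdmin;
    }
}

/// V2, hardened: the original state stays first (same slots as V1), the new
/// dependency's state is appended after it, and a gap reserves room so later
/// upgrades can add fields without moving anything that follows.
abstract contract SpokeV1State {
    uint256 public initialized;   // slot 0, unchanged
    address public admin;         // slot 1, unchanged
    uint256[48] private __gap;    // slots 2..49 reserved for future V1-level fields
}

contract SpokeV2Hardened is SpokeV1State, CircuitBreaker {
    // CircuitBreaker.pausedUntil -> slot 50, CircuitBreaker.guardian -> slot 51

    /// Runs once per version; `initialized` doubles as the version number, so
    /// the V1 step cannot be replayed after it has run on the proxy.
    modifier reinitializer(uint256 version) {
        require(initialized < version, "already initialized");
        initialized = version;
        _;
    }

    function initialize(address newAdmin) external reinitializer(1) {
        admin = newAdmin;
    }

    /// The V2 step is gated on the existing admin; it never hands out new rights.
    function initializeV2(address newGuardian) external reinitializer(2) {
        require(msg.sender == admin, "not admin");
        guardian = newGuardian;
    }
}
```

Before shipping an upgrade, diff `forge inspect SpokeV1 storage-layout` against the candidate implementation (or let the OpenZeppelin Upgrades plugin validate it; it refuses layouts that move or shrink existing variables), and lock the raw implementation with OpenZeppelin's Initializable._disableInitializers() in its constructor so nobody can initialize it outside the proxy. Note that the one-shot guard in reinitializer is only as good as the slot it reads: a layout shift defeats it, which is why preserving the layout is the actual fix.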
Yield Protocol
Loss ~ $0.181M
Attackers exploited a smart contract vulnerability in Yield Protocol, a DeFi lending platform, stealing about $181,000 in crypto assets.
Yield Protocol had ceased operations in December 2023, citing reduced demand and regulatory pressure, but its contracts remained live for wind-down procedures.
Although investors had been advised to withdraw their funds, the protocol was breached: the attacker exploited a discrepancy in pool token balances on Arbitrum.
The breach was first disclosed by the blockchain investigation firm PeckShield.
The stolen funds were routed through @ChangeNOW_io on Arbitrum and remain in the attacker's hands.
Yield Protocol was also affected by a previous attack on the Euler Finance platform in March, which led to the temporary suspension of its operations.
The platform announced its return to full functionality on May 18, allowing resumed borrowing and lending for future series and outlining a timeline for users to claim replacement tokens.
Given the recent security breaches in the DeFi sector highlighted above, at Pike Finance and Yield Protocol, thorough smart contract audits are crucial for safeguarding assets.
Secure your DeFi projects with QuillShield for protection from development to deployment.
Visit QuillShield
Community Spotlight

Week 64 - Ethereum at Record Highs | Bitcoin Halving Insights | ZetaScan's 100M Mark, Stripe Adop...

GM! Buidlers
In this edition of HashingBits, we explore critical developments within web3. Discover the latest on the anticipated Bitcoin halving and its expected market effects. We bring you detailed updates from Starknet, Zetachain, Polygon, and Solana, emphasizing their recent technological progress and strategic collaborations. This edition also covers the distressing $33M rugpull at ZKASINO on zkSync, and a phishing attack on an ANDY token holder on Ethereum that cost the victim $180K. Additionally, we are proud to announce the debut of QuillShield in Dubai, a new security solution aimed at bolstering digital asset protection. Dive into these important updates and more, ensuring you remain informed and secure in the ever-evolving realm of blockchain technology, courtesy of QuillAudits.
EtherScope: Core Developments 👨‍💻
Ethereum Ecosystem Activity Soars to All-time High
Reth's Path to 1 Gigagas per Second - Ethereum Scaling Roadmap
Introducing Ethereum Blobspace Derivatives.
Ether Inflates After Gas Fees Plummet.
Top Ethereum Layer-2 networks adopt Avail DA to boost rollup efficiency and security.
Vitalik Buterin backs ETH PoS transition amid PoW debate
RIPs (Rollup Improvement Proposals):
RIP-7696: Precompile for generic DSM (double scalar multiplication)
EIPs (Ethereum Improvement Proposals):
EIP-7698: EOF - Creation transaction
EIP-7697: AUTHCREATE opcode
EIP-7693: Backward-Compatible Post-Quantum Migration
EIP-7692: EVM Object Format (EOF) Meta
ERCs (application layer):
ERC7699: ERC20 payment reference extension
EcoExpansions: Beyond Ethereum 🚀
Starknet
Starknet Tokenbound V2 - The latest implementation of ERC6551 on Starknet is live!
Starknet releases its roadmap and targets for the upcoming months
Introducing the Starknet Propulsion Program!
The Ark Project NFT Bridge is live on Starknet Mainnet.
The Avail DA solution is coming for MadaraStarknet builders!
ZetaChain
The ZetaScan TX counter nears 100 million in <90 days!
Bitcoin is coming to gaming! Multiplayer web3 gaming hub upcade_xyz is live on ZetaChain
ZetaChain announces 5% of total ZETA supply to power the next generation of native Bitcoin applications!
Tezos
Beyond Collectibles: Making Web3 Games That Players Truly Value Using Tezos Unity SDK
AlphabotApp has completed their #Tezos integration. You can now whitelist your NFTs built on Tezos!
Now you can deploy Tezos-based quests and campaigns with DMission!
Polygon
Polygon Ecosystem Token (POL): What It Is and Its Role in Polygon 2.0.
How the AggLayer Unlocks a New Age of Blockchain Economics
Solana
Digital payments giant Stripe to enable USDC payments via Solana!
jito_sol Foundation’s Stakenet has undergone a UI upgrade for validators.
Institutional self custody platform Safeheron integrates Solana.
DevToolkit: Essentials & Innovations 🛠️
Remix v0.48: supports using multiple browser wallets (EIP6963), added PLONK scripts to zk proof templates and added CREATE2 factory for deploying
Guide to Hardhat Ignition contract verification on Etherscan
Safe singleton factory deployer (Solidity): for using the factory with Foundry deployment scripts
Forge AlphaNet (Solidity): libraries for AlphaNet, EIP2537 BLS precompiles, RIP7212 Secp256r1 precompile and EIP3074 invokers
Snekmate (Vyper contracts): added Echidna-based property tests for ERC20/721 contracts
Guide to integrate Permit2 into Vyper contracts
Dpack-py (EVM packaging format): share addresses & artifacts to interact with contracts
web3.py: guide to Bloom filters
Tenderly virtual testnets for dapp developers, uses mainnet state, with a faucet, RPC, explorer & debugging tools
Privacy and Scaling Explorations core program: 8 week hybrid course for students in Japan, South Korea, Taiwan, Costa Rica, Ecuador & Argentina, apply by April 30
Explore the Depths of Knowledge: Research Papers, Blogs and Tweets🔖
Twitter
How do you choose which rune tokens to trade/mint?
Miners are making more money than before the Halving
What can we expect post halving?
The L2 Endgame Isn't Fee Revenue.
introducing BIP-420: formal Bitcoin Improvement Proposal for OP_CAT
GPU-EVM: The Most Performant Parallel-EVM by 100x
GitHub Repos
Rust library for writing NEAR smart contracts
Articles
Engaging Safely in Web3 Communities.
Bitcoin Layer 2 Coins, STX, ELA, SAVM, Outperform BTC After Halving
How Real-World Assets Will Survive (and Evolve) in the Bull Market.
Degeneracy to the Third Degree.
PayPal and Energy Web Team Up To Incentivize Green Bitcoin Mining.
Research Papers
Leverage Staking with Liquid Staking Derivatives (LSDs): Opportunities and Risks.
zkLLM: Zero Knowledge Proofs for Large Language Models.
Zero-Knowledge Location Privacy via Accurate Floating Point SNARKs.
Byzantine Attacks Exploiting Penalties in Ethereum PoS.
Watch🎥
Web3 Security Watch 🛡️
Articles
Post Mortem: Augustus V6 Vulnerability of March 20th, 2024
New Technique to Trick Developers Detected in an Open Source Supply Chain Attack by Yehuda Gelb (Checkmarx).
One More Problem with ERC777.
GitHub Repos
Not So Smart Contract
Research
Gateway Free Web3 Security Course
Replacing Cryptopuzzles with Useful Computation in Blockchain Proof-of-Work Protocols
Demystifying Invariant Effectiveness for Securing Smart Contracts
Tweets
Secureum Race-29
Tools
Smart Contract Inspector - Inspect the source code of a Smart Contract with your preferred Web IDE with just one click (or keyboard shortcut) by StErMi.
Simbolik - Next-Generation Smart Contract Debugging.
tx-coverage - Reveal unused code of a live smart contract by collecting coverage from historical transactions by Decurity.
Hacks and Scams 🚨
ZKASINO
Loss ~ $33M
ZKasino, a crypto betting site, faced rug pull allegations when its developer diverted $33 million worth of investor funds to Ethereum staking platform Lido.
The ZKasino network launched on April 20, attracting over 10,000 users who bridged 10,515 ETH with expectations of receiving extra $ZKAS tokens and having their ETH returned.
However, on launch day, ZKasino altered its plan, converting all bridged ETH to $ZKAS at a rate of $0.055 and vesting it for 15 months without indicating if the Ether would be returned.
Despite demands for ETH refunds, ZKasino dismissed concerns as "FUD," and its founders disappeared, along with the official Telegram channel.
The situation is dubbed potentially the biggest rug pull of 2024, resulting in over $33 million in losses for investors.
The funds were staked with Lido, and the project's claimed backers came under scrutiny: Big Brain Holdings denied any investment in ZKasino and called the claims of its backing fraudulent.
MEXC exchange, citing community concerns, canceled the listing of $ZKAS token.
Blockchain investigator ZachXBT labelled ZKasino's founder, Derivative Monke, and the team as "proven bad actors."
Meanwhile, Mega Dice, another crypto casino, drew attention by raising over $438k in its DICE token presale, pitched as an alternative for investors put off by ZKasino's actions.
Avoid rug pulls with QuillCheck's easy token safety checks on multiple chains.
Visit QuillCheck
ANDY(Token)
Loss ~ $180K
A cryptocurrency investor lost over $180,000 in USD Coin (USDC) and ANDY, a meme coin inspired by Pepe, due to a phishing attack on Ethereum.
The attack took place on April 23, lasting nearly one hour, from 05:39 to 06:29 UTC.
The attackers used a multicall phishing attack: several function calls bundled into a single transaction, each looking harmless on its own but draining the account when executed together.
Transaction data reveals outflows from the victim’s address to multiple wallets belonging to the hackers, some identified as phishing wallets by Etherscan.
The victim lost over 1.6 billion ANDY tokens valued at $162,400 and 17,913 USDC.
The attack emptied the victim’s account, leaving a balance of only $32 worth of Ethereum (ETH) and Arbitrum (ARB).
One of the attacker’s addresses retained the loot, while the second immediately swapped the received ANDY tokens for WETH on Uniswap and transferred them to a new address.
Community Spotlight
QuillAudits in Dubai: launching QuillShield!

Week 63 - Ethereum Eyes $1B Annual Profit in DeFi Surge | Solana's Urgent Congestion Patch Goes L...

GM! Buidlers
In this edition, we spotlight the latest pivotal updates from the blockchain world. Discover Solana’s newly implemented congestion patch, explore Polygon’s collaboration with OKX through the X Layer, and learn about Subsquid’s launch of BeraChain. We also cover Arbitrum's bold moves toward greater decentralization, and address the serious implications of recent security breaches which have led to significant financial losses of over $47M. Get all the details on these critical developments and more, ensuring you stay ahead in the evolving landscape of blockchain technology and security, courtesy of QuillAudits.
EtherScope: Core Developments 👨‍💻
Token2049: Crypto experts highlight Ethereum blockchain problems
Ethereum aims for $1 billion annual profit as DeFi gains momentum in Q1
Layer 2
L2BEAT Costs: breakdown of L2 transaction costs
XEN spam is 68% of Base state
Steven Goldfeder: technical & financial benefits end at L3
ZeroPool: zk native sharded storage protocol
Prooφ: SNARK prover market mechanism
RollCall (L2 standards) call video
EIPs:
EIP7684: Return deposits for distinct credentials
EIP7685: General purpose execution layer requests
EIP7686: Linear EVM memory limits
EIP7688: Forward compatible consensus data structures
RIPs (Rollup Improvement Proposals):
RIP7696: Precompile for generic DSM (double scalar multiplication)
ERCs (application layer):
ERC7680: Valued tokens with layered liquidity
ERC7681: Dual nature multi-token protocol (ERC20 & ERC1155)
ERC7682: Auxiliary funds capability
ERC7689: Smart blobs (state machine on top of blobs)
ERC7695: Ownership delegation and context for NFTs
ERC7683: The Cross-Chain Intents Standard
Tools
Guide to using Kurtosis & ethereum-package to launch local devnets
Tracoor: beacon data & execution trace explorer to identify & address network problems
Assertoor: cross-client integration testing tool, higher abstraction level than Hive
EcoExpansions: Beyond Ethereum 🚀
Solana
Solana releases mainnet beta update v1.17.31 to resolve congestion issues
Solana rallies 9% as developers launch update to tackle network congestion
Solana AI projects to watch as io.net's launch draws near.
Solana DEX Drift to Airdrop 100M Tokens in Weeks
Polygon
OKX Launches X Layer, Built with Polygon CDK, Enabling 50M+ Users to Tap Unified Liquidity of the AggLayer
OraProtocol’s onchain AI oracle (OAO) is integrating with Polygon PoS
Polygon Labs Awarded ISO 27001 Certification, the Gold Standard of Compliance for Information Security Management Systems
IBC, meet AggLayer, for cross-chain transactions and inter-network communication
Polygon aims to bridge Solana with Ethereum as analysts eye new AI altcoin
Berachain
Berachain's Meme Marketing Leads to $100M Raise
Subsquid Unleashes BeraChain Indexing for Enhanced Decentralized Data Access
ZOTH Atlas (Incentivized Testnet) is Now Live on Berachain
Arbitrum
Arbitrum BOLD Testnet Live: The Next Step in Decentralization
Arbitrum Foundation Grant Program Phase Three is NOW OPEN!
DevToolkit: Essentials & Innovations 🛠️
A beginner's guide to Runes
Learn, integrate, and build on a new modular EVM with Berachain.
Slither v0.10.2: slither-mutate support for Foundry projects, unused imports detector and supports aliases
Guide to writing efficient DuneSQL queries
Remix v0.47.0: adds Solidity Copilot using SolCoder LLM, pin contracts deployed to Remix VM and DappDraft plugin to generate a front end
Practical aspects of fuzzing smart contracts: Echidna
Sub Zero: mine vanity addresses using CREATE2, tokenized as ERC721 NFTs
inkmate, a set of gas-efficient smart contracts written in Rust.
Explore the Depths of Knowledge: Research Papers, Blogs and Tweets🔖
Good Reads 📚
Runes Will Help Bitcoin DeFi ‘Close the Gap’ on Ethereum, Solana: Franklin Templeton
2024 Q1 Crypto Industry Report
Zero Knowledge Summit (zkSummit) 2024: Field notes
WorldCoin to launch Layer 2
Layer 2 Scroll zkEVM Introduces Points Program
Tweets
Introducing Subscription Minting
The Decentralized Compute Narrative
Runes - Bitcoin's new Fungible Token Standard
20 of the Most Innovative Onchain Experiments From the Last 3 Years
HyperspaceZK: A fast and free browser-based ZK engine for AI agents
GitHub Repos
Theoretical and technical aspects of tokenisation of real world assets.
Zero-Knowledge-Mastery
Research Papers
Privacy-Preserving UCB Decision Process Verification via zk-SNARKs
Performance Analysis of Decentralized Physical Infrastructure Networks and Centralized Clouds
mABC: multi-Agent Blockchain-Inspired Collaboration for root cause analysis in micro-services architecture
SoK: Decentralized Finance (DeFi) -- Fundamentals, Taxonomy and Risks
Watch🎥
Web3 Security Watch 🛡️
Good Reads 📚
Privacy by default on L1s?
SEAL-ISAC (database of blackhat info): free membership for whitehats via application
Heimdall Security Bug Fix
Demystifying account abstraction ERCs
Tweets
Zelic found critical vulnerability in Gains network
Concept of Stealth Addresses
Github Repos
DeFi, blockchain and crypto-related OpSec research and data terminals
Research Papers
Evaluating the Security of Merkle Trees in the Internet of Things: An Analysis of Data Falsification Probabilities
Larger-scale Nakamoto-style Blockchains Don't Necessarily Offer Better Security
Tools
Mempool Dumpster: dump all mempool transactions 🗑️ ♻️ (in Parquet + CSV)
Hacks and Scams 🚨
Hedgey Finance
Loss ~ $44.7 million
Hedgey Finance experienced two hacks, losing a total of $44.7 million across the Arbitrum and Ethereum networks.
The larger hack on the Arbitrum network resulted in a loss of approximately $42.8 million in ARB tokens, with some funds moved to Bybit exchange.
A smaller exploit on the Ethereum network earlier led to a loss of $1.9 million in cryptocurrencies.
Hedgey Protocol confirmed the exploits and is working with auditors to identify the underlying vulnerabilities.
Following the attack announcement, fake accounts appeared, posting harmful links under the guise of offering help, leading to potential further scams.
Grand Base
Loss ~ $1.7 million
Grand Base, a real-world asset tokenization protocol on Coinbase's layer-2 blockchain, lost $1.7 million due to a private key compromise.
The incident occurred on April 15, with PeckShield confirming that the leaked private key allowed the theft and on-chain swap of tokens for Ether, which was then sent to an external address.
The protocol’s native token value plummeted by 99% within 24 hours of the exploit.
Grand Base admins warned users via Telegram to avoid interacting with the compromised token contract.
Analysis by CertiK revealed the hacker gained control of the deployer contracts, minted GB tokens without authorization, and withdrew them.
Grand Base staff are monitoring the hacker’s wallets and coordinating with exchanges to potentially freeze any transferred funds.
Users in the protocol's Telegram expressed frustration and distrust, advising against further investment.
MASA Token
Loss ~ $502.0K
A fake Masa token ($MASA) on Ethereum fell by 100%. The deployer 0xEB35...80a71 dumped 1,769,800,761,000,000 $MASA for ~142.8 $WETH (worth ~$502K).
Community Spotlight

Breaking down and building RWAs with QuillAudits

QuillAudits has recently launched a GitHub repository that covers everything that you need to know about Real World Assets. We have created this repo with a very comprehensive and detailed approach for the developers.
Real World Assets (RWAs) refer to physical and financial assets—ranging from cash and commodities to intellectual property and artworks—that are tokenized on the blockchain. By leveraging blockchain technology, these assets can be digitized, enabling more accessible, secure, and efficient transactions. The RWA approach opens up numerous possibilities for asset management, investment, and exchange in a decentralized and transparent manner.
We’ll also be doing a YouTube live on 19th April (Friday) on QuillAcademy in which we’ll go through the whole theoretical and practical explanation of the repository.
What Can You Find in This Repository?
The RWA repository is a comprehensive resource hub where you can find:
Beginner Friendly Theory: Provides a foundational understanding of how real-world assets can be tokenized and managed on the blockchain, featuring simple explanations, introductory guides
Code Examples: We'll be diving deep into the technicalities of tokenisation of Real-World Assets by developing an Apple Coin (AAPL) ERC-20 token.
Technical Guides: Whether you're a beginner or an advanced user, our guides provide detailed insights into the functionalities and implementations of RWAs. FYI: We have portrayed how Apple Shares can be tokenized on the blockchain as an example.
Resources: Connect with a wealth of knowledge through curated links, articles, and papers that expand your understanding and capabilities in the blockchain space.
Visit the RWA GitHub Repository
Join Our Community
This repository is not just a resource; it's a community. We encourage you to dive in, experiment with the code, propose enhancements, and share your discoveries. Whether you're looking to develop new applications or simply curious about the technology, there’s something here for everyone.
We believe that the tokenization of real-world assets represents a significant leap forward in how we think about and interact with traditional assets. With this repository, we aim to facilitate a deeper understanding and broader adoption of blockchain technology in mainstream asset management.
Get Involved!
Linkedin - https://www.linkedin.com/company/quillaudits/
Twitter - https://twitter.com/QuillAudits
GitHub - https://github.com/Quillhash

Week 60 - Layer 2 Triumphs | EigenLayer 2nd in DeFi TVL! | Polkadot's Ink v5 released | CURIO and...

GM! Buidlers
Welcome to the latest edition of HashingBits! This edition is packed with exciting developments in Ethereum, particularly in Layer 2 scalability solutions and other ecosystems like Solana, EigenLayer, Polygon, NEAR, and Tezos. Dive into the latest Developer Updates, including Polkadot's Ink v5 release, Cyfrin Updraft for web3 DevOps and solidity updates. Stay updated on recent blockchain hacks, including $62.5 million lost by Munchables and $16 million by CURIO due to Smart Contract vulnerabilities.
EtherScope: Core Developments 👨‍💻
Check out how BlackRock plans to start a new RWA tokenisation fund on Ethereum
Mainnet successfully upgraded to Dencun
Consensus-specs v1.4.0 for Dencun mainnet release
Layer 2
L2 fees drop to cents & below: L2 Fees, Gas Fees & grow the pie
Optimism fault proofs are now live on OP Sepolia testnet
Arbitrum upstages Ethereum as daily transactions are through the roof amidst L2 networks’ surge
EIPs:
EIP7657: Sync committee slashings
EIP7658: Light client data backfill
EIP7659: Stepwise blob throughput increase
ERCs (application layer):
ERC7656: Generalized token-linked contracts
EcoExpansions: Beyond Ethereum 🚀
Solana
Solana’s first liquidity bootstrapping platform 1intro launched
Solana developers can natively swap USDC tokens from Ethereum and other ecosystems
The next-gen standard for NFTs, Core is now presented by Metaplex
Polygon
The first rollup improvement proposal with the Napoli Upgrade
Polygon AggLayer to facilitate Astar’s zkEVM Mainnet launch with Ethereum interoperability
NEAR
Chain signatures to facilitate cross-blockchain transactions from your NEAR account, now secured by Eigenlayer and NEAR stakers
Tezos
Oxford 2 now activated by Tezos to enhance flexibility and security for Blockchain
Created by artist Agoria, the collection comprises five unique NFTs minted on the Tezos blockchain.
Eigen Layer
EigenLayer has reached $11.2B in total value locked (TVL). The Ethereum restaking protocol overtook Aave to become the 2nd largest protocol by TVL.
Introducing Edgeless Network: A Fee-Free Ecosystem on Arbitrum Nitro Chain with EigenLayer's DA Solution
DevToolkit: Essentials & Innovations 🛠️
web3py middleware (v7 beta): class-based middleware replaces functional programming paradigm
Buidl on Aptos and Sui with the move book
Here is how to make your own ERC-404 Token!
Polkadot’s strengthened security with upgradeable contracts, implementing fallible methods.
Solidity v0.8.25: Cancun default EVM version, MCOPY used in code generator and TSTORE usage warnings reduced to once per compilation
Ethernaut-cli (toolbox): built on Hardhat tasks, AI requires OpenAI API key; beta
Cyfrin Updraft adds web3 DevOps & Assembly & Formal Verification courses
Explore the Depths of Knowledge: Research Papers, Blogs and Tweets🔖
Articles
How EigenLayer’s Restaking Enhances Security and Rewards in DeFi
EIP-4844 Explained: The Key to Ethereum’s Scalability with Protodanksharding
Tokenomics: A Method for Assessing Tokens
BitVM 2: Permissionless Verification on Bitcoin
Tweets
Master ECDSA: Elliptic Curve Digital Signature Algorithm.
EigenLayer: On Liquid Restaking: Risks & Considerations
Proof of concept for verifying a plonky3 proof in plonky2
EIP-3074 Explained
Research Papers
Privacy-Preserving Energy Trading Using Blockchain and Zero Knowledge Proof
An Account Selection Model for Identifying Valuable zkSync Users
Watch🎥
Web3 Security Watch 🛡️
Articles
These PyPI Python Packages Can Drain Your Crypto Wallets.
A Practical Guide On Honeypot Attacks in Smart Contracts
Attackers abuse cloud accounts to spawn thousands of crypto CDN nodes.
Sepolia Incident
GitHub Repos
Smart Contract Auditing Roadmap
OpenZeppelin Ethernaut CTF 2024 challenges & solutions
Research
How to securely transfer unclaimed tokens from a compromised wallet by Phoebe.
Cryptocurrency Privacy Technologies: Bulletproof Range Proofs by patrickd.
Censorship, Latency, and Preconfirmations in the Blob Market by Primev.
Tools
deExplorer - A tool designed to monitor cryptocurrency movement across multiple blockchains, providing insights into investor behavior. It allows observation of the blockchains where investors deposit and withdraw funds, offering valuable data on cross-chain transaction patterns.
Aderyn - Aderyn is a Rust-based static analyzer specifically designed for Web3 smart contract security and development. It takes a bird's eye view over your smart contracts, traversing the Abstract Syntax Trees (AST) to pinpoint suspected vulnerabilities. Developed by Cyfrin.
Hacks and Scams 🚨
Visit Quill Monitor
1. Munchables
Loss ~ $62.5M
Blockchain data shows that Munchables, a Web3 project on the Blast blockchain, was drained of an estimated $62.5 million worth of ether early Wednesday after a contract was maliciously manipulated.
Munchables said on X that the developer had shared all private keys to recover the funds.
The attacker apparently transferred the stored users’ funds to themselves before upgrading the platform’s smart contracts. Blockchain sleuth ZachXBT said the attacker was likely North Korean, based on their GitHub commit activity. They are listed on GitHub as “Werewolves0493” and allegedly worked for the Munchables team.
2. CURIO
Loss ~ $16M
Real-world asset (RWA) liquidity firm Curio suffered a smart contract exploit involving a critical vulnerability related to voting power privileges, allowing the attacker to steal $16 million in digital assets.
On 25th March 2024, Curio reported an exploit due to a flaw in their system's access control, allowing the unauthorized minting of 1 billion Curio Governance Tokens (CGT). They aim to compensate affected parties through the introduction of CGT 2.0.
The company informed its community about the breach, attributing it to a vulnerability in a MakerDAO-based smart contract's permission logic, which enabled the attacker to mint 1 billion CGT.
Community Spotlight
Decentralized Derby, started by QuillAudits, is a hub for showcasing new Web3 ideas and connecting entrepreneurs with top investors and the wider community. It's designed for creators ready to pitch, investors looking for the next big thing, and anyone keen on the latest in blockchain.
If you've got an idea or project that could shape the future of technology, we'd love to hear from you. Sign up to pitch your project here.
Check Out Our Past Derby Pitchers' Insights!

Particle Trade and Dualpool exploited overnight

In brief ⚡
Miner Token Exploited for $463.4k: ERC-X Vulnerability Leads to 87% Price Drop
DeFi Exploits Strike BSC: @particle_trade and @dualpools Suffer Losses Totalling $180k
Crypto Casino Duelbits Loses $4.6 Million in Exploit; Hacker Utilizes Asset Swaps to Obfuscate Trail
Visit QuillMonitor
Hacks and Scams⚠️
MinerCx
Amount of Loss: ~ $463k
Analysis
Miner ERC-X token, following an exploit on Feb 14, lost approximately 168.8 ETH (valued around $463.4k), leading to an 87% drop in its price.
The exploit was attributed to a vulnerability in the smart contract, specifically in the _update function, which erroneously awarded free tokens when users transferred tokens to themselves.
The attacker exploited this flaw by sending tokens to themselves in multiple transactions, causing the balance calculation to double the tokens in the attacker's account.
The Miner Team responded by announcing plans to re-audit the vulnerable contract and redeploy it after rectification. They intend to use the remaining liquidity of approximately 130 ETH for redeployment and plan to take a pre-exploit snapshot of current holders.
Additionally, the team attempted to negotiate with the attacker through an on-chain message, offering a 30% reward (~$120k) in return for returning the stolen funds, but as of now, the attacker has not responded to the offer.
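The self-transfer bug described above, modelled in Python as an added example for this newsletter (it is not the Miner contract's own code; the `TokenLedger` class, its sample balances and the two transfer variants are constructed for illustration). The vulnerable variant reads both balances before writing either, so when sender and recipient are the same address the credit overwrites the debit and the holder's balance doubles; the fixed variant updates each balance in sequence, and a supply invariant exposes the discrepancy:

```python
"""Model of the ERC-20 style self-transfer balance bug (added example, not the
Miner contract's code). Balances and addresses below are constructed samples."""


class TokenLedger:
    """Minimal in-memory token ledger with two `_update`-style implementations."""

    def __init__(self, balances: dict[str, int]):
        self.balances = dict(balances)
        # total_supply is fixed at construction and is the invariant to defend:
        # no transfer may change the sum of all balances.
        self.total_supply = sum(balances.values())

    def transfer_vulnerable(self, sender: str, recipient: str, amount: int) -> None:
        """'Before' shape: read both balances, then write both.

        When sender == recipient, the second write stores to_bal + amount, where
        to_bal is the stale pre-transfer balance, clobbering the debit written just
        before it. The holder ends up with its old balance plus `amount`.
        """
        from_bal = self.balances.get(sender, 0)
        to_bal = self.balances.get(recipient, 0)
        if from_bal < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] = from_bal - amount
        self.balances[recipient] = to_bal + amount  # overwrites the debit if same key

    def transfer_fixed(self, sender: str, recipient: str, amount: int) -> None:
        """Hardened shape: read-modify-write each balance in sequence.

        The recipient credit reads the balance *after* the sender debit, so a
        self-transfer nets to zero and the supply invariant is preserved.
        """
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] = self.balances.get(sender, 0) - amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount

    def supply_is_consistent(self) -> bool:
        """Invariant a fuzzer or on-chain monitor should check after every transfer."""
        return sum(self.balances.values()) == self.total_supply


def self_transfer_rounds(use_fix: bool, rounds: int = 3) -> tuple[int, bool]:
    """Holder with 100 tokens sends its whole balance to itself `rounds` times.

    Returns (holder's final balance, whether the supply invariant still holds).
    With the vulnerable update each round doubles the balance: 100 -> 200 -> 400 -> 800.
    """
    ledger = TokenLedger({"holder": 100, "pool": 900})  # constructed sample state
    transfer = ledger.transfer_fixed if use_fix else ledger.transfer_vulnerable
    for _ in range(rounds):
        transfer("holder", "holder", ledger.balances["holder"])
    return ledger.balances["holder"], ledger.supply_is_consistent()


if __name__ == "__main__":
    print("vulnerable:", self_transfer_rounds(use_fix=False))  # (800, False)
    print("fixed:     ", self_transfer_rounds(use_fix=True))   # (100, True)
```

The `supply_is_consistent` check is the property worth encoding as an invariant in a fuzzing harness (Echidna is listed in the DevToolkit section above): any transfer sequence, including sender == recipient and zero-amount transfers, must leave the sum of balances equal to the total supply.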
Particle Trade and Dual Pool
Amount of Loss: ~ $139k and $41k
Analysis
Two DeFi protocols, @particle_trade and @dualpools, experienced exploits resulting in significant losses, approximately $139k and $41k respectively.
@particle_trade confirmed the exploit, attributing it to unchecked user input on their previously deprecated NFT contract, while asserting that their current protocol remained unaffected.
@dualpools, however, has yet to officially acknowledge the hack, despite details of the exploit being shared publicly.
The breakdown of stolen funds from the @dualpools exploit includes various cryptocurrencies such as BNB, BTCB, ETH, ADA, and BSC-USD.
Specific transaction and contract addresses associated with the @dualpools exploit have been identified and shared, providing insight into the malicious activity.
DuelBits
Amount of Loss: ~ $4.6M
Analysis
On February 13th, the crypto casino platform Duelbits experienced a significant exploit resulting in approximately $4.6 million worth of crypto assets being lost.
The exploit targeted Duelbits' wallets on both the Ethereum ($ETH) and Binance Smart Chain ($BNB) networks.
While Duelbits has not yet released an official statement regarding the hack, speculation suggests a compromised private key or loss of wallet access control as potential causes.
Stolen funds included various tokens such as USDT, APE, and SHIB, with the attacker attempting to obfuscate the trail by swapping assets from the BNB chain to Ethereum.
To overcome gas fee limitations during asset bridging, the hacker utilized the FixedFloat service for quick cryptocurrency exchanges.
Explore the Depths of Knowledge: Research Papers, Blogs and Tweets🔖
Tweets
ALPHA ALERT: I just found a cool, well articulated way to approach a codebase while auditing smart contracts. Sources and Sinks. This is used in Web2. They call it Taint Analysis.
How did I find a way to block the LayerZero pathway?
This new ERC404 hype seems to have a funny side-effect in its _transf
Every blockchain or smart contract language should be aware of the “tutorial avalanche” and do their best to trigger it.
3 mandatory checklists to go through before doing a smart contract security audit on your codebase:
GitHub Repos
uniswap-resources
Articles
6 security sins of Web3 bridges
Exchange Rate Manipulation in ERC4626 Vaults
ZK-Audit
Vulnerable Spots of Lending Protocols
Ethereum Executes Blockchain Hard Fork to Return DAO Funds
Web3 Community Spotlight🔦
Transforming Assets: Unlocking Real-World Asset Tokenization
Thanks for reading HashingBits! Share a summary of our newsletter on your social media platforms, tag us, and use the #AwareToEarn hashtag, and you could win 10 USDT as a reward! Help us build a safer Web3 ecosystem and have a chance to earn rewards and support our work.
Subscribe now