Scary hackers can steal assets from your wallet

Mar 07, 2024

Heyo,

Jules here, from Cyfrin.

The future of crypto hinders on smart contract security. As the markets rise, we’re more focused than ever on building the web3 we dream of.

Through technical education, private and competitive audits, auditor tooling, and more - we are committed to making 2024 the best year of crypto yet!

Our team of white hats preparing to fight the hackers (okay and play paintball 🤪)

TLDR

✍🏼 How did a hacker steal assets from people’s wallets?

📆 Cyfrin ecosystem updates

📚 Auditing tools, audits, and AI debuggers

How did a hacker steal assets directly from user’s wallets?

Exactly a week ago, the Seneca Protocol, a DeFi collateralized debt position protocol, was exploited for approximately $6 million.

🤷🏻‍♀️ How did it happen?

The attacker was able to transfer tokens from users' wallets to their own address by manipulating the Chamber::performOperations function.

The performOperations function was set as external without the right input validation, enabling the attacker to call any contract with any arbitrary data.
The attacker set callData as a transferFrom() function on a token, specifying the to address to an attacker's EOA address
Since the msg.sender was the Chamber contract, the attacker transferred funds to themselves since the Chamber contract had an approval amount that exceeded the total amount of collateral deposited.

Assembly, EVM Opcodes, and Formal Verification Course

This week at Cyfrin

👩🏻‍💻 Cyfrin CodeHawks is the only competitive auditing platform in the market today enabling users to judge contests. Learn more about how that works here!

👩🏻‍🎓 Opcodes, Huff, Assembly, bytecode, Yul, EVM, we dive deep in our Smart Contract Security Course part 2. Check it out here!

🕵🏻‍♀️ Static analyzers are foundational to audits today - helping researchers uncover vulnerabilities in seconds. Check out Cyfrin Aderyn, a Rust-based analyzer which outputs the report in an easy-to-consume markdown from the get-go!