HashingBits Week 75: Vitalik’s Keynote at EthCC, Optimism’s Superfest, Worldcoin’s L2 Chain, Story Protocol’s First IP Debut, Bittensor’s $8M Wallet Hack


GM! Buidlers

In this issue of HashingBits, we dive into the Ethereum Core Developers meetings and the major updates across the Ethereum ecosystem. We also cover the latest from the Polygon, Arbitrum and Optimism ecosystems, the highlights of EthCC, and developments at the intersection of AI and Web3. For developers, we spotlight new tools for smart contract developers and auditors. Finally, we break down the $8M Bittensor wallet hack, traced to a malicious PyPI release, and Dough Finance's $1.94M loss to flash-loan attacks.

EtherScope: Core Developments 👨‍💻

Layer1 & Layer2

ERCs

  • ERC7737: Custom data access model
  • ERC7738: Permissionless script registry
  • ERC7739: Readable typed signatures for smart accounts
  • ERC7741: Authorize operator (via EIP712 secp256k1 signatures)

EIPs

  • EIP7742: Uncouple blob count between CL and EL
  • EIP.tools adds EIP-GPT, an AI-generated summary of any EIP/ERC

RIPs

  • RIP7740: Preinstall deterministic deployment factories

EcoExpansions: Beyond Ethereum 🚀

Polygon

Optimism

Arbitrum

DevToolkit: Essentials & Innovations 🛠️

  • Lodestar v1.20.0: changes to the types exported by the lodestar/api package, a flag to use SSZ APIs with the validator client, and updated testnet bootnode ENRs.
  • Besu v24.7.0: adds eth_maxPriorityFeePerGas support and improvements to sync, peering & startup performance
  • Erigon v2.60.3: adds an optional flag to include precompiles in tracing output
  • Geth v1.14.7: hotfix for concurrent map read/write bug in v1.14.6
  • Reth v1.0.1: full node performance improvements, ExEx backfill & RPC fixes
  • Stereum v2.2: multi-setup support and connection check to test network stability & connectivity
  • gevm: an EVM implementation written from scratch in Go

Hackathons, Workshops & Events

Explore the Depths of Knowledge: Research Papers, Blogs and Tweets🔖

Twitter

Articles

Research Papers

Github

  • Web-solc: adapter to fetch and run a specific version of the Solidity compiler in the browser
  • ERC3770 (Rust): helper for building and parsing ERC3770 chain-specific addresses
  • RicMoo’s Firefly Pixie: open source hardware wallet

Watch🎥

Web3 Security Watch 🛡️

Articles

Research Papers

Twitter

Hacks and Scams 🚨

Bittensor

Loss ~ $8M

  • July 2, 7:06 PM UTC: The attacker begins transferring funds from compromised wallets to their own wallet.
  • July 2, 7:25 PM UTC: The Opentensor Foundation detects an abnormal increase in transfer volume and assembles a war room.
  • July 2, 7:41 PM UTC: Validators on the Opentensor chain are placed behind a firewall, and Subtensor is switched to safe-mode to halt all transactions.
  • July 3: The team traces the attack to a malicious release of the Bittensor package on PyPI, version 6.12.2.
  • The malicious package masqueraded as the legitimate Bittensor package and intercepted the decrypted (unencrypted) coldkey details at the moment users decrypted their keys.
  • Affected users were those who installed the Bittensor package from PyPI between May 22, 7:14 PM UTC, and May 29, 6:47 PM UTC, and then performed an operation that decrypts a coldkey.
  • The compromised release (6.12.2) was removed from PyPI.
  • The Subtensor and Bittensor code on GitHub was thoroughly reviewed; no additional vulnerabilities were found.
  • OTF contacted several cryptocurrency exchanges to trace the attacker and attempt to recover stolen funds.
  • The Bittensor community actively supported the investigation and mitigation efforts.
  • After the code review, normal operations of the Bittensor blockchain will gradually resume, with regular updates provided to the community.
  • Users are advised to create new wallets and transfer their funds once the blockchain resumes operations and to upgrade to the latest version of Bittensor.
  • Future enhancements include stricter access and verification processes for packages, increased frequency of security audits, implementation of best practices in public security policies, and improved monitoring of package uploads and downloads.
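The practical lesson of the Bittensor incident is that a dependency pulled from a package index is only as trustworthy as the artifact you actually install. The script below is an added example, not Opentensor or Bittensor code: it parses a requirements file in pip's `--require-hashes` format, refuses any artifact whose SHA-256 is not pinned or does not match, and refuses versions on a local denylist (here the compromised 6.12.2 release). The requirements text, the denylist and the "downloaded" wheel bytes are constructed inline so it runs offline; the digests are of those constructed bytes, not of any real release.

```python
"""Gate package installs on pinned hashes and a denylist.

Added example (not Bittensor/Opentensor code). pip's own
``--require-hashes`` mode enforces the same rules natively; this shows
the logic explicitly so it can be reused in CI or a pre-install hook.
"""
import hashlib
import re

SELF_NAME_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)(?P<rest>.*)$")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-fA-F]{64})")


def normalize(name: str) -> str:
    """PEP 503 style normalization so 'Bittensor' and 'bittensor' match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for downloaded artifacts (not real wheel contents).
GOOD_WHEEL = b"PK\x03\x04 constructed stand-in for the reviewed bittensor 6.12.1 wheel"
SWAPPED_WHEEL = b"PK\x03\x04 constructed stand-in for an artifact nobody reviewed"

# Constructed lockfile. The digest is GOOD_WHEEL's, so the example is
# self-consistent; a real lockfile carries the digest of the reviewed release.
REQUIREMENTS = f"""
# constructed example lockfile
bittensor==6.12.1 --hash=sha256:{sha256_hex(GOOD_WHEEL)}
requests==2.32.3
"""

# (package, version) pairs known to be malicious. 6.12.2 is the release
# identified as compromised in the incident described above.
DENYLIST = {("bittensor", "6.12.2")}


def parse_requirements(text: str) -> dict:
    """Return {normalized_name: (pinned_version, {sha256 digests})}."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SELF_NAME_RE.match(line)
        if not m:
            raise ValueError(f"unsupported requirement line: {line!r}")
        digests = {h.lower() for h in HASH_RE.findall(m.group("rest"))}
        pins[normalize(m.group("name"))] = (m.group("version"), digests)
    return pins


def check_artifact(name: str, version: str, data: bytes, pins: dict,
                   denylist=DENYLIST) -> tuple:
    """Decide whether an artifact may be installed. Returns (ok, reason)."""
    key = normalize(name)
    if (key, version) in denylist:
        return False, f"{key}=={version} is on the denylist"
    if key not in pins:
        return False, f"{key} is not pinned in the requirements file"
    pinned_version, digests = pins[key]
    if version != pinned_version:
        return False, f"{key}: resolver chose {version}, lockfile pins {pinned_version}"
    if not digests:
        # Unpinned hash means we would install whatever the index serves.
        return False, f"{key}=={version}: no --hash pin, refusing"
    digest = sha256_hex(data)
    if digest not in digests:
        return False, f"{key}=={version}: sha256 {digest[:12]}... not in pinned set"
    return True, f"{key}=={version} verified against pinned sha256"


if __name__ == "__main__":
    pins = parse_requirements(REQUIREMENTS)
    for pkg, ver, blob in [("bittensor", "6.12.1", GOOD_WHEEL),
                           ("bittensor", "6.12.1", SWAPPED_WHEEL),
                           ("bittensor", "6.12.2", GOOD_WHEEL),
                           ("requests", "2.32.3", b"irrelevant")]:
        ok, why = check_artifact(pkg, ver, blob, pins)
        print("ALLOW " if ok else "REFUSE", why)
```

Note the limits of the check: hash pinning guarantees you install the artifact you reviewed, so a `bittensor==6.12.1` pin with a hash would never have resolved to 6.12.2 on its own. It does not protect anyone who deliberately upgraded to the new release during the compromise window; that case needs the denylist, or an upstream advisory feed, which is why the two checks are separate.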

Dough Finance

Loss — $1.94M

  • On the morning of July 12, 2024, Dough Finance suffered a flash loan attack, losing approximately $1.94 million in user funds.
  • Cyvers detected multiple suspicious transactions involving Dough Finance.
  • The hacker took $1.8 million in USDC, converted it into 608 ETH and routed it through Railgun, a zero-knowledge (ZK) privacy protocol.
  • Olympix revealed the exploit was due to unvalidated calldata within the ConnectorDeleverageParaswap contract, allowing manipulation of contract data and fund transfers to an Externally Owned Account (EOA).
  • A second attack occurred, resulting in an additional loss of $141,000 in USDC.
  • Despite the attack, Cyvers confirmed that Aave’s pools remained unaffected.
  • Dough Finance urged users to withdraw their remaining funds and identified and closed the exploit.
  • The team reached out to the attacker via an on-chain message, offering to discuss a bounty if the exploit was conducted as a white or grey hat and requesting the return of the funds by July 15, 2024, at 23:00 UTC.
  • Dough Finance assured the community they are actively working to recover the funds and make investors whole.
  • This week, several DeFi projects, including Compound Finance, had their domains hijacked at the DNS level, redirecting users to a fake website that drained funds. Affected projects urged users not to interact with the websites until further notice.
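The Dough Finance root cause above is a pattern worth recognizing: a "connector" contract forwards caller-supplied `(target, data)` to an external call without checking either, so the caller can make the contract call a token's `transfer` with an EOA as recipient. The script below is an added example, not Dough Finance's code. It assumes a hypothetical entrypoint `deleverage(address target, bytes data)` with an invented selector, decodes the ABI-encoded calldata by hand, and applies the target and inner-selector allowlists such a contract should enforce. The allowlisted router, token and attacker addresses are constructed; only `0xa9059cbb` (the ERC-20 `transfer(address,uint256)` selector) is a real value.

```python
"""Decode and validate calldata forwarded by a connector-style contract.

Added example (not Dough Finance's code). Shows the checks an
unvalidated-forwarding pattern skips; useful as an off-chain monitor
or as a reference for the on-chain checks.
"""
SELECTOR_LEN = 4
WORD = 32

# Assumed values for the example (constructed, not real deployments).
DELEVERAGE_SELECTOR = bytes.fromhex("0badc0de")   # hypothetical deleverage(address,bytes)
ROUTER = "0x" + "aa" * 20                          # the one swap router the connector should call
TOKEN = "0x" + "bb" * 20                           # a token the connector holds / is approved on
ATTACKER_EOA = "0x" + "cc" * 20
SWAP_SELECTOR = bytes.fromhex("12345678")          # assumed selector of the router's swap entrypoint
TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")      # real ERC-20 transfer(address,uint256)

ALLOWED_TARGETS = {ROUTER}
ALLOWED_INNER_SELECTORS = {SWAP_SELECTOR}


def word(calldata: bytes, index: int) -> bytes:
    """Return the index-th 32-byte head word after the 4-byte selector."""
    start = SELECTOR_LEN + index * WORD
    chunk = calldata[start:start + WORD]
    if len(chunk) != WORD:
        raise ValueError(f"calldata too short for word {index}")
    return chunk


def decode_address(w: bytes) -> str:
    """ABI address: 12 zero bytes of padding then 20 address bytes."""
    if w[:12] != b"\x00" * 12:
        raise ValueError("address word has non-zero padding")
    return "0x" + w[12:].hex()


def decode_bytes(calldata: bytes, index: int) -> bytes:
    """Dynamic `bytes`: head word is an offset (from start of args) to [len][data]."""
    offset = int.from_bytes(word(calldata, index), "big")
    base = SELECTOR_LEN + offset
    length = int.from_bytes(calldata[base:base + WORD], "big")
    data = calldata[base + WORD:base + WORD + length]
    if len(data) != length:
        raise ValueError("dynamic bytes truncated")
    return data


def encode_call(selector: bytes, target: str, inner: bytes) -> bytes:
    """Minimal ABI encoder for f(address,bytes): head = [address, offset], tail = [len, data]."""
    head = b"\x00" * 12 + bytes.fromhex(target[2:]) + (2 * WORD).to_bytes(WORD, "big")
    tail = len(inner).to_bytes(WORD, "big") + inner + b"\x00" * ((-len(inner)) % WORD)
    return selector + head + tail


def forward_unchecked(calldata: bytes) -> tuple:
    """What the vulnerable pattern does: decode and forward, no policy at all."""
    return decode_address(word(calldata, 0)), decode_bytes(calldata, 1)


def validate_forwarded_call(calldata: bytes) -> tuple:
    """The hardened version. Returns (ok, reason)."""
    if calldata[:SELECTOR_LEN] != DELEVERAGE_SELECTOR:
        return False, "unexpected outer selector"
    target, inner = forward_unchecked(calldata)
    if target not in ALLOWED_TARGETS:
        return False, f"target {target} is not an allowlisted contract"
    if len(inner) < SELECTOR_LEN or inner[:SELECTOR_LEN] not in ALLOWED_INNER_SELECTORS:
        return False, f"inner selector {inner[:SELECTOR_LEN].hex()} is not allowlisted"
    return True, "ok"


# Constructed calldata: a legitimate swap, and an attacker making the connector
# call TOKEN.transfer(ATTACKER_EOA, 1.8M units) with its own balance.
LEGIT_CALL = encode_call(DELEVERAGE_SELECTOR, ROUTER, SWAP_SELECTOR + b"\x00" * 64)
ATTACK_INNER = (TRANSFER_SELECTOR + b"\x00" * 12 + bytes.fromhex(ATTACKER_EOA[2:])
                + (1_800_000 * 10**6).to_bytes(WORD, "big"))
ATTACK_CALL = encode_call(DELEVERAGE_SELECTOR, TOKEN, ATTACK_INNER)

if __name__ == "__main__":
    for label, cd in [("legit", LEGIT_CALL), ("attack", ATTACK_CALL)]:
        target, inner = forward_unchecked(cd)
        print(label, "unchecked would call", target, "with selector", inner[:4].hex())
        print(label, "validated:", validate_forwarded_call(cd))
```

The unchecked path happily reports the attack calldata as a call to the token contract with the `transfer` selector; the validated path rejects it at the target check before the selector is even inspected. On-chain, the same two allowlists belong in the connector itself, since an off-chain monitor can only alert after the transaction lands.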

Community Spotlight

https://twitter.com/quillaudits_ai/status/1811290907922117015

https://twitter.com/quillaudits_ai/status/1810653169787220135

https://twitter.com/quillaudits_ai/status/1809508585170178268


QuillAudits - Web3 Security 🛡️

6+ Years Securing #Web3: 1M+ Lines Audited. Trusted by 1K+ Clients including StarkWare, Taiko, ZetaChain & Metis. Next-gen audits, KYC & on-chain monitoring.