HashingBits Week 75: Vitalik’s Keynote at EthCC, Optimism’s Superfest, Worldcoin’s L2 Chain, Story Protocol’s First IP Debut, Bittensor’s $8M Wallet Hack
GM! Buidlers
In this latest issue of HashingBits, we’re diving deep into Ethereum’s Core Developers meetings, covering all the major updates in the Ethereum ecosystem. But that’s not all — we’ll explore the latest happenings in the Polygon, Arbitrum & Optimism ecosystems, along with recent events at ETHCC & advancements in the AI & Web3 space. For developers, we’re highlighting new tools designed to assist smart contract developers and auditors. And, of course, we’ll delve into the headlines about the $8M Bittensor wallet hack and Dough Finance’s $1.94M loss in flash loan attacks.
EtherScope: Core Developments 👨💻
- Summary of All Core Devs — Consensus (ACDC)#137
- Why is Marius Van Der Wijden against EOF in Pectra?
- A look at PeerDAS breakout #3
- Deep dive into Censorship Resistance Model
- Constantine v0.1: implementations of BLS signatures, BN254 & BLS12–381 precompiles
- Lido has implemented the Simple DVT Module powered by SSV
- Vitalik Buterin pushes for Ethereum to respond to 51% attacks in a more automated way
- Deep Dive into Attestations — A quantitative analysis
Layer1 & Layer2
- Péter Szilágyi: SSZ library implemented in Go
- RollCall (L2 standards) #6: L1 blob basefee spike discussion & presentations on RIP7728 L1SLOAD precompile & RIP7740 preinstall deterministic deployment factories
- Titan Builder eth_sendBlobs: send permutations of blob transactions from a single sender
- Kernel Protocol is live
- Vesu is live on Starknet
- Worldcoin Foundation launches World Chain developer preview
- Introducing Puffer UniFi — Puffer’s Based Rollup
- Penumbra is live
- Skale introducing Pacifica V3 upgrade
- LayerZero and Initia are developing an interoperability standard for Cosmos
- Introducing Termina: the End State of SVM Scaling
- Reducing Evmos Inflation
- Announcing Usual public mainnet launch
- OEV Network is live
- Omni Network launches Streams
- Starknet will open staking by end of this year
- Introducing the Halliday Commerce Automation Network
- Exodus launches Passkeys Wallet
- Justin Sun: gas-less stablecoin coming in Q4 on Tron, followed by Ethereum & all EVM chains
- TAC is teaming up with Polygon to bring EVM compatibility to TON ecosystem
- Notcoin, 1inch, and Sign launch accelerator for Telegram and TON ecosystems
- Introducing the Fuel Points Program
- You can now track narratives on DefiLlama
- dDocs: Onchain Google Docs is here
- Introducing Story Network, the World’s IP Blockchain
ERCs
- ERC7737: Custom data access model
- ERC7738: Permissionless script registry
- ERC7739: Readable typed signatures for smart accounts
- ERC7741: Authorize operator (via EIP712 secp256k1 signatures)
EIPs
- EIP7742: Uncouple blob count between CL and EL
- EIP.tools adds EIP-GPT, AI generated summary of an EIP/ERC
RIPs
• RIP7740: Preinstall deterministic deployment factories
EcoExpansions: Beyond Ethereum 🚀
Polygon
- Polygon Miden Alpha Testnet v3 is Live
- Weekly roundup for gaming on Polygon
- Take a look at the weekly updates on Polygon
- TON is building a zk-powered L2 using Polygon CDK that will connect to the AggLayer
- The number of active addresses on @0xPolygon PoS is up 227% since the beginning of the year
Optimism
- OP Stack Fjord upgrade is here, cheaper smart wallet passkey verification via RIP7212 secp256r1 precompile & 5–15% lower data availability costs via Brotli channel compression.
- SuperFest, the Superchain DeFi Festival, is officially here.
- A simple explanation of the superchain
- RIP-7212 is now available on the Superchain.
- Celo L2 Dango testnet is now on OP Stack
Arbitrum
- No-Code Deployer App for Rollups is live on collaboration with Arbitrum
- Karak introducing restaking functionality for Arbitrum
- Arbitrum has integrated OKX Wallet on their bridge
- Three Important ArbitrumDAO Proposals
DevToolkit: Essentials & Innovations 🛠️
- Lodestar v1.20.0: lodestar/api package changes exported types, flag to use SSZ APIs with validator client and testnet bootnode ENRs updated.
- Besu v24.7.0: adds eth_maxPriorityFeePerGas support and improvements to sync, peering & startup performance
- Erigon v2.60.3: adds optional include precompiles flag to tracing
- Geth v1.14.7: hotfix for concurrent map read/write bug in v1.14.6
- Reth v1.0.1: full node performance improvements, ExEx backfill & RPC fixes
- Stereum v2.2: multi-setup support and connection check to test network stability & connectivity
- gevm — EVM implementation from scratch written in go
Hackathons, Workshops & Events
- Updates on Devcon 2024: Speaker & volunteer applications are open
- Solana Summer Fellowship is here
- Superteam Talent Olympics begins: Frontend & Rust track
Explore the Depths of Knowledge: Research Papers, Blogs and Tweets🔖
- Mysticeti: Reaching the Limits of Latency with Uncertified DAGs
- RFC 9591: The Flexible Round-Optimized Schnorr Threshold (FROST) Protocol for Two‑Round Schnorr Signatures
- Alice’s Ring Protocol Whitepaper V1.0 is out
- Slot-to-Ping and Another Descriptive Measure for Blockchains
- Deep Diving Attestations — A quantitative analysis
- Maximum Viable Security (MVS): a new framework for Ethereum Issuance
- Report of Crypto & Blockchain Venture Capital — Q2 2024
- Introducing gas refunds from Flashbots
- EVIntent — Darkmatter in MEV
- MEV resistant dynamic pricing auction of execution proposal rights
- Take a look at the Flashbots Protect Explorer
- BTC’s Security Model is Broken?
- Busting some myths about Bera Chain
Articles
- Anders Elowsson: dynamic pricing auction of execution proposal rights, induces less new MEV & produces high aggregate MEV burn
- Have a look at the guide to OpenZeppelin Contracts Initializable
- Nethermind Clear: formal verification framework for Yul code
- Byteracing: maze solver in Solidity, try to make it more gas efficient
- L2 Asset Interoperability via Two-way Canonical Bridges
- All the problems in IP
- Solana is the reason why L2 rollup chaos started on Ethereum
- Improving Predictability in Arbitrum DAO’s Operations
- AGI Will Obsolete Blockchains?
- On Orchestrating Parallel Broadcasts for Distributed Systems
- Pointenomics 101: Mastering the New Language of Crypto Incentives
- Multiple Concurrent Leaders
- A blog post on how Family Wallet was built
Research Papers
- eyeballvul: a future-proof benchmark for vulnerability detection in the wild
- SpiralShard: Highly Concurrent and Secure Blockchain Sharding via Linked Cross-shard Endorsement
- BriDe Arbitrager: Enhancing Arbitrage in Ethereum 2.0 via Bribery-enabled Delayed Block Production
- Tactics, Techniques, and Procedures (TTPs) in Interpreted Malware: A Zero-Shot Generation with Large Language Models
- Enhancing Privacy of Spatiotemporal Federated Learning against Gradient Inversion Attacks
Github
- Web-solc: adapter to fetch/run specific version of Solidity compiler in the browser
- ERC3770 (Rust): helper method for ERC3770 chain specific addresses
- RicMoo’s Firefly Pixie: open source hardware wallet
Watch🎥
Web3 Security Watch 🛡️
Articles
- Dough Finance $2M exploit via unvalidated calldata
- Crypto’s Achilles’ Heels?
- Scam Sniffer’s Mid year Phising report
- Introducing Safe Harbor: Your Last Line of Defense Against Active Exploits
- CryptoISAC launched as a community of CeFi, DeFi, audit, infrastructure, and other cryptocurrency-related projects.
- Twilio says hackers identified cell phone numbers of two-factor app Authy users
- New OpenSSH Vulnerability Could Lead to RCE as Root on Linux Systems.
- After a 10-Year Wait, Mt. Gox Bitcoin Is Finally Being Returned.
- Karma served: Pink Drainer gets hit with address poisoning scam.
- Inferno Drainer is active again by SlowMist. The drainer group reportedly stopped operating in November last year.
- Coinbase-posing scammers steal $1.7M from a user amid a string of attacks.
Research Papers
- Abusing the Ethereum Smart Contract Verification Services for Fun and Profit
- Real-time Cyberattack Detection with Collaborative Learning for Blockchain Networks.
- Performance Evaluation of Hashing Algorithms on Commodity Hardware
- Vulnerability Detection in Smart Contracts: A Comprehensive Survey
- Tayvano: example of a Lazarus attack, contact via socials and then compromise via GitHub repo
- Multiple crypto projects had their domains hijacked following a DNS attack targeting web hosting service provider Squarespace.
- Fake X accounts lead to record-setting crypto phishing attacks of $341 million.
- Are your funds SAFU?
Hacks and Scams 🚨
Bittensor
Loss ~ $8M
- July 2, 7:06 PM UTC: The attacker begins transferring funds from compromised wallets to their own wallet.
- July 2, 7:25 PM UTC: The Opentensor Foundation detects an abnormal increase in transfer volume and assembles a war room.
- July 2, 7:41 PM UTC: Validators on the Opentensor chain are placed behind a firewall, and Subtensor is switched to safe-mode to halt all transactions.
- July 3: The team identifies the attack source as a malicious package in PyPi Package Manager version 6.12.2, which compromised user security.
- The malicious package masqueraded as a legitimate Bittensor package and intercepted unencrypted coldkey details when users decrypted their keys.
- Affected users were those who downloaded the Bittensor PyPi package between May 22, 7:14 PM UTC, and May 29, 6:47 PM UTC, and performed operations involving key decryption.
- The compromised package (6.12.2) was removed from the PyPi repository.
- The Subtensor and Bittensor code on GitHub was thoroughly reviewed; no additional vulnerabilities were found.
- OTF contacted several cryptocurrency exchanges to trace the attacker and attempt to recover stolen funds.
- The Bittensor community actively supported the investigation and mitigation efforts.
- After the code review, normal operations of the Bittensor blockchain will gradually resume, with regular updates provided to the community.
- Users are advised to create new wallets and transfer their funds once the blockchain resumes operations and to upgrade to the latest version of Bittensor.
- Future enhancements include stricter access and verification processes for packages, increased frequency of security audits, implementation of best practices in public security policies, and improved monitoring of package uploads and downloads.
Dough Finance
Loss — $1.94M
- On the morning of July 12, 2024, Dough Finance suffered a flash loan attack, losing approximately $1.94 million in user funds.
- Cyvers detected multiple suspicious transactions involving Dough Finance.
- The hacker stole $1.8 million in USDC and swapped the funds to Ethereum (ETH) using the zero-knowledge (ZK) protocol Railgun, obtaining 608 ETH.
- Olympix revealed the exploit was due to unvalidated calldata within the ConnectorDeleverageParaswap contract, allowing manipulation of contract data and fund transfers to an Externally Owned Account (EOA).
- A second attack occurred, resulting in an additional loss of $141,000 in USDC.
- Despite the attack, Cyvers confirmed that Aave’s pools remained unaffected.
- Dough Finance urged users to withdraw their remaining funds and identified and closed the exploit.
- The team reached out to the attacker via an on-chain message, offering to discuss a bounty if the exploit was conducted as a white or grey hat and requesting the return of the funds by July 15, 2024, at 23:00 UTC.
- Dough Finance assured the community they are actively working to recover the funds and make investors whole.
- This week, various DeFi projects, including Compound Finance, were compromised in a phishing attack involving a DNS domain redirecting users to a fake website that drained funds. Affected projects urged customers not to interact with the websites until further notice.
Community Spotlight
https://twitter.com/quillaudits_ai/status/1811290907922117015
https://twitter.com/quillaudits_ai/status/1810653169787220135?
https://twitter.com/quillaudits_ai/status/1809508585170178268?