Week 88: Vitalik’s Surgical EVM Scaling, Uniswap’s UniChain, SUI’s Native USDC, QuillCheck Now On Solana & $35M Phishing Exploit On Blast
GM! Buidlers
In this latest issue of HashingBits, we’re diving deep into Ethereum’s Core Developers meetings, covering all the major updates in the Ethereum ecosystem. But that’s not all: we’ll explore the latest happenings in the Polygon, Solana & Base ecosystems, along with advancements in the AI & Web3 space. For developers, we’re highlighting new tools designed to assist smart contract developers and auditors. And, of course, we’ll delve into the headlines about the $35M exploit on Blast and an EigenLayer investor’s $5.7M loss in an email thread compromise.
EtherScope: Core Developments 👨‍💻
- Eth R&D protocol call focused on execution layer (ACDE #198)
- Base blob increase proposal: recommends target of 5 & max of 8 blobs (up from 3/6), implementing engine_getBlobsV1 & IDONTWANT and disabling flood publishing
- Vitalik: surgical EVM scaling, EVMMAX + SIMD and reduce some opcode gas costs
- EIP7732 ePBS: ePBS breakout #11: Prysm aims to launch devnet in 2 weeks
- Peerdas-devnet-3: launched with peerdas-devnet-2 spec, issue caused clients to be on different forks
- Consensus-specs v1.5.0-alpha.8: pectra-devnet-4 target
- Weekly testing call #8
Layer1 & Layer2
- Flashbots Rollup-Boost: block building using TEEs, starting with 250ms Flashblocks (partial blocks) and priority ordering
- L2 standards meeting (RollCall #8): RIP7755 cross-L2 calls presentation, Pectra upgrade expected Q1 2025 (optimistically February) & upcoming breakout on future of EVM on L2
- Stripe Pay with Crypto: US businesses can accept USDC on mainnet, settled in USD
- ZKP2P Tickets: lower fee secondary market for Ticketmaster, zk proof of transfer
- Uniswap has unveiled its own Layer 2 solution, Unichain, aimed at advancing Ethereum’s scaling efforts and catering specifically to DeFi users and protocols.
- ArtRun, a new platform powered by Zora on Base, has launched.
- 1inch introduced Fusion Plus, enabling users to execute gasless transactions by signing off-chain orders without incurring gas fees in native tokens.
- PancakeSwap launched the Zap feature for BNB Chain v3 pairs and over 20 selected pairs on Ethereum and Arbitrum.
- Swell Network updated its Voyage Loyalty Bonus criteria based on community feedback to better acknowledge the contributions of long-term stakers.
- Aave Labs proposed two ARFCs to expand the GHO stablecoin to Base and Avalanche, following its current availability on Ethereum and Arbitrum.
- NOTAI launched an AI-powered stablecoin farming feature
- Morpho Labs invited individuals interested in becoming delegates for the Morpho DAO to apply.
- Sui Network has launched its native $USDC, becoming the first Move-based Layer-1 blockchain to partner with Circle.
- Linea has proposed steps to transition its zkEVM to a permissionless system, highlighting decentralization through a proof-of-stake (PoS) model for block validation.
- EigenExplorer has launched a new dashboard intended to improve the restaking experience.
- Thesis has introduced the BitcoinFi Stack
- Layer3 has launched on Solana
- Babylon Labs has announced that Cap-2 for Babylon Bitcoin Staking Phase-1 is now live.
- LayerZero has officially launched on peaq, a Layer 1 blockchain centered on Decentralized Physical Infrastructure Networks (DePIN).
- Midas has launched its core product suite, offering globally accessible yield through two tokens, $mTBILL and $mBASIS
- Zest Protocol has launched early access for $BTCz, a liquid-staked Bitcoin that allows users to earn yield on their Layer 1 Bitcoin.
- World Liberty Financial (WLFI) has submitted a governance proposal to Aave’s forum to deploy an Aave V3 instance on Ethereum Mainnet.
- Sky has introduced new rewards for USDS suppliers on Aave
- Lista is partnering with Binance to enhance BNB’s utility.
- Pendle has added Sky’s USDS to its PT/YT market
- Aevo and Hyperliquid have both listed Scroll’s SCR on their pre-launch markets.
- Musubi, the chainless swap venue by Kinto, is live now.
- Aave DAO has launched the v3.2 upgrade, which introduces “Liquid eModes” and fully deprecates stable borrowing.
EIPs (Ethereum improvement proposals)
- EIP7782: Reduce slot time for lower peak bandwidth
- EIP7783: Add controlled gas limit increase strategy
- EIP7784: GETCONTRACT opcode
ERCs
- ERC7785: Onchain registration of chain identifiers
EcoExpansions: Beyond Ethereum 🚀
Base
- cbBTC is now live on Compound
- Solv assets can now be bridged to Base using Chainlink’s CCIP!
- Paymaster now allows users to pay for gas with custom ERC-20 tokens on Base!
- SHILLR Media S3 mint is LIVE!
- ZkP2P’s fan-to-fan ticket market is now live on Base
- Base’s gas target is now at 13 Mgas/s
- Spectra is now live on Base
Polygon
- The Moonveil ZK Layer 2 testnet is launching soon
- Polygon introduced POL Rush
Solana
- USDC payments on Solana are now live for Stripe merchants.
- Dialect introduced miniblinks
- Jupiter Exchange mobile is now in the App Store
- Layer3 is LIVE on Solana
Hackathons, Workshops, CTFs & Events
- Ethereum Foundation EcoDev research fellowships (6 months), deadline November 15
- Hackathon projects: Ethereum Kuala Lumpur & ETHRome
- Oct 17–19 — ETHSofia conference & hackathon
- Oct 17–20 — ETHLisbon hackathon
Updates on Development Kits & Tools
- Teku v24.10.0: adds engine_getBlobsV1 & IDONTWANT support and disabled flood publishing; v24.10.1: hotfix for validators proposer config that prevented startup in v24.10.0
- Solidity v0.8.28: adds transient storage state variables for value types, generates JSON for Yul ASTs on demand to reduce memory usage and adds ability to request bytecode/IR for subset of contracts
- RareSkills: storage slots for dynamic types in Solidity (mappings, arrays, strings & bytes)
- Circom v2.2.0: adds buses (groups related signals under one name)
- Circuitscan: submit/browse verified Circom circuits
- Nethermind v1.29.0: adds heuristics-based censorship detection for high-paying transactions & addresses
- Reth v1.1.0: Engine 2.0 enabled by default (except op-reth), new metrics & RPC improvements
Explore the Depths of Knowledge: Research Papers, Blogs and Tweets🔖
- Deep Dive into DA Layers
- A deep dive into atomic swaps
- Prediction Markets are in their prime!
- Front-running in blockchain: Explained
Articles
- Uniswap launches its own layer-2, Unichain
- Ronin to secure cross-chain bridge with Chainlink CCIP
- Exploring the power of Web3 for better lifestyles: Insights from VeChain and Puffpaw
Research Papers
- Terence: transaction invalidation in FOCIL & impact on block producers/verifiers
- Uncrowdability of FOCIL: outsourcing inclusion list construction rights is not individually profitable
- Silent threshold encryption combined with ZK or TEEs to remove MEV-Boost relays
Web3 Security
Articles
- EigenLayer $6M stolen via compromised investor email thread, token vesting not enforced onchain but via legal documents
- US broadband attack linked to China, may have had access to wiretap infrastructure
- Internet Archive Wayback Machine offline after DDoS attack & data breach
- Penpie’s first draft of hack compensation plan is now live on the governance forum and under discussion.
- Inside the $44.7M BingX Exploit: What Went Wrong?
- Decoding OnyxDAO’s 4M Exploit
- Crypto-stealing malware discovered in Python Package Index — Checkmarx
- Blockchain data firm Arkham to launch derivatives exchange: Report
Research Papers
- Ormer: A Manipulation-resistant and Gas-efficient Blockchain Pricing Oracle for DeFi
- BlockEmulator: An Emulator Enabling to Test Blockchain Sharding Protocols
- Remeasuring the Arbitrage and Sandwich Attacks of Maximal Extractable Value in Ethereum
- Symbiotic reported that their X account was compromised by hackers at 6 PM EDT on Friday.
- EigenLayer reported that 1.674M EIGEN (worth ~$5.87M) was drained. The attacker swapped the stolen EIGEN for USDC. Most of the stolen funds have been transferred to HitBTC, while ~5K USDC was sent to Kraken.
- Penpie has resumed operations after comprehensive security audits, allowing users to withdraw liquidity from affected pools, continue using unaffected pools, and participate in new pools with enhanced rewards.
Hacks and Scams 🚨
DeFi User
Loss ~ $35M
- A few hours ago, our security team uncovered a $35M loss on Blast chain due to a malicious “permit” signature request. 🚨
- The attacker quickly sold the stolen fwdETH, causing a sharp price drop in dETH.
- This sell-off hit DeFi protocols like Pac Finance & Orbit Finance, both of which rely on dETH for stability.
- Attacker’s address: 0x0605edee6a8b8b553cae09abe83b2ebeb75516ec
- Victim’s wallet: 0xeab23cfe3776adf45e2e3dc56bcf739f6e0a393
- Attack transaction: https://blastscan.io/tx/0x80bbc39dd5c62b5368e1bf10d40969f5da8b45555de6bfbbcfe5b84591e3648d
- Interestingly, this wallet may belong to Continue Fund, a VC firm that invests in crypto. Ironically, they became a victim of one of the most common Web3 phishing tactics — a “permit” signature exploit.
EigenLayer
Loss ~ $5.7M
- An email thread involving one investor’s transfer of tokens into custody was compromised by a malicious attacker.
- As a result, 1,673,645 EIGEN tokens were erroneously transferred to the attacker’s address.
- The attacker sold these stolen EIGEN tokens via a decentralized swap platform and transferred stablecoins to centralized exchanges.
- We are in contact with these platforms and law enforcement. A portion of the funds has already been frozen.
- The compromise has not impacted the broader ecosystem. There is no known vulnerability in the protocol or token contracts and this compromise was not related to any onchain functionality.
Community Spotlight
QuillAI Network is Pushing Boundaries
The QuillAI Network is the AI layer for web3 security. In their mission to create a safer web3, QuillAI features an OML-aligned framework incentivising developers and users to build self-sovereign AI agents for dedicated tasks through the fine-tuning of its D-LLM. With agents for Solidity (QuillShield) and due diligence (QuillCheck) helping safeguard contracts, transactions, and wallets, QuillAI is empowering web3 users and builders to take charge of their security needs.