HashingBits Week 75: Vitalik’s Keynote at EthCC, Optimism’s Superfest, Worldcoin’s L2 Chain, Story Protocol’s First IP Debut, Bittensor’s $8M Wallet Hack
GM! Buidlers
In this latest issue of HashingBits, we’re diving deep into Ethereum’s Core Developers meetings, covering all the major updates in the Ethereum ecosystem. But that’s not all — we’ll explore the latest happenings in the Polygon, Arbitrum & Optimism ecosystems, along with recent events at ETHCC & advancements in the AI & Web3 space. For developers, we’re highlighting new tools designed to assist smart contract developers and auditors. And, of course, we’ll delve into the headlines about the $8M Bittensor wallet hack and Dough Finance’s $1.94M loss in flash loan attacks.
EtherScope: Core Developments 👨💻
Summary of All Core Devs — Consensus (ACDC)#137
Why is Marius Van Der Wijden against EOF in Pectra?
A look at PeerDAS breakout #3
Deep dive into Censorship Resistance Model
Constantine v0.1: implementations of BLS signatures, BN254 & BLS12–381 precompiles
Lido has implemented the Simple DVT Module powered by SSV
Vitalik Buterin pushes for Ethereum to respond to 51% attacks in a more automated way
Layer1 & Layer2
Péter Szilágyi: SSZ library implemented in Go
RollCall (L2 standards) #6: L1 blob basefee spike discussion & presentations on RIP7728 L1SLOAD precompile & RIP7740 preinstall deterministic deployment factories
Titan Builder eth_sendBlobs: send permutations of blob transactions from a single sender
Kernel Protocol is live
Vesu is live on Starknet
Worldcoin Foundation launches World Chain developer preview
Introducing Puffer UniFi — Puffer’s Based Rollup
Penumbra is live
Skale introducing Pacifica V3 upgrade
LayerZero and Initia are developing an interoperability standard for Cosmos
Introducing Termina: the End State of SVM Scaling
Reducing Evmos Inflation
Announcing Usual public mainnet launch
OEV Network is live
Omni Network launches Streams
Starknet will open staking by end of this year
Introducing the Halliday Commerce Automation Network
Exodus launches Passkeys Wallet
Justin Sun: gas-less stablecoin coming in Q4 on Tron, followed by Ethereum & all EVM chains
TAC is teaming up with Polygon to bring EVM compatibility to TON ecosystem
Notcoin, 1inch, and Sign launch accelerator for Telegram and TON ecosystems
Introducing the Fuel Points Program
You can now track narratives on DefiLlama
dDocs: Onchain Google Docs is here
ERCs
ERC7737: Custom data access model
ERC7738: Permissionless script registry
ERC7739: Readable typed signatures for smart accounts
ERC7741: Authorize operator (via EIP712 secp256k1 signatures)
EIPs
EIP7742: Uncouple blob count between CL and EL
EIP.tools adds EIP-GPT, AI generated summary of an EIP/ERC
RIPs
• RIP7740: Preinstall deterministic deployment factories
EcoExpansions: Beyond Ethereum 🚀
Polygon
Polygon Miden Alpha Testnet v3 is Live
Weekly roundup for gaming on Polygon
Take a look at the weekly updates on Polygon
TON is building a zk-powered L2 using Polygon CDK that will connect to the AggLayer
The number of active addresses on @0xPolygon PoS is up 227% since the beginning of the year
Optimism
OP Stack Fjord upgrade is here, cheaper smart wallet passkey verification via RIP7212 secp256r1 precompile & 5–15% lower data availability costs via Brotli channel compression.
SuperFest, the Superchain DeFi Festival, is officially here.
A simple explanation of the superchain
RIP-7212 is now available on the Superchain.
Celo L2 Dango testnet is now on OP Stack
Arbitrum
No-Code Deployer App for Rollups is live on collaboration with Arbitrum
Karak introducing restaking functionality for Arbitrum
Arbitrum has integrated OKX Wallet on their bridge
DevToolkit: Essentials & Innovations 🛠️
Lodestar v1.20.0: lodestar/api package changes exported types, flag to use SSZ APIs with validator client and testnet bootnode ENRs updated.
Besu v24.7.0: adds eth_maxPriorityFeePerGas support and improvements to sync, peering & startup performance
Erigon v2.60.3: adds optional include precompiles flag to tracing
Geth v1.14.7: hotfix for concurrent map read/write bug in v1.14.6
Reth v1.0.1: full node performance improvements, ExEx backfill & RPC fixes
Stereum v2.2: multi-setup support and connection check to test network stability & connectivity
Hackathons, Workshops & Events
Updates on Devcon 2024: Speaker & volunteer applications are open
Solana Summer Fellowship is here
Superteam Talent Olympics begins: Frontend & Rust track
Explore the Depths of Knowledge: Research Papers, Blogs and Tweets🔖
Twitter
Mysticeti: Reaching the Limits of Latency with Uncertified DAGs
RFC 9591: The Flexible Round-Optimized Schnorr Threshold (FROST) Protocol for Two‑Round Schnorr Signatures
Slot-to-Ping and Another Descriptive Measure for Blockchains
Deep Diving Attestations — A quantitative analysis
Maximum Viable Security (MVS): a new framework for Ethereum Issuance
Introducing gas refunds from Flashbots
EVIntent — Darkmatter in MEV
MEV resistant dynamic pricing auction of execution proposal rights
Take a look at the Flashbots Protect Explorer
Busting some myths about Bera Chain
Articles
Anders Elowsson: dynamic pricing auction of execution proposal rights, induces less new MEV & produces high aggregate MEV burn
Have a look at the guide to OpenZeppelin Contracts Initializable
Nethermind Clear: formal verification framework for Yul code
Byteracing: maze solver in Solidity, try to make it more gas efficient
Solana is the reason why L2 rollup chaos started on Ethereum
On Orchestrating Parallel Broadcasts for Distributed Systems
Pointenomics 101: Mastering the New Language of Crypto Incentives
Research Papers
eyeballvul: a future-proof benchmark for vulnerability detection in the wild
SpiralShard: Highly Concurrent and Secure Blockchain Sharding via Linked Cross-shard Endorsement
BriDe Arbitrager: Enhancing Arbitrage in Ethereum 2.0 via Bribery-enabled Delayed Block Production
Tactics, Techniques, and Procedures (TTPs) in Interpreted Malware: A Zero-Shot Generation with Large Language Models
Enhancing Privacy of Spatiotemporal Federated Learning against Gradient Inversion Attacks
Github
Web-solc: adapter to fetch/run specific version of Solidity compiler in the browser
ERC3770 (Rust): helper method for ERC3770 chain specific addresses
RicMoo’s Firefly Pixie: open source hardware wallet
Watch🎥
Web3 Security Watch 🛡️
Articles
Dough Finance $2M exploit via unvalidated calldata
Crypto’s Achilles’ Heels?
Scam Sniffer’s Mid year Phising report
Introducing Safe Harbor: Your Last Line of Defense Against Active Exploits
CryptoISAC launched as a community of CeFi, DeFi, audit, infrastructure, and other cryptocurrency-related projects.
Twilio says hackers identified cell phone numbers of two-factor app Authy users
New OpenSSH Vulnerability Could Lead to RCE as Root on Linux Systems.
After a 10-Year Wait, Mt. Gox Bitcoin Is Finally Being Returned.
Karma served: Pink Drainer gets hit with address poisoning scam.
Inferno Drainer is active again by SlowMist. The drainer group reportedly stopped operating in November last year.
Coinbase-posing scammers steal $1.7M from a user amid a string of attacks.
Research Papers
Abusing the Ethereum Smart Contract Verification Services for Fun and Profit
Real-time Cyberattack Detection with Collaborative Learning for Blockchain Networks.
Performance Evaluation of Hashing Algorithms on Commodity Hardware
Vulnerability Detection in Smart Contracts: A Comprehensive Survey
Twitter
Tayvano: example of a Lazarus attack, contact via socials and then compromise via GitHub repo
Multiple crypto projects had their domains hijacked following a DNS attack targeting web hosting service provider Squarespace.
Fake X accounts lead to record-setting crypto phishing attacks of $341 million.
Are your funds SAFU?
Hacks and Scams 🚨
Bittensor
Loss ~ $8M
July 2, 7:06 PM UTC: The attacker begins transferring funds from compromised wallets to their own wallet.
July 2, 7:25 PM UTC: The Opentensor Foundation detects an abnormal increase in transfer volume and assembles a war room.
July 2, 7:41 PM UTC: Validators on the Opentensor chain are placed behind a firewall, and Subtensor is switched to safe-mode to halt all transactions.
July 3: The team identifies the attack source as a malicious package in PyPi Package Manager version 6.12.2, which compromised user security.
The malicious package masqueraded as a legitimate Bittensor package and intercepted unencrypted coldkey details when users decrypted their keys.
Affected users were those who downloaded the Bittensor PyPi package between May 22, 7:14 PM UTC, and May 29, 6:47 PM UTC, and performed operations involving key decryption.
The compromised package (6.12.2) was removed from the PyPi repository.
The Subtensor and Bittensor code on GitHub was thoroughly reviewed; no additional vulnerabilities were found.
OTF contacted several cryptocurrency exchanges to trace the attacker and attempt to recover stolen funds.
The Bittensor community actively supported the investigation and mitigation efforts.
After the code review, normal operations of the Bittensor blockchain will gradually resume, with regular updates provided to the community.
Users are advised to create new wallets and transfer their funds once the blockchain resumes operations and to upgrade to the latest version of Bittensor.
Future enhancements include stricter access and verification processes for packages, increased frequency of security audits, implementation of best practices in public security policies, and improved monitoring of package uploads and downloads.
Dough Finance
Loss — $1.94M
On the morning of July 12, 2024, Dough Finance suffered a flash loan attack, losing approximately $1.94 million in user funds.
Cyvers detected multiple suspicious transactions involving Dough Finance.
The hacker stole $1.8 million in USDC and swapped the funds to Ethereum (ETH) using the zero-knowledge (ZK) protocol Railgun, obtaining 608 ETH.
Olympix revealed the exploit was due to unvalidated calldata within the ConnectorDeleverageParaswap contract, allowing manipulation of contract data and fund transfers to an Externally Owned Account (EOA).
A second attack occurred, resulting in an additional loss of $141,000 in USDC.
Despite the attack, Cyvers confirmed that Aave’s pools remained unaffected.
Dough Finance urged users to withdraw their remaining funds and identified and closed the exploit.
The team reached out to the attacker via an on-chain message, offering to discuss a bounty if the exploit was conducted as a white or grey hat and requesting the return of the funds by July 15, 2024, at 23:00 UTC.
Dough Finance assured the community they are actively working to recover the funds and make investors whole.
This week, various DeFi projects, including Compound Finance, were compromised in a phishing attack involving a DNS domain redirecting users to a fake website that drained funds. Affected projects urged customers not to interact with the websites until further notice.
Community Spotlight
https://twitter.com/quillaudits_ai/status/1811290907922117015
https://twitter.com/quillaudits_ai/status/1810653169787220135?
https://twitter.com/quillaudits_ai/status/1809508585170178268?