Week 67 - Ethereum Efficiency Boost, Base Chains on QuillCheck, Web3 Phone Numbers on Sui?, Web3 Attacks Persist - Sonne Finance, Pump.Fun, Pii Park, Predy Finance
Hashingbits: Your Monthly Dose of Web3 Innovation and Security
GM! Buidlers
This edition of Hashingbits covers important updates in the world of web3. Ethereum is getting a potential efficiency boost with Vitalik Buterin's proposed EIP-7706 for a new call data gas type. Developments are also underway at Solana and EigenLayer. Sui users will soon be able to claim their own Web3 phone numbers. QuillCheck is expanding its services to include Base Chain tokens, allowing users to evaluate the risks of new crypto tokens before investing. The newsletter also brings attention to new developer tools available in the web3 space, such as Immunefi Terminal, Create Chimera App, eth-easy, and Metasleuth. Security remains a major concern, as highlighted by recent attacks on Sonne Finance ($20 million), Pump.fun ($1.9 million), and Pii Park (rugpull for $490,000). Hashingbits keeps you informed about the latest happenings in blockchain technology and security.
EtherScope: Core Developments 👨💻
Ethereum has been increasingly inflationary for over a month as fees hit an all-time low
Ethereum gas under 5 gwei, the lowest daily average since February 2020
Why 4337 and 3074 authors are disagreeing, and who got it right
Vitalik Buterin drafts EIP-7706, proposing a new call data gas type for Ethereum
Paul O’Leary on how Polygon’s zkEVM will enhance Ethereum scalability
Ethereum account abstraction to catalyze crypto mass adoption
Grandine v0.4.0/1: optimizations, new attestations packer, in-memory mode, improved compatibility with other validator clients, integrations with Eth-docker & Ethereum on Arm
Geth v1.14.3: block processing & RPC API improvements
Etherscan: address poisoning attack explainer
Overview on based sequencing & preconfirmations
EIPs
EcoExpansions: Beyond Ethereum 🚀
Sui
The Move programming language on Sui incorporates three fundamental innovations
NetkiCorp Brings Digital Identity Verification Expertise to Sui, Enhancing Decentralized Financial Systems
ChainIDE Launches for SuiNetwork: Compile, Deploy, and Interact with Sui Move Contracts in Your Browser!
Claim your Web3 phone number – coming soon to Sui!
Eigen Layer
EigenLayer Opens Claims for Airdrop of EIGEN Token, Though It's Non-Transferable
EigenDA accepts staking delegations as Eigen token claims open
ICYMI - Check out Awesome AVS if you'd like to learn more about how to build on EigenLayer.
Omni Network: Using Eigenlayer to Unleash Ethereum Liquidity
EigenLayer Launches @buildoneigen for the Latest Ecosystem Updates!
Solana
Solana DEX Drift opens airdrop claims for 120 million tokens with bonus
Solana Devs, Wake Up! 🛠️🦀 Join the Free 6-Week Solana Bootcamp by @encodeclub Starting June 3rd!
Introducing Solana's First Liquidity Layer: The Evolution of Marginfi for Performant DeFi
Squads Validator is Now Live: Stake Your SOL Directly from the App
AgriDex & Solana Launch RWA Marketplace This Summer!
DevToolkit: Essentials & Innovations 🛠️
Forge-std v1.8.2: adds cheat codes including prompt, blobhashes & ensNamehash
Mastering Solidity: Control Structures And Error Handling
Solady (Solidity snippets): adds UpgradeableBeacon for ERC1967 beacon proxies
Frangio: Solidity compiler code generation for stack-based EVM & stack too deep errors
Viem experimental adds ERC6492 signature utilities
Slitherin (custom Slither detectors) v0.7.0: adds detectors for Arbitrum Chainlink sequencer uptime, read-only reentrancy with Balancer/Curve & price manipulation via token transfers
Betterscan: inspect verified contracts
Profiling Echidna found a memory leak in hevm
Guide to building a tracer using Geth for transactions involving a set of addresses
Etherscan converter tools: Base64, block & date, UTF-8 and method ID
Explore the Depths of Knowledge: Research Papers, Blogs and Tweets 🔖
Twitter
Types of Smart Contract Design Patterns
Secureum RACE #29: answers to the 8-question Solidity quiz
Articles
Vitalik Proposes EIP-7702 for Externally Owned Accounts
Exploring Consensus With Parallel Proposals: The Difference Between PBFT and BBCA-Chain
Mastering the Final Boss in Blockchain Scalability: State Growth
No-Code Blockchain Development: Pros and Cons
Omni Network: Using Eigenlayer to Unleash Ethereum Liquidity
Using Ethereum to Understand the Protocol Economy
Research Papers
Temporarily Restricting Solidity Smart Contract Interactions
T-Watch: Towards Timed Execution of Private Transaction in Blockchains
Cross-Blockchain Communication Using Oracles With an Off-Chain Aggregation Mechanism Based on zk-SNARKs
Permissioned Blockchain-based Framework for Ranking Synthetic Data Generators
BitVMX: A CPU for Universal Computation on Bitcoin
Implementation Study of Cost-Effective Verification for Pietrzak's Verifiable Delay Function in Ethereum Smart Contracts
Tools
eth easy! - an easy-to-use, flexible, and blazing-fast toolkit that helps accelerate Ethereum development, by 0xrusowsky. Recent features include ABI encoding/decoding and call data debugging. Very cool!
Watch 🎥
Web3 Security Watch 🛡️
Articles
Reentrancy attacks in smart contracts explained
Verifiable Compute: Scaling Trust with Cryptography
Cosmos IBC Reentrancy Infinite Mint
Blast Integration Bugs - Part 1
Research Papers
StateGuard: Detecting State Derailment Defects in Decentralized Exchange Smart Contract
BeACONS: A Blockchain-enabled Authentication and Communications Network for Scalable IoV
An Approach for Decentralized Authentication in Networks of UAVs
Foundational Verification of Smart Contracts through Verified Compilation
Twitter
Web3 Phishing Attacks you must know about
Tools
**Immunefi-terminal** - The only crypto bug bounty terminal you'll ever need by shortdoom.
Create Chimera App - A Foundry template that lets you bootstrap a fuzz testing suite using the scaffolding provided by the Recon tool, by Recon-Fuzz. It extends the default Foundry template used when running `forge init` to include example property tests using assertion tests and boolean property tests supported by Echidna and Medusa.
Hacks and Scams 🚨
Sonne Finance
Loss ~ $20M
Hackers stole $20 million in cryptocurrency from Sonne Finance on May 14th.
Hackers targeted USD Coin (USDC), Wrapped Ether (WETH), Velo (VELO), soVELO and Wrapped USDC (USDC.e).
Sonne Finance paused operations and is investigating ways to recover funds, including a bug bounty.
The hacker seems uninterested in negotiations and is moving stolen funds.
The hack exploited a known bug in Sonne's Compound v2 forks.
Sonne Finance is criticized for using the known vulnerable code.
Pump.fun
Loss ~ $1.9M
A former employee exploited pump.fun, a platform for creating Solana meme coins, resulting in a loss of nearly $2 million through a "bonding curve" attack.
The exploit involved the ex-employee leveraging their insider access to compromise the platform's internal systems.
Approximately $1.9 million was stolen out of a total of $45 million held in pump.fun’s bonding curve contracts.
Trading on the platform was temporarily halted but has since resumed, with assurances that the smart contracts remain secure.
To carry out the attack, the exploiter utilized flash loans on a Solana lending protocol to borrow tokens, which were then used to inflate the bonding curve.
A user named "STACCoverflow" is suspected to be involved, as hinted in cryptic posts suggesting a foreknowledge of the incident.
Pii Park
Loss ~$490K
A project called Pii Park (different from others with similar names) has likely run an exit scam.
Their token's value plummeted by around 99%, indicating a potential rug pull.
Investors lost approximately $490,000 over the project's existence.
Avoid rug pulls with QuillCheck's easy token safety checks on multiple chains.
Predy Finance
Loss ~$464K
Hackers exploited a vulnerability on Predy Finance on Arbitrum, stealing ~$464,000.
Predy Finance is a DEX for perpetual trading and token swaps.
The exploit was due to a lack of access control in a function allowing anyone to add trading pairs.
Hackers added a fake pair, deposited funds, and then withdrew everything.
Some stolen funds (~$304,640) were bridged to Ethereum Mainnet.
Predy Finance acknowledged the exploit and offered a 10% bounty to return the funds.
They also disabled the vulnerable functions and advised users to revoke access.
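As an added illustration of the bug class named above (this is not Predy Finance's code, which the page does not show), here is a pair registry that anyone can write to, beside the same registry gated by an owner check and a token allowlist. Contract, function and event names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Vulnerable pattern: no access control on the function that lists pairs,
// so any caller can register a pair built from tokens they control.
contract UnguardedPairRegistry {
    struct Pair { address base; address quote; bool listed; }
    mapping(uint256 => Pair) public pairs;
    uint256 public pairCount;

    function addPair(address base, address quote) external returns (uint256 id) {
        id = ++pairCount;
        pairs[id] = Pair(base, quote, true);
    }
}

// Hardened pattern: listing is restricted to the owner, and only tokens that
// were explicitly allowlisted can form a pair. Two independent checks, so a
// single mistake (e.g. a forgotten modifier) does not open the registry.
contract GuardedPairRegistry {
    struct Pair { address base; address quote; bool listed; }
    mapping(uint256 => Pair) public pairs;
    mapping(address => bool) public allowedToken;
    uint256 public pairCount;
    address public immutable owner;

    event TokenAllowed(address indexed token, bool allowed);
    event PairAdded(uint256 indexed id, address indexed base, address indexed quote);

    error NotOwner();
    error TokenNotAllowed(address token);
    error SameToken();

    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    function allowToken(address token, bool allowed) external onlyOwner {
        allowedToken[token] = allowed;
        emit TokenAllowed(token, allowed);
    }

    function addPair(address base, address quote) external onlyOwner returns (uint256 id) {
        if (base == quote) revert SameToken();
        if (!allowedToken[base]) revert TokenNotAllowed(base);
        if (!allowedToken[quote]) revert TokenNotAllowed(quote);
        id = ++pairCount;
        pairs[id] = Pair(base, quote, true);
        emit PairAdded(id, base, quote);
    }
}
```

The events give monitoring a hook: a `PairAdded` emitted from an unexpected sender, or for a token that was never `TokenAllowed`, is the kind of signal that would have flagged the fake pair before funds moved.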