Week 69 - Taiko Mainnet Launch, Uniswap & Across Cross-Chain Standard, Pessimistic Proof for the Polygon AggLayer, QuillShield AI Detects $NORMIE Bug!
Hashingbits: Your Monthly Dose of Web3 Innovation and Security
GM! Buidlers
This issue of Hashingbits features the launch of Ethereum Layer 2 Taiko, new cross-chain standards from Uniswap Labs and Across, the introduction of PayPal USD on Solana, and Fantom's collaboration with Google Cloud. It also covers ZK security advancements for AggLayer and Atoma's AI tools on Sui. Additionally, it includes developer tools for smart contract auditing and Solidity developers, and highlights QuillAudit’s AI agents detecting vulnerabilities in the $NORMIE token.
EtherScope: Core Developments 👨‍💻
Ethereum Layer 2 Taiko goes live on mainnet
The problem with eip4337
Low Ethereum Gas Fees Inflate Supply By 50k ETH In One Month
Suave Proposal: Implementing EIP-712 for Confidential Compute Requests
Layer 1 & Layer
Vitalik Compares the L2 and Ethereum Sharding Visions
Upcoming Feature: Starknet Applicative Recursion (SNAR)
Introducing the Pessimistic Proof for the AggLayer: ZK Security for Cross-chain Interoperability
Introducing Kakarot Sepolia
StarkWare introduces ZKThreads: A canonical ZK sharding framework for dApps
All Core Developers Execution Call #188 Writeup
Unifying VMs with Blended Execution
Zeth Brings Validity Proofs to Optimism’s OP Stack
EIPs
ERCs
EcoExpansions: Beyond Ethereum 🚀
Solana
LayerZero is live on Solana!
Solana validators voted to stop burning half the priority fee and will now keep 100% of it.
PayPal USD (PYUSD) is live on Solana!
Fantom
Opera Network Upgraded: Sonic Nodes Power 10,000 TPS and 1-Second Finality
Fantom Partners with Google Cloud to Boost Next-Gen dApp Development and Launch Validator
Polygon
Introducing the Pessimistic Proof for the AggLayer: ZK Security for Cross-chain Interoperability
Polygon Labs is using Succinct’s zkVM SP1 for building the AggLayer, their flagship interoperability protocol.
Sui
Atoma Enabling AI for Builders on Sui
Sui Overflow: Sui’s first global virtual hackathon
AUSD Stablecoin from AgoraDollar Launches on Sui, Enhancing Network Liquidity and Efficiency
DevToolkit: Essentials & Innovations 🛠️
Solidity v0.8.26: require with custom errors (via-IR only), Yul optimizer improved default sequence and JSON output format slightly changed
Clap: a Rust eDSL for PlonKish Proof Systems with a Semantics-preserving Optimizing Compiler
Batcher Contract on Aztec
Remix v0.49: RemixAI improvements & TOML syntax highlighting
Kontrol (formal verification) adds support for native Foundry cheatcode assertions
Snekmate (Vyper): adds Halmos symbolic tests for ERC20/721/1155 & math contracts
Ape-AWS: Ape plugin to use AWS Key Management Service & IAM access
Viem adds EIP4361 Sign-In with Ethereum support
EVM Diff: adds all chain comparison table to existing side by side compare
micro-eth-signer v0.9: fetch account history & token balances from archive node, SSZ in 900 lines
Vacp2p stealth-address-kit v0.1: derived from ERC5564, Rust & C bindings
Explore the Depths of Knowledge: Research Papers, Blogs and Tweets🔖
Twitter
12 examples of how Chainlink is powering the tokenization megatrend
Farcaster vs. Lens Protocol: A Deep Dive 🧵
Unlocking the Power of Stylus: A Game-Changer for Arbitrum and EVM
Some more up to date thoughts the next hard fork after Cancun, Pectra
The Bitcoin L2 landscape
How do DEX aggregators actually work?
High FDV is not inherently bad.
Articles
How EigenLayer’s Restaking Enhances Security and Rewards in DeFi
Secure Voting on Blockchain with Zero-Knowledge Proofs (ZKPs)
Introducing the ENS L2
Atomicals Virtual Machine (#AVM) Whitepaper
A Two-Part Approach To Understanding Zk Coprocessors
Github Repos
Reusable workflows for GitHub Actions
Merkle Multiproof (Solidity): generate inputs for OpenZeppelin MerkleProof library for fuzz testing
Research Papers
A Dual-functional Blockchain Framework for Solving Distributed Optimization
On Fairness Concerns in the Blockchain Ecosystem
Collaborative Access Control for IoT -- A Blockchain Approach
The Writing is on the Wall: Analyzing the Boom of Inscriptions and its Impact on EVM-compatible Blockchains
Tools
Introducing Recon: Invariant Testing Made Easy.
EVM Diff adds cross-chain comparison.
Eth95.exe - An Instant UI for Smart Contracts.
GoAlert - Open source on-call scheduling, automated escalations, and notifications so you never miss a critical alert.
Watch🎥
Web3 Security Watch 🛡️
Articles
Beginner’s Guide to Web3 Security: Guide to Avoiding Fake Wallets and Private Key/Mnemonic Phrase Compromises
How to Identify and Prevent Address Poisoning Attacks
Research Papers
DataSafe: Copyright Protection with PUF Watermarking and Blockchain Tracking
Remeasuring the Arbitrage and Sandwich Attacks of Maximal Extractable Value in Ethereum
Decentralized Virtual Research Environment: Empowering Peer-to-Peer Trustworthy Data Sharing and Collaboration
Twitter
Arguments Against FIT21
Zero Knowledge Proofs Use Cases
Malicious Aggr Chrome Extension
Investigation $CAT meme team is connected to GCR's X.com hack last night
Introducing Trident - fuzz testing framework for Solana programs written in Anchor
Tools
Security Alliance - Drill Template - the tools that the SEAL Chaos Team uses to coordinate drills with protocol teams.
Simbolik: Solidity Debugger VS Code plugin by Runtime Verification.
Introducing shadow-reth
Introducing Open-Binius!
Hacks and Scams 🚨
NORMIE
Loss ~ $881K
NORMIE memecoin on the Base network exploited, resulting in a loss of 224.98 ETH (approx. $881,686).
Our QuillShield AI agent detected the same vulnerability in just one second.
Exploit due to a smart contract vulnerability that allowed unauthorized minting of tokens.
Attacker used 2 ETH from Sushi Router to swap for 171,955 NORMIE tokens, then matched the token deployer’s balance by swapping 5 million NORMIE tokens.
Vulnerable _get_premarket_user function added attacker’s address to the premarket user list by matching the team wallet balance.
Flash loan of 11,333,141 NORMIE tokens taken, with 9,066,513 swapped for 65.97 ETH to manipulate token supply.
Remaining tokens used in Uniswap V2 pair and skim function to withdraw assets.
Logic flaws in _transfer and swapAndLiquify functions allowed bypassing checks and minting additional tokens.
Token supply inflated to 650 billion NORMIE tokens; attacker profited 224.98 ETH (approx. $881,686).
Exploiter manipulated contract permissions, used flash loan to drain the contract, bought tokens at no cost, and sold them.
Meta Dragon
Loss ~ $180k
Over 4000 NFTs were compromised in the MetaDragon hack on 28th May 2024, with community members losing approximately 2400 NFTs after deductions for the META fund and marketing.
The NFT contract remains insecure; users are advised to refrain from minting new NFTs.
Significant losses were incurred by community members, investors, and liquidity providers.
MetaDragon plans to compensate each NFT at a rate of "10,000 META + 0.15 BNB".
Total compensation amounts to approximately 24 million META and 360 BNB.
The compensation process will begin gradually with updates provided on progress.
Some partners and major holders have expressed willingness to postpone their claims, prioritizing the compensation of other members, which is deeply appreciated by the MetaDragon team.
Community Spotlight
QuillAudits at Consensus 2024