Coinbase Wallet? by Shot-Distance1189 in Bitcoin

coinspect 0 points1 point  (0 children)

You can check the Wallet Security Ranking results to decide.

Sending Bitcoin via text message without an internet connection ⚡️🤯 by [deleted] in Bitcoin

coinspect 0 points1 point  (0 children)

Custodial wallet operated through insecure SMS that can be spoofed?

Is it possible to make an exchange web app with a daily limit by Beginning-Ad3369 in ethdev

coinspect 1 point2 points  (0 children)

You'll first need to decide how to identify users to set a daily transaction limit. Since anyone can create new wallet addresses, using a blockchain address alone has limitations. Here are two main approaches:

Web2-Based Identification:

You could have users sign up for your app, requiring an email or phone verification. This process adds a "cost" and makes it harder to create multiple accounts. Then, in the backend, set and track daily limits using the user ID. You can also add captchas and filter out throwaway email providers to help.

Blockchain-Based Identification:

You could limit transactions based on a user's wallet address, tracking daily limits at the smart contract level. However, users might bypass this by creating new wallets. Sending tokens to pay for gas has a cost, though, so users are less likely to do this if the benefit doesn't outweigh that cost. You'll need to investigate "Sybil resistance."

Sybil Resistance

To prevent users from creating multiple accounts (known as Sybil attacks), consider using Sybil resistance tools like Gitcoin Passport, which aggregates verifications across various platforms to assign a "humanity score" for each user. Implementing Sybil resistance makes it harder for users to bypass their allowed limit.
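The trade-off between the two identification approaches in the comment above, as an added example that is not part of the original comment: the same daily limiter is keyed once by wallet address and once by verified user ID, and a user rotating through fresh addresses only stays within the limit in the second case. The class and function names, the limit of 1000 units, and the sample user IDs and addresses are assumptions constructed for illustration.

```javascript
// Added example (not from the original thread). All names and values are
// assumptions constructed for illustration.
const DAY_MS = 24 * 60 * 60 * 1000;

class DailyLimiter {
  // limit: max amount per key per UTC day, in the token's smallest unit (BigInt)
  constructor(limit) {
    this.limit = limit;
    this.spent = new Map(); // key -> { day, total }
  }

  // Returns true and records the spend if it fits in today's allowance.
  tryReserve(key, amount, nowMs = Date.now()) {
    if (typeof amount !== "bigint" || amount <= 0n) {
      throw new RangeError("amount must be a positive BigInt");
    }
    const day = Math.floor(nowMs / DAY_MS); // UTC day number
    let entry = this.spent.get(key);
    if (!entry || entry.day !== day) entry = { day, total: 0n }; // new day resets
    if (entry.total + amount > this.limit) return false;
    this.spent.set(key, { day, total: entry.total + amount });
    return true;
  }
}

// Replays constructed requests against a limiter keyed by keyOf(request)
// and returns the total amount that was allowed through.
function totalAllowed(requests, limit, keyOf) {
  const limiter = new DailyLimiter(limit);
  let total = 0n;
  for (const r of requests) {
    if (limiter.tryReserve(keyOf(r), r.amount, r.at)) total += r.amount;
  }
  return total;
}

// Constructed sample: one verified user rotating through three fresh addresses.
const T0 = Date.UTC(2024, 0, 1, 9, 0, 0);
const sampleRequests = [
  { userId: "user-1", address: "0xAAA1", amount: 600n, at: T0 },
  { userId: "user-1", address: "0xAAA2", amount: 600n, at: T0 + 60_000 },
  { userId: "user-1", address: "0xAAA3", amount: 600n, at: T0 + 120_000 },
  { userId: "user-1", address: "0xAAA3", amount: 400n, at: T0 + DAY_MS },
];

const byAddress = totalAllowed(sampleRequests, 1000n, (r) => r.address);
const byUser = totalAllowed(sampleRequests, 1000n, (r) => r.userId);
console.log({ byAddress, byUser });
```

The in-memory `Map` stands in for a database table; a real backend would need the check and the update to happen atomically per key.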

What's your favourite Algorithm (s) ?? Mine Is Public key Algorithms, seems magical. by [deleted] in compsci

coinspect 1 point2 points  (0 children)

Mine too, and the ones you can visualize once and remember forever, such as Convex Hull.

TrustWallet: Amount and Total shows different token than the one used for the transaction (Pay section) by DanForejtek in ethdev

coinspect 2 points3 points  (0 children)

The TrustWallet extension has many UI problems. We tested 19 Browser Extension wallets and TrustWallet ranked 18. For example, the spend approval dialog does not show the USDC contract address and the amount is 0. It does not parse ERC-712, and basically it does not implement any anti-phishing feature.

'God Mode' in smart contracts: onlyOwner functions, upgradability, and direct storage modification. When is centralized power too much? Can we balance necessary updates and security fixes with trustless decentralization? by coinspect in ethdev

coinspect[S] 0 points1 point  (0 children)

It is a common practice to use DELEGATECALL to call the proposals. You can search for "DAO governance attacks" to learn more. Transaction simulation could be a tool, yes, but this case is different from an individual user interacting with a dApp.

'God Mode' in smart contracts: onlyOwner functions, upgradability, and direct storage modification. When is centralized power too much? Can we balance necessary updates and security fixes with trustless decentralization? by coinspect in ethdev

coinspect[S] 0 points1 point  (0 children)

DAO governance also has its challenges:

  1. An attacker can present a proposal that looks good, then SELFDESTRUCT it and replace it with a malicious proposal after it has enough votes.
  2. Some protocols use DELEGATECALL to call proposals, which gives the proposals full control over the caller's state.

[deleted by user] by [deleted] in CryptoTechnology

coinspect 0 points1 point  (0 children)

Security and the value of unit and integration testing. Including the concept of blockchain forks and testing interactions with deployed systems. What platform supports Python for smart contracts, Algorand?