Week 89: Vitalik's Thoughts on Possible Futures for Ethereum (The Merge & The Surge), World Chain Live, TON Integrates with Axelar, & $58M Multisig Wallet Compromise of Radiant Capital

QuillAudits - Web3 Security 🛡️
Coinmonks
7 min read · Oct 21, 2024


GM! Buidlers

In this issue of HashingBits, we dive into Ethereum's Core Developer meetings, covering the major updates in the Ethereum ecosystem. We also look at the latest happenings in the Polygon, Solana and Base ecosystems, along with advances in the AI and Web3 space. For developers, we highlight new tools designed to assist smart contract developers and auditors. And, of course, we cover the headlines: the $58M exploit of Radiant Capital and the $7.038M loss in EigenLayer's airdrop phishing scam.

EtherScope: Core Developments 👨‍💻

EIP2537 BLS precompiles:

  • Feedback wanted on planned EIP2537 usage & the need for subgroup checks
  • EIP2537 BLS breakout: discussed removing subgroup checks; the precompiles are considered underpriced

Vitalik's Possible Futures for Ethereum:

  • Proof of Stake (the Merge): single slot finality, 1 ETH staking, single secret leader election, faster transaction confirmations, 51% attack recovery, increasing the quorum threshold for finality, and quantum resistance
  • Scaling (the Surge): data availability sampling, data compression, generalized Plasma, maturing L2 proof systems, cross-L2 interoperability, and scaling L1 execution

L1 & L2 Developments

  • Scroll has launched drand VRF, which provides trustless randomness on all EVM chains.
  • Sui Foundation has responded to allegations about insiders selling $400 million in tokens during a recent price increase, stating that no insiders, including employees, founders, or investors, have participated in such sales.
  • Felix Protocol, an on-chain financial system for Hyperliquid, has introduced feUSD
  • Sonic Labs, previously known as Fantom, has published its Sonic Litepaper
  • Galxe has integrated with Sei Network, described as the fastest parallel EVM Layer 1.
  • TokenUnlocks has rebranded to Tokenomist.AI
  • CrossFi has launched its mainnet
  • Osmosis has introduced Osmosis Pay, powered by Cypher HQ.
  • Towns has released a decentralized and permissionless group chat application, allowing users to create their own digital town squares.
  • Pyth Network has announced that PlutoLeverage, a DeFi leveraged yield machine on Solana, is now supported by Pyth.
  • Axelar announces partnership with TON Network.
  • Eclipse announced the launch of its official bridge, allowing for easier transfer of assets.
  • Pendle is catering to the growing demand and diverse risk appetites for Pendle BTC by introducing a new pool for pumpBTC with an expiry date of March 27, 2025.
  • LayerZero has officially launched on Worldcoin’s World Chain mainnet.
  • Hyperlend will list Resolv’s USR as collateral on the platform
  • Penpie is expanding its real-world asset (RWA) offerings by introducing a new pool for Usual Money’s USD0++ stablecoin.
  • defi.money has expanded its reach by launching on Base, currently the largest Ethereum Layer 2 network by Total Value Locked (TVL).
  • Phantom rolls out the latest feature allowing users to access interactive token pages with chart and price history
  • Sturdy Finance has created an AI-powered Morpho Vault Aggregator.
  • YieldNest has announced a collaboration with Kinza Finance, a dedicated lending protocol.
  • Moonpay collaborates with Venmo
  • MIRA AMM has launched on Fuel Ignition mainnet. MIRA is open-sourced and audited by Halborn and OtterSec.
  • Kraken launches kBTC, an ERC-20 token fully backed 1:1 by Bitcoin, held securely by Kraken and always verifiable onchain.
  • World Chain (OP Stack rollup) open to public
  • Fuel Ignition (FuelVM) live, UTXO based
  • Ephemery testnet incentives for genesis validators, infrastructure & client implementations
  • dGEN1 (mobile device): runs ethOS, ships 2025, pre-order via mint on Base
  • Towns: gated group chats using River & Base

EIPs

  • EIP7788: Dynamic target blob count
  • Informational EIP7790: Parameter recommendations for controlled gas limit increase strategy

ERCs

  • ERC7786: Cross-chain messaging gateway
  • ERC7787: Soulbound degradable governance

RIPs

  • RIP7789: Cross rollup contingent transactions

Updates on Development Kits & Tools

  • OpenZeppelin Contracts v5.1: adds P256 & RSA signature validation; MerkleTree, CircularBuffer & Heap data structures; StorageSlot, ReentrancyGuardTransient & SlotDerivation utilities; updated Arrays, Base64, CREATE2, Strings & Math
  • Echidna v2.2.5: adds Cancun support, warns if an assert isn’t hit in assert mode, adds cheat codes and collects coverage during deployment
  • Nethermind v1.29.1: improved memory usage on Linux and improved OP Stack sync
  • Teku v24.10.2: hotfix for v24.10.x preventing startup on Windows
  • Besu v24.10.0: adds support for blobs in multiple transactions to engine_getBlobsV1 and Ephemery testnet support
  • Prysm v5.1.2: hotfix for v5.1.1 to recover from panic; v5.1.1: experimental state enabled by default and adds IDONTWANT support

Hacks and Scams 🚨

Radiant Capital

Loss ~ $58M

  • The attacker gained control of 3 of the 11 signers, just enough to carry out the hack. Contracts on both Arbitrum and BSC are affected.
  • The attacker used the multisig to transfer ownership to their own contract, upgraded the implementation, and then drained funds. A frontend attack is one possibility, though this remains speculative for now.
  • In transaction 0xd97b93f633aee356d992b49193e60a571b8c466bf46aaf072368f975dc11841c, the attack began with a transfer of over $303K in USDC, $451K in BUSDT, 160 BTCB, 220.6 wBETH, 8469 wBNB and 470.4 ETH, all drained from Radiant pools into the attacker's wallet (0x0629b1048298AE9deff0F4100A31967Fb3f98962).
  • Attacker’s addresses:


  • Attacker’s contract:


  • The contracts currently in danger are:

0xF4B1486DD74D07706052A33d31d7c0AAFD0659E1 (Arbitrum)

0xd50Cf00b6e600Dd036Ba8eF475677d816d6c4281 (BSC)

0x30798cFe2CCa822321ceed7e6085e633aAbC492F (Base)

0xA950974f64aA33f27F6C5e017eEE93BF7588ED07 (ETH)

To learn more about the hack, read the full analysis.

EigenLayer

Loss ~ $7.038M

  • EigenLayer's X account was hacked. The attacker posted a fake airdrop phishing link.
  • Over $7,089,107 ($7.089M) has been lost since then. One example is address 0x84b748A811BbdD520c26feD111B3F1F6cCf42E43 losing $800K worth of mETH an hour ago after signing a permit phishing signature.
  • The victim likely signed a permit message (the permit function allows token approvals via an off-chain signature, without a separate on-chain approval transaction), giving the attacker permission to spend or transfer their tokens.
  • Many victims' funds were stolen in the same way. Here is a list of attacker addresses:


  • List of contract addresses:

0x9a9BC7d92f554bD54791783389d2246884020e60

0xed0e416e0fEEA5b484ba5c95d375545AC2b60572

For full details, read the detailed analysis.
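As an added, defender-side example (not code from the original post), the following Python check inspects the EIP-712 typed data of an ERC-20 permit request before it is signed and flags the traits a permit-phishing drainer relies on: an unknown spender, an effectively unlimited value, and a deadline far in the future. The trusted-spender allowlist and both sample requests are constructed assumptions.

```python
"""Flag risky ERC-20 permit (EIP-2612) signature requests before signing.

Constructed example: the allowlist and the sample typed data below are
made up for illustration; a wallet would compare against the user's own
known protocol contracts instead.
"""
import time
from typing import List

UINT256_MAX = 2**256 - 1
# Assumed allowlist of spender contracts the user knowingly interacts with.
TRUSTED_SPENDERS = {"0x1111111111111111111111111111111111111111"}


def assess_permit(typed_data: dict, trusted_spenders=TRUSTED_SPENDERS, now=None) -> List[str]:
    """Return risk findings for a Permit typed-data request (empty list = looks normal)."""
    findings = []
    if typed_data.get("primaryType") != "Permit":
        return ["not a Permit request; check what you are signing"]
    msg = typed_data["message"]
    spender = msg["spender"].lower()
    value = int(msg["value"])          # may arrive as int or decimal string
    deadline = int(msg["deadline"])
    now = int(time.time()) if now is None else now
    if spender not in {s.lower() for s in trusted_spenders}:
        findings.append(f"spender {msg['spender']} is not a known protocol contract")
    if value >= UINT256_MAX // 2:      # approving (nearly) the entire supply
        findings.append("value is effectively unlimited")
    if deadline > now + 7 * 24 * 3600:  # a drainer wants a permit that never expires
        findings.append("deadline is more than 7 days away")
    return findings


def _permit(spender: str, value: int, deadline: int) -> dict:
    # Constructed EIP-712 envelope; token domain values are placeholders.
    return {
        "primaryType": "Permit",
        "domain": {"name": "mETH", "version": "1", "chainId": 1,
                   "verifyingContract": "0x" + "ab" * 20},
        "message": {"owner": "0x" + "cd" * 20, "spender": spender,
                    "value": str(value), "nonce": 0, "deadline": deadline},
    }


# Constructed samples: a drainer-style request and a normal protocol interaction.
PHISHING_REQUEST = _permit("0x" + "de" * 20, UINT256_MAX, UINT256_MAX)
BENIGN_REQUEST = _permit("0x1111111111111111111111111111111111111111",
                         1000 * 10**18, 1_700_000_000 + 1800)

if __name__ == "__main__":
    print(assess_permit(PHISHING_REQUEST, now=1_700_000_000))
    print(assess_permit(BENIGN_REQUEST, now=1_700_000_000))
```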
