I post a progress report showing what I did and how my products performed each month. Last month’s report can be seen here.

What did I do

Productive Hours in July

Hours worked on side-projects in July

I worked 106 productive hours on side projects last month.

To make these progress reports a bit more interesting, from now on I’ll post my favourite song, TV show, and article I read last month.

What was worked on


I post a progress report showing what I did and how my products performed each month. Last month’s report can be seen here.

What did I do

Productive Hours in June

Hours worked on side-projects in June

I worked 101 productive hours on side projects last month.

To make these progress reports a bit more interesting, from now on I’ll post my favourite song, TV show, and article I read last month.

What was worked on


I post a progress report showing what I did and how my products performed each month. Last month’s report can be seen here.

What did I do

Productive Hours in May

Hours worked on side-projects in May

I worked 102 productive hours on side projects last month.

To make these progress reports a bit more interesting, from now on I’ll post my favourite song, TV show, and article I read last month.

What was worked on


On May 19th 2021, PancakeBunny was exploited by an attacker abusing an incorrect PancakeSwap LP price computation in Bunny’s PriceCalculatorBSCV1 contract to mint 6.97M BUNNY tokens, which were then exchanged for a profit of 114,631 WBNB (~30M USD).

Background

PancakeBunny is a yield aggregator accepting a variety of tokens, among them LP tokens from PancakeSwap. Stakers need to pay a 30% performance fee on the profits when withdrawing/claiming. However, they also receive BUNNY tokens in return — for every 1 BNB in fees collected, 3 BUNNY is rewarded to the depositor.

The Exploit

There’s an official post mortem but it lacks depth making…


The vaults.sx contract on EOS mainnet has been exploited through a re-entrancy attack. 1,180,142.5653 EOS (~13M USD) and 461,796.8968 USDT were stolen, making this the biggest hack on EOS.

Vaults.sx is a yield aggregator where users can deposit EOS or USDT in return for interest-bearing SXEOS/SXUSDT tokens. The deposited tokens are then available in the flash.sx contract for flashloans and aggregate fees. Finally, SX tokens can be redeemed for a pro-rata share of the underlying funds + aggregated fees again.

EOS actions execution order

To understand the attack one first needs to understand the execution order of notifications (require_recipient) and normal inline actions (send_inline).


I post a progress report showing what I did and how my products performed each month. Last month’s report can be seen here.

What did I do

Productive Hours in April

Hours worked on side-projects in April

I worked 55 productive hours on side projects last month.

To make these progress reports a bit more interesting, from now on I’ll post my favourite song, TV show, and article I read last month.

You should be…


I post a progress report showing what I did and how my products performed each month. Last month’s report can be seen here.

What did I do

Productive Hours in March

Hours worked on side-projects in March

I worked 71 productive hours on side projects last month.

To make these progress reports a bit more interesting, from now on I’ll post my favourite song, TV show, and article I read last month.

What was worked on

Mostly client work, but I also did some bug…


In this part of the Replaying Ethereum Hacks series, we will look at a vulnerability that is common among yield aggregators. Many of these protocols disclose a function to automatically convert the profits to a different token by trading on a decentralized exchange like Uniswap. This in and of itself already opens the protocol up to a potential sandwich attack. The profitability of such an attack can be dramatically improved if the attacker can force the protocol to trade in an illiquid pool.

A recent example of such an arbitrage attack could be observed in BadgerDAO’s DIGG <> WBTC Sushiswap…


I post a progress report showing what I did and how my products performed each month. Last month’s report can be seen here.

What did I do

Productive Hours in February

Hours worked on side-projects in February

I worked 104 productive hours on side projects last month.

To make these progress reports a bit more interesting, from now on I’ll post my favourite song, TV show, and article I read last month.

What was worked on


Furucombo was exploited yesterday for ~15M USD.

Let’s dive into the attack, understand it by reading the code of the relevant contracts, and then replay the hack using a custom contract.

Background

Furucombo lets users build custom DeFi flows through a drag’n’drop interface — think Zapier or If This Then That for DeFi.

The entry-point for the attack is the Furucombo Proxy that some users approved with many different tokens worth millions of dollars. The gist of the attack is that anyone can call into the contract, make it do a delegatecall to a user-controlled…

Christoph Michel

Full Stack Software Engineer #javascript #EOS. Into Recreational Math / CS 🤯 Just message me about anything, my mind is open.
