Unraveling the $UN Attack: A Flash Loan Exploits Flaw in Token Contract
$UN on BSC was attacked through a flash loan, resulting in a loss of $26,000.
Comparison and Evaluation of Static Application Security Testing (SAST) Tools for Java
We evaluate and compare seven free or open-source Static Application Security Testing (SAST) tools for Java. The post highlights the importance of SAST tools in detecting security vulnerabilities in software development and provides insights into improving the detection capabilities of these tools.
Understanding Vulnerability Propagation in the Cargo Ecosystem
The study analyzed 20,000 Rust packages and their dependencies to understand how vulnerabilities propagate through the Cargo package ecosystem. Accurately calculating the affected versions reduces false positives; declared version ranges alone are not always reliable indicators. Challenges include a lack of security awareness and of incentives for package maintainers. The study recommends improving package review mechanisms, providing incentives for security work, and implementing security governance strategies to reduce the risk of software supply chain attacks.
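The difference between a declared version range and the version actually resolved, as an added example that is not code from the study or from the post: a manifest requirement such as `^1.2.0` admits every 1.x release from 1.2.0 upward, so a range-only check flags the dependency as possibly affected by an advisory patched in 1.4.2 even when the lockfile has resolved to 1.5.0. The caret semantics below follow Cargo's rules for a full `major.minor.patch` requirement (partial forms like `^1` are not handled); the advisory shape ("every version below `patched` is affected, optionally from `introduced` onward") mirrors the RustSec style, and the version numbers used in `main` and the tests are constructed for illustration.

```rust
// Added example: range-based versus lockfile-based affected-version checks.
// Only std is used so it runs offline.

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version { pub major: u64, pub minor: u64, pub patch: u64 }

impl Version {
    /// Parse a strict `major.minor.patch` triple (no pre-release or build tags).
    pub fn parse(s: &str) -> Option<Version> {
        let mut parts = s.trim().split('.').map(|p| p.parse::<u64>().ok());
        let major = parts.next()??;
        let minor = parts.next()??;
        let patch = parts.next()??;
        if parts.next().is_some() { return None; }
        Some(Version { major, minor, patch })
    }
}

/// A caret requirement as Cargo interprets `^a.b.c` (also the default for a bare `a.b.c`):
/// every version >= a.b.c and below the next "breaking" boundary, which is the next major,
/// or the next minor when major is 0, or the next patch when major and minor are both 0.
pub struct CaretReq { pub lower: Version, pub upper_exclusive: Version }

impl CaretReq {
    pub fn parse(s: &str) -> Option<CaretReq> {
        let v = Version::parse(s.trim().trim_start_matches('^'))?;
        let upper = if v.major > 0 {
            Version { major: v.major + 1, minor: 0, patch: 0 }
        } else if v.minor > 0 {
            Version { major: 0, minor: v.minor + 1, patch: 0 }
        } else {
            Version { major: 0, minor: 0, patch: v.patch + 1 }
        };
        Some(CaretReq { lower: v, upper_exclusive: upper })
    }

    pub fn matches(&self, v: Version) -> bool {
        v >= self.lower && v < self.upper_exclusive
    }
}

/// Advisory in the RustSec style: versions in [introduced, patched) are affected.
pub struct Advisory { pub introduced: Option<Version>, pub patched: Version }

impl Advisory {
    /// Precise check against the version the lockfile actually resolved.
    pub fn affects(&self, v: Version) -> bool {
        v < self.patched && self.introduced.map_or(true, |i| v >= i)
    }

    /// Range-only check: true if *any* version admitted by the requirement is affected.
    /// This over-approximates, because Cargo resolves to the newest matching version.
    pub fn may_affect_range(&self, req: &CaretReq) -> bool {
        // Intersect the interval [introduced, patched) with [lower, upper_exclusive).
        let lo = match self.introduced {
            Some(i) => i.max(req.lower),
            None => req.lower,
        };
        lo < self.patched && lo < req.upper_exclusive
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum Verdict { Affected, NotAffected, RangeFalsePositive }

/// Compare the manifest requirement and the lockfile version against one advisory.
/// Returns None when the resolved version does not satisfy the requirement,
/// i.e. the lockfile and manifest disagree and neither signal can be trusted.
pub fn assess(req: &str, resolved: &str, adv: &Advisory) -> Option<Verdict> {
    let req = CaretReq::parse(req)?;
    let resolved = Version::parse(resolved)?;
    if !req.matches(resolved) { return None; }
    let by_range = adv.may_affect_range(&req);
    let by_lock = adv.affects(resolved);
    Some(match (by_range, by_lock) {
        (_, true) => Verdict::Affected,
        (true, false) => Verdict::RangeFalsePositive,
        (false, false) => Verdict::NotAffected,
    })
}

fn main() {
    // Constructed advisory: everything below 1.4.2 is affected.
    let adv = Advisory { introduced: None, patched: Version::parse("1.4.2").unwrap() };
    for (req, resolved) in [("^1.2.0", "1.5.0"), ("^1.2.0", "1.3.7"), ("^1.4.2", "1.4.9")] {
        println!("{req} resolved to {resolved}: {:?}", assess(req, resolved, &adv));
    }
}
```

The `RangeFalsePositive` verdict is the case the study warns about: a scanner that only reads `Cargo.toml` reports the dependency as vulnerable, while the `Cargo.lock` version is already past the fix. Conversely, a requirement whose lower bound is already at or above `patched` can be cleared without consulting the lockfile at all.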
Lesson Learned from ChatGPT Incident: Managing Open Source Vulnerabilities with MetaScan
OpenAI announced on March 24th that a bug in the open-source Redis client library redis-py was responsible for the data breach. Besides performing a thorough security assessment of smart contract code, MetaScan's Open Source Analyzer is specifically designed to pinpoint vulnerabilities in the open-source software components used in a project.
Deep Security Analysis of the ASKACR attack
On March 21, 2023, at 01:39:47 PM UTC, the attacker (0xb189943) created and manipulated many new contracts, which obtained ASKACR tokens from the ASKACR contract itself. In the end, the attacker gained 28,633 BSC-USD from the attack.
A Powerful Formal Verification Engine for Solidity Smart Contracts
How the 120k ETH Was Recovered from the Wormhole Exploiter
On February 2, 2022, at 18:24:13 UTC, an unknown attacker launched an attack on the Wormhole cross-chain bridge on the Solana blockchain, ultimately obtaining 120,000 WETH on Solana and transferring it to Ethereum through the bridge. Without going into the specifics, the attacker moved the acquired WETH to their own address on Ethereum, then disappeared, leaving behind this shocking event…
Warning: MetaTrust’s On-chain Monitoring Engine Discovers Contract Vulnerabilities: Zombier Smart Contract Exposes Critical Security Flaws
On February 28, 2023, MetaTrust's on-chain monitoring engine discovered serious security vulnerabilities in the recently open-sourced Zombier smart contract on the Ethereum blockchain. The contract is vulnerable to reentrancy and has several parameter-validation flaws, among other issues. If the client continues to use this contract, it may face significant security risks. For details, please see the vulnerability cause analysis report.
DevSecOps & Web3 Security — All You Need to Know
This post discusses the security challenges in the Web3 era and how the DevSecOps approach can be adopted to improve the security of the Web3 ecosystem. It emphasizes the importance of incorporating security analysis into the development process and introduces MetaTrust's tools and services for secure software development, including the world's first secure package manager for secure open-source development, an automatic security auditing tool for smart contracts, 24/7 runtime security monitoring, and a comprehensive security and risk score. By using these tools, developers can build a more secure and prosperous Web3 ecosystem.
BNB Chain suffered a deflation token attack, and MetaTrust discovered several dozen tokens on EVM chains that had not yet been affected
On February 10, 2023, several reflection-mechanism tokens on BNB Chain were attacked, and the attack spread to multiple tokens. MetaTrust conducted a thorough analysis and, using its exclusive IP Analyzer engine, found several dozen tokens that had not yet been attacked.