Blog

We are constantly learning new things, and believe that knowledge should be shared.

AVS

October 28, 2024

Build secure Uniswap V4 Hooks in AVS

In recent months, both Uniswap V4 and EigenLayer’s Actively Validated Services (AVS) have gained significant attention – not without reason. Uniswap V4 introduced a […]

Damian Rusinek

Managing Partner & Smart Contract Security Auditor

Lido – Node Operator can exit and slash their validator to move withdrawal finalization border epoch

Bypassing the border epoch as determined by the mass slashing event. Vulnerability Details During a mass slashing event, the withdrawal queue may delay finalization […]

Paweł Kuryłowicz

Managing Partner & Smart Contract Security Auditor

Lido – Uncaught exception on creating ejection report

The report generation cannot be completed and submitted due to this bug. Vulnerability Details The get_remaining_forced_validators function is designed to remove validators that are […]

Paweł Kuryłowicz

Managing Partner & Smart Contract Security Auditor

Security Guide

Security Guide for DApps CTOs, Lead Developers, and Security Enthusiasts This forthcoming resource cuts straight to the point, delivering practical, effective security strategies without […]

Damian Rusinek

Managing Partner & Smart Contract Security Auditor

Othentic – Invalid EigenLayer reward submission

The standard rewards distribution process (as recommended by the CLI) fails, resulting in gas loss for the AVS manager. Vulnerability Details The OperatorDirectedRewardsSubmission struct […]

Paweł Kuryłowicz

Managing Partner & Smart Contract Security Auditor

Othentic – Uncleared claims

Operators face the risk of losing rewards on the default L2 and also jeopardizesubsequent rewards on the non-default L2. Vulnerability Details The AVSGovernance contract […]

Paweł Kuryłowicz

Managing Partner & Smart Contract Security Auditor

Othentic – Permanent revert on rewards submission

Permanent blockage in the rewards distribution process. Vulnerability Details In the AVSGovernance contract, when processing a payment request from the AttestationCenter contract, the function […]

Paweł Kuryłowicz

Managing Partner & Smart Contract Security Auditor

YieldNest – Invalid decimals used to calculate totalAssets

The primary outcome of this vulnerability is that the totalAssets variable will be inaccurately calculated, leading to theft of assets or potential losses for […]

Paweł Kuryłowicz

Managing Partner & Smart Contract Security Auditor

YieldNest – Inflating vault’s share rate via reentrancy

This attack results in the theft of assets alongside an inflated share value Vulnerability Details The withdrawal process from the Max Vault works in […]

Paweł Kuryłowicz

Managing Partner & Smart Contract Security Auditor

YieldNest – Invalid amounts of asset returned by strategies

This issue prevents the successful withdrawal of assets based on the values returned by the ERC4626 functions and their equivalent versions for different assets. […]

Paweł Kuryłowicz

Managing Partner & Smart Contract Security Auditor

Join the newsletter now

Please wait...

Thank you for sign up!

Let us help

Get throughly tested by the creators of Smart Contract Security Verification Standard

Request audit