CertiK Resources
Blogs, Latest News, Announcements, and more
Polter Finance Incident Analysis
On 16 November 2024, Polter Finance lost ~$8.7 million to a price manipulation attack. Polter Finance paused its platform shortly afterwards to investigate.
11/18/2024
How to Ace the CertiK KYC Badge
These five tips will help Web3 teams successfully pass the background investigation and obtain the CertiK KYC Badge for their project.
11/18/2024
DeltaPrime Incident Analysis
On 11 November 2024, DeltaPrime was exploited for ~$4.8M across the Arbitrum and Avalanche networks. The attack combined two vulnerabilities. The first was an unvalidated address input that allowed the attacker to send borrowed tokens to an arbitrary address. The second also involved an unvalidated address input, this time in the claim mechanism, which the attacker leveraged to withdraw collateral.
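The first vulnerability class described above, an address argument that a lending contract trusts as the destination of borrowed funds, is illustrated below. This is an added example and not DeltaPrime's code; the contract and function names (VulnerablePool, HardenedPool, isAccount, borrow) are invented for the illustration. The fix is to remove the recipient parameter entirely and derive the destination from msg.sender, so borrowed funds can only land in the account that took on the debt and stay inside the protocol's collateral accounting.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not DeltaPrime's code. Names are invented.
// Shows an address argument that is never validated (vulnerable) next to a
// version that derives the destination from msg.sender (hardened).

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract VulnerablePool {
    IERC20 public immutable token;
    address public immutable admin;
    mapping(address => bool) public isAccount; // registered borrower accounts
    mapping(address => uint256) public debt;   // outstanding debt per account

    constructor(IERC20 _token) { token = _token; admin = msg.sender; }

    function register(address account) external {
        require(msg.sender == admin, "not admin");
        isAccount[account] = true;
    }

    // VULNERABLE: `recipient` is caller-controlled and never validated. Any
    // registered account can route the loan to an address outside the
    // protocol, while the debt is booked against the account as if the
    // funds were still held as collateral there.
    function borrow(uint256 amount, address recipient) external {
        require(isAccount[msg.sender], "not an account");
        debt[msg.sender] += amount;
        require(token.transfer(recipient, amount), "transfer failed");
    }
}

contract HardenedPool {
    IERC20 public immutable token;
    address public immutable admin;
    mapping(address => bool) public isAccount;
    mapping(address => uint256) public debt;

    constructor(IERC20 _token) { token = _token; admin = msg.sender; }

    function register(address account) external {
        require(msg.sender == admin, "not admin");
        isAccount[account] = true;
    }

    // HARDENED: there is no recipient parameter. Funds can only be sent to
    // the account that incurs the debt, so solvency checks (omitted here)
    // always see the borrowed tokens on the account's balance.
    function borrow(uint256 amount) external {
        require(isAccount[msg.sender], "not an account");
        debt[msg.sender] += amount;
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
}
```

When reviewing similar code, treat every externally supplied address that ends up as the `to` of a transfer as a finding until the contract proves it is bound to the caller or to a registered, protocol-controlled destination.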
11/10/2024
A Preliminary Security Assessment on Web3 Desktop Wallets
Desktop wallets play a crucial role in the Web3 ecosystem, giving users a means to securely manage their digital assets on decentralized networks. This report presents the findings of a technical security analysis of Web3 desktop wallets in detail, with the aim of raising user awareness of security and helping users better protect their digital assets when using desktop wallets.
11/5/2024
CryptoBottle Incident Analysis
In October 2024, CryptoBottle on Polygon was exploited on three separate occasions, with combined losses of ~$527k. In the largest and most recent incident, on 24 October, the attacker exploited a critical vulnerability that let them disable the balance check performed in the swap() method after its callback, executed arbitrary swaps to acquire a large amount of NAS tokens, and sold those tokens to drain ~$490k in USDT from the project.
10/31/2024
Unmasking Crypto Market Manipulation: Wash Trading, Spoofing, and More
Much like traditional financial markets, crypto markets are not immune to manipulation. Many of the same practices that plague stocks and commodities — like wash trading, spreading fear, and pump and dump schemes — also exist in the crypto space. In this blog, we’ll explore some of the most common manipulation tactics in the crypto markets and discuss how these practices impact the industry as a whole.
10/24/2024
Interview with Professor Ronghui Gu: “Who Monitors the Monitors?”
In a recent DeThings interview, Professor Ronghui Gu, Co-Founder of CertiK, addressed the question, "Who monitors the monitors?" and discussed how security companies self-regulate. Read to learn about key findings from the interview.
10/17/2024
Hack3d: The Web3 Security Quarterly Report - Q3 2024
Welcome to Hack3d: The Web3 Security Report for Q3 2024. Hack3d serves as an essential resource and record of statistics for understanding security challenges and vulnerabilities in the Web3 space. It equips stakeholders with the knowledge and insights needed to fortify their defenses and make informed decisions in an increasingly high-stakes environment.
10/2/2024
Omnipus Incident Analysis
On 11 September 2024, Omnipus contracts were drained of ~$30k received during the presale of the OPUS token.
9/25/2024
CertiK Chief Security Officer Kang Li: “The Changing Regulatory Environment for Cryptocurrencies Brings New Opportunities.”
During 2024 Korean Blockchain Week (KBW), Professor Kang Li, Chief Security Officer of CertiK, was interviewed by the Korean media outlet E-Today. In the interview, Professor Li discussed how recent regulatory developments have created new opportunities for the cryptocurrency industry. He also expressed concern about the security challenges faced by the blockchain ecosystem, and emphasized that addressing them is essential for long-term development and for establishing trust.
9/16/2024
CUT Token Incident Analysis
On 10 September 2024, Caterpillar Coin ($CUT token) suffered a flashloan attack that resulted in a loss of ~$1.4M and a 99% drop in the token's price. The attack exploited vulnerabilities in the token's ‘price protection mechanisms’, which allowed the manipulation of token reserves and rewards.
9/10/2024
Skynet: Empowering Users with Advanced Security Tools
CertiK’s Skynet is transforming Web3 security by making complex insights accessible to everyone. As a leading user security platform, Skynet empowers users to protect their assets, stay informed, and navigate the decentralized world confidently. Here’s how Skynet’s features are helping to build a safer, more informed Web3 community.
9/3/2024
Web2 Meets Web3: Hacking Decentralized Applications
This blog offers insights into the differences between traditional Web2 applications and Web3 Dapps, Dapp threat modeling, and unique attack vectors enabled by the integration of blockchain components.
8/27/2024
Risk & Security Enhancement for App Chains: An In-depth Writeup of CWA-2023-004
In January 2024, the CertiK research team, in collaboration with Confio's security contributors, identified and addressed a high-impact vulnerability affecting app chains in the CosmWasm ecosystem that allow permissionless contract uploads. The vulnerability, designated CWA-2023-004, allowed a remote attacker to submit a malformed contract payload that caused a deterministic failure in every transaction processed by the WasmVM, ultimately leading to a widespread outage across the validator network.
8/22/2024
CertiK Statement on Kraken Vulnerability
In June, the CertiK Skyfall team, conducting whitehat research, discovered a critical vulnerability in the Kraken platform. We notified the exchange so that the vulnerability could be fixed, a win for blockchain and Web3 security.
8/16/2024
How AI is Enhancing Web3: Innovations at the Crossroads of Decentralization
Artificial intelligence (AI) and Web3 are two of the most transformative technologies shaping the future of digital interactions. The intersection of these technologies offers intriguing possibilities for enhancing privacy, security, and operational efficiency.
8/16/2024
Clarity: Best Practices and Checklists
Clarity is a smart contract language developed collaboratively by Hiro PBC, Algorand, and other stakeholders. It is currently used on Stacks, a Bitcoin layer. The primary goal of Clarity is to provide a high level of predictability and security, ensuring that smart contracts behave as intended without unexpected side effects. In this article, we explore the concepts behind Clarity smart contracts, as well as best practices and security checklists for programming in Clarity.
8/14/2024
Vow Incident Analysis
On 12 August 2024, VOW token was exploited for around $1.2 million. The usdRateSetter address (0xbA1be907f532Ff6bb0088279e0f3DCDdD693aC7c) in the VOW contract temporarily changed the exchange rate (usdRate) between VOW and vUSD from 1 to 100. A malicious actor exploited the new usdRate to obtain vUSD at 100 times the correct amount.
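The incident above turns on a privileged rate-setter role being able to move an exchange rate from 1 to 100 in a single update. The contract below is an added example, not VOW's code, showing two controls that make such a jump impossible: a per-update bound on how far the rate may move, and a two-step propose-then-commit update with a delay. The contract and function names, the 10% bound, and the one-day delay are assumptions chosen for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not VOW's code. The 10% step bound and 1-day delay
// are assumed values. A privileged setter can still adjust the rate, but
// only within a bounded step and only after a public delay.

contract BoundedRateOracle {
    uint256 public constant RATE_SCALE = 1e18;    // rate 1.0 is represented as 1e18
    uint256 public constant MAX_STEP_BPS = 1_000; // max 10% change per update (assumed)
    uint256 public constant DELAY = 1 days;       // min propose-to-commit delay (assumed)

    address public immutable rateSetter;
    uint256 public usdRate = RATE_SCALE;          // token -> USD-pegged rate, starts at 1.0

    uint256 public pendingRate;                   // proposed rate awaiting commit
    uint256 public pendingAt;                     // earliest timestamp it may be committed

    event RateProposed(uint256 rate, uint256 effectiveAt);
    event RateCommitted(uint256 rate);

    constructor(address _rateSetter) { rateSetter = _rateSetter; }

    modifier onlySetter() { require(msg.sender == rateSetter, "not setter"); _; }

    // Step 1: the setter proposes a new rate. A jump from 1.0 to 100.0
    // fails the bound check here and reverts.
    function proposeRate(uint256 newRate) external onlySetter {
        require(_withinBound(usdRate, newRate), "rate step too large");
        pendingRate = newRate;
        pendingAt = block.timestamp + DELAY;
        emit RateProposed(newRate, pendingAt);
    }

    // Step 2: anyone may commit once the delay has passed, giving users and
    // monitors time to react. The bound is rechecked against the live rate.
    function commitRate() external {
        require(pendingAt != 0 && block.timestamp >= pendingAt, "not ready");
        require(_withinBound(usdRate, pendingRate), "rate step too large");
        usdRate = pendingRate;
        pendingRate = 0;
        pendingAt = 0;
        emit RateCommitted(usdRate);
    }

    // |proposed - current| must not exceed MAX_STEP_BPS of the current rate.
    function _withinBound(uint256 current, uint256 proposed) internal pure returns (bool) {
        uint256 diff = proposed > current ? proposed - current : current - proposed;
        return diff * 10_000 <= current * MAX_STEP_BPS;
    }

    // Consumer side: how much USD-pegged token a given amount is worth at the
    // current rate. Minting and accounting are omitted.
    function quoteUsd(uint256 tokenAmount) external view returns (uint256) {
        return tokenAmount * usdRate / RATE_SCALE;
    }
}
```

The bound is a floor, not a complete defence: a setter key that is compromised or misused can still walk the rate in repeated 10% steps, which is why the delay and the emitted events matter, since they give monitoring a window to detect and respond before each step takes effect.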
8/13/2024