-attack

Web3 security company GoPlus stated that the AI development tool OpenClaw has recently been reported to have experienced a self-attack security incident. During the execution of automated tasks, the system constructed an incorrect Bash command while calling Shell commands to create a GitHub Issue, inadvertently triggering command injection, which led to the exposure of a large number of sensitive environment variables.In the incident, the AI-generated string contained a set wrapped in backticks, which was interpreted by Bash as command substitution and executed automatically. Since Bash outputs all current environment variables when executing set without parameters, this ultimately resulted in over 100 lines of sensitive information (including Telegram keys, authentication tokens, etc.) being directly written to the GitHub Issue and publicly published. GoPlus recommends that in AI automation development or testing scenarios, API calls should be used instead of directly concatenating Shell commands, and the principle of least privilege should be followed to isolate environment variables. Additionally, high-risk execution modes should be disabled, and a manual review mechanism should be introduced for critical operations.

ChainCatcher news, Binance announced on platform X that GriffinAI (GAIN) has confirmed it was previously hacked and is currently investigating the technical details. To protect users, the project has mitigated the related issues by removing the official on-chain liquidity of GAIN tokens on the BNB chain.Binance is assisting the project team in conducting a post-incident analysis and formulating a compensation plan, and will continue to provide updates on the latest developments. In previous news, GriffinAI stated that it has requested all exchanges to suspend trading, deposits, and withdrawals of GAIN on BSC.

ChainCatcher message, DeFi protocol MetronomeDAO released an analysis report on the Curve attack incident, stating that the recovered funds have been injected into a new Curve msETH-WETH pool, which will be fully allocated to the affected LPs as part of an effort to restore usage as much as possible.Metronome seeks to negotiate to recover the remaining funds, and the team also supports the repair work led by Vyper and Curve. Specific instructions on how to reallocate these funds will be announced soon.