ChainCatcher message, Spectral officials stated on the X platform that some tokens on the launched Syntax platform have a security vulnerability in transactions, which will result in approximately $200,000 in liquidity being removed. In response to this issue, the Spectral team has quickly taken measures to ensure the safety of the platform and its users, including:Temporarily disabling access to the Syntax application;Suspending all smart contracts to prevent further program interactions.Currently, the Spectral team is working with top security experts in the industry to identify the root cause of the problem and develop a fix to restore normal operations of the platform as soon as possible. The Syntax team stated that these measures are the most effective way to protect the community's interests and promised to provide detailed follow-up updates in a timely manner.

ChainCatcher news, identity and access management software provider Okta officially stated that on October 30, 2024, an internal vulnerability was discovered in the AD/LDAP DelAuth when generating cached keys. The Bcrypt algorithm is used to generate cached keys, where we hash the combination string of userId + username + password. Under specific conditions, this can allow users to authenticate simply by providing a previously successfully authenticated stored cached key to the username.The prerequisite for this vulnerability is that the username must be equal to or exceed 52 characters each time a cached key is generated for the user. The affected products and versions are Okta AD/LDAP DelAuth as of July 23, 2024, and this vulnerability has been resolved in Okta's production environment on October 30, 2024.

According to ChainCatcher news, the official Bedrock announcement has released an analysis report on the uniBTC security vulnerability incident, which includes the following main points:The contract vulnerability has been confirmed and resolved;All assets are safe;Airdrop plan: All uniBTC holders can claim airdrop of 100 diamonds, and future TGE community airdrops will increase by 0.5%;The contract opening time will await official notification.

ChainCatcher news, the yield aggregator for income-generating assets built on Pendle, Penpie, has announced the suspension of all deposit and withdrawal operations due to a security vulnerability. The Penpie team is working diligently to resolve this issue.

ChainCatcher message, Slow Mist Technology's Chief Information Security Officer 23pds stated on the X platform that a vulnerability seller on the dark web claims to be selling an iOS RCE. According to the vulnerability seller, this vulnerability does not require user interaction (0 Click) and can fully control devices running iOS 17.xx and iOS 18.xx. Currently, it cannot be verified whether this vulnerability is real and usable. Everyone is reminded to upgrade their iOS system in a timely manner.

ChainCatcher news, according to Microsoft's official page, a serious security vulnerability has recently been disclosed in the Windows system, identified as CVE-2024-38063. This vulnerability affects all supported versions of Windows, including Windows 11, Windows 10, and several versions of Windows Server. The CVSS3.1 score for the vulnerability is 9.8, categorized as "critical." Attackers can remotely compromise devices and execute arbitrary code through specially crafted IPv6 packets. The vulnerability exists in the TCP/IP network stack of Windows and is a serious remote code execution flaw. Attackers can trigger the vulnerability and execute code remotely by repeatedly sending specially crafted IPv6 packets to Windows devices, without requiring user interaction or authentication. Microsoft strongly recommends that all users update to the latest version of Windows as soon as possible. Microsoft is releasing related patches to fix this vulnerability, and disabling IPv6 can temporarily prevent the exploitation of the vulnerability.

ChainCatcher news, according to The Block, Solana developers, validators, and client teams have come together to address a serious security vulnerability.Solana validator Laine stated that the process began on August 7, when the Solana Foundation contacted well-known network operators through private channels. This contact was part of a secret patching strategy aimed at preventing the vulnerability from being exploited in any way. The patch was provided through Anza engineers' GitHub repository, allowing operators to independently verify and apply the changes. As of 14:00 UTC on Thursday, August 8, detailed instructions for implementing the patch had been distributed to stakeholders, ultimately ensuring 66.6% of the network's stake. The vulnerability was publicly disclosed only after 70% of the network had implemented the patch.

ChainCatcher news, according to The Block, the Terra blockchain reported a security vulnerability in its network that led to token theft. An unknown attacker exploited a known vulnerability associated with a third-party module called IBC hooks, which facilitates cross-chain contract calls and token movements.The criminals used this vulnerability to steal the value of bridged assets, including the USDC stablecoin and Astroport tokens. Preliminary estimates suggest that tokens worth approximately $3 million may be affected.Upon discovering the incident, Terra implemented an emergency measure, temporarily halting the Terra chain at block height 11430400, during which transactions will not be processed. Terra will collaborate with validators on Terra (phoenix-1) and subsequently apply an emergency patch to fix the suspected vulnerability.

ChainCatcher news, according to Cointelegraph, cryptocurrency portfolio management company CoinStats has temporarily suspended user activity after 1,590 crypto wallets were affected by a security vulnerability.CoinStats wrote in an article on June 22: "The attack has been mitigated, and we have temporarily shut down the application to isolate the security incident."It added: "Thanks to the immediate incident response from the CoinStats team, only 1.3% of CoinStats wallets were affected, totaling 1,590 wallets, and the connected wallets and CEX were not impacted."CoinStats stated on its website that because it "requires read-only access to connected crypto wallets," users' assets are "completely safe under any circumstances." The platform allows users to connect all wallets and use them as a comprehensive crypto portfolio tracker, providing a one-stop view of all wallets.CoinStats released a Google document listing all currently affected crypto wallets. The document mentioned that as the investigation progresses, this list "may change," but no significant changes are expected. It stated: "If your wallet address is on this affected list, please transfer your funds immediately using your private key."

ChainCatcher news, the blockchain security agency CertiK announced on social media that a series of serious vulnerabilities were found on the Kraken exchange, which could lead to potential losses of hundreds of millions of dollars.CertiK's investigation revealed that Kraken's deposit system failed to effectively distinguish between different internal transfer statuses, posing a risk of malicious actors fabricating deposit transactions and withdrawing counterfeit funds. During testing, millions of dollars in fake funds could be deposited into Kraken accounts, and over $1 million in counterfeit cryptocurrency could be withdrawn and converted into valid assets, with the Kraken system triggering no alerts.After CertiK notified Kraken, Kraken classified the vulnerability as "Critical" and initially fixed the issue. However, CertiK pointed out that the Kraken security team subsequently threatened CertiK employees, demanding repayment of unmatched cryptocurrency within an unreasonable timeframe, without providing a repayment address. To protect user safety, CertiK decided to make this matter public, calling on Kraken to cease any threats against white hat hackers and emphasizing the need to address risks through collaboration to jointly safeguard the future of Web3.

ChainCatcher news, the technology website BlueDot has posted on the X platform stating that the instant messaging tool Telegram has a high-risk security vulnerability. Attackers only need to send specially crafted images, videos, or files to users, triggering the vulnerability without any interaction.This vulnerability falls under the categories of 0day and 0click vulnerabilities, with a very high level of risk. Users are advised to immediately disable the automatic download feature.

ChainCatcher news, Paradigm researcher Samczsun posted on social media that the security vulnerability reported by Twitter this morning has now been fixed. The technical summary is as follows: A reflected XSS and CORS/CSP bypass in Twitter subdomains allowed arbitrary requests to the Twitter API as a locally authenticated user.ChainCatcher previously reported that Paradigm researcher @samczsun pointed out a serious flaw in Twitter, where hackers could gain full access to accounts simply by clicking a link. This means that hackers could tweet, retweet, like, block, and more, but could not change the user's password. Before this issue was resolved, to protect their account security, users were advised to install the ad blocker uBlock Origin to reduce the risk of such attacks.

ChainCatcher news, the Web3 developer platform Thirdweb announced on social media that on November 21 at 10:00 AM Beijing time, a security vulnerability was discovered in commonly used open-source libraries in the Web3 industry. This will affect various smart contracts in the Web3 ecosystem, including some of Thirdweb's pre-built smart contracts.According to the investigation so far, the vulnerability has not been exploited in any ThirdWeb smart contracts. However, smart contract owners must take mitigation measures for certain pre-built contracts created on ThirdWeb before 11:00 AM Beijing time on November 23. Affected pre-built contracts include but are not limited to DropERC20, ERC721, ERC1155 (all versions), and AirdropERC20.

ChainCatcher message, the Safe team announced that a security issue has been found in its 4337 Canonical module v0.1.0. The official urgently requests all teams using this version to immediately discontinue its use and wait for the review of version v0.2.0 to be completed.It is reported that the review of version v0.2.0 is expected to be completed next week, which will bring additional features.

ChainCatcher news, regarding the "potential 'fake recharge' risk of the LDO Token contract," Lido Finance stated that although hackers allegedly exploited known security vulnerabilities in the LDO token contract, both LDO and stETH tokens remain secure. Lido did not confirm any vulnerabilities but acknowledged that security issues are known.According to ChainCatcher's news yesterday, based on on-chain intelligence from the Slow Mist security team, there is a potential "fake recharge" risk in the LDO Token contract, and malicious attackers may attempt to exploit this feature for fraudulent activities.

ChainCatcher news, the DeFi insurance protocol InsurAce officially announced on Twitter that its Discord server currently has a security vulnerability. The InsurAce team discovered unauthorized access earlier today, and the team is taking this incident very seriously and is working to rectify the situation. In the meantime, users are advised not to interact with the server.

ChainCatcher message, EOS EVM releases version v0.4.2, fixing a critical security vulnerability found in EOS EVM. The EOS EVM contracts, EOS EVM nodes, and EOS EVM RPC components implemented on the EOS mainnet have been patched before this version release. (source link)

ChainCatcher message, Edge wallet indicates that a security vulnerability has been found in its application, which leaked approximately 2000 private keys by sending them to Edge infrastructure, amounting to about 0.01% of the total keys created on the Edge platform. Edge is continuing its investigation, including deep device forensics, to determine whether malware could access unencrypted private keys on the disk.Edge states that private keys are leaked once users perform the following two actions: entering one of the available options in the "Buy" or "Sell" tabs in the bottom navigation bar: Bity, Wyre, Bitrefill, Ionia, Xanpool, LibertyX, Bitaccess, Bits of Gold, Banxa; using the "Upload Logs" feature in Edge to send logs to the Edge server. If the upload is completed after entering one of the buy/sell options, the logs will contain private keys. (Source link)

ChainCatcher news, according to Slow Mist intelligence, due to the weak entropy issue in versions prior to Mina JavaScript client-sdk v1.0.1, multiple users in the community have reported that their wallet private keys have been stolen. The Slow Mist security team has investigated and found that wallets created using Clorio Wallet v0.1.1 and Clorio Wallet v0.1.0 are at risk of being compromised.It is recommended that users who have created wallets using Clorio Wallet v0.1.1 or Clorio Wallet v0.1.0 (May 28, 2021) ensure that they update their wallets to the latest version (Clorio Wallet v1.0.0) and recreate new wallet addresses, transferring funds to the newly created wallet addresses to ensure asset security. The vulnerable wallet versions are Clorio Wallet < v0.1.2, and the vulnerable client-sdk version is o1labs/client-sdk < 1.0.1. (source link)