ChainCatcher news, Aptos ecosystem DeFi project Thala has released the latest announcement stating: due to a security vulnerability attack on the latest V1 liquidity pool contract, assets worth 25 million USD have been stolen.Currently, Thala has suspended all related contracts and frozen Thala token assets (9 million USD MOD and 2.5 million USD THL). With the assistance of other institutions, an agreement has been reached with the attacker to recover all user assets through a 300,000 USD bounty.Affected users do not need to take further action; positions will be restored to 100% completeness. However, all related contracts and the Thala frontend will remain in a suspended state until deemed completely secure.

ChainCatcher news, Radiant Capital posted on X that after successfully restoring the lending market on the Ethereum mainnet this week, the lending market on the Base network has also been restored and is fully operational.The delay was due to the need for additional transactions after activating the time lock, involving the transfer of the emergency admin role to a new multi-signature wallet. This multi-signature wallet is now operational and is only used for emergencies, with permissions limited to pausing and resuming the market when necessary.Previous report, Radiant Capital's official social media post reviewed that the protocol experienced a highly complex security vulnerability on the 16th, resulting in a loss of $50 million. The attacker exploited multiple developers' hardware wallets through highly advanced malware injection.

ChainCatcher news, identity and access management software provider Okta officially stated that on October 30, 2024, an internal vulnerability was discovered in the AD/LDAP DelAuth when generating cached keys. The Bcrypt algorithm is used to generate cached keys, where we hash the combination string of userId + username + password. Under specific conditions, this can allow users to authenticate simply by providing a previously successfully authenticated stored cached key to the username.The prerequisite for this vulnerability is that the username must be equal to or exceed 52 characters each time a cached key is generated for the user. The affected products and versions are Okta AD/LDAP DelAuth as of July 23, 2024, and this vulnerability has been resolved in Okta's production environment on October 30, 2024.

ChainCatcher news, Fidelity recently submitted a document to the Maine Attorney General stating that 77,099 of its customers were affected by a data breach, which is just a small portion of its 51.5 million customer base.It stated that between August 17 and 19, an attacker used two recently established customer accounts to gain access to customer names and other personal identifiers. On August 19, when Fidelity first discovered the breach, unauthorized access was terminated.The company stated that it has received assistance from "external security experts" to address the issue. Fidelity emphasized that no third party accessed any Fidelity accounts.Fidelity stated that it will provide affected users with two years of free credit monitoring and identity recovery services, "to detect any unusual activity that may affect users' personal financial status."

According to ChainCatcher news, the official Bedrock announcement has released an analysis report on the uniBTC security vulnerability incident, which includes the following main points:The contract vulnerability has been confirmed and resolved;All assets are safe;Airdrop plan: All uniBTC holders can claim airdrop of 100 diamonds, and future TGE community airdrops will increase by 0.5%;The contract opening time will await official notification.

ChainCatcher news, VUSD announced on its Telegram channel that the Onyx Protocol has encountered a security vulnerability, resulting in the theft of over 13 million dollars worth of VUSD. Following the incident, the smart contract has been paused, and it has been confirmed that the VUSD codebase and reserves have no vulnerabilities.The hacker subsequently sold the stolen VUSD into liquidity pools, leading to a secondary market liquidity loss of approximately 1.5 million dollars. Malicious actors will be blacklisted according to the terms of service, and after the investigation is completed, the VUSD smart contract services will be restored, allowing participants to continue arbitraging. VUSD is still fully backed by over-collateralized assets, and institutional users can redeem and mint VUSD at market prices. VUSD is working with Onyx DAO and relevant authorities to identify the attackers and plans to explore the necessary licenses for retail redemptions in the future.It is reported that due to the theft affecting Onyx, VUSD briefly depegged and dropped to 0.6599 dollars.

ChainCatcher message, Pendle official released an analysis of the Penpie attack incident on the X platform.Earlier today, a security vulnerability targeting Penpie resulted in some fund losses. In response, Pendle quickly suspended the contract, effectively protecting approximately $105 million. After extensive efforts, the Pendle contract has now been restored and is operating normally. Funds on Pendle remain secure.The Pendle team assures that funds on Pendle are still safe and unaffected, and will continue to prioritize the secure operation of the platform.

ChainCatcher news, the yield aggregator for income-generating assets built on Pendle, Penpie, has announced the suspension of all deposit and withdrawal operations due to a security vulnerability. The Penpie team is working diligently to resolve this issue.

ChainCatcher news, according to Microsoft's official page, a serious security vulnerability has recently been disclosed in the Windows system, identified as CVE-2024-38063. This vulnerability affects all supported versions of Windows, including Windows 11, Windows 10, and several versions of Windows Server. The CVSS3.1 score for the vulnerability is 9.8, categorized as "critical." Attackers can remotely compromise devices and execute arbitrary code through specially crafted IPv6 packets. The vulnerability exists in the TCP/IP network stack of Windows and is a serious remote code execution flaw. Attackers can trigger the vulnerability and execute code remotely by repeatedly sending specially crafted IPv6 packets to Windows devices, without requiring user interaction or authentication. Microsoft strongly recommends that all users update to the latest version of Windows as soon as possible. Microsoft is releasing related patches to fix this vulnerability, and disabling IPv6 can temporarily prevent the exploitation of the vulnerability.

ChainCatcher news, according to The Block, Solana developers, validators, and client teams have come together to address a serious security vulnerability.Solana validator Laine stated that the process began on August 7, when the Solana Foundation contacted well-known network operators through private channels. This contact was part of a secret patching strategy aimed at preventing the vulnerability from being exploited in any way. The patch was provided through Anza engineers' GitHub repository, allowing operators to independently verify and apply the changes. As of 14:00 UTC on Thursday, August 8, detailed instructions for implementing the patch had been distributed to stakeholders, ultimately ensuring 66.6% of the network's stake. The vulnerability was publicly disclosed only after 70% of the network had implemented the patch.

ChainCatcher news, according to The Block, the Terra blockchain reported a security vulnerability in its network that led to token theft. An unknown attacker exploited a known vulnerability associated with a third-party module called IBC hooks, which facilitates cross-chain contract calls and token movements.The criminals used this vulnerability to steal the value of bridged assets, including the USDC stablecoin and Astroport tokens. Preliminary estimates suggest that tokens worth approximately $3 million may be affected.Upon discovering the incident, Terra implemented an emergency measure, temporarily halting the Terra chain at block height 11430400, during which transactions will not be processed. Terra will collaborate with validators on Terra (phoenix-1) and subsequently apply an emergency patch to fix the suspected vulnerability.

ChainCatcher news, according to Cointelegraph, cryptocurrency portfolio management company CoinStats has temporarily suspended user activity after 1,590 crypto wallets were affected by a security vulnerability.CoinStats wrote in an article on June 22: "The attack has been mitigated, and we have temporarily shut down the application to isolate the security incident."It added: "Thanks to the immediate incident response from the CoinStats team, only 1.3% of CoinStats wallets were affected, totaling 1,590 wallets, and the connected wallets and CEX were not impacted."CoinStats stated on its website that because it "requires read-only access to connected crypto wallets," users' assets are "completely safe under any circumstances." The platform allows users to connect all wallets and use them as a comprehensive crypto portfolio tracker, providing a one-stop view of all wallets.CoinStats released a Google document listing all currently affected crypto wallets. The document mentioned that as the investigation progresses, this list "may change," but no significant changes are expected. It stated: "If your wallet address is on this affected list, please transfer your funds immediately using your private key."

ChainCatcher news, the blockchain security agency CertiK announced on social media that a series of serious vulnerabilities were found on the Kraken exchange, which could lead to potential losses of hundreds of millions of dollars.CertiK's investigation revealed that Kraken's deposit system failed to effectively distinguish between different internal transfer statuses, posing a risk of malicious actors fabricating deposit transactions and withdrawing counterfeit funds. During testing, millions of dollars in fake funds could be deposited into Kraken accounts, and over $1 million in counterfeit cryptocurrency could be withdrawn and converted into valid assets, with the Kraken system triggering no alerts.After CertiK notified Kraken, Kraken classified the vulnerability as "Critical" and initially fixed the issue. However, CertiK pointed out that the Kraken security team subsequently threatened CertiK employees, demanding repayment of unmatched cryptocurrency within an unreasonable timeframe, without providing a repayment address. To protect user safety, CertiK decided to make this matter public, calling on Kraken to cease any threats against white hat hackers and emphasizing the need to address risks through collaboration to jointly safeguard the future of Web3.

ChainCatcher message, Cosmos Hub stated on the X platform at 4:32 AM today that Cosmos Hub is experiencing a temporary chain interruption. Subsequently, in a follow-up post, it indicated that during the v17 upgrade, Hub validators patched a security vulnerability in the Liquid Staking Module (LSM).After most validators implemented the patch for the vulnerability, Cosmos Hub stated a few minutes ago that the previous issue has been resolved, and Cosmos Hub is generating blocks again. Informal Systems and Hypha Cosmos will release a post-mortem analysis containing all the details as soon as possible.

ChainCatcher message, Hedgey Finance stated on social media that the recent security vulnerability only involved Hedgey's platform and did not affect NobleBlocks. Users participating in the PinkSale token sale were not impacted.It is reported that this incident resulted in the loss of $1.9 million worth of NOBL tokens. Hedgey stated that the company is fully supporting the community and is working with law enforcement to track and recover the funds.

ChainCatcher news, the technology website BlueDot has posted on the X platform stating that the instant messaging tool Telegram has a high-risk security vulnerability. Attackers only need to send specially crafted images, videos, or files to users, triggering the vulnerability without any interaction.This vulnerability falls under the categories of 0day and 0click vulnerabilities, with a very high level of risk. Users are advised to immediately disable the automatic download feature.

ChainCatcher news, GAMEE Token tweeted that the GMEE token contract on Polygon was accessed without authorization via GitLab a few hours ago, resulting in the theft of 600 million GMEE tokens. The attacker then exchanged the tokens for Ethereum and MATIC.The official statement indicates that the vulnerability only affected the proprietary team token reserves, and no community-owned assets were stolen. The team has currently blocked all unauthorized access to the token contract.

ChainCatcher message, GoPlus has issued a risk alert on social media stating that the high-risk zero-day vulnerability in Chrome (CVE-2024-0519) has been fixed, and users are advised to update to the latest version promptly.It is reported that this vulnerability can be exploited by attackers to access data beyond the memory buffer, potentially leading to the disclosure of sensitive information or causing crashes, or executing code in conjunction with other vulnerabilities.

ChainCatcher news, Paradigm researcher Samczsun posted on social media that the security vulnerability reported by Twitter this morning has now been fixed. The technical summary is as follows: A reflected XSS and CORS/CSP bypass in Twitter subdomains allowed arbitrary requests to the Twitter API as a locally authenticated user.ChainCatcher previously reported that Paradigm researcher @samczsun pointed out a serious flaw in Twitter, where hackers could gain full access to accounts simply by clicking a link. This means that hackers could tweet, retweet, like, block, and more, but could not change the user's password. Before this issue was resolved, to protect their account security, users were advised to install the ad blocker uBlock Origin to reduce the risk of such attacks.