Smart contracts are blind — they rely entirely on external price oracles to make financial decisions. This creates a critical attack vector: oracle manipulation. By combining flash loans with spot-price oracle reads, an attacker can borrow millions, artificially inflate a token's price in an AMM pool within a single atomic transaction, drain a lending protocol's treasury using the fake price as collateral, then repay the flash loan — all without breaking any rules. The contract robs itself. TWAP oracles slow this attack but don't eliminate it on low-liquidity tokens. Real defenses require decentralized oracle networks aggregating many sources, circuit breakers that halt on abnormal price deviations, and cross-checking two independent oracles so an attacker must corrupt multiple data sources simultaneously.
Nguồn: https://coinsbench.com/i-watched-a-contract-rob-itself-of-50m-nobody-hacked-it-dfbbe98a9219. 8sync News chỉ tóm tắt và dẫn link; bản quyền nội dung thuộc tác giả và nguồn gốc.
When an AI agent can submit state-changing blockchain transactions without per-action human approval, the critical question shifts from capability to authority. The post argues that DAO governance provides the right framework for defining, enforcing, and revoking agent permissions when multiple parties share economic risk. It outlines a minimal authorization layer composed of four elements: explicit machine-readable permission scopes ratified by governance, hard contract-enforced limits that reject out-of-scope actions, fast-path multisig revocation bypassing governance timelocks, and a public on-chain authorization record with action logs. Real-world asset (RWA) tokenization exposes the boundary clearly — a DAO can govern on-chain exposure but cannot control off-chain issuer redemption. Existing standards (ERC-4337, EIP-7702, ERC-7579, ERC-8004) provide infrastructure pieces but no complete mandate. Major protocols like Aave, Arbitrum, and Uniswap have governance machinery that could be extended, but none currently publish a complete agent authorization process. The authorization record can prove what was permitted and logged, but cannot validate oracle integrity, custodian reserves, or legal compliance.
A beginner-friendly walkthrough of what happens when a smart contract function is called on the EVM. Covers how Solidity compiles to bytecode, how function selectors identify which function to execute, and why contract execution starts at the beginning of runtime bytecode rather than jumping directly to the called function. Sets up a series on EVM internals including selector collisions, delegatecall, and proxy patterns.

Trail of Bits has expanded Mewt, their open-source mutation-testing engine, to support DAML — the language used for Canton Network smart contract applications. Mutation testing goes beyond code coverage by deliberately introducing small bugs (mutants) into code and checking whether the test suite catches them. DAML's built-in coverage only reports whether choices were exercised, not whether tests verify outcomes, making it easy to have 100% coverage while missing critical authorization bugs. Mewt adds two DAML-specific mutations targeting authorization primitives: Controller Party Swap (replacing one party in a controller clause) and Controller Party Removal (dropping a party from a multi-party controller list). A worked example shows how a payment contract with full coverage can still allow a seller to release funds without buyer confirmation — a surviving mutant that reveals a missing negative test. The tool uses tree-sitter-haskell grammar to parse DAML, requires only a simple mewt.toml config, and runs against existing test suites. Limitations include equivalent mutants and time cost scaling with suite size, making nightly/weekly cadence more practical than per-commit.
Shadow Contracts are unverified, fund-less smart contracts that execute atomic DeFi attacks — flash loan, manipulate, extract, repay — in a single transaction, reverting entirely if unprofitable. The key insight is how Flashbots bundles eliminated the traditional cost of failed attacks: bundles that would revert are dropped off-chain before landing on-chain, meaning failed probes burn zero gas. This 'Zero-Risk Revert' inverts the entire risk calculus — when failure is free, the optimal strategy is to probe everything, every block, infinitely. The piece explains the mechanics with Solidity and JSON-RPC examples, then outlines four defenses: model an omniscient adversary, break atomicity with commit-reveal and TWAP oracles, use batch-auction settlement to eliminate ordering advantage, and route user transactions through private relays.
Blockchain explorers are far more than simple transaction lookup tools — they serve as the primary forensic interface for cryptocurrency investigations. This deep-dive covers how explorers index raw blockchain data, the differences between UTXO (Bitcoin) and account-based (Ethereum) forensic paradigms, transaction graphing and hopping analysis to trace illicit funds, de-anonymization via behavioral heuristics and temporal metadata, smart contract and DeFi exploit auditing, cross-chain capital flow tracing across bridge infrastructure, and how explorer data integrates into enterprise forensics and legal frameworks as immutable evidence.
Khi kiểm toán hợp đồng thông minh Solidity, việc đầu tiên cần xem xét là phép chia nguyên (integer division) vì nó tự động cắt bỏ phần dư, dẫn đến lỗi chính xác có thể ảnh hưởng đến lợi ích người dùng. Các mẫu dễ bị tấn công thường gặp trong tính toán phần thưởng hoặc tỷ lệ chia sẻ, và giải pháp thường là sắp xếp phép nhân trước phép chia.
Một lập trình viên nên đọc bài này để tránh các lỗi precision không mong muốn trong các tính toán chia nguyên số trong Solidity, đặc biệt khi thiết kế hệ thống phân phối thưởng, lợi nhuận hoặc các giao dịch quy mô lớn.
Một nhà phát triển xây dựng nền tảng escrow Web3 không tốn gas dựa trên milestone trong 20 giờ trên Base Sepolia, kết hợp hợp đồng thông minh Solidity với Firebase Firestore để đồng bộ giao diện theo thời gian thực. Quá trình gỡ lỗi gặp khó khăn do quy tắc bảo mật Firestore quá phức tạp gây ra điều kiện tranh chấp xác thực, sau đó được khắc phục bằng cách đơn giản hóa quy tắc. Bài viết chia sẻ kinh nghiệm như trì hoãn đăng ký subscription cho đến khi kết nối ví được xác nhận và luôn truyền callback lỗi cho trình nghe Firestore.
Lập trình viên Web3 nên đọc bài này để tránh gặp phải các lỗi an toàn và hiệu suất như auth race condition từ Firestore khi thiết kế giao diện thực thời mà không kiểm soát kỹ quy tắc bảo mật, và học cách tối ưu hóa từ các giải pháp MVP đơn giản hơn.
Polymarket confirmed hackers stole approximately $3 million in cryptocurrency from over 11 users after a third-party vendor was compromised, injecting malicious code into the prediction market's frontend. The stolen funds were bridged from Polygon to Ethereum and converted into roughly 1,893 ETH. Polymarket says it has contained the incident and is refunding affected users in full. The attack was a supply chain compromise — no core smart contracts were exploited. The breach is the latest in a string of bad news for Polymarket, which also faced a separate $520K smart contract drain in May, a Wall Street Journal investigation into deceptive promotional videos, a Google engineer insider trading charge, regulatory blocks in multiple countries, and a $345 million governance dispute.