A bug in the Solidity compiler (versions 0.8.29–0.8.35) causes the C3-linearized list of base contracts to be permanently reversed in memory when Warning 3495 (storage layout too close to end of storage) is emitted. The root cause is use of ranges::actions::reverse instead of ranges::views::reverse from the ranges-v3 library, which mutates the underlying container in place. This reversal corrupts inheritance-dependent behavior including constructor invocation order, state-variable initialization, super and virtual function resolution, and can cause silent miscompilations or internal compiler errors. The bug only affects contracts using a custom storage layout placed within the last 2^64 slots of storage AND using inheritance. A Sourcify scan found no deployed contracts meeting these conditions. The fix is available in Solidity 0.8.36, which replaces the mutating call with a non-mutating view.
Nguồn: https://soliditylang.org/blog/2026/07/09/inheritance-order-reversal-on-storage-end-warning-bug. 8sync News chỉ tóm tắt và dẫn link; bản quyền nội dung thuộc tác giả và nguồn gốc.
A comparison of five Ethereum payment gateways for businesses in 2026: NOWPayments, Coinbase, CoinGate, BitPay, and Coinremitter. Each is evaluated on ETH and ERC-20 stablecoin support, fee structures, settlement speed, and business-focused features like mass payouts and e-commerce integrations. NOWPayments is ranked first for high-volume merchants needing a full-stack crypto operations platform, while Coinbase suits simple non-custodial setups, CoinGate targets EU merchants needing MiCA compliance, BitPay serves enterprise fiat settlement needs, and Coinremitter appeals to small businesses seeking low fees.
When an AI agent can submit state-changing blockchain transactions without per-action human approval, the critical question shifts from capability to authority. The post argues that DAO governance provides the right framework for defining, enforcing, and revoking agent permissions when multiple parties share economic risk. It outlines a minimal authorization layer composed of four elements: explicit machine-readable permission scopes ratified by governance, hard contract-enforced limits that reject out-of-scope actions, fast-path multisig revocation bypassing governance timelocks, and a public on-chain authorization record with action logs. Real-world asset (RWA) tokenization exposes the boundary clearly — a DAO can govern on-chain exposure but cannot control off-chain issuer redemption. Existing standards (ERC-4337, EIP-7702, ERC-7579, ERC-8004) provide infrastructure pieces but no complete mandate. Major protocols like Aave, Arbitrum, and Uniswap have governance machinery that could be extended, but none currently publish a complete agent authorization process. The authorization record can prove what was permitted and logged, but cannot validate oracle integrity, custodian reserves, or legal compliance.
Smart contracts are blind — they rely entirely on external price oracles to make financial decisions. This creates a critical attack vector: oracle manipulation. By combining flash loans with spot-price oracle reads, an attacker can borrow millions, artificially inflate a token's price in an AMM pool within a single atomic transaction, drain a lending protocol's treasury using the fake price as collateral, then repay the flash loan — all without breaking any rules. The contract robs itself. TWAP oracles slow this attack but don't eliminate it on low-liquidity tokens. Real defenses require decentralized oracle networks aggregating many sources, circuit breakers that halt on abnormal price deviations, and cross-checking two independent oracles so an attacker must corrupt multiple data sources simultaneously.
A beginner-friendly walkthrough of what happens when a smart contract function is called on the EVM. Covers how Solidity compiles to bytecode, how function selectors identify which function to execute, and why contract execution starts at the beginning of runtime bytecode rather than jumping directly to the called function. Sets up a series on EVM internals including selector collisions, delegatecall, and proxy patterns.

Trail of Bits has expanded Mewt, their open-source mutation-testing engine, to support DAML — the language used for Canton Network smart contract applications. Mutation testing goes beyond code coverage by deliberately introducing small bugs (mutants) into code and checking whether the test suite catches them. DAML's built-in coverage only reports whether choices were exercised, not whether tests verify outcomes, making it easy to have 100% coverage while missing critical authorization bugs. Mewt adds two DAML-specific mutations targeting authorization primitives: Controller Party Swap (replacing one party in a controller clause) and Controller Party Removal (dropping a party from a multi-party controller list). A worked example shows how a payment contract with full coverage can still allow a seller to release funds without buyer confirmation — a surviving mutant that reveals a missing negative test. The tool uses tree-sitter-haskell grammar to parse DAML, requires only a simple mewt.toml config, and runs against existing test suites. Limitations include equivalent mutants and time cost scaling with suite size, making nightly/weekly cadence more practical than per-commit.

Source Defense researchers have discovered a Magecart digital skimming campaign that uses Ethereum smart contracts as command-and-control infrastructure. By storing routing information inside smart contracts rather than hardcoded domains, attackers can dynamically rotate infrastructure and evade takedown efforts. The campaign involves over 15 Ethereum smart contracts, multiple infrastructure clusters, and dozens of domains. The malware hijacks e-commerce checkout flows, clones payment elements, and harvests card data and personal information. Researchers warn that blockchain-based C2 makes disruption significantly harder, and that PCI DSS 4.0 compliance gaps and under-prioritized client-side security leave many organizations exposed.
Shadow Contracts are unverified, fund-less smart contracts that execute atomic DeFi attacks — flash loan, manipulate, extract, repay — in a single transaction, reverting entirely if unprofitable. The key insight is how Flashbots bundles eliminated the traditional cost of failed attacks: bundles that would revert are dropped off-chain before landing on-chain, meaning failed probes burn zero gas. This 'Zero-Risk Revert' inverts the entire risk calculus — when failure is free, the optimal strategy is to probe everything, every block, infinitely. The piece explains the mechanics with Solidity and JSON-RPC examples, then outlines four defenses: model an omniscient adversary, break atomicity with commit-reveal and TWAP oracles, use batch-auction settlement to eliminate ordering advantage, and route user transactions through private relays.
Blockchain explorers are far more than simple transaction lookup tools — they serve as the primary forensic interface for cryptocurrency investigations. This deep-dive covers how explorers index raw blockchain data, the differences between UTXO (Bitcoin) and account-based (Ethereum) forensic paradigms, transaction graphing and hopping analysis to trace illicit funds, de-anonymization via behavioral heuristics and temporal metadata, smart contract and DeFi exploit auditing, cross-chain capital flow tracing across bridge infrastructure, and how explorer data integrates into enterprise forensics and legal frameworks as immutable evidence.