April 2025 Exploit Analysis from Olympix

Recent weeks have seen sophisticated attackers exploit vulnerabilities in DeFi protocols, resulting in $2,025,000 in cumulative losses across three major incidents.

Recent Major Incidents:

1️⃣ Filament Finance (Sei Labs): $572K lost through price manipulation.
Root Cause: Artificially inflated token prices through fake orders and leveraged positions.
Attack Vector:
• Deployed multiple contracts to place large fake buy orders.
• Created undercollateralized leveraged positions.
• Crashed prices via fake sell orders, triggering self-liquidation at favorable rates.
Key Takeaway: Price oracle manipulation remains a systemic risk. Protocols must implement time-weighted average price (TWAP) checks and circuit breakers for outlier pricing.

2️⃣ Webkey (BSC): $737K extracted via parameter misconfiguration.
Root Cause: Misconfigured currentSaleInfo parameter enabled token purchases at artificially low prices.
Attack Vector:
• Exploited fixed low _price value in buy() function.
• Acquired wkeyDao tokens cheaply and dumped them at market rates on DEXs.
Key Takeaway: Administrative controls (e.g., mutable parameters) require multi-sig governance and real-time monitoring for unauthorized changes.

3️⃣ Venus (ZKsync): $716K compromised through exchange rate manipulation.
Root Cause: Donation attack to manipulate the wUSDM exchange rate.
Attack Vector:
• Borrowed 2,100 WETH via AAVE flash loan.
• Looped collateral deposits to borrow 2.6M wUSDM.
• Donated USDM to inflate the exchange rate, enabling profit extraction.
Key Takeaway: Isolate donation functions from collateral valuation logic. Implement borrow caps and flash loan-resistant checks.
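The Venus takeaway, as an added example (not code from Olympix, Venus or wUSDM): a simplified Python model showing that an exchange rate read from the raw token balance moves with a donation while an internally accounted rate does not, with a borrow cap and a per-update rate circuit breaker as backstops. All class and function names and all numbers are hypothetical and constructed for illustration.

```python
WAD = 10**18  # 18-decimal fixed point, as in typical ERC-20 math

class WrapperVault:
    """Constructed model of a share token wrapping an underlying asset."""
    def __init__(self):
        self.total_shares = 0
        self.accounted_assets = 0  # changes only through deposit()
        self.raw_balance = 0       # what balanceOf(vault) would report

    def deposit(self, assets):
        shares = assets * WAD // self.accounted_rate()
        self.total_shares += shares
        self.accounted_assets += assets
        self.raw_balance += assets
        return shares

    def donate(self, assets):
        self.raw_balance += assets  # direct transfer: no shares minted

    def _rate(self, assets):
        return assets * WAD // self.total_shares if self.total_shares else WAD

    def spot_rate(self):       # donation-sensitive: raw token balance
        return self._rate(self.raw_balance)

    def accounted_rate(self):  # donation-isolated: tracked deposits only
        return self._rate(self.accounted_assets)

def borrow_limit(shares, rate, collateral_factor, cap):
    """Collateral value times collateral factor, clamped by a borrow cap."""
    return min(shares * rate // WAD * collateral_factor // WAD, cap)

class RateGuard:
    """Circuit breaker: reject a rate that moved more than max_step_bps."""
    def __init__(self, rate, max_step_bps):
        self.rate, self.max_step_bps = rate, max_step_bps

    def update(self, observed):
        if abs(observed - self.rate) > self.rate * self.max_step_bps // 10_000:
            return self.rate, True   # keep last accepted rate, signal a trip
        self.rate = observed
        return observed, False

def scenario():
    vault, cf, cap = WrapperVault(), 8 * WAD // 10, 1_000_000 * WAD
    shares = vault.deposit(1_000_000 * WAD)
    vault.donate(500_000 * WAD)  # constructed donation: +50% raw balance
    naive = borrow_limit(shares, vault.spot_rate(), cf, cap)
    isolated = borrow_limit(shares, vault.accounted_rate(), cf, cap)
    _, tripped = RateGuard(WAD, 50).update(vault.spot_rate())
    return naive // WAD, isolated // WAD, tripped
```

With the balance-derived rate the limit rises until the cap stops it at 1,000,000; with the accounted rate it stays at 800,000, and the guard flags the 50% jump.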
Olympix
Data Security Software Products
New York, NY 967 followers
We are pioneering developer tooling for proactive web3 security
About us
Olympix is an early-stage startup changing the future of web3 security. Today security is approached via manual ex post facto audits; tomorrow security starts at runtime. As the pioneering developer tool for proactive Web3 security, we know that the most effective way to scale security is to embed it into development, which in turn can only be achieved by building exceptional developer tools and placing the developer’s needs first.
- Website: https://www.olympix.ai/
- Industry: Data Security Software Products
- Company size: 2-10 employees
- Headquarters: New York, NY
- Type: Privately Held
- Primary location: New York, NY 10013, US
Updates
-
Join Channi Greenwall tomorrow at 1:30 P.M. at Cornell Tech in NYC for a panel on Managing Crypto Risk in an Era of Growth and to discuss everything Web3.
-
-
Olympix reposted this
Big questions. Bigger ideas. And one packed agenda. This Friday, I’ll be speaking on a panel at Cornell Tech in NYC to dive into something that matters deeply to all of us 👉 The next chapter of crypto innovation in the U.S. It’s part of a full-day event with: • 50+ leaders from blockchain, fintech, Wall Street, tech, and academia • 700+ attendees from across the ecosystem • One shared focus → the future of digital finance I’ll be joining a stellar group at 1:30PM on the panel “Managing Crypto Risk in an Era of Growth” featuring: • Larry W. – PayPal • Adam Israel – Mesh • Channi Greenwall – Olympix • Mriganka Pattnaik – Merkle Science • Erin Bream – CoinTracker • And myself – Josh Peschko, CFA - Talos We’ll be unpacking the real risks, challenges, and opportunities in this new market cycle - and how top teams are navigating it all. The full agenda spans: 🔹 DeFi 🔹 Stablecoins 🔹 Payments 🔹 Crypto x AI 🔹 Onchain metrics 🔹 And more If you’re in NYC and building in this space — don’t miss it. (And if we haven’t met yet, come say hi 👋) See you Friday. #Crypto #Innovation #RiskManagement #DigitalAssets #Web3 #Fintech #CornellTech
Join us this Friday in NYC at Cornell Tech to discuss and debate the New Era of U.S. Innovation in Crypto. Have a look at our conference agenda details below! 50+ speakers from leading blockchain, Wall Street, tech, fintech and research institutions, and 300+ confirmed attendees. See you on Friday!

Agenda:
8am Registration & Breakfast
9:00am Opening Remarks
9:15am Opening Fireside
  Keith A. Grossman, Moonpay
9:30am Fireside: Crypto 2025 & Beyond
  Michael Sonnenshein, Securitize; Keith A. Grossman, MoonPay
10:00am Fireside: Next Chapter of Payments
  Vasant Prabhu, Visa; Michael Shaulov, Fireblocks
10:45am Fireside: Responsible Innovation
  Ken Coghill, New York State Department of Financial Services; Neil DeSilva, The Initiative for CryptoCurrencies & Contracts (IC3) and PayPal (fmr)
11:15am Fireside: Bridging Web 2 to Web 3
  Rich Widmann, Google; Yorke Rhodes III, Microsoft; Leigh Gallagher, Teneo
11:45am The New Technologies of Finance
  Cynthia Lo Bessette, Fidelity Investments; Nadine Chakar, The Depository Trust & Clearing Corporation; Puneet Singhvi, Citi Digital Assets (fmr)
12:15pm Lunch
1:00pm Live Podcast: The Chopping Block!
1:00pm Panel II: Navigating a Legal Sea Change in Crypto
  Andrew Siegel, Galaxy; Alexandra Scheibe, Steptoe LLP; TuongVy Le, Anchorage Digital (fmr); Michelle Ann Gitlitz, Change Agents Technologies Inc; Katherine Kirkpatrick Bos, StarkWare
1:30pm Panel: Managing Crypto Risk in an Era of Growth
  Larry W., PayPal BCDC; Adam Israel, Mesh; Channi Greenwall, Olympix; Josh Peschko, CFA, Talos; Mriganka Pattnaik, Merkle Science; Erin Bream, CoinTracker
2:00pm Fireside: Bringing the World On-Chain
  Emin Gun Sirer, Ava Labs; John Wu, Ava Labs
2:45pm Panel I: Winning the Stablecoin Race
  Walter Hessert, Paxos; Nassim Eddequiouaq, Bastion; Neil DeSilva, IC3 and PayPal (fmr); Adrian Wall, Digital Sovereignty Alliance; Alejandro Latorre, EY
2:45pm Panel II: Crypto x AI
  Lincoln Murr, Coinbase; Zach H., Akash Network; Nima Vaziri, Eigen Labs; Kuleen Nimkar, Solana
3:15pm Panel I: Metrics that Matter
  Rayhaneh Sharif-Askary, Grayscale; Jon Ma, Artemis; Eric Turner, CFA, Messari; Anais Rachel, Fidelity Investments; David Duong, CFA, Coinbase
3:15pm Panel II: DeFi: Today & Tomorrow
  Christopher N., Cumberland Labs; John Morrow, Gauntlet; Anjan Vinod, ParaFi; John Dagostino, Coinbase; Jeff Rundlet, CFA, Cryptio
3:15pm Panel III: Scaling the Onchain World: 1, 2 and 5 Years Out
  Natalie Golub, Coinbase; Katherine Wu, ENS Labs; Gil Rosen, Blockchain Builders Fund; Ravi Bakhai, HYPE
3:45pm IC3/Blockchain Accelerator Demo Session
  Ari Juels, The Initiative for CryptoCurrencies & Contracts (IC3)
  Presenting Teams: SpaceComputer, Sparsity, BitGPT, AgentBall, Prinx
-
-
5 Steps on Finding More Bugs as an SR:
1️⃣ Identify all functions that modify state variables and trace their interactions.
2️⃣ Track exactly how assets move within the system, with a particular focus on deposit and withdrawal paths.
3️⃣ Document who the trusted actors are and where validation occurs.
4️⃣ Map out potential attack vectors based on protocol architecture.
5️⃣ Review all imported libraries and external contracts.
-
-
The Reality of Smart Contract Audit Contests

Finding bugs is just the first hurdle - winning contests requires a much more comprehensive approach.

A More Realistic Path Forward

Consider this approach:
• Start by submitting high-quality findings, even if they don't win.
• Focus on thorough documentation and clear communication.
• Engage constructively with judges and protocol teams.
• Many established auditors are open to collaboration.
• Join security communities like Immunefi's Discord or Code4rena.
• Contribute to open discussions about vulnerabilities.
• Focus on a specific area (flash loans, MEV, cross-chain bridges, etc.).
• Build expertise in particular contract patterns or ecosystems.
• Create tools that automate parts of your workflow.

Your New Blueprint:
Join a team → Learn the ropes.
Master PoC scripting → Prove, don’t assume.
Study past contests → Decode judging patterns.

The solo win will come, but first, embrace the grind.
-
-
Audit Effectiveness and Mental Fatigue

Even when examining high-stakes contracts with millions in TVL, effectiveness diminishes after 5 to 6 hours of focused work. Critical vulnerabilities, such as reentrancy issues, incorrect access controls, or price manipulation vectors, are typically discovered during periods of peak mental clarity. Forcing additional hours when mentally exhausted tends to produce lower-quality findings or missed vulnerabilities. The highest-impact findings often come from "fresh eyes" at the beginning of an audit session.

For those developing their auditing skills:
• Start with shorter, focused sessions (2-3 hours) and gradually build up.
• Schedule regular breaks to process findings subconsciously.
• Maintain a consistent sleep schedule – mental clarity is your most valuable asset.
• Create a separation between audit work and personal life.

Claims of 12-hour audit marathons are either:
• Diluted focus (scrolling X, half-hearted code review).
• Genetic freaks with abnormal dopamine/neurotransmitter profiles (rare).
• Amphetamines or nootropics to brute-force attention (unsustainable and dangerous).

Reality: The brain’s prefrontal cortex (responsible for logic/focus) fatigues after ~4 hours of intense use. Beyond that, error rates spike—a disaster when auditing code securing billions.
-
-
For security researchers willing to invest in learning Cairo now, the potential upside is substantial:
• Less competition for audit work.
• Higher compensation due to scarce expertise.
• Opportunity to define best practices.
• First-mover advantage as the ecosystem grows.

Those who became experts early established reputations and practices that positioned them as leaders for years afterward.
-
-
The EVM Padding behavior becomes particularly important when:
• Analyzing off-chain signatures - Signature schemes must account for this padding.
• Processing function selectors - The first 4 bytes identify the function.
• Implementing assembly-level optimizations - Manual calldata manipulation requires understanding this padding.
• Designing proxy contracts - Delegatecall patterns need to handle calldata precisely.

When auditing contracts that use low-level calldata manipulation, always verify that developers properly account for this 32-byte alignment, especially when using assembly to process inputs.

The EVM’s 32-byte alignment ensures processing efficiency, but requires developers to design parameters strategically to minimize gas costs. By packing data and leveraging fixed-size types, you can optimize calldata usage, reduce transaction fees, and enhance contract performance.
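The alignment check described above, as an added example (not code from Olympix): a Python validator that splits calldata into the 4-byte selector and 32-byte words and rejects truncated argument data or an address word whose 12 padding bytes are not zero. The helper names and the sample address are constructed; 0xa9059cbb is the standard ERC-20 transfer(address,uint256) selector.

```python
TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")  # transfer(address,uint256)

def encode_transfer(to: bytes, amount: int) -> bytes:
    """Build well-formed calldata: selector + two left-padded 32-byte words."""
    return TRANSFER_SELECTOR + to.rjust(32, b"\x00") + amount.to_bytes(32, "big")

def split_calldata(data: bytes):
    """Return (selector, words); argument data must be a multiple of 32 bytes."""
    if len(data) < 4:
        raise ValueError("calldata shorter than a 4-byte selector")
    selector, args = data[:4], data[4:]
    if len(args) % 32:
        raise ValueError(f"argument data is {len(args)} bytes, not 32-byte aligned")
    return selector, [args[i:i + 32] for i in range(0, len(args), 32)]

def decode_address(word: bytes) -> str:
    """An address occupies the low 20 bytes; the upper 12 must be zero."""
    if word[:12] != bytes(12):
        raise ValueError("dirty upper bytes in address word")
    return "0x" + word[12:].hex()

def decode_transfer(data: bytes):
    selector, words = split_calldata(data)
    if selector != TRANSFER_SELECTOR:
        raise ValueError("unexpected selector " + selector.hex())
    if len(words) != 2:
        raise ValueError(f"expected 2 argument words, got {len(words)}")
    return decode_address(words[0]), int.from_bytes(words[1], "big")

def check(data: bytes):
    """Return ('ok', decoded) or ('rejected', reason) without raising."""
    try:
        return "ok", decode_transfer(data)
    except ValueError as exc:
        return "rejected", str(exc)

# Constructed samples: a clean call, one truncated by a byte, one with a
# non-zero byte in the address padding.
GOOD = encode_transfer(bytes.fromhex("11" * 20), 1000)
TRUNCATED = GOOD[:-1]
DIRTY = GOOD[:4] + b"\xff" + GOOD[5:]

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("truncated", TRUNCATED), ("dirty", DIRTY)):
        print(name, check(sample))
```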
-
-
The fact that the audience in conversations on X believes "Hack Then Negotiate" is the more effective strategy highlights a concerning misalignment in the bug bounty ecosystem.

Several factors likely contribute to this perception:
1️⃣ Historical precedent of protocols offering larger rewards after funds have been taken.
2️⃣ Cases where responsibly disclosed vulnerabilities were downplayed or given minimal bounties.
3️⃣ The negotiating leverage created when a researcher already controls funds.

Until protocols treat security researchers as partners, not adversaries, the "Hack Then Negotiate" model will dominate.
-
-
When you spend extended time with a single protocol, several critical things happen:
• You begin to understand the unique economic models and attack vectors specific to that system.
• You can trace complex interaction flows across multiple contracts.
• You start seeing beyond obvious vulnerabilities to subtle state inconsistencies.
• You can mentally model how different functions might interact in unexpected ways.

Some of the most devastating vulnerabilities found are only revealed after days of deep immersion in a codebase. Many critical bugs hide in the interaction between components that appear secure in isolation.

This approach does mean fewer payouts in the short term, but it significantly increases your chances of finding high-severity issues that others miss. It's a quality-over-quantity approach that ultimately builds a stronger reputation and leads to better outcomes for both you and the projects you audit.
-