This is the farcaster instantiation of the great and lindy ETHSecurity community which exists on Telegram and elsewhere.

Main

ETHSecurity Community

important PSA regarding OpSec!

Pls read this before we get another 1.5b hack

🚨 There are some crazy threat actors lurking among us

This guy “Nick” has a year+ persona, is hanging out in the infamous ethsec tg, and has multiple long-running dms open with multiple (legit) security researchers.

If you opened his “PDF” pls turn off your computer NOW.

important PSA regarding OpSec!

Pls read this before we get another 1.5b hack

https://x.com/tayvano_/status/1904942559673397335

Another @TheSecureum race, designed by our @trooocher - give it a shot! https://t.co/LGGc5XazKB

Let's say you are making a local web3 frontend. Is it safe to use localStorage on .localhost websites to store keys? Why/why not?

I have a bunch of this new NFC cards BurnerOS by ArcX… it’s neat, but I wonder:
How trivial is to exfiltrate the private key? There has to be a threshold of assets secured at which it makes upgrades to a stronger solution.

To all the bug hunters, who’s the best protocol handling their bug bounty program and why?

FYI if you're using tj-actions/changed-files in your GitHub Actions workflows. Nasty credential exfiltration attack impacting up to ~23k public repos
https://github.com/tj-actions/changed-files/issues/2463

Why by the way, this is a fun read.

https://gwern.net/death-note-anonymity

Switching to macOS? Here's Your Ultimate Security Guide!

Switching to macOS? Here's Your Ultimate Security Guide!

https://officercia.mirror.xyz/Q00JH0s86d4KMS43cyqNxbl3VIM2s30qtwYfdSTXywE

we saw a recent increase in scams inviting people to participate in podcasts. 
pretty well structured, message is coming from accounts that seem legit. 

both my cofounder and me have been targeted by multiple accounts already (good luck scammers).
 
be careful out there

New blog post by @johnlawniczak just dropped!

We talk about security issues we found in both smart contracts and traditional web2 software. One of these was a malware in a Go package that went undetected for over 3 years! 

"We’re in the middle of a software security arms race—hackers are adopting new tricks every day. As cyberattacks become more sophisticated, @almanax is leveraging LLMs to detect hidden threats in smart contracts and software supply chains once deemed impossible to catch."

Full blog post here: https://www.almanax.ai/post/from-smart-contracts-to-supply-chains-how-almanax-is-uncovering-hidden-threats-in-code

I came across a protocol that's done over $100M+ in volume with big customer names, but their frontend auth is poorly designed. They're exposing WebAuthn details, which isn't the main issue — it's the fact that they're also leaking customer emails. This opens the door for social engineering attacks, making it far too easy for attackers to target them.

If you're a non-custodial protocol, avoid advertising your customers — especially if I can easily identify which users are using your system and whether they have admin-level access.

The largest theft in human history, broken down in one simple diagram (ByBit hack, Feb 2025).

Surpassing even Saddam Hussein’s infamous 2003 bank heist, where he stole nearly $1 billion.

@safe

https://warpcast.com/blainemalone/0xf2cacf58

An open letter to anyone who wants better safer onchain ui/ux especially in light of the safe hack 

https://x.com/fucory/status/1895155571894165681?s=46&t=ZtDaR85ib6evdD45FLpEmQ

Do north korean hackers go to crypto conferences?

The Safe site was actually compromised!!!

We originally speculated that it was the exchange user's computers that were hacked, but it looks like it was the Safe UI the whole time!

The fix is still the same, use the Cyfrin/safe_tx_hashes tool. 

https://youtu.be/suFhAXWzGlg