GM! Buidlers

This edition of Hashingbit covers important updates in the world of web3. Ethereum is getting a potential efficiency boost with Vitalik Buterin's proposed EIP-7706 for a new call data gas type. Developments are also underway at Solana and EigenLayer. Sui users will soon be able to claim their own Web3 phone numbers. QuillCheck is expanding its services to include Base Chain tokens, allowing users to evaluate the risks of new crypto tokens before investing. The newsletter also brings attention to new developer tools available in the web3 space, such as Immunefi-terminal, Create Chimera App, eth easy, and MetaSleuth. Security remains a major concern, as highlighted by recent attacks on Sonne Finance ($20 million), Pump.fun ($1.9 million), and Pii Park (rug pull for $490,000). Hashingbit keeps you informed about the latest happenings in blockchain technology and security.

EtherScope: Core Developments 👨‍💻

  • Ethereum Ecosystem Value Prop

  • Ethereum has been increasingly inflationary for over a month as fees hit all-time low

  • Ethereum L2 Usage Surges

  • Ethereum gas under 5 gwei, the lowest daily average since February 2020

  • Why 4337 and 3074 authors are disagreeing, and who got it right

  • Vitalik Buterin drafts EIP-7706, proposing a new call data gas type for Ethereum

  • Paul O’Leary on how Polygon’s zkEVM will enhance Ethereum scalability

  • Ethereum account abstraction to catalyze crypto mass adoption

  • Grandine v0.4.0/1: optimizations, new attestations packer, in-memory mode, improved compatibility with other validator clients, integrations with Eth-docker & Ethereum on Arm

  • Geth v1.14.3: block processing & RPC API improvements

  • Etherscan: address poisoning attack explainer

  • Overview on based sequencing & preconfirmations

  • EIPs

    • EIP-7704 - Align incentives for access list provisioning

    • EIP-7706 - Separate gas type for calldata

    • EIP-7707 - Incentivize Access List Provisioning

EcoExpansions: Beyond Ethereum 🚀

  • Sui

    • The Move programming language on Sui incorporates three fundamental innovations

    • NetkiCorp Brings Digital Identity Verification Expertise to Sui, Enhancing Decentralized Financial Systems

    • ChainIDE Launches for SuiNetwork: Compile, Deploy, and Interact with Sui Move Contracts in Your Browser!

    • Claim your Web3 phone number – coming soon to Sui!

  • Eigen Layer

    • EigenLayer Opens Claims for Airdrop of EIGEN Token, Though It's Non-Transferable

    • EigenDA accepts staking delegations as Eigen token claims open

    • ICYMI - Check out Awesome AVS if you'd like to learn more about how to build on EigenLayer.

    • Omni Network: Using Eigenlayer to Unleash Ethereum Liquidity

    • EigenLayer Launches @buildoneigen for the Latest Ecosystem Updates!

  • Solana

    • Solana DEX Drift opens airdrop claims for 120 million tokens with bonus

    • Solana Devs, Wake Up! 🛠️🦀 Join the Free 6-Week Solana Bootcamp by @encodeclub Starting June 3rd!

    • Introducing Solana's First Liquidity Layer: The Evolution of Marginfi for Performant DeFi

    • Squads Validator is Now Live: Stake Your SOL Directly from the App

    • AgriDex & Solana Launch RWA Marketplace This Summer!

DevToolkit: Essentials & Innovations 🛠️

  • Forge-std v1.8.2: adds cheat codes including prompt, blobhashes & ensNamehash

  • Mastering Solidity: Control Structures And Error Handling

  • Solady (Solidity snippets): adds UpgradeableBeacon for ERC1967 beacon proxies

  • Frangio: Solidity compiler code generation for stack-based EVM & stack too deep errors

  • Viem experimental adds ERC6492 signature utilities

  • Slitherin (custom Slither detectors) v0.7.0: adds detectors for Arbitrum Chainlink sequencer uptime, read-only reentrancy with Balancer/Curve & price manipulation via token transfers

  • Betterscan: inspect verified contracts

  • Profiling Echidna found a memory leak in hevm

  • Guide to building a tracer using Geth for transactions involving a set of addresses

  • Etherscan converter tools: Base64, block & date, UTF-8 and method ID

Explore the Depths of Knowledge: Research Papers, Blogs and Tweets🔖

  • Twitter

    • Types of Smart Contract Design Patterns

    • Secureum RACE #29: answers to 8 question Solidity quiz

  • Articles

    • Vitalik Proposes EIP-7702 for Externally Owned Accounts

    • Exploring Consensus With Parallel Proposals: The Difference Between PBFT and BBCA-Chain

    • Mastering the Final Boss in Blockchain Scalability: State Growth

    • No-Code Blockchain Development: Pros and Cons

    • Omni Network: Using Eigenlayer to Unleash Ethereum Liquidity

    • Using Ethereum to Understand the Protocol Economy

  • Research Papers

    • Temporarily Restricting Solidity Smart Contract Interactions

    • T-Watch: Towards Timed Execution of Private Transaction in Blockchains

    • Cross-Blockchain Communication Using Oracles With an Off-Chain Aggregation Mechanism Based on zk-SNARKs

    • Permissioned Blockchain-based Framework for Ranking Synthetic Data Generators

    • BitVMX: A CPU for Universal Computation on Bitcoin

    • Implementation Study of Cost-Effective Verification for Pietrzak's Verifiable Delay Function in Ethereum Smart Contracts

  • Tools

    • eth easy! - easy-to-use, flexible, and blazing-fast toolkit that helps accelerate Ethereum development by 0xrusowsky. Recent features include ABI encoding/decoding and call data debugging. Very cool!

    • MetaSleuth adds support for Solana.


Web3 Security Watch 🛡️

  • Articles

    • Reentrancy attacks in smart contracts explained

    • Verifiable Compute: Scaling Trust with Cryptography

    • Cosmos IBC Reentrancy Infinite Mint

    • Blast Integration Bugs - Part 1

    • Hamburger Factory Validity

  • Research Papers

    • StateGuard: Detecting State Derailment Defects in Decentralized Exchange Smart Contract

    • BeACONS: A Blockchain-enabled Authentication and Communications Network for Scalable IoV

    • An Approach for Decentralized Authentication in Networks of UAVs

    • Foundational Verification of Smart Contracts through Verified Compilation

  • Twitter

    • Web3 Phishing Attacks you must know about

  • Tools

    • Immunefi-terminal - The only crypto bug bounty terminal you'll ever need by shortdoom.

    • Create Chimera App - A Foundry template by Recon-Fuzz that lets you bootstrap a fuzz testing suite using scaffolding provided by the Recon tool. It extends the default Foundry template used when running forge init to include example property tests, using the assertion tests and boolean property tests supported by Echidna and Medusa.

Hacks and Scams 🚨

  1. Sonne Finance

Loss ~$20M

  • Hackers stole $20 million in cryptocurrency from Sonne Finance on May 14th.

  • Hackers targeted USD Coin (USDC), Wrapped Ether (WETH), Velo (VELO), soVELO and Wrapped USDC (USDC.e).

  • Sonne Finance paused operations and is investigating ways to recover funds, including a bug bounty.

  • The hacker seems uninterested in negotiations and is moving stolen funds.

  • The hack exploited a known bug in Sonne's Compound v2 forks.

  • Sonne Finance is criticized for using the known vulnerable code.

  2. Pump.fun

Loss ~$1.9M

  • A former employee exploited pump.fun, a platform for creating Solana meme coins, resulting in a loss of nearly $2 million through a "bonding curve" attack.

  • The exploit involved the ex-employee leveraging their insider access to compromise the platform's internal systems.

  • Approximately $1.9 million was stolen out of a total of $45 million held in pump.fun’s bonding curve contracts.

  • Trading on the platform was temporarily halted but has since resumed, with assurances that the smart contracts remain secure.

  • To carry out the attack, the exploiter utilized flash loans on a Solana lending protocol to borrow tokens, which were then used to inflate the bonding curve.

  • A user named "STACCoverflow" is suspected to be involved, as hinted in cryptic posts suggesting foreknowledge of the incident.

  3. Pii Park

Loss ~$490K

  • A project called Pii Park (different from others with similar names) has likely run an exit scam.

  • Their token's value plummeted by around 99%, indicating a potential rug pull.

  • Investors lost approximately $490,000 throughout the project's existence.

Avoid rug pulls with QuillCheck's easy token safety checks on multiple chains.


  4. Predy Finance

Loss ~$464K

  • Hackers exploited a vulnerability on Predy Finance on Arbitrum, stealing ~$464,000.

  • Predy Finance is a DEX for perpetual trading and token swaps.

  • The exploit was due to a lack of access control in a function allowing anyone to add trading pairs.

  • Hackers added a fake pair, deposited funds, and then withdrew everything.

  • Some stolen funds (~$304,640) were bridged to Ethereum Mainnet.

  • Predy Finance acknowledged the exploit and offered a 10% bounty to return the funds.

  • They also disabled the vulnerable functions and advised users to revoke access.

Community Spotlight