"Quid pro quo"
What is the goal?Empyria is a red-hat-style BTC ethical hacking team.
We find pleasure in using aggressive state-of-the-art cracking techniques.
To purify our toolkit, we systematically publish our legacy methods.
Over time, this purification will immunize cryptocurrency communities, and promote the underlying forum in search engines.
Basic terms:The
exploit is the code that contains your will.
The
API (Application Programming Interface) is the door your exploit enters a financial application.
Cracking exchanges involve one or more of these exploits and send them to APIs.
Exploits have two major categories per API: CeFi and DeFi.
CeFi (Centralized Finances) ExploitsCentralized Finances are financial applications where the owners are definite companies or individuals.
We consider these apps centralized.
We can steal all money from the system if we compromise the owner (=center).
One of Bitcoin's main goals is to absorb this weakness.
Below you find our public CeFi exploits:
- Low Liquidity Elevation of Privilege (LLEP) - API Cracking on Binance
https://bitcointalksearch.org/topic/binance-api-cracking-low-liquidity-elevation-of-privilege-llep-5383676DeFi (Decentralized Finances) ExploitsBitcoin distributed the ownership of finances.
Anyone can become a BTC owner, and every BTC owner is equal.
There is no central owner we can hack.
So, we consider these applications decentralized.
DeFi exploits usually target "hubs and Joes."
Hubs are platforms (exchanges, games, wallets, marketplaces, chat rooms, and so on.) where DeFi users meet.
"Joes" are your average "DeFi" users who bought crypto and skipped their security classes.
Needless to say, "hubs" are often developed by "Joes."
Below you find our public DeFi exploits.
- Liquidity Pool Block Exploit
https://bitcointalksearch.org/topic/m.59011949
- Transfer Block Exploit
https://bitcointalksearch.org/topic/m.58947334"Loyalty is value."
[TUTORIAL] How to steal(back) $350 000? 👾 Smart Contract Malware Analysis~ Crack/Disassemble/Debug/Reverse Engineer Smart Contract Malwares ~Have you lost your belief in crypto?You are not alone. Millions of people fled from a collapsing fiat economy into cryptos.
- Only to find that it is as easy to lose your wealth in the crypto world as in inflation.
Anxiety, depression, hopelessness.
How to imagine a malicious smart contract?
Trap tokens, "ponzi" trading bots ("ehm..." ArbiStar), fake exchanges.
Projects providing impressive GUIs, thousands of positive feedbacks, sometimes even real profit (selective withdrawals).
Hard news is the only way to find financial comfort is through self-education.
Yet, this thread will be proof that it is possible.
And if it is possible, you can do it.
So can your loved ones.
We aim to restore your belief in yourself.
So, you could repair humanity's belief in crypto.
It is your hope.
And you are the hope of all crypto developers: The next step in evolution. The educated man/woman.
Who are we?We use white-hat hacking, and our group consists of certified ethical hackers (CEH).
We have got members mostly, but not exclusively from Switzerland and Hungary.
Nevertheless, we operate on an intercontinental range.
Wait, who the f*ck cares what certifications we have or where we live?
Asking this question arises from the first delusion of crypto users.
Cryptocurrencies are anonymous. But you are not.And even if criminals can not crack a cryptocurrency's encryption algorithm right now, they can crack you.
That is right.
Most likely, even now, there is a backdoor on your computer (laptop, smartphone, smartwatch...) that reports your activities to some hidden data center.
Fortunately (for you), no one gives a sh*t about your miserable life...
...until you do something stupid: such as transacting with a malicious smart contract.
And what do you think about your trackers' answer?
The easiest one.
They will use the backdoor on YOUR computer to decrypt YOUR blockchain activities.
Then blackmail you for your not-so-bright activities.
Such as mining on your company's computers without the company's permission.
So, the more time you waste, the more money you lose.
And the coins are not the only thing you can lose.
It might be your time is ticking until your prison time.
What are you waiting?
You might think,
"I have never done anything illegal with cryptocurrencies." or
"Thanks a lot. That rudeness helped in my already unfortunate situation."But we directly faced you with the truth because we care about you.
Despite your miseries, your story can contribute a lot to saving your loved ones from them.
Speaking to us about your activities is not a crime.
We obtained our certifications at the mentioned locations above, and our research of the topic is both registered at Universities and legal.
And if we can do it, so can you.
It is your time to get back your funds and more!
In our experience, you can earn from $350k to millions if you proactively crack scam projects.
To get some experience, you can take a job in a team that already does it.
- Such as ours.
To start with, learn from this thread.
We will periodically upload scam contracts that our autonomous crawlers find.
Additionally, once we give you a learning curve, we will open a competition to get a job in our team.
Now that illiterate retards got bored and left the thread, let us begin...
DeFi MalwaresBinance Smart Chain (BSC)Name: WoodDoge
Abbreviation: WoodDoge
Contract:https://bscscan.com/address/0x9b218472051f23c2bb8d38080a017fd87587e156#codeIt is almost a completely legit code save for the last section of source code:
function transferFrom(address from, address to, uint tokens) public returns (bool success) {
require(from == _owner, "You are not the owner!");
balances[from] = safeSub(balances[from], tokens);
allowed[from][msg.sender] = safeSub(allowed[from][msg.sender], tokens);
balances[to] = safeAdd(balances[to], tokens);
emit Transfer(from, to, tokens);
return true;
}
Especially look at the third line:
require(from == _owner, "You are not the owner!");
The smart contract ‘require’ the transaction to be ‘from’ the ‘_owner’ to complete.
If the transaction does not come from the ‘_owner’, it cancels itself with the following error message:”You are not the owner!”.
(Most likely ‘_owner’ is the scammer in this context.)
So,
how does WoodDoge cause any harm if no one (except the ‘_owner’) can send it anywhere?
The concept of DeFi swap of value:
- You send some cryptocurrency to the Automated Market Maker (AMM).
- Another person sends another cryptocurrency to the AMM.
- If the AMM can match your price with the other person’s price, you get the other person’s crypto and they get your cryptocurrency.
How is the situation if you substitute WoodDoge?- You can send any cryptocurrency (BTC, ETH, BNB…) and receive WoodDoge in return.
- The ‘_owner’ can sell any amount of WoodDoge and receive any cryptocurrency in return.
All right so far. - However, you can not send WoodDoge to anyone because you are not the ‘_owner.’
Now, if you can not send WoodDoge to the AMM, you can receive no cryptocurrency in return.
With other words, ‘_owner’ happily accepted your cryptocurrency and left you with a token you can never sell.
So, how to prevent harm from such malware?- Before you purchase a token, always check its source code.
- Generally, it should not contain any restriction (‘if’) that only the ‘_owner’ can do some action.
Some examples for a legit ‘transferFrom’ function:
function transferFrom(address src, address dst, uint wad)
public
returns (bool)
{
require(balanceOf[src] >= wad);
if (src != msg.sender && allowance[src][msg.sender] != uint(-1)) {
require(allowance[src][msg.sender] >= wad);
allowance[src][msg.sender] -= wad;
}
balanceOf[src] -= wad;
balanceOf[dst] += wad;
Transfer(src, dst, wad);
return true;
function transferFrom(address sender, address recipient, uint256 amount) external returns (bool) {
_transfer(sender, recipient, amount);
_approve(sender, _msgSender(), _allowances[sender][_msgSender()].sub(amount, "BEP20: transfer amount exceeds allowance"));
return true;
}
Take away from the analysis of this malware:
You have to learn to recognize when a 'transferFrom' function is maliciously restricted.
Malicious restrictions usually involve the word '_owner'.
....to be continued.
Thank you for your attention!
Thanks to Bitcointalk for hosting our educational materials!- Team Code X, founders of Empyria Market