Move is a programming language specifically designed for building secure smart contracts that can be formally verified. Recently, Sui hosted a Capture the Flag competition on its developer testnet. In this article, we run through each of the challenges and their solutions. The Contest includes four challenges. In the followings, we will introduce them one by one: Challenge 1 - CheckIn Challenge 2 - SimpleGame Challenge 3 - FlashLoan Challenge 4 - MoveLock

On November 2nd, 2022, Deribit Exchange’s hot wallet was compromised. A private key leak may have led to the loss of ~$28m in USDC.

On October 11, 2022 Mango Market was attacked causing a loss of $116M. The attacker was able to manipulate the price of MNGO token and borrowed more assets on the platform than permitted.

On 09 October 2022 JUMPN aka Jump Satoshi, withdrew $1.1 million from their JST token by which all the project's socials, including their website had been taken down. Two days later, all contracts associated with Jump Satoshi were drained of assets in an exit scam totaling $3.9m.

On May 14, 2022, loser coin ($lowb) experienced a flash loan attack, leading to approximately ~$10K USD worth of asset loss.

On May 15, 2022, the Space Dumpling token (SDUMP) was exploited, leading to a loss of 7.6 BNB around ~$2,000 at time of incident. The attacker took advantage of Space Dumpling anti-whale mechanism and drained funds from its liquidity pools. The attacker obfuscated the profits through Tornado Cash on June 1, 2022.

Proxy patterns enable contracts to upgrade their logic while maintaining their on-chain address and state values. This article gives an overview of the types of proxy contracts, associated security incidents and recommendations, as well as best practices when implementing a proxy contract.

In this post, we take a deep dive into the formal verification of Move programs.

CertiK is excited to announce the release of a new due diligence tool to help you conduct social analysis: Social Influencer Profiles.

CertiK has unveiled an underground ring of KYC actors for hire, used by rogue developers to scam Web3 communities.

On 29 May 2022, Novo Defi’s token, Novo, was exploited via a flash loan attack. The incident caused a loss of ~278 BNB

On May 24th 2022, the Hackerdao (Hackerdao) token was exploited by flashloan attacks, causing a loss of around 200 BNB, which was around $65K at the time of incident.

On July 28th, 2022, Nirvana Finance was exploited via flash loan attack with the attacker profiting 3.5M.

While auditing smart contracts written in Move, we've encountered multiple instances of developers neglecting to use Move’s built-in protection mechanisms or adopting programming patterns that work counter to Move’s design philosophy. This post presents a few such examples along with our suggestions for how to fix them.

Move is a relatively new programming language which has seen application in a number of Web3 projects. We recently audited a novel Layer 1 blockchain which supports smart contracts written in Move, and thought we’d take this opportunity to give a general overview of Move.

On October 18th, 2022 Celo-based Moola Market lending protocol was hacked for ~$8.4M through network manipulation

On Nov 10, 2022, DFX Finance's swapping contracts were attacked, leading to a loss of approximately $5M.

The U.S. Department of Justice announced on November 7, 2022 the seizure of $3.36 billion worth of Bitcoin in relation to a Silk Road investigation dating back to 2012.