DARKNAVY

Contract Auditor

Mon, 13 Apr 2026 00:00:00 +0000

DFS-based multi-agent Solidity audit with adversarial validation

Client Auditor

Mon, 13 Apr 2026 00:00:00 +0000

7-stage orchestrated audit for blockchain node codebases (Go, Rust, C/C++)

Exploit Investigator

Mon, 13 Apr 2026 00:00:00 +0000

Multi-agent pipeline for on-chain attack analysis with Analyst-Validator debate loop

Hyperbridge ISMP Forged Proof DOT Mint

Mon, 13 Apr 2026 00:00:00 +0000

On April 13, 2026 at 03:55:23 UTC, a helper contract deployed by the attacker used Hyperbridge's Ethereum-side ISMP message path to deliver a forged governance-style `PostRequest` into `TokenGateway`. The exploit is best classified as an access-control failure at the proof-validation boundary: `Hand...

SubQuery Settings Access Control Staking Drain

Sun, 12 Apr 2026 00:00:00 +0000

On April 12, 2026, SubQuery Network, a staking protocol on Base, (block 44,590,469) suffered an access-control exploit that drained approximately **218.29M SQT** (about **$131.2K**) from the protocol's Staking contract. The attacker deployed two ephemeral contracts, abused the absence of any owner o...

Denaria Finance Virtual AMM Manipulation

Sun, 05 Apr 2026 00:00:00 +0000

On April 5, 2026, Denaria Finance, a perpetual DEX on Linea, (block 30,067,821) suffered a virtual AMM manipulation attack that drained approximately **165,618 USDC** from the protocol's Vault. The attacker flash-loaned 60,000 USDC from Aave V3, deployed pairs of ephemeral LP and Trader contracts, a...

InfinitySix TWAP Stale Price

Tue, 31 Mar 2026 00:00:00 +0000

Two compounding flaws in InfinitySix's (`$i6`) BSC staking contract were chained to extract **273,802 USDT** in block 89,703,286. The contract credits referral bonuses to a sponsor's withdrawable balance immediately upon the referral's `invest()` call; separately, its TWAP oracle enforces a 1-minute...

LML APower Reward-Claim Price Manipulation

Tue, 31 Mar 2026 00:00:00 +0000

On March 31, 2026 at 20:39:02 UTC, the attacker used flash-loaned capital on BNB Chain to manipulate the LML/USDT market, then batch-triggered reward claims for pre-seeded accounts through APower and immediately sold the resulting LML back into the distorted pool. The primary issue is a price-manipu...

WhaleBit CES/IGT Staking Oracle Manipulation

Tue, 31 Mar 2026 00:00:00 +0000

On March 31, 2026 at 22:56:21 UTC (Polygon block `84938872`), an attacker exploited WhaleBit's unverified staking system through a **same-transaction spot-oracle manipulation** funded by a flash loan. The attacker EOA `0xe66b37de57b65691b9f4ac48de2c2b7be53c5c6f` used helper contract `0xb5a8d7a37d60a...

VTSwapHook Pricing Error

Sat, 28 Mar 2026 00:00:00 +0000

On 2026-03-28, the VTSwapHook contract (`0xbf4b4a83708474528a93c123f817e7f2a0637a88`) deployed on Arbitrum was exploited through a **logic error** in its custom pricing formula. The hook implements a nonlinear (logarithm-based) price curve but approximates execution price using a simple midpoint ave...

EST BNBDeposit Claim Manipulation

Fri, 27 Mar 2026 00:00:00 +0000

On 2026-03-27, the EST / BNBDeposit system on BNB Smart Chain was exploited through a **flash-loan-assisted reward-accounting flaw** in `BNBDeposit`, amplified by **fee-exempt routing and pair-state manipulation** in EST. The attacker borrowed `250,000 WBNB`, built a temporary claim-bearing share in...

Cyrus Price Manipulation

Sun, 22 Mar 2026 00:00:00 +0000

On March 22, 2026, the CyrusTreasury protocol on BNB Chain was exploited through a price manipulation attack against its `withdrawUSDTFromAny` function, which is called internally by `exit()`. The vulnerable contract (`CyrusTreasury`, `0xb042ea7b35826e6e537a63bb9fc9fb06b50ae10b`) reads the live Panc...

Escrow Overflow

Sun, 22 Mar 2026 00:00:00 +0000

An unverified escrow-like contract at `0xf0a105d93eec8781e15222ad754fcf1264568c97` on Ethereum Mainnet was fully drained in block 24,707,679 (timestamp 2026-03-22 UTC) through an **integer overflow** in its deposit function `0x317de4f6`. The deposit function accumulates entry amounts into a running ...

dTRINITY dLEND Index Manipulation

Wed, 18 Mar 2026 00:00:00 +0000

On 2026-03-18, the dTRINITY dLEND lending protocol (an Aave v3 fork deployed on Ethereum mainnet) was exploited through a **flash loan abuse combined with a logic error** in the flash loan repayment accounting. An attacker manipulated the cbBTC reserve's liquidity index from ~1.0 RAY to 6,226,622 RA...

KToken Redeem Logic Flaw

Tue, 17 Mar 2026 00:00:00 +0000

On 2026-03-17 (block 30488585), a lending protocol deployed on Polygon zkEVM (chain ID 1101) was attacked through a logic error in its Compound-fork KToken implementation. The vulnerability is in internal function `0x3dff` (`redeemFresh`): when `redeemUnderlying()` is called, the function (1) comput...

USDC Permit Phishing Drain

Mon, 16 Mar 2026 00:00:00 +0000

**Transaction**: `0xfd7417af8433e3d9bcbed3f965307c800a24eb4e98f42cebfab6ca6064f5a642` **Chain**: Ethereum Mainnet (Chain ID 1) **Block**: 24671606 **Date**: 2026-03-16 17:38:59 UTC **Incident Name**: `usdc-permit-phishing-drain`

Venus Lending Exploit

Sun, 15 Mar 2026 00:00:00 +0000

On BNB Smart Chain, an attacker exploited Venus Protocol's vTHE (THENA/THE) market by combining three pre-obtained approvals with a classic exchange-rate inflation technique. The attacker held ERC-20 `transferFrom` allowances for the THE token from six victim addresses and a Comptroller `approvedDel...

AM Burn Reserve Manipulation

Thu, 12 Mar 2026 00:00:00 +0000

On March 12, 2026 (BSC block 86066209), attacker EOA `0x0b9a1391269e95162bfec8785e663258c209333b` exploited a combination of the AM token's fee-on-transfer burn mechanism and Moolah lending protocol's collateralized borrowing to extract approximately **131,572 USDT** in profit.

CoW Protocol Solver Exploit

Thu, 12 Mar 2026 00:00:00 +0000

On March 12, 2026 (block 24,643,151), a victim address (`0x98b9d979`) lost approximately $50.4 million worth of Aave-wrapped USDT (aEthUSDT) on Ethereum mainnet through a two-transaction attack. In the primary transaction, a registered CoW Protocol solver (`0x3980daa7`) submitted a settlement execut...

DBXen ERC2771 Confusion

Thu, 12 Mar 2026 00:00:00 +0000

The DBXen protocol on BNB Chain was exploited at block 86,063,902 through an ERC2771 meta-transaction context confusion vulnerability in the `burnBatch()` function. The attacker abused the inconsistency between `_msgSender()` (used in the `gasWrapper` modifier) and `msg.sender` (passed as the `user`...

Gamma Lending Exploit

Wed, 11 Mar 2026 00:00:00 +0000

On March 11, 2026, the Gamma Protocol (a Compound-fork lending platform formerly known as Planet Finance) on BNB Chain was exploited for approximately **7,882 USDT** via a logic flaw in the publicly-callable `updateUserDiscount()` function. The attacker leveraged a flash-loaned USDT position to repe...

Planet Finance Lending

Wed, 11 Mar 2026 00:00:00 +0000

On 2026-03-11, a failed attempt was made to exploit Planet Finance, a Compound-fork lending protocol on BNB Smart Chain, via an oracle price manipulation attack. Transaction `0x330ccbfa...` was initiated by attacker EOA `0x2eb7c45f` but **reverted** with status `0x0`, consuming 38,751,495 of 40,000,...

Wukong Staking Reentrancy

Wed, 11 Mar 2026 00:00:00 +0000

On 2026-03-11, the WUKONG staking protocol on BNB Chain was exploited via a classic reentrancy attack against its `unstake()` function in the `StakingUpgradeableV10` implementation. The vulnerability arises because `unstake()` sends BNB to the caller (via a low-level `call`) **before** updating the ...

Alkemi Self-Liquidation

Tue, 10 Mar 2026 00:00:00 +0000

On March 10, 2026, an attacker exploited the `liquidateBorrow` function of the Alkemi Earn Public lending protocol on Ethereum mainnet (block 24,626,979) to self-liquidate their own solvent position. The root cause is a compound vulnerability: `liquidateBorrow` lacks both a self-liquidation guard (`...

Gondi PurchaseBundler Drain

Mon, 09 Mar 2026 00:00:00 +0000

On 2026-03-09, the `PurchaseBundler` contract (`0xc10472ac`) deployed on Ethereum (block 24618641) was exploited through an access control bypass in its `executeSell` function. The attacker (`0x8d171c74`) used a purpose-built contract (`0xe95e3cfc`) to call `executeSell` 81 times, successfully drain...

MOLT EVM Weak Spawner Access Control

Sun, 08 Mar 2026 00:00:00 +0000

On 2026-03-08 at 20:36 UTC (Base block 43093167), an attacker exploited a trivially bypassable `onlySpawnerToken` modifier on the MoltEVM token contract (`0x225da3d879d379ff6510c1cc27ac8535353f501f`) to mint 100,000,000 mEVM tokens at zero cost. The modifier requires only that the caller is a contra...

SOLV BRO Double Mint

Thu, 05 Mar 2026 00:00:00 +0000

On March 5, 2026, Solv Protocol's Bitcoin Reserve Offering on Ethereum was exploited through a callback-driven logic error in the BRO wrapper at `0x15f7c1ac69f0c102e4f390e45306bd917f21cfcf`, accessed through the beacon proxy at `0x014e6f6ba7a9f4c9a51a0aa3189b5c0a21006869`. The vulnerable full-value ...

When an AI Assistant Becomes Part of the Hacker’s Attack Chain | Security Analysis of Doubao Phone

Wed, 04 Mar 2026 11:30:34 +0800

When a phone starts “taking action” on its own, it’s no longer just answering questions like how to get a cheaper takeout—it can actually open apps, compare prices, and place orders. Control shifts from the user’s fingers to an intelligent agent capable of seeing the screen, planning, and executing tasks.

Launched at the end of 2025, the Doubao Phone Assistant (hereafter Doubao Assistant) was the first to hand over the phone’s full operational chain to an AI agent. It uses a large language model as the central decision-making unit, combined with GUI Agent technology, to understand user intentions, break down tasks, plan paths, and execute complex cross-app and cross-scenario operations with system-level capabilities.

Base Multi-Contract Exploit

Wed, 04 Mar 2026 00:00:00 +0000

**Transaction:** `0xe94a5ed54d0a9aa317c997607d7d1ea9828ad47626d7794b0e4020ff49cdf9a0` **Chain:** Base (Chain ID: 8453) **Block:** 42832267 **Date of Analysis:** 2026-03-04 **Debate Round:** 1

Inugami Staking Reward Debt Drain

Tue, 03 Mar 2026 00:00:00 +0000

On March 3, 2026, the Inugami staking contract on BNB Chain (`0x2001144a0485b0b3748a167848cdd73837345d73`) was exploited via a logic error in reward-debt initialization. The attacker staked a small amount of LP, sent 1 wei WBNB to reactivate the reward window, and then claimed legacy rewards that sh...

Uniswap V4 Hook Swap Drain

Tue, 03 Mar 2026 00:00:00 +0000

On March 3, 2026 (block 24,575,085), the UniswapV4Router04 contract at `0x00000000000044a361ae3cac094c9d1b14eece97` on Ethereum mainnet was exploited via an authorization bypass vulnerability in its `swap(bytes,uint256)` function. The root cause is a hardcoded calldata offset in an inline assembly a...

sDOLA LlamaLend Oracle Manipulation

Mon, 02 Mar 2026 00:00:00 +0000

On March 2, 2026 at 03:00:11 UTC (block 24566937), an attacker exploited an oracle misconfiguration in the Curve LlamaLend sDOLA/crvUSD market on Ethereum. The root cause was the `CryptoFromPoolVaultWAgg` oracle contract (`0x88822ee5`) calling `sDOLA.convertToAssets()` as a spot price feed, which co...

BUBU2 Fee Token Staking Drain

Sun, 01 Mar 2026 00:00:00 +0000

On March 1, 2026, the BUBU2/WBNB PancakeSwap pair on BNB Chain (block 83,955,808) was drained by flash-loan sandwiching a permissionlessly-triggerable burn mechanism inside the BUBU2 token contract.

Movie Token Burn Manipulation

Sat, 28 Feb 2026 00:00:00 +0000

On 2026-02-28 (BSC block 85677691), the Movie Token ($MT) project was exploited for approximately **381.75 WBNB (~$242K USD)** in a single transaction. The attacker abused the MT token's `extractFromPoolForLpMining` function, which burns tokens directly from the PancakeSwap MT/WBNB LP pair's balance...

Aave Fork Undercollateralized Borrow

Thu, 26 Feb 2026 00:00:00 +0000

On February 26, 2026, an attacker exploited a misconfigured Aave V3 fork lending pool on Ethereum mainnet (block 24,538,897). The root cause was a deployment-time oracle misconfiguration in the `AaveOracle` contract at `0x9dce7a180c34203fee8ce8ca62f244feeb67bd30`, where the constructor arguments con...

HPay Staking ForceExit Drain

Wed, 25 Feb 2026 00:00:00 +0000

On February 25, 2026, the HPAY staking contract on BNB Chain (BSC) was exploited via a logic error in the unverified staking implementation at `0xbe189fe9f84ca531cd979630e1f14757b88dd80d`, accessed through the TransparentUpgradeableProxy at `0x6e30c17d2554dca5a1ac178939764c6bf61ab95a`. The `forceExi...

STO Deflationary Burn Drain

Mon, 23 Feb 2026 00:00:00 +0000

On February 23, 2026, the STO Protocol token on BNB Chain was exploited via a logic error in its deflationary sell-burn mechanism. The STO token's `_executePendingSellBurn()` function burns previously sold tokens from the PancakeSwap pair and calls `sync()` to update reserves mid-transfer, allowing ...

TARA DODO CoopPool Exploit

Sun, 22 Feb 2026 00:00:00 +0000

An attacker on Ethereum mainnet (block 24,513,601) drained the TARA cross-chain bridge by exploiting a compromised bridge validator key. The vulnerability is an **access control failure**: the TARA light client contract (`0xcdf14446`) accepted ECDSA-signed bridge state submissions from any registere...

Veil Cash Groth16 Forgery

Fri, 20 Feb 2026 00:00:00 +0000

On February 20, 2026, the Veil Cash privacy protocol on Base was exploited for 2.9 ETH (~$5.69K) through a zero-knowledge proof forgery attack. The root cause is a misconfigured Groth16 SNARK verifier contract at `0x1e65c075989189e607ddafa30fa1a0001c376cfd` where the delta verification key parameter...

Fee Token Skim Exploit

Mon, 16 Feb 2026 00:00:00 +0000

On BSC (BNB Smart Chain) block 81,556,796 (2026-02-16 12:51:23 UTC), an attacker exploited a fee-on-transfer token's built-in auto-liquidity mechanism to drain value from its PancakeSwap V2 liquidity pair. The vulnerable component is VictimToken (`0x02739be625f7a1cb196f42dceee630c394dd9faa`), an ERC...

Uniswap Router Approval Abuse

Fri, 13 Feb 2026 00:00:00 +0000

A custom, unverified swap router contract at `0xc87c815c03b6cd45880cbd51a90d0a56ecfba9da` on Ethereum mainnet contains a critical access control flaw that allows any caller to execute token swaps using another user's token approvals. On February 13, 2026 at 17:06:47 UTC (block 24,449,245), an attack...

ERC1155 Bonding Curve Reentrancy

Sun, 08 Feb 2026 00:00:00 +0000

On 2026-02-08 12:06:47 UTC (block 24,411,960), tx `0x7b3878969c2f44dae5e47d7c03616d5f17dfc46ea59ea75f135c468709a59ce7` on Ethereum drained four Decent.xyz "Crescendo" ERC1155 bonding curve contracts of nearly all their ETH reserves via reentrancy through the native ETH refund path in `buy()` and the...

USDe Safe Module Flashloan

Sat, 07 Feb 2026 00:00:00 +0000

On 2026-02-07 (Ethereum mainnet, block 24,406,366), an attacker used a Balancer Vault flash loan callback to trigger a Gnosis Safe module at `0xf5e48ff26c60f3d2bdc0b38a570ce6373a927e19`, which executed `execTransactionFromModule` on the Safe `0x635fa9b57a9888ffe624323e547fdfbad1a74606` with a `DELEG...

NEUTRL nUSD Internal Balance

Wed, 04 Feb 2026 00:00:00 +0000

On Ethereum mainnet, transaction `0x047fcfa2cfb51879f19769dd25e2768be42985f9c2d8f483f2a0c18703834061` (2026-02-04 13:49:23 UTC) used a Morpho flash loan to route through Pendle’s NUSD Standardized Yield (SY) integration and drain NUSD, then swap to USDC. The attacker’s EOA `0x1f36068728b86ae4d65249f...

reUSD SingleAdapterRouter Withdraw

Wed, 04 Feb 2026 00:00:00 +0000

On 2026-02-04 13:46:59 UTC (block 24,383,881), tx `0xee2b216b7d649513dc8ba102e130d3d86d189b393a0d5f387e479be3dbda799d` on Ethereum deployed helper contracts and invoked `depositWithCalldataMultiToken` and `withdrawWithCalldataMultiToken` on SingleAdapterRouter (Vault_reUSD) at `0x169a5effcae91ab33bc...

EYWA PortalV2 Axelar

Sun, 01 Feb 2026 00:00:00 +0000

On 2026-02-01 18:38:23 UTC (block 24,363,854), tx `0x37d9b911ef710be851a2e08e1cfc61c2544db0f208faeade29ee98cc7506ccc2` on Ethereum called `expressExecute` on ReceiverAxelar (`0xb2185950f5a0a46687ac331916508aada202e063`) with `sourceChain="berachain"` and `sourceAddress=0x5eEdDcE72530e4fC96d43E3d70Fe...

Gyro Finance CCIP Escrow

Fri, 30 Jan 2026 00:00:00 +0000

On Ethereum mainnet, Gyro Finance's GYD bridge escrow was exploited on January 30, 2026. The attacker used a crafted CCIP message to make the escrow contract approve unlimited GYD allowance, then drained the escrow via `transferFrom`.

XPL

Wed, 28 Jan 2026 00:00:00 +0000

The transaction `0x9779341b2b80ba679c83423c93ecfc2ebcec82f9f94c02624f83d8a647ee2e49` on BNB Smart Chain exploited XPlayer's node distribution burn path to manipulate the XPL/USDT PancakeSwap pool and drain USDT. The attacker used a flash-loan style contract to burn XPL out of the pool, forcing reser...

Makina Oracle Manipulation

Tue, 20 Jan 2026 00:00:00 +0000

The attacker used flash‑loaned USDC (Morpho + Aave) to temporarily skew spot‑based on‑chain state (Curve pools and oracle inputs, including the ERC4626 convertToAssets path used in pricing). In the same transaction, they invoked accountForPosition and updateTotalAum, locking an inflated AUM into las...

FutureSwap

Sat, 10 Jan 2026 00:00:00 +0000

On 2026-01-10 08:30:35 UTC (Arbitrum block 419,829,771), tx `0xe1e6aa5332deaf0fa0a3584113c17bedc906148730cbbc73efae16306121687b` deployed an attacker contract that drained approximately 394,743 USDC.e from FutureSwap's unverified perpetual exchange contract at `0xf7ca7384cc6619866749955065f17bedd3ed...

TMX Tribe

Mon, 05 Jan 2026 00:00:00 +0000

The unverified contracts of TMXTribe were exploited by a series of attack transactions exploiting a vulnerability in the accounting logic. The root cause is that the AUM calculation (used to price TLP) ignores USDG liabilities, so USDG minting inflates AUM and enables high‑price redemptions.

How And Why We Hacked Cypherock Hardware Wallet: The Full Story

Fri, 21 Nov 2025 15:47:08 +0800

On blockchains, whoever controls the private key to an address controls the funds in the corresponding account.

In October 2025, the U.S. government announced the seizure of 127,000 BTC from Prince Group. On‑chain tracing reports indicated that these funds were in fact the assets stolen from the LuBian mining pool in December 2020.

A Bitcoin private key is a 256‑bit random number and is, in theory, infeasible to brute‑force. How did the U.S. government obtain LuBian’s wallet private key?

About

Tue, 14 Oct 2025 16:33:58 +0800

DARKNAVY, headquartered in Singapore and Shanghai, is an independent cybersecurity research and services organization. We are pioneers in AVSS (Adversarial Vulnerability Scoring System) and quantitative security, as well as the founding team behind the international hacking competition GEEKCON.

Founded upon the legacy of KeenTeam, established in 2011 and globally recognized as a multiple world-record holder and international hacking competition champion, DARKNAVY inherits over a decade of cutting-edge security research experience across operating systems, chipsets, AI, mobile, IoT, and Web3. Guided by the founding team’s unique vision, we have built a collaborative research team dedicated to solving the most critical security challenges faced by our clients.

Argusee: A Multi-Agent Collaborative Architecture for Automated Vulnerability Discovery

Fri, 23 May 2025 11:09:50 +0800

As we envisioned in DARKNAVY INSIGHT | The Most Imaginative New Applications of 2024:

The next generation of AI agents will have excellent reasoning and generalization abilities and be skilled at using a variety of security research tools, inheriting a wealth of human expert knowledge. They will be able to discover more 0-day vulnerabilities in the real world, like top security experts.

Unsurprisingly, as Large Language Models (LLMs) demonstrate increasing proficiency in handling complex tasks, Agent technology is emerging as a new paradigm in the field of vulnerability discovery. Since Google Project Zero released Naptime[1] last year, an increasing number of Agent-based auditing tools are appearing. By providing LLMs with the necessary toolsets and source code for testing, these tools simulate the behaviour of security researchers to perform code audits and vulnerability confirmation.

If the Person Who Finds a Web3 Hardware Wallet is a Hacker

Sun, 30 Mar 2025 10:00:52 +0800

In 2024, Web3 security incidents caused by private key leaks have surged, resulting in estimated financial losses exceeding $855 million.

Private keys function as the sole credentials for blockchain accounts, controlling access to all associated on-chain assets like cryptocurrencies and NFTs. Due to the decentralized nature of blockchain, losing the private key means permanently losing account control, while leakage typically results in asset theft. Hardware wallets, utilizing techniques like offline private key storage and secure chips, have become the primary choice for asset protection.

The Jailbroken Unitree Robot Dog

Fri, 28 Mar 2025 10:00:17 +0800

The history of humanity’s domestication of wolves has spanned forty thousand years – we used firelight and patience to soften the wildness in their eyes, transforming their fangs into the loyalty that guards our homes.

When various robot dogs created by America’s Boston Dynamics and China’s Unitree Robotics leap and flip gracefully under the spotlight, this ancient symbiotic relationship seems to take on a new meaning in the cyber age: trust that once required thousands of years of genetic selection to build can now be achieved with just a line of code.

A First Glimpse of the Starlink User Ternimal

Wed, 26 Mar 2025 10:10:22 +0800

I think the human race has no future if it doesn’t go to space. —— Stephen Hawking

Starlink is a low Earth orbit (LEO) satellite internet service provided by SpaceX. Users connect to near-Earth orbit satellites through a user terminal, which then connects to the internet via ground gateways.

As the new generation of satellites gradually incorporates laser links, some satellites can communicate with each other via laser. This both reduces reliance on ground stations and improves transmission efficiency, enhancing global coverage.

Reconstructing the $1.5 Billion Bybit Hack by North Korean Actors

Mon, 24 Mar 2025 15:34:29 +0800

Both the Attackers and Victims Made Critical Mistakes

On February 21, 2025, the cryptocurrency exchange Bybit experienced the most significant financial loss in Web3 history when nearly $1.5 billion was illicitly transferred from its multi-signature wallet by North Korean threat actors.

The DARKNAVY team has been closely monitoring security developments within the Web3 ecosystem. Following the Bybit incident, we conducted a reconstruction of the attack, analyzing it from the perspectives of the attackers, the developers, and the transaction signers.

Fatal Vulnerabilities Compromising DJI Control Devices

Fri, 21 Mar 2025 10:01:19 +0800

As logistics drones weave through buildings and surveying equipment delineates urban landscapes, the capillaries of the low-altitude economy are sketching the future with millimeter-level precision.

DARKNAVY consistently focuses on the construction and breaching of drone security defenses. In this research, we discovered a fatal exploit chain in DJI remote control devices, leading to the complete compromise of the security defenses within the DJI remote controller. How can we assist industry leader DJI in fortifying its security defenses? What potential risks do these vulnerabilities reveal? Welcome to read this article.

The Most Stealthy Manipulator of 2024

Mon, 17 Feb 2025 18:00:44 +0800

In the era of mobile internet, user traffic is the lifeline of manufacturers. In this battle for traffic, smartphone manufacturers hold the most overwhelming advantage — ultimate control over the operating system. By deeply customizing AOSP, manufacturers not only gain precise control over user and app activities but can even manipulate and interfere with user choices.

Ordinarily, few companies would choose to violate regulations and abuse their privileges to harm consumers. However, in 2024, a well-known Chinese smartphone brand crossed the ethical bottom line of business. By leveraging non-security technological means, it covertly manipulated its own smartphone system, turning millions of users into mere tools for profit.

The Most Frustrating Vulnerability Disclosure of 2024

Sun, 16 Feb 2025 17:58:16 +0800

In the field of cybersecurity, vulnerability disclosure has long been regarded as a crucial step in safeguarding users. However, in practice, this process is fraught with controversy and contradictions. What truly constitutes “responsible disclosure”? When vendors dominate the public release of information and patch deployment, while security researchers invest substantial time and energy in negotiations, can this model still fulfill its intended purpose of protecting user security? In an era of rapidly advancing technology and escalating cyber threats, has the traditional vulnerability disclosure process become outdated?

The Most "Secure" Defenders of 2024

Sat, 15 Feb 2025 17:54:34 +0800

In the increasingly intense offense and defense confrontation of 2024, security software has always been regarded as an important cornerstone of the corporate security defense line. However, these security softwares themselves may also have vulnerabilities and could be exploited by attackers as a springboard for intrusions to harm users. Over the years, incidents caused by security software have raised a question — can security software really be trusted?

The following is the eighth article of the “DARKNAVY INSIGHT | 2024 Annual Security Report”.

The Most Unstoppable Offensive and Defensive Trend of 2024

Fri, 14 Feb 2025 17:47:00 +0800

In recent years, the evolution of vulnerabilities and defense techniques has been continuous. From the days when a simple stack overflow could compromise a system, to the present day, where sophisticated techniques are necessary to bypass multiple layers of defense. The “shield” and the “spear” are in dynamic confrontation: whenever new defense measures are introduced, new attack methods emerge in response. The enhancement of defense mechanisms compels attackers to seek out new vulnerabilities, while the innovation of attack techniques propels the development of defense technologies

The Most Unfortunate Backdoor of 2024

Thu, 13 Feb 2025 17:07:28 +0800

Does open source guarantee that there are no backdoors?

At the 1983 Turing Award ceremony, Ken Thompson raised this question. As one of only three legends to win the Turing Award before the age of 40, he demonstrated how to hack Unix systems compiled from harmless source code by implanting backdoors in compilers, remaining a tale frequently cited by hackers to this day.

In 2024, the XZ backdoor incident resurfaced this question. Under the nose of the open-source community, attackers successfully pushed the backdoored xz-utils 5.6.1 package into official repositories of several distributions like Debian and Fedora. Fortunately, engineer Andres Freund discovered and reported the abnormal behavior of xz-utils 5.6.1 in time. Although the community effectively stopped the backdoor’s spread, this heart-stopping crisis made every open-source user rethink the trust model in collaborative development.

The Most Prominent Privacy Security Trend of 2024

Wed, 12 Feb 2025 16:40:12 +0800

At the beginning of 2025, the five-year “Siri Eavesdropping Scandal” finally came to an end. Apple settled a class-action lawsuit with the plaintiffs for $95 million.

This well-known privacy case started when users accused Siri of accidentally capturing and recording their everyday conversations without permission, and leaking the data to third-party advertisers.

Even though Apple firmly denied these claims, public concern over privacy security is growing day by day. Now, we share massive amounts of personal data with AI every day. Are these privacy data really secure enough?

The Maddest Vulnerability of 2024

Tue, 11 Feb 2025 11:41:45 +0800

Under the collective efforts of security researchers and increasingly stringent security mitigations, most memory vulnerabilities have been nipped in the bud.

Is it time to declare memory vulnerabilities a thing of the past?

In July 2024, a “nuclear bomb” from the Windows camp shattered the illusion of security. We can’t help but ask: When faced with threats from memory, just how much can the walls in front of us really defend against?

The Most Imaginative New Applications of 2024

Mon, 10 Feb 2025 11:25:50 +0800

2023 was the dawn of generative AI and large language models, which output content in unprecedented ways.

In 2024, a large number of AI agents emerged, expanding the capabilities of LLM, driving more widespread tool usage, and extending their application to more fields.

For security researchers, how to leverage AI to improve work efficiency, and even drive AI to think, analyze, and find vulnerabilities like humans, has become a key topic.

The Most "Golden" Bypass of 2024

Sun, 09 Feb 2025 17:13:30 +0800

Since the early 2000s, attacks based on browser vulnerabilities have remained a mainstream, effective, and versatile attack method. The following is the second article from the “DARKNAVY INSIGHT | 2024 Annual Security Report”.

According to the latest report from market research firm Statcounter, Chrome has unquestionably secured its position as the most dominant browser in terms of market share.

Chrome is renowned for its exceptional security, with the Google security team continuously researching and implementing cutting-edge vulnerability mitigation mechanisms. One of the most well-known among them is MiraclePtr, designed to prevent attackers from exploiting Use-After-Free (UAF) vulnerabilities in the browser.

The Most Groundbreaking New Security Ecosystem of 2024

Sat, 08 Feb 2025 17:10:13 +0800

In the “DARKNAVY INSIGHT | 2023 Annual Security Report”, we noted: “As we stand on the precipice of the next decade, 2023 will undoubtedly be a year of profound transformation. The deployment of new defense mechanisms and the rise of novel attack technologies will fundamentally reshape the digital security landscape.”

The year 2024 arrived like a swift gust of wind, only to fade away like a brief storm. The AI revolution, breakthroughs in mobile operating systems, and challenges in supply chain security that we discussed in 2023 continue to unfold in 2024, leaving little room to catch our breath.

CVE-2024-5274: A Minor Flaw in V8 Parser Leading to Catastrophes

Fri, 30 Aug 2024 10:09:29 +0800

In May of this year, we noticed that Chrome fixed a V8 vulnerability that was being exploited in the wild in this update. We quickly pinpointed the fix for this vulnerability and discovered that it was a rare bug in the Parser module, which piqued our interest greatly. This led to the following research.

From Patch to PoC

First, let’s take a look at the patch for this vulnerability:

diff --git a/src/ast/scopes.cc b/src/ast/scopes.cc
index 660fdd2e9ad..de4df35c0ad 100644
--- a/src/ast/scopes.cc
+++ b/src/ast/scopes.cc
@@ -2447,7 +2447,7 @@ bool Scope::MustAllocate(Variable* var) {
     var->set_is_used();
     if (inner_scope_calls_eval_ && !var->is_this()) var->SetMaybeAssigned();
   }
-  DCHECK(!var->has_forced_context_allocation() || var->is_used());
+  CHECK(!var->has_forced_context_allocation() || var->is_used());
   // Global variables do not need to be allocated.
   return !var->IsGlobalObjectProperty() && var->is_used();
 }
diff --git a/src/parsing/parser-base.h b/src/parsing/parser-base.h
index 40914d39a4f..65c338f343f 100644
--- a/src/parsing/parser-base.h
+++ b/src/parsing/parser-base.h
@@ -2661,6 +2661,7 @@ typename ParserBase<Impl>::BlockT ParserBase<Impl>::ParseClassStaticBlock(
   }

   FunctionState initializer_state(&function_state_, &scope_, initializer_scope);
+  FunctionParsingScope body_parsing_scope(impl());
   AcceptINScope accept_in(this, true);

   // Each static block has its own var and lexical scope, so make a new var

The patch is very simple, the actual effective fix is just one line of code. This line introduces a variable of type FunctionParsingScope when parsing the static initialization block of a class. Let’s examine what this newly introduced variable does:

Exploiting Steam: Usual and Unusual Ways in the CEF Framework

Thu, 27 Jun 2024 11:39:32 +0800

Introduction

The Chromium Embedded Framework (CEF) is an open-source framework that allows developers to embed the Chromium engine in their applications. Although CEF is widely employed in a range of popular software, including WeChat and the Epic Games Launcher, there has been little security research on it. In this article, we will use the Steam Client Browser (a CEF-based application) as an example to present the vulnerabilities we found and how we exploited them to build three Remote Code Execution (RCE) chains.

AVSS Report: System Security Adversarial Capability Preliminary Evaluation of iOS, Android, and HarmonyOS - Kernel

Tue, 11 Jun 2024 15:40:57 +0800

As consumers, when faced with five different brands and models of smartphones or ten different smart cars, it’s difficult for us to determine which one can effectively prevent our privacy from being stolen or maliciously accessed, such as our location or even hearing our conversations inside the car.

Even as ordinary consumers, we currently have no way of knowing. As technology professionals who have long studied in APT(Advanced Persistent Threat) attacks, we understand that these devices can ultimately be compromised in the face of advanced persistent attacks.

Strengthening the Shield: MTE in Heap Allocators

Wed, 03 Jan 2024 16:19:13 +0800

Introduction

In 2018, with the release of ARMv8.5-A, a brand new chip security feature MTE (Memory Tagging Extensions) emerged. Five years later, in 2023, the first smartphone to support this feature was released — Google Pixel 8 — marking the official entry of MTE into the consumer market. Although this feature is not yet enabled by default, developers can turn it on themselves for testing.

As a powerful defense against memory corruption, there has not yet been a comprehensive analysis of MTE’s defensive boundaries, capabilities, and its impact on performance on the internet. Previously, Google Project Zero published a series of articles about MTE, focusing on the more low-level security aspects of MTE. However, the actual impact of MTE on real software security remains a mystery. To discuss this topic, heap allocators provide an excellent starting point. Heap memory corruption issues have gradually become the mainstream type of binary vulnerabilities. For reference, see the presentation by MSRC at CppCon 2019:

Exploiting the libwebp Vulnerability, Part 2: Diving into Chrome Blink

Fri, 03 Nov 2023 14:10:17 +0800

Introduction

When we examine a third-party library vulnerability in a real environment, we often encounter numerous complex variables that exist within the vulnerability’s context. Exploiting such a vulnerability is not as easy as one might imagine.

Here is the information we know:

The overflowed variable huffman_tables, has a size of 0x2f28.
The heap chunk is allocated in the renderer’s ThreadPool, while most objects are allocated in the main thread.
We can write a partially controlled 4-byte integer with an offset that is a multiple of 8 bytes.

In Chrome, different-sized heap chunks are stored in separate buckets, isolating objects of different sizes to ensure security. Typically, achieving heap exploitation in Chrome requires identifying objects of the same size for layout purposes and then utilizing Use-After-Free (UAF) or Out-of-Bounds (OOB) techniques to manipulate other objects, leading to information disclosure or control-flow hijacking. In the following, we will share the objects we have discovered, as well as attempting to bypass this mechanism.

Exploiting the libwebp Vulnerability, Part 1: Playing with Huffman Code

Fri, 03 Nov 2023 14:10:12 +0800

Vulnerability Localization

In the initial phase of vulnerability analysis, due to the absence of readily available PoCs or detailed analysis reports, we first attempted to read and understand the patch code for CVE-2023-4863 in the upstream repository of webmproject/libwebp. However, the WebM Project’s official patch was relatively complex, making it difficult for us to accurately pinpoint the root cause of the vulnerability.

Thus, we turned our attention to Apple’s official patch for CVE-2023-41064, and performed a comparison of the ImageIO framework before and after the update using BinDiff. We noticed that Apple’s patch involved fewer code changes and was much easier to understand.