@abbaeth_ on x XXX followers
Created: 2025-07-13 20:16:34 UTC
He wasn't wearing a hoodie
No dark basement. No voice changer.
Just a XX year old with a laptop, curiosity… and one question:
"What if this function never checks who calls it?"
The anatomy of a black hat exploit (a true-ish story)
#Web3 #SmartContracts #BlackHat
It started like any other weekend. He wasn't rich. He wasn't poor either.
But he loved reading contracts on Etherscan like they were poetry
this time, it was a DeFi protocol that had just launched
lots of hype. A 7-figure TVL. And a verified contract.
The function was simple: "emergencyWithdraw()" meant only for the owner. But the "onlyOwner" modifier?
Missing.
not commented out. not refactored. Just… never written.
he paused. Checked the docs. No mention of emergency calls.
he simulated a tx on testnet. Funds moved. He simulated again, but on mainnet, this time, dry run. Still worked.
$1.2M in LP tokens just... waiting.
Here's the kicker: he didn't even write a contract. Just used Remix, MetaMask, and a frontend that let him connect.
Click. Confirm.
Block confirmed. Tokens drained. TVL: X.
X went crazy.
"Rug?" "Hack?" "Insider job?"
but it wasn't any of those.
It was bad coding + good reading.
he had a choice. Return the funds (white hat)? Keep it (black hat)? Negotiate a bug bounty (gray)?
he created a Tornado wallet. Split the funds. Disappeared.
Weeks later, the protocol patched it
New audit. New version. No refund.
Lesson?
Smart contracts don't forgive. They don't forget. And they don't care who clicks first.
You don't need to be a genius to be an SR
You just need to read slower than the dev who wrote the bug.
#SmartContractSecurity #Web3Story #DeFiExploits #BlackHat
XXX engagements
[Post Link](https://x.com/abbaeth_/status/1944491162204602768)
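
The flaw the story turns on, an externally callable withdraw function with no caller restriction, can be caught by a first-pass review script run before deployment. The following is an added example, not part of the original post or any protocol's code; the `Vault` contract is a constructed sample, and the regex heuristic, the `NON_AUTH` list and the function names are assumptions.

```python
import re

# Constructed sample shaped like the contract in the story (not the real protocol's code).
SAMPLE = """
contract Vault {
    address public owner;
    IERC20 public lpToken;
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    function emergencyWithdraw() external {
        lpToken.transfer(msg.sender, lpToken.balanceOf(address(this)));
    }
    function setOwner(address next) external onlyOwner { owner = next; }
    function sweep(address to) public {
        require(msg.sender == owner, "not owner");
        lpToken.transfer(to, lpToken.balanceOf(address(this)));
    }
    function totalHeld() external view returns (uint256) {
        return lpToken.balanceOf(address(this));
    }
}
"""

FUNC = re.compile(r"function\s+(\w+)\s*\([^)]*\)([^{;]*)\{")
# Header words that are not access control (assumed list; extend per code base).
NON_AUTH = {"external", "public", "payable", "virtual", "override",
            "nonReentrant", "whenNotPaused"}
# A require/if that compares against msg.sender counts as an inline caller check.
CALLER_CHECK = re.compile(r"\b(require|if)\s*\([^;]*msg\.sender")

def unguarded_functions(src):
    """Names of externally callable, state-changing functions with no
    custom modifier and no msg.sender check: candidates for manual review."""
    flagged = []
    for m in FUNC.finditer(src):
        header = re.sub(r"returns\s*\([^)]*\)", "", m.group(2))
        words = set(re.findall(r"\w+", header))
        if not words & {"external", "public"} or words & {"view", "pure"}:
            continue
        depth, end = 1, m.end()
        while depth and end < len(src):  # walk to the matching closing brace
            depth += {"{": 1, "}": -1}.get(src[end], 0)
            end += 1
        if words - NON_AUTH or CALLER_CHECK.search(src[m.end():end]):
            continue  # some modifier or caller check is present
        flagged.append(m.group(1))
    return flagged

if __name__ == "__main__":
    print(unguarded_functions(SAMPLE))
```

A hit is a prompt to read the function, not a verdict: intentionally open functions such as deposits will be listed too, and a custom modifier is assumed to enforce authorization without being inspected.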