Welcome to the June edition of the Zellic Security Roundup, a monthly security-focused newsletter covering valuable security news and analysis in Web3.
This month we will dive into the basics of auditing Cosmos, a course created by Zellic’s Lead Cosmos Security Researcher; our recently published blogs and Twitter threads; and notable news in Web3 security.
Zellic Auditing Course
Zellic’s Lead Cosmos Security Researcher Faith created an overview of the basics of auditing Cosmos. Faith goes into the following topics at these timestamps:
00:00 — Introduction
01:57 — Important directories and files
07:41 — Message handlers and what they look like
11:13 — Auditing through message handlers
14:56 — AnteHandlers
21:55 — Custom AnteHandler from Evmos
30:31 — BeginBlockers and EndBlockers
36:19 — PostHandlers
37:38 — Interacting with the chain through the CLI
47:27 — Conclusion
This is the Cosmos SDK commit used in the video: 48d9ca4caf29cd48c8920fa66095840907af5421.
This is the Gaia commit used in the video: 45a3a0f428bd44df9b541bd55778ee65622ede6c.
Zellic Research & Writing
Enumerating All 69,788,231 Ethereum Contracts
A look into how we were able to retrieve every single contract ever deployed on Ethereum.
Zellic Discovers Bug in WHLUSDC After Challenge is Announced
In April, Chris Ling introduced WHLUSDC, a Hyperliquid-native stablecoin. On a Spaces after the announcement, Chris mentioned a bug purposely introduced in WHLUSDC as a challenge. This is a thread on how we found the bug along with the POC to prove it.
In the News
Hacks
BitoPro, a Taiwanese crypto exchange, suffered an $11.5M hack during a “recent wallet system upgrade and asset transfer operation”.
Force Bridge, a cross-chain protocol built on the Nervos Network, was exploited for $3M+ in crypto assets (257,000 USDT, 539 ETH, 898,300 USDC, 60,400 DAI, and 0.79 wrapped Bitcoin).
Cork Protocol was exploited in late May, resulting in ~$12M in lost assets. The attacker stole around 3,761 wrapped staked Ether, which was converted to Ether immediately following the attack. The attacker deployed a counterfeit contract and manipulated Cork Protocol’s exchange rate calculations by abusing its fallback mechanisms and unchecked token interactions.
Ukrainian police arrested a hacker who breached 5,000 accounts at an international hosting company to use them for mining cryptocurrency, ultimately resulting in $4.5M in damages.
Bybit revealed a three-pronged security revamp following its $1.4B hack in February. This security upgrade will include “targeting security audits, wallet fortifications and information security improvements.”
Group of Seven (G7) leaders will potentially discuss North Korea’s increasing involvement in cyberattacks and crypto theft at their upcoming summit in Canada in mid-June.
At least one part of the Coinbase data breach, which was publicly disclosed in an SEC filing from May 14th, is being linked to an India-based employee of TaskUs, a US-based outsourcing firm, who was caught taking pictures of her work computer with a personal phone.
Research
A write-up from Elastic Security Labs goes into the February 2025 ByBit hack including the chronology of events, assumptions for emulation, an overview of the attack, and lastly, emulating the attack in a controlled lab environment “to fully understand this breach”.
Aikido Security detected a new package version of the xrpl package, the official SDK for the XRP ledger, which was compromised with a backdoor to steal cryptocurrency private keys to gain access to wallets.
“Privacy 2.0” is a write-up by @oddhash of Archetype, covering the “new frontier that promises the ability to keep data private while also allowing for it to be leveraged in the same way we leverage public data on blockchains today”.
“Anonymous Credentials From ECDSA” is a paper published by two Google engineers that proposes “a new anonymous credential scheme for the popular and legacy-deployed Elliptic Curve Digital Signature Algorithm (ECDSA) signature scheme”.
Zero Knowledge recently released a series of recordings on YouTube from zkSummit13, including the full live stream.
Zellic recently joined an Injective-hosted Spaces, which covered our involvement in Injective’s new Validator Rebate Campaign. This campaign is “a strategic initiative designed to incentivize delegators with idle or inactive INJ to stake with validators who have consistently demonstrated their commitment to the Injective ecosystem”.
Scams
The FBI is warning of a new scam that exploits NFT airdrops on the Hedera Hashgraph network to steal crypto from wallets.
The Treasury Department’s Office of Foreign Assets Control has sanctioned Funnull Technology, a Philippine-based tech company, for aiding cryptocurrency scams that have exploited Americans for more than $200M.
Legal
NSO Group, a spyware maker, was forced to pay $167,254,000 in punitive damages to WhatsApp for a 2019 hacking campaign against 1,400+ users.
Bancor has sued Uniswap on claims of patent infringement accusing Uniswap Labs and the Uniswap Foundation of “unlawfully using its foundational decentralized exchange technology.”
The Digital Asset Market Clarity Act of 2025, introduced by lawmakers in the House of Representatives in early June, “proposes lighter regulations for blockchains and blockchain-based applications that meet its definition of decentralization”.
Hong Kong passed the Stablecoins Bill on May 21, 2025, which will require stablecoin providers to obtain a license from the Hong Kong Monetary Authority and comply with a range of requirements “including proper management of asset reserves and segregation of client assets”.
Crime
A joint law-enforcement action between the FBI and Dutch Police called “Operation Moonlander” shut down two services (Anyproxy and 5Socks) accused of providing a botnet of hacked internet-connected devices to cyber criminals.
Telegram has closed thousands of channels belonging to Xinbi Guarantee, a Telegram-based marketplace serving cybercriminals in Southeast Asia with 230,000 users, and Huione Guarantee. These two marketplaces have collectively engaged in $35B+ in USDT transactions.
The Queensland Joint Organised Crime Taskforce has charged four individuals suspected of laundering $123M in crypto through a cash-in-transit security company.
John Woeltz and William Duplessie have been arrested and charged with kidnapping and assault following nearly three weeks of forcibly attempting to gain access to Michael Valentino Teofrasto Carturan’s Bitcoin wallet.
Meet Up With Us
We’ll be at the following conferences in June. If you’d like to set up 1:1 time with our team, then reach out to sales@zellic.io for scheduling:
Permissionless 2025 (NYC): June 24–26
EthCC[8] (Cannes, France): June 30–July 4
Zellic Auditing Stats
In May, Zellic auditors completed 36 audit engagements, uncovering a total of 58 Critical, High, and Medium bugs:
16 Critical-level bugs
  13 Coding Mistakes bugs
  3 Business Logic bugs
16 High-level bugs
  9 Coding Mistakes bugs
  6 Business Logic bugs
  1 Protocol Risks bug
26 Medium-level bugs
  19 Coding Mistakes bugs
  7 Business Logic bugs
Recent Zellic Audit Reports
IBC Eureka Audit Report: The Inter-Blockchain Communication (IBC) protocol is a blockchain interoperability solution that enables secure, permissionless, and feature-rich cross-chain interactions for seamless data and value transfer without a third-party intermediary.
Maia DAO Partner Vault Audit Report: The Partner Vault is a smart contract vault that manages gauge voting, boost lending, and governance power for burned Hermes utility tokens held by a Hermes Partner Manager contract.
N1 Bridge Audit Report: N1 is a layer-1 blockchain designed for unlimited scale, featuring horizontal scalability, sub-ms latency, and congestion-free throughput.
About Us
Zellic specializes in securing emerging technologies. Our security researchers have uncovered vulnerabilities in the most valuable targets, from Fortune 500s to DeFi giants.
Developers, founders, and investors trust our security assessments to ship quickly, confidently, and without critical vulnerabilities. With our background in real-world offensive security research, we find what others miss.
Contact us for real audits, not rubber stamps.