Breaking GitHub Private Pages for $35k
A critical vulnerability in GitHub's private pages authentication flow allowing XSS and flag theft via chained exploits: CRLF injection in page_id parameter, null-byte bypass of integer parsing, cookie-prefix case-sensitivity bypass to fixate nonces, and cache poisoning. The researcher received a $35k bounty for demonstrating unauthorized reading of private organization flags.
Cronos
A reentrancy vulnerability in TectonicStakingPoolV3.sol allows attackers to mint xTonic tokens at 100x the actual rate by injecting a malicious token into the swap path during performConversionForTokens(), enabling them to stake TONIC during the callback and have it counted as swap rewards. An attacker with $23,000 TONIC can steal over $2.5M in a single transaction.
RCE in Hubspot with EL injection in HubL
A researcher discovered remote code execution in HubSpot's HubL template engine by exploiting expression language injection through Java reflection. By chaining getClass(), forName(), and newInstance() calls to instantiate ScriptEngineManager and access the Nashorn JavaScript engine, they achieved arbitrary code execution on the server.
A detailed writeup on converting a blind error-based MSSQL injection vulnerability into an exploitable boolean-based injection using the IIF() and CONVERT() functions to systematically enumerate database names and table metadata. The author demonstrates bypassing restrictions on verbose error messages and character limits through clever payload construction and Burp Intruder automation.
Ryan Kovatch discovered two critical vulnerabilities in YouTube's Video Builder beta tool: the ability to upload unlisted videos to any YouTube channel by manipulating channel IDs in API requests, and a cryptographic key leakage via error messages revealing decryption key hashes. Both issues were reported, triaged as P1/S1 and P2/S2, and resulted in a $6,337 bounty.
Story Network discovered a critical denial-of-service vulnerability where arbitrarily large EVM transactions (>4MB) could be crafted to crash validators by exploiting loose unmarshalling of ExecutionPayload fields, inherited from Omni's Octane codebase. The attack leverages JSON marshalling to double block size, allowing an attacker to exceed the 4MB panic threshold and halt the entire network.
A vulnerability in Polygon's Heimdall validator software allowed rogue validators to forge Ethereum log events by exploiting improperly indexed log matching in the DecodeValidatorStakeUpdateEvent function, potentially enabling stake manipulation and fraudulent bridge transactions affecting $2B+ in locked assets. The flaw resided in the side-handler verification logic that failed to properly validate log authenticity when comparing transaction receipts against incoming Heimdall messages.
A critical logic flaw in Movement Labs' full node software lacked height-based fork-choice logic, allowing two blocks at the same height with different IDs to be processed and permanently splitting the chain. The vulnerability stemmed from a missing height check in the process_block_from_da function, enabling double-spend attacks and necessitating a hard fork to resolve.
A critical vulnerability in Tranchess's ShareStaking contract allowed attackers to drain user funds by exploiting a skipped _checkpoint() call during rebalance events, causing total supply desynchronization. The attack enables direct theft of up to 815 BTC and 1438 ETH depending on the attacker's fund size, with exploitation possible via frontrunning the rebalance settlement.
Two high-severity denial-of-service vulnerabilities discovered in Stargate's LayerZero integration: (1) a Solidity try/catch quirk where calling non-contract addresses bypasses exception handling and permanently freezes message channels, and (2) a gas exhaustion attack leveraging excessive SSTORE operations (22.1k gas per operation) in the catch clause when storing malicious payloads, both capable of blocking bridged message delivery across chains.
Verichains discovered a critical vulnerability in Polygon zkEVM's zkProver component stemming from field incompatibility between STARK (operating on F_p^3) and SNARK (operating on F_q) in the recursive proof conversion process. The flaw allowed attackers to forge arbitrary valid proofs, enabling unauthorized state manipulation and potential loss of funds across L2 and L1, which was patched in December 2023.
Two critical bugs found in the Cronos Gravity Bridge allowing attackers to halt cross-chain transfers from Ethereum to Cronos and disable the bridge entirely. The vulnerabilities stem from incorrect validation of ERC-20 deployment events causing nonce mismatches between chains, and malicious token supply causing bridge deactivation.
A denial-of-service vulnerability in Acala's Homa module allowed attackers with 12,000+ DOT to halt block production by creating 22,000 redemption requests that exceeded processing time limits during the weekly on_initialize function call. The vulnerability stemmed from unbounded iteration over a RedeemRequests map with no size constraints, enabling attackers to temporarily halt the entire parachain with only gas fees as expense.
A critical vulnerability in VeChainThor's OnSuicideContract function allowed attackers to artificially mint unlimited VTHO tokens by combining flash loans with repeated self-destruct operations, exploiting the failure to settle accrued VTHO when zero amounts are transferred. The bug was discovered by whitehat researcher @nnez and awarded 50,000 USDT bounty.
A critical vulnerability in Axelar Network allowed attackers to force validators to skip votes by exploiting Tendermint's 1MB RPC body size limit, causing validators to be deregistered for missing votes and halting cross-chain operations. The exploit chain leveraged excessive event logs to trigger RPC failures combined with the absence of minimum quorum requirements before validator penalization.
A critical censorship vulnerability in Optimism's sequencer was discovered where the absence of chain ID validation in the rate limiter allowed attackers to replay signed transactions from other chains to indefinitely rate-limit specific accounts on Optimism Mainnet, affecting ~1.3 million accounts including major protocols and bridge operators. The bug enabled selective transaction censorship without on-chain evidence, posing significant risk to network availability and DeFi operations.
Trust Security disclosed a widespread DoS vulnerability affecting 100+ DeFi projects that misuse EIP-2612's permit() function in contract call compositions. When permit() is frontrun as part of a multi-step transaction, it causes the entire function to revert, enabling denial-of-service attacks: a flaw in the original EIP's threat model, which assumes A;A* (reverted action) is harmless but fails when A is part of a sequence A;B;C.
A critical integer truncation vulnerability in Astar's assets-erc20 precompile allowed attackers to steal up to $400,000 by passing uint256 values larger than u128 max that truncate to zero, causing smart contracts to record successful token transfers when none actually occurred.
A denial-of-service vulnerability in LayerZero's ONFT (ERC721) implementation allows attackers to freeze cross-chain token transfers by exploiting uncapped gas usage in the ERC721 callback mechanism. When a malicious receiver contract exhausts the gas allocation during _safeMint(), it causes the nonblockingLzReceive() to fail with insufficient gas to store the failure, permanently blocking the message queue until manual intervention.
A critical vulnerability in marginfi's flash loan mechanism allowed attackers to borrow funds without repayment by exploiting a new `transfer_to_new_account` instruction that could reset account state during an active flash loan, bypassing health checks. The vulnerability put $160M in deposits at risk and was responsibly disclosed and patched.
A state-machine vulnerability in Fluidity's reward distribution system allows double-claiming of rewards through improper handling of out-of-order batch reward transactions combined with manual reward claims, exploitable when multiple batchReward() calls arrive in the mempool for different block ranges.
A critical flash loan vulnerability in Fei Protocol's ETH/FEI Uniswap pool allocation mechanism allowed attackers to drain up to 60,000 ETH through price oracle manipulation combined with a bypass of the nonContract modifier using contract constructors. The bug was independently discovered by whitehat Alexander Schlindwein and Fei's security team, earning an $800,000 bounty.
A critical vulnerability in Arbitrum's DelayedInbox bridge contract allowed attackers to reinitialize the contract and set a malicious bridge address due to an uninitialized storage slot combined with a gas optimization that removed a redundancy check, enabling theft of all deposited ETH.
A missing access control and unchecked state transition vulnerability in Alchemist's TimelockConfig.confirmChange() function allows attackers to call confirmChange() without authorization and set arbitrary config parameters to 0, including bricking the admin wallet and mint recipient, which permanently halts token inflation distribution to stakers. The root cause is Solidity's behavior of returning default zero values for non-existent map entries rather than reverting.
BendDAO's Sewer Pass Flash Claim contract contained an input validation vulnerability where the `airdropTokenAddresses` parameter was not validated against a whitelist, allowing NFT owners to deploy malicious token contracts that could withdraw staked ApeCoin during the flash loan execution without proper unstaking.
APWine's PT token implementation had a critical logic flaw in the beforeTokenTransfer() hook that failed to validate delegation amounts during token burns, allowing attackers to inflate delegated yield tokens and steal protocol yield by repeatedly depositing, delegating, and withdrawing without proper balance checks.
A critical vulnerability in Thena's merge() function for veNFT tokens: the function fails to decrement the supply variable when burning NFTs, allowing attackers to artificially inflate supply and manipulate weekly emissions, reduce reward distribution, or trigger DoS conditions affecting the protocol's token economics.
Tokemak's liquidity controllers are vulnerable to token theft via pool ratio manipulation. An attacker with ADD_LIQUIDITY_ROLE can plant a malicious Uniswap/Sushi pair with an extreme token ratio, then trigger the deploy() function to cause the controller to deposit funds at that manipulated ratio, losing up to 100% of reserves through subsequent swaps exploiting the constant product formula.
A critical vulnerability in the Oasis Earn platform allowing arbitrary code execution via delegatecall by exploiting hidden assumptions about execution context. The vulnerability chains an operation verification bypass with code-reuse attacks against ServiceRegistry to achieve selfdestruct of the OperationExecutor contract; it was awarded a $20K bounty.
O3 DeFi bridge aggregators are vulnerable to token theft through callproxy parameter impersonation in the exactInputSinglePToken function, allowing attackers to redirect victim-approved funds to attacker-controlled addresses. The vulnerability affects all O3 aggregators across supported chains but is mitigated if users set MAX approval rather than finite amounts.