A researcher discovered an IDOR vulnerability in a WebSocket-based signup flow that allowed account takeover by modifying UUID parameters during user registration, enabling email change on arbitrary accounts without proper authorization checks.
A researcher discovered a Reflected XSS vulnerability in a video game company's language parameter that, when combined with weak web cache poisoning behavior, allowed cached payload execution across all site pages and enabled account takeover through session cookie theft (due to missing HttpOnly and Secure flags).
A bug bounty hunter discovered an IDOR vulnerability in an online shopping platform's address book functionality that, combined with stored XSS, allowed complete account takeover of any user. The vulnerability stemmed from insufficient authorization checks on an edit address endpoint where sequential, guessable IDs were not properly validated against the authenticated user.
Brahma.Fi's ConvexTradeExecutor incorrectly uses Curve's calc_token_amount() interface with the wrong boolean parameter, causing insufficient LP token conversions during withdrawals. The function uses isDeposit=true instead of false, resulting in miscalculated LP redemption amounts that can cause batch withdrawals to fail when insufficient USDC is withdrawn from the pool.
A consensus bypass vulnerability in Polygon's proof-of-stake system allowed attackers to decrease total staking power and bypass the ⅔ threshold requirement, potentially enabling fund drainage and unlimited withdrawals. The bug required specific market conditions and high capital/time costs to exploit, earning a $75,000 bounty.
A critical vulnerability in Q Blockchain's voting mechanism allows attackers to manipulate voting power through improper handling of voting weight delegation and locking logic, particularly in the VotingWeightProxy contract's interaction with voting delegation. The bug was discovered during a bug bounty hunt and rewarded $50,000.
A security researcher documents two vulnerability submissions against Angle Protocol: a reentrancy vulnerability in the Router.mixer() function enabling fund theft via ERC777 hooks, and a potential vault theft via mixerVaultManagerPermit() function, both rejected by Immunefi despite meeting critical severity criteria. The writeup details the attack vectors, the reasoning process, and the rejection justifications from the protocol team.
A critical vulnerability in the Betverse ICO Token contract's transferTokenToLockedAddresses() function was caused by incorrect visibility marking as public instead of internal, allowing attackers to steal BToken funds by repeatedly transferring amounts to attacker-controlled time lock addresses.
A critical vulnerability in Zapper's "Zap Out" contracts allowed attackers to inject arbitrary call data into permit functions, enabling the theft of LP tokens from any user who had approved the contract. The vulnerability was patched within 24 hours of disclosure, with a $25,000 bounty awarded to the whitehat researcher.
Immunefi's retrospective on Wormhole's critical uninitialized proxy vulnerability in their Ethereum bridge contract, which was responsibly disclosed by researcher satya0x and resulted in a record $10 million bug bounty. The article includes detailed technical explanation of proxy patterns, delegatecall mechanics, and how uninitialized proxies can lead to fund lockup.
ANKR and Stader's liquid staking protocols on BSC are vulnerable to sandwich attacks where attackers can stake immediately before reward distribution, capture a disproportionate share of newly minted rewards via the updateRatio() function, and exit with profits via DeFi markets before actual reward distribution occurs. The root cause is that rewards are distributed collectively but users can claim their share immediately despite their capital not being deployed during the staking period.
O3's cross-chain bridge aggregators allow arbitrary address impersonation via the callproxy parameter in exactInputSinglePToken(), enabling attackers to execute swaps using victim-approved funds and redirect outputs to attacker addresses. The vulnerability affects all aggregators across supported chains except when users set MAX_APPROVE.
A sign confusion bug in Brahma's PerpV2Controller misinterprets negative accountValue (indicating underwater positions) as positive funds, causing incorrect share calculations during deposits/withdrawals and enabling protocol insolvency through fund extraction.
A high-severity griefing vulnerability in Charged Particles' NFT marketplace allowed malicious Proton creators to hold NFTs hostage by setting a ransom contract as the royalties receiver, effectively locking buyers/sellers out of transactions until payment. The bug was fixed and the whitehat researcher received a $5,000 USDC bounty.
Iron Bank's seizeInternal() function in its lending protocol fails to properly account for seized collateral tokens when a buffer exists, leading to under-counted collateral for liquidators and potential unexpected liquidations. The bug occurs when the delta between actual seizable tokens and accounted tokens is not credited to the liquidator's collateral balance.
DFX Finance had a critical rounding error vulnerability in the AssimilatorV2 contract where integer division could result in zero tokens being transferred while still minting LP tokens to the attacker. By exploiting the non-standard 2-decimal EURS token, an attacker could repeatedly deposit minimal amounts and drain approximately $237,143 from the vulnerable pool.
An SSRF vulnerability in a PDF generator where the web app's HTML filters were bypassed by inserting payloads via the mobile app and using forward-slash character encoding in iframe tags to access internal resources such as error logs (elmah.axd).
A bug bounty hunter discovered RCE by bypassing file upload restrictions through MIME type manipulation in a GET request, which was reflected in subsequent PUT requests, ultimately allowing PHP file upload via php5/php7 extensions when direct PHP upload was blocked.
A file upload bypass vulnerability on a crypto trading platform allowing RCE by manipulating Content-Type headers from image/png to text/html, leading to PHP shell execution and database credential extraction for account manipulation. The author demonstrates chaining file upload bypass with RCE and database access to achieve P1 severity.
Researcher bypassed WAF protections against Apache Struts CVE-2013-2251 by embedding OGNL RCE payloads within a legitimate redirect parameter, then escalated from remote code execution to root shell via SSH key manipulation and kernel CVE-2013-2094 exploitation.
Researcher discovered RCE via exposed Rails secret token leaked through Rack's ShowExceptions error page enabled on production. By fuzzing the filename parameter with %0d to trigger an exception, they obtained the secret_token used to sign cookies, which they then exploited to achieve remote code execution across two in-scope assets.
A researcher discovered and exploited an SSRF vulnerability in DownNotifier's website monitoring service, using the 0.0.0.0 loopback address to bypass filters and enumerate local services (FTP, HTTP) via XSPA timing analysis.
A guide on detecting race conditions in web applications using Burp Suite's Intruder tool, with specific steps to configure concurrent request threads and demonstrating the vulnerability through real-world examples like balance transfer and gift card exploitation.
Researcher exploited an SSRF vulnerability on Adfly to gain access to the internal SMTP server via the Gopher protocol, enabling unauthorized email sending from the Adfly domain. The attack involved uploading a PHP redirect file to a third-party server that, when visited through Adfly's URL shortening feature, would execute a Gopher payload to interact with the local SMTP service.
A race condition vulnerability in a team management feature allows bypassing the free tier's 5-user invitation limit by sending concurrent requests via Burp Intruder with high threading, enabling an attacker to invite 22+ users without upgrading to a paid plan.
A bug bounty writeup describing how LaTeX injection in a journal CMS's PDF conversion feature can be exploited to read arbitrary files and achieve remote command execution via crafted LaTeX payloads, escalated to database/Elasticsearch access through SSRF.
A bug bounty writeup demonstrating how an SSRF vulnerability in a JavaScript-exposed endpoint was exploited to read internal files via the file:// URI scheme, discovered by analyzing unminified JavaScript code for new endpoints.
A practical writeup demonstrating how a race condition vulnerability was exploited to bypass console creation limits on a free-tier web application by sending parallel requests while simultaneously removing resources, allowing a free user to exceed the 2-console restriction.
A DevOps engineer found publicly exposed Marathon container orchestration instances via Shodan reconnaissance and discovered unauthenticated RCE as root by leveraging the task scheduling API to execute arbitrary commands without authentication.
A researcher exploited CORS misconfiguration combined with XSS on a subdomain to exfiltrate sensitive user data (email, age, gender, DOB) from a main domain endpoint. By crafting an XSS payload that sends a credentialed XMLHttpRequest to the misconfigured endpoint and exfiltrates the response, the attacker could steal protected user information.