A researcher discovered a SQL injection vulnerability in a trading company's web application through a hidden 'status' parameter in the report download endpoint, which was found using parameter mining techniques and exploited using time-based blind SQL injection.
A bug bounty finding demonstrating a 2FA bypass via forced browsing: directly accessing an unprotected signup endpoint (/_ajax/signup instead of /_api/signup/verify) allowed account creation without OTP verification once the API request was modified to include a password field.
Researcher bypassed 2FA on www.domain.com by intercepting the login request with Burp Suite, changing the Host header to beta.domain.com (a parallel subdomain without 2FA enforcement), and submitting an arbitrary code (000000) to successfully authenticate. The vulnerability stemmed from inconsistent 2FA implementation across subdomains, fixed within one day but without bounty payout.
Researcher discovered a deserialization vulnerability in a JSF-based web application by identifying unencrypted serialized Java objects in the javax.faces.ViewState parameter, leading to remote code execution via JMX console exploitation and a $1500 bounty reward.
Researcher discovered a full account takeover vulnerability by chaining multiple weaknesses: a password change endpoint that accepted null CSRF tokens and lacked proper validation, combined with a hidden 'uid' parameter discoverable via Param Miner that allowed changing arbitrary users' passwords without authentication. The vulnerability earned a $1000 bounty.
A griefing vulnerability in Lido's Dual Governance RageQuit mechanism allowed permissionless prolongation of the RageQuit extension period, potentially blocking ETH withdrawals and protocol governance. The issue required >10% stETH veto participation to trigger and was mitigated by Emergency Committee safeguards; a patched smart contract fix was successfully deployed in September 2025.
A critical DoS vulnerability in Stacks' Clarity virtual machine was discovered where an unhandled exception in the smart contract interpreter caused client nodes to crash when processing malicious contracts. The vulnerability was patched by modifying error handling to return proper exceptions instead of using `.expect()` calls.
A researcher discovered a critical $150,000 Evmos vulnerability by simply reading Cosmos documentation—sending funds to the distribution module account (which should be blocklisted) triggered invariant violations that halted the entire blockchain and all dependent dApps.
Vesu disclosed a critical rounding convention vulnerability in the Singleton contract's liquidate_position function that could allow fund theft through malicious pool extensions, flashloans, and receive_as_shares flag manipulation. The vulnerability was remediated by removing the affected liquidation logic, whitelisting pool extensions, and migrating all user funds.
ANKR's distributeRewards() function forwards a fixed gas amount to a low-level call, but because the EVM adds a 2,300-gas stipend to every CALL that transfers value (BSC inherits this behaviour from Ethereum), the callee actually receives 12,300 gas rather than the intended 10,000, raising gas costs and widening the reentrancy attack surface.
Brahma vault's collectFees() function incorrectly charges performance fees on gains without accounting for losses, causing users to lose portions of their original deposits during volatile market conditions. The bug stems from not tracking maximum share price per user or accumulated losses, allowing fees to be extracted from principal rather than only from actual profits.
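The accounting flaw above, as an added example that is not Brahma's code: a performance fee computed only from the rise since the last collection is compared with a per-user high-water mark. Prices are whole units, fees are in basis points, and the fee rate, price paths and user name are hypothetical.

```python
# Added example (not Brahma's code): a performance fee computed from the last
# price mark alone versus one gated by a per-user high-water mark (HWM).
# All names, the fee rate and the price paths are hypothetical.

PERF_FEE_BPS = 2000  # hypothetical 20% performance fee
BPS_DENOM = 10_000


def fee_from_last_mark(prev_price, new_price, shares):
    """Bug pattern: charge on any rise since the previous collection, even if
    the user is still below the price at which they deposited."""
    gain = max(new_price - prev_price, 0) * shares
    return gain * PERF_FEE_BPS // BPS_DENOM


class HighWaterMarkFees:
    """Fix pattern: remember, per user, the highest share price fees were
    already charged at (initially the entry price) and charge only on gains
    above it."""

    def __init__(self):
        self.hwm = {}

    def collect(self, user, entry_price, new_price, shares):
        hwm = self.hwm.get(user, entry_price)
        if new_price <= hwm:
            return 0  # user is still recovering a prior loss: no fee
        fee = (new_price - hwm) * shares * PERF_FEE_BPS // BPS_DENOM
        self.hwm[user] = new_price
        return fee


def simulate(prices, shares, user="alice"):
    """Run both fee models over a price path; prices[0] is the entry price.
    Returns (naive_total_fee, hwm_total_fee,
             final_value_after_naive_fees, final_value_after_hwm_fees)."""
    naive_total = 0
    hwm_total = 0
    tracker = HighWaterMarkFees()
    for prev, new in zip(prices, prices[1:]):
        naive_total += fee_from_last_mark(prev, new, shares)
        hwm_total += tracker.collect(user, prices[0], new, shares)
    final = prices[-1] * shares
    return naive_total, hwm_total, final - naive_total, final - hwm_total


if __name__ == "__main__":
    # 10 shares bought at 100 (principal 1000), price falls to 70, recovers to 90:
    # the naive model still charges on the 70->90 "gain" although the user is
    # below their deposit, so the fee comes out of principal.
    print(simulate([100, 70, 90], 10))
```

The first path in the usage call ends with the user below their deposit yet still paying a fee under the naive model; the high-water-mark model charges nothing until the share price exceeds the entry price.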
A critical vulnerability in the Betverse ICO Token contract's transferTokenToLockedAddresses() function was caused by incorrect public visibility, allowing anyone to steal BToken by transferring amounts to arbitrary time lock addresses. The article also covers related access control vulnerabilities in Ocean Protocol and Oasys smart contracts.
Technical writeup of smart contract vulnerabilities found in Ocean Protocol's Hybrid NFT implementation, where on-chain data can be manipulated to exploit contract logic, along with references to other blockchain security issues in Oasys and Eco ecosystems.
An arbitrary method call vulnerability in xDai's Arbitrary Message Bridge (AMB) contracts allowed attackers to execute unauthorized token transfers on behalf of the bridge contracts, exploiting the fact that AMB contracts could inadvertently receive user funds despite not being intended to hold them. The vulnerability was patched by introducing monitoring on Transfer events to identify and protect locked tokens.
A critical logic error in Port Finance's lending protocol allowed attackers to manipulate LTV calculations and liquidation mechanics, potentially stealing $20–25 million. The vulnerability was responsibly disclosed by whitehat nojob via Immunefi, resulting in a $180,000 + $450,000 PORT token bounty and a swift patch by Port Finance.
Alchemix had an access control vulnerability in the setWhitelist() function of AlchemistEth.sol that allowed any user to designate arbitrary addresses as keepers, enabling DoS attacks on harvest() and flush() functions. The vulnerability was patched by adding an onlyGov modifier and renaming the function to setKeepers().
A Facebook bug allowed page admins to unintentionally disclose their admin status by upgrading a page post to a life event, which would then appear on their personal profile and reveal their connection to the page when other users visited it. The vulnerability was fixed within 2 months of disclosure and the researcher received a bounty.
A bug bounty writeup demonstrating SSRF exploitation on a job posting URL field by enumerating open/closed ports on localhost (127.0.0.1) using HTTP/HTTPS requests and observing different HTTP response codes (201 vs 400) to detect port status, leading to internal network reconnaissance.
A security researcher describes discovering 3 vulnerabilities in Yahoo's bug bounty program: two remote code executions via command injection in a Brightroll queue management service (with filter bypass techniques), and an SSRF leading to arbitrary file read via curl flag injection in the Yahoo Small Business image processing endpoint.
A brute-force vulnerability in Oculus's identity verification system allowed bypassing username-change OTP validation by exploiting missing rate limiting on 6-digit verification codes. The attacker tested 1,971 payloads and identified the correct OTP by detecting response length differences (valid: 840 bytes vs invalid: 1152 bytes).
Educational overview of buffer overflow vulnerabilities, explaining how stack-based buffer overflows work, providing vulnerable C code examples, and describing exploitation via return address overwriting with shellcode. Also covers common OS-level mitigations like ASLR, NX bit, and StackGuard.
A CORS misconfiguration on Twitter's Niche platform allowed attackers to bypass origin validation by registering subdomains like 'niche.co.evil.net', enabling theft of private synced posts and user data from Twitter, Facebook, and Instagram through a vulnerable API endpoint.
A researcher discovered an SSRF/XSPA vulnerability in Microsoft's Bing Webmaster Central whose hostname-based filter could be bypassed with the nip.io wildcard DNS service, which resolves a crafted hostname to a loopback address (127.127.127.127), allowing enumeration of local ports and administrative directories.
A pentester discovered a CORS misconfiguration on a mobile app API that accepts arbitrary origins with credentials enabled, allowing potential theft of sensitive account information. The vulnerability required manual exploitation via a proof-of-concept HTML page with injected cookies due to the API's mobile-only scope, resulting in a framework-level issue acknowledgment from the developer.
A security researcher discovered a critical P1 RCE vulnerability in a Jenkins instance by finding it via Shodan, exploiting open registration and the built-in script console to execute arbitrary commands on the server. The misconfiguration resulted from the developer relying on security through obscurity by running Jenkins on a non-standard port.
A researcher discovered an SSRF vulnerability in a crypto exchange platform's image loading endpoint that allowed reading local files via file:// protocol and extracting AWS EC2 metadata credentials from the 169.254.169.254 metadata service, ultimately achieving RCE and receiving a 4-digit bounty.
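The three SSRF reports above (port scanning of 127.0.0.1 via response codes, the nip.io bypass of a hostname filter, and file:// plus the 169.254.169.254 metadata service) all defeat checks that look at the URL string instead of where it leads. The guard below is an added example, not code from any of the affected platforms; its resolver is a constructed stand-in that imitates nip.io so the example runs offline, and a real deployment would call socket.getaddrinfo() and check every address returned. All names are hypothetical.

```python
# Added example, not code from the exchange, Bing, or the job-board writeup:
# a URL guard for a "fetch this image/URL" feature. The resolver is a
# constructed offline stand-in for DNS; all names are hypothetical.
import ipaddress
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}  # None means the scheme's default port


def fake_resolver(hostname):
    """Constructed DNS stand-in. Mimics nip.io ('127.127.127.127.nip.io' ->
    127.127.127.127) and 'localhost'; every other name gets a constructed
    public address. Replace with socket.getaddrinfo() in real code."""
    m = re.fullmatch(r"(?:.+\.)?(\d{1,3}(?:\.\d{1,3}){3})\.nip\.io", hostname)
    if m:
        return [m.group(1)]
    if hostname == "localhost":
        return ["127.0.0.1"]
    return ["8.8.8.8"]


def is_public_address(addr):
    """Reject loopback, link-local (which covers 169.254.169.254), RFC 1918 /
    ULA, multicast, reserved and unspecified addresses, IPv4 and IPv6 alike."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_loopback or ip.is_link_local or ip.is_private
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_fetch_url(url, resolver=fake_resolver):
    """Return (ok, reason, addresses). ok is True only for http(s) URLs on a
    normal web port whose host resolves exclusively to public addresses."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", []  # blocks file://
    host = parts.hostname
    if not host:
        return False, "missing host", []
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port", []
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed", []  # no internal port scans
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP: no DNS needed
    except ValueError:
        addrs = resolver(host)  # hostname: judge it by what it resolves to
    if not addrs:
        return False, "host did not resolve", []
    for a in addrs:
        if not is_public_address(a):
            return False, f"{host} resolves to non-public address {a}", addrs
    return True, "ok", addrs


if __name__ == "__main__":
    for u in ("file:///etc/passwd",
              "http://169.254.169.254/latest/meta-data/",
              "http://127.127.127.127.nip.io/",
              "https://example.com/image.png"):
        print(u, "->", validate_fetch_url(u)[:2])
```

Two caveats a practitioner should carry over into a real fetcher: connect to the address that was validated (pin it) rather than resolving a second time, or a DNS-rebinding host can answer with a public address during the check and a private one for the connection; and fetch with redirects disabled, re-running the validation on every hop, since a 302 to http://169.254.169.254/ is otherwise just as effective as the original URL.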
Researcher discovered an RCE vulnerability on ASUS's RMA portal by bypassing front-end file upload restrictions, uploading an ASP shell to the predictable /uploads directory on IIS 8.5. The vulnerability was patched after disclosure, though the researcher experienced poor communication from ASUS and had to persist to be added to their Hall of Fame.
A researcher discovered an OTP brute-force vulnerability in a login mechanism where missing rate limiting allowed attackers to brute-force 6-digit OTPs by exploiting different response codes for valid/invalid attempts, leading to account takeover. The vulnerability was reported and fixed within a day, earning the researcher a 4-digit bounty payout.
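Both OTP reports (the Oculus username-change flow above and this login flow) rest on the same two facts: nothing bounds the number of guesses, and the response for a correct code differs from the response for a wrong one. The block below is an added example, not code from either writeup: a constructed verifier with those properties, the brute-force loop an attacker would run against it, and a hardened verifier. The user name, the response bodies and the OTP value are hypothetical.

```python
# Added example, not code from the Oculus or the login-flow writeup: a
# constructed OTP verifier with no attempt limit and a response oracle, the
# brute-force loop that exploits it, and a hardened verifier. All names,
# messages and the OTP value are hypothetical.
import hmac
import secrets

OTP_DIGITS = 6


def issue_otp():
    """Generate a fresh 6-digit code from a CSPRNG."""
    return f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"


class VulnerableOtpVerifier:
    """No attempt counter; a valid code and an invalid code yield different
    status codes and body lengths (constructed to mirror the 840 vs 1152 byte
    oracle in the Oculus report)."""

    def __init__(self, otp):
        self._otp = otp

    def verify(self, user, code):
        if code == self._otp:
            return 200, "<html><body>Verified. Your change has been applied.</body></html>"
        return 401, ("<html><body>The code you entered is invalid. Please check "
                     "the message we sent you and try again.</body></html>")


class HardenedOtpVerifier:
    """Fix: bound the failures per challenge and invalidate the code when the
    bound is hit, so an attacker cannot keep guessing; compare in constant
    time; allow a single successful use. The client still learns pass/fail
    (it must), so the oracle is neutralised by the bound, not by hiding it."""

    MAX_FAILURES = 5

    def __init__(self, otp):
        self._otp = otp
        self._failures = 0

    def verify(self, user, code):
        if self._otp is None:
            return 429, '{"result":"locked"}'
        if hmac.compare_digest(code.encode(), self._otp.encode()):
            self._otp = None  # single use
            return 200, '{"result":"accepted"}'
        self._failures += 1
        if self._failures >= self.MAX_FAILURES:
            self._otp = None  # the user must request a new code
            return 429, '{"result":"locked"}'
        return 400, '{"result":"rejected"}'


def brute_force(verifier, user, budget=10 ** OTP_DIGITS):
    """Attacker loop from the writeups: record the first response as the
    'wrong code' baseline (status, body length) and stop at the first response
    that differs. Returns (code_or_None, attempts_made). If the very first
    guess happens to be right the baseline is wrong; the 10^-6 chance is
    ignored here."""
    baseline = None
    for n in range(budget):
        code = f"{n:0{OTP_DIGITS}d}"
        status, body = verifier.verify(user, code)
        if status == 429:
            return None, n + 1  # rate limited or locked out: give up
        signature = (status, len(body))
        if baseline is None:
            baseline = signature
            continue
        if signature != baseline:
            return code, n + 1
    return None, budget


if __name__ == "__main__":
    print(brute_force(VulnerableOtpVerifier("004242"), "victim"))
    print(brute_force(HardenedOtpVerifier("004242"), "victim"))
```

In the usage call the vulnerable verifier gives up the code after 4,243 requests, well inside the 1,971-payload effort reported against Oculus once the attacker starts from a guessed range; the hardened verifier locks the challenge on the fifth failure and rejects the correct code afterwards. A real deployment would keep the failure counter per user and per challenge in shared storage, and would also throttle per source address.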
A CORS bypass technique exploiting improper Origin header validation: the attacker sends an Origin whose hostname begins with the target domain but sits under a domain the attacker controls (e.g., redact.com.attacker.com), which passes a prefix or substring check and so receives credential-enabled responses that leak sensitive account information from the victim site.
Researcher exploited CVE-2017-5638 (Apache Struts2 RCE) in a Yahoo application by discovering a vulnerable .do endpoint and bypassing the WAF using a specially crafted Content-Type header payload, earning a $5,500 bounty from Yahoo through HackerOne.