A security researcher documents two vulnerability submissions against Angle Protocol: a reentrancy vulnerability in the Router.mixer() function enabling fund theft via ERC777 transfer hooks, and a potential vault theft via the mixerVaultManagerPermit() function. Both were rejected through Immunefi despite, in the researcher's assessment, meeting the program's critical-severity criteria. The writeup details the attack vectors, the reasoning process, and the rejection justifications given by the protocol team.
Immunefi's retrospective on Wormhole's critical uninitialized proxy vulnerability in their Ethereum bridge contract, which was responsibly disclosed by researcher satya0x and resulted in a record $10 million bug bounty. The article includes detailed technical explanation of proxy patterns, delegatecall mechanics, and how uninitialized proxies can lead to fund lockup.
A critical vulnerability in Zapper's "Zap Out" contracts allowed attackers to inject arbitrary call data into permit functions, enabling the theft of LP tokens from any user who had approved the contract to spend them. The vulnerability was patched within 24 hours of disclosure, with a $25,000 bounty awarded to the whitehat researcher.
A sign confusion bug in Brahma's PerpV2Controller misinterprets negative accountValue (indicating underwater positions) as positive funds, causing incorrect share calculations during deposits/withdrawals and enabling protocol insolvency through fund extraction.
O3's cross-chain bridge aggregators allow arbitrary address impersonation via the callproxy parameter in exactInputSinglePToken(), enabling attackers to execute swaps using victim-approved funds and redirect outputs to attacker addresses. The vulnerability affects all aggregators across supported chains except when users set MAX_APPROVE.
A consensus bypass vulnerability in Polygon's proof-of-stake system allowed attackers to decrease total staking power and bypass the ⅔ threshold requirement, potentially enabling fund drainage and unlimited withdrawals. The bug required specific market conditions and high capital/time costs to exploit, earning a $75,000 bounty.
Iron Bank's seizeInternal() function in its lending protocol fails to properly account for seized collateral tokens when a buffer exists, leading to under-counted collateral for liquidators and potential unexpected liquidations. The bug occurs when the delta between actual seizable tokens and accounted tokens is not credited to the liquidator's collateral balance.
A critical vulnerability in Q Blockchain's voting mechanism allows attackers to manipulate voting power through improper handling of voting weight delegation and locking logic, particularly in the VotingWeightProxy contract's interaction with voting delegation. The bug was discovered during a bug bounty hunt and rewarded $50,000.
A high-severity griefing vulnerability in Charged Particles' NFT marketplace allowed malicious Proton creators to hold NFTs hostage by setting a ransom contract as the royalties receiver, effectively locking buyers/sellers out of transactions until payment. The bug was fixed and the whitehat researcher received a $5,000 USDC bounty.
A critical vulnerability in the Betverse ICO Token contract's transferTokenToLockedAddresses() function stemmed from the function being marked public instead of internal, allowing attackers to steal BToken funds by repeatedly transferring amounts to attacker-controlled time-lock addresses.
DFX Finance had a critical rounding error vulnerability in the AssimilatorV2 contract where integer division could result in zero tokens being transferred while still minting LP tokens to the attacker. By exploiting the non-standard 2-decimal EURS token, an attacker could repeatedly deposit minimal amounts and drain approximately $237,143 from the vulnerable pool.
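The rounding bug class in the DFX entry above is easier to see with numbers. The following Python model is added here and is not DFX's AssimilatorV2 code: it assumes 18-decimal numeraire accounting, a 2-decimal token at a flat 1:1 rate, and LP minted from the requested amount rather than the amount received. Pool, deposit_vulnerable, deposit_fixed and simulate are this example's own names; the 1000.00 seed and 20,000 repeats are constructed inputs.

```python
# Toy model of the rounding bug class described above. The 18-decimal
# "numeraire" accounting, the 2-decimal token and the flat 1:1 rate are
# assumptions for this example, not DFX's actual AssimilatorV2 logic.
NUMERAIRE_DECIMALS = 18


def tokens_for_numeraire(numeraire_amount, token_decimals):
    """Convert an 18-decimal numeraire amount to raw token units (floors)."""
    return numeraire_amount * 10**token_decimals // 10**NUMERAIRE_DECIMALS


class Pool:
    def __init__(self, token_decimals):
        self.decimals = token_decimals
        self.token_balance = 0   # raw token units actually held by the pool
        self.lp_supply = 0       # LP tokens outstanding (18 decimals)
        self.lp = {}             # holder -> LP balance

    def _mint(self, who, amount):
        self.lp[who] = self.lp.get(who, 0) + amount
        self.lp_supply += amount

    def deposit_vulnerable(self, who, numeraire_amount):
        raw = tokens_for_numeraire(numeraire_amount, self.decimals)
        # safeTransferFrom(who, pool, 0) succeeds and moves nothing ...
        self.token_balance += raw
        # ... but LP is minted from the pre-rounding amount.
        self._mint(who, numeraire_amount)
        return raw

    def deposit_fixed(self, who, numeraire_amount):
        raw = tokens_for_numeraire(numeraire_amount, self.decimals)
        if raw == 0:
            raise ValueError("deposit rounds to zero tokens")
        self.token_balance += raw
        # Credit LP only for what actually arrived, converted back to numeraire.
        credited = raw * 10**NUMERAIRE_DECIMALS // 10**self.decimals
        self._mint(who, credited)
        return credited

    def withdraw_all(self, who):
        share = self.lp.pop(who, 0)
        payout = share * self.token_balance // self.lp_supply
        self.lp_supply -= share
        self.token_balance -= payout
        return payout


def simulate(repeats=20_000, vulnerable=True):
    """Honest LP seeds 1000.00 EURS; attacker repeats a sub-cent deposit.
    Returns the raw EURS units (cents) the attacker withdraws."""
    pool = Pool(token_decimals=2)
    pool.deposit_fixed("honest", 1000 * 10**18)      # 100000 raw units
    dust = 10**16 - 1   # just under 0.01 in numeraire: floors to 0 raw units
    deposit = pool.deposit_vulnerable if vulnerable else pool.deposit_fixed
    for _ in range(repeats):                          # one tx per iteration
        deposit("attacker", dust)
    return pool.withdraw_all("attacker")


if __name__ == "__main__":
    print("attacker extracts", simulate() / 100, "EURS for zero deposit")
```

The fixed variant both refuses a zero-token deposit and mints LP from the received amount; either change alone closes this particular path, but minting from the received amount is the one that also survives a non-unit exchange rate.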
Ankr's and Stader's liquid staking protocols on BSC are vulnerable to sandwich attacks where attackers can stake immediately before reward distribution, capture a disproportionate share of newly minted rewards via the updateRatio() function, and exit with profits via DeFi markets before actual reward distribution occurs. The root cause is that rewards are distributed collectively but users can claim their share immediately despite their capital not being deployed during the staking period.
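A share-based pool makes the sandwich in the entry above concrete. The Python model below is added here and is not Ankr's or Stader's contract code: it assumes a 10,000 BNB pool at a 1:1 share ratio, a 100 BNB epoch reward, and, as one common mitigation rather than the projects' own fix, linear vesting of each reward lump over the following epoch. StakingPool, sandwich_profit and patient_profit are this example's own names.

```python
# Simplified share-based liquid staking pool. The pool size, reward size and
# the linear-streaming mitigation are assumptions for this example, not the
# actual Ankr or Stader contracts.
WAD = 10**18


class StakingPool:
    def __init__(self, staked, streaming=False):
        self.total_staked = staked    # underlying BNB (wei) backing the pool
        self.total_shares = staked    # liquid tokens outstanding; ratio starts at 1
        self.streaming = streaming
        self.pending = 0              # rewards credited but not yet vested
        self.shares = {}

    def stake(self, who, amount):
        minted = amount * self.total_shares // self.total_staked
        self.total_staked += amount
        self.total_shares += minted
        self.shares[who] = self.shares.get(who, 0) + minted
        return minted

    def update_ratio(self, rewards):
        """Epoch rewards arrive in one lump."""
        if self.streaming:
            self.pending += rewards       # vest over the next epoch instead
        else:
            self.total_staked += rewards  # ratio jumps at once: sandwichable

    def accrue(self, elapsed, epoch):
        """Streaming mode: release pending rewards linearly over `epoch`."""
        vested = min(self.pending, self.pending * elapsed // epoch)
        self.pending -= vested
        self.total_staked += vested

    def unstake_all(self, who):
        s = self.shares.pop(who, 0)
        value = s * self.total_staked // self.total_shares
        self.total_shares -= s
        self.total_staked -= value
        return value


def sandwich_profit(streaming):
    """Attacker stakes right before update_ratio and exits right after."""
    pool = StakingPool(staked=10_000 * WAD, streaming=streaming)
    stake = 1_000 * WAD
    pool.stake("attacker", stake)
    pool.update_ratio(rewards=100 * WAD)   # attacker's capital did no work
    pool.accrue(elapsed=0, epoch=86_400)   # exits in the same block
    return pool.unstake_all("attacker") - stake


def patient_profit():
    """Same stake, but the capital stays through the vesting epoch."""
    pool = StakingPool(staked=10_000 * WAD, streaming=True)
    stake = 1_000 * WAD
    pool.stake("staker", stake)
    pool.update_ratio(rewards=100 * WAD)
    pool.accrue(elapsed=86_400, epoch=86_400)
    return pool.unstake_all("staker") - stake


if __name__ == "__main__":
    print("lump-sum ratio update: attacker nets", sandwich_profit(False) / WAD, "BNB")
    print("streamed rewards:      attacker nets", sandwich_profit(True) / WAD, "BNB")
    print("streamed rewards:      patient staker nets", patient_profit() / WAD, "BNB")
```

With a lump-sum update the attacker takes 1000/11000 of the 100 BNB reward for a single block of exposure; with streaming, the same entry and exit yields nothing, while capital that stays for the epoch still earns the same share. Any exit delay or cooldown that spans the vesting window has the same effect.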
A DevOps engineer found, via Shodan reconnaissance, publicly exposed Marathon container orchestration instances whose task scheduling API accepted unauthenticated requests, allowing arbitrary commands to be scheduled and executed as root.
Researcher bypassed WAF protections against Apache Struts CVE-2013-2251 by embedding OGNL RCE payloads within a legitimate redirect parameter, then escalated from remote code execution to root shell via SSH key manipulation and kernel CVE-2013-2094 exploitation.
A bug bounty writeup describing how LaTeX injection in a journal CMS's PDF conversion feature can be exploited to read arbitrary files and achieve remote command execution via crafted LaTeX payloads, escalated to database/Elasticsearch access through SSRF.
A researcher exploited CORS misconfiguration combined with XSS on a subdomain to exfiltrate sensitive user data (email, age, gender, DOB) from a main domain endpoint. By crafting an XSS payload that sends a credentialed XMLHttpRequest to the misconfigured endpoint and exfiltrates the response, the attacker could steal protected user information.
SSRF vulnerability in a PDF generator where HTML filters on the web app were bypassed by inserting payloads via mobile app and using forward-slash character encoding in iframe tags to access internal resources like error logs (elmah.axd).
A bug bounty writeup demonstrating how SSRF vulnerability in a JavaScript-exposed endpoint was exploited to read internal files via the file:// URI scheme, discovered by analyzing unminified JavaScript code for new endpoints.
Researcher discovered RCE via exposed Rails secret token leaked through Rack's ShowExceptions error page enabled on production. By fuzzing the filename parameter with %0d to trigger an exception, they obtained the secret_token used to sign cookies, which they then exploited to achieve remote code execution across two in-scope assets.
Researcher exploited an SSRF vulnerability on Adfly to gain access to the internal SMTP server via the Gopher protocol, enabling unauthorized email sending from the Adfly domain. The attack involved uploading a PHP redirect file to a third-party server that, when visited through Adfly's URL shortening feature, would execute a Gopher payload to interact with the local SMTP service.
A bug bounty hunter discovered RCE by bypassing file upload restrictions through MIME type manipulation in a GET request, which was reflected in subsequent PUT requests, ultimately allowing PHP file upload via php5/php7 extensions when direct PHP upload was blocked.
A guide on detecting race conditions in web applications using Burp Suite's Intruder tool, with specific steps to configure concurrent request threads and demonstrating the vulnerability through real-world examples like balance transfer and gift card exploitation.
A researcher discovered and exploited an SSRF vulnerability in DownNotifier's website monitoring service, using the 0.0.0.0 address (which reaches the local host on most systems but was absent from the loopback deny-list) to bypass filters and enumerate local services (FTP, HTTP) via XSPA timing analysis.
A file upload bypass vulnerability on a crypto trading platform allowing RCE by manipulating Content-Type headers from image/png to text/html, leading to PHP shell execution and database credential extraction for account manipulation. The author demonstrates chaining file upload bypass with RCE and database access to achieve P1 severity.
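The two upload bypasses above (php5/php7 extensions past a ".php" denylist, and a client-chosen Content-Type) fail the same way: the server trusts what the client names the file. The Python check below is added here and is not either platform's code; it contrasts a denylist validator with an allowlist plus magic-bytes validator and a server-assigned storage name. The extension sets, the magic signatures and the function names are this example's choices.

```python
import os
import secrets

# Denylist of the kind the writeups above bypassed (extension variants,
# client-controlled Content-Type), beside an allowlist + magic-bytes check.
# Both are illustrative; neither is the affected platforms' actual code.
BLOCKED_EXT = {".php"}
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def naive_accepts(filename, content_type):
    """Rejects only the literal '.php' extension and one Content-Type value,
    so shell.php5, shell.phtml and a PHP body labelled image/png all pass."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in BLOCKED_EXT and content_type != "application/x-httpd-php"


def hardened_accepts(filename, data):
    """Extension allowlist and the body must carry that type's signature.
    The client's Content-Type header is deliberately not consulted."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXT:
        return False
    return data.startswith(MAGIC[ext])     # bytes.startswith accepts a tuple


def stored_name(filename):
    """Server-assigned name: the client's basename never reaches the disk, so
    double extensions (evil.php.png) collapse to one allowlisted extension.
    A polyglot (valid PNG header followed by PHP) still passes the magic
    check, so the upload directory must also be served without script
    execution; this function cannot enforce that."""
    ext = os.path.splitext(filename)[1].lower()
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    php = b"<?php system($_GET['c']); ?>"
    print("naive   shell.php5 image/png :", naive_accepts("shell.php5", "image/png"))
    print("hardened shell.php5          :", hardened_accepts("shell.php5", php))
    print("hardened shell.png (PHP body):", hardened_accepts("shell.png", php))
    print("stored as:", stored_name("evil.php.png"))
```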
A researcher demonstrates exploiting a race condition vulnerability in a bug bounty program to bypass team member creation limits (creating 4 members instead of the authorized 3) using Burp Suite's Intruder tool with simultaneous request execution.
Researcher discovered SSRF vulnerabilities in Slack's Slash Commands and Event Subscriptions by bypassing IPv6 blacklist protections using HTTP redirects with the [::] hostname notation, earning $1,000 in total bounties.
A practical writeup demonstrating how a race condition vulnerability was exploited to bypass console creation limits on a free-tier web application by sending parallel requests while simultaneously removing resources, allowing a free user to exceed the 2-console restriction.
A race condition vulnerability in a team management feature allows bypassing the free tier's 5-user invitation limit by sending concurrent requests via Burp Intruder with high threading, enabling an attacker to invite 22+ users without upgrading to a paid plan.
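The limit-bypass races in the four entries above (the Intruder guide, team members, consoles, invitations) share one root cause: a check-then-act sequence with nothing making the check and the write atomic. The Python model below is added here and is not taken from any of those writeups. It reproduces the race in-process: a Barrier stands in for the database round-trip between the limit check and the insert, 22 "requests" are released at once the way Burp Intruder's threads are, and the hardened handler holds a lock across check and write. The limit of 5 and the 22 requests mirror the figures quoted above; TeamInvites, fire_concurrent and demo are this example's own names.

```python
import threading


class TeamInvites:
    """Toy server-side model of a free-tier invitation limit (constructed for
    this example, not any real program's code)."""

    def __init__(self, limit, concurrent):
        self.limit = limit
        self.members = []
        self.lock = threading.Lock()
        # The barrier models the window between the limit check and the
        # database write: every concurrent request finishes its check before
        # any of them writes, which is the worst case a real race converges to.
        self.window = threading.Barrier(concurrent)

    def invite_vulnerable(self, email):
        # Check-then-act with no atomicity (time-of-check/time-of-use).
        if len(self.members) >= self.limit:
            return False
        self.window.wait()          # all requests are past the check here
        self.members.append(email)
        return True

    def invite_fixed(self, email):
        # Check and write inside one critical section. In a real backend a
        # row lock (SELECT ... FOR UPDATE) or a CHECK/UNIQUE constraint
        # enforced by the database plays this role.
        with self.lock:
            if len(self.members) >= self.limit:
                return False
            self.members.append(email)
            return True


def fire_concurrent(handler, n):
    """Send n requests at once, as Intruder does with n concurrent threads.
    Returns how many of them the handler accepted."""
    start = threading.Barrier(n)
    results = []
    results_lock = threading.Lock()

    def worker(i):
        start.wait()                # release all threads together
        ok = handler(f"user{i}@example.test")   # constructed input
        with results_lock:
            results.append(ok)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


def demo(limit=5, requests=22):
    vuln = TeamInvites(limit, requests)
    fixed = TeamInvites(limit, requests)
    return {
        "vulnerable": fire_concurrent(vuln.invite_vulnerable, requests),
        "fixed": fire_concurrent(fixed.invite_fixed, requests),
    }


if __name__ == "__main__":
    print(demo())   # vulnerable handler accepts all 22, fixed accepts 5
```

Against a live target the window is not a barrier but network and database latency, so the bypass count varies from run to run; the model forces the worst case so the difference between the two handlers is deterministic.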
A researcher discovered an SSRF vulnerability in a private HackerOne program's screenshot API by bypassing file:// protocol filtering through path manipulation (using file:// with a single slash instead of the usual triple slash, so that the filter's expected prefix never matched) to achieve local file disclosure, specifically reading /etc/passwd via the URL file://s/etc/passwd.
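The SSRF bypasses above (0.0.0.0 against DownNotifier, [::] behind a redirect against Slack, the single-slash file:// URL here, and the file:// read in the JavaScript-endpoint entry) each defeat a deny-list that compares strings instead of classifying what the URL will actually reach. The Python validator below is added here and is not any of those programs' filtering code. It contrasts an exact-match deny-list with a scheme allowlist plus an IP-literal check using the standard ipaddress module, and follows redirects hop by hop so each Location is re-validated. The network is replaced by a constructed fake (FAKE_NET, fake_fetch) so it runs offline; naive_allows, hardened_allows, fetch_with_hop_checks and the probe URLs are this example's own.

```python
import ipaddress
from urllib.parse import urlsplit

# Exact-match deny-list of the kind the filters above relied on.
DENYLIST = {"localhost", "127.0.0.1", "::1"}


def naive_allows(url):
    """Only the hostname is compared, and only against exact strings."""
    host = urlsplit(url).hostname or ""
    return host not in DENYLIST


def hardened_allows(url):
    """Scheme allowlist, then refuse IP literals outside global unicast space.
    Hostnames (including shorthand like '127.1' that ip_address() rejects)
    must be resolved and every resulting address checked; this offline
    version only applies the deny-list to them."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False                        # kills file://, gopher://, etc.
    host = parts.hostname
    if not host:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host not in DENYLIST         # placeholder for resolve-and-check
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped                 # ::ffff:127.0.0.1 -> 127.0.0.1
    # is_global is False for 0.0.0.0 and :: (unspecified), loopback,
    # RFC 1918, link-local such as 169.254.169.254, and similar ranges.
    return ip.is_global


def fetch_with_hop_checks(url, fetch, max_hops=5):
    """Follow redirects manually and validate every hop. `fetch` is injected
    so the example runs offline; a real client would also pin the resolved
    IP for the connection so DNS cannot change between check and use."""
    for _ in range(max_hops):
        if not hardened_allows(url):
            return ("blocked", url)
        status, location, _body = fetch(url)
        if status in (301, 302, 303, 307, 308) and location:
            url = location
            continue
        return ("fetched", url)
    return ("blocked", url)


# Constructed stand-in for the network: attacker host redirects to [::].
FAKE_NET = {
    "http://attacker.example/redir": (302, "http://[::]:8080/admin", b""),
    "http://[::]:8080/admin": (200, None, b"internal service"),
}


def fake_fetch(url):
    return FAKE_NET.get(url, (404, None, b""))


PROBES = [
    "http://0.0.0.0:21/",          # 0.0.0.0 instead of 127.0.0.1
    "http://[::]/",                # IPv6 unspecified address
    "http://[::ffff:127.0.0.1]/",  # IPv4-mapped loopback
    "file://s/etc/passwd",         # single-slash file URL
    "http://169.254.169.254/latest/meta-data/",
    "https://example.com/",
]


def compare(urls=PROBES):
    """Map each probe to (naive verdict, hardened verdict)."""
    return {u: (naive_allows(u), hardened_allows(u)) for u in urls}


if __name__ == "__main__":
    for u, (naive, hard) in compare().items():
        print(f"{u:45} naive={naive!s:5} hardened={hard!s:5}")
    print(fetch_with_hop_checks("http://attacker.example/redir", fake_fetch))
```

The residual gap is name resolution: the hardened check passes any hostname through to the deny-list, so a production filter must resolve the name, check each returned address with the same is_global test, and connect to exactly the address it checked.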
An IDOR vulnerability in Facebook Analytics allows users with analyst roles to access private dashboard charts by manipulating the 'chartID' parameter in a GraphQL request, disclosing chart names and data that should only be visible to the dashboard owner.