bug-bounty404
google392
xss350
microsoft305
facebook274
apple184
exploit182
rce174
malware136
cve107
account-takeover94
csrf86
browser85
writeup69
privilege-escalation66
phishing61
dos60
react59
supply-chain56
bragging-post55
authentication-bypass53
node51
cloudflare51
ssrf49
docker48
aws48
access-control46
reverse-engineering45
smart-contract45
web344
ethereum43
defi42
pentest41
oauth41
sql-injection40
idor35
lfi35
race-condition33
info-disclosure33
smart-contract-vulnerability32
cloud31
buffer-overflow30
wordpress29
auth-bypass29
clickjacking29
subdomain-takeover27
solidity27
vulnerability-disclosure25
web-application24
sqli23
0
8/10
vulnerability
A missing access control and unchecked state transition vulnerability in Alchemist's TimelockConfig.confirmChange() function allows attackers to call confirmChange() without authorization and set arbitrary config parameters to 0, including bricking the admin wallet and mint recipient, which permanently halts token inflation distribution to stakers. The root cause is Solidity's behavior of returning default zero values for non-existent map entries rather than reverting.
smart-contract-vulnerability
access-control
solidity
state-transition
web3
defi
timelock
admin-functions
input-validation
erc20
bug-bounty
Alchemist
Fjord Foundry
TimelockConfig
Aludel
Crucible
StreamV2
MIST token