This article collection documents smart contract vulnerabilities discovered in Web3 projects, including Betverse's public function visibility flaw enabling token theft and Ocean Protocol's unprotected ownerWithdraw function allowing unauthorized fund transfers. These medium to critical severity bugs highlight improper access control in Solidity smart contracts.
A critical vulnerability in the Betverse ICO Token contract's transferTokenToLockedAddresses() function was caused by incorrectly marking it as public instead of internal, allowing attackers to steal BToken by repeatedly transferring funds to their addresses. The article documents this access control misconfiguration discovered during security research on the Immunefi platform.
A security researcher (pwning.eth) disclosed critical smart contract vulnerabilities in blockchain protocols, earning substantial bug bounties including $1M from Moonbeam for discovering a delegatecall design flaw protecting $100M+ in DeFi assets, and $6M for an Aurora Engine vulnerability that could have resulted in 70,000 ETH being stolen.