defi

28 articles
0 2/10
bragging-post

Portfolio page showcasing multiple critical smart contract vulnerabilities disclosed across DeFi protocols, including UUPS proxy initialization flaws, access control bypasses, and token theft vectors. While listing numerous bug bounty successes (>$6.5m rescued), it provides minimal technical depth and primarily serves as a credentials summary.

88mph Polygon KeeperDAO Rivermen NFT OpenZeppelin abwagmi AxonsToken pxMythics Alchemix Ondo Finance Code4rena Immunefi iosiro Hack South YesWeHack BSides Cape Town Damn Vulnerable DeFi yAcademy TrustX Curve Finance
ashiq.co.za · Ashiq Amien · 3 hours ago · details
0 2/10
bragging-post

A portfolio page showcasing multiple critical smart contract vulnerability disclosures across DeFi protocols (88mph, Polygon, KeeperDAO, Alchemix, Ondo Finance) and bug bounty wins totaling over $6.5M in rescued funds, with brief technical descriptions of UUPS proxy exploits, access control flaws, and token theft vulnerabilities.

88mph Polygon KeeperDAO Rivermen NFT OpenZeppelin abwagmi AxonsToken pxMythics Alchemix Ondo Finance Code4rena yAcademy Immunefi iosiro BSides Cape Town Underhanded Solidity Contest Curve Finance
ashiq.co.za · Ashiq Amien · 3 hours ago · details
0 2/10
bug-bounty

Portfolio page showcasing multiple critical smart contract vulnerabilities disclosed across DeFi/NFT protocols, including access control flaws, uninitialized UUPS proxies enabling arbitrary delegatecalls, and broken token transfer functions. Author details bounty payouts and rescued funds across 88mph, Polygon, KeeperDAO, and other projects, with limited technical depth on each vulnerability.

pxMythics 88mph Polygon KeeperDAO Rivermen NFT OpenZeppelin abwagmi AxonsToken Alchemix Ondo Finance Code4rena Immunefi iosiro Damn Vulnerable DeFi Decently Safe DeFi yAcademy Curve Finance BSides Cape Town Dedaub Ashiq Amien
ashiq.co.za · Ashiq Amien · 3 hours ago · details
0 7/10
vulnerability

Threshold Network's L2WormholeGateway contract contained a critical vulnerability allowing attackers to mint unlimited canonical L2 tBTC by exploiting the depositWormholeTbtc function through reentrancy via a malicious ERC20 token's transfer callback. The vulnerability was discovered via Immunefi bug bounty, patched by removing the vulnerable function and adding reentrancy protection, with no funds lost.

Threshold Network tBTC Immunefi Wormhole L2WormholeGateway Arbitrum Base Optimism Polygon Bitcoin
blog.threshold.network · unknown · 3 hours ago · details
0 8/10
vulnerability

A missing access control and unchecked state transition vulnerability in Alchemist's TimelockConfig.confirmChange() function allows any attacker to set arbitrary configuration parameters (including admin and recipient addresses) to zero without initiating the required first step, permanently bricking critical DeFi functions like token minting for staking rewards.

Alchemist Fjord Foundry Aludel Crucible TimelockConfig Dacian gogotheauditor pashovkrum
dacian.me · Dacian · 3 hours ago · details
0 7/10
vulnerability

A round-down arithmetic vulnerability in Astroport's Staking.rs contract allows an attacker to deflate the xASTRO token and break staking for all users by exploiting the absence of minimum liquidity requirements, potentially leading to governance control via vote monopolization.

Astroport ChainLight Immunefi Staking.rs xASTRO ASTRO Uniswap V2 SunSec DeFiHackLabs
defihacklabs.substack.com · ChainLight · 3 hours ago · details
0 9/10
vulnerability

A reentrancy vulnerability in TectonicStakingPoolV3 allows attackers to mint xTonic tokens for free by injecting a malicious token into swap paths during performConversionForTokens() calls, enabling theft of over $2.5M with minimal capital ($23K TONIC). The attack exploits unwhitelisted intermediate swap path tokens to gain execution control and stake during balance calculations.

TectonicStakingPoolV3 0xE165132FdA537FA89Ca1B52A647240c2B84c8F89 TONIC xTonic WCRO VVS AttackerStaker AttackerToken
gist.github.com · 0xDjango · 3 hours ago · details
0 1/10
bragging-post

A portfolio/services page by security auditor Kiki showcasing 50+ smart contract audits and 15+ bug bounties across DeFi protocols, with client testimonials and links to published audit reports, primarily for lending/staking/perpetual trading protocols.

Kiki Enigma Dark Bail Security Guardian Audits Stable Jack Gloop Hyperdrive Camelot Silo Finance Arrakis Finance Ambit Finance GMX Synthetix Orderly Umami EigenLayer
github.com · Kiki · 3 hours ago · details
0 9/10
vulnerability

A vulnerability in Tranchess's ShareStaking contract allows attackers to drain user funds by exploiting a skipped `_checkpoint()` call during rebalance events, causing a mismatch between token total supplies and actual contract balances. The attack leverages the contract's gas optimization technique to manipulate `spareAmount` calculations and steal staked tokens.

Tranchess ShareStaking FundV3 Immunefi Queen Bishop Rook floranguyen0
github.com · Flora · 3 hours ago · details
0 8/10
vulnerability

A high-risk vulnerability in Ondo Finance's TrancheToken smart contract allowed attackers to destroy the uninitialized implementation contract via selfdestruct, causing all proxy contracts to no-op and potentially draining $50m from UniswapStrategy contracts if a minting flag were enabled. The bug was patched immediately after disclosure with no user funds at risk.

Ondo Finance Ashiq Amien iosiro TrancheToken AllPairVault UniswapStrategy Immunefi
iosiro.com · Ashiq Amien · 3 hours ago · details
0
news

This appears to be a landing page or navigation hub for Fraxlend, a DeFi lending protocol, featuring content from Obsidian Audits. The page lacks substantive technical content about specific vulnerabilities or findings.

Fraxlend Obsidian Audits
mirror.xyz · Juan · 3 hours ago · details
0
opinion

A critique of bug bounty program practices, contrasting good practices (fair and timely payments) with bad practices (ignoring disclosures, delayed payments, underpaid bounties) in the context of DeFi protocol security.

Balancer riptide
mirror.xyz · riptide · 3 hours ago · details
0

Article or post about Balancer V2, a decentralized finance protocol on Ethereum. Limited content available in the provided text.

Balancer V2 Kankodu
mirror.xyz · kankodu · 3 hours ago · details
0
vulnerability

Brahma.Fi's collectFees() function incorrectly charges performance fees without accounting for previous losses, causing users to permanently lose funds as fees are collected on unrealized gains. The vulnerability was rejected by Immunefi despite being a critical accounting flaw that will systematically drain user deposits over time due to market volatility.

Brahma.Fi 0x3c4Fe0db16c9b521480c43856ba3196A9fa50E08 Enso Finance Immunefi
trust-security.xyz · Trust · 3 hours ago · details
0
vulnerability

Compound's liquidation mechanism fails to validate that seized assets are actually held as collateral, allowing liquidators to seize any user assets when borrowing becomes undercollateralized, not just those explicitly marked as collateral via enterMarkets().

Compound CVE-2020-26241 AAVE GitHub - compound-finance/compound-protocol/pull/127
trust-security.xyz · Trust · 3 hours ago · details
0
O3
vulnerability

O3 bridge aggregators are vulnerable to token theft through callproxy parameter manipulation in exactInputSinglePToken(), allowing attackers to impersonate approved users and steal their funds when they've approved the aggregator with non-MAX amounts. The vulnerability affects all O3 aggregators across 10+ chains, though the team disputed the severity citing their frontend's default MAX approval behavior.

O3 O3EthereumUniswapV3Aggregator 0x561f712b4659be27efa68043541876a137da532b 0xC11073e2F3EC407a44b1Cff9D5962e6763F71187 0xdAC17F958D2ee523a2206206994597C13D831ec7 0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2 0x1337133713371337133713371337133713371337 0xDjango Immunefi Uniswap V3
trust-security.xyz · Trust · 3 hours ago · details
0
vulnerability

A critical protocol insolvency bug in Fringe.fi's lending platform allows borrowers to withdraw collateral without updating accrued interest, leaving the protocol with undercollateralized positions that cannot be liquidated. The vulnerability exploits the fact that updateInterestInBorrowPositions() is only called when withdrawing the maximum amount, enabling attackers to maintain stale accrual values and manipulate their health factor below the required 1.0 threshold.

Fringe.fi Fringe PIT Compound V2 USDC Frax Share CVE
trust-security.xyz · Trust · 3 hours ago · details
0
vulnerability

ANKR and Stader's liquid staking protocols for BSC are vulnerable to MEV-based sandwich attacks on the updateRatio() reward distribution function, allowing attackers to steal rewards from the pool by depositing before reward updates and withdrawing after, without actually staking their funds for the required period. The vulnerability enables attackers to capture a proportional share of protocol rewards through timing manipulation and DeFi market exits.

ANKR Stader BNB BSC 0xBb1Aa6e59E5163D8722a122cd66EBA614b59df0d
trust-security.xyz · Trust · 3 hours ago · details
0
vulnerability

Iron Bank's CCollateralCapERC20 token fails to enforce the collateralCap invariant during account initialization via initializeAccountCollateralTokens(), allowing the total collateral to exceed the cap and exposing the protocol to liquidation insolvency risks. The vulnerability exists because initialization bypasses the increaseUserCollateralInternal() cap check that other collateral increase operations enforce.

Iron Bank CCollateralCapERC20 0x00e5c0774A5F065c285068170b20393925C84BF3 Puff
trust-security.xyz · Trust · 3 hours ago · details
0
vulnerability

Iron Bank's seizeInternal() function fails to credit liquidators with the correct collateral amount when seizing tokens, undercounting their collateral and potentially triggering unintended liquidations. The bug stems from only increasing collateral by collateralTokens instead of the full seizeTokens amount, with the difference (buffer) not being accounted for.

Iron Bank CCollateralCapERC20.sol 0x7e8844ea4c211a69ad9308ba0b6cdb3ea0bb2b05
trust-security.xyz · Trust · 3 hours ago · details
0
vulnerability

Brahma-Fi's withdrawal mechanism uses Curve's calc_token_amount() function with an incorrect boolean parameter (true instead of false), causing LP token amount calculations to underestimate required withdrawals and leading to batch withdrawal failures. The bug affects both unstaking amounts and LP redemption amounts, resulting in insufficient USDC being withdrawn from the Curve pool.

Brahma-Fi Curve Convex USDC Frax ConvexTradeExecutor
trust-security.xyz · Trust · 3 hours ago · details
0
bug-bounty

A critical vulnerability was discovered in the Oasis Earn service that allows attackers to selfdestruct the OperationExecutor contract through a delegatecall code-reuse attack, exploiting the assumption that executeOp() runs only in the user's DSProxy context. The researcher earned a $20K bounty by chaining arbitrary calldata execution with hardcoded service registry mappings to achieve contract destruction.

Oasis MakerDAO Immunefi Lido Uniswap Etherscan
trust-security.xyz · Trust · 3 hours ago · details
0
vulnerability

A critical access control vulnerability was discovered in oasisDEX's MultiplyProxyActions contract where the recreateTrigger function performs an unsafe delegatecall assuming msg.sender is AutomationBot, allowing external attackers to execute arbitrary code in the command context and potentially access user vault funds or cause system denial of service. The researcher found the vulnerability had already been patched a month prior, highlighting the importance of verifying contract versions against live deployments.

oasisDEX MakerDAO Immunefi MultiplyProxyActions DSProxy DeFiSaver AutomationBot AutomationExecutor BuyCommand SellCommand BaseMPACommand
trust-security.xyz · Trust · 3 hours ago · details
0
vulnerability

A critical bug in Thena's merge() function fails to reset the supply variable when merging two veNFTs, allowing attackers to artificially inflate supply and manipulate weekly emissions, reduce reward distribution, or cause DoS attacks against the protocol. The vulnerability was disclosed to Thena via Immunefi and rewarded $20k.

Thena immunefi trust__90
zzykxx.com · zzykxx · 3 hours ago · details
0

Sherlock disclosed a bug bounty payout related to a yield strategy vulnerability discovered in their Euler integration on July 14, 2022, which posed no immediate risk to funds but could have eventually resulted in loss. The issue was reported via Immunefi and has since been fixed, with the bug bounty payout not impacting Sherlock's staking pool or coverage funds.

Sherlock GothicShanon89238 Immunefi Euler Code Arena
mirror.xyz · GothicShanon89238 · 3 hours ago · details
0
bug-bounty

A security researcher (pwning.eth) disclosed critical smart contract vulnerabilities in blockchain protocols, earning substantial bug bounties including $1M from Moonbeam for discovering a delegatecall design flaw, protecting $100M+ in DeFi assets, and $6M for an Aurora Engine vulnerability that could have resulted in 70,000 ETH being stolen.

Interlay Moonbeam Moonwell Aurora Engine NEAR Protocol WETH Immunefi pwning.eth Ethereum
pwning.mirror.xyz · pwning.eth · 3 hours ago · details
0
bug-bounty

A bug was discovered in Fluidity's reward distribution system, where improper state management in reward function ordering could enable double-claiming of rewards across different batch and manual reward invocations. The vulnerability stems from insufficient tracking of reward claims when multiple batchReward() and manualReward() transactions execute out of order in the mempool.

Fluidity fUSDC AAVE Compound Token.sol WorkerConfig.sol CompoundLiquidityProvider.sol AaveV3LiquidityProvider.sol
trust-security.xyz · Trust · 3 hours ago · details
0 4/10

A guide for Web3 protocol teams on evaluating and selecting smart contract auditors to assess the security of their code, which governs significant amounts of decentralized finance value.

medium.com · Abraham · 14 hours ago · details