Security researcher's portfolio showcasing multiple critical vulnerability disclosures in DeFi and NFT smart contracts, primarily focused on proxy vulnerabilities (UUPS), uninitialized logic contracts, and access control issues that collectively protected over $50M in TVL. While demonstrating significant impact, the article lacks technical depth and primarily lists findings with references to external postmortems rather than detailed exploitation methodology.
Portfolio page showcasing multiple critical smart contract vulnerabilities disclosed across DeFi protocols, including UUPS proxy initialization flaws, access control bypasses, and token theft vectors. While listing numerous bug bounty successes (>$6.5m rescued), it provides minimal technical depth and primarily serves as credentials summary.
A portfolio page showcasing multiple critical smart contract vulnerability disclosures across DeFi protocols (88mph, Polygon, KeeperDAO, Alchemix, Ondo Finance) and bug bounty wins totaling over $6.5M in rescued funds, with brief technical descriptions of UUPS proxy exploits, access control flaws, and token theft vulnerabilities.
Portfolio page showcasing multiple critical smart contract vulnerabilities disclosed across DeFi/NFT protocols, including access control flaws, uninitialized UUPS proxies enabling arbitrary delegatecalls, and broken token transfer functions. Author details bounty payouts and rescued funds across 88mph, Polygon, KeeperDAO, and other projects, with limited technical depth on each vulnerability.
A reentrancy vulnerability in TectonicStakingPoolV3 allows attackers to mint xTonic tokens for free by injecting a malicious token into swap paths during performConversionForTokens() calls, enabling theft of over $2.5M with minimal capital ($23K TONIC). The attack exploits unwhitelisted intermediate swap path tokens to gain execution control and stake during balance calculations.
Morpho Finance's PositionsManager implementation contract can be directly called (bypassing proxy) with arbitrary state mutation via unvalidated delegatecall, potentially allowing attackers to trigger selfdestruct and shut down the system. The vulnerability stems from uninitialized storage pointers and lack of access controls on dangerous delegatecall operations.
A critical vulnerability was discovered in Oasis Earn service that allows attackers to selfdestruct the OperationExecutor contract through a delegatecall code-reuse attack, exploiting the assumption that executeOp() runs only in user's DSProxy context. The researcher earned a $20K bounty by chaining arbitrary calldata execution with hardcoded service registry mappings to achieve contract destruction.
A critical access control vulnerability was discovered in oasisDEX's MultiplyProxyActions contract where the recreateTrigger function performs an unsafe delegatecall assuming msg.sender is AutomationBot, allowing external attackers to execute arbitrary code in the command context and potentially access user vault funds or cause system denial of service. The researcher found the vulnerability had already been patched a month prior, highlighting the importance of verifying contract versions against live deployments.
A security researcher disclosed critical vulnerabilities in Moonbeam and Aurora EVM-based networks, protecting over $100M in DeFi assets and earning $1M+ in bug bounties through the discovery of delegatecall misuse and design flaws in layer-2 solutions. The article also discusses potential insolvency risks in wrapped token protocols like WETH.
A security researcher (pwning.eth) disclosed critical smart contract vulnerabilities in blockchain protocols, earning substantial bug bounties including $1M from Moonbeam for discovering a delegatecall design flaw protecting $100M+ in DeFi assets, and $6M for an Aurora Engine vulnerability that could have resulted in 70,000 ETH being stolen.
A security researcher disclosed critical vulnerabilities in Moonbeam and Aurora Engine smart contracts, earning record bug bounties ($1M from Moonbeam, $6M from Aurora) by identifying delegatecall misuse and design flaws that put over $100M in DeFi assets at risk.