A logic error in Tidal Finance's staking contract on Polygon allowed attackers to claim unearned rewards by exploiting improper state management in the payout process, where user.rewardDebt remained zero after a finalized payout. The vulnerability was patched by moving a critical rewardDebt update line earlier in the execution flow.
Opinion piece criticizing Balancer's bug bounty program practices, highlighting issues with delayed payments, reduced payouts, and poor communication with security researchers.
A reflected XSS vulnerability was discovered in eBay's mobile application through improper sanitization of the itemId parameter, allowing arbitrary JavaScript execution via crafted URLs. The vulnerability was manually identified through input tampering and successfully reported to eBay's security team.