Security researcher's portfolio showcasing multiple critical vulnerability disclosures in DeFi and NFT smart contracts, primarily focused on proxy vulnerabilities (UUPS), uninitialized logic contracts, and access control issues that collectively protected over $50M in TVL. While demonstrating significant impact, the article lacks technical depth and primarily lists findings with references to external postmortems rather than detailed exploitation methodology.
Threshold Network's L2WormholeGateway contract contained a critical vulnerability allowing attackers to mint unlimited canonical L2 tBTC by exploiting the depositWormholeTbtc function through reentrancy via a malicious ERC20 token's transfer callback. The vulnerability was discovered via Immunefi bug bounty, patched by removing the vulnerable function and adding reentrancy protection, with no funds lost.
A missing access control and unchecked state transition vulnerability in Alchemist's TimelockConfig.confirmChange() function allows any attacker to set arbitrary configuration parameters (including admin and recipient addresses) to zero without initiating the required first step, permanently bricking critical DeFi functions like token minting for staking rewards.
Security researcher discovered two critical bugs in Cronos Gravity Bridge: (1) an incorrect ERC-20 deploy event check causing nonce mismatch that halts cross-chain transfers from Ethereum to Cronos, and (2) a malicious token that can disable the entire bridge. The vulnerabilities stem from inadequate validation in the MsgSubmitEthereumEvent handler and token supply checks.
A security researcher earned $10,000 on Immunefi by discovering two related vulnerabilities in DFX Finance: unhandled fee-on-transfer (FoT) tokens that drain liquidity from USDC pairs, and risks from USDC being upgradable, which could introduce breaking changes to the protocol. The submission succeeded through a functional proof-of-concept, real-world impact examples, and actionable remediation recommendations.
Trust Security discovered a class of DOS vulnerabilities affecting 100+ projects that abuse the frontrunnable nature of EIP-2612 Permit function when composed with other contract logic. The vulnerability allows attackers to force transaction reverts by front-running permit() calls, causing griefing attacks that block normal function execution, with $50k in bounties awarded across 15 projects.
A critical integer truncation vulnerability was discovered in Astar's assets-erc20 precompile that allowed attackers to steal approximately $400,000 USD worth of tokens by exploiting how uint256 amounts are truncated to u128 during ERC-20 transfers, enabling zero-token transfers to appear successful. The vulnerability affected smart contracts that relied on the transfer/transferFrom functions without proper validation of the return value.
A critical bug in Thena's reward claiming mechanism prevents veNFT holders from claiming rewards after their lock period expires due to an improper expiry check in the deposit_for function. The vulnerability freezes user rewards and was missed by CodeArena auditors despite affecting forked code from previously audited protocols.
A bug discovered in Fluidity's reward distribution system where improper state management in reward function ordering could enable double-claiming of rewards across different batch and manual reward invocations. The vulnerability stems from insufficient tracking of reward claims when multiple batchReward() and manualReward() transactions execute out of order in the mempool.