A returndata bomb vulnerability in RAI's LiquidationEngine allows an attacker to deploy a malicious whitelisted savior contract that reverts with massive data, exhausting gas during the catch clause and rendering positions unliquidatable—causing protocol bad debt. The researcher disputes Immunefi's downgrade from Medium to None severity, arguing governance whitelisting cannot detect this emergent EVM interaction vulnerability.
Verichains discovered a critical proof forgery vulnerability in Polygon zkEVM's zkProver component stemming from field incompatibilities between STARK (F_p^3) and SNARK (F_q) operations, combined with improper constraints in Merkle root computation and arithmetic gates, allowing generation of counterfeit proofs that could manipulate network state. The vulnerability was patched in December 2023 through constraint additions and operational segregation in the pil-stark library.
Security researcher discovered two critical bugs in Cronos Gravity Bridge: (1) an incorrect ERC-20 deploy event check causing nonce mismatch that halts cross-chain transfers from Ethereum to Cronos, and (2) a malicious token that can disable the entire bridge. The vulnerabilities stem from inadequate validation in the MsgSubmitEthereumEvent handler and token supply checks.
A high-risk vulnerability in Ondo Finance's TrancheToken smart contract allowed attackers to destroy the uninitialized implementation contract via selfdestruct, causing all proxy contracts to no-op and potentially draining $50m from UniswapStrategy contracts if a minting flag were enabled. The bug was patched immediately after disclosure with no user funds at risk.
This appears to be a landing page or navigation hub for Fraxlend, a DeFi lending protocol, featuring content from Obsidian Audits. The page lacks substantive technical content about specific vulnerabilities or findings.
A collection of blockchain security research and bug reports covering vulnerabilities in Oasys L2 blockchain, Eco's lockup contracts, and hybrid NFT attacks on Ocean Protocol. Multiple issues were identified and reported through Immunefi's bug bounty program.
A collection of security research articles covering vulnerabilities in blockchain projects including Oasys (a gaming-focused Ethereum L2), Eco's lockup contracts, and Ocean Protocol's hybrid NFT implementation where on-chain data modifications can be exploited. Multiple bugs are documented with disclosure timelines and remediation details.
Article or post about Balancer V2, a decentralized finance protocol on Ethereum. Limited content available in the provided text.
This article collection documents smart contract vulnerabilities discovered in Web3 projects, including Betverse's public function visibility flaw enabling token theft and Ocean Protocol's unprotected ownerWithdraw function allowing unauthorized fund transfers. These medium to critical severity bugs highlight improper access control in Solidity smart contracts.
Brahma.Fi's collectFees() function incorrectly charges performance fees without accounting for previous losses, causing users to permanently lose funds as fees are collected on unrealized gains. The vulnerability was rejected by Immunefi despite being a critical accounting flaw that will systematically drain user deposits over time due to market volatility.
O3 bridge aggregators are vulnerable to token theft through callproxy parameter manipulation in exactInputSinglePToken(), allowing attackers to impersonate approved users and steal their funds when they've approved the aggregator with non-MAX amounts. The vulnerability affects all O3 aggregators across 10+ chains, though the team disputed the severity citing their frontend's default MAX approval behavior.
A critical protocol insolvency bug in Fringe.fi's lending platform allows borrowers to withdraw collateral without updating accrued interest, leaving the protocol with undercollaterized positions that cannot be liquidated. The vulnerability exploits the fact that updateInterestInBorrowPositions() is only called when withdrawing the maximum amount, enabling attackers to maintain stale accrual values and manipulate their health factor below the required 1.0 threshold.
Iron Bank's CCollateralCapERC20 token fails to enforce the collateralCap invariant during account initialization via initializeAccountCollateralTokens(), allowing the total collateral to exceed the cap and exposing the protocol to liquidation insolvency risks. The vulnerability exists because initialization bypasses the increaseUserCollateralInternal() cap check that other collateral increase operations enforce.
Iron Bank's seizeInternal() function fails to credit liquidators with the correct collateral amount when seizing tokens, undercounting their collateral and potentially triggering unintended liquidations. The bug stems from only increasing collateral by collateralTokens instead of the full seizeTokens amount, with the difference (buffer) not being accounted for.
ANKR's distributeRewards() function on BSC receives 12,300 gas per call instead of the intended 10,000 due to the protocol's 2,300 free gas stipend for value transfers, increasing gas costs and slightly elevating reentrancy attack risk, though the gas amount remains below typical exploit thresholds.
Morpho Finance's PositionsManager implementation contract can be directly called (bypassing proxy) with arbitrary state mutation via unvalidated delegatecall, potentially allowing attackers to trigger selfdestruct and shut down the system. The vulnerability stems from uninitialized storage pointers and lack of access controls on dangerous delegatecall operations.
Trust Security discovered a class of DOS vulnerabilities affecting 100+ projects that abuse the frontrunnable nature of EIP-2612 Permit function when composed with other contract logic. The vulnerability allows attackers to force transaction reverts by front-running permit() calls, causing griefing attacks that block normal function execution, with $50k in bounties awarded across 15 projects.
A critical vulnerability was discovered in Oasis Earn service that allows attackers to selfdestruct the OperationExecutor contract through a delegatecall code-reuse attack, exploiting the assumption that executeOp() runs only in user's DSProxy context. The researcher earned a $20K bounty by chaining arbitrary calldata execution with hardcoded service registry mappings to achieve contract destruction.
A critical access control vulnerability was discovered in oasisDEX's MultiplyProxyActions contract where the recreateTrigger function performs an unsafe delegatecall assuming msg.sender is AutomationBot, allowing external attackers to execute arbitrary code in the command context and potentially access user vault funds or cause system denial of service. The researcher found the vulnerability had already been patched a month prior, highlighting the importance of verifying contract versions against live deployments.
A security researcher disclosed critical vulnerabilities in Moonbeam and Aurora EVM-based networks, protecting over $100M in DeFi assets and earning $1M+ in bug bounties through the discovery of delegatecall misuse and design flaws in layer-2 solutions. The article also discusses potential insolvency risks in wrapped token protocols like WETH.
A security researcher (pwning.eth) disclosed critical smart contract vulnerabilities in blockchain protocols, earning substantial bug bounties including $1M from Moonbeam for discovering a delegatecall design flaw protecting $100M+ in DeFi assets, and $6M for an Aurora Engine vulnerability that could have resulted in 70,000 ETH being stolen.
A security researcher disclosed critical vulnerabilities in Moonbeam and Aurora Engine smart contracts, earning record bug bounties ($1M from Moonbeam, $6M from Aurora) by identifying delegatecall misuse and design flaws that put over $100M in DeFi assets at risk.
A bug discovered in Fluidity's reward distribution system where improper state management in reward function ordering could enable double-claiming of rewards across different batch and manual reward invocations. The vulnerability stems from insufficient tracking of reward claims when multiple batchReward() and manualReward() transactions execute out of order in the mempool.
Technical writeup identifying six common vulnerability patterns in ERC-4337 smart account implementations, starting with incorrect access control on execute functions that can allow unauthorized fund drainage. The article covers ERC-4337 architecture basics and demonstrates vulnerable vs. secure code patterns for smart account development.