An analysis of how bug-fix attempts in the RAI protocol's debt auctions introduced critical vulnerabilities while addressing low-severity issues, alongside technical exploration of EVM bit masking operations and assembly-level smart contract optimization techniques.
A low-severity bug in the TypedMemView library's isValid function was caused by incorrect use of the bitwise NOT instruction instead of the ISZERO instruction in Yul assembly, causing the function to always return true regardless of whether memory bounds were valid. The bug was responsibly disclosed to Nomad, patched by replacing 'not' with 'iszero', and publicly documented.
Story Network's postmortem analysis reveals two critical vulnerabilities discovered during mainnet launch. The first issue allowed attackers to create arbitrarily large EVM transaction payloads (>4MB) that would cause validator crashes and network shutdown through JSON marshalling inefficiencies and inadequate block size validation inherited from Octane codebase.
A security researcher disclosed critical vulnerabilities in Moonbeam and Aurora EVM-based networks, protecting over $100M in DeFi assets and earning $1M+ in bug bounties through the discovery of delegatecall misuse and design flaws in layer-2 solutions. The article also discusses potential insolvency risks in wrapped token protocols like WETH.
A security researcher disclosed critical vulnerabilities in Moonbeam and Aurora Engine smart contracts, earning record bug bounties ($1M from Moonbeam, $6M from Aurora) by identifying delegatecall misuse and design flaws that put over $100M in DeFi assets at risk.