Two high-severity denial-of-service vulnerabilities were discovered in Stargate's LayerZero integration: (1) a Solidity try/catch quirk where calling non-contract addresses bypasses exception handling and permanently freezes message channels, and (2) a gas exhaustion attack leveraging excessive SSTORE operations (22.1k gas per operation) in the catch clause when storing malicious payloads. Both are capable of blocking bridged message delivery across chains.
A critical returndata bomb vulnerability in RAI's LiquidationEngine allows malicious savior contracts to crash liquidations by reverting with massive return data, causing out-of-gas errors and creating unliquidatable positions that lead to protocol bad debt. The vulnerability was acknowledged as technically valid but dismissed as out-of-scope due to savior whitelisting, with Immunefi reversing its initial Medium severity recommendation to None without new technical justification.