Security researcher discovered two critical bugs in Cronos Gravity Bridge: (1) an incorrect ERC-20 deploy event check causing nonce mismatch that halts cross-chain transfers from Ethereum to Cronos, and (2) a malicious token that can disable the entire bridge. The vulnerabilities stem from inadequate validation in the MsgSubmitEthereumEvent handler and token supply checks.
SQL injection vulnerability discovered on tw.stock.yahoo.com in the getjson.php endpoint where double URL decoding bypass allowed unescaped single quotes in the 's' parameter, enabling attackers to execute arbitrary SQL queries with root database privileges. The vulnerability leveraged insufficient input validation combined with incomplete quote stripping after the first decode pass.
Researcher Josip Franjković documented multiple race condition vulnerabilities discovered in Facebook, DigitalOcean, and LastPass that allowed attackers to bypass single-action restrictions by sending concurrent requests—including inflating page reviews, creating multiple usernames, and redeeming promo codes multiple times. All bugs were subsequently fixed and disclosed through responsible disclosure timelines.