proof-of-concept

5 articles
0 8/10
vulnerability

A missing access control and unchecked state transition vulnerability in Alchemist's TimelockConfig.confirmChange() function allows any attacker to set arbitrary configuration parameters (including admin and recipient addresses) to zero without initiating the required first step, permanently bricking critical DeFi functions like token minting for staking rewards.

Alchemist Fjord Foundry Aludel Crucible TimelockConfig Dacian gogotheauditor pashovkrum
dacian.me · Dacian · 4 hours ago
0 9/10
vulnerability

A reentrancy vulnerability in TectonicStakingPoolV3 allows attackers to mint xTonic tokens for free by injecting a malicious token into swap paths during performConversionForTokens() calls, enabling theft of over $2.5M with minimal capital ($23K TONIC). The attack exploits unwhitelisted intermediate swap path tokens to gain execution control and stake during balance calculations.

TectonicStakingPoolV3 0xE165132FdA537FA89Ca1B52A647240c2B84c8F89 TONIC xTonic WCRO VVS AttackerStaker AttackerToken
gist.github.com · 0xDjango · 4 hours ago
0
bug-bounty

A security researcher earned $10,000 on Immunefi by discovering two related vulnerabilities in DFX Finance: unhandled fee-on-transfer (FoT) tokens that drain liquidity from USDC pairs, and risks from USDC being upgradable, which could introduce breaking changes to the protocol. The submission succeeded through a functional proof-of-concept, real-world impact examples, and actionable remediation recommendations.

DFX Finance Beirao Code4Arena Immunefi Trail of Bits USDC EURT GYEN PAXG USDT Uniswap SEC
beirao.xyz · Beirao · 4 hours ago
0

A security researcher discovered a CORS misconfiguration on a mobile app API that accepted arbitrary origins and included Access-Control-Allow-Credentials, allowing credential-based requests from attacker-controlled domains. Despite identifying the vulnerability, exploitation was limited due to high attack complexity (API only accessible in mobile app), though a proof-of-concept demonstrated the ability to exfiltrate sensitive account information when credentials were available in the browser.

Smaran Chand Bugcrowd Frida Burpsuite Firefox XMLHttpRequest
smaranchand.com.np · devanshbatham/Awesome-Bugbounty-Writeups · 4 hours ago
0
vulnerability

MySQL clients can be abused via the LOAD DATA LOCAL INFILE feature to exfiltrate arbitrary files from the client machine by setting up a fake MySQL server that bypasses authentication and sends malicious payloads. This exploitation technique works because MySQL clients trust server-sent commands after authentication, allowing attackers to read sensitive files like /etc/hosts from compromised systems.

MySQL PHP 7.0.32 MySQL 8.0.13 MySQL 5.7.24
vesiluoma.com · devanshbatham/Awesome-Bugbounty-Writeups · 4 hours ago