bug-bounty622
facebook479
xss316
google174
microsoft120
rce102
apple72
csrf60
web355
account-takeover53
writeup51
exploit43
sqli41
dos36
ssrf34
cve33
cloudflare32
privilege-escalation29
defi28
malware27
node26
smart-contract-vulnerability25
idor25
subdomain-takeover24
clickjacking23
smart-contract23
ethereum23
access-control21
react21
vulnerability-disclosure21
reverse-engineering20
auth-bypass19
aws19
remote-code-execution18
lfi18
cloud17
docker17
cors17
oauth17
supply-chain17
race-condition17
info-disclosure16
browser14
authentication-bypass14
solidity14
phishing14
denial-of-service11
sql-injection11
delegatecall11
wordpress10
0
8/10
vulnerability
A high-risk vulnerability in Ondo Finance's TrancheToken smart contract allowed attackers to destroy the uninitialized implementation contract via selfdestruct, causing all proxy contracts to no-op and potentially draining $50m from UniswapStrategy contracts if a minting flag were enabled. The bug was patched immediately after disclosure with no user funds at risk.
smart-contract
vulnerability
proxy-pattern
selfdestruct
uninitialized-contract
ethereum
solidity
bug-bounty
defi
access-control
Ondo Finance
Ashiq Amien
iosiro
TrancheToken
AllPairVault
UniswapStrategy
Immunefi
0
vulnerability
Morpho Finance's PositionsManager implementation contract can be directly called (bypassing proxy) with arbitrary state mutation via unvalidated delegatecall, potentially allowing attackers to trigger selfdestruct and shut down the system. The vulnerability stems from uninitialized storage pointers and lack of access controls on dangerous delegatecall operations.
smart-contract
delegatecall
storage-corruption
access-control
data-validation
uninitialized-data
ethereum
solidity
proxy-pattern
selfdestruct
storage-collision
Morpho Finance
PositionsManager
MorphoStorage
interestRatesManager