A high-severity DoS vulnerability in Sui's Narwhal consensus layer allowed attackers to crash validator nodes via Out-of-Memory (OOM) attacks by sending a single malicious request with 1.2M certificate digests (37MB payload), bypassing the absence of response limits and timeout handling in the get_certificates() function. The vulnerability was patched by removing the vulnerable GetCertificates and GetPayloadAvailability handlers, with the researcher earning a $50,000 SUI bounty.
Threshold Network's L2WormholeGateway contract contained a critical vulnerability allowing attackers to mint unlimited canonical L2 tBTC by exploiting the depositWormholeTbtc function through reentrancy via a malicious ERC20 token's transfer callback. The vulnerability was discovered via Immunefi bug bounty, patched by removing the vulnerable function and adding reentrancy protection, with no funds lost.
A critical vulnerability in Axelar Network allowed attackers to force validators to miss votes by crafting transactions with excessive logs that exceed Tendermint's 1MB RPC request limit, leading to automatic Chain Maintainer deregistration and potential halt of cross-chain operations. The vulnerability has been patched via governance proposal 256 disabling the auto-deregistration mechanism.
A critique of bug bounty program practices, contrasting good practices (fair and timely payments) with bad practices (ignoring disclosures, delayed payments, underpaid bounties) in the context of DeFi protocol security.
An article discussing best practices and common pitfalls in running bug bounty programs, using Balancer's Merkle Orchard as a case study to critique inadequate bounty management including poor communication, payment delays, and misrepresentation of bounty amounts.
A data sanitization vulnerability in Instagram Web's Notes feature allowed users to extract original video files with audio by copying the video URL from browser DevTools, bypassing the intended silent playback design. The vulnerability was specific to certain server nodes and was fixed after responsible disclosure to Meta, earning a $1,000 bounty.
A researcher discovered an RCE vulnerability on ASUS's RMA portal by bypassing front-end file upload restrictions and uploading an ASP webshell to the predictable /uploads directory on Microsoft-IIS 8.5. The vulnerability was disclosed responsibly and eventually patched, though ASUS's response was slow and the researcher reported poor communication from the vendor.
A researcher discovered a sandbox escape vulnerability in HackerEarth's Theia IDE that allowed remote code execution by accessing the disabled terminal through VS Code's 'Task: Run selected text' command. The exploit enabled reading AWS credentials, SSL certificates, and other sensitive system files from the underlying infrastructure.
A race condition vulnerability in Facebook chat groups allows an attacker to become invisible in group conversations while maintaining full read/write access and the ability to add/remove users without triggering read receipts. By rapidly adding and removing a target user from a group conversation, an attacker can exploit timing flaws to spy on private group messages undetected.