A returndata bomb vulnerability in RAI's LiquidationEngine allows an attacker to deploy a malicious whitelisted savior contract that reverts with massive return data, exhausting gas in the catch clause and rendering positions unliquidatable, which causes protocol bad debt. The researcher disputes Immunefi's downgrade of the severity from Medium to None, arguing that governance whitelisting cannot detect this emergent EVM interaction vulnerability.
Two high-severity denial-of-service vulnerabilities were discovered in Stargate, LayerZero's liquidity layer. Bug #1 exploits a Solidity quirk in which try/catch statements revert when calling non-contract addresses, allowing attackers to permanently freeze message channels by targeting non-existent contracts with swap payloads. Bug #2 abuses SSTORE gas costs to create payloads that exceed the 175k gas budget allocated for cross-chain message delivery, causing out-of-gas reverts that block the entire bridge channel.