A portfolio page showcasing multiple critical smart contract vulnerability disclosures across DeFi protocols (88mph, Polygon, KeeperDAO, Alchemix, Ondo Finance) and bug bounty wins totaling over $6.5M in rescued funds, with brief technical descriptions of UUPS proxy exploits, access control flaws, and token theft vulnerabilities.
A round-down arithmetic vulnerability in Astroport's Staking.rs contract allows an attacker to deflate the xASTRO token and break staking for all users by exploiting the absence of minimum liquidity requirements, potentially leading to governance control via vote monopolization.
A critical rounding convention bug in Vesu's Singleton liquidation contract allowed attackers to steal user funds through malicious pool extension contracts, flashloans, and improper handling of the receive_as_shares flag. The vulnerability was discovered via Immunefi bug bounty, remediated by removing the affected liquidation logic and whitelisting pool extensions within 5 days.
A reentrancy vulnerability in TectonicStakingPoolV3 allows attackers to mint xTonic tokens for free by injecting a malicious token into swap paths during performConversionForTokens() calls, enabling theft of over $2.5M with minimal capital ($23K TONIC). The attack exploits unwhitelisted intermediate swap path tokens to gain execution control and stake during balance calculations.
A high-risk vulnerability in Ondo Finance's TrancheToken smart contract allowed attackers to destroy the uninitialized implementation contract via selfdestruct, causing all proxy contracts to no-op and potentially draining $50m from UniswapStrategy contracts if a minting flag were enabled. The bug was patched immediately after disclosure with no user funds at risk.
This appears to be a landing page or navigation hub for Fraxlend, a DeFi lending protocol, featuring content from Obsidian Audits. The page lacks substantive technical content about specific vulnerabilities or findings.
Security researcher Merkle Bonsai documents a hybrid NFT vulnerability in Ocean Protocol where on-chain Data Description Objects (DDOs) can be modified to enable attacks, exploiting the protocol's reliance on modifiable on-chain data structures. The article discusses how these hybrid attacks work and references previous analysis of Ocean Protocol's design vulnerabilities.
A collection of blockchain security research and bug reports covering vulnerabilities in Oasys L2 blockchain, Eco's lockup contracts, and hybrid NFT attacks on Ocean Protocol. Multiple issues were identified and reported through Immunefi's bug bounty program.
A collection of security research articles covering vulnerabilities in blockchain projects including Oasys (a gaming-focused Ethereum L2), Eco's lockup contracts, and Ocean Protocol's hybrid NFT implementation where on-chain data modifications can be exploited. Multiple bugs are documented with disclosure timelines and remediation details.
Article or post about Balancer V2, a decentralized finance protocol on Ethereum. Limited content available in the provided text.
Quantish is a security research organization that performs vulnerability research and analysis on code, focusing on identifying severe security problems rather than conducting traditional audits. The article appears to be a homepage or profile page for the Quantish security research service.
A critical vulnerability in the Betverse ICO Token contract's transferTokenToLockedAddresses() function was caused by incorrectly marking it as public instead of internal, allowing attackers to steal BToken by repeatedly transferring funds to their addresses. The article documents this access control misconfiguration discovered during security research on the Immunefi platform.
An analysis of how bug-fix attempts in the RAI protocol's debt auctions introduced critical vulnerabilities while addressing low-severity issues, alongside technical exploration of EVM bit masking operations and assembly-level smart contract optimization techniques.
Iron Bank's seizeInternal() function fails to credit liquidators with the correct collateral amount when seizing tokens, undercounting their collateral and potentially triggering unintended liquidations. The bug stems from only increasing collateral by collateralTokens instead of the full seizeTokens amount, with the difference (buffer) not being accounted for.
Two high-severity Denial of Service vulnerabilities discovered in Stargate, LayerZero's liquidity layer: Bug #1 exploits a Solidity quirk where try/catch statements revert when calling non-contract addresses, allowing attackers to permanently freeze message channels by targeting non-existent contracts with swap payloads; Bug #2 abuses SSTORE gas costs to create payloads exceeding the 175k gas budget allocated for cross-chain message delivery, causing out-of-gas reverts that block the entire bridge channel.
ANKR's distributeRewards() function on BSC receives 12,300 gas per call instead of the intended 10,000 due to the protocol's 2,300 free gas stipend for value transfers, increasing gas costs and slightly elevating reentrancy attack risk, though the gas amount remains below typical exploit thresholds.
Brahma-Fi's withdrawal mechanism uses Curve's calc_token_amount() function with an incorrect boolean parameter (true instead of false), causing LP token amount calculations to underestimate required withdrawals and leading to batch withdrawal failures. The bug affects both unstaking amounts and LP redemption amounts, resulting in insufficient USDC being withdrawn from the Curve pool.
Morpho Finance's PositionsManager implementation contract can be directly called (bypassing proxy) with arbitrary state mutation via unvalidated delegatecall, potentially allowing attackers to trigger selfdestruct and shut down the system. The vulnerability stems from uninitialized storage pointers and lack of access controls on dangerous delegatecall operations.
Trust Security discovered a class of DOS vulnerabilities affecting 100+ projects that abuse the frontrunnable nature of EIP-2612 Permit function when composed with other contract logic. The vulnerability allows attackers to force transaction reverts by front-running permit() calls, causing griefing attacks that block normal function execution, with $50k in bounties awarded across 15 projects.
A critical bug in Thena's merge() function fails to reset the supply variable when merging two veNFTs, allowing attackers to artificially inflate supply and manipulate weekly emissions, reduce reward distribution, or cause DOS attacks against the protocol. The vulnerability was disclosed to Thena via Immunefi and rewarded $20k.
Sherlock disclosed a bug bounty payout related to a yield strategy vulnerability discovered in their Euler integration on July 14, 2022, which posed no immediate risk to funds but could have eventually resulted in loss. The issue was reported via Immunefi and has since been fixed, with the bug bounty payout not impacting Sherlock's staking pool or coverage funds.
A bug discovered in Fluidity's reward distribution system where improper state management in reward function ordering could enable double-claiming of rewards across different batch and manual reward invocations. The vulnerability stems from insufficient tracking of reward claims when multiple batchReward() and manualReward() transactions execute out of order in the mempool.
A Web3-focused article exploring Insecure Direct Object Reference (IDOR) vulnerabilities in blockchain applications, using the metaphor of an unlocked bank vault to illustrate authorization flaws that allow unauthorized access to resources.
Technical writeup identifying six common vulnerability patterns in ERC-4337 smart account implementations, starting with incorrect access control on execute functions that can allow unauthorized fund drainage. The article covers ERC-4337 architecture basics and demonstrates vulnerable vs. secure code patterns for smart account development.