A critical type-confusion vulnerability in Polygon's Heimdall consensus layer allowed rogue validators to forge StakeUpdate events without proper type verification, potentially enabling validator takeover and fraudulent bridge events affecting $2B+ in locked assets. The flaw stemmed from incomplete event signature validation in the UnpackLog function, which did not verify that the log's event topic hash matched the event it was being decoded as.
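The missing check, shown as an added, self-contained Go example that is not Heimdall's or go-ethereum's code: the unchecked decoder trusts the caller's choice of event and reads whatever argument words the log carries, while the hardened form first compares Topics[0] against the expected event ID. The StakeUpdate field layout and the event ID constants are constructed placeholders, not the contract's real ABI or keccak256 hashes.

```go
package main

import (
	"fmt"
	"math/big"
)

// Hash is a 32-byte value, the width of an EVM log topic.
type Hash [32]byte

// Log is a minimal stand-in for an EVM event log: Topics[0] is the event
// signature hash, Topics[1:] the indexed args, Data the non-indexed args as 32-byte words.
type Log struct {
	Topics []Hash
	Data   []byte
}

// StakeUpdate uses a constructed, simplified layout (validatorId indexed,
// newAmount in Data), not the contract's real ABI.
type StakeUpdate struct {
	ValidatorID *big.Int
	NewAmount   *big.Int
}

// Placeholder signature hashes, not the real keccak256 event IDs.
var (
	StakeUpdateID = Hash{0x11, 0x22, 0x33}
	OtherEventID  = Hash{0xaa, 0xbb, 0xcc}
)

// UnpackUnchecked never consults Topics[0], so any log with enough topics
// and data decodes "as" a StakeUpdate: the missing check the summary describes.
func UnpackUnchecked(l Log) (StakeUpdate, error) {
	if len(l.Topics) < 2 || len(l.Data) < 32 {
		return StakeUpdate{}, fmt.Errorf("log too short for StakeUpdate layout")
	}
	return StakeUpdate{
		ValidatorID: new(big.Int).SetBytes(l.Topics[1][:]),
		NewAmount:   new(big.Int).SetBytes(l.Data[:32]),
	}, nil
}

// UnpackStakeUpdate is the hardened form: the signature hash in Topics[0]
// must equal the expected event ID before any argument is decoded.
func UnpackStakeUpdate(l Log) (StakeUpdate, error) {
	if len(l.Topics) == 0 || l.Topics[0] != StakeUpdateID {
		return StakeUpdate{}, fmt.Errorf("event signature mismatch: not a StakeUpdate log")
	}
	return UnpackUnchecked(l)
}
```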
Researchers automated Java deserialization gadget chain discovery using LLM-driven analysis combined with static call graph analysis, and found novel chains against WildFly and other application servers. The methodology uses WALA-based call graph construction, dynamic bytecode analysis to identify type-confusion gadgets, and Claude Code to iteratively explore and validate candidate gadget chains through a REST API query interface.