7/10
vulnerability
The init() function in 88mph's CRV:RENWBTC, CRV:STETH, and yaLink pools lacked the onlyOwner and initializer modifiers, so anyone could call it multiple times and take ownership of the NFT contracts to mint/burn user deposits. Approximately $6.5M was at risk of theft; the vulnerability was responsibly disclosed and patched via whitehack.
smart-contract-vulnerability
access-control
initialization-bug
ethereum
defi
bug-bounty
whitehack
privilege-escalation
nft
unprotected-function
88mph
Immunefi
Ashiq Amien
iosiro
Duncan Townsend
CVE-2021-41119