This page is for any content relevant to this blog that does not have its own blog post.
🛹 Critical vulnerability disclosed to lending protocol 88mph
🧪 High risk vulnerability disclosed to DeFi protocol Alchemix
🧱 Critical vulnerability disclosed to Polygon
I disclosed a denial-of-service bug to Polygon affecting their StakeManagerProxy smart contract and its dependent contracts. Technical details around this vulnerability can be found in the post by iosiro and Polygon.
🏌️ Critical vulnerability disclosed to four DeFi/NFT projects and escalated to OpenZeppelin
I disclosed a critical bug to four DeFi/NFT projects, protecting the following TVLs (>$50m in total) from permanent hack damage:
- KeeperDAO: ~$44m worth of tokens
- Rivermen NFT: ~$6.95m worth of NFTs
- redacted project: <$2m worth of NFTs
- redacted project: <$500k worth of tokens
The root of the critical bug was an uninitialized logic contract behind a UUPS proxy, leading to an arbitrary delegatecall, which could be used with a selfdestruct instruction. The severity was heightened since, by default, UUPS proxies have no external upgrade functions of their own (the upgrade logic lives in the implementation contract), so a selfdestruct call on the implementation would permanently impair the proxy contract, rendering all funds permanently inaccessible.
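The mitigation for this class of bug is to make sure the implementation (logic) contract can never be initialized by anyone once deployed, since the proxy only ever uses it via delegatecall and never needs the implementation's own storage to be set up. Below is an added example, not code from this blog or from any of the affected projects, of an implementation contract whose constructor locks its own initializers; it assumes OpenZeppelin `contracts-upgradeable` 4.6 or later (where `_disableInitializers()` was introduced) and the contract name `Vault` is hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";

/// Hypothetical UUPS implementation contract (added example, not from the page).
contract Vault is Initializable, UUPSUpgradeable, OwnableUpgradeable {
    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // The constructor runs only in the implementation's own storage
        // context, never through the proxy. Marking the implementation as
        // fully initialized here means no one can later call initialize()
        // directly on the logic contract and claim ownership of it.
        _disableInitializers();
    }

    /// Called once, through the proxy, by the deployer.
    /// The `initializer` modifier guards against a second call.
    function initialize() public initializer {
        __Ownable_init();
        __UUPSUpgradeable_init();
    }

    /// UUPS upgrade authorisation: only the proxy's owner may upgrade.
    function _authorizeUpgrade(address newImplementation)
        internal
        override
        onlyOwner
    {}
}
```

Deployment checklist that follows from this: after deploying, confirm that calling `initialize()` on the implementation address (not the proxy) reverts, and that `owner()` read through the proxy is the intended account. OpenZeppelin's `UUPSUpgradeable` since 4.3.2 additionally guards `upgradeTo`/`upgradeToAndCall` with an `onlyProxy` modifier, so that those functions revert when called on the implementation directly rather than through a proxy; using a current library version and locking initializers in the constructor together remove both halves of the issue described above.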
🕵️ Undisclosed vulnerabilities
I’ve reported bugs that were confirmed by the respective team, but they’ve asked to redact the bug details in the interim. If this changes in the future, I’ll update the list below and include the details once I have permission.
- Medium risk bug reported to and confirmed by redacted project 1.
- High risk bug reported to and confirmed by redacted project 2.
- High risk bug reported to and confirmed by redacted project 3.
🥊 Code 4rena contests
I occasionally participate in Code 4rena contests, usually quite loosely. You can find my progress on the leaderboard under the alias toastedsteaksandwich. I’ve submitted at least one valid issue to the following contests: