Vulnerability disclosures
🛹 Critical vulnerability disclosed to lending protocol 88mph
I disclosed a critical bug to the fixed-rate lending protocol 88mph and helped rescue over $6.5m. Technical details around this vulnerability can be found at the posts by iosiro and Immunefi.
This bug was also eligible for the Founders Bounty, which included an $ARMOR token bonus, as well as the choice of my own tattoo on the EaseDeFi co-founder Robert Forster. The tattoo was easily the most unique prize I’ve ever received, and can be seen here!
🧱 Critical vulnerability disclosed to Polygon
I disclosed a denial-of-service bug to Polygon affecting their StakeManagerProxy smart contract and its dependent contracts. Technical details around this vulnerability can be found at the post by iosiro and Polygon.
🏌️ Critical vulnerability disclosed to four DeFi/NFT projects and escalated to OpenZeppelin
I disclosed a critical bug to four DeFi/NFT projects, and prevented the following TVLs (>$50m) from permanent hack damage:
- KeeperDAO: ~$44m worth of tokens
- Rivermen NFT: ~$6.95m worth of NFTs
- redacted project: <$2m worth of NFTs
- redacted project: <$500k worth of tokens
The root of the critical bug was an uninitialized logic contract behind a UUPS proxy leading to an arbitrary delegatecall, which could be used with a selfdestruct instruction. The severity was heightened since, by default, UUPS proxies have no external upgrade functions, so a selfdestruct call would permanently impair the proxy contract, rendering all funds permanently inaccessible.
Technical details around this vulnerability can be found at the post by iosiro. The official OpenZeppelin postmortem can be found here.
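The root cause described above, as an added example that is not the code of any of the affected projects nor anything from the OpenZeppelin postmortem: a hypothetical UUPS logic contract (VaultV1, a name chosen here) that applies the standard mitigation of disabling initializers on the implementation contract itself, followed by a Foundry test that checks the property on a fresh deployment. It assumes OpenZeppelin Contracts v5 (the upgradeable package plus ERC1967Proxy) and forge-std.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example; assumes OpenZeppelin Contracts v5 and forge-std are installed.
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
import {Test} from "forge-std/Test.sol";

/// Hypothetical logic contract meant to live behind a UUPS proxy.
contract VaultV1 is Initializable, UUPSUpgradeable, OwnableUpgradeable {
    mapping(address => uint256) public balances;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Executes against the implementation's own storage, never the proxy's.
        // Marking the implementation as initialized closes the door the
        // disclosure describes: with initialize() left open on the logic
        // contract, anyone could become its owner and reach the upgrade path
        // (a delegatecall) from that context.
        _disableInitializers();
    }

    /// Runs once, through the proxy, via the ERC1967Proxy constructor data.
    function initialize(address initialOwner) external initializer {
        __Ownable_init(initialOwner);
        __UUPSUpgradeable_init();
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    /// Upgrade authorization stays with the proxy's owner.
    function _authorizeUpgrade(address) internal override onlyOwner {}
}

contract VaultV1Test is Test {
    VaultV1 internal impl;

    function setUp() public {
        impl = new VaultV1();
    }

    /// The check to run against every deployed implementation address:
    /// calling initialize() on the logic contract itself must revert.
    function testImplementationCannotBeInitialized() public {
        vm.expectRevert(Initializable.InvalidInitialization.selector);
        impl.initialize(address(this));
    }

    function testProxyInitializesExactlyOnce() public {
        bytes memory init = abi.encodeCall(VaultV1.initialize, (address(this)));
        VaultV1 vault = VaultV1(address(new ERC1967Proxy(address(impl), init)));
        assertEq(vault.owner(), address(this));

        vm.expectRevert(Initializable.InvalidInitialization.selector);
        vault.initialize(address(0xBEEF));
    }
}
```

The first test is the one worth keeping in a deploy checklist: after publishing an implementation, call its initializer directly and expect a revert. An implementation that accepts the call is exactly the state the four affected projects were in.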
🧑🎨 Critical vulnerability disclosed to @abwagmi
I disclosed a critical bug to @abwagmi regarding a buggy transferFrom function on their AxonsToken contract that could allow any user to steal the entire circulating token supply.
An overridden transferFrom function in the AxonsToken allowed anyone to send tokens to the auctionHouse contract from any other account, or pull tokens from the auctionHouse contract without allowance. A malicious user could exploit this to send other users’ tokens to the auctionHouse address and then pull them for themselves. The POC can be seen at the following code sample.
Big thanks @abwagmi for supporting whitehats!
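The transferFrom defect described above, as an added example (a hypothetical reconstruction of the pattern, not the AxonsToken source and not the disclosed PoC): an ERC-20 override that waives the allowance check whenever the auction house is on either side of the transfer, beside a version that only waives it when the auction house contract is itself the caller, plus a Foundry test for the hardened version. It assumes OpenZeppelin Contracts v5 and forge-std; the contract names and the auctionHouse constructor argument are mine.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example; assumes OpenZeppelin Contracts v5 and forge-std are installed.
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {Test} from "forge-std/Test.sol";

/// Defective pattern (hypothetical, not the AxonsToken source): the override
/// skips the allowance check whenever the auction house is the sender or the
/// recipient, without looking at who is calling.
contract UnsafeAuctionToken is ERC20 {
    address public immutable auctionHouse;

    constructor(address auctionHouse_) ERC20("Unsafe", "UNS") {
        auctionHouse = auctionHouse_;
        _mint(msg.sender, 1_000_000e18);
    }

    function transferFrom(address from, address to, uint256 amount) public override returns (bool) {
        if (from == auctionHouse || to == auctionHouse) {
            _transfer(from, to, amount); // no allowance consumed, any caller accepted
            return true;
        }
        return super.transferFrom(from, to, amount);
    }
}

/// Hardened pattern: the special case keys on msg.sender, so only the auction
/// house contract itself can move balances without an allowance.
contract SafeAuctionToken is ERC20 {
    address public immutable auctionHouse;

    constructor(address auctionHouse_) ERC20("Safe", "SAFE") {
        auctionHouse = auctionHouse_;
        _mint(msg.sender, 1_000_000e18);
    }

    function transferFrom(address from, address to, uint256 amount) public override returns (bool) {
        if (msg.sender == auctionHouse) {
            _transfer(from, to, amount);
            return true;
        }
        return super.transferFrom(from, to, amount); // standard allowance path
    }
}

contract SafeAuctionTokenTest is Test {
    address internal auctionHouse = address(0xA0C); // constructed addresses
    address internal victim = address(0xB0B);
    address internal attacker = address(0xBAD);
    SafeAuctionToken internal token;

    function setUp() public {
        token = new SafeAuctionToken(auctionHouse);
        token.transfer(victim, 100e18);
    }

    /// A third party must not be able to route someone else's balance through
    /// the auction house address.
    function testThirdPartyCannotRouteViaAuctionHouse() public {
        vm.prank(attacker);
        vm.expectRevert(); // ERC20InsufficientAllowance from the standard path
        token.transferFrom(victim, auctionHouse, 100e18);
        assertEq(token.balanceOf(victim), 100e18);
    }

    function testAuctionHouseItselfMayPull() public {
        vm.prank(auctionHouse);
        token.transferFrom(victim, auctionHouse, 40e18);
        assertEq(token.balanceOf(auctionHouse), 40e18);
    }
}
```

Even the hardened variant makes the auction house a fully trusted operator over every holder's balance, so its code and upgrade path must be reviewed with that in mind. The more conservative design drops the override entirely and has users approve the auction house like any other spender.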
⚡ Critical vulnerability disclosed to pxMythics
I disclosed a critical bug to pxMythics regarding an access control vulnerability that could lead to permanent bricking of mint-related functions across two contracts.
The Genesis and GenesisSupply contracts contained mint and mint-related functions such as the mintWhitelist function and the airdrop function. These functions relied on the mint state being closed or active, with the Genesis contract owner having functionality to change the mint state as needed. However, both contracts contained an external unprotected _setMintState function that allowed anyone to update the mint state. Moreover, anyone could change the state to Finalized, which bricks the aforementioned mint-related functions and prevents the mint state from being updated further.
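The access-control defect described above, as an added example (a hypothetical contract, not the Genesis or GenesisSupply source): a mint state machine whose state setter is restricted to the owner and refuses to leave the Finalized state, followed by a Foundry test asserting that a non-owner call reverts and leaves the state untouched. It assumes OpenZeppelin Contracts v5 and forge-std; the names GuardedMint, setMintState, mintWhitelist and the whitelist mapping are mine.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example; assumes OpenZeppelin Contracts v5 and forge-std are installed.
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {Test} from "forge-std/Test.sol";

/// Hypothetical mint contract (illustration only, not the pxMythics source).
contract GuardedMint is Ownable {
    enum MintState { Closed, Active, Finalized }

    MintState public mintState; // defaults to Closed
    mapping(address => bool) public whitelist;
    uint256 public minted;

    event MintStateChanged(MintState previous, MintState next);

    constructor() Ownable(msg.sender) {}

    /// The setter in the disclosed bug was externally callable with no modifier,
    /// so anyone could move the state to Finalized. Here only the owner may
    /// change it. A leading underscore on a function name does not restrict
    /// callers; only the visibility keyword and modifiers do.
    function setMintState(MintState next) external onlyOwner {
        require(mintState != MintState.Finalized, "mint already finalized");
        emit MintStateChanged(mintState, next);
        mintState = next;
    }

    function addToWhitelist(address account) external onlyOwner {
        whitelist[account] = true;
    }

    function mintWhitelist() external {
        require(mintState == MintState.Active, "mint not active");
        require(whitelist[msg.sender], "not whitelisted");
        whitelist[msg.sender] = false;
        minted += 1;
    }
}

contract GuardedMintTest is Test {
    GuardedMint internal mint;
    address internal attacker = address(0xBAD); // constructed address

    function setUp() public {
        mint = new GuardedMint(); // owner is this test contract
    }

    /// The check that would have caught the disclosed bug: an arbitrary caller
    /// must not be able to finalize the mint.
    function testNonOwnerCannotFinalize() public {
        vm.prank(attacker);
        vm.expectRevert(abi.encodeWithSelector(Ownable.OwnableUnauthorizedAccount.selector, attacker));
        mint.setMintState(GuardedMint.MintState.Finalized);
        assertEq(uint256(mint.mintState()), uint256(GuardedMint.MintState.Closed));
    }

    function testOwnerCanOpenAndFinalizeOnce() public {
        mint.setMintState(GuardedMint.MintState.Active);
        mint.setMintState(GuardedMint.MintState.Finalized);
        vm.expectRevert(bytes("mint already finalized"));
        mint.setMintState(GuardedMint.MintState.Active);
    }
}
```

Finalized is deliberately still a one-way door here, matching the behaviour the disclosure describes; the fix is restricting who may open it, not removing the state.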
Many thanks to the pxMythics team for supporting whitehats!
🧪 High risk vulnerability disclosed to Alchemix
I disclosed an access-control bug to future yield tokenization protocol Alchemix. Technical details around this vulnerability can be found at the post by iosiro and Immunefi.
🌀 High risk vulnerability disclosed to Ondo Finance
I disclosed a potential token theft bug to DeFi protocol Ondo Finance. The exploit relied on a feature that was not live, so no actual user funds were at risk. Technical details around this vulnerability can be found at the post by iosiro.
🕵️ Undisclosed vulnerabilities
I’ve reported bugs that were confirmed by the respective team, but they’ve asked to redact the bug details in the interim. If this changes in the future, I’ll update the list below and include the details once I have permission.
- Medium risk bug reported to and confirmed by redacted project 1.
- High risk bug reported to and confirmed by redacted project 2.
- High risk bug reported to and confirmed by redacted project 3.
- Low risk bug reported to and confirmed by redacted project 4.
- Critical bug reported to and confirmed by redacted project 5.
🥊 Code 4rena contests
I occasionally participate in code 4rena contests, usually quite loosely. You can find my progress on the leaderboard under the alias toastedsteaksandwich. I’ve submitted at least one valid issue to the following contests:
Training materials
✍️ Introduction to smart contract bug hunting
I wrote a blog post for Hack South to introduce smart contract bug hunting. The post can be found here.
🧑🏫 How to PoC your bug leads
I wrote a blog post for Immunefi on how to write a PoC for any smart contract bug leads you’ve come across. The post can be found here.
🐛 Getting started with smart contract bug bounty
I wrote a blog post for YesWeHack on getting started with smart contract bug bounty. The post can be found here.
🗣 BSides Cape Town 2022 Presentation
I spoke at BSides Cape Town 2022 about bricking smart contract proxies. The live recording can be found here.
👌 Decently Safe DeFi
I created Decently Safe DeFi - a wargame to learn offensive security of DeFi smart contracts. It’s based off the excellent Damn Vulnerable DeFi, check it out here!
Other
😇 2022 Underhanded Solidity Contest
I entered the 2022 Underhanded Solidity Competition. My submission was based on Dedaub’s vulnerability disclosure around phantom functions. My final submission can be found here.
🤓 yAcademy Block III
I was selected to participate in Block III of yAcademy. I worked alongside other fellows to discuss and report bugs affecting in-scope codebases.
✍️ OpenZeppelin Top 10 2022
I was invited to participate in the selection process of ranking the top 10 hacking techniques of 2022 in collaboration with OpenZeppelin. The final report can be found here.
🌉 Rewind 2023 Contest
I won first place in the Rewind 2023 Contest. This was a competitive technical writing contest that involved participants writing up the essence of the security incidents that took place over the year. The top 3 winners got to go to TrustX in Istanbul, and were invited to speak about one of the incidents they wrote up. I chose to talk about the Curve Finance Vyper exploit; the video is available here.
🎆 OpenZeppelin Top 10 2023
I was re-invited to participate in the selection process of ranking the top 10 hacking techniques of 2023 in collaboration with OpenZeppelin. The final report can be found here.