Research and Training

Vulnerability disclosures

🛹 Critical vulnerability disclosed to lending protocol 88mph

I disclosed a critical bug to the fixed-rate lending protocol 88mph and helped rescue over $6.5m. Technical details around this vulnerability can be found at the posts by iosiro and Immunefi.


🧱 Critical vulnerability disclosed to Polygon

I disclosed a denial-of-service bug to Polygon affecting their StakeManagerProxy smart contract and its dependent contracts. Technical details around this vulnerability can be found at the post by iosiro and Polygon.


🏌️ Critical vulnerability disclosed to four DeFi/NFT projects and escalated to OpenZeppelin

I disclosed a critical bug to four DeFi/NFT projects, and prevented the following TVLs (>$50m) from permanent hack damage:

  • KeeperDAO: ~$44m worth of tokens
  • Rivermen NFT: ~$6.95m worth of NFTs
  • redacted project: <$2m worth of NFTs
  • redacted project: <$500k worth of tokens

The root of the critical bug was an uninitialized logic contract behind a UUPS proxy leading to an arbitrary delegatecall, which could be used with a selfdestruct instruction. The severity was heightened since, by default, UUPS proxies have no external upgrade functions, so a selfdestruct call would permanently impair the proxy contract, rendering all funds permanently inaccessible.

Technical details around this vulnerability can be found at the post by iosiro. The official OpenZeppelin postmortem can be found here.
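The defensive pattern that closes the gap described above, as an added example that is not code from any of the affected projects, iosiro or OpenZeppelin: the implementation contract marks itself initialized in its constructor, so nobody can call initialize() on the bare implementation and gain the upgrade authority that leads to the delegatecall. It assumes OpenZeppelin Contracts Upgradeable v5 (for _disableInitializers() and the __Ownable_init(address) signature); the Vault contract and its deposit function are constructed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not code from the projects above. Assumes
// OpenZeppelin Contracts Upgradeable v5.
import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";

contract Vault is Initializable, UUPSUpgradeable, OwnableUpgradeable {
    uint256 public totalDeposits;

    /// Constructors run on the implementation only, never through a proxy's
    /// delegatecall. Marking the implementation as initialized here means
    /// initialize() below can no longer be called on the implementation
    /// address itself, which is exactly the gap behind the incident above:
    /// an uninitialized implementation lets any caller become its owner and
    /// then reach the upgrade (delegatecall) path.
    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        _disableInitializers();
    }

    /// Called by the deployer through the proxy, exactly once.
    function initialize(address owner_) external initializer {
        __Ownable_init(owner_);
        __UUPSUpgradeable_init();
    }

    function deposit() external payable {
        totalDeposits += msg.value;
    }

    /// UUPS keeps upgrade logic in the implementation, so this hook is the
    /// only thing between an arbitrary caller and a delegatecall into code of
    /// their choosing. It must be access-controlled.
    function _authorizeUpgrade(address) internal override onlyOwner {}
}
```

A cheap post-deployment check: call initialize() on the implementation address (not the proxy) and confirm it reverts; if it succeeds, the implementation is exposed. Current OpenZeppelin releases additionally reject upgradeToAndCall() when invoked on the implementation directly (onlyProxy), but the constructor guard remains the primary defense.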


🧑‍🎨 Critical vulnerability disclosed to @abwagmi

I disclosed a critical bug to @abwagmi regarding a buggy transferFrom function on their AxonsToken contract that could allow any user to steal the entire circulating token supply.

An overridden transferFrom function in the AxonsToken allowed anyone to send tokens to the auctionHouse contract from any other account, or pull tokens from the auctionHouse contract without allowance. A malicious user could exploit this to send other users' tokens to the auctionHouse address and then pull them for themselves. The PoC can be seen at the following code sample.

Big thanks @abwagmi for supporting whitehats!


⚡ Critical vulnerability disclosed to pxMythics

I disclosed a critical bug to pxMythics regarding an access control vulnerability that could lead to permanent bricking of mint-related functions across two contracts.

The Genesis and GenesisSupply contracts contained mint and mint-related functions such as the mintWhitelist function and the airdrop function. These functions relied on the mint state being closed or active, with the Genesis contract owner having functionality to change the mint state as needed. However, both contracts contained an external unprotected _setMintState function that allowed anyone to update the mint state. Moreover, anyone could change the state to Finalized, which bricks the aforementioned mint-related functions and prevents the mint state from being updated further.

Many thanks to the pxMythics team for supporting whitehats!


🧪 High risk vulnerability disclosed to Alchemix

I disclosed an access-control bug to future yield tokenization protocol Alchemix. Technical details around this vulnerability can be found at the post by iosiro and Immunefi.


🕵️ Undisclosed vulnerabilities

I’ve reported bugs that were confirmed by the respective team, but they’ve asked to redact the bug details in the interim. If this changes in the future, I’ll update the list below and include the details once I have permission.

  • Medium risk bug reported to and confirmed by redacted project 1.
  • High risk bug reported to and confirmed by redacted project 2.
  • High risk bug reported to and confirmed by redacted project 3.
  • Low risk bug reported to and confirmed by redacted project 4.
  • Critical bug reported to and confirmed by redacted project 5.

🥊 Code 4rena contests

I occasionally participate in code 4rena contests, usually quite loosely. You can find my progress on the leaderboard under the alias toastedsteaksandwich. I've submitted at least one valid issue to the following contests:


Training materials

✍️ Introduction to smart contract bug hunting

I wrote a blog post for Hack South to introduce smart contract bug hunting. The post can be found here.


🧑‍🏫 How to PoC your bug leads

I wrote a blog post for Immunefi on how to write a PoC for any smart contract bug leads you’ve come across. The post can be found here.
