This bug was also eligible for the Founders Bounty, which included an $ARMOR token bonus, as well as the choice of my own tattoo on the EaseDeFi co-founder Robert Forster. The tattoo was easily the most unique prize I’ve ever received, and can be seen here!
I disclosed a denial-of-service bug to Polygon affecting their StakeManagerProxy smart contract and its dependent contracts. Technical details around this vulnerability can be found at the post by iosiro and Polygon.
I disclosed a critical bug affecting four DeFi/NFT projects, and protected the following TVLs (>$50m in total) from permanent damage:
- KeeperDAO: ~$44m worth of tokens
- Rivermen NFT: ~$6.95m worth of NFTs
- redacted project: <$2m worth of NFTs
- redacted project: <$500k worth of tokens
The root of the critical bug was an uninitialized logic contract behind a UUPS proxy, leading to an arbitrary delegatecall that could be used to reach a selfdestruct instruction. The severity was heightened because, by default, a UUPS proxy has no upgrade functions of its own (the upgrade logic lives in the implementation), so a selfdestruct of the implementation would permanently impair the proxy, rendering all funds permanently inaccessible.
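As an added illustration (not code from any of the affected projects), the unsafe shape of a UUPS implementation beside the hardened one; the contract names are placeholders and the OpenZeppelin 4.x upgradeable library is assumed:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumes OpenZeppelin contracts-upgradeable 4.x (4.6 or later for _disableInitializers).
import "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";

// Unsafe shape (hypothetical contract, for illustration only). The deployer runs
// initialize() through the proxy, but the implementation contract's own storage is
// never initialized. Anyone can therefore call initialize() directly on the
// implementation address, become its owner, and pass _authorizeUpgrade. The upgrade
// path then delegatecalls into an address of the caller's choosing; if that code
// selfdestructs, the implementation is gone. Because a UUPS proxy keeps its upgrade
// logic in the implementation, nothing can ever point the proxy elsewhere again.
contract VaultUnsafe is UUPSUpgradeable, OwnableUpgradeable {
    function initialize() external initializer {
        __Ownable_init();
        __UUPSUpgradeable_init();
    }

    function _authorizeUpgrade(address) internal override onlyOwner {}
}

// Hardened shape: lock the implementation at construction time. The constructor
// runs only on the implementation (never through the proxy), so marking it as
// initialized there means initialize() can only ever succeed in the proxy's storage.
contract VaultSafe is UUPSUpgradeable, OwnableUpgradeable {
    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        _disableInitializers();
    }

    function initialize() external initializer {
        __Ownable_init();
        __UUPSUpgradeable_init();
    }

    function _authorizeUpgrade(address) internal override onlyOwner {}
}
```

A quick post-deployment check is to call initialize() on the implementation address itself in a fork or test: on the hardened contract it must revert with the library's "already initialized" error, and if it succeeds the implementation is exposed. Recent OpenZeppelin releases also refuse upgrade calls made directly on the implementation, but disabling initializers remains the first line of defence.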
I disclosed a critical bug to @abwagmi regarding a buggy transferFrom function on their AxonsToken contract that could allow any user to steal the entire circulating token supply.
The transferFrom function in the AxonsToken allowed anyone to send tokens to the auctionHouse contract from any other account, or to pull tokens from the auctionHouse contract without allowance. A malicious user could exploit this to send other users’ tokens to the auctionHouse address and then pull them out for themselves. The POC can be seen at the following code sample.
Big thanks @abwagmi for supporting whitehats!
I disclosed a critical bug to pxMythics regarding an access control vulnerability that could lead to permanent bricking of mint-related functions across two contracts.
The Genesis and GenesisSupply contracts contained mint and mint-related functions such as the mintWhitelist function and the airdrop function. These functions relied on the mint state being closed or active, with the Genesis contract owner having functionality to change the mint state as needed. However, both contracts contained an external unprotected _setMintState function that allowed anyone to update the mint state. Moreover, anyone could change the state to Finalized, which bricks the aforementioned mint-related functions and prevents the mint state from being updated further.
Many thanks to the pxMythics team for supporting whitehats!
I disclosed a potential token theft bug to DeFi protocol Ondo Finance. The exploit relied on a feature that was not live, so no actual user funds were at risk. Technical details around this vulnerability can be found at the post by iosiro.
I’ve reported bugs that were confirmed by the respective teams, but they’ve asked that the bug details be redacted in the interim. If this changes in the future, I’ll update the list below and include the details once I have permission.
- Medium risk bug reported to and confirmed by redacted project 1.
- High risk bug reported to and confirmed by redacted project 2.
- High risk bug reported to and confirmed by redacted project 3.
- Low risk bug reported to and confirmed by redacted project 4.
- Critical bug reported to and confirmed by redacted project 5.
I occasionally participate in Code4rena contests, usually quite loosely. You can find my progress on the leaderboard under the alias toastedsteaksandwich. I’ve submitted at least one valid issue to the following contests:
I created Decently Safe DeFi, a wargame for learning the offensive security of DeFi smart contracts. It’s based on the excellent Damn Vulnerable DeFi; check it out here!