William Bowling @vakzz@infosec.exchange (@wcbowling)'s Twitter Profile
William Bowling @vakzz@infosec.exchange

@wcbowling

Security Engineer at @zellic_io, a.k.a vakzz when doing bug bounties and CTFs with @pb_ctf - devcraft.io

ID: 1586550266

Website: https://wbowling.info/ Joined: 11-07-2013 18:51:33

213 Tweets

6.6K Followers

412 Following

s1r1us (@s1r1u5_)

My colleagues Aaditya Purani and Pew will present our research "Electrovolt" at South Pacific F (Level 0), BlackHat in exactly one hour. Attend the presentation if you are at BlackHat🔥.

Renwa (@renwax23)

Asana Electron desktop app open redirect to local file read. Did you know local files in Electron have a file:// origin, not null? With another Mac trick we load our malicious file and steal any file on the PC bugcrowd.com/disclosures/f7…

Zellic (@zellic_io)

This weekend, we played 0xmonaco MatchboxDAO, a web3 gaming competition. We developed a highly profitable racing strategy by leveraging clever math and bugs. We got DQ-ed😅

In this thread, we'll break down:
🎯 our car's unique strategy
🎯 the vulnerabilities our car exploited

perfect blue (@pb_ctf)

It's finally happening! pbctf 2023 is here

🗓️ Feb 18th, 14:00 UTC to Feb 20th 02:00 UTC (36 hours)

🎁 A $10,000 prize pool

Proudly sponsored by @Zellic_io 

ctftime.org/event/1763

Zellic (@zellic_io)

Earlier this morning, SafeMoon's Liquidity Pool was compromised and USD 8.9M worth of tokens were withdrawn. After looking at the transaction trace and the recent contract changes, we can tell you what happened:

Zellic (@zellic_io)

Meet Cairo, the native language of Starknet.

In this thread we'll:

✅ Introduce Cairo & Starknet
✅ Explore the security features of Cairo
✅ Examine potential pitfalls when writing contracts in Cairo
✅ Give you things to consider when writing secure code

Let's dig in👇🧵:

Zellic (@zellic_io)

The dangers of integer truncation:

How the Zellic team found a critical vulnerability in the Astar Network.

This bug allowed an attacker to drain certain LP contracts on the Astar-EVM, with no bugs required in the contracts.

Read more: 🧵👇

perfect blue (@pb_ctf)

2023 was another great year for the team! 🎉

Blue Water, a collab between perfect blue and Water Paddler, placed 1st in CTFtime globally!🏆

🥇1st place in 6 CTFs
💻Hosted a successful pbctf 2023

In the past, we also placed first in 2020 and 2021.✌

Looking forward to 2024!🎆

Zellic (@zellic_io)

Zellic has moved forward to the final voting phase for Arbitrum's Security Council! We ask delegates to vote for Zellic as the Security Council furthers our mission to maximize TVL and extends our commitment to Arbitrum and its ecosystem. Vote here: tally.xyz/gov/arbitrum/c…

Zellic (@zellic_io)

Version 0.11.0 of gnark was just released, which fixes two vulnerabilities in the Groth16 backend reported by Zellic (CVE-2024-45039, CVE-2024-45040).

These affect the soundness and ZK property of generated proofs.

Read on for more details and how to check if you're vulnerable.

Solidity (@solidity_lang)

✨ Our judges also decided to give a special mention to William Bowling @vakzz@infosec.exchange for his submission in which the bug allows a `multisig` storage variable to be overwritten, allowing the `emergencyWithdraw` function to be called by an attacker. Read Patrick Collins's thoughts on this

Zellic (@zellic_io)

What happens when Random() isn't random? Here's how popular projects, including Proton Wallet and the Dart SDK, were all affected by the same underlying weakness we uncovered in the Dart/Flutter ecosystem. All issues found were responsibly disclosed to the vendors. Let's go

kamensec (@kamensec)

Just completed my 10th audit as a contractor at Zellic and these are my top favourite things about this place: 1. They have a diverse and deep talent pool. World top Web security, Cosmos, Rust, Golang, MOVE. They have experts in every direction I want to move into (pun

Zellic (@zellic_io)

With the rise of AI agents, we expect new bugs, but we’ve instead found old bugs in disguise.

Let’s look at two old-school bugs we found while looking at elizaOS:

• An SSRF allowing internal services to be accessed
• An LFI allowing host files to be read

Let’s dive in 🧵

Zellic (@zellic_io)

How to spot misleading audit competition metrics

Competitions are crowdsourced audits, where auditors compete to find bugs in a set timeframe. Last year, we acquired Code4rena, which does these.

We've also seen tons of misleading sales pitches. Here's what to watch out for: 🧵