Shanon (@shanon40439853)'s Twitter Profile
Shanon

@shanon40439853

Friendly script kiddie

ID: 1683312640385511424

24-07-2023 03:06:29

46 Tweet

1,1K Followers

582 Following

Aave (@aave):

Today we received a report of an issue on a certain feature of the Aave Protocol. After validation by community developers, the guardian has taken the following temporary prevention measure (no funds are at risk):

Emilio^ (@the3d_):

last proposal needed to restore normal operation of the V2 and some V3 markets has been submitted by bgdlabs, six days from now everything will be back to normal app.aave.com/governance/pro…

samczsun (@samczsun):

If you've ever watched an episode of Mayday / Air Crash Investigation, you know that pilots have checklists for almost any emergency situation. These checklists are concise and immediately actionable with no filler, which is exactly what you want during a crisis.

Dami.base.eth (@sir_damilare):

I'm sorry, but I vehemently disagree with this. You don't work in a bank, and go-ahead to rob the bank simply because the money they store in their vault is magnitudes of order larger than your annual pay. This is a criminal behaviour, and it continues bcos projects choose to

Shanon (@shanon40439853):

When doing bug bounties on Immunefi, I find it easier to find issues on a codebase that was built > 1 year. I believe the devs now are better than they were 1 year ago.

Shanon (@shanon40439853):

All my reports were paid in 2023. It's 99% luck to get a big win. These smaller payouts keep us in the game. Big shout out to Immunefi and every project on the platform that keeps the community healthy #ImmunefiWrapped

Kankodu (@kankodu):

A 🧵 on how yesterday's 🧙🏼‍♂️ attack worked. The protocol did everything right. They rounded in the protocol's favour whenever they should but one additional function, meant to only reduce the user's funds, ended up enabling the attack. How?

OpenZeppelin (@openzeppelin):

The Top 10 Blockchain Hacking Techniques 2nd Edition is out. The industry’s compilation of the 10 most novel, interesting, and unexpected smart contract hacks and bugs. From the governance hack of Tornado Cash using metamorphic contracts, to the billion-dollar exploit

tpiliposian (@tpiliposian):

Today we are finding all contracts in a given chain that have `_burn` function "mistakenly" set as public without any modifiers or requirements, allowing unrestricted access:

Ciara Nightingale (@ciaranightingal):

Over the last week, I have been digging into WHY the WOOFi attack was able to happen and writing a full Proof of Concept. On March 5, 2024, WOOFi's sPMM algorithm was exploited on Arbitrum, resulting in an $8.6M loss! Keep reading to find out how👇

qckhp (@qckhp):

if anyone wonders the Predy finance exploit main root cause was: anyone could register trading pairs by adding a valid uniswap pair to the pool, but HERE IS THE CATCH: `priceFeed` param was also a user input param 🫠 rip