Stealing Gas From dYdX, 0.5 ETH A Day
Gas is liquid gold. Back in February 2022, we found a way to abuse a feature called “Gasless Deposits” on the dYdX exchange that could allow…
Aug 10, 2022

Forked protocols are not battle-tested: Agave Uninitialized Proxy Vulnerability
Having a similar name, Agave.finance is forked from Aave V2 on the Gnosis chain. One would think that a fork of a battle-tested protocol…
Aug 5, 2022

We Rescued $4M from Rari Capital. But Was It Worth It?
On April 6th, we discovered a verified Fuse pool in Rari Capital used a weak price oracle prone to manipulation. Usually, exploiting a…
Apr 28, 2022

Aave V3’s Price Oracle Manipulation Vulnerability
On April 7th, after Aave V3 had been launched for 3 weeks, we discovered an issue on Aave V3’s price oracle. To be more specific, the…
Apr 22, 2022

How we spoofed ENS domains for $15k
TL;DR: We found a flaw that allowed us to spoof Ethereum domain names and received a $15k bounty.
Apr 16, 2022