Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

The backstory on how vulnerabilities were discovered is always fascinating to me. To me, the vulnerability is cool but I want to be able to reproduce the research process to find my own bugs rather than find the individual vulnerability.

While auditing a project, they were concerned with the ERC-4626 vaults that they were integrated with. As a result, they decided to look into these. In one of the vaults, one of them was violating CEI. Are there more vaults?

When calling withdraw() to transfer ETH, the totalAssets were being updated after this call. So, the classic reentrancy was on!

To exploit the reentrancy, the author of the Twitter thread has a nice diagram. The basic idea is to get more and more of the assets with burning less and less of the shares. Eventually, this can be used to drain all of the assets, since the ratio of assets to shares gets broken.

With a vulnerability on a live project, what do you do? The author decided to hop in their discord and reach out to them. After not getting a response in 5 minutes they reached out to the SEAL-911 bot Telegram bot. Within 2 minutes, they responded to them. Using trusted channels contact had been made with the protocol at the 20 minute mark.

Now, 30 minute later they fixed the vulnerability and deployed the code. In the end, the vulnerability was patched at 51 minutes between starting the reporting process and fixed deployment. It's an incredibly fast time!

Overall, it's a great find! But, two things stick out to me. First, looking for issues in code that your client uses but isn't owned by feels strange to me. Is that really a good use of time by them? To me, it feels out of scope, even if there is impact.

The second thing was the response time. When the author didn't get a response in the Discord within 5 minutes, they reached out through alternative means. To me, this feels a tad aggressive and fast. If the vulnerability has been there for a year, what are the odds that an attacker going to find and exploit the issue at the same time if you spend a few extra hours waiting? Probably none but I appreciate the want to fix this for the protocol.