Whitehat Bandit
@banditx0x
Security Researcher @OpenZeppelin Whitehat Initiate @ImmuneFi
Theres a common misconception that AMM spot price manipulation attacks require low liquidity pools. Swapping to an imbalanced price, doing some exploit with the manipulated price, then swapping back only costs the swap fee.
Jane Street's India options trade is a price oracle exploit but you only get banned instead of arrested once caught.
It’s really competitive getting into an audit firm nowadays 👀
We have manually reviewed all the applications and will be sending out 20 interview invites soon. To give an idea of the quality, the people who have made the cut have had 50+ H/M bugs in audit contests, multiple top finishes, private audit portfolio.
Cork protocol also had a bug bounty on Cantina with a max bounty that was <1% of funds at risk. It makes me think that the exploiter found the issue when hunting bug bounties and preferred taking $12m illegally over maybe getting a 100k bounty.
So he steals 12M, observes the whole drama AND then comments on it 😅 I’m wondering who that is now .. the chance is very high we all know him
AMM’s aren’t complex enough, let’s add another dimension
Orbital extends concentrated liquidity to pools of three or more stables by drawing tick boundaries as orbits around the $1 equal price point. Unlike 2D concentrated AMMs, even if one stablecoin depegs to 0, an Orbital tick can still use its reserves to trade the others. 4/8
Which lending protocol is forked more often? Compound or Aave?
Uniswap V2 LP tokens are ERC4626 tokens that are comprised of 2 assets. ERC4626 tokens maintain a consistent asset/share ratio upon deposits and withdrawals. Rewards can be distributed to shareholders by increasing assets without increasing the number of shares. In Uniswap V2,…
One of the most well known bugs is the ERC4626 first depositor inflation attack. It's so common that it would earn $0.00 when reported in a public contest. The bug actually exploits a really cool bug pattern and understanding this pattern can be used to discover unique high…
Yesterday's complete hack of Wise Lending was far more complex than reported. Very worth examining. The protocol had added explicit defenses against this style of attack, which the attack then either bypassed or used against the protocol. 🧵 1/21
In Uniswap V2/V3/V4, liquidity deposits need slippage protection to prevent frontrunning attacks but liquidity withdrawals don't. Reasoning below: First let's explore why this statement is true: Withdrawing liquidity when the pool is deviated from equilibrium gives more…
I'm going to learn ZK Auditing this year starting with zero formal maths background. Will use @RareSkills_io ZK Book, bootcamp and LLM's. I believe going from high school level maths to understanding cutting edge ZK maths/cryptography papers and bug hunting ZK circuits should…