Summary

Whitehat Ashiq Amien, security researcher at the auditing firm iosiro, discovered a vulnerability in Alchemix on June 16, which consisted of an access control issue. The vulnerability was given a severity rating of “high.” Alchemix rewarded Ashiq a bounty of $7,500, paid to iosiro at request. Funds at risk were very low, though if the bug had remained undetected and unpatched, it’s possible that it would have become a much bigger issue down the line for future Alchemix strategies. Alchemix has patched the vulnerability. We’d like to congratulate Ashiq for using his auditing skills to moonlight as a bounty…


THORChain, a decentralized cross-chain liquidity protocol, is joining Immunefi with a $500,000 bug bounty following two multi-million dollar hacks that have left the protocol searching for ways to boost security.

Both hacks occurred within a single week, resulting in losses of $5 million and $8 million, respectively.

THORChain has halted its network to prevent additional exploits and listed a bug bounty on Immunefi covering the protocol’s highest-impact code, with the scope set to increase over time. The bug bounty is intended to promote responsible disclosure and allow network functionality, namely blocks and node rewards, to resume, in addition…


The lightweight chat client Telegram is one of the most common methods of communication in crypto, and there’s a good reason for that. SIM swap attacks, which transfer ownership of your phone number to a malicious attacker, are a common attack vector.

And once the attacker has your number in hand, they can cause all sorts of mayhem, most notably by obtaining two-factor authentication (2FA) codes for your important logins that are sent over text. Many tradfi banks and other services run on legacy technology, for example, meaning that they often only offer 2FA via text. …


Rug pulls are by far the most common type of fraud in DeFi, and they evolved out of the exit scam ICO craze.

According to CipherTrace, exit scams and rug pulls accounted for 99% of all DeFi fraud cases in 2020. In fact, based on what we’ve heard from the DeFi users we’ve spoken with, the dreaded rug pull is one of the biggest worries that keeps them up at night, tossing and turning, just wondering if their hard-earned money is going to all vanish in an instant — stolen by malicious developers.

The prospect of losing everything you’ve invested…


PolyBunny, a yield farming aggregator and optimizer on the Polygon network, is joining Immunefi with a $250,000 bug bounty to invite whitehats to test its code and restore community confidence in the wake of a recent hack.

PolyBunny suffered an exploit on July 16 that saw the price of polyBUNNY drop to $2 after exploiters minted 2.1m of the token. The bug has now been patched, and the team is taking steps to identify the exploiters. …


Summary

Whitehat Lucash-dev, who is a member of Immunefi’s Whitehat Scholarship, submitted a critical vulnerability in MCDEX’s broker contract on June 14 that would have allowed a malicious user to drain that contract of ETH. It does not appear as though the vulnerability was ever exploited, and at the time of the report, funds at risk were insubstantial. MCDEX is paying Lucash-dev a bounty of $50,000 and has patched the bug.

Vulnerability Analysis

MCDEX is a decentralized exchange and layer 2 platform that allows users to trade perpetual contracts. MCDEX’s Broker.sol contract has a batchTrade() function that does not validate…


Summary:

Whitehat Juno submitted a critical vulnerability in PancakeSwap’s lottery contract on April 27. The vulnerability consisted of a logic error. Due to insufficient validation, a malicious user could have claimed the same winning ticket at least 255 times in a single transaction, meaning the reward size was 255 times too great. A total of $700,000 in funds could have been lost, had the vulnerability been exploited. There is no evidence the vulnerability was ever exploited. Prior to the reporting of this vulnerability, PancakeSwap had already shut down its lottery contract by disallowing new lottery drawings.

After disclosure, PancakeSwap fixed…


Summary

Azeem, Co-Founder of DeFi protocol Armor, became aware of a vulnerability in Cream Finance circulating in the wild and promptly reported it to Immunefi on June 13. The vulnerability was rated as “critical” because it allowed a malicious user to drain Cream’s liquidity mining rewards contract of approximately $100,000 in CREAM tokens, even though it had been discontinued and was not issuing new rewards. Cream Finance has awarded Azeem with a bounty of 135 CREAM, which was 20% of the contract’s TVL at the time of the report. The current market rate of that bounty comes out to $20,750…


Summary

Whitehat Csanuragjain submitted a vulnerability to Immunefi regarding Pods Finance on June 25. The vulnerability was given a severity rating of “high”, as it is a logic error that allows for theft of yield or abuse of the rewards system on the protocol. The contract was not deployed on mainnet, so there were no funds at risk. Pods Finance received the report, evaluated it, and paid out $4,000 USDC to the whitehat in just 13 minutes, winning the award by far for the fastest ever bug bounty response and pay-out on Immunefi. …


Audits have become a staple of the DeFi industry. They’re an essential part of the DeFi security stack, which also includes automated monitoring and bug bounties. Every project wants at least one audit, and projects that don’t have one are treated with more skepticism by users — especially if the dev team is anonymous.

But some cracks have started to appear. Audit firms are working at a breakneck pace to accommodate growing demand, and bugs are starting to slip through.

Still, audits have proven invaluable at catching a lot of critical issues in protocols. They’re absolutely necessary.

So what does…

Immunefi

Immunefi is the premier bug bounty platform for smart contracts, where hackers review code, disclose vulnerabilities, get paid, and make crypto safer.
