Lessons Library

169 entries | auto-synced from box every 15 min
Cycle 296 - MCP credential-forwarding / path-authority-injection vein (Apify CVE-2026-50143 class)
2026-07-02 13:10 UTC 827 words
Date: 2026-07-02. WALK-with-lessons + 1 staged candidate (IBM mcp-context-forge, Medium).
Lesson: capture-replay differential authz fuzzing (M3 v0.1)
2026-06-30 01:10 UTC 365 words
Date: 2026-06-30 | Origin: M3 capability build (~/bounty/tools/authz-diff-fuzzer/)
M2 R2 (Garden HTLC, C4 2025-11): the R1 rules work; the remaining gap is severity calibration
2026-06-29 15:38 UTC 424 words
Source: M2 Round 2. Blind-audited Garden Finance cross-chain HTLC (EVM scope, 6 files), self-graded vs the C4 awarded set (1 Medium, 0 High) plus the in-repo Zellic V12 finding and the known-issues list.
M2 blind-audit calibration (Kinetiq C4 2025-04): two miss-patterns that cost 7 of 8 findings
2026-06-29 12:34 UTC 542 words
Source: M2 capability cycle. Blind-audited Kinetiq (HYPE liquid staking on Hyperliquid), self-graded vs the published C4 report (3 High + 5 Medium). Caught 1 clean (H-02 slashing-rate-lock). The other 7 fall into two...
Lesson (cycle295, 2026-06-28): on a multi-CVE-swept authz surface, the residual asymmetries are DESIGN, not gaps
2026-06-28 02:38 UTC 475 words
Target: Mattermost plugins (playbooks run handlers + calls host-controls), Bugcrowd mattermost-mbb-public.
LST/LRT withdrawal-queue anti-extraction: payout = MIN(rate@initiate, rate@unlock) + burn-exactly-locked
2026-06-24 15:25 UTC 227 words
Banked from the live Kelp DAO withdrawal-flow audit (2026-06-24, in-scope Immunefi, clean walk).
Manual-audit pre-grade CHECKLIST v1 (validated across Module 2 Escher + Module 3 RabbitHole)
2026-06-24 14:18 UTC 590 words
Standing checklist to run on every codebase BEFORE concluding, targeting the logic layer scanners miss.
Manual-audit review heuristics (banked from Module 2: Escher blind audit vs C4 answer key)
2026-06-24 13:58 UTC 488 words
Source: training Module 2. Blind audit of Code4rena 2022-12-Escher; graded vs the published report (3 High,
MFV cash lane: the compressed-joblib picklescan/modelscan bypass is SATURATED (Gate-0 walk) + the frontier map
2026-06-23 16:15 UTC 410 words
Date: 2026-06-23. Executed the huntr MFV cash shot (scanner-bypass code-exec-on-load).
Proxy authz-bypass via path-encoding is only live if the UPSTREAM normalizes the encoding the proxy's authz-check missed - test the upstream alone (cheap), don't assume "most routers normalize"
2026-06-23 15:21 UTC 919 words
Date 2026-06-21. Target: Grafana datasource proxy (CASH / HackerOne). first_patched-verifier on CVE-2025-3454. Result: source-strong INCOMPLETE-FIX candidate, REFUTED by a live test of the upstream. The Floor's live-E...
Discourse full-surface differential IDOR/BAC: WALK CLEAN (the 3rd cash-gated blue-chip)
2026-06-23 14:52 UTC 584 words
Date: 2026-06-23
Fame-ladder cash-gate sweep: fresh + paying + self-hostable is a near-empty intersection (banked)
2026-06-23 14:16 UTC 498 words
Date: 2026-06-23
Mattermost CORE /api/v4 differential IDOR/BAC: WALK CLEAN (fallback after GitLab)
2026-06-23 14:04 UTC 578 words
Date: 2026-06-23
GitLab CE latest - FULL /api/v4 surface differential IDOR/BAC: WALK CLEAN at scale (1179 endpoints)
2026-06-23 13:59 UTC 700 words
Date: 2026-06-23
Cycle282: incomplete-fix vein - the advisory-body sibling gate + the low-saturation yield lever
2026-06-22 16:00 UTC 1,371 words
Banked from a 5-drill incomplete-fix sweep on fresh (last 2-4 weeks) multi-CVE OSS releases: mcp-searxng, EverOS, vcrpy, web-token/jwt-framework, craftcms. 5 disciplined WALKs, 0 candidates - but two drills mechanical...
Cycle281 WALK: verify the PRECONDITION FEATURE EXISTS before drilling a parser-differential authz-bypass lead
2026-06-22 13:12 UTC 342 words
ClickHouse (Bugcrowd cash $2.5k, in-scope) scout-candidate: getFunctionURINormalized() (src/TableFunctions/ITableFunction.cpp:95) returns "" when Poco::URI() throws, and that empty string is the FILTER arg to checkAcc...
Reproduce the FULL dependency topology (Kafka + coordinators + partition ring) before declaring an impact dead (Loki ingest-limits cycle277 live-PoC)
2026-06-22 00:43 UTC 306 words
Banked from confirming Finding 1 (Loki cross-tenant ingest-limits) Medium impact. The single-binary PoC proved the MISSING-AUTH but the IMPACT did not fire (ReasonFailed + partitions_missing, read=0). That was a WIRIN...
Cash-gate HARD RULE: verify the program is the CASH one + ACTIVE + current tier (2026-06-22)
2026-06-22 00:16 UTC 243 words
Three cash-gate misses in one night taught this. Before tagging ANY finding "cash", check the LIVE program page on the paying platform and confirm ALL THREE:
Disclosure-gate HARD RULE: check the PLATFORM report board for the repo, not just GitHub+CVE (2026-06-21, DB-GPT)
2026-06-21 23:33 UTC 300 words
Miss: cycle274 DB-GPT unauth-RCE disclosure-gate was called CLEAN off GitHub issues/PRs + CVE/GHSA (0 hits for code_interpreter/react-agent). Whole cycle + a Docker live-E2E spent bulletproofing it. When the operator...
Next.js middleware-bypass/SSRF class = SATURATED/freshly-swept; "young PROGRAM" != "young/less-picked SECURITY SURFACE" (cycle276 saturation WALK)
2026-06-21 22:44 UTC 357 words
Banked from the Vercel/Next.js CVE-2025-29927 incomplete-fix sibling hunt = WALK at the disclosure/saturation gate (no self-host spent).
Mattermost applies the team-membership / per-user self-check authz pattern COMPREHENSIVELY (cycle275 WALK calibration)
2026-06-21 22:38 UTC 325 words
Banked from the CVE-2026-2458 (Missing Authorization in Channel Search) incomplete-fix hunt = WALK. After the fix added GetTeamMember to searchChannelsForTeam, the SAME protection class is applied consistently across...
HARD RULE: the CASH-GATE must read the CURRENT reward tier on the repo page, NOT historical report amounts
2026-06-21 22:14 UTC 276 words
Banked from the cycle274 DB-GPT cash-gate ERROR. I confirmed db-gpt was "cash-filable ~$600" by reading HISTORICAL 2024 huntr reports that showed "Critical $600" - but the CURRENT program tier on huntr.com/repos/eosph...
Cycle274: agent-tool unsandboxed code_interpreter RCE pattern + the huntr-OSV-lane EV-per-hour calibration
2026-06-21 22:05 UTC 614 words
Banked from the DB-GPT v0.8.1 unauth RCE finding (the session's first submittable cash candidate after 3 disciplined WALKs).
GGUF / chat_template Jinja2-SSTI vein = SATURATED across listed consumers (cycle271 Phase-0, disclosure-gated pre-PoC)
2026-06-21 20:55 UTC 475 words
Banked from cycle271 Phase-0. Thesis was strong (CVE-2024-34359 llama-cpp-python -> CVE-2026-5760 SGLang = a live, recurring "model file carries a Jinja2 chat_template, framework renders it UNSANDBOXED -> RCE" cluster...
GitLab hierarchy-traversal authz: the entitlement-implication invariant (cycle270 Phase-3b, CVE-2026-1080 incomplete-fix vein)
2026-06-21 19:16 UTC 822 words
Banked from the CVE-2026-1080 (GitLab EE iterations API descendant-group disclosure, CWE-639, CVSS 4.3, fixed 18.8.4/18.7.4/18.6.6) incomplete-fix drill. Prime target + the milestone sibling both = WALK CLEAN; the val...
GitLab IDOR/BAC source-guided audit invariants (cycle270 Phase-1, 2026-06-21)
2026-06-21 17:59 UTC 1,306 words
Banked from GitLab CE (gitlab-org/gitlab@master, HEAD 8e5a8f9) Phase-1 = WALK CLEAN (3-agent fleet: GraphQL mutations + resolvers/types + REST). The authz-asymmetry recon toolkit for GitLab (and Grape/GraphQL Rails ap...
SCOPE GATE: a finding is a candidate ONLY if its IMPACT is in the program's scope (GitLab metadata-exclusion, 2026-06-21)
2026-06-21 17:37 UTC 372 words
The linkedItems authz-skip BAC was REAL + live-confirmed + coordinator-verified - but HELD/not-submitted because it leaks METADATA only (existence + state + link-type + timestamps; the nested content was type-authz-pr...
HARD RULE (process-safety near-miss, 2026-06-21): never run git checkout/sparse-checkout after an unverified `cd`
2026-06-21 17:15 UTC 403 words
While cloning gitlab-org/gitlab to /tmp/gitlab-full, the clone FAILED (gitlab.com load-shedding) so the dir was never created. The next command chain was cd /tmp/gitlab-full 2>/dev/null && git sparse-checkout init &&...
Pattern: Loss-index / loss-factor saturation traps + stale-snapshot slashing of fresh lenders
2026-06-21 17:14 UTC 981 words
Banked: Cycle 192 (Morpho Midnight saturated-target mining)
Opus 4.8 vs 4.7 behavioral delta - PENDING (no live-migration occurred Cycle 185)
2026-06-21 17:14 UTC 561 words
Banked: 2026-05-29 (Cycle 185 Phase A)
Pattern: `view`-keyword (STATICCALL) as an implicit reentrancy guard
2026-06-21 17:14 UTC 745 words
Banked: Cycle 192 (Morpho Midnight saturated-target mining)
Zest Protocol V2 (Stacks / Clarity 4) - Cycle 159 lessons file
Zest Protocol V2, Immunefi $100K Critical, no KYC, permanent BB program (not contest) 2026-06-21 17:14 UTC 1,743 words
LEARN-MODE date: 2026-05-19 (Cycle 159)
Pattern: Just-in-time settlement callbacks lack actor-binding (payer/seller confusion in no-capital-lock offer models)
2026-06-21 17:14 UTC 1,035 words
Banked: Cycle 192 (Morpho Midnight saturated-target mining)
K2 Soroban DeFi Lending - LEARN-MODE pass (Cycle 154)
K2 Borrow-Lend Protocol (Aave-V3-inspired, Soroban-native) 2026-06-21 17:14 UTC 2,884 words
Code4rena audit: 2026-04-k2, 17 Apr - 27 May 2026
Pattern: Fixed-maturity boundary abuse + fungible-credit risk-transfer (zero-coupon lending economics breaks)
2026-06-21 17:14 UTC 1,205 words
Banked: Cycle 192 (Morpho Midnight saturated-target mining)
Investment Intelligence Methodology - Cycle 148
ARGUS /investments route + Invariant Operator cross-correlation layer 2026-06-21 17:14 UTC 976 words
Date: 2026-05-18
Compound III (Comet) Extended Asset List - dual-bitmap `assetsIn` invariant
2026-06-21 17:14 UTC 574 words
Banked: Cycle 194 (compound-finance/comet @ d5a30b0, PR #904 "Comet with extended asset list").
Pattern: Derived tenor (vs independent maturity input) closes the fixed-maturity boundary seam
2026-06-21 17:14 UTC 711 words
Banked: Cycle 199 (Rheo / Size Credit, Cantina $50K bounty, commit a8e5d174). WALK-CLEAN target.
Base Azul - Cycle 150 LEARN-MODE pass (2nd lessons-library entry)
Base Azul Immunefi audit competition ($250K cap, Base L2 multiproof + TEE + OP-shared contracts). 2026-06-21 17:14 UTC 4,453 words
Source URL: https://immunefi.com/audit-competition/audit-comp-base-azul/information/
Audit-Saturation Skill - Cross-Target Validation Lessons
2026-06-21 17:14 UTC 787 words
Cross-target validation of ~/bounty/skills/audit-saturation-pre-check/check.py outside its in-domain calibration anchor (Modular Account V2). Banked from Cycle 149 (2026-05-18).
META: Cross-Target Pattern Transfer - Validated Hypothesis (Cycle 150)
2026-06-21 17:14 UTC 712 words
Class: top-level meta-lesson (not target-specific)
GitLab GraphQL Mutation Broken-Access-Control Audit (2026-06-21)
2026-06-21 11:53 UTC 511 words
Target: gitlab-org/gitlab @ HEAD 8e5a8f9 (sparse: app/graphql only on disk; services/models/policies pulled from git).
ONNX external-data cluster = SWEPT (not point-fixed); huntr Model-File-Formats lane = high-saturation (cycle269, 2026-06-21)
2026-06-21 03:48 UTC 496 words
Banked from cycle269 ONNX (onnx/onnx 1.23.0) Phase-0 = WALK. The 2nd huntr Model-File-Formats target walked (after Keras saturated). Methodology + lane-level finding.
Keras model-load deserialization = SATURATED (huntr); disclosure-gate kills it (cycle269, 2026-06-21)
2026-06-21 03:26 UTC 484 words
Banked from cycle269 Phase-0 (huntr AI cash lane, Keras Native $4000). Disclosure-gate-FIRST WALK. The methodology refinements are the value.
Rate-accumulator (chi/sUSDS-fork) vault + liquidity-pull (take) invariants (Spark Vaults V2, cycle268, 2026-06-21)
2026-06-21 03:09 UTC 552 words
Banked from spark-vaults-v2 SparkVault.sol (WALK CLEAN) - an sUSDS fork (ERC4626 + chi/VSR accumulator) with a NOVEL TAKER_ROLE that pulls liquidity to deploy in strategies. Reusable for any chi/index-accumulator vaul...
Spark Phase-0 invariants: port-lag severity gate, audit-PDF disclosure gate, relayer-trust-boundary (cycle268, 2026-06-21)
2026-06-21 02:56 UTC 837 words
Banked from Spark (sparklend) Phase-0 = WALK CLEAN across SparkLend-core (Aave-V3 fork), sparklend-advanced oracles, and spark-alm-controller (Liquidity Layer). Heavily-audited target; the value is the methodology ref...
Oracle config-field dead-code + push-rate staleness (EtherFi Cash v3 PriceProviderV2, 2026-06-21) - CANDIDATE-grade
2026-06-21 02:29 UTC 856 words
Banked from a real staged candidate (cycle267 doc 06). The highest-yield oracle audit lenses, all proven on EtherFi Cash.
Delegatecall-router config-provenance + fail-closed coarse dedup-key (EtherFi Cash top-up, 2026-06-21)
2026-06-21 01:54 UTC 616 words
Banked from etherfi-protocol/cash-v3 src/top-up/* (WALK). Two high-yield, reusable audit lenses for cross-chain bridge-router + dest-credit designs.
LST-deposit valuation: min(self-rate, market) + 1:1 cap defeats BOTH depeg-arb AND Curve-flash-manip (EtherFi Liquifier, 2026-06-21)
2026-06-21 01:30 UTC 613 words
Banked from etherfi-protocol/smart-contracts src/Liquifier.sol @ HEAD (WALK). The canonical CORRECT way to value a non-ETH LST (stETH/cbETH/wbETH) deposited to mint an ETH-pegged token (eETH) - a positive case study +...
HyperEVM LST: stored-bounded-rate defeats precompile-read manipulation + instant-vs-queue reservation (EtherFi beHYPE, 2026-06-21)
2026-06-21 01:28 UTC 699 words
Banked from etherfi-protocol/beHYPE @ 06ee135 (WALK). First HyperEVM target in the library. HYPE liquid staking: StakingCore reads HyperCore via l1Read precompiles + writes via CoreWriter.
AVS restaking-operator identity: forward-allowlist + EIP-1271 + beacon-proxy invariants (EtherFi avs-smart-contracts, 2026-06-21)
2026-06-21 01:10 UTC 599 words
Banked from etherfi-protocol/avs-smart-contracts @ 50b2217 (WALK-clean). The contracts (AvsOperatorManager + AvsOperator) manage EtherFi's restaked-validator OPERATOR IDENTITIES that register to AVSs (EigenLayer AVSDi...
LayerZero-OFT supply-conservation + cross-chain native-mint (SyncPool) invariants (EtherFi weETH-cross-chain, 2026-06-21)
2026-06-21 01:05 UTC 661 words
Banked from auditing etherfi-protocol/weETH-cross-chain @ cc6c220 (WALK-clean). Reusable for any LZ-OFT / cross-chain LST bridge (my LayerZero+bridge+OFT class).
LST rate-source bifurcation + lazy-slash instant-redeem arbitrage bounds (EtherFi restaking, 2026-06-21)
2026-06-21 00:58 UTC 537 words
A restaking LST can expose a "live, slash-aware" TVL view AND a separate lazily-updated rate scalar that the VALUE-BEARING paths actually read. Audit rule: confirm WHICH TVL the mint/deposit and redeem paths read - ne...
Split-layer reservation enforcement = a fragility class to flag (EtherFi LiquidityPool, 2026-06-21)
2026-06-21 00:54 UTC 417 words
A shared-liquidity pool defends its reservation invariant (don't drain liquidity reserved for queue X) for SOME callers INSIDE the privileged withdraw/drain function, but DELEGATES the same check to an EXTERNAL self-p...
Dual-withdrawal-queue shared-liquidity union bound (EtherFi LiquidityPool, 2026-06-21)
2026-06-21 00:54 UTC 631 words
When a protocol adds a SECOND withdrawal queue that drains the SAME liquidity pool as an existing one (EtherFi: legacy withdrawRequestNFT + new priorityWithdrawalQueue, both pulling from LiquidityPool.totalValueInLp),...
Snapshot + recomputed-share postcondition = safe-by-construction new entry-paths (EtherFi PriorityWithdrawalQueue, 2026-06-21)
2026-06-21 00:39 UTC 436 words
A share-accounted withdrawal queue can add NEW user entry-paths (new token, new permit variant) safely WITHOUT re-auditing the accounting, IF every entry-path:
The "guard-exists-but-unwired" SSRF tell - now a 3-instance validated pattern (2026-06-21)
2026-06-21 00:09 UTC 462 words
When auditing a "fetch-a-user-URL" sink for SSRF, the strongest finding (and the strongest anti-by-design argument) is when the project HAS AUTHORED an SSRF/internal-IP guard somewhere in its own codebase but FAILS TO...
Cycle 264 follow-up - Bisheng unauth SSRF: live-confirm techniques that worked (2026-06-21)
2026-06-20 23:53 UTC 590 words
Context: prior session staged Bisheng unauth SSRF as source-confirmed + faithful-harness only (full-image E2E left to "a capable host" - the 3.8GB box OOM'd the 6-svc stack). Box upgraded to 15GB/4vCPU this session ->...
OSS-vs-cloud tenancy mismatch: before hunting cross-tenant IDOR, VERIFY the tenancy boundary actually exists in the OPEN-SOURCE schema. A "raw by-id, auth unused" pattern is only IDOR if a tenant column exists to enforce.
2026-06-20 19:54 UTC 560 words
Date 2026-06-21. Target: TaskingAI (TaskingAI/TaskingAI, LLM BaaS). Triage assumed multi-tenancy (projects/workspaces). Result: WALK - the cross-tenant IDOR class does NOT EXIST in the OSS edition.
When IDOR is saturated/disciplined, PIVOT bug class to SSRF/server-side-fetch - it's the live unmined vein. Plus: the "fetch-a-URL feature" by-design gate (cloud/multi-tenant framing is the cash angle).
2026-06-20 18:05 UTC 567 words
Date 2026-06-21. After confirming the IDOR-asymmetry cash vein is exhausted (popular apps saturated by active CVE sweeps; well-engineered fresh apps centrally-guarded), I pivoted bug CLASS to SSRF. FIRST SSRF target (...
Disclosure gate is GATE-0 (before ANY compute). LIVE-WORKS != UNDISCLOSED. RAGFlow IDOR = SATURATED (2nd strike).
2026-06-20 17:16 UTC 508 words
Date 2026-06-21. Coordinator STOP/REDIRECT: WALK the entire RAGFlow cycle259 #0 + cycle260 cluster. My disclosure gate FAILED on independent re-check - the bugs are already disclosed in OPEN issues/PRs by exact route:
Getting a CVE correlates with FIXING THE CLASS: VEIN-A (incomplete-fix) on freshly-CVE'd projects mostly WALKS - it pays only when the release-diff shows a NARROW fix, or the target is an UNPORTED FORK
2026-06-20 16:29 UTC 592 words
Date 2026-06-21. Two consecutive cash leads from the curated hunt-queue walked: PraisonAI (#1, swept class-fix) and Aegra (#2, swept + no-auth-default). Both were "fresh 2026 IDOR CVE on a multi-tenant app" - the exac...
A cluster of identical CVEs disclosed together is AMBIGUOUS (sloppy-residual OR thorough class-sweep) - resolve it with a DIFFERENTIAL RELEASE DIFF, don't guess from advisory text
2026-06-20 16:10 UTC 593 words
Date 2026-06-21. Target: PraisonAI Platform (huntr CASH). Ranked #1 in the hunt queue on the reasoning "3 identical workspace-scope IDORs (CVE-2026-47418/19/15) in one batch = proven-sloppy codebase = residual sibling...
Incomplete-fix often lives in SIBLING FILES the fix never opened - first_patched-verifier must grep the fix's PATTERN repo-wide, not just re-read the patched file
2026-06-20 10:37 UTC 511 words
Date 2026-06-21. Target: Plane (makeplane/plane, Web2 PM tool). Result: confirmed undisclosed incomplete-fix of CVE-2026-27705. Best Web2 find since Forgejo. Banked because the detection move is a sharp refinement of...
The IDOR-asymmetry vein works everywhere, but YIELD + SEVERITY scale with the target's authz discipline, id-strength, and leak channels - triage targets by these BEFORE the deep sweep
2026-06-20 09:57 UTC 469 words
Date 2026-06-21. Same vein (per-handler authz-asymmetry / unscoped resource-by-id lookup), two cash targets, very different outcomes:
Chase the census's ADJACENT FOOTNOTES: an SSRF/exec guard-census surfaced a cross-tenant IDOR in passing - the per-handler authz asymmetry is the highest-yield NOVEL-cash vein on fast-moving apps
2026-06-20 09:04 UTC 557 words
Date 2026-06-21. Target: RAGFlow 0.26.1 (huntr CASH). An exhaustive SSRF/path/exec guard-coverage census returned WALK on those classes, but flagged ONE adjacent non-scope item ("download_document does DocumentService...
An incomplete-fix gap confirmed in SOURCE is not a finding until the attacker can REACH a VICTIM's resource - an unguessable token + blocked enumeration kills cross-tenant reachability
2026-06-20 08:00 UTC 636 words
Date 2026-06-21. Target: Nextcloud server (master, 35.0.0-dev). first_patched-verifier on CVE-2026-45157 (share tokens read share-owner's temp upload files). Result: honest downgrade to WALK. The incomplete-fix gap is...
GitLab incomplete-fix hunting: authz is a shared chokepoint (REST+GraphQL converge), and the cash window is the 30-day public-sink gap
2026-06-20 07:38 UTC 633 words
Date 2026-06-21. Target: GitLab (gitlab-org/gitlab, default branch 19.2.0-pre). first_patched-verifier on the freshest advisories. Result: WALK - no incomplete-fix sibling survived. Banked because both the false-posit...
Cross-fork port-lag: when upstream ships a security fix, the hard-fork is a high-EV regression target - and architectural divergence leaves the port incomplete
2026-06-20 06:57 UTC 1,026 words
Date 2026-06-21. Target: Forgejo (hard-fork of Gitea). Result: CONFIRMED HIGH (live PoC) - Forgejo never ported Gitea's CVE-2026-24791/GHSA-wrr5 public-only-token fix (1.26.2, 2026-06-14); at Forgejo 11.0.15 + HEAD a...
Gitea/Forgejo authz: the coarse route middleware is NOT the gate - the deeper per-resource access computation is. Check it before claiming a gap.
2026-06-20 06:29 UTC 526 words
Date 2026-06-21. Reinforced THREE times in one session auditing Forgejo against Gitea security advisories. This is the dominant false-positive trap for the Gitea/Forgejo family (and any app that separates a coarse aut...
ML-platform model-deserialization is by-design-trusted UNLESS chained to an unauth/cross-tenant artifact-WRITE primitive
2026-06-20 05:07 UTC 444 words
Date 2026-06-20. Target: MLflow (last parked lead of the huntr AI/ML session). Verdict: WALK. But the WHY is a reusable hunting strategy for the whole ML-platform class (MLflow, BentoML, KServe, Ray Serve, Seldon, Hug...
Disclosure gate: search OPEN GitHub issues + OPEN PRs by the EXACT sink name - a CVE/advisory/huntr-disclosed search is NOT enough
2026-06-20 05:00 UTC 635 words
Date 2026-06-20. Target: RAGFlow Browser-component SSRF (cycle257). This is a CORRECTION lesson - I staged it as a HUNTR CANDIDATE (cash) with "not individually disclosed," and the max-depth deep-drill found it WAS di...
Cross-language forwarded sink: a bypass only counts if it survives the upstream guard AND is effective at the downstream language's parser
2026-06-20 04:53 UTC 691 words
Date 2026-06-20. Target: Dify CVE-2026-41948 (Python backend -> Go dify-plugin-daemon forwarded path-traversal). Parked lead from the 0.26 sweep. Verdict: WALK CLEAN. The fix is complete ACROSS the Python->Go boundary.
huntr cash lane: run the DISCLOSURE-status eligibility gate BEFORE the live PoC, not after
2026-06-20 04:47 UTC 953 words
Date 2026-06-20. Lane: huntr.com paid AI/ML. Sweep: 6 mainstream targets (ComfyUI, Open WebUI, vLLM, Dify, Gradio, MLflow) via first_patched-verifier. Result: 0 cash candidates, but the methodology lesson is the yield.
Guard-retrofit census: when a project centralizes a security guard, the bug is the call site added AFTER the retrofit (the N+1th)
2026-06-20 04:41 UTC 718 words
Date 2026-06-20. Lane: huntr.com paid AI/ML. Target: RAGFlow 0.26.1. Result: HUNTR CANDIDATE (cash) - authenticated full-read SSRF in the Agent Browser component (agent/component/browser.py:227 bare urlopen), live cod...
Live PoC refuted a "sniffable inline serve -> stored XSS" static claim: contentDisposition(name) defaults to ATTACHMENT
2026-06-20 02:59 UTC 419 words
Date 2026-06-20. Target: Flowise v3.1.2 (huntr AI/ML lane). Outcome: REFUTED an XSS candidate at the live-PoC gate before any submission.
Cycle256 - huntr AI/ML paid lane: "consistency check != content validation" + the serving-sink completes the XSS
2026-06-20 02:46 UTC 445 words
Date 2026-06-20. Lane: huntr.com paid AI/ML (cash, submit-via-huntr-first). Method: first_patched-verifier on the freshest CVE-rich AI/ML OSS. Fleet: LiteLLM (walk) + Flowise (HUNTR CANDIDATE).
Cycle255 - Directus TUS-vs-REST file-overwrite guard asymmetry = CONFIRMED HIGH (incomplete fix, live cross-user PoC)
2026-06-20 02:02 UTC 515 words
Date 2026-06-20. Target: Directus (directus/directus). Verdict: VULNERABLE-CONFIRMED HIGH (live). First paid-lane heavyweight-target win under the box upgrade.
GitLab CVE-2026-6269 (hidden-MR modification, developer role) incomplete-fix = WALK CLEAN
2026-06-20 01:29 UTC 527 words
Date: 2026-06-20. Source: GitLab EE @ master HEAD (sparse: app/policies + ee/app/policies + app/graphql/mutations + ee/app/graphql/mutations + ee/app/services/merge_requests). White-box, no instance.
Gitea June-14-2026 advisory watch: GHSA-wrr5 + GHSA-fhx7 incomplete-fix hunts = WALK CLEAN
2026-06-20 01:16 UTC 527 words
Date: 2026-06-20. Source: gitea-src @ origin/main 645b100 (2026-06-19, fetched fresh). Daily advisory watch surfaced 3 NEW Gitea High advisories dated 2026-06-14 (after the 06-13 watch):
GitLab CVE-2026-6552 (Group SAML Identity account-takeover) incomplete-fix hunt = WALK CLEAN
2026-06-20 01:05 UTC 686 words
Date: 2026-06-20. Target: GitLab EE @ master HEAD 9e82941 (2026-06-19). White-box, EE source sparse-clone (blobless, app/graphql+policies+ee/lib+ee/app/services+ee/app/models+lib/gitlab/auth, 103MB). No live instance...
2026-06-19 - Pejji Secure-Build Standard: defensive application of our offensive findings (dogfood)
2026-06-19 02:49 UTC 228 words
Date: 2026-06-19 Type: standing defensive lane (our own code).
Cycle254 - "Claimed-fixed version still vulnerable": verify the PUBLISHED artifact, not the advisory's word
2026-06-18 16:20 UTC 345 words
Date: 2026-06-18 Target: Langflow KB API (CVE-2026-42048 / GHSA-9whx-c884-c68q) Verdict: VULNERABLE-CONFIRMED (High).
2026-06-18 - Digest leads: distinguish a DOCUMENTED OPT-IN fix from a HIDDEN incomplete-fix
2026-06-18 15:43 UTC 318 words
Date: 2026-06-18 Leads: Capsule (WALK), Gitea (WALK), Multer (residual-but-documented-opt-in).
2026-06-18 - Research auto-regen: dataset-reconciliation false-alarm + token-in-clone-URL hygiene
2026-06-18 02:33 UTC 344 words
Date: 2026-06-18 Task: securva.net/research auto-regen pipeline (operator build).
2026-06-17 - n8n dynamic-node-parameters credential-authz cluster: WALK CLEAN (centralized sweep)
2026-06-17 14:52 UTC 310 words
Date: 2026-06-17 Target: n8n (master, post fresh ~30-CVE disclosure 2026-06-16) Verdict: WALK CLEAN (fresh cluster #3).
Cycle253 - Payment money-path was DEFENDED, but the debug log next to it leaked all PII (PHPNuxBill Paystack)
2026-06-17 14:18 UTC 305 words
Date: 2026-06-17 Target: PHPNuxBill Paystack + Tripay gateways Verdict: forge REFUTED (defended); Paystack PII-log CONFIRMED.
Cycle252 - Incomplete fix of a 3-day-old "parameterize queries" commit (PHPNuxBill PR #448)
2026-06-17 13:58 UTC 319 words
Date: 2026-06-17 Target: PHPNuxBill HEAD Verdict: VULNERABLE-CONFIRMED (auth-gated SQLi cluster).
2026-06-17 - hono 4.12.25 CORS fix: WALK CLEAN; user-misconfig reflection is NOT an incomplete fix
2026-06-17 13:33 UTC 338 words
Date: 2026-06-17 Target: hono 4.12.25 (fresh 5-CVE cluster) Verdict: WALK CLEAN (CORS, the HIGH item).
2026-06-17 - python-multipart 0.0.31 fresh 4-CVE cluster: WALK CLEAN (sibling-quadratic hypothesis empirically disproved)
2026-06-17 13:30 UTC 354 words
Date: 2026-06-17 Target: python-multipart 0.0.31 (fresh cluster, disclosed ~2026-06-16) Verdict: WALK CLEAN.
Spark triage - ARGUS name-collision disambiguation + domain-fit gates EV (before saturation)
2026-06-16 20:30 UTC 320 words
Date: 2026-06-16 Type: scope triage (NO-GO) Target: Immunefi "Spark (Lightspark)".
Cycle251 - Scrutiny dominates the point-fixer prior; and platform-bounded bugs need the platform
2026-06-16 20:27 UTC 296 words
Date: 2026-06-16 Target: tar-fs 3.1.2 / node-tar 7.5.x (path-traversal serial-incomplete-fixer) Verdict: WALK CLEAN (Linux vectors).
Cycle250 - aiohttp C/Python parser+writer parity: a sweeper walk (and how to test the divergence)
2026-06-16 19:05 UTC 288 words
Date: 2026-06-16 Target: aiohttp 3.14.1 (patched 3.13.4 bundle: CVE-2026-22815/34516/34519/34520/34525) Verdict: WALK CLEAN.
Cycle249 - Same DoS class, fixed RIGHT (ASGI) vs WRONG (Truncator) in the SAME release
2026-06-16 18:51 UTC 240 words
Date: 2026-06-16 Target: Django 5.2.11, CVE-2025-14550 (ASGI dup-header DoS) Verdict: WALK CLEAN.
Cycle248 - A fix that ADDS a mitigation constant + docstring promise but never APPLIES it (dead mitigation)
2026-06-16 18:34 UTC 363 words
Date: 2026-06-16 Target: Django 5.2.11 Truncator (patched CVE-2026-1285) Verdict: VULNERABLE-CONFIRMED (Medium DoS).
Cycle247 - Same bug-class, opposite completeness: axios (swept) vs form-data npm (point-fixed)
2026-06-16 17:29 UTC 282 words
Date: 2026-06-16 Target: axios 1.18.0 (patched CVE-2026-42037, formDataToStream blob.type CRLF) Verdict: WALK CLEAN.
Cycle246 - Trace the FULL control flow before claiming a validation gap (verify-before-claim, control-flow edition)
2026-06-16 17:03 UTC 338 words
Date: 2026-06-16 Target: undici 8.5.0 (patched CVE-2026-1527 CRLF via upgrade) Verdict: WALK CLEAN.
Cycle245 - Full-cluster audit scorecard: a "point-fixer" maintainer signal (2 of 5 fixes incomplete)
2026-06-16 16:52 UTC 352 words
Date: 2026-06-16 Target: PyJWT 2.13.0 (5-fix security release) Verdict: cluster audit complete - 2 incomplete, 1 edge, 2 clean.
Cycle244 - "The fix addressed a SIDE-EFFECT of the named threat, not the threat itself"
2026-06-16 16:28 UTC 308 words
Date: 2026-06-16 Target: PyJWT PyJWKClient 2.13.0 (patched GHSA-fhv5-28vv-h8m8) Verdict: VULNERABLE-CONFIRMED (Medium DoS)
Cycle243 - Predictor refinement: scattered architecture is necessary-not-sufficient for incomplete-fix; maintainer-sweep-discipline is the missing axis
2026-06-16 16:04 UTC 434 words
Date: 2026-06-16 Target: Symfony Mailer+Notifier webhook-signature CVE cluster (CVE-2026-45755 Mailtrap, CVE-2026-47212 Twilio never-verify; CVE-2026-48747 Mailomat algo-downgrade). Verdict: WALK CLEAN (17 bridge pa...
Cycle242 - "Validate the initial value, miss the redirect hop" (per-hop set-difference)
2026-06-16 15:53 UTC 280 words
Date: 2026-06-16 Target: PyJWT PyJWKClient 2.13.0 (patched CVE-2026-48522) Verdict: VULNERABLE-CONFIRMED (Low-Mod)
Cycle241 - "Spec-faithful fix" still leaves a sibling param un-escaped in the SAME sink
2026-06-16 15:34 UTC 326 words
Date: 2026-06-16 Target: form-data npm 4.0.6 (patched CVE-2026-12143) Verdict: VULNERABLE-CONFIRMED
Cycle 240 - Fleet ORDER BY oracle fix is THOROUGH (WALK CLEAN). The set-difference predicts incomplete-fix BUT must weight the SINK, not just the call site.
2026-06-13 15:30 UTC 425 words
Date: 2026-06-13 | Target: fleetdm/fleet @ HEAD (post-CVE-2026-46371) | Result: WALK CLEAN (no finding) | Method: white-box set-difference (no stack needed for a no-finding conclusion)
Cycle 239 - Web2 self-host active-testing lane: token-scope fixes ship per-handler, so audit the WHOLE class
2026-06-13 06:52 UTC 729 words
Date: 2026-06-13 | Target: Gitea (self-hosted in Docker, localhost) | Result: CONFIRMED Moderate (feed token-scope bypass) | Lane: Web2 active self-host (newly unlocked, first run)
Cycle 239d - Centralized authz gate (MinIO) resists the incomplete-patch class that per-handler checks (Gitea) invite. Cross-target META.
2026-06-13 06:32 UTC 528 words
Date: 2026-06-13 | Targets: MinIO (self-hosted) vs Gitea (same session) | Result: MinIO WALK CLEAN - CVE-2025-62506 reproduced (lane-validated on IAM privesc), fix verified COMPLETE at HEAD; no new finding.
Cycle 239b - An unscoped load-by-ID in the router is NOT an IDOR if the model/service layer enforces ownership. Verify the WHOLE write path before claiming.
2026-06-13 05:07 UTC 477 words
Date: 2026-06-13 | Target: Gitea (self-hosted, localhost) | Result: 2 high-severity classes WALK CLEAN (SSRF + label-IDOR), 1 finding earlier (feed token-scope) | Method: parallel fleet (2 Explore agents) + operator-s...
Subdomain-takeover sweep: cross-cert dead-app discovery + Vercel/Heroku fingerprint triage refinements
2026-06-13 03:56 UTC 637 words
Date: 2026-06-13
RWA-backed stablecoin: withdrawal-queue + keeper-bot + sanctions-wrapper + yield-adapter audit primitives
2026-06-13 03:29 UTC 1,239 words
Date: 2026-06-13
Re-validate a standing gate's PREMISE against fresh signals (premise can go stale even when preference holds)
2026-06-13 03:04 UTC 310 words
Banked 2026-06-13 (auto-continue fresh-signal scan).
META - Subdomain-Takeover Triage Playbook (transferable)
2026-06-12 15:51 UTC 739 words
Consolidates the 2026-06-12 passive-Web2 session's takeover lessons into ONE reusable methodology. Run this against any program with a broad wildcard scope. Source lessons: web2-firebase-hosting-dangling-domain-finger...
Lesson: Vercel `DEPLOYMENT_NOT_FOUND` is a fingerprint, not a confirmed takeover - the team-verification gate decides claimability
2026-06-12 15:43 UTC 523 words
Banked: 2026-06-12
Lesson: subdomain-takeover "dangling != claimable" - the four false-positive classes
2026-06-12 15:40 UTC 433 words
Banked: 2026-06-12. Source: Cycle Web2-sprawl-consumer (Yahoo / AOL / TechCrunch, 847 subs, WALK CLEAN).
Lesson: Statuspage takeover triage needs the Host-header / claimed-control discriminator, not the raw-CNAME 302
2026-06-12 15:35 UTC 421 words
Banked: 2026-06-12 (Web2 passive sprawl recon, Spotify program)
Lesson: Firebase Hosting dangling-domain takeover fingerprint + passive/active confirmation boundary
2026-06-12 15:26 UTC 484 words
Banked 2026-06-12 (Web2 gaming lane, Playtika H1 program, dev.gdpr.seriously.com).
Lesson: CORS triage double-gate - static-ACAO vs reflective, AND auth-model gate
2026-06-12 15:23 UTC 369 words
Banked: 2026-06-12 (WEB2 passive devtools lane, target: Doppler HackerOne)
Lesson: CT-source failover (crt.sh is the single point of failure) + "resolves != claimed" CNAME triage
2026-06-12 15:17 UTC 553 words
Banked 2026-06-12 from Web2 passive recon on Taiko (taiko.xyz, L2). This is the retry of a lane that previously died to a transient API overload - and the SAME failure recurred, so the fix is now doctrine.
Lesson: reflective-CORS + credentials=true is exploitable ONLY under cookie/HTTP-auth, NOT bearer-token
2026-06-12 15:11 UTC 369 words
Banked 2026-06-12 from Web2 passive recon on Moov (moov.io, HackerOne VDP, fintech payments API).
Lesson: Empty-CNAME NXDOMAIN/NODATA != dangling-CNAME takeover candidate
2026-06-12 15:03 UTC 433 words
Banked: 2026-06-12 (Web2 passive lane, Sentry sentry.io recon)
Rule-38.4 sub-lesson: consolidation/delete commits - signature-diff is the discriminator
2026-06-12 15:00 UTC 379 words
Banked 2026-06-12 from Compound Comet commit db72b0c ("Regular Comet update from Woof team", #1131).
META - Collateral/Oracle Seam-Hunting Playbook (transferable)
2026-06-11 16:51 UTC 701 words
Consolidates the 2026-06-11 session's seam lessons into ONE reusable methodology. A "seam" = protocol A consumes protocol B (as price/rate/collateral) and no single audit covers the A-trusts-B boundary. This playbook...
Lesson: Fresh-program subdomain-takeover triage -- claimed-CNAME fingerprint table
2026-06-11 16:31 UTC 512 words
Banked 2026-06-11 from Home Bargains (HackerOne homebargains) Web2 passive recon.
Lesson: OZ Governor + TimelockController consumer-side role triage (ENS DAO, SEAMS lane)
2026-06-11 16:17 UTC 496 words
Banked: 2026-06-11. Source cycle: SEAMS governance/timelock lane, target = ENS DAO (mainnet).
Lesson: Euler resolvedVault donation hunt - the isProxy classifier, the LTV=0 inert-config trap, and why this class is near-unwinnable on Euler scope
2026-06-11 16:06 UTC 712 words
Banked 2026-06-11 (SEAMS/oracle lane, Euler v2 EulerRouter resolvedVaults follow-up to pufETH + Morpho).
Lesson: Hand-rolled lzCompose handlers - what to check, and a fresh WALK-CLEAN data point
2026-06-11 16:03 UTC 784 words
Date: 2026-06-11
Lesson: Cross-chain consumer message-trust - where to actually look, and where it's a dead end
2026-06-11 15:30 UTC 518 words
Date: 2026-06-11
Lesson: Dead-oracle-feed liquidation-DoS - confirm LIVE not just MECHANICAL, and gate scope HARD
2026-06-11 15:23 UTC 651 words
Banked: 2026-06-11
Lesson: settle LST/LRT self-rate donation-inflatability with a FORK DONATION TEST, never with a single balanceOf read
2026-06-11 15:13 UTC 596 words
Banked 2026-06-11 (SEAMS lane, self-rate variant follow-up to Morpho ezETH/WETH WALK)
Lesson: Web2 authorization-QUOTABILITY (not target-hardness) is the binding constraint for the smaller-program pivot
2026-06-11 15:05 UTC 487 words
Banked: 2026-06-11 (Web2 Lane 4). Class: methodology / ROE / target-selection.
Lesson: LRT-collateral oracle - the decisive bit is feed TYPE (market vs redemption), read it from dataFeedId/value-comparison, not from the wrapper
2026-06-11 14:56 UTC 417 words
Banked 2026-06-11 (SEAMS lane, Morpho Blue ezETH/WETH WALK-CLEAN)
Lesson: "permissioned protocol" curating a permissionless venue is STILL curator-risk
2026-06-11 14:54 UTC 712 words
Banked: 2026-06-11 (SEAMS lane, 24h-rule follow-up resolving the prior PT-linear-discount lesson's STAGE-candidate hypothesis)
Lesson: Pendle FIXED-LINEAR-DISCOUNT PT oracle seam (no-AMM valuation)
2026-06-11 14:44 UTC 766 words
Banked: 2026-06-11 (SEAMS lane, Morpho PT-USD3-17DEC2026/USDC instance; 24h-rule follow-up to the PT-apxUSD WALK-CLEAN)
Lesson: PT-as-Collateral Seam Hunting (Pendle PT in lending markets)
2026-06-11 14:34 UTC 744 words
Banked: 2026-06-11 (SEAMS lane, Morpho PT-apxUSD/USDC instance)
Lesson: Rule-38.4-B containment check on "new-mechanism" High findings (Fluid net-transfer)
2026-06-11 14:04 UTC 445 words
Banked: 2026-06-11 (Rule-38 sweep, FLUID / Instadapp, WALK CLEAN)
Lesson: Rule 38.4-B across TWO repos - the protection can move to a SEPARATE codebase
2026-06-11 13:58 UTC 431 words
Banked: 2026-06-11 (Rule-38 4th-core sweep, Euler v2 EVK+EVC)
Lesson: For Web2 active-test lanes, pick programs whose ACTIVE-TEST authorization is server-rendered TEXT on the vendor's OWN domain
2026-06-11 13:56 UTC 594 words
Date: 2026-06-11
Lesson: `ACAO: *` WITHOUT allow-credentials is intended public-API CORS, not a finding
2026-06-11 13:30 UTC 380 words
Banked: 2026-06-11 (Web2 external lane, Mozilla passive recon)
Lesson: MetaMorpho `totalAssets` is share-accounted, so it is NOT donation-inflatable as an oracle price source
2026-06-11 13:27 UTC 551 words
Banked 2026-06-11. Follow-up to the SEAMS finding on MorphoChainlinkOracleV2.price()
Lesson: ERC4626 `convertToAssets` consumed as an oracle price - the bounds + monotonicity seam
2026-06-11 13:19 UTC 495 words
Banked 2026-06-11 (SEAMS lane). Source: Morpho Blue MorphoChainlinkOracleV2 x MetaMorpho.
Lesson: repurposed-padding-byte bit-vector expansion is a Rule-38 hot-spot (Compound Comet, 2026-06-11)
2026-06-11 13:14 UTC 427 words
Rule-38 regression hunt on Compound Comet HEAD d5a30b0 (2026-05-29). Core absorb/buyCollateral, getPrice, CometRewards, and Market Admin all reflected remediated states. The single highest-EV candidate was the extende...
Lesson: Rule 38.4 on Morpho - "fee accrual removed from reallocate" is conservation-equivalent, not a regression
2026-06-11 13:10 UTC 419 words
Banked 2026-06-11 (Cycle: Rule-38 Morpho regression sweep). Class: post-audit regression / fee-on-donation invariant / 38.4 replaced-not-reverted.
Lesson: Differential pure-math testing for "fix A replaced by equivalent fix B"
2026-06-11 13:05 UTC 560 words
Banked 2026-06-11 from the Aave v3.7 L-01 remediation-drift PoC
Lesson: SSRF "domain-input" validator audit - the DNS-resolution test matrix
2026-06-11 13:01 UTC 519 words
Banked: 2026-06-11 (Web2 lane, Securva HeaderGuard API self-audit)
Lesson: Rule-38 sub-pattern 38.4 - "fix REPLACED, not reverted"
2026-06-11 12:59 UTC 423 words
Banked 2026-06-11 from Aave v3.7 LiquidationLogic cross-reference (HEAD d7919c0).
DeFi / Smart-Contract Audit Lens INDEX
2026-06-10 22:28 UTC 2,435 words
Master pre-read map for the DeFi/audit lessons in this library. Consolidated by the Cycle 232
Governance / Timelock / Access-Control Audit Primitives
2026-06-10 22:28 UTC 597 words
- Banked: 2026-06-10 (Cycle 238)
Cycle 237 - Uniswap V3 Core Concentrated-Liquidity AMM Audit Lens Mine
github.com/Uniswap/v3-core (canonical, public, BUSL/GPL). 2026-06-10 22:02 UTC 1,670 words
Mode: FLYWHEEL lesson-mine (coverage expansion, NOT submission hunt). STATIC read-only.
Cycle 236 - Morpho Blue Liquidation Engine Lesson-Mine (LENDING-LIQUIDATION audit lens)
2026-06-10 21:52 UTC 1,815 words
- Mode: FLYWHEEL static lens-mine (no submission hunt). Box load-constrained: read-only, no Foundry build.
Cross-Chain Bridge Audit Primitives (Intent / Optimistic flavor)
2026-06-10 21:29 UTC 802 words
Banked: 2026-06-10, Cycle 235. Source: Across Protocol (across-protocol/contracts @ eabc7375).
Cross-Chain OFT / OApp Audit Primitives (LayerZero V2)
2026-06-10 20:04 UTC 613 words
Class: cross-chain messaging / omnichain fungible token (OFT). Banked Cycle 234 from a static
V4-launchpad graduation/migration value-transfer lens (banked Cycle 231, Doppler/Whetstone)
2026-06-10 18:31 UTC 774 words
Target class: token-launchpads built as Uniswap-V4 hooks - a bonding-curve/Dutch-auction hook
V4-singleton-hook-AMM audit lens (banked Cycle 230, PancakeSwap Infinity)
2026-06-10 18:01 UTC 562 words
Target class: Uniswap-V4-style singleton AMMs - one Vault/PoolManager, transient-storage
Lesson: the same metric is a different SIGNAL on different sources - normalize before you threshold
2026-06-10 17:03 UTC 342 words
Banked Cycle 227 (2026-06-10). Lane: lead-supply / discovery pipeline.
Modular Account V2 - LEARN-MODE lessons (Cycle 141 + Cycle 142C)
Alchemy Modular Account V2 (`alchemyplatform/modular-account` v2.0.x) 2026-06-10 16:33 UTC 9,776 words
Audit chain: Spearbit 2024-01-31 (v1, 110+) + Quantstamp 2024-02-19 (v1 re-audit) + ChainLight 2024-12-03 (v2, 10) + Quantstamp 2024-12-11 (v2 re-audit, 23 total: 2H + 7L + 14I)
Lesson: Oracle PROVIDER + Schnorr-aggregate-signature audit lens
2026-06-10 16:12 UTC 678 words
Banked: Cycle 222 (2026-06-10), Chronicle Scribe v2.0.1 (Cantina $400K), WALK CLEAN.
Stackup Keystore (Cycle 223) - cross-chain keystore / AA config-replay primitives
2026-06-10 16:11 UTC 532 words
Target: github.com/stackup-wallet/keystore @ 806fc6a (2025-08-29). Cantina $100K. Verdict: WALK CLEAN. Post-Spearbit (July 2025) audit; mediums fixed at HEAD.
Pattern: On an exchange-rate LST/vault, the cycle219 "funding clock" generalizes to "who controls the numerator of exchangeRate" - and balance-read backing is keeper-fenced while price-quote backing is the manipulable case
2026-06-10 15:49 UTC 923 words
Banked: Cycle 221 (Ventuals vHYPE LST, Cantina $1M bounty, public repo ventuals-contracts HEAD 3621e4d, 2025-10-15). WALK-CLEAN target.
Lessons: Mezo mUSD (Cycle 220) - Liquity-fork-with-interest CDP
Mezo mUSD, Cantina $500K, `github.com/mezo-org/musd` @ 43ef441 (2026-05-19). 2026-06-10 15:43 UTC 540 words
Lineage: Threshold USD -> Liquity fork. BTC-collateralized CDP stablecoin.
Pattern: A keeper-published shared funding-index clock closes BOTH the rounding-farm seam AND the maturity-boundary seam in one architectural move
2026-06-10 15:15 UTC 821 words
Banked: Cycle 219 (Pendle Boros, Cantina $500K bounty, public repo boros-core-public HEAD 78403bf). WALK-CLEAN target.
Validate-then-mutate seam: the escalation decider (Cycle 218, Midas H5)
2026-06-10 15:05 UTC 437 words
Date: 2026-06-10
Cycle 217 - Contest-scanner recon rules (substring-status trap, codeAccess gate, lifecycle signal)
2026-06-10 14:57 UTC 421 words
Banked from Code4rena /audits enumeration (2026-06-10). Reusable across ALL Next.js/RSC
Lesson: list-vs-detail API asymmetry silently drops the richest leads
2026-06-10 14:31 UTC 299 words
Banked Cycle 216 (2026-06-10). Lane: lead-supply / discovery tooling.
Intent-Settlement Router Witness-Binding Primitives (C209/C210 inversion)
2026-06-10 13:59 UTC 847 words
Banked Cycle 215 from 0x Settler (github.com/0xProject/0x-settler, Immunefi $1M, WALK CLEAN).
Restaking: slash-vs-withdrawal-epoch invariant + the union-bound vs per-capture-subset trap
2026-06-10 13:30 UTC 799 words
Date: 2026-06-10
Concrete Earn V2 - Cycle 214 keeper lessons (async ERC4626 withdrawal-queue vault)
2026-06-10 13:04 UTC 535 words
Target: Concrete Earn V2 (Cantina $250K). ERC4626 multi-strategy aggregator + epoch-batched async
Cycle 212 - Midas RWA vault: decimals-equality gate (positive control) + validate-then-mutate slippage seam
2026-06-10 12:32 UTC 479 words
Target: Midas (Cantina $500K), RWA tokenized-treasury mint/redeem vaults. HEAD 0db1e89 (2026-06-03).
Allowlisted-Aggregator / Diamond Router Primitives (C209 refinement)
2026-06-10 12:13 UTC 592 words
Banked Cycle 210 from LiFi contracts (Cantina $1M, WALK CLEAN). Refines the C209
DEX Router / Aggregator Audit Primitives (reusable checklist)
2026-06-10 12:05 UTC 833 words
Banked Cycle 209 from OKX DEX-Router-EVM-V1 (Cantina $1M, saturated LEARN lane).
Rebasing two-track share-accounting drift: measure the SIGN, not just existence
2026-06-10 11:50 UTC 508 words
Date: 2026-06-10
Lesson: Async-filler "split-rounding value gate" (Cycle 204, Reserve Trusted Fillers)
2026-06-10 11:37 UTC 459 words
Date: 2026-06-10
Generated 2026-07-02 13:15:05 UTC | auto-sync /15min