Preview card for 'Patch Gap to Mobile Renderer RCE: Pwning Samsung Internet's V8 on the Galaxy S25'
Featured Post

Patch Gap to Mobile Renderer RCE: Pwning Samsung Internet's V8 on the Galaxy S25

Samsung Internet on the Galaxy S25 shipped a six-month-old version of V8, exposing it to publicly known bugs. Learn how we exploited a bytecode interpreter vulnerability to achieve renderer RCE and universal XSS in the browser.

Read More

Security exploits, tutorials, and findings

Preview card for 'Patch Gap to Mobile Renderer RCE: Pwning Samsung Internet's V8 on the Galaxy S25'
Apr 1, 2026

Patch Gap to Mobile Renderer RCE: Pwning Samsung Internet's V8 on the Galaxy S25

Samsung Internet on the Galaxy S25 shipped a six-month-old version of V8, exposing it to publicly known bugs. Learn how we exploited a bytecode interpreter vulnerability to achieve renderer RCE and universal XSS in the browser.

Preview card for 'From virtio-snd 0-Day to Hypervisor Escape: Exploiting QEMU with an Uncontrolled Heap Overflow'
Mar 17, 2026

From virtio-snd 0-Day to Hypervisor Escape: Exploiting QEMU with an Uncontrolled Heap Overflow

Turning an uncontrolled heap overflow into a reliable QEMU guest-to-host escape using new glibc allocator behavior and QEMU-specific heap spray techniques.

Preview card for 'Unfaithful Claims: Breaking 6 zkVMs'
Mar 3, 2026

Unfaithful Claims: Breaking 6 zkVMs

A zkVM verifier should be faithful to one thing above all else: its public claims. Yet we found six systems where this guarantee breaks. Learn how a subtle ordering bug lets an attacker bypass the cryptography entirely and prove mathematica...

Preview card for 'ERC-4337 Paymasters: Better UX, Hidden Risks'
Dec 2, 2025

ERC-4337 Paymasters: Better UX, Hidden Risks

ERC-4337 paymasters unlock powerful UX by abstracting gas costs, but they also add complexity and subtle bugs. Explore some common pitfalls in real-world implementations and learn how to design production-ready paymasters.

Preview card for 'How We Broke Exchanges: A Deep Dive Into Authentication And Client-Side Bugs'
Oct 16, 2025

How We Broke Exchanges: A Deep Dive Into Authentication And Client-Side Bugs

OAuth misconfigurations show how common dev settings can lead to account takeovers. Explore real cases where failing to account for differences between desktop and mobile environments left SDKs, exchanges, and wallets vulnerable to exploits...

Preview card for 'How to Survive Supply-Chain Attacks'
Sep 13, 2025

How to Survive Supply-Chain Attacks

The recent supply-chain attack on NPM showed how easily trusted dependencies can become delivery vectors for malware. Learn how the attack worked and practical defenses developers can implement to stay safe.

Preview card for 'PoRv2: A Fast, Transparent ZK-Based Proof of Reserves'
Aug 27, 2025

PoRv2: A Fast, Transparent ZK-Based Proof of Reserves

Here, we explore zk-proofs, Merkle trees, and our new open-source implementation, PoRv2. Our proof-of-reserve enables users to verify exchange liabilities without relying on external auditors, setting a new standard for trust.

Preview card for 'Compiler Bug Causes Compiler Bug: How a 12-Year-Old G++ Bug Took Down Solidity'
Aug 11, 2025

Compiler Bug Causes Compiler Bug: How a 12-Year-Old G++ Bug Took Down Solidity

A subtle G++ bug from 2012, C++20's new comparison rules, and legacy Boost code can collide to crash Solidity's compiler on valid code. We unpack the surprising chain reaction and how to fix it.

Preview card for 'Cosmos Security: An Otter's Guide'
Jun 10, 2025

Cosmos Security: An Otter's Guide

From infinite loops and map determinism to AnteHandler missteps and storage key collisions, we highlight real-world vulnerabilities and actionable advice for building safer Cosmos-based projects.

Preview card for 'Solana: The hidden dangers of lamport transfers'
May 14, 2025

Solana: The hidden dangers of lamport transfers

Solana’s lamport transfer logic hides dangerous edge cases — from rent-exemption quirks to write-demotion traps. We dissect a deceptively simple smart contract game to expose how transfers to arbitrary accounts can silently fail, brick your...

Preview card for 'Subverting Web2 Authentication in Web3'
Mar 7, 2025

Subverting Web2 Authentication in Web3

Web3 authentication uses cryptographic signatures and wallets, but Web2 auth integrations can introduce hidden risks. We explore vulnerabilities like OAuth logic exploits, Supabase misconfigurations, and OAuth abuse in localhost setups.

Preview card for 'Solana Multisig Security'
Feb 22, 2025

Solana Multisig Security

What can teams do if their multisig signers are compromised? We explore Solana's transaction signing model and present a procedure for safe signing in the presence of malicious signers on Solana.

Preview card for 'Hitchhiker's Guide to Aptos Fungible Assets'
Feb 10, 2025

Hitchhiker's Guide to Aptos Fungible Assets

We take a deep dive into Aptos’ implementation of fungible assets, exploring the intricacies hidden within its functions, objects, and interactions. While the Fungible Asset model was designed to address the limitations and security flaws o...

Preview card for 'OtterRoot: Netfilter Universal Root 1-day'
Nov 25, 2024

OtterRoot: Netfilter Universal Root 1-day

A peek into the state of Linux kernel security and the open-source patch-gap. We explore how we monitored commits to find new bug fixes and achieved 0day-like capabilities by exploiting a 1-day vulnerability.

Preview card for 'Supply Chain Attacks: A New Era'
Jun 10, 2024

Supply Chain Attacks: A New Era

Unpacking Lavamoat and how it fights supply chain attacks in Web3. We spill the beans on some sneaky bypasses, illustrating just how tricky it is to lock down JavaScript ecosystems.

Preview card for 'Rounding Bugs: An Analysis'
Jan 18, 2024

Rounding Bugs: An Analysis

Rounding-related hacks are having a moment in the spotlight. We explore these exploits, correct some popular misunderstandings, and provide mitigations.

Preview card for 'Solana: Jumping Around in the VM'
Dec 11, 2023

Solana: Jumping Around in the VM

An exploration of low-level Solana VM behavior. How to escalate from a powerful memory corruption primitive to full program control.

Preview card for 'Metamask Snaps: Playing in the Sand'
Nov 1, 2023

Metamask Snaps: Playing in the Sand

A deep dig into Metamask Snaps. We explore safety considerations, environment design, and break down a property spoofing vulnerability in the Snaps sandboxing layer.

Preview card for 'Web2 Bug Repellant Instructions'
Aug 11, 2023

Web2 Bug Repellant Instructions

An analysis of security risks that don’t get enough attention - web2 bugs in web3 apps. We take a deep and practical look at vulnerabilities across various applications.

Preview card for 'Vyper Hack Timeline'
Aug 1, 2023

Vyper Hack Timeline

A timeline and postmortem for the Vyper compiler bug. Thoughts on trust assumptions, vulnerability disclosures, and whitehack recoveries.

Preview card for 'Solidity Compilers: Memory Safety'
Jul 28, 2023

Solidity Compilers: Memory Safety

An exploration into the Solidity compilation pipeline, optimization assumptions, and how it all relates back to memory-safe assembly.

Preview card for 'Solana Formal Verification: A Case Study'
Jan 26, 2023

Solana Formal Verification: A Case Study

We present a novel framework for formal verification of Solana Anchor programs — and a case study application to the Squads multisig.

Preview card for 'Rust, Realloc, and References'
Dec 9, 2022

Rust, Realloc, and References

Rust is safe.. right? Not if your dependencies are unsafe.. A deep dive into a subtle Solana SDK bug, Rust internals, and how we found it all.

Preview card for 'The Move Prover: A Guide'
Sep 16, 2022

The Move Prover: A Guide

A practical guide to the Move Prover - tutorial, case study, and specifications.

Preview card for 'Move: An Auditor's Introduction'
Sep 6, 2022

Move: An Auditor's Introduction

What actually makes Move secure? A discussion of Move's typing system and formal verification.

Preview card for 'Reverse Engineering Solana with Binary Ninja'
Aug 27, 2022

Reverse Engineering Solana with Binary Ninja

An introduction to our open-source Binary Ninja plugin for blackbox Solana program analysis along with an executive reference to the Solana runtime.

Preview card for 'The Story of the Curious Rent Thief'
Aug 19, 2022

The Story of the Curious Rent Thief

A tale of pickpockets preying on the Solana ecosystem. Read our investigation into the persistent theft of rent from uninitialized accounts. This is the story of the Solend rent thief.

Preview card for 'Becoming a Millionaire, 0.000150 BTC at a Time'
Apr 26, 2022

Becoming a Millionaire, 0.000150 BTC at a Time

How we discovered a critical issue in Solana's stable swap implementation. A story about arbitrage and rounding.

Preview card for 'Solana: An Auditor's Introduction'
Mar 14, 2022

Solana: An Auditor's Introduction

A security focused introduction to Solana, exploring the underlying runtime environment, security boundaries, and implications. An important resource for all developers who want to write more secure code.

Preview card for 'The $200m Bluff: Cheating Oracles on Solana'
Feb 16, 2022

The $200m Bluff: Cheating Oracles on Solana

How we fooled oracles to beat the house. An exploration into liquidity tokens and oracle price manipulation.

Subscribe to our blogs