Bruno Halltari

Posts

The goldmine of insecure WebView integrations

WebViews in mobile web3 wallets can quietly inherit the permissions granted to the wallet app itself. We found 20+ major wallets where a malicious dApp could access core permissions without authorization.
Bruno Halltari, Caue Obici, Nikolaos Mourousias

How we broke exchanges: a deep dive into authentication and client-side bugs

OAuth misconfigurations show how common dev settings can lead to account takeovers. Explore real cases where failing to account for differences between desktop and mobile environments left SDKs, exchanges, and wallets vulnerable to exploits.
Bruno Halltari, Caue Obici

Subverting Web2 authentication in Web3

Web3 authentication uses cryptographic signatures and wallets, but Web2 auth integrations can introduce hidden risks. We explore vulnerabilities like OAuth logic exploits, Supabase misconfigurations, and OAuth abuse in localhost setups.
Bruno Halltari, Caue Obici

Supply chain attacks: a new era

Unpacking Lavamoat and how it fights supply chain attacks in Web3. We spill the beans on some sneaky bypasses, illustrating just how tricky it is to lock down JavaScript ecosystems.
Bruno Halltari, Caue Obici

MetaMask Snaps: playing in the sand

A deep dig into MetaMask Snaps. We explore safety considerations, environment design, and break down a property spoofing vulnerability in the Snaps sandboxing layer.
Bruno Halltari, Caue Obici

Web2 bug repellant instructions

An analysis of security risks that don’t get enough attention: web2 bugs in web3 apps. We take a deep and practical look at vulnerabilities across various applications.
Caue Obici, Bruno Halltari