Research from the OtterSec team

Vulnerability breakdowns, protocol deep dives, and the security research behind the audits.

Featured

Announcing the Save CTFs Fund

OtterSec is committing $100,000 to keep CTFs competitive in the age of AI. We break down why Jeopardy scoring is breaking down, what better formats might look like, and how to apply for sponsorship.
Michael Debono #ctf#ai Read post

Auto reverse-engineering the Hyperliquid risk engine, with some agentic help

Perps allow traders to leverage beyond their collateral, until the market turns abruptly and losses are clawed back. We auto-reverse engineer Hyperliquid’s risk engine to show how it ranks and deleverages winning users under the solvency–fairness–revenue trilemma.
Renato Marziano

The goldmine of insecure WebView integrations

WebViews in mobile web3 wallets can quietly inherit the permissions granted to the wallet app itself. We found 20+ major wallets where a malicious dApp could access core permissions without authorization.
Bruno Halltari, Caue Obici, Nikolaos Mourousias

Pwning Minecraft: 4-byte heap overflow to RCE

We achieved RCE in Minecraft Bedrock, turning a 4-byte heap overflow into complete client compromise. Learn how a universal, Bedrock-specific technique is used to bypass ASLR and achieve arbitrary read/write primitives.
Hrvoje Mišetić

Unverified evaluations in Dusk’s PLONK

Dusk’s privacy layer protects ~$60M of DUSK and hinges on one proof check. dusk-plonk’s verifier never validated four of the prover’s polynomial commitments, enough to mint DUSK from nothing and forge shielded spends the network confirmed as real.
Himanshu Sheoran, Valter Wik

Patch gap to mobile renderer RCE: pwning Samsung Internet’s V8 on the Galaxy S25

Samsung Internet on the Galaxy S25 shipped a six-month-old version of V8, exposing it to publicly known bugs. Learn how we exploited a bytecode interpreter vulnerability to achieve renderer RCE and universal XSS in the browser.
Hrvoje Mišetić, Jamie Hill-Daniel, William Liu

From virtio-snd 0-day to hypervisor escape: exploiting QEMU with an uncontrolled heap overflow

Turning an uncontrolled heap overflow into a reliable QEMU guest-to-host escape using new glibc allocator behavior and QEMU-specific heap spray techniques.
Hrvoje Mišetić

Unfaithful claims: breaking 6 zkVMs

A zkVM verifier should be faithful to one thing above all else: its public claims. Yet we found six systems where this guarantee breaks. Learn how a subtle ordering bug lets an attacker bypass the cryptography entirely and prove mathematically impossible statements.
Himanshu Sheoran, Valter Wik

ERC-4337 paymasters: better UX, hidden risks

ERC-4337 paymasters unlock powerful UX by abstracting gas costs, but they also add complexity and subtle bugs. Explore some common pitfalls in real-world implementations and learn how to design production-ready paymasters.
Nicholas Putra

How we broke exchanges: a deep dive into authentication and client-side bugs

OAuth misconfigurations show how common dev settings can lead to account takeovers. Explore real cases where failing to account for differences between desktop and mobile environments left SDKs, exchanges, and wallets vulnerable to exploits.
Bruno Halltari, Caue Obici

Subscribe to the blog

New posts from the OtterSec team, straight to your inbox. One email per post, unsubscribe any time.