Marco Croc
@malicator
Followers
552
Following
42
Media
3
Statuses
101
Lead Security Researcher @KupiaSecurity
ΞTH
Joined December 2023
Don't wanna be here?
Send us removal request.
Explore trending content on Musk Viewer
LOVTITUDE FANMEETING
• 451085 Tweets
FB MADE YOU BLUSH
• 404296 Tweets
Xavi
• 225297 Tweets
#それスノ
• 152911 Tweets
Flick
• 129590 Tweets
#한성수_방시혁이랑_손잡고_한강가
• 117219 Tweets
#Mステ
• 114519 Tweets
クロリンデ
• 93524 Tweets
シグウィン
• 87118 Tweets
Laporta
• 76044 Tweets
LEAVE SEVENTEEN ALONE
• 74166 Tweets
The ICJ
• 70789 Tweets
ノーヒットノーラン
• 70023 Tweets
Ten Hag
• 66288 Tweets
Memorial Day
• 46653 Tweets
アルハイゼン
• 41036 Tweets
戸郷投手
• 32853 Tweets
#ساعه_استجابه
• 30986 Tweets
ショートアニメ
• 30797 Tweets
تشافي
• 24515 Tweets
العدل الدوليه
• 22418 Tweets
#松本潤生配信PART5
• 19011 Tweets
INEOS
• 17267 Tweets
Coutinho
• 17148 Tweets
不協和音
• 15696 Tweets
ジュラシックワールド
• 10719 Tweets
🐞I reported a vulnerability in
@CurveFinance
and I am thrilled to share that I've been awarded a bug bounty of $250,000. 🧵
41
68
1K
3️⃣ After thorough evaluation, the
@CurveFinance
team recognized the severity of the vulnerability and awarded me the maximum bug bounty of $250,000! Their professionalism and generosity were truly commendable.
1
0
81
5️⃣ To shed light on this fascinating journey, I've written an in-depth article that dives into the nitty-gritty details of the vulnerability. Don't miss it!
3
4
72
4️⃣ I want to express my sincere gratitude to the amazing team at
@CurveFinance
, especially
@newmichwill
, for their prompt response and collaborative approach throughout the process. It was a pleasure to work with them.
1
0
48
6️⃣ I'm a lead security researcher at
@KupiaSecurity
. Follow me for more updates on my cybersecurity explorations and future bug bounty endeavors.
1
0
46
1️⃣ The vulnerability could cause an inconsistency between the actual balance and the balance state variable by calling the withdraw_admin_fees inside the fallback of remove_liquidity_imbalance. (reentrancy)
1
0
39
2️⃣ I submitted a report with a written PoC and they swiftly acknowledged my findings. I engaged in a fruitful exchange of emails, discussing the potential impact and possible mitigations directly with
@newmichwill
.
1
0
33
@0xMackenzieM
@CurveFinance
Studied Curve some time ago and this time, filtering Avalanche projects on ImmuneFi lead me back to Curve.
Because it was a fork of Curve 😉
1
1
10
@usmannk
@CurveFinance
Checking reentrancy using "claim_admin_fees" is a common practice as recommended by
@chain_security
"withdraw_admin_fees" does the same but in this case, it didn't have a reentrancy lock.
There are many types of Curve pools, some use claim, some use withdraw.
1
0
2
@windhustler
Wonderful!
a Q, in Layer Zero token bridge, is it possible to get the sender address from destination tx only?
1
0
1
@usmannk
@CurveFinance
@chain_security
Curve team has it internally as I saw they quickly applied emergency patches to all affected pools.
Haven't found public DB though. I can browse various types of pools in Curve UI.
1
0
1