The later price movement only exposes the consequence of that protocol-approved state transitionโit isn't the root cause. That's why I believe this deserves more discussion than simply being dismissed as "accepted collateral preference." @cantinasecurity
I independently discovered and reported this issue. The PoC doesn't claim every liquidation causes lossesโit shows the protocol accepts two valid liquidation paths, yet one leaves the borrower in a strictly worse recovery state. @cantinasecurity
In a recent @Morpho Midnight audit contest at
@cantinasecurity, a severity dispute arose regarding a lending protocol that allows borrowers to use multiple collateral assets simultaneously.
https://t.co/EGeMbxaSg1
The thread ๐งต๐
In a recent @Morpho Midnight audit contest at
@cantinasecurity, a severity dispute arose regarding a lending protocol that allows borrowers to use multiple collateral assets simultaneously.
https://t.co/EGeMbxaSg1
The thread ๐งต๐
@D4NOGOTHACKED cannot find the message button in your account. btw here the escalated submission I push as our same batch:
https://t.co/N6a8F1hDl4
Happy to receive your inputs
Past 6 months has been the craziest 6 months of my career as a smart contract security researcher. I submitted over 15 different vuln in the morphos contest. Each and every finding was either regarded as OOS or as invalid while the rest were downgraded to Information.
@glider_xyz In the AUTOfinance bounty, my report was closed as a duplicate without a screenshot, report reference, or ZK Proof of Duplicate. The program guidelines require proof for duplicate decisions. Please investigate.
@glider_xyz AUTOfinance marked my report as a duplicate with only โalready reportedโ as the reason. Hunt's rules require proof of duplicate (screenshot or ZK Proof upon request). No evidence was provided. Can this be reviewed?
Continuation:
I'll be stepping offline for the month and putting auditing, research, and social media on hold.
The goal remains the same. Right now, the priority is handling what's in front of me.
See you all in July. ๐จโ๐ป
๐จโ๐ป Time to put a pin in this journey for now.
My exams have started, and June will be dedicated entirely to academics. There are also a few important things happening in my life that need my full attention.
All a nigha needs is a time off
The $5,000,000 @Polymarket x Cantina bug bounty program just expanded: 7 newly deployed contracts are now in scope. ๐ช
Start the hunt: https://t.co/CwhMhTpgNt
๐จโ๐ป Day 4 complete.
Today wasn't about protocol mechanics, architecture reviews, or vulnerability research.
It was about handling academic responsibilities and preparing for upcoming exams. Tomorrow, the focus shifts back to Midnight and continuing the audit journey.
It's crazy and scary at the time cause there are auditors out there who will get actually spend time going through the codebase. When there finally submit, it will be marked as duplicate alongside all the AI slops
Morpho Midnight contest: ~635 submissions in ~2 days.
The code has already been audited by some of the top SRs (private engagements with Blackthorn and Spearbit), with 2 medium findings in each report.
There are two possibilities:
โ either some of the best SRs in the world missed a ton of bugs
โ or the AI spam problem is getting worse
I wouldnโt bet on the first one.
๐จโ๐ป Day 3 complete.
Spent the day reviewing supporting contracts, libraries, external resources, and protocol interactions.
A large portion of the work involved validating an assumption that initially appeared small but ultimately required much deeper investigation.