Marco Nunes
@marcotnunes
Followers
595
Following
2K
Statuses
327
security researcher & hacker • securing the frontier, forging new realities ~ aka ciphermarco
🇪🇺
Joined August 2023
🧵 Vulnerability Disclosure Time: Wormhole Alright, you aren’t only here for my memes and jokes, are you? So let’s switch it up and dive into a vulnerability disclosure for Wormhole. One overlooked detail landed me a $50K reward 💸👇
1
12
86
@defilearner1 Thank you for asking, maybe I wasn’t very clear. Quote-reposted it in case others also didn’t fully understand it from my writing. This Articles thing sucks hard in visibility, it's very disconnected from the rest of X
For some reason (I assume from bootstrapping days), the first two Guardian sets had only ONE specific key. Turns out these Guardian Sets were never expired (i.e., they have `expirationTime == 0`). Thus, the VAA verification logic assumed they were valid unexpired Guardian sets, just like the current 19 Guardians set. This meant that having this one specific key would allow the holder to bypass the need for a quorum of 13 Guardians. Their immediate fix might help with understanding:
0
0
3
RT @marcotnunes: 🧵 Vulnerability Disclosure Time: Wormhole Alright, you aren’t only here for my memes and jokes, are you? So let’s switch…
0
12
0
I honestly didn’t like using the X Articles features. It feels so disconnected from the rest of the experience that I think I’ll avoid it next time But generating the post’s header image with DALL-E was very fun and satisfying ⛓️🌌 I might actually use one of these or tweak it a bit for my profile header
0
0
3