Public Reports

Welcome to the official public reports repository of d23e.ch. We are a company specializing in blockchain security and research, focusing on identifying vulnerabilities in both design and code.

Our Services

  1. Research: We conduct in-depth research on various aspects of blockchain technology, smart contracts, and decentralized finance (DeFi).
  2. Security: We offer comprehensive security audits and vulnerability assessments for blockchain projects and smart contracts.

Repository Contents

This repository contains our public disclosures, research papers, and audit reports. Below is a comprehensive table of our work:

| Date | Project/Topic | Type & Document | New Vulnerabilities/New Findings |
|---|---|---|---|
| Sep 2024 | Amplification Attack | Research Paper | Disclosed to bloXroute |
| | | | Disclosed to Eden network |
| Aug 2024 | Ethereum Mempool DoS | Research Paper | Disclosed to Ethereum Foundation (bug bounty received) |
| | | | Disclosed to Flashbots (bug bounty received) |
| May 2024 | BX Digital | Audit Report | PVE-001 [1] (Medium): AssetAddress can be variable balance token |
| | | | PVE-002 [1] (Low): Malicious oracle can manipulate the trade order |
| | | | PVE-003 [1] (Info): Front-running possibility when the oracle is malicious |
| Sep 2023 | Hidden [2] [3] | Security Disclosure | Centralized risk to steal users' funds |
| Aug 2023 | Role Play Attacks | Research Paper | |
| Aug 2023 | Generalised Front-Running | Research Paper | MassDeposit: Vulnerability in massDeposit() risking $28.58M (ETH) and $759.54K (BSC). |
| | | | Unverified Stake: BSC staking flaw allowing instant profit from unverified assets. |
| | | | Unauthenticated Minting: BSC token flaw enabling unlimited token minting. |
| | | | Unauthenticated Asset Redemption: Contracts on ETH and BSC allowing unrestricted asset redemptions. |
| | | | Faulty Authentication: 8 contracts (ETH/BSC) enabling unauthorized asset transfers. |
| Jul 2023 | BlockWallet [3] | Security Disclosure | New attack vector: bypassing swap fee |
| Jul 2023 | Hidden [2] [3] | Security Disclosure | New attack vector: bypassing swap fee |
| Jun 2023 | Huckleberry | Security Disclosure | Critical: Lend bug - A malicious user can steal all funds deposited into the protocol. Possible Loss: All TVL (highest ~$300k in history, now 50k) |
| Jun 2023 | SwissBorg | Audit Report | 3 potential security vulnerabilities that could compromise system integrity and safety. |
| | | | 3 informational findings to improve contract code quality. |
| May 2023 | EPG | Research Paper | Uniswap + Tokenlon, flaw in token design leads to continuous arbitrage opportunities |
| Apr 2023 | SoK DeFi Attacks | Research Paper | |
| Dec 2021 | Quantifying Ethereum MEV | Research Paper | |
| Oct 2021 | Liquidation | Research Paper | Aave flaw in liquidation design leads to double liquidation |
| Jun 2021 | DeFiPoser | Research Paper | |
| Jun 2021 | A2MM | Research Paper | First on-chain aggregator design |
| Mar 2021 | Flashloan | Research Paper | |
| Mar 2021 | Confuzzius | Research Paper | |
| Dec 2019 | Sandwich attack | Research Paper | Disclosed to Uniswap |
| Oct 2018 | Securify | Research Paper | |
| Dec 2016 | Ethereum Eclipse | Research Paper | |
| Oct 2016 | PoW Security | Research Paper | |
| Oct 2015 | Bitcoin Delay Propagation | Research Paper | |
| Dec 2014 | Bloom Filters | Research Paper | |

About Our Work

Our work spans various aspects of blockchain security and research. Through our security disclosures, we help improve the safety of popular blockchain wallets and platforms. Our audit reports demonstrate our commitment to enhancing the security of blockchain projects. The research papers showcase our contributions to advancing knowledge in critical areas such as MEV, front-running, DoS attacks, and DeFi protocol analysis.

For more information about our services or to engage with us, please visit our website at https://d23e.ch.

Footnotes

  1. PVE stands for Potential Vulnerability Exposure.

  2. Hidden for security reasons, as the issue has not yet been fixed.

  3. Proof of Concept (PoC) included to demonstrate the feasibility.