D23E

Public Reports

Welcome to the official public reports repository of D23E. We are a company specializing in blockchain security and research, focusing on identifying vulnerabilities in both design and code.

Sep 2024

Amplification Attack

Research Paper

  • Disclosed to bloXroute
  • Disclosed to Eden network

Aug 2024

Ethereum Mempool DoS

Research Paper

  • Disclosed to Ethereum Foundation (bug bounty received)
  • Disclosed to Flashbots (bug bounty received)

May 2024

BX Digital

Audit Report

  • PVE-001 (Medium): AssetAddress can be variable balance token
  • PVE-002 (Low): Malicious oracle can manipulate the trade order
  • PVE-003 (Info): Front-running possibility when the oracle is malicious

Aug 2023

Role Play Attacks

Research Paper

  • Formalization of Role-Play Attacks in DeFi capturing $435.1M losses

Aug 2023

Generalised Front-Running

Research Paper

  • MassDeposit: Vulnerability in massDeposit() risking $28.58M (ETH) and $759.54K (BSC)
  • Unverified Stake: BSC staking flaw allowing instant profit from unverified assets
  • Unauthenticated Minting: BSC token flaw enabling unlimited token minting
  • Unauthenticated Asset Redemption: Contracts on ETH and BSC allowing unrestricted asset redemptions
  • Faulty Authentication: 8 contracts (ETH/BSC) enabling unauthorized asset transfers

Jul 2023

BlockWallet

Security Disclosure

  • New attack vector: bypassing swap fee

Jun 2023

Huckleberry

Security Disclosure

  • Critical: Lend bug - A malicious user can steal all funds deposited into the protocol. Possible Loss: All TVL (highest ~$300k in history, now 50k)

Jun 2023

SwissBorg

Audit Report

  • 3 potential security vulnerabilities that could compromise system integrity and safety
  • 3 informational findings to improve contract code quality

May 2023

EPG

Research Paper

  • Uniswap + Tokenlon: flaw in token design leads to continuous arbitrage opportunities

Apr 2023

SoK DeFi Attacks

Research Paper

  • First systematization of DeFi attacks

Dec 2021

Quantifying Ethereum MEV

Research Paper

  • First comprehensive measurement on Ethereum MEV
  • First generalized front-running algorithm

Oct 2021

Liquidation

Research Paper

  • Aave flaw in liquidation design leads to double liquidation

Jun 2021

DeFiPoser

Research Paper

  • First automated tool for discovering profit-generating DeFi transactions

Jun 2021

A2MM

Research Paper

  • First on-chain aggregator design

Mar 2021

Flashloan

Research Paper

  • First work on DeFi attacks

Mar 2021

Confuzzius

Research Paper

  • First hybrid fuzzer for smart contracts

Dec 2019

Sandwich attack

Research Paper

  • Disclosed to Uniswap

Oct 2018

Securify

Research Paper

  • First scalable verifier for Ethereum smart contracts

Dec 2016

Ethereum Eclipse

Research Paper

  • Exploiting Ethereum's block propagation vulnerabilities to perform eclipse attacks

Oct 2016

PoW Security

Research Paper

  • First systematic work quantifying security and performance trade-offs in proof-of-work blockchains

Oct 2015

Bitcoin Delay Propagation

Research Paper

  • Exposing adversarial block and transaction delays in Bitcoin's network propagation

Dec 2014

Bloom Filters

Research Paper

  • Revealing privacy leaks in SPV Bitcoin clients using Bloom filters

Note: Some reports are hidden for security reasons, as the issues have not yet been fixed.

PVE stands for Potential Vulnerability Exposure.
