Jack marz-hunter
Summary

The _processFeedResponses() function in PriceFeed.sol (lines 171-173) decodes and uses the share price from LST tokens without any bounds validation. A malicious or compromised LST token returning zero share price causes all collateral to appear worthless (triggering mass liquidations), while an inflated share price allows attackers to borrow unlimited USBD against minimal collateral. This vulnerability can result in complete protocol insolvency.

Finding Description

The Bima Protocol supports LST (Liquid Staking Token) collaterals that have exchange rates with their underlying assets. The PriceFeed fetches these exchange rates via sharePriceSignature calls.

The vulnerability exists at lines 171-173:

Summary

The _calcEthPrice() function in PriceFeed.sol (lines 194-197) recursively calls fetchPrice(address(0)) to get the ETH/USD price for ETH-indexed tokens. If the ETH oracle (address(0)) is misconfigured as ETH-indexed, this creates infinite recursion and complete DoS. Additionally, ETH oracle downtime causes cascading failures for ALL ETH-indexed collateral types, creating a single point of failure that can freeze the entire protocol.

Finding Description

The Bima Protocol supports ETH-indexed collateral tokens where the base price is denominated in ETH rather than USD. To convert these prices, _calcEthPrice() fetches the ETH/USD price by calling fetchPrice(address(0)).

The vulnerability exists at lines 194-197:

Summary

The _processFeedResponses() function in PriceFeed.sol uses abi.encode() instead of abi.encodeWithSelector() when making external calls to fetch share prices from LST tokens (line 171). This produces 32 bytes of malformed calldata instead of the required 4-byte function selector, causing all share price lookups to fail. As a result, the Bima Protocol cannot support yield-bearing Bitcoin LST tokens like wrapped staked BTC derivatives, completely blocking core protocol functionality.

Finding Description

The Bima Protocol is a Liquity-fork CDP lending protocol that allows users to deposit Bitcoin LSTs as collateral to mint USBD stablecoin. To support derivative tokens with exchange rates (like wstETH, rETH, etc.), the PriceFeed contract has a sharePriceSignature mechanism to fetch the share price from the token contract.

The vulnerability exists at line 171 in PriceFeed.sol:

[
{
"program_name": "Unknown",
"program_url": "https://immunefi.com/bug-bounty/layerzero",
"address": "https://etherscan.io/address/0x4d73adb72bc3dd368966edd0f0b2148401a178e2#code",
"chain": "Unknown",
"name": "Unnamed Contract",
"severity": "N/A"
},
{
import requests
import json

# Step 1: Get the initial buildId from the first request
print("Fetching buildId...")
response1 = requests.get('https://immunefi.com/bug-bounty/')
response1.raise_for_status()  # Ensure we got a successful response

# Find the buildId in the response body (the page embeds it as "buildId":"...")
start_index = response1.text.find('"buildId":"') + len('"buildId":"')
end_index = response1.text.find('"', start_index)
build_id = response1.text[start_index:end_index]
marz-hunter / zendesk.md
Created October 20, 2024 05:36 — forked from hackermondev/zendesk.md
1 bug, $50,000+ in bounties, how Zendesk intentionally left a backdoor in hundreds of Fortune 500 companies

hi, i'm daniel. i'm a 15-year-old with some programming experience and i do a little bug hunting in my free time. here's the insane story of how I found a single bug that affected over half of all Fortune 500 companies:

say hello to zendesk

If you've spent some time online, you've probably come across Zendesk.

Zendesk is a customer service tool used by some of the world's top companies. It's easy to set up: you link it to your company's support email (like support@company.com), and Zendesk starts managing incoming emails and creating tickets. You can handle these tickets yourself or have a support team do it for you. Zendesk is a billion-dollar company, trusted by big names like Cloudflare.

Personally, I've always found it surprising that these massive companies, worth billions, rely on third-party tools like Zendesk instead of building their own in-house ticketing systems.

your weakest link

Here are the steps to enable Remote Desktop Protocol (RDP) on Windows 10 and access it through Ngrok:

1. Enable RDP on Windows 10

  1. Open Settings by pressing Windows + I.

  2. Select System > Remote Desktop.

  3. Turn on Enable Remote Desktop.

import requests

# Step 1: Get the initial buildId from the first request
response1 = requests.get('https://immunefi.com/bug-bounty/')
response1.raise_for_status()  # Ensure we got a successful response

# Find the buildId in the response body (the page embeds it as "buildId":"...")
start_index = response1.text.find('"buildId":"') + len('"buildId":"')
end_index = response1.text.find('"', start_index)
build_id = response1.text[start_index:end_index]
#!/usr/bin/python
import io
import tldextract

def extract(infile):
    # Read one hostname per line and split it into subdomain / domain / suffix
    with io.open(infile, encoding='utf-8') as f:
        for line in f:
            domain = line.strip('\n')
            extracted = tldextract.extract(domain)