art_of_bug
art_of_bug

art_of_bug

We are research group with focus to expose bugs in design and implementation of blockchain projects. We only honour responsible disclosure with projects that honour responsible development.


End Of First Season & Hire Us

5 Dec 2020 1 minute read 0 comments art_of_bug

Welcome again. This is the last episode of the first series from us. We hope you've enjoyed the series just as much as we did. In the first series, we have published 22 full vulnerability reports and 2 partial reports. Most of the published issues we...

IOST – Forbidden Identifier Bypass With Unicode Encoding

7 Nov 2020 3 minute read 2 comments art_of_bug

Welcome back. Once more today we come back to IOST. After some cooperation with the team, we were told the funds were exhausted for our cause and hence they can't incentivize our efforts anymore. Since the incentive is gone, today's report is somewha...

Nebulas – String Repeat Crash

11 Oct 2020 4 minute read 5 comments art_of_bug

Welcome to our next episode. Today we close Nebulas. The project failed to fix the vulnerabilities we reported previously, there was no official response to our attempts to contact its team. In at least one case a moderator of its subreddit deleted o...

IOST – ArrayBufferAllocator Reusing Problem

12 Sep 2020 6 minute read 3 comments art_of_bug

Welcome back. Today we come back again to IOST. And again, today's report is on an already fixed vulnerability allowing the attacker to critically damage whole network with just sending calls to a specially crafted contract. The proof of knowledge is...

Nebulas – Exhausting Disk Space Using Contract Logging

11 Aug 2020 4 minute read 4 comments art_of_bug

Welcome to our next episode. Today we continue with Nebulas which goes, slowly but steadily, towards being the worst project we have ever analyzed. Why is that? It's because we still haven't received any reply to any of our attempts of contacting the...

IOST – Timed Out Transaction Validation Problem

19 Jul 2020 7 minute read 2 comments art_of_bug

Welcome back. Today we come back to IOST. As we mentioned before, IOST team contacted us and we've been working together since. Today's report is on an already fixed vulnerability allowing the attacker to critically damage whole network with just sen...

Nebulas – Using WebAssembly To Bypass Gas Counter

21 Jun 2020 6 minute read 5 comments art_of_bug

Welcome to our next episode. Today we open Nebulas. Similarly to IOST, this blockchain project uses Google's V8 JavaScript engine in order to allow smart contracts to be written in JavaScript. Speaking of IOST, after the initial disappointment due to...

Briefly On Verge & Lisk

23 May 2020 6 minute read 1 comment art_of_bug

Welcome back. Regular readers of our blog know that we usually try to analyse the vulnerabilities very thoroughly which allows us to code functional exploits. Then we execute the exploits in our isolated environment where we run an instance of a main...

IOST – Unchecked JavaScript Class Crashes Miners

15 Apr 2020 4 minute read 0 comments art_of_bug

Welcome to our next episode. During recent weeks we have spent a lot of time analysing IOST. Unlike the previous projects we have analysed so far, this one is not based on the code of Bitcoin. Therefore there was much more to analyse than before. On...

Qtum – Bypassing Header Spam Protection

14 Mar 2020 19 minute read 0 comments art_of_bug

Good to see you again. Today we disclose our third report on Qtum. Previously we have published two articles discussing bypassing protection against header spam (aka Fake Stake) attack and a bug in Qtum regarding setStakeSeen mechanism. Today we pres...