Maksym Vatsyk
@adeadfed

10 posts

Security Consultant @ Octal Security, CHMOOD team

Joined July 2019
10 Following, 50 Followers
Maksym Vatsyk retweeted

Pavel Shabarkin @shabarkin
On Feb 17 2025 I reported a critical vulnerability to @Scroll_ZKP. $100m+ in TVL was at risk for more than 2 months. Anyone could force Scroll L2 into an indefinite re-org, halting the chain so that no user transactions would be included in blocks and the chain would not move forward. All funds on L2 would be frozen.

@Scroll_ZKP downplayed the report. There was no meaningful communication about the issue—only continuous ghosting and silence. The @immunefi team mediated, yet did not correctly classify the vulnerability, which clearly falls under "Primacy of Impact." When I requested a re-evaluation, I received no response.

As a result, I am disclosing this to the public to highlight Scroll's lack of security proficiency, their unfair resolution process, and their treatment of white-hats. You can find the link to the full report and complete timeline below.

@redhairshanks86 @0xBalloonLover @Wublockchain @coindesk @cointelegraph @TheBlock__ @aave @EtherFi @ambient_finance @l2beat

Full impact of the issue:
- The Scroll chain can be halted deliberately at zero cost to the attacker.
- Withdrawals remain blocked for the duration of the attack (potentially indefinitely, as it is free to sustain).
- Halted block production prevents critical time-dependent DeFi actions (e.g., topping up positions to avoid liquidation, oracle price updates), putting user funds at risk.
- The sequencer stops collecting transaction fees because no L2 user transactions can be included in blocks.
- Anyone on the internet can trigger the attack, and Scroll has no preventative measures.

---

Timeline
- **Feb 17 2025** – Issue submitted on Immunefi.
- **Feb 18 2025** – Scroll claims the issue was known from a Trail of Bits audit 14 months earlier and says it will be fixed in the Euclid upgrade (still 2+ months away). Scroll closes the report.
- **Feb 18 2025** – I request Immunefi triage, providing code commits that show Scroll attempted—but failed—to fix the issue. I emphasize that, while the attack vector is similar, the impact and exploitation mechanism are different.
- **Feb 24 2025** – Immunefi reopens the report for discussion with Scroll.
- **Feb 27 2025** – Immunefi asks Scroll for an update.
- **Mar 03 2025** – I contact Scroll to stress that the issue is public and exploitable on the live protocol.
- **Mar 03 2025** – I DM @yezhang1998 on Twitter about the Immunefi report.
- **Mar 04 2025** – Scroll says the issue is out of scope, labeling it "Throttling or suppression of operations without loss of user funds," and notes a similar report from Nov 06 2024.
- **Mar 04 2025** – I request Immunefi mediation to confirm the submission's uniqueness and ensure a fair bounty.
- **Mar 13 2025** – I ask Immunefi for an update.
- **Mar 17 2025** – Immunefi classifies the issue as **High severity** ("causing network processing nodes to handle transactions from the mempool beyond set parameters"). They confirm the bug is unique, acknowledge Scroll's attempted fix was ineffective, and suggest a goodwill bounty because Euclid will deprecate the vulnerable functionality (in ~1.5 months).
- **Mar 17 2025** – I reiterate that an attacker could freeze $100m+ on L2 and highlight Scroll's "Primacy of Impact" policy, which requires considering broader consequences.
- **Mar 19 2025** – Scroll acknowledges receipt and promises to follow up shortly.
- **Mar 27 2025** – I ask Scroll for an update.
- **Apr 03 2025** – I ask Scroll for an update.
- **Apr 03 2025** – Immunefi also asks Scroll for an update.
- **Apr 09 2025** – Immunefi contacts Scroll directly.
- **Apr 09 2025** – Scroll offers a payment of only **$1000**, stating the mechanism will be deprecated in the Euclid upgrade (3-4 weeks away).
- **Apr 09 2025** – I reject the bounty, explaining the protocol is still vulnerable and detailing potential losses had the vulnerability been exploited on Feb 17 2025.
- **Apr 15 2025** – I ask Immunefi to confirm "Primacy of Impact" applies and that the network remains vulnerable.
- **Apr 22 2025** – Scroll responds with a single "." and closes the report.
- **Apr 22 2025** – I ask Immunefi to explain Scroll's response and provide an update.
- **Apr 29 2025** – I notify both Scroll and Immunefi that I will publicly disclose the vulnerability on Apr 30 2025 unless the report is treated and rewarded fairly.

Here is the full audit report with a complete explanation of the issue, PoC scripts, a local network setup guide, and a PoC video. A full triage history (screenshots) is included at the end of the blog post—please review it! notion.so/shabarkin/Crit…
Maksym Vatsyk @adeadfed
Features:
- 8 separate user profiles that can be used simultaneously (just like PwnFox)
- Color-coded traffic in Proxy tab based on user profile
- Only has to be configured once
- Works on MacOS, Windows and Linux
- You can keep separate profile data directories for each project
Maksym Vatsyk retweeted

ϻг_ϻε @steventseeley
Luckily I’ve never needed to exploit a select-only Postgres SQLi, but if I did, this would be my go-to: phrack.org/issues/71/8.ht…
Jaka Hudoklin @offlinehacker
@steventseeley @phrack As I understand it, you still need to have extra permissions to actually use the large object functions, which a normal user wouldn't usually have.
Maksym Vatsyk @adeadfed
@mdisec @steventseeley Now that I'm thinking about it - yeah, it might've been :D Not sure about properly transferring row and table metadata from target host to the replica container. This would likely require some extra steps, but it's for sure a viable technique
Mehmet INCE @mdisec
Nice technique!! The question on my mind is: instead of implementing a custom fileNode parser, wouldn't it be much easier to:
- Get the remote PostgreSQL version.
- Automatically create a docker instance with the exact PostgreSQL version.
- Download the /var/lib/postgresql/13/main/global/1260 file with the same lo tricks. Replace the 1260 with the local docker instance's.
- Update the permissions.
- Copy the local "1260" file.
- Carry on with the same steps as written in the article.
NTDEV @NTDEV_
Tiny10 21H2 x86 beta 2 is here

New features:
- updated to the latest CU (19044.1586)
- in-place upgrade is now available

Known issues:
- touch keyboard doesn't work (will be fixed with a later update)
- the Getting ready screen after OOBE is still missing
- BSODs on HyperV gen 1
Maksym Vatsyk retweeted

Novynach @Novynaach
The last video with the girl who died today in Vinnytsia — the video was recorded half an hour before the terrorist attack #russiaisaterrorisstate
Maksym Vatsyk @adeadfed
@jojjsec @cerias It was a great pleasure to work with you! Hope you'll come to Ukraine soon :)