Zellic

Want to learn deep Web3 security knowledge written by the best hackers in the world? Here's a Twitter thread of interesting Twitter threads the Zellic team has written! 👇🧵

Announcing YC Crypto deals We're now providing crypto deals to support fintech builders funded by YC: support on tools like wallets, onramps, audits, blockchains, onchain data.

linux LPE in rds kernel module

today we are releasing a qemu escape

Microsoft Edge's Enhanced Security Mode was designed to be the ultimate defense when browsing unfamiliar websites. Zellic researchers @eternalsakura13 and R1nd0 found 23 RCEs in it. Their target? DrumBrake, Microsoft's WebAssembly interpreter. The irony? This security feature became a massive attack surface itself. These findings span type confusion, out-of-bounds memory access, use-after-free, and critical control flow errors.

Second round of smart contract audits completed with @Zellic_io and @fuzzland_

Thanks @zellic_io for backing the round and including my project 🙌 Excited to keep shipping practical security education for AI agents on Ethereum + L2s! Big ups to everyone supporting Ethereum security QF: qf.giveth.io/project/securi… Exciting times ahead!

@seal_911: qf.giveth.io/project/seal-9… @_SEAL_Org: qf.giveth.io/project/seal-s… @_SEAL_Org: qf.giveth.io/project/seal-c… @Wonderland: qf.giveth.io/project/canon-… @suppvalen: qf.giveth.io/project/securi…

Zellic is proud to support @thedaofund’s Ethereum Security QF round! Check out some of the projects our badgeholders donated to below:

$XAUm and $XAGm - Matrixdock tokenized gold and silver on @SuiNetwork - are independently audited by @Zellic_io. Physical reserves verified by @BureauVeritasCU. Smart contracts audited by @Zellic_io. Transparency and trust, fully documented. All audit reports are publicly available. Physical Audit: matrixdock.gitbook.io/matrixdock-doc… XAUm (Gold): reports.zellic.io/publications/x… XAGm (Silver): reports.zellic.io/publications/x…

another day, another universal linux LPE

Fuzzing to Zero-Day: Pwning V8CTF With TurboFan Type Confusion, CVE-2025-2135 - @zellic_io zellic.io/blog/pwning-v8…

I’m really proud of this. The code we audited will be on millions if not billions of machines and containers. Thanks to @Canonical for working with us on this.

Check out the full uutils coreutils audit report below: github.com/Zellic/publica…

The core utilities that run every Linux system have been rewritten in Rust. We audited them. Before shipping uutils coreutils with Ubuntu 26.04, @Canonical commissioned Zellic for an external security audit. Two rounds, fixes contributed directly upstream. Full report below.

TRX CTF 2026 has officially started!🔥 v8, winpwn, kpwn, bootloader, krev, xsleak, webdriver, pyjails, golfing, quantum, web3 and what else?👀 ctf.theromanxpl0.it sponsored by: @osec_io, @zellic_io, @Google

💥Our challenge authors are preparing some interesting challenges for #LakeCTF, and we’re working hard to playtest them all. We can’t wait to see our participants tackle what we’ve cooked up! Let's go!🤘🏽 @asymmetric_re @zellic_io @infomaniak @orangecyberch @osec_io #CTF #EPFL

Zellic researchers created POCs for each of these three vulnerabilities, and each of these three vulnerabilities has been patched. We want to give a huge shoutout to the IronClaw team for their dedication to ensuring security and quick merging of fixes for these issues!

The attack scenario involves attacker-controlled content that contains XML tool-call tags. When the user asks the agent to process this content, the LLM’s text response may include the XML tags. The pre-fix `recover_tool_calls_from_content` performed purely syntactic pattern matching on the entire text without filtering code blocks or checking surrounding context. So it couldn’t distinguish between intentionally emitted XML tags and XML tags that appeared in quoted, referenced, or injected content. This means that any matching tag was parsed as a real `ToolCall` object and fed into the execution pipeline.

First, it scanned the entire text content without excluding XML tags inside Markdown code blocks, so injected or quoted XML was treated the same as model-intended XML. Second, the recovered `ToolCall` objects were returned directly as `RespondResult::ToolCalls`. This enters the exact same execution pipeline as structured tool calls from the LLM.

The recovery function - scans the LLM’s text response for known XML tag patterns, - parses each matched tag as JSON to extract a tool name and arguments, - validates that the tool name exists in the available tool set, - and converts the result into a `ToolCall` object that enters the standard execution pipeline. But this function had not one but two security issues.

The final vulnerability was in the XML tool-call recovery and model compatibility. Certain LLMs don’t use the structured `tool_calls` field in the OpenAI protocol when performing function calls. Instead, they emit tool calls as XML tags within the content field of their text responses. To maintain compatibility with these models, IronClaw implements a fallback mechanism in the reasoning engine’s `respond_with_tools` method.

An attacker can discover targets through port scanning and send a forged Feishu event JSON to the fixed path `/webhook/feishu`. This forged message enters the agent’s processing queue like a legit message, and if the operator enabled `auto_approve_tools = true`, then the injected message can instruct the LLM to invoke the shell tool without human intervention. If the Docker sandbox is also disabled, commands execute directly on the host.