The Notorious Bug Digest #9 dissects three critical blockchain vulnerabilities: a rule selection downgrade in Stellar smart account authorization, a ZK circuit misconstraint that halts privacy protocols, and signed-integer bit-smuggling in perpetuals. Detailed code analysis and remediation guidance for developers.

The Notorious Bug Digest #9 provides code-level security analysis of three distinct blockchain vulnerabilities. First, OpenZeppelin's audit of its Stellar Contracts Library identified a rule selection downgrade: sponsors could silently swap the authorization rule ID for a weaker one, bypassing the multisig and spending-limit protections signers expected. Second, PrivacyBoost on EVM suffers a ZK circuit misconstraint in which shape parameters meant only for data layout were also used as domain constraints, creating a time bomb that halts all operations once tree numbers exceed 16. Third, Aftermath Finance's perpetuals exploit on Sui shows how hand-rolled two's-complement logic combined with unguarded public setters can invert collateral accounting in a single transaction. Each case offers lessons on cryptographic binding, constraint design, and native type handling for smart contract developers.
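The rule selection downgrade described for the Stellar case comes down to what the signers' signatures commit to. The following is an added example written for this digest summary; it is not code from the Stellar Contracts Library or from OpenZeppelin's audit. The rule names, thresholds and spending limits are hypothetical, and HMAC-SHA256 stands in for the account's real signature scheme so that it runs offline. The vulnerable path verifies signatures over a payload that omits the rule ID and lets the submitter (the sponsor) choose the rule; the fixed path binds the rule ID into the signed bytes, so a signature produced for one rule is invalid under another.

```python
import hashlib
import hmac

# Constructed demo keys; HMAC stands in for the account's real signature scheme.
SIGNER_KEYS = {"alice": b"alice-demo-key", "bob": b"bob-demo-key"}

# Hypothetical rule set: each rule id names the policy a transaction must satisfy.
RULES = {
    "treasury": {"threshold": 2, "spending_limit": 1_000_000},  # two signers, large cap
    "daily": {"threshold": 1, "spending_limit": 1_000},          # one signer, small cap
}


def sign(signer: str, payload: bytes) -> bytes:
    return hmac.new(SIGNER_KEYS[signer], payload, hashlib.sha256).digest()


def verify(signer: str, payload: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(signer, payload), sig)


def payload_unbound(tx_hash: bytes) -> bytes:
    # Vulnerable binding: the signed bytes cover the transaction but not the rule.
    return b"smart-account-auth|" + tx_hash


def payload_bound(tx_hash: bytes, rule_id: str) -> bytes:
    # Fixed binding: the rule id is part of what every signer signs.
    return b"smart-account-auth|" + tx_hash + b"|rule=" + rule_id.encode()


def _enforce(rule_id: str, amount: int, valid_sigs: int) -> bool:
    rule = RULES[rule_id]
    return valid_sigs >= rule["threshold"] and amount <= rule["spending_limit"]


def authorize_vulnerable(tx_hash: bytes, amount: int, rule_id: str, sigs: dict) -> bool:
    """rule_id is supplied by whoever submits (sponsors) the transaction.

    Because the signatures do not commit to it, the submitter can pick any rule whose
    threshold the collected signatures happen to meet.
    """
    valid = sum(verify(s, payload_unbound(tx_hash), sig) for s, sig in sigs.items())
    return _enforce(rule_id, amount, valid)


def authorize_fixed(tx_hash: bytes, amount: int, rule_id: str, sigs: dict) -> bool:
    """Same policy check, but every signature is verified over the bound payload, so a
    signature produced for "treasury" fails if the sponsor submits "daily" instead."""
    valid = sum(verify(s, payload_bound(tx_hash, rule_id), sig) for s, sig in sigs.items())
    return _enforce(rule_id, amount, valid)


def downgrade_scenario():
    """Alice signs a 500-unit payment she expects to run under "treasury" (needs Bob too).

    Returns (vulnerable outcome when the sponsor submits "daily",
             fixed outcome when the sponsor submits "daily",
             fixed outcome under "treasury" once Bob co-signs).
    """
    tx_hash = hashlib.sha256(b"pay 500 to merchant").digest()  # constructed transaction
    amount = 500

    # Vulnerable contract: Alice's signature is rule-agnostic, so the sponsor picks "daily"
    # and one signature is enough.
    unbound_sigs = {"alice": sign("alice", payload_unbound(tx_hash))}
    downgraded = authorize_vulnerable(tx_hash, amount, "daily", unbound_sigs)

    # Fixed contract: Alice signed for "treasury"; submitting as "daily" invalidates her sig.
    bound_sigs = {"alice": sign("alice", payload_bound(tx_hash, "treasury"))}
    blocked = authorize_fixed(tx_hash, amount, "daily", bound_sigs)

    # With Bob's co-signature the intended rule authorizes as expected.
    bound_sigs["bob"] = sign("bob", payload_bound(tx_hash, "treasury"))
    honest = authorize_fixed(tx_hash, amount, "treasury", bound_sigs)
    return downgraded, blocked, honest


if __name__ == "__main__":
    print(downgrade_scenario())  # (True, False, True)
```

The check to carry over to a real contract is the shape of `payload_bound`: every parameter that selects which policy gets enforced must be inside the bytes the signers sign, not a free argument of the submitting transaction.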
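The Sui perpetuals case turns on a hand-rolled signed integer built from the chain's native unsigned type and a setter that never rejects values with the sign bit set. The following is an added illustration of that bug class, not Aftermath Finance's Move code and not the steps of the actual exploit. It keeps an i64 in a u64 as two's complement (the usual construction when only unsigned natives exist), computes equity with wrapping u64 subtraction, and shows how handing the unguarded setter the u64 encoding of a negative number flips a debt into a credit. The position fields and amounts are hypothetical.

```python
# Constructed illustration of i64-in-u64 two's-complement handling, not Aftermath's code.
U64_MAX = (1 << 64) - 1
SIGN_BIT = 1 << 63
I64_MAX = (1 << 63) - 1
I64_MIN = -(1 << 63)


def u64_to_i64(raw: int) -> int:
    """Interpret raw u64 bits as a two's-complement signed value."""
    assert 0 <= raw <= U64_MAX
    return raw - (1 << 64) if raw & SIGN_BIT else raw


def i64_to_u64(value: int) -> int:
    """Encode a signed value into u64 bits; out-of-range inputs are rejected, not wrapped."""
    if not I64_MIN <= value <= I64_MAX:
        raise OverflowError(f"{value} does not fit in i64")
    return value & U64_MAX


def i64_sub_raw(a_raw: int, b_raw: int) -> int:
    """Wrapping u64 subtraction, which is exactly two's-complement signed subtraction."""
    return (a_raw - b_raw) & U64_MAX


class PerpPosition:
    """Collateral and margin debt, both stored as i64-in-u64 like a hand-rolled signed type."""

    def __init__(self, collateral: int):
        self.collateral_raw = i64_to_u64(collateral)
        self.owed_raw = 0

    def equity(self) -> int:
        return u64_to_i64(i64_sub_raw(self.collateral_raw, self.owed_raw))

    def set_owed_unguarded(self, raw: int) -> None:
        """Vulnerable: a public setter that stores whatever u64 it is handed.

        Callers mean 'amount owed', but any value >= 2**63 is silently a negative debt,
        i.e. a credit, because the field is later read back as signed.
        """
        self.owed_raw = raw & U64_MAX

    def set_owed_checked(self, amount: int) -> None:
        """Hardened: accept a magnitude only and refuse anything with the sign bit set."""
        if not 0 <= amount <= I64_MAX:
            raise ValueError(f"owed amount {amount} out of range")
        self.owed_raw = amount


def smuggling_scenario():
    """Deposit 1000 and owe 800.

    Returns (honest equity,
             equity after smuggling the u64 encoding of -800 through the unguarded setter,
             whether the checked setter rejected the same input).
    """
    pos = PerpPosition(1000)
    pos.set_owed_unguarded(800)
    honest = pos.equity()  # 200

    # Attacker passes the u64 encoding of -800: a perfectly valid unsigned argument.
    smuggled_raw = (1 << 64) - 800
    pos.set_owed_unguarded(smuggled_raw)
    inverted = pos.equity()  # 1800: the debt is now counted as a credit

    fixed = PerpPosition(1000)
    try:
        fixed.set_owed_checked(smuggled_raw)
        rejected = False
    except ValueError:
        rejected = True
    return honest, inverted, rejected


if __name__ == "__main__":
    print(smuggling_scenario())  # (200, 1800, True)
```

Two things to check in any contract that stores signed values in unsigned natives: every entry point that accepts an "amount" must bound it to the non-negative half of the signed range before storing it, and the raw-bits representation should never be settable from a public function at all.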