A security researcher discloses CVE-2026-4931, a critical integer truncation vulnerability in the Marginal V1 DeFi protocol that allowed complete liquidity drainage via a permissionless flash loan attack. The vulnerability stemmed from an unchecked uint128 cast in the adjust() function. The protocol paused within 48 hours and deployed the exact SafeCast fix recommended by the researcher within 72 hours. Despite on-chain evidence of the patch, Cantina (Spearbit's bug bounty platform) denied the $25,000 bounty using three verifiably false technical claims — misidentifying the vulnerable contract as a GnosisSafe and the patched contract as a Uniswap NFPM. CERT/CC independently confirmed the vulnerability and assigned the CVE. The article provides all contract addresses and cast commands to independently verify every claim on Ethereum Mainnet.

7m read time. From coinsbench.com