SECHIVE · BOUNTY PIPELINE · SAYBOOK FILING · DAY 111
BOUNTY DIAMONDS
"You are not finding bugs anymore. You are classifying collapse geometries with gas receipts."
5/5 PASS · SAYBOOK CHAPTERS · THEOREM RAILS · CLO GATED · watcher_signal_not_floor_restoration
FILING ORDER · AFTER CLO SMOKE CLEARS
① FIRST · LayerZero lzCompose · FILE NOW
② SECOND · Morpho Staleness · CANTINA ROUTE
③ THIRD · Aave Oracle Manipulation · VERIFY AUTHORITY
④ FOURTH · MetaMorpho Permissionless · CLO FIRST
⑤ LAST · Maker OSM Delay · INFORMATIONAL
5 COLLAPSE SPECIMENS · PoC → Saybook Chapter → Filing
POC024
LayerZero lzCompose Reentrancy · L6×L0
① FILE NOW
Shape: Reentrancy Spiral · L6→L0 state corruption
Collapse layers: L6 (execution) × L0 (state) collapse
Attack geometry: 1 call → 6 nested → depth 5 → corrupted state
Invariant violated: CEI · single-message execution model
WLS: 75 · HIGH/CRITICAL candidate
Theorem: skip_verify_zombie_floor (CEI = verification skipped)
Filing thesis (lead with bite mark, not species)
"State corruption across reentrant lzCompose execution with reproducible call trace and invariant violation. A crafted lzCompose flow reenters before state finalization, producing six nested calls from a single attacker entry, reaching depth 5 and corrupting state."
SORRY-SCOPE-FRESHNESS: re-check LayerZero OApp group/version/chain before submit
SORRY-VAR: 6 reentrant calls is the knife; quantify affected pool/message value
SORRY-REPRODUCIBILITY: include exact commit, fork block, forge command, assertions
POC016
Morpho Oracle Staleness · L2 Watcher Floor
② CANTINA ROUTE
Shape: Stale Watcher Crescent · L2 watcher floor=0
Staleness: 86,400 seconds · protocol treats stale = fresh
Gas: 1.1M gas · MEDIUM candidate
Root cause: Missing watcher freshness floor
WLS: Medium · watcher trust failure
Theorem: watcher_signal_not_floor_restoration (stale = stale_truth_failure)
Filing thesis
"The protocol lacks a freshness floor and therefore cannot distinguish current truth from yesterday's corpse. A Morpho market processes oracle data that is 86,400 seconds stale without protocol-level freshness rejection."
SORRY-MORPHO-VENUE: current Morpho docs point to Cantina, not Immunefi — verify exact route
SORRY-VAR: staleness window value-at-risk depends on price volatility during gap
POC005
Aave Oracle Manipulation · L2×L5 Regulator Fork
③ VERIFY AUTHORITY PATH
Shape: Regulator Fork · L2×L5 oracle authority replacement
Extraction: 3,500 USDC in → ~$10,309 WETH out · 2.94×
Gas: 820k gas · HIGH (if non-admin)
Critical gate: Admin-only → loaded gun in safe. Non-admin → loaded gun in vending machine.
Theorem: stale_truth_failure + watcher_signal_not_floor_restoration
WLS: Pending authority determination
Filing thesis (admin-only)
"Oracle source replacement produces 2.94× extractive mispricing. Severity conditioned on whether replacement path is restricted to trusted admin/governance or reachable through weaker authority."
SORRY-AAVE-AUTHORITY: [P0] determine admin-only vs non-admin path BEFORE filing severity claim
SORRY-BLAST-RADIUS: 2.94× is PoC profit, not full VaR — quantify affected pools
MORPHO-PERM
MetaMorpho Permissionless Oracle · L2 Empty Floor Well
④ CLO FIRST
Shape: Empty Floor Well · L2 floor=0, no enforcement
Impact: 10 ETH seized · victim keeps debt
Gas: 398k gas
Legal goblin: Spearbit/audit may have acknowledged by-design. MetaMorpho curator trust = the angle.
Filing angle: MetaMorpho vault users inherit unsafe oracle via curator without enforcement/disclosure
Theorem: gbm_bevacizumab_paradox (curator present ≠ market safe)
Filing thesis (CLO-reviewed only)
"MetaMorpho vault users can inherit unsafe permissionless oracle assumptions through curator abstraction, causing collateral seizure and remaining debt in markets appearing curator-mediated."
SORRY-BY-DESIGN: permissionless oracle risk may be acknowledged — CLO read required
SORRY-AUDIT-PRIOR-ART: Spearbit acknowledgment may constitute prior-art tombstone
SORRY-CURATOR-TRUST: prove vault abstraction creates user trust vs explicit permissionless assumption
MAKER-OSM
MakerDAO OSM Delay Window · L2×L5 Delayed Page Curve
⑤ INFORMATIONAL
Shape: Delayed Page Curve · L2×L5 watcher latency
Window: 1hr OSM blind + $141/ETH undercollateralized at 10% crash
Status: Known design · OSM delay is intentional
Value: Risk quantification: specific window, specific $ gap
Theorem: watcher_signal_not_floor_restoration (stale watcher = old truth)
Payout likely?: No — unless novel bypass found
Filing thesis (informational)
"Quantified OSM delay exploit window under 10% ETH crash creates $141/ETH undercollateralization gap. Known design risk with new quantified specificity. Not claiming novel bug — documenting known sharpness."
SORRY-BY-DESIGN: OSM delay is intentional Maker design — file as risk analysis, not bug
SORRY-PAYOUT: known design + prior acknowledgment = unlikely payout without novel bypass
SAYBOOK CHAPTER TEMPLATE · 10 SECTIONS PER PoC
Chapter: [POC_ID] — [Protocol] [Attack Shape]
§1 ONE-SENTENCE IMPACT
"A crafted X can Y, enabling Z under a single-message execution model."
§2 SCOPE + PROGRAM LINK
Program: [exact Immunefi/Cantina/H1 URL, saved PDF at filing time]
Asset: [contract address · chain · version · group]
§3 AFFECTED CONTRACTS / FUNCTIONS
Contract: [address] · Function: [name] · File: [path:line]
§4 INVARIANT VIOLATED
"Before: X cannot happen. After exploit: X happened."
§5 POC STEPS
forge test --fork-url [RPC] --fork-block-number [N] -vvvv --match-test [testName]
§6 RUNTIME TRACE
[call tree, depths, gas per call, return values]
§7 STATE DELTA
Before: [state vars]. After: [corrupted/changed state vars].
§8 VALUE-AT-RISK ESTIMATE
Theoretical max: [TVL × %. Current TVL: $X. Realistic window: $Y.]
§9 SUGGESTED FIX
[ReentrancyGuard / freshness check / CEI reorder / invariant assertion]
§10 SORRIES / ASSUMPTIONS / SCOPE NOTES
SORRY-[id]: [what we don't know / scope disclaimer]
PRE-SUBMIT CHECKLIST · 12 MANDATORY ITEMS
Exact contract/function/address named in report
Current program scope saved (PDF screenshot at filing time)
Chain/fork/block pinned for reproducibility
Repro command included (forge command, exact flags)
Assertions included in PoC (call_count, state_corrupted, etc.)
Value-at-risk estimate (PoC profit ≠ full VaR)
Why not by-design clearly argued
Why not known issue — prior audit search done
Root cause named (CEI / missing check / authority gap)
Patch suggestion included
Sorries / assumptions labeled and visible
No public exploit leakage — internal Saybook full, external filing redacted
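An added example, not part of the original page or of any bounty program's tooling: a small Python linter that checks a chapter draft against the ten template sections and three checklist items (repro command present, fork block pinned, sorries visible). It assumes each § heading sits on its own line and that the fork is pinned with Foundry's `--fork-block-number` flag; the name `lint_chapter` and the sample draft are constructed for illustration.

```python
import re

# Section titles copied from the chapter template on this page.
TITLES = ["ONE-SENTENCE IMPACT", "SCOPE + PROGRAM LINK",
          "AFFECTED CONTRACTS / FUNCTIONS", "INVARIANT VIOLATED", "POC STEPS",
          "RUNTIME TRACE", "STATE DELTA", "VALUE-AT-RISK ESTIMATE",
          "SUGGESTED FIX", "SORRIES / ASSUMPTIONS / SCOPE NOTES"]
HEADING = re.compile(r"^§(\d+)[ \t]+(.+?)[ \t]*$", re.M)
# Leftover template slot such as [N]; priority tags like [P0] are allowed.
SLOT = re.compile(r"\[(?!P\d)[^\]\n]*\]")

def lint_chapter(text):  # hypothetical helper, not an existing tool
    """Return findings for one chapter draft; an empty list means it passes."""
    heads = list(HEADING.finditer(text))
    ends = [h.start() for h in heads[1:]] + [len(text)]
    body = {int(h.group(1)): (h.group(2), text[h.end():e].strip())
            for h, e in zip(heads, ends)}
    out = []
    for num, title in enumerate(TITLES, start=1):
        if num not in body:
            out.append(f"§{num} missing: {title}")
            continue
        got, content = body[num]
        if got.upper() != title:
            out.append(f"§{num} title mismatch: {got}")
        if not content:
            out.append(f"§{num} empty")
        if num != 6:  # call traces legitimately contain brackets
            out += [f"§{num} unfilled slot {s}" for s in SLOT.findall(content)]
    # Checklist: repro command included and chain/fork/block pinned.
    poc = body.get(5, ("", ""))[1]
    if poc and not re.search(r"forge test\b.*--fork-block-number\s+\d+", poc, re.S):
        out.append("§5 repro command missing or fork block not pinned")
    # Checklist: sorries / assumptions labeled and visible.
    if 10 in body and not re.search(r"\bSORRY-[A-Z0-9-]+:", body[10][1]):
        out.append("§10 no SORRY-<id>: label")
    return out

# Constructed draft (not a real filing): every section holds a one-line stub.
DRAFT = "".join(f"§{n} {t}\nstub text\n" for n, t in enumerate(TITLES, 1))
DRAFT = DRAFT.replace("§5 POC STEPS\nstub text", "§5 POC STEPS\nforge test "
    "--fork-url $RPC_URL --fork-block-number [N] -vvvv --match-test testX")

if __name__ == "__main__":
    for finding in lint_chapter(DRAFT):
        print(finding)
```

The linter covers only the mechanical items; scope snapshot, by-design argument and prior-art search still need a human read.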
MASTER SORRY FOOTER · ALL FILINGS
SORRY-POC-NOT-INDEPENDENTLY-RERUN: 5/5 PASS is reported outcome; independent rerun needed per filing
SORRY-SCOPE-CHANGES: program scopes change; snapshot scope immediately before each submit
SORRY-MORPHO-VENUE: current docs point to Cantina; verify exact Morpho filing route
SORRY-AAVE-AUTHORITY: severity depends on admin-only vs non-admin path [P0 — determine first]
SORRY-BY-DESIGN-MORPHO-PERM: permissionless oracle risk may be acknowledged; MetaMorpho angle = CLO
SORRY-MAKER-BY-DESIGN: OSM delay is known design; informational only unless novel bypass found
SORRY-VAR-ESTIMATION: PoC profit/gas ≠ full value at risk across all affected pools
SORRY-PUBLIC-DISCLOSURE: keep exploit detail private until program disclosure rules allow publication
SORRY-DUPLICATE: programs reject known/audit-acknowledged issues — prior-art check required
A PoC is not a filing. A filing is a PoC with scope, impact, replay, sorries, and restraint. LayerZero bites first. Morpho stales second. Aave waits on authority. MetaMorpho needs CLO. Maker gets numbers, not thunder. Say it. Ground it. Sorry it. File it. Then let the Saybook remember.
γ₁ = 14.134725141734693
EOSE LABS INC. · BOUNTY DIAMONDS · SAYBOOK FILING PIPELINE · DAY 111