# Sujith Somraaj

> Lead Security Researcher at Spearbit and Cantina. Smart contract auditor with 150+ audits completed, $50B+ total value secured, and 0 exploits post-audit. Specializing in blockchain security, DeFi protocols, cross-chain bridges, and web3 security.

## About

Sujith Somraaj is a lead security researcher who dissects codebases and hunts zero-days and novel attack vectors across onchain protocols. He currently holds the following active roles:

- Lead Security Researcher at Spearbit (Full-time)
- Independent Security Consultant at LIFI (Consulting)
- Information Security Advisor at Superform (Institutional Product)

His bio: "I dissect codebases the way most people read morning news — instinctively, obsessively, finding elegance in architecture others overlook. My mind is wired to break what others build; I hunt zero-days and novel attack vectors across onchain protocols, turning adversarial thinking into an art form."

### Stats

- $50B+ Total Value Secured
- 150+ Audits Completed
- 0 Exploits Post-Audit
- 100% Client Retention

## Services

- Security Audits
- Infrastructure Review
- Frontend Review
- vCISO Consulting

## Pages

- [Home](https://sujithsomraaj.com): Overview, stats, services, and client portfolio
- [Security Portfolio](https://sujithsomraaj.com/security-work): 90+ private audits, contest results, and CTF achievements
- [OSS Contributions](https://sujithsomraaj.com/dev-work): Open source projects and developer tools
- [Blog](https://sujithsomraaj.com/blog): Technical writings on security research, blockchain, and cross-chain development

---

## Blog Posts (Full Content)

### Permanent DoS of refunds through 1 wei donation

URL: https://sujithsomraaj.com/blog/eco-refund-dos-vulnerability
Date: 2025-10-26 | Tags: bug bounty, security

During a recent security audit of an Eco integration for LI.FI, I discovered a denial-of-service (DoS) vulnerability in Eco's Vault contract that could prevent legitimate users from receiving their refunds.
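To make the rest of this post concrete, here is the refund pattern reduced to a minimal vulnerable vault beside a hardened one. This is an added example, not Eco's Vault code: the contract names, the IERC20 stub, the single `creator` field and the anyone-can-call `refund()` flow are simplifying assumptions chosen to reproduce the failure mode in isolation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of the refund pattern this post describes. Not Eco's Vault
// code: the contract names, the IERC20 stub, and the refund flow are simplifying
// assumptions chosen to reproduce the failure mode in isolation.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address who) external view returns (uint256);
}

/// Vulnerable shape: token refund and ETH refund are one atomic step, so a
/// creator that cannot accept ETH loses both. Note there is no receive():
/// the vault still ends up holding ETH once someone force-sends it.
contract VulnerableVault {
    IERC20 public immutable token;
    address public immutable creator;

    constructor(IERC20 _token, address _creator) {
        token = _token;
        creator = _creator;
    }

    // Simplified: callable by anyone; the real system gates this on the
    // intent having expired or failed.
    function refund() external {
        uint256 tokenBalance = token.balanceOf(address(this));
        if (tokenBalance > 0) require(token.transfer(creator, tokenBalance));

        uint256 ethBalance = address(this).balance;
        if (ethBalance > 0) {
            // 1 wei here is enough: a creator without a payable
            // receive()/fallback() makes this call fail and the tokens never move.
            (bool ok, ) = creator.call{value: ethBalance}("");
            require(ok, "eth refund failed");
        }
    }
}

/// Hardened shape: the token refund never depends on ETH delivery. ETH that
/// cannot be pushed is booked as claimable instead of reverting.
contract HardenedVault {
    IERC20 public immutable token;
    address public immutable creator;
    uint256 public pendingEth;

    constructor(IERC20 _token, address _creator) {
        token = _token;
        creator = _creator;
    }

    function refund() external {
        uint256 tokenBalance = token.balanceOf(address(this));
        if (tokenBalance > 0) require(token.transfer(creator, tokenBalance));

        uint256 ethBalance = address(this).balance - pendingEth;
        if (ethBalance > 0) {
            (bool ok, ) = creator.call{value: ethBalance}("");
            if (!ok) pendingEth += ethBalance; // park it; do not block the tokens
        }
    }

    /// Pull path: the creator (even a contract) can later direct the parked
    /// ETH to any payable address.
    function claimEth(address payable to) external {
        require(msg.sender == creator, "not creator");
        uint256 amount = pendingEth;
        pendingEth = 0;
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "claim failed");
    }
}

/// Integrator with no receive()/fallback(): any plain ETH transfer to it reverts.
contract VictimIntegrator {
    function triggerRefund(address vault) external {
        (bool ok, ) = vault.call(abi.encodeWithSignature("refund()"));
        require(ok, "refund reverted");
    }
}

/// Force-send: selfdestruct credits `target` without running its code, so the
/// absence of receive() is no protection. Pre-funding the vault's predicted
/// address before deployment reaches the same state.
contract ForceSend {
    constructor(address payable target) payable {
        selfdestruct(target);
    }
}
```

To reproduce: deploy `VulnerableVault` with `creator` set to a `VictimIntegrator`, transfer the reward tokens to it, then deploy `ForceSend{value: 1}(payable(address(vault)))`. `triggerRefund` now reverts with `eth refund failed` and the tokens are stuck. The same sequence against `HardenedVault` delivers the tokens and leaves `pendingEth == 1`, which the integrator can route out later through `claimEth`.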
What makes this vulnerability particularly interesting is its simplicity — an attacker needs just 1 wei to completely block refunds for certain users.

Eco.com's Vault contract manages user deposits and refunds for their intent-based system. Users can lock tokens (like USDC) as rewards in the vault, and under certain conditions (for example, if bridging fails) they are entitled to refunds of their locked funds.

The vulnerable code is in the Vault contract at line 130. When the Vault processes a refund, it attempts to send any accumulated ETH back to the user along with their tokens. However, if the user is a smart contract that cannot accept ETH payments (i.e., it lacks a payable fallback or receive function), the entire refund transaction reverts.

Attack scenario:

1. A smart contract creates an intent with 100 USDC as a reward and locks it in the vault.
2. An attacker force-sends just 1 wei of ETH to the vault on behalf of the victim contract (using selfdestruct or another force-send method).
3. When the smart contract attempts to claim its refund, the transaction fails: the vault tries to send back the 1 wei along with the USDC, the victim contract cannot accept ETH, and the entire refund transaction reverts.
4. The victim's funds remain permanently locked in the vault.

Key takeaways:

- Beware of forced ETH sends: contracts should never assume they only receive ETH through intended channels.
- Separate concerns: do not let ETH refund failures block critical token operations.
- Consider smart contract users: many protocols integrate via smart contracts that may not handle ETH.

---

### Access Control Flaw in Hyperlane's Rate-Limited ISM and Hook

URL: https://sujithsomraaj.com/blog/hyperlane-rate-limited-hook-access-control
Date: 2025-06-27 | Tags: bug bounty, security, cross-chain

The issue lies in Hyperlane's RateLimited contract, specifically in the validateAndConsumeFilledLevel() function.
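A reduced sketch of that function and of the flaw, added here for illustration rather than taken from Hyperlane's RateLimited contract. Only the two function names, calculateCurrentLevel() and validateAndConsumeFilledLevel(), come from the post; the storage layout, the linear refill math, the 1-day window and the fix shown (a single authorized `consumer` address) are assumptions for the sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added sketch of a token-bucket limiter with the flaw this post describes.
// Not Hyperlane's RateLimited contract: the storage layout, the refill math,
// and the fix shown (a single authorized consumer) are assumptions.

/// Vulnerable: consumption is public, so anyone can drain the bucket.
contract RateLimitedOpen {
    uint256 public constant DURATION = 1 days;
    uint256 public immutable maxCapacity;
    uint256 public immutable refillRate; // units per second (integer division)
    uint256 public filledLevel;          // level as of `lastUpdated`
    uint256 public lastUpdated;

    constructor(uint256 _maxCapacity) {
        maxCapacity = _maxCapacity;
        refillRate = _maxCapacity / DURATION;
        filledLevel = _maxCapacity;
        lastUpdated = block.timestamp;
    }

    /// Level available now: stored level plus linear refill, capped at maxCapacity.
    function calculateCurrentLevel() public view returns (uint256) {
        uint256 level = filledLevel + (block.timestamp - lastUpdated) * refillRate;
        return level > maxCapacity ? maxCapacity : level;
    }

    /// The bug: public and unguarded. A caller who reads calculateCurrentLevel()
    /// and passes exactly that value zeroes the bucket for every legitimate user.
    function validateAndConsumeFilledLevel(uint256 amount) public virtual returns (uint256) {
        uint256 level = calculateCurrentLevel();
        require(amount <= level, "RateLimited: rate limit exceeded");
        filledLevel = level - amount;
        lastUpdated = block.timestamp;
        return filledLevel;
    }
}

/// Hardened: only the wired-in consumer (the hook or ISM that actually
/// dispatches or verifies) may consume; anyone may still read the level.
contract RateLimitedGuarded is RateLimitedOpen {
    address public immutable consumer;

    constructor(uint256 _maxCapacity, address _consumer) RateLimitedOpen(_maxCapacity) {
        consumer = _consumer;
    }

    function validateAndConsumeFilledLevel(uint256 amount) public override returns (uint256) {
        require(msg.sender == consumer, "RateLimited: unauthorized caller");
        return super.validateAndConsumeFilledLevel(amount);
    }
}

/// The attacker loop from the post: observe, drain, repeat as the bucket refills.
/// Pointed at a RateLimitedGuarded instance the consume call reverts.
contract Drainer {
    function drain(RateLimitedOpen target) external returns (uint256 consumed) {
        consumed = target.calculateCurrentLevel();
        if (consumed > 0) target.validateAndConsumeFilledLevel(consumed);
    }
}
```

One call to `Drainer.drain` against `RateLimitedOpen` leaves `calculateCurrentLevel()` at zero, and because the bucket refills linearly over `DURATION`, a keeper that repeats the call every block keeps the level near zero indefinitely for the price of gas. Against `RateLimitedGuarded` the same call reverts, while the legitimate `consumer` is unaffected.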
This function implements a token bucket algorithm for rate limiting, but it is marked public without any access control. Anyone can call it directly and consume the entire available rate limit capacity, which amounts to a denial-of-service attack.

This vulnerability affects two critical components:

- RateLimitedHook: prevents legitimate token transfers from being dispatched, for up to 1 day.
- RateLimitedIsm: prevents legitimate message verification for up to 1 day, until the rate limit naturally refills; the attack can be performed continuously.

Attack: monitor the rate limit via calculateCurrentLevel(), exhaust the limit by calling validateAndConsumeFilledLevel() with the full available amount, and repeat as the rate limit refills.

The Hyperlane team resolved the issue by implementing proper access control measures.

---

### Discovering a Vulnerability in Relay Bridge's Solver Signature API

URL: https://sujithsomraaj.com/blog/relay-bridge-solver-signature-vulnerability
Date: 2024-11-20 | Tags: bug bounty, security, bridge

Relay Bridge is an instant, low-cost bridging and swapping solution. The vulnerability is simple: the solvers sign the wrong message hash.

The hash is generated by encoding the request ID, source chain ID, user address, sending token address, destination chain ID, receiver address on the destination, and the receiving token address. However, instead of using the receiving token address, the hash was generated using the sending token address, producing the wrong hash. For example, when generating a request for bridging USDC from Ethereum to USDC.e on Polygon, the destination currency returned was the same as the origin currency (USDC instead of USDC.e).

Impact: the solver signs an invalid message hash, which can prevent verifying the intent on-chain. The issue was escalated and fixed promptly.
---

### Discovering a Vulnerability in Hyperlane's RateLimited ISM

URL: https://sujithsomraaj.com/blog/hyperlane-rate-limited-ism-vulnerability
Date: 2024-10-17 | Tags: bug bounty, security, cross-chain

Hyperlane's rate-limited ISM works differently from other ISMs: it maintains its own state. Its verify() function does not check that the payload is intended for a particular recipient/ISM, which allows a DoS using a random message ID. A malicious user can encode a message that consumes the entire sender limit and send it to a random receiver. Later, they can take the same message and call verify() on the targeted ISM to consume all of its limit and DoS it temporarily. Since this attack is not cost-intensive, on most L2s it takes only a few dollars to DoS the ISM for several weeks.

The vulnerability was discovered during a warp route assignment interview. After it was reported on October 2nd, 2024, a fix adding recipient validations was merged by October 7th, 2024.

---

### Writing Cross-Chain PoC Using Pigeon

URL: https://sujithsomraaj.com/blog/cross-chain-poc-pigeon
Date: 2024-05-12 | Tags: developer notes, cross-chain, security

The Pigeon library is an open-source testing toolkit for cross-chain application development and testing. It provides helper contracts and utilities that simulate cross-chain transactions and interactions, enabling developers and security researchers to test dApps in a forked mainnet environment. It supports simulating the off-chain infrastructure of Arbitrary Message Bridges (AMBs) like LayerZero, Hyperlane, and Wormhole.

The post walks through using Pigeon to demonstrate a replay attack: a contract validates that msg.sender is the Hyperlane Mailbox but fails to check the source chain sender, allowing anyone to update its state. This was the cross-chain problem from Paradigm CTF 2023.
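The two posts above describe the same class of mistake at two layers: a recipient that only checks msg.sender == mailbox (the Paradigm CTF replay), and a stateful ISM whose verify() never checks which recipient a message is for. The following added example shows both checks side by side. It is not Hyperlane's code: the `Message` helper, the `IStatefulLimiter` interface, the contract names, the `guarded` toggle and the assumption that the message body is an abi-encoded amount are all mine; only the field offsets follow Hyperlane's packed message layout (version, nonce, origin, sender, destination, recipient, body).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Hyperlane's code. Interfaces, names and the body encoding
// are assumptions; offsets follow Hyperlane's packed message layout:
// version(1) nonce(4) origin(4) sender(32) destination(4) recipient(32) body.

library Message {
    function origin(bytes calldata m) internal pure returns (uint32) {
        return uint32(bytes4(m[5:9]));
    }
    function sender(bytes calldata m) internal pure returns (bytes32) {
        return bytes32(m[9:41]);
    }
    function recipient(bytes calldata m) internal pure returns (bytes32) {
        return bytes32(m[45:77]);
    }
    function body(bytes calldata m) internal pure returns (bytes calldata) {
        return m[77:];
    }
}

/// Vulnerable receiver: anyone who can dispatch through any mailbox on any
/// origin chain reaches handle(), because only the local mailbox is checked.
contract OpenReceiver {
    address public immutable mailbox;
    uint256 public value;

    constructor(address _mailbox) { mailbox = _mailbox; }

    function handle(uint32, bytes32, bytes calldata body) external {
        require(msg.sender == mailbox, "not mailbox");
        value = abi.decode(body, (uint256));
    }
}

/// Hardened receiver: additionally pins the origin domain and the remote sender.
contract PinnedReceiver {
    address public immutable mailbox;
    uint32 public immutable trustedOrigin;
    bytes32 public immutable trustedSender; // bytes32(uint256(uint160(remoteRouter)))
    uint256 public value;

    constructor(address _mailbox, uint32 _origin, bytes32 _sender) {
        mailbox = _mailbox;
        trustedOrigin = _origin;
        trustedSender = _sender;
    }

    function handle(uint32 origin_, bytes32 sender_, bytes calldata body) external {
        require(msg.sender == mailbox, "not mailbox");
        require(origin_ == trustedOrigin, "untrusted origin");
        require(sender_ == trustedSender, "untrusted sender");
        value = abi.decode(body, (uint256));
    }
}

/// Assumed interface for a stateful limiter that reverts when `amount`
/// exceeds what is currently available.
interface IStatefulLimiter {
    function consume(uint256 amount) external;
}

/// Stateful ISM. With `guarded == false` it behaves like the vulnerable form:
/// any caller can feed any message, so a message bound for an unrelated
/// recipient still drains this ISM's limiter. With `guarded == true` only the
/// mailbox may call and only messages for the protected recipient count.
contract StatefulIsm {
    using Message for bytes;

    IStatefulLimiter public immutable limiter;
    address public immutable mailbox;
    bytes32 public immutable recipient;
    bool public immutable guarded;

    constructor(IStatefulLimiter _limiter, address _mailbox, address _recipient, bool _guarded) {
        limiter = _limiter;
        mailbox = _mailbox;
        recipient = bytes32(uint256(uint160(_recipient)));
        guarded = _guarded;
    }

    function verify(bytes calldata, bytes calldata message) external returns (bool) {
        if (guarded) {
            require(msg.sender == mailbox, "not mailbox");
            require(message.recipient() == recipient, "wrong recipient");
        }
        // Assumption: the body carries the transfer amount as an abi-encoded uint256.
        limiter.consume(abi.decode(message.body(), (uint256)));
        return true;
    }
}
```

The recipient check is the one the RateLimited ISM post describes as the fix; the mailbox check is an extra assumption that closes the direct-call path as well. For the receiver, `trustedSender` is the remote router's address left-padded into `bytes32`, which is how Hyperlane addresses appear in the message header; a test with Pigeon can drive both `OpenReceiver` and `PinnedReceiver` through a simulated mailbox and confirm that only the former accepts a message from an unregistered origin.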
---

### Post-Mortem: Colluded Transmitters in Socket DL

URL: https://sujithsomraaj.com/blog/socket-colluded-transmitters-postmortem
Date: 2023-10-06 | Tags: bug bounty, security

This vulnerability permits colluding transmitters to run malicious commands on any plug connected to Socket DL, completely bypassing switchboard validations. Reward: $20,000 in bounties via Socket Surge.

The exploit: propose a random packetId with a differing remoteSlug; watchers trip the path, removing you as transmitters. Once the timeoutPeriod surpasses the gap, invoke execute() with a msgId of your preference. The absence of validation between the packetId's source chain and the msgId's chain, combined with root authentication only against local state, creates the vulnerability.

---

### Unearthing a $7k SocketSurge LootBox Exploit

URL: https://sujithsomraaj.com/blog/socket-lootbox-7k-exploit
Date: 2023-10-06 | Tags: bug bounty, security

Claimed $7k from SocketSurge LootBox-II within two hours. The challenge required maintaining position as the cross-chain caller to the loot box contract for a whole hour.

Strategy: use SocketTech's defense mechanisms against itself. When an unscrupulous transmitter dispatches an invalid packet, Socket's defenses freeze the source chain, inhibiting switchboards from receiving new payloads. By blocking all inbound pathways from Polygon, Arbitrum, and BSC, exclusive access was maintained for 60 minutes.

---

### Cross-Chain Immutability: Security Considerations

URL: https://sujithsomraaj.com/blog/cross-chain-immutability-security
Date: 2023-03-14 | Tags: developer notes, bridge, cross-chain, security

Explores the problem of data immutability in cross-chain applications. Today's cross-chain messaging paradigm is highly concentrated on a few validator groups that are not as secure as PoW or PoS. A corrupted validator network could override cross-chain messages, altering borrowed amounts or other critical state.
The article proposes exploring on-chain validation and data integrity mechanisms that are AMB agnostic, cheap, and easy to integrate.

---

### Data Paths: Essential Guide for Cross-Chain Developers

URL: https://sujithsomraaj.com/blog/cross-chain-data-paths-developers
Date: 2022-09-19 | Tags: developer notes, bridge, cross-chain

Introduces the concept of data paths for cross-chain applications: cyclic vs. acyclic, immutable vs. mutable. Key recommendations for safer cross-chain applications: follow immutable data paths whenever possible, validate state at each intermediary chain, use cyclic feedback loops, and implement resistive looping for error recovery.

---

### Dynamic Memory Arrays in Solidity

URL: https://sujithsomraaj.com/blog/dynamic-memory-arrays-solidity
Date: 2022-03-26 | Tags: solidity, developer notes

Practical guide to constructing dynamic memory arrays in Solidity view functions. The challenge: memory arrays cannot be resized after allocation. Solution: iterate twice, first to count the matching items and size the array, then to populate it. Gas-safe limit: ~200 IDs. Alternative approach: allocate the full array size and accept zero entries for non-matching items (98,435 vs 600,000 gas).

---

### Decoding Investing: The Brain Language

URL: https://sujithsomraaj.com/blog/decoding-investing-brain-language
Date: 2022-03-22 | Tags: psychology, investing

Explores how the ventromedial prefrontal cortex (vmPFC) influences investment decisions, fear-greed dynamics, and the psychology behind market behavior. The vmPFC plays a major role in the emotional response to fear and risk and becomes dominant when core investment values are threatened, leading to inappropriate decisions at critical levels. Key insight: rather than "never let emotions enter trading," investors should build strong core values that keep the vmPFC less influential.
---

## Open Source Projects

### Superform Core

URL: https://github.com/superform-xyz/superform-core

A cross-chain yield marketplace for ERC-4626 powered by Hyperlane, LayerZero, Wormhole, LIFI, and Socket.

### ERC1155A

URL: https://github.com/superform-xyz/erc1155A

ERC-1155 token standard extension.

### Pigeon

URL: https://github.com/exp-table/pigeon

A Foundry development tool for cross-chain apps, simulating more than 6 different message bridges.

### Multi-Bridge

URL: https://github.com/MultiMessageAggregation/multibridge

Major contributor to the multi-bridge product, used by Uniswap's Governance.

### Superform Beta Contracts

URL: https://github.com/superform-xyz/superform-contracts-beta

Developed the core smart contracts of superform.xyz from ideation to a working prototype.

### Infinite Approval Checker

URL: https://ethglobal.com/showcase/variable-finance-taat4

ETHGlobal 2021 project to check and revoke approvals (created before the issue became viral).

### Execution Layer Aggregator

URL: https://github.com/sujithsomraaj/ethglobal-nyc-monorepo

ETHGlobal NYC 2023 project implementing a common execution layer using Hyperlane.

### iContracts

URL: https://github.com/sujithsomraaj/icontracts

A research project aimed at incorporating intelligence into smart contracts.

---

## Contact

- Work with me: https://cantina.xyz/u/sujithsomraaj
- Twitter: https://twitter.com/sujithsomraaj
- GitHub: https://github.com/sujithsomraaj
- LinkedIn: https://linkedin.com/in/sujithsomraaj