Technical writeups, vulnerability research, and methodology notes from MemCyber engagements. Sanitized and published for the engineering community.https://www.memcyber.com/en-ushttps://www.memcyber.com/research/idor-chaining-fintech/https://www.memcyber.com/research/idor-chaining-fintech/How combining a seemingly low-impact IDOR with an object-metadata leak escalated to cross-tenant financial data access on a Series B fintech. Sanitized writeup and defenses.Fri, 10 Apr 2026 00:00:00 GMTAPIIDORBOLAfintechchainingAtilla Mammadlihttps://www.memcyber.com/research/move-capability-model-pitfalls/https://www.memcyber.com/research/move-capability-model-pitfalls/Move's capability and object model is safer than Solidity by default, but it has its own footguns. Three patterns that repeatedly show up during our audits of Sui and Aptos protocols.Fri, 03 Apr 2026 00:00:00 GMTSmart ContractMoveSuiAptoscapabilitiesauditAtilla Mammadlihttps://www.memcyber.com/research/webhook-forgery-signature-validation/https://www.memcyber.com/research/webhook-forgery-signature-validation/Webhook handlers look simple and therefore get written carelessly. A quick tour of the signature-validation bugs we find over and over again across fintech and SaaS engagements.Fri, 20 Mar 2026 00:00:00 GMTWeb AppwebhookssignaturesHMACreplayAtilla Mammadli