Research
Writeups and methodology from real engagements.
Sanitized technical writeups from MemCyber engagements and independent research. Published to help engineering teams recognize the patterns we see in the wild — before they ship them.
Chaining IDOR and Object Metadata Leaks in Fintech APIs
How combining a seemingly low-impact IDOR with an object-metadata leak escalated to cross-tenant financial data access on a Series B fintech. Sanitized writeup and defenses.
Capability-Model Pitfalls in Move: Three Patterns We See in Audit
Move's capability and object model is safer than Solidity by default, but it has its own footguns. Three patterns that repeatedly show up during our audits of Sui and Aptos protocols.
Webhook Signature Validation: The Five Bugs We Find Most
Webhook handlers look simple and therefore get written carelessly. A quick tour of the signature-validation bugs we find over and over again across fintech and SaaS engagements.
Seeing your stack in these writeups?
We run targeted reviews against exactly these classes of bug. Scope a pentest or subscribe via RSS.