coaglio
writeups
findings, thoughts & things i learned along the way.
Stored XSS to Full Account Takeover on a Web3 Platform
How a filename injection on a document viewer led to full wallet compromise via React fiber traversal.
Apr 2026
xss
web3
pentest