TLDR:)Two years ago I submitted a bug in Balancer V2 that let attackers create infinite token balances by front-running ERC20 deployments. I was paid $250k for this critical bug and it was made public recently.The Curiosity That Led to a Major DiscoveryIt all started with a simple curiosity: what happens when delegatecall is made to an address that doesn’t have any code? While I already knew the answer, I wanted to confirm it. If the call is placed using assembly, it returns success. However,...

TLDR:)Two years ago I submitted a bug in Balancer V2 that let attackers create infinite token balances by front-running ERC20 deployments. I was paid $250k for this critical bug and it was made public recently.The Curiosity That Led to a Major DiscoveryIt all started with a simple curiosity: what happens when delegatecall is made to an address that doesn’t have any code? While I already knew the answer, I wanted to confirm it. If the call is placed using assembly, it returns success. However,...