, a security researcher at iosiro, identified a critical bug in the [](https://88mph.app/](https://uploads-ssl.webflow.com/5e39239f2e417c1a357f71f5/60c814a59913cd8419d876eb_88mph-bug.png "Smart Contract Auditing")
Smart Contract Auditing
On 7 June 2021, [Ashiq Amien](https://twitter.com/AshiqAmien), a security researcher at iosiro, identified a critical bug in the [](https://88mph.app/)fixed-interest-rate lending protocol [88mph](https://88mph.app/). The bug was reported to 88mph through [Immunefi](https://immunefi.com/) for a bounty of $42,069...nice.
The initialization bug was identified in 88mph's NFT contract, and resulted in allowing anyone to claim ownership of the contract and steal the underlying assets. The 88mph team responded quickly after receiving the disclosure, restricting access to the vulnerable functionality within 2 hours and extracting the funds to the treasury within 24 hours. The vulnerability affected three pools:
- yaLINK [[Pool Deposit](https://etherscan.io/address/0xF0b7DE03134857391d8D43Ed48e20EDF21461097), [Pool](https://etherscan.io/address/0x904F81EFF3c35877865810CCA9a63f2D9cB7D4DD)]
- CRV:STETH [[Pool Deposit](https://etherscan.io/address/0x6a76f1c362f2C871BEB9d930c9eFd02B07841A28), [Pool](https://etherscan.io/address/0x303CB7Ede0c3AD99CE017CDC3aBAcD65164Ff486)]
