Fund redirection
Recipient and payout details mutated mid-flight so money lands in the wrong account.
Christopher “Zugo” Nwobi — ranked #1, Paystack Vulnerability Disclosure 2026. Money-movement security for Nigerian & UK fintech.
I specialise in money-movement vulnerabilities — fund redirection, race conditions, IDOR on money endpoints. The bugs that don’t trip an alarm. They just move the balance.
Verify on HackerOne →Recipient and payout details mutated mid-flight so money lands in the wrong account.
Concurrent requests that spend one balance twice before the ledger settles.
Retried or replayed operations that credit or debit more than once.
Refund, reversal and promo-credit flows coerced into minting value.
Sub-unit rounding and conversion skimmed quietly, at scale.
One account reaching another’s balances, statements or instruments.
Limits and verification gates bypassed on the money path.
Forged or replayed settlement events that desync the books.
We hold the secret so you can fix it — not so the world can read it.
The same yardstick, every time: a reproducible assessment an institution can display to show its money rails were measured the way an adversary would.
Idempotency · double-spend · refund & credit abuse · FX rounding · KYC-skip.
Cross-tenant money IDOR · privilege boundaries · tenant isolation.
Every finding proven on the ledger. Attested only to what survives re-test.
Awarded only on a passing, re-tested assessment — a mark an institution earns and displays. The ruler everyone gains by holding.
Edition 2026 · in formationStart read-only — fixed scope, fixed fee, full report, re-test included. No production access in phase one.