Update README.md

README.md

@@ -73,7 +73,7 @@ If you would like to contribute, there are two ways to do so:
 
 The below table shows known hacks since 2021:
 
-| <div style="width:2900px">Date</div>  | Protocol | Funds At Risk | Root Cause | References | Code to Reproduce |
+| Date &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  | Protocol | Funds At Risk | Root Cause | References | Code to Reproduce |
 | ------------- | ------------- | ------------- | ------------- | ------------- | ------------- |
 | 2022-10-07 | BNB Bridge  | $586M | <details><summary>BSC has a special precompile to verify IAVL trees, which is buggy</summary>*in [proofInnerNode.Hash function](https://github.com/cosmos/iavl/blob/de0740903a67b624d887f9055d4c60175dcfa758/proof.go#L53), the value of Right is ignored if Left is not empty, so you were able to change the path yet the (path, nleaf) hash did not change.*</details> | [twitter](https://twitter.com/dedaub/status/1578428002701959170?s=46&t=baZxJq2wl8J6EeoDaM_o2w) [gist](https://gist.github.com/samczsun/8635f49fac0ec66a5a61080835cae3db) | N/A |
 | 2022-08-02 | [Nomad](https://docs.nomad.xyz/nomad-101/introduction)  | $152M | <details><summary>custodian: transaction replay attack <br> `acceptableRoot[address(0)] == true`</summary>*Within the process() function is an assert (line 185) that validates that the message for the transfer is associated with a valid root.  By default, a root for an unproven message would be 0x00. <br><br> In an upgrade to the protocol, Nomad decided to initialize the value of trusted roots to 0x00.  While this is common practice, it also matches the value for an untrusted root, so all messages are automatically viewed as proven.<br>[...](https://halborn.com/explained-the-nomad-hack-august-2022/)*</details> | [Meidum](https://medium.com/nomad-xyz-blog/nomad-bridge-hack-root-cause-analysis-875ad2e5aacd) [twitter](https://twitter.com/samczsun/status/1554252024723546112) | [.sol](https://github.com/0xDatapunk/DeFiHackLabs/blob/main/src/test/NomadBridge.exp.sol) |
@@ -91,7 +91,7 @@ The below table shows known hacks since 2021:
 
 # <a name="Confirmed-Bug-Bounties-header">Confirmed Bug Bounties</a>
 
- | <div style="width:2900px">Date</div>  | Protocol | References | Vuln | Exploit |
+ | Date &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  | Protocol | References | Vuln | Exploit |
 | ------------- | ------------- | ------------- | ------------- | ------------- |
 | 2022-09-19 | [Arbitrum](https://developer.arbitrum.io/)  | [twitter](https://twitter.com/0xriptide/status/1572051111246467074)<br>[medium](https://medium.com/@0xriptide/hackers-in-arbitrums-inbox-ca23272641a2) | <details><summary>`postUpgradeInit` function wipes slots 0,1 & 2 and sets the bridge and allowListEnabled slots to new values — but leaves sequencerInbox and the two booleans set by the intializer modifier empty.</summary>*call the public initialize() function and set our own address as the bridge to accept all incoming ETH deposits … but only because of this gas optimization in the code from a month prior.*</detail> | Once initialized the contact with our own bridge contract address, we can hijack all incoming ETH deposits from users attempting to bridge to Arbitrum via the depositEth() function | 
 | 2022-06-07 | [Aurora](https://doc.aurora.dev/) | [blog](https://aurora.dev/blog/aurora-mitigates-its-inflation-vulnerability), [immunefi](https://medium.com/immunefi/aurora-infinite-spend-bugfix-review-6m-payout-e635d24273d#b405), [source](https://github.com/aurora-is-near/aurora-engine/blob/5c8691ea6ea5f1b309ef227f7f5c719ffea45d28/engine-precompiles/src/native.rs#L198), [disclosure](https://app.ardrive.io/#/drives/7ba902d8-d26a-4dad-99b8-807eaaf8d925/folders/c63e6e8b-0d66-4018-b5ac-e93afe948d46) | <details><summary>delegateCall to precompiles</summary>*In the exit to NEAR and exit to Ethereum precompiles, the contract address was hardcoded with disregard to how DelegateCall works. When someone calls the contract it comes from the address of the contract always, and not from the input. Also, since the balance is from the EOA and not the contract, there is no transfer of ETH. This results in the Aurora Engine scheduling a transfer from its NEP-141 ETH balance to the adversary while it has not received an ETH transfer.*</detail> | Instead of removing the hardcoded contract address, given context, it turned out to be better to instead return an exit error if the address given does not match the inputs' address. |