# Whitehat Portfolio — RunItBack (@RunItBackNow)
On-chain fund recovery & responsible disclosure. Everything here is verifiable on-chain.
## Liquality / COMIT atomic-swap recovery — ~$171k returned to 60+ owners
When Liquality shut its wallet (June 2024), users with failed cross-chain swaps had funds
locked in on-chain HTLCs with no UI to reclaim them. I reverse-engineered the HTLC bytecode,
found the permissionless refund path — which pays the **original owner, hardcoded in
bytecode**, never the caller — and triggered it for stuck swaps on Ethereum and Polygon.
- ETH side: USDT, USDC, DAI, WBTC, ETH returned across ~22 refunds
- Polygon: 17,000 DAI returned
- Total: **~$171,000 to 60+ distinct owners.** Kept nothing; paid gas.
- Rescuer wallet (all txs): https://etherscan.io/address/0x71488ab1cD8705f247D7bf1d95Cf532035B580bE
### Mechanism
The Liquality/COMIT HTLC is a ~200-byte hand-written contract with two exits:
- **claim** — reveal the sha256 preimage → pays the buyer
- **refund** — after the timelock expires → pays the hardcoded seller (original depositor)
The refund is permissionless and its recipient is fixed in the bytecode, so anyone can
trigger it and the funds can *only* return home. That's what makes the recovery white-hat.
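The two-exit logic described above, as an added Python model (not Liquality's or COMIT's code; the addresses, amount, expiry and secret are constructed): it shows that the refund exit ignores the caller entirely and can only pay the depositor fixed at deploy time, which is the property that makes a third-party trigger safe.

```python
import hashlib

class HTLCError(Exception):
    """Raised when an exit's precondition is not met (the real contract would revert)."""

class HTLC:
    """Minimal model of a COMIT-style HTLC: two exits, both recipients fixed at deploy."""

    def __init__(self, seller, buyer, secret_hash, expiry, amount):
        self.seller = seller            # refund recipient: the original depositor
        self.buyer = buyer              # claim recipient
        self.secret_hash = secret_hash  # sha256 of the swap secret
        self.expiry = expiry            # timestamp after which refund is allowed
        self.balance = amount

    def claim(self, preimage):
        """Reveal the sha256 preimage; pays the buyer. (Model assumption: no claim deadline.)"""
        if self.balance == 0:
            raise HTLCError("already settled")
        if hashlib.sha256(preimage).digest() != self.secret_hash:
            raise HTLCError("bad preimage")
        paid, self.balance = self.balance, 0
        return self.buyer, paid

    def refund(self, caller, now):
        """Permissionless once the timelock expires; the caller is ignored, the seller is paid."""
        if self.balance == 0:
            raise HTLCError("already settled")
        if now < self.expiry:
            raise HTLCError("timelock not expired")
        paid, self.balance = self.balance, 0
        return self.seller, paid  # never `caller`: funds can only go home

def rescue(htlc, rescuer, now):
    """Trigger the refund as a third party and report where the funds went."""
    try:
        recipient, amount = htlc.refund(rescuer, now)
    except HTLCError as e:
        return {"ok": False, "reason": str(e)}
    return {"ok": True, "recipient": recipient, "amount": amount, "to_rescuer": recipient == rescuer}

SECRET = b"constructed-demo-secret"  # constructed sample, not a real swap secret

def demo_swap():
    """Constructed sample swap: 17,000 units deposited by SELLER, claimable by BUYER."""
    return HTLC("0xSELLER", "0xBUYER", hashlib.sha256(SECRET).digest(), expiry=1_000, amount=17_000)

if __name__ == "__main__":
    print(rescue(demo_swap(), "0xRESCUER", now=999))    # refused: timelock not expired
    print(rescue(demo_swap(), "0xRESCUER", now=1_001))  # pays 0xSELLER, not the rescuer
```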
## Uninitialized-proxy disclosure
Swept EIP-1967 proxies for a callable initialize() (ownership takeover). Disclosed a
finding responsibly → rewarded.
## Skills
EVM bytecode analysis · storage layout · access-control review · HTLC / atomic-swap
mechanics · upgradeable-proxy patterns · multi-chain on-chain forensics (Dune + RPC).