diff --git a/JavaScript/PwnCollegeV8Exploitation/Level8/README.md b/JavaScript/PwnCollegeV8Exploitation/Level8/README.md index 1d7a4be..06f910e 100644 --- a/JavaScript/PwnCollegeV8Exploitation/Level8/README.md +++ b/JavaScript/PwnCollegeV8Exploitation/Level8/README.md @@ -14,6 +14,9 @@ The elimination of `CheckBounds` node had been changed to: - [JITSploitation I: A JIT Bug](https://googleprojectzero.blogspot.com/2020/09/jitsploitation-one.html) - [CVE-2020-9802 JSC CSE漏洞分析](https://www.anquanke.com/post/id/245946) - [CVE-2020-9802-WebKit JIT优化漏洞分析](https://xz.aliyun.com/t/8913) + - `String.lastIndexOf` Off By One bug in V8 + - [Security: off by one in TurboFan range optimization for String.indexOf](https://issues.chromium.org/issues/40088942) + - [Attacking Client-Side JIT Compilers, Page 76-86](https://i.blackhat.com/us-18/Wed-August-8/us-18-Gross-New-Trends-In-Browser-Exploitation-Attacking-Client-Side-JIT-Compilers.pdf#page=76) - Bound Check Elimination related Simplified Lowering Phase in V8 - [浅析 V8-turboFan](https://kiprey.github.io/2021/01/v8-turboFan/#4-SimplifiedLoweringPhase) - Use this technique to corrupt array's length.
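Review bot: the new bullet names the bug as a `String.lastIndexOf` off-by-one, but the Chromium issue linked directly beneath it is titled "off by one in TurboFan range optimization for String.indexOf"; please confirm which method the tracked bug actually concerns and make the bullet text and the link title agree, since a reader following this reference list to understand the `CheckBounds` elimination change will otherwise be unsure whether the reference is about `indexOf`, `lastIndexOf`, or both. The Black Hat slide link is fine as-is, but it would help to mirror the "Page 76-86" range in the bullet with the `#page=76` fragment already in the URL so the two stay consistent if either is edited later.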