Rating: 5.0
TLDR:
There is an off-by-one in the name field (it is too big) and you can corrupt the size of a note's content in EEPROM. When the "list" function reads the note onto the stack it can overflow. The ropchain needs to scan for TWI devices (7-bit brute force) and then you can read the flag from the target device (at 0x6a)
