1288H V5; 2288H V5 Security Vulnerabilities

Possible centralization issue in PrizePool.closeDraw

Lines of code Vulnerability details The winning random number is chosen by DrawManager, which will lead to centralization risk. Despite haventt really deep dive in codebase of this issue, but if DrawManager ,can somehow calculate which random number can make their controlled address is winner with....

The _currentExchangeRate of the Vault contract can't increase, and always be lower than or equal to _assetUnit

Lines of code Vulnerability details Impact The _currentExchangeRate of the Vault contract can not increase, and always be lower than or equal to _assetUnit. Therefore, when the vault is undercollateralized (_currentExchangeRate < _assetUnit), it can't be further collateralized. Proof of concept....

Attacker can steal vault funds through the deposit function.

Lines of code Vulnerability details Impact In the deposit function, a check is made to see if the amount of assets being deposited by the user is greater than the amount of assets the vault currently holds. The vault then transfers the difference between the assets being deposited and the vault’s.....

_amountOut is representing assets and shares at the same time in the liquidate function

Lines of code Vulnerability details Impact In the liquidate function from the Vault contract, the input argument _amountOut is used as if it was representing a value of asset amount and share amount at the same time which is impossible a there a conversion rate between them, this error will make...

Claim failure can result to loss of funds

Lines of code Vulnerability details Impact Caller will lose funds through gas fees when claim fails Proof of Concept The claimPrize function allows any caller to claim a prize by providing the necessary parameters: _winner (address of the winner), _tier (prize tier), _prizeIndex (prize index),...

Vault.mintYieldFee FUNCTION CAN BE CALLED BY ANYONE TO MINT Vault Shares TO ANY RECIPIENT ADDRESS

Lines of code Vulnerability details Impact The Vault.mintYieldFee external function is used to mint Vault shares to the yield fee _recipient. The function is an external function and can be called by anyone since there is no access control. The function will revert only under following two...

FIRST DEPOSITOR ATTACK IS PRESENT IN THE Vault.sol CONTRACT

Lines of code Vulnerability details Impact The Vault.deposit() function is vulnerable to first depositor attack. It can be described as follows: A malicious early depositor can deposit() with 1 wei of asset token as the first depositor of the Vault, and get 1 wei of shares. Then the first...

balanceOf method can be manipulate to liquidated vault

Lines of code Vulnerability details Impact Deriving price from balanceOf can be manipulated to liquidate vault see example https://solodit.xyz/issues/deriving-price-with-balanceof-is-dangerous-spearbit-connext-pdf Attacker can provide ERC20 token to the vaultAsset and mint vault shares. The...

Depositors might lose funds due to the lack of zero share check

Lines of code Vulnerability details Impact Depositors might lose funds due to the lack of checking whether the shares to be minted is equal to zero. When this happens, the assets will be deposited into the vault, but the depositors will receive zero shares. This is independent from the initial...

CONFIGURING ALLOWANCE TO ZERO FOR THE _previousLiquidationPair CAN BE FRONT RUN

Lines of code Vulnerability details Impact The Vault.setLiquidationPair is used to change the liquidationPair_ address to a new address. In the process it sets the allowance of the _previousLiquidationPair to zero as shown below: if (_previousLiquidationPair != address(0)) { ...

Yield fee can be stolen

Lines of code Vulnerability details Impact The _yieldFeeRecipient can claim some of the fees earned in the vault by calling mintYieldFee. The function has no access control so anyone can call the function and claim the yield fee for themselves. Proof of Concept In the below test an attacker...

Anyone can mint to themselves type(uint96).max if _isVaultCollateralized() returns true

Lines of code Vulnerability details Impact There is no check that ensures the caller to mint is a trusted one. Moreover, there is a flaw which lets anyone to mint type(uint96).max number of shares Proof of Concept First, the mint function does not implement any check for the caller to be someone...

Malicious Yield Vault could deny Pool Together withdrawing assets

Lines of code Vulnerability details Impact Since vaults can be created by anyone as long as they provide an ERC-4626 compliant yield source, an attacker could set up a malicious ERC-4626 contract and set that as the yield source for a newly created Vault. The attacker could then have the malicious....

Malicious yield vault owners can manipulate the interaction between the vault and yield vault

Lines of code Vulnerability details Impact Malicious yield vault owners can steal depositor's assets. Proof of Concept yieldVault_ is the Address of the ERC4626 vault in which assets are deposited to generate yield. After tokens are deposited into the vault, the deposit function of yieldVault is...

Deposit transaction is prone to being front-run by bad actors.

Lines of code Vulnerability details Impact It is possible for an attacker to front-run a user's deposit transaction while transferring fewer amount of assets than the user and minting an equivalent amount of shares as the user could have. Proof of Concept The scenario described below is for the...

IF THE UNDERLYING ASSET IS A FEE ON TRANSFER TOKEN IT COULD BREAK THE INTERNAL ACCOUNTING OF THE VAULT

Lines of code https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L959 https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L1026-L1027 Vulnerability details Impact The Vault._deposit....

Vault.sponsor may take away the prize chance from the receiver.

Lines of code https://github.com/generationsoftware/pt-v5-twab-controller/blob/1cdf78e87a3d9127f85a3755024f143664643c5e/src/TwabController.sol#L500-L502 https://github.com/generationsoftware/pt-v5-twab-controller/blob/1cdf78e87a3d9127f85a3755024f143664643c5e/src/TwabController.sol#L656-L661...

Permit does not revert for tokens that do not implement it.

Lines of code https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L468 Vulnerability details Impact Callers should not rely on permit to revert for arbitrary tokens especially if permit is used as a security check. Tokens which do not...

mintYieldFee function does not check for the maxMint amount.

Lines of code Vulnerability details Impact Theoretically, it is possible to mint more than the maxMint amount using the mintYieldFee function in the Vault contract. Proof of Concept The functions in Vault contract like mint, mintWithPermit call the _beforeMint function which checks whether _shares....

deposit function does not check for the maxMint amount.

Lines of code Vulnerability details Impact It is theoretically possible for the deposit amount to mint shares more than the maxMint amount Proof of Concept The deposit function has a check for maxDeposit and reverts if the deposit value is more than max(uint96). But, it does not check the shares...

isTimeSafe and isTimeRangeSafe not implemented in the functions getBalanceAt and getTwabBetween

Lines of code https://github.com/GenerationSoftware/pt-v5-twab-controller/blob/0145eeac23301ee5338c659422dd6d69234f5d50/src/libraries/TwabLib.sol#L254-L276 Vulnerability details Impact The Natspec of both getBalanceAt and getTwabBetween functions indicates that they should implement the functions.....

Missing access control in mintYieldFee allowing everybody to mint the available YieldFee to himself

Lines of code Vulnerability details Impact Everybody can call the mintYieldFee function in the Vault, when there is _yieldFeeTotalSupply available and mint shares to himself for free, which latter results in stealing funds form the Vault. (if this is a desired behavior, which it shouldn't based on....

An identical vault can be deployed with existing values, the logic controlling this is missing

Lines of code Vulnerability details VaultFactory. The deployVault() function deploys a new vault with 10 arguments, but does not check if there is a vault already deployed with the same arguments This seems to have been preferred as a design, but malicious people with copy safes can direct users...

No access control on mintYieldFee

Lines of code Vulnerability details Impact Lack of access-control allows anyone to mint the yield fee to himself. Proof of Concept Vault.mintYieldFee does not restrict the _recipient yield fees: function mintYieldFee(uint256 _shares, address _recipient) external { ...

The exchange rate is decreasing in Vault

Lines of code Vulnerability details Impact The exchange rate of the vaults will be decreasing and this will block core functionalities. Proof of Concept The exchange rate of the Vault is calculated as follows: min(_withdrawableAssets, _totalSupplyToAssets) * _assetUnit / _totalSupplyAmount =...

The liquidate function lets the caller mint amountOut tokens without providing any

Lines of code Vulnerability details Impact Ther are a lot of check to ensure the parameters of the liquidate function are correct. However, it does not checki for _amountIn to NOT be 0, thus it lets the caller proceed and mint _amountOut tokens to _account without providing any Proof of Concept...

Unsecure and predictable random number generation in closeDraw.winningRandomNumber_()

Lines of code Vulnerability details Impact Unsecure and predictable random number generation in closeDraw.winningRandomNumber_() can lead to external influence by malicious attackers. Leading to undermining of the fairness and security and unpredictability of the draw function. Both the timestamp.....

Users might lose their balances when they set delegates

Lines of code Vulnerability details Impact Undelegated users will lose their balances if they set delegate to themselves. Proof of Concept A User can set a delegate and the delegated balance of the user will be accounted on the delegate's delegated balance in the TWAB controller. The internal...

Malicious claimer could arbitrage the prize-claiming functionality

Lines of code Vulnerability details Impact The _feePerClaim is a user controlled parameter which tops at tierLiquidity.prizeSize for a given _tier (see here for that). That means the CLAIMER can set arbitrary fees for a given call to claimPrize to increase maliciously the collected fees with //...

Missing External Transfer Function In Vault

Lines of code Vulnerability details Impact Balances of TwabController for a vault can not be transferred. Proof of Concept The Vault implements an internal _transfer function meant to be used to transfer balances within the TwabController: function _transfer(address _from, address _to, uint256...

Incorrect distribution of shares and liquidity as a result of total number of shares not equaling 100

Lines of code Vulnerability details Impact If the shares are not properly validated and do not add up to 100, there will be an imbalance in the distribution of funds resulting in loss of funds or locked funds that cannot be accessed or distributed correctly. Proof of Concept The constructor of the....

No access control for mintYieldFee()

Lines of code Vulnerability details Impact Anyone can mint the yield fee using mintYieldFee(). Proof of Concept mintYieldFee() mints the shares for yield fee. function mintYieldFee(uint256 _shares, address _recipient) external { _requireVaultCollateralized(); if (_shares >...

The output amount validation in Vault.liquidate() is not correct.

Lines of code Vulnerability details Impact The output amount validation is not correct in Vault.liquidate(), so the method might accept invalid output amount and refuse valid output amount. Proof of Concept In Vault.liquidate(), there is a validation about the output share amount should be less...

Vault funds can be stolen by a malicious Yield Vault.

Lines of code Vulnerability details Impact When a vault is initialized, it sets Max Token Approval for the Yield Vault which allows the Yield Vault to ALWAYS have access to the funds in the vault. Since vaults can be created by anyone as long as they provide an ERC-4626 compliant yield source, an.....

withdrawReserve will revert when withdrawing tokens with on chain tx fees

Lines of code Vulnerability details Impact Function will revert when _reserve is equal to _amount, when the token being transferred is a fee on transfer token. Proof of Concept function withdrawReserve( address _to, uint104 _amount ) external onlyDrawManager { function withdrawReserve( address...

TwabLib::getTwabBetween can return innacurate balances if _startTime and _endTime aren't safely bounded

Lines of code Vulnerability details M-01 TwabLib::getTwabBetween can return innacurate balances if _startTime and _endTime aren't safely bounded Vulnerability details Here's the documentation of the get TwabLib::getTwabBetween function : File: twab-controller\src\libraries\TwabLib.sol 278: /**...

Attacker can force users to delegate to SPONSORSHIP_ADDRESS

Lines of code https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L494-L504 https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L982-L994 Vulnerability details Impact An attacker can....

Incorrect amount of tokens is transferred before updating the accumulator and emitting the ContributePrizeTokens event

Lines of code Vulnerability details Impact An attacker can call the contributePrizeTokens function with a lower amount of tokens than claimed, misleading the contract to update the accumulator and emit the event based on the incorrect amount. As a result, the prize pool's internal state will be...

BuildaGate5library v5 - Reflected Cross-Site Scripting (XSS)

...

Game Jackal Server 5 Unquoted Service Path

...

BuildaGate5library v5 - Reflected Cross-Site Scripting Vulnerability

...

Game Jackal Server v5 - Unquoted Service Path "GJServiceV5"

...

Game Jackal Server v5 - Unquoted Service Path (GJServiceV5) Vulnerability

...

virt:ol and virt-devel:rhel security and bug fix update

hivex libguestfs [1.44.0-9.0.1] - Replace upstream references from description tag - Config supermin to use host yum.conf in ol8 [Orabug: 29319324] - Set DISTRO_ORACLE_LINUX correspeonding to ol [1:1.44.0-9] - Fix CVE-2022-2211 Denial of Service in --key parameter resolves: rhbz#2101280...

Exploit for Use After Free in Linux Linux Kernel

fork from https://github.com/veritas501/hbp_attack_demo...

CVE-2023-32623

Directory traversal vulnerability in Snow Monkey Forms v5.1.1 and earlier allows a remote unauthenticated attacker to delete arbitrary files on the...

Directory traversal

Directory traversal vulnerability in Snow Monkey Forms v5.1.1 and earlier allows a remote unauthenticated attacker to delete arbitrary files on the...

Supporting Our U.S. Federal Customers for BOD 23–02 by Mitigating the Risk From Internet-Exposed Management Interfaces

On June 13, 2023, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) released Binding Operational Directive (BOD) 23-02: Mitigating the Risk from Internet-Exposed Management Interfaces. The directive requires federal civilian executive-branch agencies to adhere to two primary actions: ....

CVE-2023-36358

TP-Link TL-WR940N V2/V3/V4, TL-WR941ND V5/V6, TL-WR743ND V1 and TL-WR841N V8 were discovered to contain a buffer overflow in the component /userRpm/AccessCtrlAccessTargetsRpm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET...

CVE-2023-36354

TP-Link TL-WR940N V4, TL-WR841N V8/V10, TL-WR740N V1/V2, TL-WR940N V2/V3, and TL-WR941ND V5/V6 were discovered to contain a buffer overflow in the component /userRpm/AccessCtrlTimeSchedRpm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET...