IndraMotion MLC L20, L40 Security Vulnerabilities

code423n4

fund steal by creating a lot of bad long positions and then transferring NFT token of long position to all users and trick them (or by mistake) to click on exercise()

Lines of code Vulnerability details Impact When fillOrder() is called, the code mints two PuttyV2 NFT tokens, one for Long position and one for Short Position, and it's possible to transfer these NFT tokens to others. Exercising unwanted bad Long positions can cause users to lose funds and tokens, for...

6.9 AI Score

2022-07-04 12:00 AM
5
code423n4

Multiple functions in GovernorBravoDelegator.sol could cause dangerous future mistakes

Lines of code Vulnerability details Submitting as med risk because these are very important functions and using requires like this seems very likely to cause future mistakes Impact Increases likelihood of future vulnerabilities Proof of Concept _initiateDelegated() _acceptInitialAdminDelegated()...

6.8 AI Score

2022-07-01 12:00 AM
2
code423n4

_updateTwav() and _getTwav() will revert when cumulativePrice overflows

Lines of code https://github.com/code-423n4/2022-06-nibbl/blob/8c3dbd6adf350f35c58b31723d42117765644110/contracts/Twav/Twav.sol#L40 Vulnerability details Impact Contract will break when cumulativeValuation overflows. PoC Cumulative prices are designed to work with overflows/underflows because in...

7 AI Score

2022-06-24 12:00 AM
4
code423n4

Missing zero address check can set treasury to zero address

Lines of code Vulnerability details Impact AccountantDelegate.initialize() is missing a zero address check for treasury_ parameter, which could allow treasury to be mistakenly set to 0 address. Proof of Concept Tools Used Manual review Recommended Mitigation Steps Add a require() check for...

6.8 AI Score

2022-06-21 12:00 AM
4
nessus

openSUSE 15 Security Update : tensorflow2 (openSUSE-SU-2022:10014-1)

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2022:10014-1 advisory. In affected versions of TensorFlow under certain cases a saved model can trigger use of uninitialized values during code execution....

9.3 CVSS

8.2 AI Score

0.001 EPSS

2022-06-19 12:00 AM
21
code423n4

Division round down 2 times may cause convertToShares calculation incorrect if underlying token with decimals less than 8.

Lines of code https://github.com/code-423n4/2022-06-notional-coop/blob/6f8c325f604e2576e2fe257b6b57892ca181509a/notional-wrapped-fcash/contracts/wfCashERC4626.sol#L52 Vulnerability details Impact In case fCash has not matured yet, convertToShares() may return incorrect value due to division...

6.8 AI Score

2022-06-14 12:00 AM
8
code423n4

Upgraded Q -> H from 25 [1655007954017]

Judge has assessed an item in Issue #25 as High risk. The relevant finding follows: Fees should have a boundary of 100% (10000): https://github.com/code-423n4/2022-03-joyn/blob/main/royalty-vault/contracts/RoyaltyVault.sol#L68 Otherwise the contract will try to transfer more than possible which...

6.8 AI Score

2022-06-12 12:00 AM
2
code423n4

RewardHandler.burnFees() could fail depending on number of pools with underlying = address(0)

Lines of code Vulnerability details Impact If more than one pool has underlying = address(0) then RewardHandler.burnFees() will fail or use ETH balance from FeeBurner.sol. Proof of Concept RewardHandler.sol#L40-L50 uint256 ethBalance = address(this).balance; address[] memory tokens = new...

6.9 AI Score

2022-06-03 12:00 AM
4
code423n4

Integer Overflow in Nonce Possible Via EIP 1271 Compliant Contract

Lines of code Vulnerability details Impact The current NonceManager (deployed version) does not expect a nonce to go as high to actually trigger an integer overflow and is therefore, unchecked. However, it is completely possible to have the nonce go as high with EIP 1271 contracts that hold the...

6.9 AI Score

2022-06-03 12:00 AM
11
github

Duplicate Advisory: tree-kill vulnerable to remote code execution

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-884p-74jh-xrg2. This link is maintained to preserve external references. Original Description A Code Injection exists in tree-kill on Windows which allows a remote code execution when an attacker is able to...

9.9 AI Score

2022-05-24 05:04 PM
16
huntr

Path Traversal in WellKnownServlet

Description The WellKnownServlet is vulnerable to path traversal. This allows reading local files. For example the files in WEB-INF that contain secrets and API keys can be read. https://github.com/jgraph/drawio/blob/v18.0.4/src/main/java/com/mxgraph/online/WellKnownServlet.java#L40-L66...

7.5 CVSS

-0.1 AI Score

0.001 EPSS

2022-05-14 10:01 PM
24
code423n4

No Storage Gap for Upgradeable Contract Might Lead to Storage Slot Collision

Lines of code https://github.com/code-423n4/2022-05-alchemix/blob/de65c34c7b6e4e94662bf508e214dcbf327984f4/contracts-full/CrossChainCanonicalBase.sol#L12 https://github.com/code-423n4/2022-05-alchemix/blob/de65c34c7b6e4e94662bf508e214dcbf327984f4/contracts-full/TransmuterV2.sol#L26...

7 AI Score

2022-05-09 12:00 AM
2
code423n4

amount requires to be updated to contract balance increase (17)

Lines of code Vulnerability details Impact Every time transferFrom or transfer function in ERC20 standard is called there is a possibility that underlying smart contract did not transfer the exact amount entered. It is required to find out contract balance increase/decrease after the transfer....

6.8 AI Score

2022-05-06 12:00 AM
6
code423n4

centralization risk

Lines of code Vulnerability details Impact Can lead to unlimited minting of tokens Proof of Concept If any of the provided roles / actors get malicious, then unlimited number for tokens either for mint or redeem, can lead to loss for the protocol. It should be onlyadmin based or either should be...

6.9 AI Score

2022-04-20 12:00 AM
5
code423n4

the governance can mint citadel tokens for themselves

Lines of code Vulnerability details the governance can call mint in citadel token and mint for themselves as much as they want and sell, which will cause the token price to drop to zero. The text was updated successfully, but these errors were encountered: All...

6.9 AI Score

2022-04-20 12:00 AM
5
code423n4

A large platformFee (>10000), would cause underflow during sendToSplitter (at RoyaltyVault.sol)

Lines of code https://github.com/code-423n4/2022-03-joyn/blob/c9297ccd925ebb2c44dbc6eaa3effd8db5d2368a/royalty-vault/contracts/RoyaltyVault.sol#L40-L41 Vulnerability details Impact (at RoyaltyVault.sol) Presently platformFee does not have an upper limit and can be set to any value through...

6.8 AI Score

2022-04-01 12:00 AM
5
code423n4

DoS: Attacker May Front-Run CoreFactory.createProject() With A _projectId Causing Future Transactions With The Same _projectId to Revert

Lines of code https://github.com/code-423n4/2022-03-joyn/blob/c9297ccd925ebb2c44dbc6eaa3effd8db5d2368a/core-contracts/contracts/CoreFactory.sol#L34-L40 Vulnerability details Impact A _projectId may only be used once in CoreFactory.createProject() since the modifier onlyAvailableProject will revert....

6.5 AI Score

2022-03-31 12:00 AM
4
code423n4

Using payable.transfer functions in WithdrawFacet.sol and Libasset.sol is not usable for smart contract calls due to possible shortage of gas.

Lines of code https://github.com/code-423n4/2022-03-lifinance/blob/699c2305fcfb6fe8862b75b26d1d8a2f46a551e6/src/Facets/WithdrawFacet.sol#L20-L38 Vulnerability details Impact Withdrawals and transferERC20 tokens are executed via transferERC20() and withdraw() functions. Since these functions calls.....

6.8 AI Score

2022-03-30 12:00 AM
3
code423n4

admin can rug

Lines of code Vulnerability details admin can steal all user funds The text was updated successfully, but these errors were encountered: All...

7 AI Score

2022-03-30 12:00 AM
5
code423n4

Risk of centralization

Lines of code https://github.com/code-423n4/2022-03-lifinance/blob/699c2305fcfb6fe8862b75b26d1d8a2f46a551e6/src/Facets/OwnershipFacet.sol#L8-L15 Vulnerability details Medium Risk Risk of centralization Impact Diamond owner has too many roles on setting the functions, initiating payable functions......

6.9 AI Score

2022-03-30 12:00 AM
3
code423n4

Add a timelock to DiamondCutFacet

Lines of code Vulnerability details Impact To give more trust to users: functions that set key/critical variables should be put behind a timelock. Proof of Concept Tools Used Remix Recommended Mitigation Steps Add a timelock to setter functions of key/critical variables. The text was updated...

6.8 AI Score

2022-03-30 12:00 AM
3
code423n4

Enforced Owner Can Extract Funds From The Contract

Lines of code Vulnerability details Impact During the code review, it has been observed that access control mechanisms are checked with the following line. LibDiamond.enforceIsContractOwner(); The withdraw gives the contract owner the ability to extract all funds that are sent to the contract. This poses...

7 AI Score

2022-03-30 12:00 AM
4
code423n4

DoS attack the system and steal all the users' funds

Lines of code https://github.com/code-423n4/2022-03-prepo/blob/f63584133a0329781609e3f14c3004c1ca293e71/contracts/core/SingleStrategyController.sol#L32-L40 https://github.com/code-423n4/2022-03-prepo/blob/f63584133a0329781609e3f14c3004c1ca293e71/contracts/core/SingleStrategyController.sol#L79-L81.....

6.7 AI Score

2022-03-18 12:00 AM
1
veracode

Remote Code Execution (RCE)

razorengine is vulnerable to remote code execution. The vulnerability exists because it does not sanitize the CAS (code access security) of an insecure sandboxed environment, allowing an attacker to execute maliciously crafted .NET code into the...

9.8 CVSS

4.5 AI Score

0.002 EPSS

2022-03-07 02:56 AM
21
code423n4

NPM Dependency confusion. Unclaimed NPM Package and Scope/Org

Lines of code Vulnerability details Impact I discovered an npm package and the scope of the package is unclaimed on the NPM website. This will allow any user to claim that package and be able to upload malicious code under that unclaimed package. This results in achieving the Remote code...

7.5 AI Score

2022-03-05 12:00 AM
3
code423n4

Primary seller can avoid paying the primary fee

Lines of code https://github.com/code-423n4/2022-02-foundation/blob/4d8c8931baffae31c7506872bf1100e1598f2754/contracts/mixins/NFTMarketFees.sol#L188 Vulnerability details Impact A primary seller can circumvent the 15% fee and pay 5% as a secondary seller. Context The foundation protocol charges a.....

6.7 AI Score

2022-03-02 12:00 AM
5
code423n4

Bypass MAX_LOCK duration + External calls even when delegation is locked

Lines of code https://github.com/pooltogether/v4-twab-delegator/blob/master/contracts/Delegation.sol#L40 Vulnerability details Impact Delegation owner can change the MAX_LOCK duration even though current lock set on delegation has not yet expired Also Delegation owner can execute calls even when...

6.9 AI Score

2022-02-22 12:00 AM
3
veracode

Privilege Escalation

snipe/snipe-it is vulnerable to privilege escalation. The vulnerability exists in AssetMaintenancesController.php and AssetMaintenancesController.php due to missing edit / delete Asset gates which allows an unauthenticated user to create maintenance for...

8.8 CVSS

3.8 AI Score

0.001 EPSS

2022-02-17 07:03 AM
8
code423n4

Basis points constant BPS_MAX is used as minimal fee amount requirement

Lines of code Vulnerability details Impact Base fee modules require minimum fixed fee amount to be at least BPS_MAX, which is hard coded to be 10000. This turns out to be a functionality restricting requirement for some currencies. For example, WBTC...

6.8 AI Score

2022-02-15 12:00 AM
5
code423n4

Re-entrancy vulnerabilities

Lines of code Vulnerability details Impact Function claimRewards in ConcurRewardPool should be re-entrancy protected or first nullify the reward before sending it, otherwise, if any token contains a transfer callback hook, users can claim the same rewards multiple times, by re-entering the...

6.8 AI Score

2022-02-09 12:00 AM
4
huntr

Exposure of Sensitive Information to an Unauthorized Actor in transloadit/uppy

Description First, thanks to my friend Haxatron for this awesome report. I reviewed the @uppy/companion code from the source to the sink, and I figured out a significant issue that makes any SSRF protection Effectless. I put myself as a Developer and started to read the companion document, and then I...

7.5 CVSS

-0.6 AI Score

0.001 EPSS

2022-02-03 09:35 PM
8
code423n4

Lack of access control in the parameterize function of proposal contracts

Handle shw Vulnerability details Impact Most of the proposal contracts have a parameterize function for setting the proposal parameters, and these functions are protected only by the notCurrent modifier. When the proposal is proposed through a lodgeProposal transaction, an attacker can front-run...

6.8 AI Score

2022-02-02 12:00 AM
4
code423n4

_supportDexs array length not checked in constructor

Handle jayjonah8 Vulnerability details Impact In OpenLevDelegator.sol an array of _supportDexs is passed to the constructor function and then passed to the delegateTo function but the _supportDexs arrays length is not checked which can result in costly errors. Proof of Concept Tools Used Manual...

7.1 AI Score

2022-01-27 12:00 AM
4
osv

Path traversal in Onionshare

Between September 26, 2021 and October 8, 2021, Radically Open Security conducted a penetration test of OnionShare 2.4, funded by the Open Technology Fund's Red Team lab. This is an issue from that penetration test. Vulnerability ID: OTF-013 Vulnerability type: Improper Hardening Threat level:...

6.5 CVSS

0.5 AI Score

0.001 EPSS

2022-01-21 11:20 PM
11
github

Path traversal in Onionshare

Between September 26, 2021 and October 8, 2021, Radically Open Security conducted a penetration test of OnionShare 2.4, funded by the Open Technology Fund's Red Team lab. This is an issue from that penetration test. Vulnerability ID: OTF-013 Vulnerability type: Improper Hardening Threat level:...

6.5 CVSS

0.5 AI Score

0.001 EPSS

2022-01-21 11:20 PM
11
huntr

in detekt/detekt

Description The read() function makes use of SAXParser generated from a SAXParserFactory with no FEATURE_SECURE_PROCESSING set, allowing for XXE attacks. In...

9.8 CVSS

1.4 AI Score

0.002 EPSS

2022-01-16 06:39 AM
14
code423n4

safeSymbol() can revert causing DoS

Handle sirhashalot Vulnerability details Impact The safeSymbol() function, found in the SafeMetadata.sol contract and called in 4 Timeswap Convenience contracts in the symbol() functions, can cause a revert. This could make the 4 contracts not compliant with the ERC20 standard for certain asset...

6.9 AI Score

2022-01-08 12:00 AM
6
code423n4

safeName() can revert causing DoS

Handle sirhashalot Vulnerability details Impact The safeName() function, found in the SafeMetadata.sol contract and called in 4 Timeswap Convenience contracts in the name() functions, can cause a revert. This could make the 4 contracts not compliant with the ERC20 standard for certain asset pairs,....

6.9 AI Score

2022-01-08 12:00 AM
8
packetstorm

0.9 AI Score

2021-12-14 12:00 AM
211
exploitdb

7.4 AI Score

2021-12-14 12:00 AM
209
zdt

7.4 AI Score

2021-12-14 12:00 AM
294
kitploit

Cracken - A Fast Password Wordlist Generator, Smartlist Creation And Password Hybrid-Mask Analysis Tool

Cracken is a fast password wordlist generator, Smartlist creation and password hybrid-mask analysis tool written in pure safe Rust (more on talk/). Inspired by great tools like maskprocessor, hashcat, Crunch and HuggingFace's tokenizers. What? Why? Woot?? At DeepSec2021 we presented a new method....

7 AI Score

2021-11-27 08:30 PM
32
code423n4

No way to remove GasThrottle after deployment

Handle TomFrench Vulnerability details Impact Potential DOS on swaps Proof of Concept BasePool and BasePoolV2 make use of a validateGas modifier on swaps which checks that the user's gas price is below the value returned by _FAST_GAS_ORACLE....

6.9 AI Score

2021-11-15 12:00 AM
6
code423n4

MochiTreasuryV0.withdrawLock() Is Callable When Locking Has Been Toggled

Handle leastwood Vulnerability details Impact withdrawLock() does not prevent users from calling this function when locking has been toggled. As a result, withdraws may be made unexpectedly. Proof of Concept Tools Used Manual code review Recommended Mitigation Steps Consider adding...

7 AI Score

2021-10-27 12:00 AM
4
code423n4

Users could lose funds if owner took out reward which is not multiplier of allocatedTokensPerEpoch

Handle xYrYuYx Vulnerability details Impact User could lose funds if owner takes reward which is not multiplier of allocatedTokensPerEpoch. Proof of Concept This is my test case to prove this issue. This issue occurs because of Line 104...

6.7 AI Score

2021-10-19 12:00 AM
6
cnvd

Bosch Rexroth IndraMotion Mlc Cross-Site Scripting Vulnerability

The Bosch Rexroth IndraMotion Mlc is a new device that combines motion and logic control, as well as robot control. A cross-site scripting vulnerability exists in the Bosch Rexroth IndraMotion Mlc, which stems from the lack of proper validation of client-side data by the WEB application. An...

6.1 CVSS

2.3 AI Score

0.001 EPSS

2021-10-09 12:00 AM
7
cnvd

Bosch Rexroth IndraMotion Mlc has an unspecified vulnerability

Bosch Rexroth IndraMotion Mlc is a new device that combines motion and logic control, as well as robotics control. A security vulnerability exists in Bosch Rexroth IndraMotion Mlc, which stems from a network system or product that does not properly use the relevant cryptographic algorithms, and...

7.5 CVSS

1.4 AI Score

0.002 EPSS

2021-10-09 12:00 AM
6
cnvd

Bosch Rexroth IndraMotion Mlc Licensing Issue Vulnerability

Bosch Rexroth IndraMotion Mlc is a new device that combines motion and logic control, as well as robotics control. A security vulnerability exists in Bosch Rexroth IndraMotion Mlc, which stems from a network system or product that does not properly use the relevant cryptographic algorithms, and...

9.8 CVSS

1.5 AI Score

0.003 EPSS

2021-10-09 12:00 AM
10
cve

CVE-2021-23856

The web server is vulnerable to reflected XSS and therefore an attacker might be able to execute scripts on a client’s computer by sending the client a manipulated...

10 CVSS

6 AI Score

0.001 EPSS

2021-10-04 06:15 PM
18
cve

CVE-2021-23857

Login with hash: The login routine allows the client to log in to the system not by using the password, but by using the hash of the password. Combined with CVE-2021-23858, this allows an attacker to subsequently login to the...

10 CVSS

7.9 AI Score

0.003 EPSS

2021-10-04 06:15 PM
20
Total number of security vulnerabilities: 427