Eva-al10; Eva-cl00; Eva-dl00; Eva-l09; Eva-l19; Eva-l29; Eva-tl00; Vie-l09; Vie-l29 Security Vulnerabilities

NATIVE TOKENS TRANSFERRED TO THE LlamaAccount CONTRACT CAN GET STUCK

Lines of code https://github.com/code-423n4/2023-06-llama/blob/main/src/accounts/LlamaAccount.sol#L147-L150 https://github.com/code-423n4/2023-06-llama/blob/main/src/LlamaExecutor.sol#L29-L36 https://github.com/code-423n4/2023-06-llama/blob/main/src/LlamaCore.sol#L333-L334 Vulnerability details...

LlamaExecutor#execute is not payable

Lines of code Vulnerability details Impact Since the execute function in LlamaExecutor.sol is not payable, nor the contract has the ability to receive ether, any action that requires sending ETH will eventually fail. Proof of Concept Tools Used Manual review Recommended Mitigation Steps One of the....

NATIVE TOKENS COULD GET STUCK INSIDE THE LlamaCore CONTRACT SINCE THERE IS NO WITHDRAWAL MECHANISM

Lines of code https://github.com/code-423n4/2023-06-llama/blob/main/src/LlamaCore.sol#L333-L334 https://github.com/code-423n4/2023-06-llama/blob/main/src/LlamaExecutor.sol#L29-L35 Vulnerability details Impact The LlamaCore contract has a single payable function LlamaCore.executeAction(). It is...

Execution does not work if the action has a non-zero value

Lines of code https://github.com/code-423n4/2023-06-llama/blob/aac904d31639c1b4b4e97f1c76b9c0f40b8e5cee/src/LlamaCore.sol#L334 Vulnerability details Llama instances have a separate LlamaExecutor contract for action execution. When calling LlamaCore.executeAction(), the flow is the following (for...

Success value and msg.value not checked in llamaExecutor.sol

Lines of code Vulnerability details Impact Success value not checked. Result can fail silently. Msg.value can be lost. Proof of Concept Function execute does not check the validity of success. If execute is called and msg.value is greater than value, then excess msg.value will be stucked in...

Unsafe delegatecall functionality can break core protocol functionality

Lines of code https://github.com/code-423n4/2023-06-llama/blob/main/src/LlamaCore.sol#L454-L458 https://github.com/code-423n4/2023-06-llama/blob/main/src/accounts/LlamaAccount.sol#L297-L331 Vulnerability details Impact There are multiple contracts which include delegatecall functionality,...

CVE-2023-27706

Bitwarden Windows desktop application versions prior to v2023.4.0 store biometric keys in Windows Credential Manager, accessible to other local unprivileged...

CVE-2023-27706

Bitwarden Windows desktop application versions prior to v2023.4.0 store biometric keys in Windows Credential Manager, accessible to other local unprivileged...

CVE-2023-27706

Bitwarden Windows desktop application versions prior to v2023.4.0 store biometric keys in Windows Credential Manager, accessible to other local unprivileged...

Anyone Can selfdestruct The VaultProxy Contract.

Lines of code https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/factory/VaultFactory.sol#L29 https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/factory/VaultFactory.sol#L42...

CVE-2023-27706

Bitwarden Windows desktop application versions prior to v2023.4.0 store biometric keys in Windows Credential Manager, accessible to other local unprivileged...

Recipient address is not appropriately validated or sanitized in the BaseFeeVault contract (loss of funds)

Lines of code Vulnerability details Impact If the recipient address is not properly validated, an attacker could supply a malicious address as the recipient. This could result in the accumulated fees being sent to an unintended or unauthorized party. It could lead to financial loss or disruption...

eva-photo.com Cross Site Scripting vulnerability OBB-3364793

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...

Introducing: ‘Saved Filters’ in InsightCloudSec

Last year, when we launched Layered Context in InsightCloudSec, we knew we had something great on our hands. Not just because we provided a single view for cloud security practitioners to see their full cloud risk posture (though, if we do say so ourselves, that’s pretty sweet). No, we knew we had....

Wrong blocksPerYear in WhitePaperInterestRateModel

Lines of code https://github.com/code-423n4/2023-05-venus/blob/main/contracts/BaseJumpRateModelV2.sol#L23 Vulnerability details Impact Venus is deployed on BNB Chain instead of Ethereum. Their block times are different. And WhitePaperInterestRateModel.sol is modified from compound. Therefore,...

Imprecise block calculation

Lines of code Vulnerability details Vulnerability details Impact * @dev Roughly equivalent to the number of blocks in 7 days. * @dev Roughly equivalent to the number of blocks in 90 days. * @dev Roughly equivalent to the number of blocks in 10 days. As described...

m.static Directory Traversal vulnerability

All versions of the package m.static are vulnerable to Directory Traversal due to improper input sanitization of the path being requested via the requestFile...

m.static Directory Traversal vulnerability

All versions of the package m.static are vulnerable to Directory Traversal due to improper input sanitization of the path being requested via the requestFile...

Slot and block number proofs not required for verification of withdrawal (multiple withdrawals possible)

Lines of code https://github.com/code-423n4/2023-04-eigenlayer/blob/5e4872358cd2bda1936c29f460ece2308af4def6/src/contracts/libraries/BeaconChainProofs.sol#L245-L295...

CVE-2022-33281

Memory corruption due to improper validation of array index in computer vision while testing EVA kernel without sending any...

CVE-2022-33281

Memory corruption due to improper validation of array index in computer vision while testing EVA kernel without sending any...

Memory corruption

Memory corruption due to improper validation of array index in computer vision while testing EVA kernel without sending any...

CVE-2022-33281 Improper validation of array index in computer vision.

Memory corruption due to improper validation of array index in computer vision while testing EVA kernel without sending any...

Missing important check in getOwnerAddress() function in DNSClaimChecker.sol

Lines of code Vulnerability details Impact getOwnerAddress() function used in DNSClaimChecker.sol is missing important check on the type and class of the records. Also this getOwnerAddress() function is used in DNSRegistar.sol _claim function to claim a name using the given proofs Since there are.....

SHA1Digest Contract Vulnerability

Lines of code Vulnerability details Impact The vulnerability is related to the use of the SHA1 hashing algorithm in the SHA1Digest contract. SHA1 is an outdated cryptographic hash function that has been deprecated by most security experts due to its weaknesses and susceptibility to collision...

Timing Attack

github.com/iofinnet/thresh, github.com/thorchain/thorchain-tss and github.com/bnb-chain/tss-lib are vulnerable to Timing Attacks. The vulnerability exists due to a timing side-channel attack because it relies on the scalar-multiplication implementation in Go crypto/elliptic which allows an...

From integer Overflow to DoS attack that leads to financial losses in ModexpPrecompile.modexp function and RSAVerify library.

Lines of code https://github.com/code-423n4/2023-04-ens/blob/main/contracts/dnssec-oracle/algorithms/ModexpPrecompile.sol#L7 Vulnerability details Impact This vulnerability to cause unexpected behavior or even a denial-of-service attack on a contract that uses the RSAVerify library on...

VetoProposal#voteToVeto can be called repeatedly by same voter and be used to lock party

Lines of code Vulnerability details Impact Party can be locked due to not being able to pass and proposals Proof of Concept VetoProposal.sol#L37-L59 uint96 votingPower = party.getVotingPowerAt( msg.sender, proposalValues.proposedTime - 1, snapIndex ); uint96...

Voters can call VetoProposal.voteToVeto() as many times as they like.

Lines of code Vulnerability details Impact Each voter can veto a proposal if they want by calling voteToVeto() several times to pass the passThresholdBps. Proof of Concept Every voter shouldn't vote several times, otherwise, the voting system will be broken. But voteToVeto() doesn't check the...

eva-thiel.de Cross Site Scripting vulnerability OBB-3256856

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...

VetoProposal: proposals cannot be vetoed in all states in which it should be possible to veto proposals

Lines of code Vulnerability details Impact The VetoProposal contract allows to veto proposals with the voteToVeto function. The proposal can only be vetoed when it is in the Voting state, otherwise the voteToVeto function reverts. The issue is that the Voting state is not the only state in which...

VetoProposal: user can veto multiple times so every proposal can be votoed by any user that has a small amount of votes

Lines of code Vulnerability details Impact The VetoProposal contract allows to veto proposals with the voteToVeto function. When the amount of votes collected to veto a proposal exceeds a certain threshold (the passThresholdBps, which is determined upon initialization of the party), the proposal...

science-et-vie-junior.fr Cross Site Scripting vulnerability OBB-3234144

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...

KangarooVault.initiateDeposit, KangarooVault.processDepositQueue, KangarooVault.initiateWithdrawal, and KangarooVault.processWithdrawalQueue functions do not use whenNotPaused modifier

Lines of code https://github.com/code-423n4/2023-03-polynomial/blob/main/src/KangarooVault.sol#L183 https://github.com/code-423n4/2023-03-polynomial/blob/main/src/KangarooVault.sol#L243 https://github.com/code-423n4/2023-03-polynomial/blob/main/src/KangarooVault.sol#L215...

DefaultAccount will add system call flag to any call with msg.value

Lines of code https://github.com/code-423n4/2023-03-zksync/blob/main/contracts/libraries/EfficientCall.sol#L134-L145 https://github.com/code-423n4/2023-03-zksync/blob/main/contracts/MsgValueSimulator.sol#L22-L29...

Threat Source newsletter (March 9, 2023) — Stop freaking out about ChatGPT

Welcome to this week's edition of the Threat Source newsletter. There is no shortage of hyperbolic headlines about ChatGPT out there, everything from how it and other AI tools like it are here to replace all our jobs, make college essays a thing of the past and change the face of cybersecurity as.....

International Women’s Day: The power of diversity to build stronger cybersecurity teams

Women’s History Month is a special time for me as I reflect on all the great innovations women have made over the years. Women have driven technology forward throughout history. Notable women in cybersecurity like cryptologists Agnes Meyer Driscoll and Genevieve Grotjan Feinstein worked behind the....

International Women’s Day: The power of diversity to build stronger cybersecurity teams

Women’s History Month is a special time for me as I reflect on all the great innovations women have made over the years. Women have driven technology forward throughout history. Notable women in cybersecurity like cryptologists Agnes Meyer Driscoll and Genevieve Grotjan Feinstein worked behind the....

Contract not initialized after deployment

Lines of code https://github.com/code-423n4/2023-02-ethos/blob/73687f32b934c9d697b97745356cdf8a1f264955/Ethos-Vault/contracts/ReaperStrategyGranarySupplyOnly.sol#L62...

ReaperBaseStrategyv4 is not Initializable

Lines of code https://github.com/code-423n4/2023-02-ethos/blob/73687f32b934c9d697b97745356cdf8a1f264955/Ethos-Vault/contracts/ReaperStrategyGranarySupplyOnly.sol#L62...

la-vie-dor.com Cross Site Scripting vulnerability OBB-3180604

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...

Proxy admin of DripsHub, AddressDriver, NFTDriver and ImmutableSplitsDriver can steal users' tokens by upgrading the contract

Lines of code https://github.com/code-423n4/2023-01-drips/blob/9fd776b50f4be23ca038b1d0426e63a69c7a511d/src/AddressDriver.sol#L19 https://github.com/code-423n4/2023-01-drips/blob/9fd776b50f4be23ca038b1d0426e63a69c7a511d/src/NFTDriver.sol#L19...

No support non-18 decimals token

Lines of code https://github.com/code-423n4/2023-01-numoen/blob/2ad9a73d793ea23a25a381faadc86ae0c8cb5913/src/core/JumpRate.sol#L21 https://github.com/code-423n4/2023-01-numoen/blob/2ad9a73d793ea23a25a381faadc86ae0c8cb5913/src/core/JumpRate.sol#L37...

Mitigation of M-06: Issue not mitigated

Lines of code Vulnerability details The sponsor disputes the issue, but never follows up after judge's comments, so the same issue remains in the new code. The text was updated successfully, but these errors were encountered: All...

Mitigation of M-06: Issue not mitigated

Lines of code Vulnerability details Mitigation of M-06: Issue not mitigated The text was updated successfully, but these errors were encountered: All...

Only one GroupBuy can ever use USDT or similar tokens with front-running approval protections

Lines of code Vulnerability details The issue that is described in code-423n4/2022-12-tessera-findings#37 was not mitigated and still applies like it is described there. The text was updated successfully, but these errors were encountered: All...

eva-va.nl Cross Site Scripting vulnerability OBB-3132201

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...

CVE-2022-44564

Huawei Aslan Children's Watch has a path traversal vulnerability. Successful exploitation may allow attackers to access or modify protected system...

CVE-2022-45874

Huawei Aslan Children's Watch has an improper authorization vulnerability. Successful exploit could allow the attacker to access certain...

CVE-2022-39012

Huawei Aslan Children's Watch has an improper input validation vulnerability. Successful exploitation may cause the watch's application service...