微信打赏（Wechat Reward) Security Vulnerabilities

Huge over calculating user rewards

Lines of code https://github.com/code-423n4/2023-03-neotokyo/blob/dfa5887062e47e2d0c801ef33062d44c09f6f36e/contracts/staking/NeoTokyoStaker.sol#L1331-L1332 https://github.com/code-423n4/2023-03-neotokyo/blob/dfa5887062e47e2d0c801ef33062d44c09f6f36e/contracts/staking/NeoTokyoStaker.sol#L1342-L1343.....

Ability to receive LP rewards without having any LP staked

Lines of code Vulnerability details Impact The impact of this is high as a user is able to first stake LP tokens, then craftily withdraw them in specific increments without any change to their staking rewards. The user is able to get to a state in which they have 0 LP tokens staked, but have >0 ...

ZERO TRUNCATION COULD LEAD TO UNEXPECTED RESULTS

Lines of code https://github.com/code-423n4/2023-03-neotokyo/blob/main/contracts/staking/NeoTokyoStaker.sol#L1155 https://github.com/code-423n4/2023-03-neotokyo/blob/main/contracts/staking/NeoTokyoStaker.sol#L1623 Vulnerability details Impact Precision issue leading to zero truncation due to...

Unclaimed rewards will be stuck unrecoverable

Lines of code https://github.com/code-423n4/2023-03-neotokyo/blob/dfa5887062e47e2d0c801ef33062d44c09f6f36e/contracts/staking/NeoTokyoStaker.sol#L1409 https://github.com/code-423n4/2023-03-neotokyo/blob/dfa5887062e47e2d0c801ef33062d44c09f6f36e/contracts/staking/NeoTokyoStaker.sol#L1264...

Updating a pool's total points doesn't affect existing stake positions for rewards calculation

Lines of code Vulnerability details Impact Staking rewards are calculated based on the user's share of total points in the corresponding asset pool, this is the sum of the points associated to the staker's positions divided by the total points from all positions in the pool. We can see this...

How AI Could Write Our Laws

Nearly 90% of the multibillion-dollar federal lobbying apparatus in the United States serves corporate interests. In some cases, the objective of that money is obvious. Google pours millions into lobbying on bills related to antitrust regulation. Big energy companies expect action whenever there...

The Prolificacy of LockBit Ransomware

Today, the LockBit ransomware is the most active and successful cybercrime organization in the world. Attributed to a Russian Threat Actor, LockBit has stepped out from the shadows of the Conti ransomware group, who were disbanded in early 2022. LockBit ransomware was first discovered in September....

Upgraded Q -> 2 from #29 [1678626286403]

Judge has assessed an item in Issue #29 as 2 risk. The relevant finding follows: Maximum fixed reward is $6553.5 - too small in case of selectionSize = 16 The text was updated successfully, but these errors were encountered: All...

Risk of flashloan attacks in the Staking contract

Lines of code https://github.com/code-423n4/2023-03-wenwin/blob/main/src/staking/Staking.sol#L79-L89 https://github.com/code-423n4/2023-03-wenwin/blob/main/src/staking/Staking.sol#L103-L106 https://github.com/code-423n4/2023-03-wenwin/blob/main/src/staking/Staking.sol#L91-L101 Vulnerability...

Rewards for the Staking.sol contract may be stolen via the first staker

Lines of code https://github.com/code-423n4/2023-03-wenwin/blob/main/src/staking/Staking.sol#L122 Vulnerability details Impact The return amount of the function rewardPerToken() may be inflated for the first in the Staking.sol contract. Proof of Concept The Staking.sol contract is designed for the....

Fixed rewards may also be cut

Lines of code Vulnerability details Impact Fixed rewards may change when packed. Proof of Concept In LotterySetup.packFixedRewards function packFixedRewards(uint256[] memory rewards) private view returns (uint256 packed) { if (rewards.length != (selectionSize) || rewards[0] != 0) { ...

Ticket: Owner of winning ticket can frontrun secondary sales

Lines of code Vulnerability details The Wenwin docs note that tickets "can be traded on the secondary market before or after the draw," since they are standard ERC721 tokens. After a ticket draw, the owner of a winning ticket may call Lottery#claimWinningTickets, which transfers lottery winnings...

Wrong calculation in calculateNewProfit

Lines of code https://github.com/code-423n4/2023-03-wenwin/blob/main/src/Lottery.sol#L240 https://github.com/code-423n4/2023-03-wenwin/blob/main/src/Lottery.sol#L209 https://github.com/code-423n4/2023-03-wenwin/blob/main/src/Lottery.sol#L212 Vulnerability details Impact There is a wrong...

Reentrancy in staking function exit

Lines of code Vulnerability details Impact The user on calling exit calls the updateReward function twice. Proof of Concept First entry is in function withdraw() _burn() https://github.com/code-423n4/2023-03-wenwin/blob/91b89482aaedf8b8feb73c771d11c257eed997e8/src/staking/Staking.sol#L85 Calling...

Loss of reward for stakingRewardRecipient

Lines of code https://github.com/code-423n4/2023-03-wenwin/blob/main/src/Lottery.sol#L249-L257 https://github.com/code-423n4/2023-03-wenwin/blob/main/src/LotteryMath.sol#L119-L130 Vulnerability details Impact Anyone can call claimRewards function with rewardType = LotteryRewardType.STAKING, in...

Wrong reward calculation if the reward token doesn't have 18 decimals

Lines of code https://github.com/code-423n4/2023-03-wenwin/blob/91b89482aaedf8b8feb73c771d11c257eed997e8/src/LotterySetup.sol#L120 Vulnerability details Impact If the rewardToken has less than 16 decimals, users will not be able to claim the correct value of their prize. Try not to think it will...

Division before multiplication lead to truncation

Lines of code Vulnerability details Impact Calculation could result in truncation. Proof of Concept Staking.sol#L60-L64 : function earned(address account) public view override returns (uint256 _earned) { return balanceOf(account) * (rewardPerToken() - userRewardPerTokenPaid[account]) / 1e18 +...

Minimum referral requirement is incorrectly computed

Lines of code Vulnerability details As per the docs: Referrer rewards are allocated on a per draw basis Referrers who meet the minimum referral requirement according to the following table will be eligible for the Individual Referrer Allocation The minimum referral requirement for a draw N + 1...

Calculation in calculateNewProfit function is broken when jackpot is not won

Lines of code Vulnerability details The function calculateNewProfit present in the LotteryMath library is used when finalizing the current draw in the Lottery to track and update the currentNetProfit variable in the contract....

Fixed rewards in DAI (or similar token) can potentially overflow when being packed

Lines of code Vulnerability details When the lottery is initialized, fixed rewards are tightly packed in a 256 bit word. This is implemented in the packFixedRewards function: https://github.com/code-423n4/2023-03-wenwin/blob/main/src/LotterySetup.sol#L164-L176 function packFixedRewards(uint256[]...

Lottery Insolvency can lead to unclaimable winning tickets despite paying out Frontend and Staking rewards

Lines of code https://github.com/code-423n4/2023-03-wenwin/blob/main/src/LotterySetup.sol#L80 https://github.com/code-423n4/2023-03-wenwin/blob/main/src/LotterySetup.sol#L161 https://github.com/code-423n4/2023-03-wenwin/blob/main/src/Lottery.sol#L151 Vulnerability details Impact Lottery Insolvency....

The state of stalkerware in 2022

The state of stalkerware in 2022 (PDF) Main findings of 2022 The State of Stalkerware is an annual report by Kaspersky which contributes to a better understanding of how many people in the world are affected by digital stalking. Stalkerware is a commercially available software that can be...

Exploit for Code Injection in Vmware Spring Cloud Function

CVE-2022-22963 (spring cloud function sple rce) spring...

Inexistent Prevention of Duplicates

Lines of code https://github.com/code-423n4/2023-02-ethos/blob/main/Ethos-Core/contracts/StabilityPool.sol#L626-L635 https://github.com/code-423n4/2023-02-ethos/blob/main/Ethos-Core/contracts/LQTY/LQTYStaking.sol#L203-L211 Vulnerability details Impact The CollateralConfig::initialize function...

Command Execution Vulnerability in Pan-Asia Classroom

Pan-Asia Classroom is an online classroom software. A command execution vulnerability exists in Pantheon Classroom, which can be exploited by an attacker to execute arbitrary...

Experts Identify Fully-Featured Info Stealer and Trojan in Python Package on PyPI

A malicious Python package uploaded to the Python Package Index (PyPI) has been found to contain a fully-featured information stealer and remote access trojan. The package, named colourfool, was identified by Kroll's Cyber Threat Intelligence team, with the company calling the malware...

Upgraded Q -> 2 from #752 [1677633810856]

Judge has assessed an item in Issue #752 as 2 risk. The relevant finding follows: Possibility of MultiRewardEscrow.claimReward() to be vulnerable to a reentrancy attack There are a bunch of external calls before setting accruedRewards[user][_rewardTokens[i]]to zero. Malicious actors can add some...

Panmicro ecology9 SQL Injection Vulnerability

Ecology9 is a new and efficient collaborative office system created by Panmicro for medium and large organizations. There is a SQL injection vulnerability in Panmicro ecology9, which can be exploited by attackers to obtain sensitive database...

Banning TikTok

Congress is currently debating bills that would ban TikTok in the United States. We are here as technologists to tell you that this is a terrible idea and the side effects would be intolerable. Details matter. There are several ways Congress might ban TikTok, each with different efficacies and...

Exploit for CVE-2023-23752

CVE-2023-23752-Joomla 免责声明：...

Exploit for CVE-2023-23752

受影响版本 4.0.0 <= Joomla <= 4.2.7 不受影响版本Joomla >= 4.2.8 ...

CVE-2022-45564

SQL Injection vulnerability in znfit Home improvement ERP management system V50_20220207,v42 allows attackers to execute arbitrary sql commands via the userCode parameter to the wechat...

CVE-2022-45564

SQL Injection vulnerability in znfit Home improvement ERP management system V50_20220207,v42 allows attackers to execute arbitrary sql commands via the userCode parameter to the wechat...

Sql injection

SQL Injection vulnerability in znfit Home improvement ERP management system V50_20220207,v42 allows attackers to execute arbitrary sql commands via the userCode parameter to the wechat...

Mozilla Critical Services: Email user account in indexacao waybackurl

Indexing a large number of user emails on the Internet Archive. When leaked data, like user email addresses, are found in online search engine cache's like archive.org, Mozilla rewards bounty hunters who report it in two cases: - The volume of leaked data is large enough to warrant us contacting...

CVE-2022-45564

SQL Injection vulnerability in znfit Home improvement ERP management system V50_20220207,v42 allows attackers to execute arbitrary sql commands via the userCode parameter to the wechat...

RewardThrottle: If an epoch does not have any profit, then there may not be rewards for that epoch at the start of the next epoch.

Lines of code Vulnerability details Impact In RewardThrottle, both checkRewardUnderflow and fillInEpochGaps call _fillInEpochGaps to fill the state of the previous epoch without profit, the difference being that checkRewardUnderflow will request the reward from the overflowPool and distribute the.....

Weak password vulnerability exists in CGW9000 of Shanghai Huanchuang Communication Technology Co.

Shanghai Huanchuang Communication Technology Co., Ltd. is a high-tech enterprise focusing on the research and development of wireless communication products for private networks, providing private network solutions for rail transportation, fire emergency, intelligent manufacturing, coal mining,...

Weak Password Vulnerability in CGW4700-RC of Shanghai Huanchuang Communication Technology Co.

Shanghai Huanchuang Communication Technology Co., Ltd. is a high-tech enterprise focusing on the research and development of wireless communication products for private network with the core of wireless communication technology, providing solutions for private network in rail transportation, fire.....

LinearDistributor.declareReward can revert due to dependency of balance

Lines of code https://github.com/code-423n4/2023-02-malt/blob/main/contracts/RewardSystem/LinearDistributor.sol#L185-L186 https://github.com/code-423n4/2023-02-malt/blob/main/contracts/RewardSystem/LinearDistributor.sol#L123-L136 Vulnerability details Impact LinearDistributor.declareReward will...

Weak Password Vulnerability in CGW4900 of Shanghai Huanchuang Communication Technology Co.

Shanghai Huanchuang Communication Technology Co., Ltd. is a high-tech enterprise focusing on the research and development of wireless communication products for private network with the core of wireless communication technology, providing solutions for private network in rail transportation, fire.....

LinearDistributor.declareReward: previouslyVested may update incorrectly, which will cause some rewards to be lost

Lines of code Vulnerability details Impact In LinearDistributor.declareReward , distributed represents the reward to distribute and is calculated using netVest(currentlyVested - previouslyVested). At the same time, distributed cannot exceed balance, which means that if balance < linearBondedValu...

Experts Warn of RambleOn Android Malware Targeting South Korean Journalists

Suspected North Korean nation-state actors targeted a journalist in South Korea with a malware-laced Android app as part of a social engineering campaign. The findings come from South Korea-based non-profit Interlab, which coined the new malware RambleOn. The malicious functionalities include the.....

Early staker can disable staking by issuing and sending a bit to Furance

Lines of code Vulnerability details This one is caused by mitigation to issue M-05 Impact Early issuer can issue less than one wad (e.g. 9e17 wei) and send it to the Furnace contract, then whenever anyone is trying to issue more RTokens melt() would be called, since there’s less than 1 wad in...

Wordfence Intelligence CE Weekly Vulnerability Report (Feb 6, 2023 to Feb 12, 2023)

In case you missed it, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence Community Edition. This database is continuously updated, maintained, and populated by Wordfence's highly...

Upgraded Q -> 2 from #206 [1676531414343]

Judge has assessed an item in Issue #206 as 2 risk. The relevant finding follows: Issue 2: receipts are not burned upon claiming reward. In my opinion, current system of just claiming some tokens to be "used" has some downsides: in any claim check, users spend gas to iterate over these tokens too.....

There is no way to recover from error state

Lines of code Vulnerability details Impact There is no way to recover from error state Proof of Concept To address report M-3, in PR, https://github.com/multisig-labs/gogopool/pull/20/files The finishFailedMinipoolByMultisig method removed, while this does not block user from withdraw the fund in.....

Slashed amount may not be cover the staker reward payout

Lines of code Vulnerability details Impact Slashed amount may not be cover the staker reward payout Proof of Concept In the current fix, https://github.com/multisig-labs/gogopool/pull/41 If the staked balance cannot cover the slashed amount, seize the staked balance. Staking staking =...

RewardsStartTime should be reset when decreaseAVAXAssigned is called

Lines of code https://github.com/multisig-labs/gogopool/blob/4bcef8b1d4e595c9ba41a091b2ebf1b45858f022/contracts/contract/Staking.sol#L125 https://github.com/multisig-labs/gogopool/blob/4bcef8b1d4e595c9ba41a091b2ebf1b45858f022/contracts/contract/ClaimNodeOp.sol#L78 Vulnerability details Impact...

What Will It Take?

What will it take for policy makers to take cybersecurity seriously? Not minimal-change seriously. Not here-and-there seriously. But really seriously. What will it take for policy makers to take cybersecurity seriously enough to enact substantive legislative changes that would address the...