微信打赏（Wechat Reward) Security Vulnerabilities

Transferring the allotAmount reward to MultisigManager leads to the loss of reward when no wallet is enabled in the RewardsPool

Lines of code https://github.com/multisig-labs/gogopool/blob/4bcef8b1d4e595c9ba41a091b2ebf1b45858f022/contracts/contract/RewardsPool.sol#L227 Vulnerability details Impact Transferring the allotAmount reward to MultisigManager leads to the loss of reward Proof of Concept If we refers to the...

The node operators are likely to be slashed in an unfair way

Lines of code Vulnerability details C4 issue H-04: Hijacking of node operators minipool causes loss of staked funds Comments In the original implementation, the protocol had some unnecessary state transitions and it was possible for node operators to interfere the recreation process. The main...

StRSR: attacker can steal excess rsr that is returned after seizure

Lines of code https://github.com/reserve-protocol/protocol/blob/27a3472d553b4fa54f896596007765ec91941348/contracts/p1/StRSR.sol#L496-L530 Vulnerability details Note: This issue deals with excess rsr that was seized from stRSR but is returned again. The M-12 issue also deals with excess rsr....

There is no way to retrieve the rewards from the MultisigManager and rewards are locked in the vault.

Lines of code Vulnerability details C4 issue M-21: Division by zero error can block RewardsPool#startRewardCycle if all multisig wallet are disabled. Comments The protocol provides an external function startRewardsCycle() so that anyone can start a new reward cycle if necessary. Before mitigation,....

North Korean Hackers Targeting Healthcare with Ransomware to Fund its Operations

State-backed hackers from North Korea are conducting ransomware attacks against healthcare and critical infrastructure facilities to fund illicit activities, U.S. and South Korean cybersecurity and intelligence agencies warned in a joint advisory. The attacks, which demand cryptocurrency ransoms...

Exploit for Code Injection in Codecentric Spring Boot Admin

CVE-2022-46166 靶场环境 漏洞描述 Spring Boot...

SolarWinds and Market Incentives

In early 2021, IEEE Security and Privacy asked a number of board members for brief perspectives on the SolarWinds incident while it was still breaking news. This was my response. The penetration of government and corporate networks worldwide is the result of inadequate cyberdefenses across the...

RewardTokens can be locked in MultiRewardStaking contract when the rewardsEndTimestamp of the rewardsTokens are different.

Lines of code Vulnerability details Impact To claim reward tokens from the MultiRewardStaking contract deployed, a user must call claimRewards(address user, IERC20[] memory _rewardsTokens). The _rewardsTokens array is populated with getAllRewardsTokens() which returns all the reward Tokens the...

Unsafe token transfer in MultiRewardStaking and VaultController contracts

Lines of code https://github.com/code-423n4/2023-01-popcorn/blob/d95fc31449c260901811196d617366d6352258cd/src/vault/VaultController.sol#L457 https://github.com/code-423n4/2023-01-popcorn/blob/d95fc31449c260901811196d617366d6352258cd/src/vault/VaultController.sol#L526 Vulnerability details Impact...

Changing reward speed calculates wrong rewardsEndTimestamp

Lines of code Vulnerability details Impact In MultiRewardStaking.changeRewardSpeed the new rewardsEndTimetamp is calculated based on the current balance of reward tokens in the contract. However, a fraction of this balance might already be accrued and accounted as reward, but just has not been...

claimRewards is not re-entrancy safe.

Lines of code Vulnerability details Impact In MultiRewardStaking the function claimRewards doesn’t have nonReentrant which makes it possible to re-enter the function. If one of the reward tokens in ERC-777 token, it is possible to re-enter and claim the reward again and again until the contract is....

Core functionality is not working due to revert in _verifyCreatorOrOwner()

Lines of code https://github.com/code-423n4/2023-01-popcorn/blob/d95fc31449c260901811196d617366d6352258cd/src/vault/VaultController.sol#L448 https://github.com/code-423n4/2023-01-popcorn/blob/d95fc31449c260901811196d617366d6352258cd/src/vault/VaultController.sol#L608...

Missed owner accrual in MultiRewardStaking _withdraw() leads to reward loss

Lines of code https://github.com/code-423n4/2023-01-popcorn/blob/d95fc31449c260901811196d617366d6352258cd/src/utils/MultiRewardStaking.sol#L127 Vulnerability details Impact Function _withdraw() can be called from an approved caller to withdraw owner funds. The function accrues rewards for caller...

Vault creator can prevent users from claiming staking rewards

Lines of code Vulnerability details Impact Vault creator can prevent users from claiming rewards from the staking contract. This can boost his liquidity and lure depositors to stake vault tokens. He can present a high APY and low fee percentage which will incentivize stakers When the staking...

MultiStakingReward.sol assumes all RewardTokens are in 18 decimal places

Lines of code Vulnerability details Impact Calculation of accrued rewards will be affected. Proof of Concept The function _accrueRewards is called anytime rewards needs to be accrued. The variable supplyTokens is the total supply of the reward token. deltaIndex is calculated by taking the accrued.....

MultiRewardStaking.addRewardToken can eventually break the contract

Lines of code Vulnerability details When adding a reward token, the token address is added to rewardTokens. 263: rewardTokens.push(rewardToken); If rewardTokens is large enough, accrueRewards will revert with an out-of-gas error, as it loops through rewardsToken 373: for (uint8 i; i <...

Incorrect computation in MultiRewardStaking changeRewardSpeed() leads to loss of rewards

Lines of code https://github.com/code-423n4/2023-01-popcorn/blob/d95fc31449c260901811196d617366d6352258cd/src/utils/MultiRewardStaking.sol#L357 Vulnerability details Impact The changeRewardSpeed() function computes rewardsEndTimestamp incorrectly for the case block.timestamp < prevEndTime. For.....

MultiRewardStaking claimRewards() reentrancy for ERC-777 reward tokens

Lines of code https://github.com/code-423n4/2023-01-popcorn/blob/d95fc31449c260901811196d617366d6352258cd/src/utils/MultiRewardStaking.sol#L179 https://github.com/code-423n4/2023-01-popcorn/blob/d95fc31449c260901811196d617366d6352258cd/src/utils/MultiRewardStaking.sol#L200 Vulnerability details...

MultiRewardStaking._accrueRewards can lead to loss of rewards for lower decimal tokens

Lines of code Vulnerability details Rewards accrual is computed in the following way: 406: deltaIndex = accrued.mulDiv(uint256(10**decimals()), supplyTokens, Math.Rounding.Down).safeCastTo224(); This can lead to truncation for low decimal tokens: Consider an instance with DAI as the asset, with a.....

Any user can drain the entire reward fund in MultiRewardStaking due to incorrect calculation of supplierDelta

Lines of code https://github.com/code-423n4/2023-01-popcorn/blob/d95fc31449c260901811196d617366d6352258cd/src/utils/MultiRewardStaking.sol#L427 https://github.com/code-423n4/2023-01-popcorn/blob/d95fc31449c260901811196d617366d6352258cd/src/utils/MultiRewardStaking.sol#L274 Vulnerability details...

Use safeTransferFrom and safeApprove foe the reward tokens in Vault Controller instead of transferFrom and approve functions

Lines of code https://github.com/code-423n4/2023-01-popcorn/blob/main/src/vault/VaultController.sol#L456-L457 https://github.com/code-423n4/2023-01-popcorn/blob/main/src/vault/VaultController.sol#L526 Vulnerability details Impact In 3 functions return values of ERC20 contracts (either approve or...

Wrong first parameter for _calcRewardsEnd when changing reward speed

Lines of code https://github.com/code-423n4/2023-01-popcorn/blob/d95fc31449c260901811196d617366d6352258cd/src/utils/MultiRewardStaking.sol#L351-L360 Vulnerability details Impact The function _calcRewardsEnd is called with the previousEndTime as first parameter in...

Re-entrancy in MultiRewardStaking.claimRewards

Lines of code Vulnerability details Impact If an ERC-777 token is used as reward token for any Staking contract in the system, that reward token can be completely drained from the Staking contract. Proof of Concept Re-entrancy can be done in the MultiRewardStaking.claimRewards function because of.....

Risk of reentrancy attacks in the claimRewards function

Lines of code Vulnerability details Impact The claimRewards function in the MultiRewardStaking contract is used by users to claim token rewards, but because the function does not contain a nonReentrant modifier and does not implement the CEI standard (check-effect-interact) it can be subject to...

Upgraded Q -> 3 from #599 [1675723538994]

Judge has assessed an item in Issue #599 as 3 risk. The relevant finding follows: [L-01] Erc1155Quest's tokens can be withdrawn before every reward has been claimed Impact The owner can withdraw all the remaining tokens after the Quest endTime. Thus, users who have not claimed their reward at the.....

Upgraded Q -> 2 from #670 [1675726386915]

Judge has assessed an item in Issue #670 as 2 risk. The relevant finding follows: [L-03] DoS if address owns too many receipts With time it is viable for users to acquire thousands and tens of thousands of receipts. This may happen as a result of buying receipts for example, which was highlighted.....

Flying Spin eBook Reader Windows Client has xss Vulnerability

Fly Turn eBook Reader is a powerful tool for reading and managing eBooks. An xss vulnerability exists in the Windows client of FlyTurn eBook Reader, which can be exploited by an attacker to obtain user cookie...

Multiple accounts can have the same identity

Lines of code Vulnerability details Users can register their on-chain identity (ie their CID NFT) by calling AddressRegistry.register() File: src/AddressRegistry.sol 42: function register(uint256 _cidNFTID) external { 43: if (ERC721(cidNFT).ownerOf(_cidNFTID) != msg.sender)...

I’m Now a Full-Time Professional Open Source Maintainer

or, "Holy shit, it works!" Last May I left my job on the Go team at Google to experiment with more sustainable paths for open-source maintainers. I held on to my various maintainer hats (Go cryptography, transparency tooling, age, mkcert, yubikey-agent…), iterated on the model since September, and....

Exploit for Deserialization of Untrusted Data in Apache Log4J

Log4j...

protocolFeeRecipient might take unclaimed reward token after quest ends.

Lines of code Vulnerability details Impact Since there is no code to check whether fee has been drawn, withdrawFee() might be called multiple times. This allows protocolFeeRecipient to steal all of the unclaimed reward tokens after quest ended. Proof of Concept Provide direct links to all...

Malicious user can send the quest reward tokens to the protocol fee contract preventing users from claiming their rewards.

Lines of code Vulnerability details Impact Malicious user can take advantage of the function withdrawFee after the quest end time and successfuly send the quest reward tokens to the protocol fee contract preventing users from claiming their rewards. Proof of Concept Every receipt minted should...

Any user is able to mint a new receipt/ticket tokens

Lines of code https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleTickets.sol#L47-L50 Vulnerability details Impact In the RabbitHoleReceipt and RabbitHoleTickets contracts the minterAddress should be the only account allowed to mint a...

Owner can stop user from claiming rewards in the Erc1155Quest

Lines of code Vulnerability details Impact After completing their tasks users can mint a new receipt token which they can later claim reward with it using the claim function, this function can not be called when the Quest contract is paused so the users can't claim when quest contract is paused....

Immutable varibles should be checked to there default values

Lines of code https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Quest.sol#L17-L18 https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Quest.sol#L13 Vulnerability details Impact It is very...

withdrawFee() can be called indefinitely

Lines of code https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Quest.sol#L76-L79 Vulnerability details The function withdrawFee() does not account whether the fees have already been collected or not, therefore it can be called multiple times or....

Quest owner can withdraw the reward for unclaimed receipt.

Lines of code Vulnerability details Impact Erc1155Quest.withdrawRemainingTokens() will withdraw all tokens even if there are users who minted a receipt but didn't claimed their rewards before endTime Proof of Concept Whitelisted account creates a new ERC1155 quest. Whitelisted account becames the.....

Wrongly implemented modifier allow everybody to mint Rabbit Hole tickets.

Lines of code https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleTickets.sol#L83 https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleTickets.sol#L97 Vulnerability details...

claim can run out of gas

Lines of code Vulnerability details Impact If the claim function runs out of gas, the caller can never claim any rewards without transferring the nfts to another address first Proof of Concept Currently, the claim function loops over the msg.senders NFT's. If this list ever becomes too large, the.....

Hive! Hive! Hive! Ransomware site submerged by FBI

On January 26, 2023, the United States Department of Justice (DoJ) released details about a disruption campaign against the Hive ransomware group. The disruption campaign has reportedly had access to Hive's infrastructure since July of 2022. Its access became public on Thursday when Hive's dark...

Upgraded Q -> M from #229 [1674661320954]

Judge has assessed an item in Issue #229 as M risk. The relevant finding follows: Centralization Risk Contract: https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/protocol/tokenization/base/MintableIncentivizedERC721.sol#L131 Impact: It seems the poolAdmin holds too....

Introducing the GitHub Bug Bounty swag store

Our bug bounty team has had an exciting year, including celebrating the eighth year of our program, hosting a live hacking event in June, spotlighting one of our hackers for cybersecurity awareness month, and spending more time with our community at events such as DEFCON 30. Along the way, we have....

user funds loss in withdraw() of StRSR because code don't revert when calculated rsrAmount is zero

Lines of code Vulnerability details Impact Function withdraw() in StRSR completes an account's unstaking. but when calculated amount of RSR token is 0 code still burn user draftRSR and returns. This would cause users small amount of deposits to get burned and user won't receive any funds. as...

KesionCMS X 1.5 Add Administrator

...

Cyberattack halts Royal Mail's overseas post

If you're looking to send letters or parcels outside of the UK using Royal Mail, you'll want to hold off for a little while. Royal Mail is suffering from "severe disruption" after an unnamed cyber incident. While no specifics are currently available, Royal Mail has disclosed enough to let us know.....

StrongPity Hackers Distribute Trojanized Telegram App to Target Android Users

The advanced persistent threat (APT) group known as StrongPity has targeted Android users with a trojanized version of the Telegram app through a fake website that impersonates a video chat service called Shagle. "A copycat website, mimicking the Shagle service, is used to distribute StrongPity's.....

Pokemon NFT card game malware chooses you

Pokemon fans are urged to be on their guard after bogus card game portals have been offering up malware under the guise of NFTs. The sites in question offer up an enticing looking mix of card gaming with a splash of money making on the side. Digital card games are big business in gaming circles,...

Exploit for Stack-based Buffer Overflow in Modbustools Modbus Slave

CVE-2022-1068 Modbus Slave缓冲区溢出漏洞CVE-2022-1068分析与复现 使用参考：...

JIT(JUST-IN TIME) LIQUIDITY OPPORTUNITIES EXISTS FOR USERS

Lines of code Vulnerability details Impact The MEV opportunity created robs the honest users who deposit before the start of a reward cycle. Leading to loss of rewards for said users. Proof of Concept A user deposits AVAX into tokenggAVAX.sol and in return gets an lp token to represent their...

PROTOCOL MIGHT NOT BE ABLE TO OPERATE DUE TO LACK OF FUNDS

Lines of code https://github.com/code-423n4/2022-12-gogopool/blob/aec9928d8bdce8a5a4efe45f54c39d4fc7313731/contracts/contract/tokens/TokenggAVAX.sol#L191 Vulnerability details Impact Redeem/withdraw functionality will fail under certain conditions and users who want to redeem/withdraw their AVAX...