微信打赏（Wechat Reward) Security Vulnerabilities

Wrong reward distribution because protocol won't reset avaxAssignedHighWater value for a user if calculateAndDistributeRewards() doesn't get called for that user in that cycle

Lines of code Vulnerability details Impact node operators ggp rewards are distributed by function calculateAndDistributeRewards() which is called by Multisig and function calculateAndDistributeRewards() can only distribute current cycle rewards. the rewards are calculated based on user's...

Owner may lose funds if Minipool is recreated before funds are withdrawn

Lines of code Vulnerability details The createMinipool function of the MinipoolManager contract can be used to reinitialize an existing minipool and potentially lose user funds. If the given nodeID has an existing minipool index, then the state for the minipool is reset:...

Exploit for Code Injection in Vmware Spring Framework

CVE-2022-22965-rexbb springboot core...

Governance NFT holder, whose NFT was minted before Trading._handleOpenFees function is called, can lose deserved rewards after Trading._handleOpenFees function is called

Lines of code https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/Trading.sol#L762-L810 https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/GovNFT.sol#L287-L294 Vulnerability details Impact Calling the following Trading._handleOpenFees function does not approve the GovNFT....

Generalized frontrunning risk for claiming winnings due to request.currentChosenTokenId being public

Lines of code Vulnerability details Impact The function VRFNFTRandomDraw.sol:fulfillRandomWords() called by Chainlink receives an array of random words, and uses it to choose a random offset by which the winning tokenId is selected. The chosen tokenId is stored on the public request variable in...

Lack of access control

Lines of code Vulnerability details The 'createReferralCode' function in the 'Referrals' contract allows any address to create a referral code. This could potentially lead to spam or misuse of the system. Impact If an attacker is able to create a large number of referral codes, they could...

GovNFT contract's owner can stop Governance NFT holders from receiving more rewards from trades' DAO fees, and such reward amounts can remain in Trading contract without belonging to anyone

Lines of code https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/GovNFT.sol#L287-L294 Vulnerability details Impact According to https://docs.tigris.trade/protocol/governance, "Profits from trading fees are paid out to [Governance] NFT holders in real-time...Rewards are paid out in...

The raffle could be slightly unfair as the owner of NFT ID which is closer to drawingTokenStartId could have more chance to win

Lines of code Vulnerability details Impact The raffle could be slightly unfair as the owner of NFT ID which is closer to drawingTokenStartId could have more chance to win. Proof of Concept As written in https://code4rena.com/contests/2022-12-forgeries-contest, "We want to raffle away a single NFT.....

Draw admin/owner can rug the winner after recoverTimelock expires.

Lines of code Vulnerability details Impact The admin/owner of VRFNFTRandomDraw can wait for recoverTimelock to expire before making the draw. This way he can use lastResortTimelockOwnerClaimNFT() to take back the reward NFT from the contract without any time to allow for the winner to claim. He...

Unreleased locks cause the reward distribution to be flawed in BondNFT

Lines of code https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/BondNFT.sol#L225 Vulnerability details Impact After a lock has expired, it doesn't get any rewards distributed to it. But, unreleased locks cause other existing bonds to not receive the full amount of tokens either. The....

Draw organizer can rig the draw to favor certain participants such as their own account.

Lines of code Vulnerability details Description In RandomDraw, the host initiates a draw using startDraw() or redraw() if the redraw draw expiry has passed. Actual use of Chainlink oracle is done in _requestRoll: request.currentChainlinkRequestId = coordinator.requestRandomWords({ keyHash:...

Stripe: Possible XSS vulnerability without a content security bypass

Summary: Hi security team members, Hope you are well and doing great :) I found a Possible XSS vulnerability in https://dashboard.stripe.com but I was not able to bypass a content security policy. Although, I don't have much knowledge about CSP and its bypasses. But, I read that you accept the XSS....

WPQA < 5.9.3 - Missing validation lead to functionality abuse

The plugin (which is a companion plugin used with Discy and Himer themes) incorrectly tries to validate that a user already follows another in the wpqa_following_you_ajax action, allowing a user to inflate their score on the site by having another user send repeated follow actions to...

Permanent freeze of yield when TokenSender rewards bank is depleted and deposit or withdraw is called.

Lines of code Vulnerability details Description In collateral deposit() and withdraw() flow, a fee is calculated as a percentage of user's requested amount. It is passed to the DepositHook and WithdrawHook, for example in deposit(): uint256 _amountAfterFee = _amount - _fee; if...

suppliers funds loss because attacker can transfer his collateralized tokens when health factor is below liquidation threshold by reentrancy attack during executeLiquidateERC20() logic and transferring collateralize

Lines of code https://github.com/code-423n4/2022-11-paraspace/blob/c6820a279c64a299a783955749fdc977de8f0449/paraspace-core/contracts/protocol/libraries/logic/LiquidationLogic.sol#L516-L556...

Microsoft Alerts Cryptocurrency Industry of Targeted Cyberattacks

Cryptocurrency investment companies are the target of a developing threat cluster that uses Telegram groups to seek out potential victims. Microsoft's Security Threat Intelligence Center (MSTIC) is tracking the activity under the name DEV-0139, and builds upon a recent report from Volexity that...

Understanding NIST CSF to assess your organization's Ransomware readiness

Ransomware attacks keep increasing in volume and impact largely due to organizations' weak security controls. Mid-market companies are targeted as they possess a significant amount of valuable data but lack the level of protective controls and staffing of larger organizations. According to a...

CVE-2022-3858

The Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line, WeChat, Email, SMS, Call Button WordPress plugin before 3.0.3 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as...

CVE-2022-3858

The Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line, WeChat, Email, SMS, Call Button WordPress plugin before 3.0.3 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as...

Sql injection

The Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line, WeChat, Email, SMS, Call Button WordPress plugin before 3.0.3 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as...

CVE-2022-3858 Chaty < 3.0.3 - Admin+ SQLi

The Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line, WeChat, Email, SMS, Call Button WordPress plugin before 3.0.3 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as...

Exploit for Authentication Bypass by Spoofing in Apache Apisix

POC 收集的POC CVE-2022-24112...

What Developers Need to Fight the Battle Against Common Vulnerabilities

Today's threat landscape is constantly evolving, and now more than ever, organizations and businesses in every sector have a critical need to consistently produce and maintain secure software. While some verticals - like the finance industry, for example - have been subject to regulatory and...

Irish Regulator Fines Facebook $277 Million for Leak of Half a Billion Users' Data

Ireland's Data Protection Commission (DPC) has levied fines of €265 million ($277 million) against Meta Platforms for failing to safeguard the personal data of more than half a billion users of its Facebook service, ramping up privacy enforcement against U.S. tech firms. The fines follow an...

Privacy predictions 2023

Our last edition of privacy predictions focused on a few important trends where business and government interests intersect, with regulators becoming more active in a wide array of privacy issues. Indeed, we saw regulatory activity around the globe. In the US, for example, the FTC has requested...

Deposits and compounds will be frozen after a PirexGmx migration

Lines of code https://github.com/code-423n4/2022-11-redactedcartel/blob/main/src/vaults/AutoPxGlp.sol#L390-L400 https://github.com/code-423n4/2022-11-redactedcartel/blob/main/src/vaults/AutoPxGmx.sol#L281-L283...

compound could be used by uniswap stakers to maximize fees for AutoPxGmx users

Lines of code Vulnerability details Impact Anyone can call AutoPxGmx::compound. Hence a staker in the 10000 (1% fee) uniswap pool can call compound with that pool and take a larger fee from AutoPxGmx users maximizing their gains and griefing users. Proof of Concept fee chooses which uniswap pool...

Potential PirexReward's producerTokens's rewardToken unsynced with PirexGmx rewardToken can miss calculate the actual reward for user

Lines of code https://github.com/code-423n4/2022-11-redactedcartel/blob/main/src/PirexRewards.sol#L151-L197 Vulnerability details Impact Potential PirexReward's producerTokens's rewardToken unsynced with PirexGmx rewardToken can miss calculate the actual reward for user Proof of Concept...

Functions like AutoPxGmx.withdraw and AutoPxGmx.redeem do not provide effective slippage control

Lines of code https://github.com/code-423n4/2022-11-redactedcartel/blob/main/src/vaults/AutoPxGmx.sol#L339-L362 https://github.com/code-423n4/2022-11-redactedcartel/blob/main/src/vaults/AutoPxGmx.sol#L242-L313 Vulnerability details Impact As shown below, calling the AutoPxGmx.withdraw and...

Division by zero could cause DOS in function harvest() and claim() in PirexRewards contract

Lines of code Vulnerability details Impact When functions harvest() or claim() of PirexRewards are called, they will claim rewards by calling PirexGmx.claimRewards() function. If there is any case that esGmx reward is existed but not base rewards or vice versa, the value returned from...

´userAccrue` rewards manipulation

Lines of code https://github.com/code-423n4/2022-11-redactedcartel/blob/03b71a8d395c02324cb9fdaf92401357da5b19d1/src/vaults/PxGmxReward.sol#L68-L84 Vulnerability details Impact A flashloan can be used to set a huge last balance which later will accrue a huge reward. Proof of Concept Buy lots of a.....

fee loss in AutoPxGmx and AutoPxGlp and reward loss in AutoPxGlp by calling PirexRewards.claim(pxGmx/pxGpl, AutoPx*) directly which transfers rewards to AutoPx* pool without compound logic get executed and fee calculation logic and pxGmx wouldn't be executed for those rewards

Lines of code https://github.com/code-423n4/2022-11-redactedcartel/blob/03b71a8d395c02324cb9fdaf92401357da5b19d1/src/vaults/AutoPxGmx.sol#L230-L313 Vulnerability details Impact Function compound() in AutoPxGmx and AutoPxGlp contracts is for compounding pxGLP (and additionally pxGMX) rewards. it...

Lack Of Proper Access Control Might Lead To User Getting Lesser Rewards

Lines of code Vulnerability details Impact We can call the function userAccrue for some other user and make their rewards lesser then they expect. In the function https://github.com/code-423n4/2022-11-redactedcartel/blob/main/src/PirexRewards.sol#L281-L295 it calculates the rewards for a user that....

DoS on claiming rewards in PirexRewards is possible

Lines of code Vulnerability details Proof of Concept The claim method in PirexRewards iterates over the rewardTokens array for a producerToken. Now this array is completely managed by the contract’s owner who can call addRewardToken which pushes a new value in that array, as many times as he...

Incentive fund loss when calling claim() in AutoPxGlp/PxGmxRewards because it calls this.compound(,,true) which would transfer incentive to contract itself and those funds won't be calculated as rewards or fee and won't be accessible to withdraw

Lines of code Vulnerability details Impact Function claim() in PxGmxReward contract is used for claiming available pxGMX rewards of a user. but this function calls IAutoPxGlp(address(this)).compound(1, 1, true); to harvest new rewards and stake them to compound rewards. but this call is external...

Rewards calculation does not consider GMX reward rate fluctuation

Lines of code https://github.com/code-423n4/2022-11-redactedcartel/blob/03b71a8d395c02324cb9fdaf92401357da5b19d1/src/PirexRewards.sol#L315-L317 https://github.com/code-423n4/2022-11-redactedcartel/blob/03b71a8d395c02324cb9fdaf92401357da5b19d1/src/PirexRewards.sol#L402-L403...

User can continuosly accrue rewards they are not due

Lines of code Vulnerability details Impact It is possible that block.timestamp can be manipulted by a user, thus allowing a malicious user to continuously acrue rewards they are not due, as long as the value is not 0 then rewards will be accrued function userAccrue(ERC20 producerToken, address...

Add reward token existence check in order to avoid user reward lost.

Lines of code Vulnerability details Impact The user can lost his rewards if the reward token is removed from the producerTokens[producerToken].rewardTokens list. If the reward token is removed, the rewardToken length is going to be zero, the user rewards going to be zero and the for statement will....

AutoPxGmx.compound function can be directly called with a fee input value that is not the configured Uniswap pool fee

Lines of code https://github.com/code-423n4/2022-11-redactedcartel/blob/main/src/vaults/AutoPxGmx.sol#L339-L362 https://github.com/code-423n4/2022-11-redactedcartel/blob/main/src/vaults/AutoPxGmx.sol#L242-L313 Vulnerability details Impact Calling the following AutoPxGmx.withdraw and...

gmxBaseReward must not be the same as asset

Lines of code https://github.com/code-423n4/2022-11-redactedcartel/blob/03b71a8d395c02324cb9fdaf92401357da5b19d1/src/vaults/AutoPxGlp.sol#L232-L250 Vulnerability details Impact Compounding will attempt to swap/deposit all assets instead of just the rewards, which reverts because of integer...

Unbounded loop can block claim

Lines of code https://github.com/code-423n4/2022-11-redactedcartel/blob/684627b7889e34ba7799e50074d138361f0f532b/src/PirexGmx.sol#L824 Vulnerability details Unbounded loop can block claim Impact There are no bounds on the number of rewardTokens in the loop, this can run out of gas due to cost of...

Iran’s Fars News Agency website hacked as part of anti-govt protests

By Habiba Rashid The hackers from Black Reward Team are also claiming to have deleted nearly 250 terabytes of data from the website from its servers and computers. This is a post from HackRead.com Read the original post: Iran's Fars News Agency website hacked as part of anti-govt...

Who tracked internet users in 2021–2022

Every time you go online, someone is watching over you. The services you use, the websites you visit, the apps on your phone, smart TVs, gaming consoles, and any networked devices collect data on you with the help of trackers installed on web pages or in software. The websites and services send...

Funds are locked if can’t transfer reward to recipient in withdraw

Lines of code Vulnerability details Impact When recipient not able to received reward when call withdraw, as natspec: If contract is using proxy pattern, it's possible to register retroactively, however past fees will be lost. We not handle that case to get locked funds back. We should add...

Bahamut Cyber Espionage Hackers Targeting Android Users with Fake VPN Apps

The cyber espionage group known as Bahamut has been attributed as behind a highly targeted campaign that infects users of Android devices with malicious apps designed to extract sensitive information. The activity, which has been active since January 2022, entails distributing rogue VPN apps...

Ltd. temperature and humidity management platform APP has SQL injection vulnerability

The temperature and humidity management platform APP is an intelligent hardware application that presents customers with a convenient and fast natural environment temperature and humidity manipulation role. Ltd. temperature and humidity management platform APP has SQL injection vulnerability,...

Yanluowang Ransomware Leaks Analysis: Organization, Collaboration with HelloKitty, Babuk and Conti

Yanluowang Ransomware Leaks Analysis: Organization, Collaboration with HelloKitty, Babuk and Conti By Jambul Tologonov· November 22, 2022 Introduction On October 31, 2022, Yanluowang’s TOR site was hacked displaying a message “check and mate!! Yanluowang Matrix chat hacked @yanluowangleaks Time’s.....

Yanluowang Ransomware Leaks Analysis: Organization, Collaboration with HelloKitty, Babuk and Conti

Yanluowang Ransomware Leaks Analysis: Organization, Collaboration with HelloKitty, Babuk and Conti By Jambul Tologonov· November 22, 2022 Introduction On October 31, 2022, Yanluowang’s TOR site was hacked displaying a message “check and mate!! Yanluowang Matrix chat hacked @yanluowangleaks Time’s.....

Beijing Muhua Information Technology Co., Ltd. has a logic flaw vulnerability in the Web version of Xue Tang Cloud 3.0 network teaching platform

Beijing Muhua Information Technology Co., Ltd. was registered in the Haidian Branch on 2014-03-28. The company's business scope includes technology development of Internet technology, software technology, e-commerce technology, electronic publishing technology, etc. Beijing MUHUA Information...

Top Zeus Botnet Suspect “Tank” Arrested in Geneva

Vyacheslav "Tank" Penchukov, the accused 40-year-old Ukrainian leader of a prolific cybercriminal group that stole tens of millions of dollars from small to mid-sized businesses in the United States and Europe, has been arrested in Switzerland, according to multiple sources. Wanted Ukrainian...