微信打赏（Wechat Reward) Security Vulnerabilities

New Book: A Hacker’s Mind

I have a new book coming out in February. It's about hacking. A Hacker's Mind: How the Powerful Bend Society's Rules, and How to Bend them Back isn't about hacking computer systems; it's about hacking more general economic, political, and social systems. It generalizes the term hack as a means of.....

Upgraded Q -> M from #43 [1668210521611]

Judge has assessed an item in Issue #43 as M risk. The relevant finding follows: Q-02 - Huge trust assumption in recoverErc20() https://github.com/code-423n4/2022-10-paladin/blob/d6d0c0e57ad80f15e9691086c9c7270d4ccfe0e6/contracts/WardenPledge.sol#L653-L661 Reward tokens are transferred into this...

Warning: New Massive Malicious Campaigns Targeting Top Indian Banks' Customers

Cybersecurity researchers are warning of "massive phishing campaigns" that distribute five different malware targeting banking users in India. "The bank customers targeted include account subscribers of seven banks, including some of the most well-known banks located in the country and potentially....

Validator can revert block at no cost.

Lines of code Vulnerability details Impact Validator can revert block at no cost. Proof of Concept the validator should only call this function on Executor.sol to revert the unexecuted blocks if the block is not really not executable. /// @notice Reverts unexecuted blocks /// @param _newLastBlock.....

Blockchain Power Binance Football Fever 2022 to Offer Fans $1 Million in Reward

By Deeba Ahmed FIFA World Cup is about to happen, and football fever has already taken the world hostage. Binance isn’t… This is a post from HackRead.com Read the original post: Blockchain Power Binance Football Fever 2022 to Offer Fans $1 Million in...

The Worrying Rise of Cybercrime as a Service (CaaS)

What is CaaS? Put simply, Cybercrime as a Service (CaaS) means black hat hackers for hire. Now, any ex-employee with a grudge, any disgruntled customer, any troubled ex-partner, or vindictive competitor, literally anyone with the right browser, can hire a dark web bad actor to perform...

LinkedIn Adds Verified Emails, Profile Creation Dates

Responding to a recent surge in AI-generated bot accounts, LinkedIn is rolling out new features that it hopes will help users make more informed decisions about with whom they choose to connect. Many LinkedIn profiles now display a creation date, and the company is expanding its domain validation.....

Researchers Find Links b/w Black Basta Ransomware and FIN7 Hackers

A new analysis of tools put to use by the Black Basta ransomware operation has identified ties between the threat actor and the FIN7 (aka Carbanak) group. This link "could suggest either that Black Basta and FIN7 maintain a special relationship or that one or more individuals belong to both...

A weak password vulnerability exists in the Tianqing Application Delivery Control System of Qisda Information Technology Group Co.

Tianqing Application Delivery Control System is equipped with a virtualized cloud computing center traffic management solution. Ltd. Tianqing Application Delivery Control System has a weak password vulnerability, which attackers use to log into the system backend and obtain sensitive...

How to Teach Colleagues About the Dangers of Phishing

Every day worldwide, tens of thousands of employees fall prey to phishing scams. In the second quarter of 2022, the Anti-Phishing Working Group (APWG) saw 1,097,811 total phishing attacks, the worst quarter on record. The results can be devastating: from lost data and identity theft to compromised....

Excessive owner privilege - can freeze pledge creator's funds after pledging period completed.

Lines of code Vulnerability details Description The retrievePledgeRewards() function is used by pledge creator, only after pledge endTimestamp has passed. It will collect for the creator all unused reward tokens. Since it can only operate after endTimestamp, the pledge has for all intents and...

Liquidatin function does not consider cases where the liquidate user does not have enough collateral to pay.

Lines of code Vulnerability details Impact Liquidatin function does not consider cases where the liquidate user does not have enough collateral to pay. Proof of Concept The problem is the paid collateral in determined by repaid_debt: (I ingnored decimals for simplifcation of the formulas I'm gonna....

Reuse of previous voting difference in extendPledge() charges too much fees

Lines of code Vulnerability details Description In Warden Pledge, creators can extend the life span of an existing pledge using extendPledge. Here's the implementation: uint256 addedDuration = newEndTimestamp - oldEndTimestamp; if(addedDuration < minDelegationTime) revert...

Divide before multiply

Lines of code Vulnerability details division before multiply Impact Solidity integer division might truncate. As a result, performing multiplication before division can sometimes avoid loss of precision. Proof of Concept In general, this is a problem due to precision. In this case, it also affects....

Owner can bypass reward token protection in recoverERC20 to instantly steal all tokens in contract

Lines of code https://github.com/code-423n4/2022-10-paladin/blob/d6d0c0e57ad80f15e9691086c9c7270d4ccfe0e6/contracts/WardenPledge.sol#L585 Vulnerability details Description WardenPledge contract has a sweeping function (recoverERC20) to handle mistakenly sent ERC20 tokens: function...

Pledge creator can extend pledge without paying in edge cases.

Lines of code Vulnerability details Impact Pledge creator can extend pledge without paying in edge cases. Proof of Concept When pledge creators wants to extend their pledges, they must transfer an additional reward amount and fee: uint256 totalRewardAmount = (pledgeParams.rewardPerVote *...

Owner can steal all the rewards token from the WardenPledge.sol smart contract and break the internal accounting

Lines of code Vulnerability details Impact The owner of the WardenPledge.sol smart contract can steal all the reward tokens from the contract and break the internal accounting. With the recoverERC20 function, the owner can transfer to him/herself the whole balance of the token. The check at L654...

The pledge creators might lose all of their funds by recoverERC20().

Lines of code Vulnerability details Impact There is a recoverERC20() function to withdraw ERC20 tokens from the contract. Currently, it checks if the token isn't an active reward token but it can be passed easily if the admin removes the reward token using removeRewardToken(). So if the admin...

Decimals are computed in the wrong way if the collateral token doesn't have 18 decimals

Lines of code https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Market.sol#L326 https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Market.sol#L597 Vulnerability details Impact Huge accounting errors and...

Pledge creator can increase their pledges' reward per vote without paying in edge cases

Lines of code Vulnerability details Impact Pledge creator can increase their pledges' reward per vote without paying in edge cases. Proof of Concept When pledge creators wants to increase their pledges' reward per vote, they must transfer an additional reward amount and fee: uint256...

Wrong reward calculation when reward token's decimals are different than 18

Lines of code https://github.com/code-423n4/2022-10-paladin/blob/d6d0c0e57ad80f15e9691086c9c7270d4ccfe0e6/contracts/WardenPledge.sol#L265 https://github.com/code-423n4/2022-10-paladin/blob/d6d0c0e57ad80f15e9691086c9c7270d4ccfe0e6/contracts/WardenPledge.sol#L327 Vulnerability details Impact When a.....

Arbitrary user can prevent withdrawals on any users through liquidation

Lines of code Vulnerability details Impact The function liquidate() is a public function that handles the repayment of debt and provides a reward for users who call this function. Any user can be liquidated if they have debt outstanding. A user incurs debt if they borrow from the market, based on.....

Fees charged from entire theoretical pledge amount instead of actual pledge amount

Lines of code Vulnerability details Description Paladin receives a 5% cut from Boost purchases, as documented on the website "Warden takes a 5% fee on Boost purchases, and 5% on Quest incentives. However, there are various pricing tiers for Quest creators. Contact the Paladin team for more info.".....

Malicious owner can steal reward tokens

Lines of code Vulnerability details The recoverERC20 function allows the contract owner to transfer arbitrary ERC20 tokens owned by the WardenPledge contract in order to recover tokens sent by mistake to the contract. In order to protect against withdrawal of deposited reward tokens, it includes a....

Owner can bypass ERC20 recovery restrictions and take all rewards

Lines of code https://github.com/code-423n4/2022-10-paladin/blob/d6d0c0e57ad80f15e9691086c9c7270d4ccfe0e6/contracts/WardenPledge.sol#L653-L661 Vulnerability details Impact There is a function that is intended to be used to recover ERC20 tokens that were sent to the WardenPledge contract by...

Pausing WardenPledge contract, which takes effect immediately, by its owner can unexpectedly block pledge creator from calling closePledge or retrievePledgeRewards function

Lines of code https://github.com/code-423n4/2022-10-paladin/blob/main/contracts/WardenPledge.sol#L488-L515 https://github.com/code-423n4/2022-10-paladin/blob/main/contracts/WardenPledge.sol#L456-L480 Vulnerability details Impact The owner of the WardenPledge contract is able to call the pause...

[M1] Owner can steal any createdPledge's tokens

Lines of code https://github.com/code-423n4/2022-10-paladin/blob/d6d0c0e57ad80f15e9691086c9c7270d4ccfe0e6/contracts/WardenPledge.sol#L585-L592 Vulnerability details Impact Malicious owner can steal any created pledge even to drain the whole contract Proof of Concept Functions like recoverERC20 are....

Liquidator is paid too much

Lines of code Vulnerability details Impact Liquidator is paid (1 + liquidationIncentive) * repaidDebt, instead of liquidationIncentive * repaidDebt. Proof of Concept liquidatorReward is currently calculated in Market.liquidate() as follows: uint liquidatorReward = repaidDebt * 1 ether / price;...

Compromised or malicious owner of WardenPledge contract can steal pledge creator's deposited reward token amount

Lines of code https://github.com/code-423n4/2022-10-paladin/blob/main/contracts/WardenPledge.sol#L653-L661 Vulnerability details Impact There is no guarantee that the owner of the WardenPledge contract does not become compromised or malicious in the future. If this owner becomes compromised or...

Admin can rug

Lines of code https://github.com/code-423n4/2022-10-paladin/blob/d6d0c0e57ad80f15e9691086c9c7270d4ccfe0e6/contracts/WardenPledge.sol#L653-L661 Vulnerability details Impact Admin can rug all of the contract's funds Proof of Concept The function recoverERC20() is only callable by the owner and its...

_pledge function has mathematical calculation error

Lines of code Vulnerability details Impact the mathematical formula is incorrect, which will lead to protocol insolvency Proof of Concept the original code is : uint256 slope = amount / boostDuration; uint256 bias = slope * boostDuration; // Rewards are set in the Pledge as...

no interest calculation charging & lp provider reward in market contract

Lines of code https://github.com/code-423n4/2022-10-inverse/blob/HEAD/src/DBR.sol#L1-L388 Vulnerability details Impact there is no accrued interest charging for the borrower' debt, borrower at the same time cannot decrease their accured interest(this bug's detail is present in my previous...

Incorrect implementation of extendPledge()

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. The extendPledge() function is not correctly implemented because even though the duration is extended, no changes are made to existing delegates who boost to this pledge. A few things need to change: 1).....

Insufficient validation in enforcer's OnERC20Received() callback may lead to loss of funds in implementations.

Lines of code Vulnerability details Description HolographERC20's onERC20Received() is presumably a callback that is called when the Holographer receives tokens. Its implementation is: if (_isEventRegistered(HolographERC20Event.beforeOnERC20Received)) { ...

If user sets a low gasPrice the operator would have to choose between being locked out of the pod or executing the job anyway

Lines of code https://github.com/code-423n4/2022-10-holograph/blob/f8c2eae866280a1acfdc8a8352401ed031be1373/contracts/HolographOperator.sol#L593-L596 https://github.com/code-423n4/2022-10-holograph/blob/f8c2eae866280a1acfdc8a8352401ed031be1373/contracts/module/LayerZeroModule.sol#L277-L294...

Black Reward Hackers Steal Trove of Emails from Iran’s Atomic Energy Agency

By Waqas The group claims they launched this attack to demand the release of political prisoners arrested during the countrywide protests. This is a post from HackRead.com Read the original post: Black Reward Hackers Steal Trove of Emails from Iran's Atomic Energy...

Exploit for Path Traversal in Zimbra Collaboration

CVE-2022-37042 Usage 查看漏洞信息。 ```bash go run main.go -s...

Reserved token rounding can be abused to honeypot and steal user's funds

Lines of code Vulnerability details Description When the project wishes to mint reserved tokens, they call mintReservesFor which allows minting up to the amount calculated by DelegateStore's _numberOfReservedTokensOutstandingFor. The function has this line: // No token minted yet? Round up to 1....

Exploit for Code Injection in Apache Commons Text

cve-2022-42889-intercept 低于...

Social Engineering dos and don’ts

Another day, another success at sneaking into a building and pretending to be staff. I do so love drinking other people's expensive office coffee. No fruit bowls though. Close, but no banana. It got me thinking, again, about what makes for good social engineering (SE), and what advice would I give....

Exploit for Missing Authentication for Critical Function in Terra-Master Terramaster Operating System

terraMaster-CVE-2022-24990 工具简介 针对 CVE-2022-24990...

Exploit for OS Command Injection in Telesquare Sdt-Cs3B1 Firmware

CVE-2021-46422 安装 下载py,使用cmd打开 使用 poc ```...

セキュリティ更新プログラムの通知・配信の改善 – 新しい配信方法について

本ブログは、Improvements in Security Update Notifications Delivery – And a New Delivery Method...

How To Build a Career as a Freelance Cybersecurity Analyst — From Scratch

With each passing year, the cybersecurity threat landscape continues to worsen. That reality makes cybersecurity analysts some of the most sought-after technology professionals in the world. And there are nowhere near enough of them to meet the demand. At last count, there were over 3.5 million...

Romance scammer given 25 years of alone time

Romance scams are often low risk, high reward strategies for ciminals, who use them to steal large sums of money from vulnerable people in the cruellest ways possible. Once the victim wires the cash, there's a good chance that it's never coming back. The perpetrator has almost certainly covered...

Malwarebytes' modernized bug bounty program—here's all you need to know

Malwarebytes welcomes and encourages independent researchers reporting vulnerabilities in our products, and has run a bug bounty program for several years. Our security team has spent the last few months modernizing the program and we thought you'd like to hear about it. What is a bug bounty...

Former Uber Security Chief Found Guilty of Data Breach Coverup

A U.S. federal court jury has found former Uber Chief Security Officer Joseph Sullivan guilty of not disclosing a 2016 breach of customer and driver records to regulators and attempting to cover up the incident. Sullivan has been convicted on two counts: One for obstructing justice by not...

Uncommon infection and malware propagation methods

Introduction We are often asked how targets are infected with malware. Our answer is nearly always the same: (spear) phishing. There will be exceptions, naturally, as we will encounter RCE vulnerabilities every now and then, or if the attacker is already on the network, they will use tools like...

Want More Secure Software? Start Recognizing Security-Skilled Developers

Professional developers want to do the right thing, but in terms of security, they are rarely set up for success. Organizations must support their upskilling with precision training and incentives if they want secure software from the ground up. The cyber threat landscape grows more complex by the....

Popular YouTube Channel Caught Distributing Malicious Tor Browser Installer

A popular Chinese-language YouTube channel has emerged as a means to distribute a trojanized version of a Windows installer for the Tor Browser. Kaspersky dubbed the campaign OnionPoison, with all of the victims located in China. The scale of the attack remains unclear, but the Russian...