WeChat Reward (微信打赏) Security Vulnerabilities

malwarebytes

Costa Rica continues defence against sustained Conti ransomware attacks

It's not been plain sailing recently for Conti ransomware, the Ransomware as a Service (RaaS) group with several major attacks under its belt. In August last year, a pen tester leaked valuable manuals and documents related to the operation. These leaks continued as the Conti gang expressed support....

0.5AI Score

2022-05-09 03:54 PM
14
thn

U.S. Offering $10 Million Reward for Information on Conti Ransomware Hackers

The U.S. State Department has announced rewards of up to $10 million for any information leading to the identification of key individuals who are part of the infamous Conti cybercrime gang. Additionally, it's offering another $5 million for intelligence information that could help arrest or...

1.3AI Score

2022-05-09 03:28 AM
29
githubexploit

Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager

CVE-2022-1388 https://support.f5.com/csp/article/K23605346...

9.8CVSS

1.1AI Score

0.975EPSS

2022-05-09 03:20 AM
152
cnvd

Panmicro Cloud Bridge has SQL injection vulnerability

Panmicro Cloud Bridge (e-Bridge) is a system integration middleware for bridging open Internet resources and enterprise information systems. There is a SQL injection vulnerability in Panmicro Cloud Bridge, which can be exploited by attackers to obtain sensitive database...

3.8AI Score

2022-05-09 12:00 AM
18
code423n4

PermissionlessBasicPoolFactory\addPool() doesn’t check whether pool.excessBeneficiary is address(0)

Lines of code https://github.com/code-423n4/2022-05-factorydao/blob/main/contracts/PermissionlessBasicPoolFactory.sol#L252 Vulnerability details Impact In PermissionlessBasicPoolFactory\addPool(), it doesn’t check whether pool.excessBeneficiary is address(0). Therefore, when doing...

6.8AI Score

2022-05-08 12:00 AM
6
code423n4

Re-entrancy attack on the main functions

Lines of code https://github.com/code-423n4/2022-05-factorydao/blob/main/contracts/PermissionlessBasicPoolFactory.sol#L180 Vulnerability details Impact A malicious token, or one that implemented transfer hooks, could re-enter the public calling function (such as withdraw()) before proper internal.....

6.7AI Score

2022-05-08 12:00 AM
5
code423n4

setGlobalTax() Can Be Manipulated By The Global Beneficiary To Steal Reward Tokens Or Censor Pool Creators

Lines of code https://github.com/code-423n4/2022-05-factorydao/blob/main/contracts/PermissionlessBasicPoolFactory.sol#L110 https://github.com/code-423n4/2022-05-factorydao/blob/main/contracts/PermissionlessBasicPoolFactory.sol#L227 Vulnerability details Impact Upon pool creation, the pool...

6.7AI Score

2022-05-08 12:00 AM
4
code423n4

If a user sends an uninitialized poolId to function deposit() of PermissionlessBasicPoolFactory, then an attacker can cause the user's funds to be locked forever, and only unlock them if the user pays a ransom

Lines of code Vulnerability details Impact Function deposit() of PermissionlessBasicPoolFactory is supposed to revert if a user sends an uninitialized poolId by mistake, but if a user does this, an attacker can perform a front-running attack and create multiple pools with his smart contract and be owner of that...

6.9AI Score

2022-05-08 12:00 AM
5
code423n4

Users Can Prevent Excess Tokens From Being Withdrawn By The Pool Creator In withdrawExcessRewards()

Lines of code https://github.com/code-423n4/2022-05-factorydao/blob/main/contracts/PermissionlessBasicPoolFactory.sol#L185-L189 https://github.com/code-423n4/2022-05-factorydao/blob/main/contracts/PermissionlessBasicPoolFactory.sol#L221 Vulnerability details Impact Because pools will likely never.....

6.9AI Score

2022-05-08 12:00 AM
7
code423n4

Not all ERC20 tokens return boolean on transfer

Lines of code Vulnerability details Impact Some ERC20 tokens do not conform to the standard of returning a boolean when transfer is called. If one of these tokens is included as a reward token, the withdraw function will be irrevocably broken, and users won't be able to collect their reward or...

6.8AI Score

2022-05-08 12:00 AM
11
code423n4

PermissionlessBasicPoolFactory uses hard-coded decimals of 18

Lines of code Vulnerability details Once reward/deposit token decimals differ from 18, the calculations with a hard-coded 1e18 will become grossly incorrect. This will lead either to receiving no rewards: say the deposit is USDC with decimals of 6; being divided by 1e18 it adds 1e-12 to the rewards...

6.8AI Score

2022-05-08 12:00 AM
4
code423n4

PermissionlessBasicPoolFactory.sol Does Not Support Reward Tokens With Decimals Other Than 18

Lines of code https://github.com/code-423n4/2022-05-factorydao/blob/main/contracts/PermissionlessBasicPoolFactory.sol#L220 https://github.com/code-423n4/2022-05-factorydao/blob/main/contracts/PermissionlessBasicPoolFactory.sol#L279-L283...

6.7AI Score

2022-05-08 12:00 AM
6
code423n4

PermissionlessBasicPoolFactory.sol Does Not Support Reward Tokens With Decimals Other Than 18

Lines of code https://github.com/code-423n4/2022-05-factorydao/blob/main/contracts/PermissionlessBasicPoolFactory.sol#L156-L173 https://github.com/code-423n4/2022-05-factorydao/blob/main/contracts/PermissionlessBasicPoolFactory.sol#L142...

6.7AI Score

2022-05-08 12:00 AM
8
code423n4

Reward Token Transfer Failure Can Lead to Loss of Deposit in PermissionlessBasicPoolFactory

Lines of code Vulnerability details Impact If transfer of any reward token returns False or reverts for whatever reason, users who deposited will not be able to withdraw their deposit. A malicious pool creator could abuse this to lock tokens from victims by using two reward tokens, one...

6.7AI Score

2022-05-08 12:00 AM
6
code423n4

Pool Creators Can Reject Taxes From Being Withdrawn

Lines of code https://github.com/code-423n4/2022-05-factorydao/blob/main/contracts/PermissionlessBasicPoolFactory.sol#L224-L231 Vulnerability details Impact Upon pool creation, stakers can opt to earn rewards by staking their deposit tokens. When these deposit tokens are withdrawn, reward tokens...

6.7AI Score

2022-05-08 12:00 AM
4
code423n4

Attacker could make deposits of 1 wei in the yield contract to prevent excess rewards from being withdrawn

Lines of code https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/PermissionlessBasicPoolFactory.sol#L224 Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept If an attacker makes many deposits of 1...

6.7AI Score

2022-05-08 12:00 AM
4
malwarebytes

Steer clear of fake premium mobile app unlockers

A site has been bouncing around YouTube comments for the past couple of weeks. The site sometimes changes, the messages alter slightly, but the essence remains the same: In all cases, people acting in suspiciously automated fashion ask if everyone is using this "glitch" or generator without ever...

-0.2AI Score

2022-05-06 11:49 AM
9
malwarebytes

Airdrop phishing: what is it, and how is my cryptocurrency at risk?

Airdrop phishing is a really popular tactic at the moment. It emerged alongside the explosion of Web3/NFT/cryptocurrency popularity, and ensures scammers get a slice of the money pie. You may well have heard the term in passing, and wondered what an Airdrop is. Is your iPhone about to be Airdrop...

7AI Score

2022-05-03 01:16 PM
21
code423n4

Users can use the updateBoost function to claim unfairly large rewards from liquidity mining contracts for themselves at the cost of other users.

Lines of code https://github.com/code-423n4/2022-04-mimo/blob/b18670f44d595483df2c0f76d1c57a7bfbfbc083/core/contracts/liquidityMining/v2/GenericMinerV2.sol#L88-L94 Vulnerability details Impact Users aware of this vulnerability could effectively steal a portion of liquidity mining rewards from...

6.7AI Score

2022-05-02 12:00 AM
8
code423n4

Fund theft in PARMinerV2 by depositing in VotingEscrow and calling updateBoost() to update user.stakeWithBoost without updating accAmountPerShare and accParAmountPerShare, and then collecting more rewards

Lines of code Vulnerability details Impact An attacker can generate more PAR and MIMO rewards for himself and steal others' rewards by staking in VotingEscrow, then calling updateBoost() (which updates user.stakeWithBoost based on the user's boost multiplier, which is based on the user's VotingEscrow balance)...

6.8AI Score

2022-05-02 12:00 AM
4
code423n4

In GenericMinerV2, get more rewards by staking in votingEscrow and calling syncStake()

Lines of code https://github.com/code-423n4/2022-04-mimo/blob/b18670f44d595483df2c0f76d1c57a7bfbfbc083/core/contracts/liquidityMining/v2/VotingMinerV2.sol#L67-L71 Vulnerability details Impact User can withdraw & deposit in votingEscrow contract and then call syncStake() function of VotingMinerV2...

7AI Score

2022-05-02 12:00 AM
3
code423n4

Manager or owner can send rewards to any address

Lines of code Vulnerability details Impact In the claimRewards function, manager or owner can send rewards to any address. function claimRewards(address _to) external onlyManagerOrOwner returns (bool) { require(_to != address(0), "AaveV3YS/payee-not-zero-address"); address[] memory...

6.9AI Score

2022-04-30 12:00 AM
5
githubexploit

Exploit for Code Injection in Vmware Spring Framework

Vulnerability overview: Spring recently disclosed a high-impact CVE; the CVE information states "A Spring MVC or Spring...

9.8CVSS

10AI Score

0.975EPSS

2022-04-29 09:58 AM
14
code423n4

claimRewards() didn't follow the safe checks-effects pattern

Judge @GalloDaSballo has assessed the 2nd item in QA Report #230 as Medium risk. The relevant finding follows: … Impact A user can claim a reward by calling claimRewards(); however, this function didn't follow the correct checks-effects pattern, where the zero address is set after making an...

6.9AI Score

2022-04-29 12:00 AM
3
code423n4

Reentrancy in claimRewards in ConcurRewardPool

Judge @GalloDaSballo has assessed the 1st item in QA Report #163 as Medium risk. The relevant finding follows: … Reentrancy in claimRewards in ConcurRewardPool The function claimRewards is open to reentrancy; if the safeTransfer function of a token calls claimRewards again, the tokens can be...

6.9AI Score

2022-04-29 12:00 AM
5
code423n4

Potential Sandwich Attack: Arbitrage bots can front run reward tokens being sent to the liquidity mining contracts

Lines of code https://github.com/code-423n4/2022-04-mimo/blob/b18670f44d595483df2c0f76d1c57a7bfbfbc083/core/contracts/liquidityMining/PARMiner.sol#L257-L279 Vulnerability details Impact For the PARMiner and DemandMiner contracts, arbitrage bots could harvest a significant portion of rewards by...

6.7AI Score

2022-04-29 12:00 AM
2
cnvd

Cisco Adaptive Security Appliance and Firepower Threat Defense information disclosure vulnerability

Cisco Firepower Threat Defense and Cisco Adaptive Security Appliances Software are both products of Cisco, Inc. Cisco Adaptive Security Appliances Software is a firewall and network security platform. The platform provides highly secure access to data and network resources, among other...

1.8AI Score

2022-04-29 12:00 AM
4
cnvd

Beijing Netnifty Security Gateway has a weak password vulnerability

Beijing Netnifty Information Technology Company is a leading enterprise in the domestic information security industry, specializing in the research and development, production and sales of information security products, and providing hierarchical overall security solutions and security...

1.5AI Score

2022-04-28 12:00 AM
11
code423n4

Reward lost

Judge @GalloDaSballo has assessed the 11th item in QA Report #26 as Medium risk. The relevant finding follows: … Contract: https://github.com/code-423n4/2022-02-concur/blob/main/contracts/StakingRewards.sol In the notifyRewardAmount function, if Admin added a reward of 100 once block.timestamp >=...

6.8AI Score

2022-04-28 12:00 AM
4
code423n4

Potential reentrance in claimRewards

Judge @GalloDaSballo has assessed the 1st item in QA Report #36 as Medium risk. The relevant finding follows: … POC IERC20(_tokens[i]).safeTransfer(msg.sender, getting); reward[msg.sender][_tokens[i]] = 0; Considering there are external tokens, it is possible that some token...

6.9AI Score

2022-04-28 12:00 AM
4
thn

U.S. Offers $10 Million Bounty for Information on 6 Russian Military Hackers

The U.S. government on Tuesday announced up to $10 million in rewards for information on six hackers associated with the Russian military intelligence service. "These individuals participated in malicious cyber activities on behalf of the Russian government against U.S. critical infrastructure in.....

1.5AI Score

2022-04-27 08:28 AM
41
code423n4

AmmGauge stake allows for reentrancy that can lead to stealing the contract balance

Lines of code Vulnerability details Impact Some ERC20 tokens do allow for user control of execution. For example, ERC777 has the tokensReceived() hook. This way, the ability to reenter can be exercised with any such token. AmmGauge stake does not control for reentrancy and uses the balance difference....

7AI Score

2022-04-27 12:00 AM
10
code423n4

_incrementGaugeWeight allows user to add weight to nonexistent gauges

Lines of code Vulnerability details Impact A user adds weight to a gauge that hasn't been added. In addition to adding to a nonexistent gauge, it also increments _totalWeight, which only contains weight for live gauges. This value then results in...

6.8AI Score

2022-04-27 12:00 AM
4
code423n4

setFlywheelRewards can take any rewardToken

Lines of code Vulnerability details Impact Though setFlywheelRewards has requiresAuth, it still has rug risk that a privileged user can move all rewardToken of flywheelRewards to new (malicious) newFlywheelRewards unconditionally. Proof of Concept A malicious user or a compromised admin can call...

6.8AI Score

2022-04-27 12:00 AM
4
code423n4

[WP-H15] AmmConvexGauge.sol#poolCheckpoint() cvxStakedIntegral can be manipulated by the attacker

Lines of code Vulnerability details function poolCheckpoint() public virtual override returns (bool) { if (killed) { return false; } uint256 timeElapsed = block.timestamp - uint256(ammLastUpdated); uint256 currentRate =...

6.8AI Score

2022-04-27 12:00 AM
3
code423n4

FlywheelCore's setFlywheelRewards can remove access to reward funds from current users

Lines of code Vulnerability details Impact FlywheelCore.setFlywheelRewards can remove current reward funds from the current users' reach as it doesn't check that newFlywheelRewards' FlywheelCore is this contract. If it's not, by mistake or with a malicious intent, the users will lose the access to....

6.8AI Score

2022-04-26 12:00 AM
3
code423n4

Unlimited reward minting with Function Transfer in StakerVault (updates balances before calling userCheckpoint)

Lines of code Vulnerability details Impact The bug in the "StakerVault.transfer" function (which is externally callable) is that it first updates the balances of sender and receiver and then calls ILpGauge(lpGauge).userCheckpoint for those addresses. The function userCheckpoint uses the balance of the address to....

6.7AI Score

2022-04-26 12:00 AM
2
thn

Researchers Takeover Unpatched 3rd-Party Antivirus Sandboxes via VirusTotal

Security researchers have disclosed a security issue that could have allowed attackers to weaponize the VirusTotal platform as a conduit to achieve remote code execution (RCE) on unpatched third-party sandboxing machines employed by antivirus engines. The flaw, now patched, made it possible to...

10CVSS

2.2AI Score

0.975EPSS

2022-04-25 08:00 PM
89
githubexploit

Exploit for Uncontrolled Search Path Element in Honeywell Softmaster

CVE-2022-2333 Worked on this for more than half a year; here is something good for everyone to look at. sxf vpn, do you all like it? I don't really like it...

8.8CVSS

0.3AI Score

0.001EPSS

2022-04-25 10:13 AM
570
githubexploit

Exploit for Command Injection in Gerapy

cve-2021-32849 cve-2021-32849 (Gerapy command execution) Usage...

8.8CVSS

8.8AI Score

0.033EPSS

2022-04-25 06:44 AM
376
thn

FBI Warns of BlackCat Ransomware That Breached Over 60 Organisations Worldwide

The U.S. Federal Bureau of Investigation (FBI) is sounding the alarm on the BlackCat ransomware-as-a-service (RaaS), which it said victimized at least 60 entities worldwide as of March 2022 since its emergence last November. Also called ALPHV and Noberus, the malware is notable for being...

0.9AI Score

2022-04-25 04:51 AM
33
code423n4

User can steal all rewards due to checkpoint after transfer

Lines of code Vulnerability details Impact I believe this to be a high severity vulnerability that is potentially included in the currently deployed StakerVault.sol contract also. The team will be contacted immediately following the submission of this report. In StakerVault.sol, the user...

6.7AI Score

2022-04-25 12:00 AM
4
code423n4

FlywheelCore.setBooster() can be used to steal unclaimed rewards

Lines of code Vulnerability details Impact A malicious authorized user can steal all unclaimed rewards and break the reward accounting. Even if the authorized user is benevolent, the fact that there is a rug vector available may negatively impact the protocol's reputation. Furthermore, since this...

6.9AI Score

2022-04-25 12:00 AM
7
githubexploit

Exploit for Incorrect Default Permissions in Kingsoft Wps Office

CVE-2022-24934 Vulnerability overview WPS...

7.8CVSS

6.8AI Score

0.001EPSS

2022-04-22 08:30 AM
5
malwarebytes

Beware of fake Twitter philanthropists offering to put $750 into your Cash App account

Twitter philanthropists are a controversial emergence on the social media platform. In essence, Twitter-based philanthropy is about incredibly rich people helping out those who need it. The help is random, and often focused around performing a task like listening to a podcast or simply retweeting.....

0.1AI Score

2022-04-21 12:16 PM
10
code423n4

ERC20Gauges: The _incrementGaugeWeight function does not check the gauge parameter enough, so the user may lose rewards.

Lines of code Vulnerability details Impact The _incrementGaugeWeight function is used to increase the user's weight on the gauge. However, in the _incrementGaugeWeight function, it is only checked that the gauge parameter is not in _deprecatedGauges, but not checked that the gauge parameter is in.....

6.6AI Score

2022-04-21 12:00 AM
11
cnvd

WordPress VikBooking Hotel Booking Engine & PMS plugin information disclosure vulnerability

WordPress and WordPress plugin are products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. WordPress VikBooking Hotel...

1.7AI Score

2022-04-21 12:00 AM
7
githubexploit

8.8CVSS

8.8AI Score

0.96EPSS

2022-04-20 01:06 AM
553
cnvd

Tyler Technologies Tyler Odyssey information disclosure vulnerability

Tyler Technologies Tyler Odyssey is a court and judicial software system from Tyler Technologies, Inc. An information disclosure vulnerability exists in versions of Tyler Technologies Tyler Odyssey prior to 17.1.20, which stems from an insecure direct object reference issue in the platform. An...

7.5CVSS

2AI Score

0.002EPSS

2022-04-20 12:00 AM
15
cnvd

IBM Aspera High-Speed Transfer information disclosure vulnerability

IBM Aspera is a fast file transfer and streaming solution built on the IBM FASP protocol from IBM U.S.A. An information disclosure vulnerability exists in IBM Aspera High-Speed Transfer, which could be exploited by attackers to obtain information from non-sensitive operating system files to which.....

3.6AI Score

2022-04-18 12:00 AM
7
Total number of security vulnerabilities: 8399