微信打赏（Wechat Reward) Security Vulnerabilities

Exploit for SQL Injection in Jeecg Jeecg-Boot

CVE-2023-1454 jmreport/qurestSql 未授权SQL注入批量扫描poc...

Exploit for Exposure of Sensitive Information to an Unauthorized Actor in Minio

Minio-CVE-2023-28432...

Rorschach Ransomware Emerges: Experts Warn of Advanced Evasion Strategies

Cybersecurity researchers have taken the wraps off a previously undocumented ransomware strain called Rorschach that's both sophisticated and fast. "What makes Rorschach stand out from other ransomware strains is its high level of customization and its technically unique features that have not...

Upgraded Q -> 2 from #17 [1680620822176]

Judge has assessed an item in Issue #17 as 2 risk. The relevant finding follows: [L-10] It is possible in theory that stakes get locked due to call to LockTo with very small reward amount I pointed out and explained in my report #7 MuteBond.sol: deposit function reverts if remaining payout is very....

Upgraded Q -> 2 from #17 [1680620718364]

Judge has assessed an item in Issue #17 as 2 risk. The relevant finding follows: [L-05] Check that staking cannot occur when endTime is reached The MuteAmplifier.stake function should require that the current timestamp is smaller than endTime even when the call to stake is the first that ever...

reward-partners.net Cross Site Scripting vulnerability OBB-3245111

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...

Award is still distributed when there aren't any stakers, allowing users to get reward without staking

Lines of code Vulnerability details Proof of Concept Consider the update modifier for the amplifier. modifier update() { if (_mostRecentValueCalcTime == 0) { _mostRecentValueCalcTime = firstStakeTime; } uint256 totalCurrentStake = totalStake(); if...

MuteAmplifier.rescueTokens() checks the wrong condition for muteToken

Lines of code Vulnerability details Impact There will be 2 impacts. The reward system would be broken as the rewards can be withdrawn before starting staking. Some rewards would be locked inside the contract forever as it doesn't check totalReclaimed Proof of Concept rescueTokens() checks the...

A user can 'borrow' dMute balance for a single block to increase their amplifier APY

Lines of code Vulnerability details The amplifier's APY is calculated based on the user's dMute balance (delegation balance to be more accurate) - the more dMute the user holds the higher APY they get. However, the contract only checks the user's dMute balance at staking, the user doesn't have to.....

Logic for RescueTokens is incorrect for muteTokens

Lines of code Vulnerability details Proof of Concept The logic for RescueTokens doesn't take into account the reward remainders. I wanted to write a POC but I'm in a bit of a time crunch. So, imagine the following situation: totalRewards = 100, and staker A, B (the only stakers) staked for the...

An edge case in amplifier allows user to stake after end time, causing reward to be locked in the contract

Lines of code Vulnerability details Proof of Concept Observe that if nobody has staked after the period has ended, it's still possible for a single user to stake even though the period has ended....

AD Manager Plus 7122 Remote Code Execution

...

MuteAmplifier.rescueTokens() should check conditions for fee tokens(token0/token1) as well

Lines of code Vulnerability details Impact rescueTokens() can be used to withdraw fee tokens without any validations. As a result, the reward logic would be broken due to the lack of fee tokens. Proof of Concept rescueTokens() doesn't validate anything for the fee tokens. So if some fee tokens...

AD Manager Plus 7122 - Remote Code Execution Vulnerability

...

MuteAmplifier.sol: multiplier calculation is incorrect which leads to loss of rewards for almost all stakers

Lines of code https://github.com/code-423n4/2023-03-mute/blob/4d8b13add2907b17ac14627cfa04e0c3cc9a2bed/contracts/amplifier/MuteAmplifier.sol#L366-L388 https://github.com/code-423n4/2023-03-mute/blob/4d8b13add2907b17ac14627cfa04e0c3cc9a2bed/contracts/amplifier/MuteAmplifier.sol#L417-L460...

AD Manager Plus 7122 - Remote Code Execution (RCE)

...

Users might lose their stETH rebased reward due to the weights change

Lines of code Vulnerability details Vulnerability Details Let's consider the following scenario: Bob deposits 10eth with the weights: stETH: weights[0] = 90e18, rETH: weights[1] = 5e18. sfrxETH: weights[2] = 5e18 Now, since the Lido has 80% of liquid staking market, Asymmetry Finance...

reward-partners.org Cross Site Scripting vulnerability OBB-3240056

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...

Exploit for Exposure of Sensitive Information to an Unauthorized Actor in Minio

CVE-2023-28432 CVE-2023-28432 MinIO敏感信息泄露检测脚本 Usage ```...

Hacks at Pwn2Own Vancouver 2023

An impressive array of hacks were demonstrated at the first day of the Pwn2Own conference in Vancouver: On the first day of Pwn2Own Vancouver 2023, security researchers successfully demoed Tesla Model 3, Windows 11, and macOS zero-day exploits and exploit chains to win $375,000 and a Tesla Model...

Exploit for Exposure of Sensitive Information to an Unauthorized Actor in Minio

CVE-2023-28432...

Exploit for Exposure of Sensitive Information to an Unauthorized Actor in Minio

minio_unauth_check CVE-2023-28432,minio信息泄露检测工具...

weixin-python XML External Entity vulnerability

A vulnerability was found in zwczou WeChat SDK Python 0.3.0 and classified as critical. This issue affects the function validate/to_xml. The manipulation leads to xml external entity reference. The attack may be initiated remotely. Upgrading to version 0.5.5 is able to address this issue. The name....

weixin-python XML External Entity vulnerability

A vulnerability was found in zwczou WeChat SDK Python 0.3.0 and classified as critical. This issue affects the function validate/to_xml. The manipulation leads to xml external entity reference. The attack may be initiated remotely. Upgrading to version 0.5.5 is able to address this issue. The name....

CVE-2018-25082

A vulnerability was found in zwczou WeChat SDK Python 0.3.0 and classified as critical. This issue affects the function validate/to_xml. The manipulation leads to xml external entity reference. The attack may be initiated remotely. Upgrading to version 0.5.5 is able to address this issue. The...

CVE-2018-25082

A vulnerability was found in zwczou WeChat SDK Python 0.3.0 and classified as critical. This issue affects the function validate/to_xml. The manipulation leads to xml external entity reference. The attack may be initiated remotely. Upgrading to version 0.5.5 is able to address this issue. The...

CVE-2018-25082

A vulnerability was found in zwczou WeChat SDK Python 0.3.0 and classified as critical. This issue affects the function validate/to_xml. The manipulation leads to xml external entity reference. The attack may be initiated remotely. Upgrading to version 0.5.5 is able to address this issue. The...

Xxe

A vulnerability was found in zwczou WeChat SDK Python 0.3.0 and classified as critical. This issue affects the function validate/to_xml. The manipulation leads to xml external entity reference. The attack may be initiated remotely. Upgrading to version 0.5.5 is able to address this issue. The...

CVE-2018-25082 zwczou WeChat SDK Python to_xml xml external entity reference

A vulnerability was found in zwczou WeChat SDK Python 0.3.0 and classified as critical. This issue affects the function validate/to_xml. The manipulation leads to xml external entity reference. The attack may be initiated remotely. Upgrading to version 0.5.5 is able to address this issue. The...

Exploit for Missing Authentication for Critical Function in Linuxfoundation Harbor

CVE-2022-46463 (Harbor public镜像下载) Harbor是一款开源的镜像托管平台。...

bootloader doesn't add tighter gas limit to the IAccount.validateTransaction call

Lines of code Vulnerability details Impact As mentioned in the competition details: *Important, while the bootloader is out of scope, we may reward an additional bounty for valid bugs found in it by our judgement! As mentioned in the dev document,...

An attacker can manipulate the call stack of the transaction to impersonate another address and set a different value for the origin variable.

Lines of code Vulnerability details Impact By changing the transaction's call stack, an attacker can use the origin variable to pretend to be another address, as a result, the attacker can be able to enter the system without authorization and carry out evil deeds. Proof of Concept The...

Upgraded Q -> 3 from #197 [1678982150949]

Judge has assessed an item in Issue #197 as 3 risk. The relevant finding follows: [L-02] Instant reward calculation The text was updated successfully, but these errors were encountered: All...

Malicious users can claim BYTES rewards after withdrawing all of their LP stake

Lines of code Vulnerability details Impact Users are able to continue claiming BYTES rewards indefinitely on their initials points after withdrawing all of their LP stake. Proof of Concept A user can withdraw all of their LP staked tokens in multiple steps with an amount < 1e16. If the amount is...

BYTES2.getReward: no check for input

Lines of code Vulnerability details Impact the function getReward should validate that _to is not an empty address (0x0) to prevent accidental loss of BYTES. Impact: mint reward BYTES to address(0) will be lost Proof of Concept function getReward ( address _to ) external { ...

Flawed calculation in getPoolReward leads to permanent loss of rewards

Lines of code https://github.com/code-423n4/2023-03-neotokyo/blob/main/contracts/staking/NeoTokyoStaker.sol#L1390 Vulnerability details In NeoTokyoStaker.getPoolReward, a users reward is calculated as follows: 1388: uint256 share = points * _PRECISION / pool.totalPoints * totalReward; 1390: ...

Staker can withdraw a staked LP token amount that is small enough to ensure that lpPosition.points does not change when calling NeoTokyoStaker._withdrawLP function and cause extra reward shares, which the staker is not entitled to, to be minted to the staker when calling lpPosition.getPoolReward function later

Lines of code https://github.com/code-423n4/2023-03-neotokyo/blob/main/contracts/staking/NeoTokyoStaker.sol#L1264-L1396 Vulnerability details Impact When withdrawing the staked LP tokens, the staker can divide the total staked token amount into smaller amounts and call the NeoTokyoStaker.withdraw.....

Total reward is miscalculating

Lines of code Vulnerability details Impact In the getPoolReward the calcul of totalReward is wrong because the rewardRate is not updated. When block.timestamp is less or equal to windows.startTime the reward rate should equal to the current window rate not the previous one. Proof of Concept...

User Rewards will be lost in case of Withdraw

Lines of code https://github.com/code-423n4/2023-03-neotokyo/blob/dfa5887062e47e2d0c801ef33062d44c09f6f36e/contracts/staking/NeoTokyoStaker.sol#L1584 https://github.com/code-423n4/2023-03-neotokyo/blob/dfa5887062e47e2d0c801ef33062d44c09f6f36e/contracts/staking/NeoTokyoStaker.sol#L1519...

User can claim high rewards than he eligible

Lines of code https://github.com/code-423n4/2023-03-neotokyo/blob/dfa5887062e47e2d0c801ef33062d44c09f6f36e/contracts/staking/NeoTokyoStaker.sol#L1331 https://github.com/code-423n4/2023-03-neotokyo/blob/dfa5887062e47e2d0c801ef33062d44c09f6f36e/contracts/staking/NeoTokyoStaker.sol#L1342...

Attacker can abuse rounding down to get reward without depositing anything in LP pool

Lines of code Vulnerability details Impact In function _withdrawLP(), it calculates the amount of points from the amount input parameter. unchecked { uint256 points = amount * 100 / 1e18 * lpPosition.multiplier / _DIVISOR; // Update the caller's LP token stake. lpPosition.amount -=...

NeoTokyoStaker.getPoolReward function can be frontrun, which can cause staker and DAO to lose reward shares that they are entitled to

Lines of code https://github.com/code-423n4/2023-03-neotokyo/blob/main/contracts/staking/NeoTokyoStaker.sol#L1124-L1174 https://github.com/code-423n4/2023-03-neotokyo/blob/main/contracts/staking/NeoTokyoStaker.sol#L1264-L1396 Vulnerability details Impact When calling the following...

Infinite mint via points underflow (in scope)

Lines of code Vulnerability details Impact Due to unchecked math in the _withdrawLP() function, a user can trigger an underflow in their points and infinitely increase their rewards. The problem exists in several places. Problem 1. The configureTimelockOptions() function allows setting...

_withdrawLP is not re-setting the lpPosition.points when lpPosition.amount

Lines of code Vulnerability details Impact User can withdraw their LP tokens without affecting their lpPosition.points. Since the lpPosition.points could not deducted then and there whenever the LP token is drawn out, user can use the old lpPosition.points and new lpPosition.points value to...

BYTES can be used to increase points by staking them immediately before withdrawing them

Lines of code Vulnerability details Impact When staking BYTES, users don't need to lock them for any specific time. BYTES are locked in a Citizen, and they are withdrawn together with the Citizen. Users can stake all the BYTES they own before withdrawing the citizen, increasing their points in the....

An malicious user can mint a huge amount of BYTES 2.0 tokens for himself

Lines of code https://github.com/code-423n4/2023-03-neotokyo/blob/main/contracts/staking/NeoTokyoStaker.sol#L1622-L1631 Vulnerability details Impact An attacker can mint a huge amount of BYTES 2.0 tokens for himself. Additionally, the rewards system can be permanently damaged by making the...

Rewards calculation is unfair and leads to stakers losing rewards

Lines of code https://github.com/code-423n4/2023-03-neotokyo/blob/dfa5887062e47e2d0c801ef33062d44c09f6f36e/contracts/staking/NeoTokyoStaker.sol#L1388 Vulnerability details User rewards are updated upon staking actions (ie stake() or withdraw()): File: contracts/staking/NeoTokyoStaker.sol...

Wrong accounting of share leading to incorrect amount of BYTES be minted per second

Lines of code Vulnerability details Impact In NeoTokyoStaker, staker is a competitive system where stakers compete for a fixed emission rate in each of the S1 Citizen, S2 Citizen, and LP token staking pools. For each staking pool, there are some reward windows. Each reward window has different...

Staking BYTES to Citizen does not extend timelock, allowing attacker to manipulate totalPoints with flash loan

Lines of code Vulnerability details Impact In NeoTokyoStaker, BYTES token can be staked into a Citizen. First, the Citizen must be staked, it will be locked for a timelock duration in Staking contract. Staker want to stake BYTES can specify this Citizen ID and stake into it. However, when users...

User can call getReward multiple times causing 51% attack

Lines of code https://github.com/code-423n4/2023-03-neotokyo/blob/dfa5887062e47e2d0c801ef33062d44c09f6f36e/contracts/staking/BYTES2.sol#L114 Vulnerability details Impact The Neo Tokyo staking program operates as follows: The staker is a competitive system where stakers compete for a fixed emission....