filecoin-audit-kit
Filecoin Security Devnet Spin up a local Filecoin network for...
Integer Overflow
github.com/filecoin-project/go-f3 is vulnerable to an Integer Overflow. The vulnerability is due to improper signer index validation, where a crafted “poison” message can trigger an integer overflow and cause go-f3 to panic, allowing attackers to crash any Filecoin node that directly consumes the...
GO-2025-3990 go-f3 module vulnerable to integer overflow leading to panic in github.com/filecoin-project/go-f3
go-f3 module vulnerable to integer overflow leading to panic in github.com/filecoin-project/go-f3...
Malicious Package
Overview filecoin-checker-shared is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packa...
EUVD-2021-0938
Malware in sbrugna...
CVE-2025-59941
go-f3 is a Golang implementation of Fast Finality for Filecoin F3. In versions 0.8.8 and below, go-f3's justification verification caching mechanism has a vulnerability where verification results are cached without properly considering the context of the message. An attacker can bypass...
Authentication Bypass by Primary Weakness
Overview Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness via the justification verification process. An attacker can influence consensus decisions and potentially disrupt network liveness by reusing cached justifications in inappropriate message...
Go implementation of Fast Finality in Filecoin Security Vulnerability
Go implementation of Fast Finality in Filecoin is a Golang library for a fast validation mechanism open-sourced by Filecoin. A security vulnerability exists in Go implementation of Fast Finality in Filecoin version 0.8.8 and earlier, which stems from the validation result caching mechanism not...
PT-2025-39916
Name of the Vulnerable Software and Affected Versions go-f3 versions 0.8.8 and below Description go-f3’s justification verification caching mechanism improperly caches verification results without considering the message context. An attacker can bypass justification verification by submitting a...
Go implementation of Fast Finality in Filecoin Input Validation Error Vulnerability
Go implementation of Fast Finality in Filecoin is an open source Golang library for Filecoin with a fast validation mechanism. An input validation error vulnerability exists in Go implementation of Fast Finality in Filecoin 0.8.6 and prior versions, which stems from an integer overflow when...
PT-2025-39917
Name of the Vulnerable Software and Affected Versions go-f3 versions 0.8.6 and earlier Description go-f3 is a Golang implementation of Fast Finality for Filecoin F3. Versions 0.8.6 and below experience a panic when validating specific "poison" messages. These messages can trigger an integer...
MAL-2025-47603 Malicious code in filecoin-checker-shared (npm)
Source: ghsa-malware 6196805b97dfa338fede5b1f871b87e26bfe4909ed5ac6a26c580e29f40cd85d Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
CVE-2021-21405
Lotus is an Implementation of the Filecoin protocol written in Go. BLS signature validation in lotus uses blst library method VerifyCompressed. This method accepts signatures in 2 forms: "serialized", and "compressed", meaning that BLS signatures can be provided as either of 2 unique byte arrays...
How These Decentralized AI Solutions Secure Their Services in a Disruptive Industry
This article looks at the measures AI solutions take to secure their offering with insights from platforms like OORT and Filecoin who are creating new security models for their AI infrastructure...
GO-2022-0905 BLS Signature "Malleability" in github.com/filecoin-project/lotus
BLS Signature "Malleability" in github.com/filecoin-project/lotus...
bellperson (>=0.3.4 <=0.15.0), ff-cl-gen (>=0.1.0 <=0.3.0) +10 more potentially affected by CVE-2021-25908 via fil-ocl (=0.19.6)
fil-ocl CARGO version =0.19.6 is affected by a known vulnerability. The following packages have a transitive dependency on fil-ocl and may be impacted: - bellperson =0.3.4, =0.1.0, =5.0.0, =5.0.0, =2.3.0, =0.1.0, =0.1.0, =5.0.0, =5.4.0, =5.0.0, =5.0.0, =0.1.1, =0.1.2 Source cves: CVE-2021-25908...
br.com.swconsultoria:java-cte (>=3.00.4 <=3.00.8), br.com.swconsultoria:java-mdfe (>=3.00.3 <=3.00.4) +1215 more potentially affected by CVE-2020-15522 via org.bouncycastle:bcprov-jdk16 (>=1.38 <=1.46)
org.bouncycastle:bcprov-jdk16 MAVEN version =1.38, =3.00.4, =3.00.3, =4.00.10, =1.0, =2.0, =1.2.4, =2.0.0, =2.1, =2.1, =2.10.0, =2.10.0, =2.11.0 and more Source cves: CVE-2020-15522 Source advisory: OSV:GHSA-6XX3-RG99-GC3P...
br.com.swconsultoria:java-cte (>=3.00.4 <=3.00.8), br.com.swconsultoria:java-mdfe (>=3.00.3 <=3.00.4) +1215 more potentially affected by CVE-2020-26939 via org.bouncycastle:bcprov-jdk16 (>=1.38 <=1.46)
org.bouncycastle:bcprov-jdk16 MAVEN version =1.38, =3.00.4, =3.00.3, =4.00.10, =1.0, =2.0, =1.2.4, =2.0.0, =2.1, =2.1, =2.10.0, =2.10.0, =2.11.0 and more Source cves: CVE-2020-26939 Source advisory: OSV:GHSA-72M5-FVVV-55M6...