18 matches found
Always-Incorrect Control Flow Implementation
Overview Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation due to incorrect state handling in nested execution paths involving the ICS20 precompile. An attacker can reuse the same token balance repeatedly within a single transaction by exploiting...
Willchain: Decentralized, Privacy-Preserving, Self-Executing, Digital Wills
This work presents a novel decentralized protocol for digital estate planning that integrates advances in distributed computing and cryptography. The original proof-of-concept was constructed purely from Solidity contracts. Since then, we have enhanced the implementation into a layer-1 protocol th...
MAL-2025-1599 Malicious code in interchain-attestation-docs (npm)
Source: ghsa-malware 62cc6bf711c9a215813941fee025df8878d105a26cff9eaf31791d55a0b4410d Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
GHSA-7225-M954-23V7 ASA-2024-010: cosmossdk.io/math: Mismatched bit-length validation in sdk.Int and sdk.Dec can lead to panic
Name: ASA-2024-010: Mismatched bit-length in sdk.Int and sdk.Dec can lead to panic Component: Cosmos SDK / Math Criticality: High (Considerable Impact and Possible Likelihood per ACMv1.2) Affected versions: cosmossdk.io/math package versions Note: When on a lower version than cosmossdk.io/math...
Improper Input Validation
github.com/cosmos/interchain-security is vulnerable to Improper Input Validation. The vulnerability is caused by a missing check on the ICS side that the message signer matches the provider address. This can allow any user to opt in, opt out, change the commission rate, or change what publ...
GO-2024-3121 Interchain Security: The signers of ICS messages do not need to match the provider address in github.com/cosmos/interchain-security
Interchain Security: The signers of ICS messages do not need to match the provider address in github.com/cosmos/interchain-security...
Missing Cryptographic Equivocation
github.com/cosmos/gaia is vulnerable to Missing Cryptographic Equivocation. The vulnerability is caused by an issue in the Interchain Security ICS module that could result in the slashing of a validator for an "old" equivocation...
GO-2024-2903 Contract balance not updating correctly after interchain transaction in github.com/evmos/evmos
Contract balance not updating correctly after interchain transaction in github.com/evmos/evmos...
Session Fixation
Evmos is vulnerable to Session Fixation. The vulnerability is due to the improper handling of contract balances during interchain transactions that combine a local state change with an ICS20 transfer. An attacker can exploit this flaw to artificially increase the supply of Evmos tokens by manipulatin...
CVE-2024-37153 Evmos's contract balance not updating correctly after interchain transaction
Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. There is an issue with liquid staking through Safe, which is itself a contract. The bug only appears when there is a local state change together with an ICS20 transfer in the same function that uses the contract's balance, that...
Contract balance not updating correctly after interchain transaction
Details We discovered a bug walking through how to liquid stake using Safe which...
GHSA-XGR7-JGQ3-MHMC Contract balance not updating correctly after interchain transaction
Details We discovered a bug walking through how to liquid stake using Safe which...
Evmos Security Vulnerabilities
Evmos is a scalable, high-throughput proof-of-stake blockchain built for full compatibility and interoperability with Ethereum. A security vulnerability exists in Evmos version 18.1.0 and earlier, which stems from contract balances not being updated correctly after interchain transactions...
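The Evmos entries above (GO-2024-2903, CVE-2024-37153, GHSA-XGR7-JGQ3-MHMC) describe one bug class: a contract's balance is read from the EVM state while an ICS20 transfer in the same call debits it elsewhere, so a stale balance can be spent again and the token supply grows. The toy model below is an added illustration written for this page, not Evmos or Cosmos SDK code; the two-view `Chain` type, the `ICS20Transfer` and `LocalTransfer` helpers and the 100-token scenario are assumptions chosen to show the mechanism and its fix (keeping the EVM view in step with the bank debit), not the actual Evmos precompile internals.

```go
package main

import (
	"errors"
	"fmt"
)

// Toy model (an assumption for illustration, not Evmos or Cosmos SDK code).
// During one transaction a contract's native balance has two views: the EVM
// state that contract code reads, and the bank balance that an ICS20 transfer
// actually debits. If the precompile's debit is not written back into the EVM
// view, the contract can spend the same balance twice and supply inflates.

var ErrInsufficient = errors.New("insufficient balance")

type Chain struct {
	evm      map[string]int64 // balance as the EVM state sees it
	bank     map[string]int64 // balance as the bank module holds it
	escrowed int64            // tokens moved out through IBC (held in escrow)
	synced   bool             // fixed variant: precompile debits update the EVM view
}

func NewChain(synced bool) *Chain {
	return &Chain{evm: map[string]int64{}, bank: map[string]int64{}, synced: synced}
}

// Fund credits both views, as a balance present before the transaction would be.
func (c *Chain) Fund(addr string, amt int64) {
	c.evm[addr] += amt
	c.bank[addr] += amt
}

// ICS20Transfer models the precompile call: it escrows tokens out of the bank balance.
func (c *Chain) ICS20Transfer(from string, amt int64) error {
	if c.bank[from] < amt {
		return ErrInsufficient
	}
	c.bank[from] -= amt
	c.escrowed += amt
	if c.synced {
		c.evm[from] -= amt // the fix: keep the EVM view in step with the bank debit
	}
	return nil
}

// LocalTransfer models a plain EVM value transfer in the same call; it only
// ever consults the EVM view of the balance.
func (c *Chain) LocalTransfer(from, to string, amt int64) error {
	if c.evm[from] < amt {
		return ErrInsufficient
	}
	c.evm[from] -= amt
	c.evm[to] += amt
	return nil
}

// Commit writes the EVM view over the bank balances at the end of the
// transaction; this is what turns a stale EVM view into real tokens.
func (c *Chain) Commit() {
	for addr, bal := range c.evm {
		c.bank[addr] = bal
	}
}

// Supply is every token the chain accounts for: bank balances plus IBC escrow.
func (c *Chain) Supply() int64 {
	total := c.escrowed
	for _, bal := range c.bank {
		total += bal
	}
	return total
}

// RunScenario funds a contract with 100 tokens, sends all 100 out via ICS20 and
// then pays the same 100 to an attacker in the same call. It returns the
// attacker's final balance, the resulting supply, and the local transfer's error.
func RunScenario(fixed bool) (attackerBalance, supply int64, localErr error) {
	c := NewChain(fixed)
	c.Fund("contract", 100)
	if err := c.ICS20Transfer("contract", 100); err != nil {
		return 0, c.Supply(), err
	}
	localErr = c.LocalTransfer("contract", "attacker", 100)
	c.Commit()
	return c.bank["attacker"], c.Supply(), localErr
}

func main() {
	for _, fixed := range []bool{false, true} {
		gain, supply, err := RunScenario(fixed)
		fmt.Printf("fixed=%v attacker=%d supply=%d localTransferErr=%v\n", fixed, gain, supply, err)
	}
}
```

In the unsynced run the attacker receives 100 tokens while another 100 sit in IBC escrow, so a chain that started with 100 tokens now accounts for 200; in the synced run the second spend fails with `ErrInsufficient` and supply stays at 100. The general lesson for any stateful precompile is that every balance mutation it performs must be visible to the EVM state of the same transaction before control returns to contract code.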
GHSA-555P-M4V6-CQXV ASA-2024-004: Default configuration param for Evidence may limit window of validity
ASA-2024-004: Default configuration param for Evidence may limit window of validity Component: CometBFT Criticality: Low Affected versions: All Affected users: Validators, Chain Builders + Maintainers Summary A default configuration value in CometBFT has been found to be too small for common use cases, and...
ASA-2024-004: Default configuration param for Evidence may limit window of validity
ASA-2024-004: Default configuration param for Evidence may limit window of validity Component: CometBFT Criticality: Low Affected versions: All Affected users: Validators, Chain Builders + Maintainers Summary A default configuration value in CometBFT has been found to be too small for common use cases, and...
Cosmos-SDK Cosmovisor component may be vulnerable to denial of service
Component: Cosmovisor Criticality: Medium Affected Versions: Cosmovisor v1.0.0 distributed with Cosmos-SDK 0.46 Affected Users: Validators and Node operators utilizing unsupported versions of Cosmovisor Impact: DOS, potential RCE on node depending on configuration An issue has been identified on...
Interchain token transfer can be DoSed due to flow limit
Vulnerability details Impact A large token holder can send tokens back and forth, consuming the flow limit to capacity at the start of every epoch and making the system unusable for everyone else. Proof of Concept Interchain tokens can be transferred from one chain to another via the token...
I’m Now a Full-Time Professional Open Source Maintainer
or, "Holy shit, it works!" Last May I left my job on the Go team at Google to experiment with more sustainable paths for open-source maintainers. I held on to my various maintainer hats (Go cryptography, transparency tooling, age, mkcert, yubikey-agent…), iterated on the model since September, and ...