The federal Zero Trust strategy and Microsoft’s deployment guidance for all
You’d be forgiven for missing the White House announcement on federal Zero Trust strategy on January 26, 2022. After all, on that day alone a Supreme Court Justice announced his intention to retire, the Federal Reserve announced its plan to raise interest rates, and the State Department was busy...
BlackCat Ransomware group attacks on the rise
THREAT LEVEL: Red. For a detailed advisory, download the pdf file here The Blackcat Ransomware gang also known as ALPHV has targeted around 25 organizations belonging to multiple sectors globally since November 2021. The group has claimed responsibility for the recent cyber attack on Swissport...
Zyxel Buffer Overflow / File Disclosure / CSRF / XSS / Broken Access Control Vulnerabilities
Multiple Zyxel devices suffer from buffer overflow, local file disclosure, unsafe storage of sensitive data, command injection, broken access control, symbolic link processing, cross site request forgery, and cross site scripting vulnerabilities...
What’s Next in Security from Microsoft
One of the biggest challenges in security today is complexity. Not only is there an ever-growing number of threats, but many organizations are defending their companies with a patchwork of security solutions that don’t work well together. This piecemeal approach is costly, less secure, and hinder...
Cybersecurity threats are always changing—staying on top of them is vital, getting ahead of them is paramount
With a 1,070 percent increase in ransomware attacks year-over-year between July 2020 and June 2021, staying on top of attack trends—such as ransomware and supply chain threats—is more important than ever. To successfully detect and defend against security threats, we need to come together as a...
What You Need to Do Today to Protect Against Account Takeover Attacks
Historically, account takeover (ATO) has been recognized as an attack in which cybercriminals take ownership of online accounts using stolen passwords and usernames. Cybercriminals purchase a list of account credentials from the dark web that are usually compiled by hackers through social...
This Week in Security News - January 28th, 2022
Welcome to our weekly roundup, where we share what you need to know about cybersecurity news and events that happened over the past few days. This week, read the third installment of Trend Micro’s Codex series. Also, read about the White House’s latest zero-trust approach to its cybersecurity...
Re-try withdrawAll from inactive strategy
Handle pauliax Vulnerability details Impact When the withdrawAll from yieldStrategy fails, it nevertheless sets the new yieldStrategy and the old one is forgiven. try yieldStrategy.withdrawAll() {} catch (bytes memory reason) { emit YieldStrategyUpdateWithdrawAllError(reason); } emit...
Sherlock: Decouple yield strategy with withdrawals
Handle GreyArt Vulnerability details Impact If there are funds remaining in an old strategy, there is only 1 way to claim those funds which is through Sherlock.updateYieldStrategy . It is quite an inconvenience to do this. Recommended Mitigation Steps Create an additional function to allow anyone...
Owner should be able to choose to not ignore failures in updateYieldStrategy
Handle harleythedog Vulnerability details Impact In Sherlock.sol, the function updateYieldStrategy ignores all errors when yieldStrategy.withdrawAll is called, and I believe this is a dangerous design choice. If yieldStrategy.withdrawAll reverts, then all the funds that are deposited in the yiel...
updateYieldStrategy will freeze some funds with the old Strategy if yieldStrategy fails to withdraw all the funds because of liquidity issues
Handle hyh Vulnerability details Impact Part of the funds held with the strategy can be frozen if the current strategy has tight liquidity when updateYieldStrategy is run as this function makes an attempt to withdraw all the funds and then unconditionally removes the strategy. The Sherlock to...
Real Big Phish: Mobile Phishing & Managing User Fallibility
According to a recent survey from Ivanti, nearly three-quarters (74 percent) of IT professionals reported that their organizations have fallen victim to a phishing attack – and 40 percent of those happened in the last month alone. Increasingly, mobile phishing is the culprit. What’s more, nearly ha...
requestWithdraw without obligation to withdraw allow underwriter to avoid payout
Handle gzeon Vulnerability details Impact To prevent withdrawal front-running, a lockup period is set between withdrawal request and withdrawal. However, there is no obligation to withdraw after the lockup period and the capital will keep earning premium during lockup. A strategy for underwriter...
Vault: Reduce reliance on manual rebalances from strategy to vault
Handle hickuphh3 Vulnerability details Impact Withdrawals are processed solely with funds that are held by the vault. Should there be insufficient liquidity (e.g. many withdrawals in a short time), users have to rely on a trusted party operator to move funds from the investment strategy to the vault...
Race condition to withdraw funds
Handle pedroais Vulnerability details Impact Users may have to wait more time than predicted to withdraw funds. Proof of Concept The vault's funds are distributed between the vault and the investment strategy but withdrawals come only from funds that are currently inside the vault. This means tha...
Vault withdraws should withdraw from strategy if necessary
Handle harleythedog Vulnerability details Impact When a user calls withdraw, the amount of underlying assets that they are owed is dependent on their number of shares, and the number of underlying assets in the vault + strategy. If x is the number of underlying tokens intended to be sent to the...
Possible griefing attack on vault setStrategy
Handle harleythedog Vulnerability details Impact In the function setStrategy within Vault.sol, there is a requirement that strategy.investedAssets == 0 so that no funds are left stuck in the strategy. A malicious user could strategically transfer 1 wei of underlying to the strategy or any other...
strategy change can be prevented
Handle danb Vulnerability details strategy change requires the invested assets to be zero. anyone can make it fail by transferring aust to the strategy...
Possibility of insufficient funds in Vault
Handle palina Vulnerability details Impact In Vault.sol, totalUnderlying and, therefore, totalUnderlyingMinusSponsored include both funds available in the Vault as well as those invested in the Strategy. The calculation of amounts returned to depositors and sponsors in withdraw and unsponsor also...
Changing a strategy can be bricked
Handle kenzo Vulnerability details A vault wouldn't let the strategy be changed unless the strategy holds no funds. Since anybody can send funds to the strategy, a griefing attack is possible. Impact Strategy couldn't be changed. Proof of Concept setStrategy requires strategy.investedAssets == 0...