Code423n4, added 2022/01/10 12:00 a.m. (12 views)

When a user performs a withdrawal operation, a rollback that is not considered by the program may be triggered.

Handle: ACai. Vulnerability details. Impact: When the Vault contract deposits all or most of the tokens into the strategy contract, so that the tokens remaining in the Vault contract are fewer than the user's deposit, the user's withdrawal operation will result in a rollback that is not considered by the...

AI score 7, exploits 0
The Hacker News, added 2022/01/06 11:16 a.m. (22 views)

NIST Cybersecurity Framework: A Quick Guide for SaaS Security Compliance

When I want to know the most recently published best practices in cyber security, I visit the National Institute of Standards and Technology (NIST). From the latest password requirements (NIST 800-63) to IoT security for manufacturers (NISTIR 8259), NIST is always the starting point. NIST plays a key...

AI score 0.9, exploits 0
Microsoft Secure, added 2022/01/04 5:00 p.m. (17 views)

What you need to know about how cryptography impacts your security strategy

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest post of our Voice of the Community blog series, Microsoft Security Product Marketing Manager Natalia Godyla talks with Taurus SA Co-founder...

AI score 7.1, exploits 0
Gitee, added 2021/12/20 7:29 p.m. (4 views)

Exploit for Off-by-one Error in Sudo_Project Sudo

This is a PoC exploit for CVE-2021-3156, a sudo vulnerability dubbed Baron Samedit. The exploit is designed to achieve single-shot access to the system without modifying system files. It is written in C and uses a heap overflow technique to bypass security restrictions. The exploit is typically...

CVSS 7.8, AI score 7.7, EPSS 0.99305, exploits 81
Code423n4, added 2021/12/16 12:00 a.m. (9 views)

Users Can Siphon AaveYield Rewards By Depositing And Withdrawing Collateral

Handle: leastwood. Vulnerability details. Impact: The AaveYield contract provides users with the option to choose Aave as their strategy of choice to generate yield. Users will make deposits to this strategy via the SavingsAccount contract. Upon deposit, shares are minted at a 1:1 exchange rate and t...

AI score 6.9, exploits 0
Code423n4, added 2021/12/15 12:00 a.m. (11 views)

Yearn token <> shares conversion decimal issue

Handle: cmichel. Vulnerability details: The yearn strategy YearnYield converts shares to tokens by doing pricePerFullShare * shares / 1e18: function getTokensForShares(uint256 shares, address asset) public view override returns (uint256 amount) { if (shares == 0) return 0; // @audit should be divided by...

AI score 6.9, exploits 0
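The decimal point behind the finding above, as an added example written for this page (it is not the audited project's code and not the warden's): a hard-coded 1e18 divisor is only correct for 18-decimal vaults. The IYVault interface below is an assumption modelled on Yearn v2-style vaults, which expose decimals() and a pricePerShare() scaled by 10 ** decimals(); the contract and function names are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed vault interface for this example: price per share is scaled by
// 10 ** decimals(), so a 6-decimal (USDC-style) vault reports a price of 1.05
// as 1_050_000, not 1.05e18.
interface IYVault {
    function decimals() external view returns (uint8);
    function pricePerShare() external view returns (uint256);
}

contract YearnYieldExample {
    // Vulnerable: hard-codes an 18-decimal scale. For a 6-decimal vault the
    // result is 1e12 times too small, so shares convert back to almost no tokens.
    function getTokensForSharesNaive(uint256 shares, IYVault vault) public view returns (uint256) {
        if (shares == 0) return 0;
        return vault.pricePerShare() * shares / 1e18;
    }

    // Fixed: scale by the vault's own decimals instead of assuming 18.
    function getTokensForShares(uint256 shares, IYVault vault) public view returns (uint256) {
        if (shares == 0) return 0;
        return vault.pricePerShare() * shares / (10 ** uint256(vault.decimals()));
    }

    // Inverse conversion with the same scale; rounds down so the vault is never
    // over-issued. Guards against a zero price, which would otherwise revert with
    // an opaque division-by-zero panic.
    function getSharesForTokens(uint256 amount, IYVault vault) public view returns (uint256) {
        if (amount == 0) return 0;
        uint256 price = vault.pricePerShare();
        require(price > 0, "zero price per share");
        return amount * (10 ** uint256(vault.decimals())) / price;
    }
}
```

The practitioner's check is simple: for any external vault, read its decimals() on-chain and confirm the scale of its price function against one known deposit before trusting a constant in the integration.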
Code423n4, added 2021/12/15 12:00 a.m. (6 views)

Wrong implementation of AaveYield.sol causing users to lose yields

Handle: WatchPug. Vulnerability details: The current implementation of AaveYield.sol is taking Aave's aToken as a share token (e.g., cToken and yToken). However, Aave's aTokens are quite different from cToken and yToken, as an aToken is always 1:1 to the underlying token and the holder's balance will keep changin...

AI score 6.8, exploits 0
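The accounting point shared by the two AaveYield findings above (shares minted 1:1 against a rebasing aToken), as an added example written for this page rather than the project's or the wardens' code: an aToken balance grows on its own as interest accrues, so fixed 1:1 shares leave that growth unattributed. The IAToken interface, contract and function names are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed aToken surface: a standard ERC-20 whose balanceOf() rebases upward
// as interest accrues on the underlying Aave deposit.
interface IAToken {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract AaveYieldShares {
    IAToken public immutable aToken;
    uint256 public totalShares;
    mapping(address => uint256) public shares;

    constructor(IAToken _aToken) {
        aToken = _aToken;
    }

    // Grows without any call into this contract, because aTokens rebase.
    function totalAssets() public view returns (uint256) {
        return aToken.balanceOf(address(this));
    }

    // Vulnerable: treats aTokens like cTokens/yTokens and mints shares 1:1.
    // Every withdrawal pays back exactly the deposited amount, so the interest
    // that accrued on the contract's balance is never paid to anyone.
    function depositNaive(uint256 amount) external {
        require(aToken.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        shares[msg.sender] += amount;
        totalShares += amount;
    }

    function withdrawNaive(uint256 amount) external {
        shares[msg.sender] -= amount; // reverts on underflow in 0.8
        totalShares -= amount;
        require(aToken.transfer(msg.sender, amount), "transfer failed");
    }

    // Fixed: a share is a pro-rata claim on totalAssets(), so accrued interest
    // is distributed in proportion to each depositor's stake.
    function deposit(uint256 amount) external returns (uint256 minted) {
        uint256 assetsBefore = totalAssets(); // read before the transfer in
        minted = (totalShares == 0 || assetsBefore == 0)
            ? amount
            : amount * totalShares / assetsBefore;
        require(aToken.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        shares[msg.sender] += minted;
        totalShares += minted;
    }

    function withdraw(uint256 shareAmount) external returns (uint256 amount) {
        amount = shareAmount * totalAssets() / totalShares; // compute before burning
        shares[msg.sender] -= shareAmount;
        totalShares -= shareAmount;
        require(aToken.transfer(msg.sender, amount), "transfer failed");
    }
}
```

Proportional-share vaults of this shape need the usual first-depositor protection (a tiny initial deposit plus a direct aToken donation can inflate the share price and round later depositors down to zero shares); that is a separate, well-known issue and is not handled above.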
Code423n4, added 2021/12/15 12:00 a.m. (10 views)

Incorrect safeApprove usage

Handle: Jujic. Vulnerability details. Impact: safeApprove won't work when the current allowance is non-zero; there may be cases when strategies will not use all of their allowance, so switching to a new strategy will be blocked. Proof of Concept. Tools Used. Recommended Mitigation Steps: I recommend approving to zero and then...

AI score 6.9, exploits 0
Code423n4, added 2021/12/14 12:00 a.m. (11 views)

SavingsAccount withdrawAll and switchStrategy can freeze user funds by ignoring possible strategy liquidity issues

Handle: hyh. Vulnerability details. Impact: Full withdrawal and moving funds between strategies can lead to wrong accounting if the corresponding market has tight liquidity, which can be the case at least for AaveYield. That is, as the whole amount is required to be moved at once from Aave, both...

AI score 6.8, exploits 0
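The two vault findings in this list that concern withdrawals (the first entry, where a withdrawal reverts once the vault has pushed its tokens into a strategy, and the entry above, where moving the whole amount at once fails under tight liquidity) share one fix: pull the shortfall from the strategy and pay out only what actually arrived. This is an added example written for this page, not the audited project's code; the IStrategy interface, its withdraw() return value and the contract name are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-20 surface needed here.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Assumed strategy interface: withdraw() sends tokens back to the caller and
// returns how much actually arrived, which can be less than requested when the
// underlying market (e.g. Aave) is short on liquidity.
interface IStrategy {
    function withdraw(uint256 amount) external returns (uint256 received);
}

contract VaultExample {
    IERC20 public immutable token;
    IStrategy public strategy;
    mapping(address => uint256) public balances;

    constructor(IERC20 _token, IStrategy _strategy) {
        token = _token;
        strategy = _strategy;
    }

    // Vulnerable: assumes the vault still holds the user's tokens. Once most of
    // the balance has been deposited into the strategy, transfer() fails and the
    // whole call reverts, so the user cannot withdraw even though the funds
    // exist in the strategy.
    function withdrawNaive(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;
        require(token.transfer(msg.sender, amount), "transfer failed");
    }

    // Fixed: top up from the strategy first, then pay out only what the vault
    // actually holds. A strategy that can return only part of the request
    // degrades to a partial withdrawal with correct accounting instead of a
    // revert that freezes the user's funds.
    function withdraw(uint256 amount) external returns (uint256 paid) {
        require(balances[msg.sender] >= amount, "insufficient balance");
        uint256 idle = token.balanceOf(address(this));
        if (idle < amount) {
            uint256 received = strategy.withdraw(amount - idle);
            uint256 available = idle + received;
            if (available < amount) amount = available; // partial, not revert
        }
        balances[msg.sender] -= amount;
        require(token.transfer(msg.sender, amount), "transfer failed");
        return amount;
    }
}
```

The external call into the strategy happens before the user's balance is debited, which is only acceptable because the strategy is a trusted contract chosen by the vault; if strategies can be supplied by third parties, add a reentrancy guard or move the debit ahead of the call.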
GithubExploit, added 2021/12/13 7:14 p.m. (902 views)

Exploit for Uncontrolled Resource Consumption in Siemens 6Bk1602-0Aa12-0Tp0_Firmware

l4j-info: Compiling valuable links as I find them documenting C...

CVSS 10, AI score 9.5, EPSS 0.99999, exploits 347
Lenovo, added 2021/12/13 4:21 p.m. (10 views)

Apache Log4j Vulnerability - Lenovo Support US

No description provided...

CVSS 10, AI score 8.8, EPSS 0.99999, exploits 347
Wallarm Lab, added 2021/12/13 1:01 p.m. (14 views)

What is Code Obfuscation?

Introduction: The hazards of hacking and the damage it causes have become so serious that developers and organizations take great care to reduce both their likelihood and their impact. Code obfuscation is one such strategic measure that, when applied, keeps the code it protects away from the...

AI score 7.4, exploits 0
Code423n4, added 2021/12/11 12:00 a.m. (11 views)

Possibility to drain SavingsAccount contract assets

Handle: kemmio. Vulnerability details. Impact: A malicious actor can manipulate the switchStrategy function in a way that withdraws tokens locked in the SavingsAccount contract; the risk severity should be reviewed. Proof of Concept: First, an attacker needs to deploy a rogue strategy contract implementin...

AI score 7.1, exploits 0
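The two SavingsAccount findings in this list that touch switchStrategy (the safeApprove entry, where a leftover allowance makes safeApprove revert, and the entry above, where an attacker points the account at a strategy contract they deployed) can be shown in one function. This is an added example written for this page, not the audited project's code or either warden's proof of concept; the contract name, the strategy registry and the SafeApproveLike library (a simplified reproduction of the guard in OpenZeppelin's SafeERC20.safeApprove) are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function approve(address spender, uint256 value) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
}

// Simplified reproduction of the check OpenZeppelin's safeApprove performs:
// a non-zero value may only be approved when the current allowance is zero.
// (The real library additionally tolerates tokens that return no value.)
library SafeApproveLike {
    function safeApprove(IERC20 token, address spender, uint256 value) internal {
        require(
            value == 0 || token.allowance(address(this), spender) == 0,
            "SafeERC20: approve from non-zero to non-zero allowance"
        );
        require(token.approve(spender, value), "approve failed");
    }
}

contract SavingsAccountExample {
    using SafeApproveLike for IERC20;

    IERC20 public immutable token;
    address public owner;
    address public strategy;
    mapping(address => bool) public isRegisteredStrategy; // assumed allow-list

    constructor(IERC20 _token) {
        token = _token;
        owner = msg.sender;
    }

    function registerStrategy(address s, bool allowed) external {
        require(msg.sender == owner, "not owner");
        isRegisteredStrategy[s] = allowed;
    }

    // Vulnerable on two counts:
    //  1. any caller can point the account at a strategy contract they control,
    //     and the approval below then lets that contract pull the tokens;
    //  2. if `newStrategy` still holds part of an earlier allowance, safeApprove
    //     reverts (non-zero to non-zero), so the switch is blocked.
    function switchStrategyNaive(address newStrategy, uint256 amount) external {
        strategy = newStrategy;
        token.safeApprove(newStrategy, amount);
    }

    // Fixed: only registered strategies, revoke the outgoing one, and reset the
    // incoming allowance to zero before setting the new amount.
    function switchStrategy(address newStrategy, uint256 amount) external {
        require(isRegisteredStrategy[newStrategy], "unknown strategy");
        if (strategy != address(0)) {
            token.safeApprove(strategy, 0); // revoke the old strategy's pull rights
        }
        strategy = newStrategy;
        token.safeApprove(newStrategy, 0);      // clear any leftover allowance
        token.safeApprove(newStrategy, amount); // allowance is now zero, so this succeeds
    }
}
```

Approving zero and then the new amount is the pattern the safeApprove entry recommends; for a reviewer, the check is to grep every safeApprove call and confirm that either the spender's allowance is provably zero at that point or a zero-approval precedes it.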
Trend Micro Simply Security, added 2021/12/10 12:00 a.m. (10 views)

How Zero Trust and XDR Work Together

As the Zero Trust approach gains momentum, more organizations are looking to apply it to their security strategy. Learn how XDR and Zero Trust work together to enhance your security posture...

AI score 2.2, exploits 0
Microsoft Secure, added 2021/12/09 6:00 p.m. (24 views)

A closer look at Qakbot’s latest building blocks (and how to knock them down)

Multiple Qakbot campaigns that are active at any given time prove that the decade-old malware continues to be many attackers’ tool of choice, a customizable chameleon that adapts to suit the needs of the multiple threat actor groups that utilize it. Since emerging in 2007 as a banking Trojan,...

Exploits 0
Schneier on Security, added 2021/12/09 3:36 p.m. (11 views)

Google Shuts Down Glupteba Botnet, Sues Operators

Google took steps to shut down the Glupteba botnet, at least for now. The botnet uses the bitcoin blockchain as a backup command-and-control mechanism, making it hard to get rid of it permanently. So Google is also suing the botnet's operators. It's an interesting strategy. Let's see if it's successf...

AI score 1.8, exploits 0
Code423n4, added 2021/12/08 12:00 a.m. (7 views)

UniV3Vault.sol#collectEarnings() can be front run

Handle: WatchPug. Vulnerability details: For UniV3Vault, it seems that LP fees are collected through collectEarnings (callable by the strategy) and reinvested (rebalanced). However, in the current implementation, unharvested yields are not included in tvl, making it vulnerable to front-run attacks that...

AI score 6.9, exploits 0
Microsoft Malware Protection, added 2021/12/02 6:00 p.m. (11 views)

Structured threat hunting: One way Microsoft Threat Experts prioritizes customer defense

Today's threat landscape is incredibly fast-paced. New campaigns surface all the time, and the amount of damage that they can cause is not always immediately apparent. Security operations centers (SOCs) must be equipped with the tools and insight to identify and resolve potentially high-impact threa...

AI score 0.6, exploits 0