36 matches found
EUVD-2018-4656
Malware in sbrugna...
EUVD-2018-2540
Malware in sbrugna...
EUVD-2018-4912
Malware in sbrugna...
EUVD-2018-3442
Malware in sbrugna...
EUVD-2018-4655
Malware in sbrugna...
WalletProbe: a Testing Framework for Browser-Based Cryptocurrency Wallet Extensions
Serving as the first touch point for users to the cryptocurrency world, cryptocurrency wallets allow users to manage, receive, and transmit digital assets on blockchain networks and interact with emerging decentralized finance DeFi applications. Unfortunately, cryptocurrency wallets have always...
A malicious contract could steal assets via a flash loan
Lines of code Vulnerability details Impact A malicious contract could fail to return the assets, essentially stealing the Proof of Concept The key vulnerability is in the flashloan function. It transfers the assets to the receiver contract specified in info.receiver without any checks. Then it...
First mint user can inflate share which can steal asset from other user
Lines of code Vulnerability details Impact A well know inflation attack/first deposit mint bug. The attacker can steal assets from other user's deposit mint. Proof of Concept The Moonwell project is a fork from the Compound Protocol. The MToken the MToken on Compound represents a yield-bearing...
Lack of validation in opening positions parameters can lead to critical vulnerabilities at protocol level
Lines of code Vulnerability details Suspicious positions may be denied by voters if they don't seem legit, but over time it is very possible that one of them lands in the protocol, which can involve serious risks. Some attributes may not seem harmful with certain values at first sight, and can le...
Attacker can steal subprotocol NFT from user who use mint and add
Lines of code Vulnerability details Impact CidNFT.mintbytes allow user to mint and add subprotocol NFTs directly after minting. The addList args to the add call include the cidNFTID param, which can change if there are other mint before the user's transaction. Additionally, CidNFT.add only check ...
Unsecured usage of msg.sender in smart contract functions TimeswapV2Pool.sol.
Lines of code Vulnerability details Impact The bug is related to the use of the msg.sender in the smart contract functions. The msg.sender is a built-in variable in the Solidity programming language, which represents the address of the account that called the function, the msg.sender is used to...
“Payzero” Scams and The Evolution of Asset Theft in Web3
In this entry, we discuss a Web3 fraud scenario where scammers target potential victims via fake smart contracts, and then take over their digital assets, such as NFT tokens, without paying. We named this scam “Payzero”...
Underlying assets stealing in token via share price manipulation
Lines of code Vulnerability details Impact asset can be stolen from depositors in the vault by manipulating the price of a share. Proof of Concept ERC4626 vaults are subject to a share price manipulation attack that allows an attacker to steal underlying tokens from other depositors this is a kno...
Seller can stole users assets by create and then cancel the auction
Lines of code Vulnerability details Impact Seller can stole users assets by create and cancel auction Proof of Concept Seller can create an auction, then wait for people to participate in auction bidding, finally the seller cancel the auction and get the users assets. This scenario can happen wit...
Lack of notice period for critical operations
Lines of code Vulnerability details Impact All user assets can be locked or stolen. Proof of Concept All user assets can be locked or stolen if the L1ERC20Bridge or L1EthBridge is upgraded to a malicious contract. All user assets can be locked or stolen if governor is lost and...
Wrong accounting logic when syncRewards() is called within beforeWithdraw makes withdrawals impossible
Lines of code Vulnerability details Impact sfrxETH.beforeWithdraw first calls the beforeWithdraw of xERC4626, which decrements storedTotalAssets by the given amount. If the timestamp is greater than the rewardsCycleEnd, syncRewards is called. However, the problem is that the assets have not been...
An Investigation of Cryptocurrency Scams and Schemes
We provide an overview of the diverse range of NFT- and cryptocurrency-related scams that malicious actors use to steal assets worldwide...
Logic error in burnFlashGovernanceAsset can cause locked assets to be stolen
Handle shw Vulnerability details Impact A logic error in the burnFlashGovernanceAsset function that resets a user's pendingFlashDecision allows that user to steal other user's assets locked in future flash governance decisions. As a result, attackers can get their funds back even if they execute ...
Aditus Security Vulnerabilities
Aditus ADI is an ethereum-based digital currency.A security vulnerability exists in the 'approveAndCall' function in ADI's smart contract implementation. The vulnerability can be exploited by an attacker to steal assets e.g., transfer all contract balances to the attacker's account...
Logic flaw vulnerability in Globalvillage ecosystem
Globalvillage ecosystem GVE is a virtual currency system based on blockchain technology.A security vulnerability exists in the 'approveAndCallcode' function in GVE's smart contract implementation, which stems from the program's failure to validate the callcode. The vulnerability can be exploited ...