79 matches found
Schain owner dictate fund usage after kill
Impact: After a schain is killed by both the owner and the IMA admin, the schain admin can control all of the funds using, e.g., the DepositBoxERC20.getFunds function. This poses a significant centralization risk after the schain is killed. Proof of Concept: function...
BURNER_ROLE can burn any amount of EthErc20 from an arbitrary address
Proof of Concept: Using the forceBurn function of EthErc20, an address with BURNER_ROLE can burn an arbitrary amount of tokens from any address. We believe this is unnecessary and poses a serious centralization risk. A malicious or compromised BURNER_ROLE address...
[WP-H3] Centralization Risk: Funds can be frozen when critical key holders lose access to their keys
The current implementation requires trusted key holders (DEFAULT_ADMIN_ROLE of BribeVault) to send transactions (transferBribes) to move funds from BribeVault to RewardDistributor before the users can get rewards from the contract. This introduces a high centralizati...
[WP-H2] Funds can be frozen when critical key holders lose access to their keys
The current implementation requires trusted key holders (Owner) to send transactions (finalize) to finalize the sale before the buyers can claim the tokenOut from the contract. function finalize() external onlyOwner { require(!finalized, "TokenSale: already finalized");...
[WP-M2] DEFAULT_ADMIN_ROLE can approve arbitrary address to spend any amount from the L1Escrow contract
Handle: WatchPug. function approve(address token, address spender, uint256 value) public onlyRole(DEFAULT_ADMIN_ROLE) { ApproveLike(token).approve(spender, value); emit Approve(token, spender, value); } The approve function in L1Escrow.sol allows an address with DEFAULT_ADMIN_ROLE to approve an arbitrary amou...
[WP-M1] BURNER_ROLE can burn any amount of L2LivepeerToken from an arbitrary address
Handle: WatchPug. function burn(address from, uint256 amount) external override onlyRole(BURNER_ROLE) { _burn(from, amount); emit Burn(from, amount); } Using the burn function of L2LivepeerToken, an address with BURNER_ROLE can burn an arbitrary amount of tokens from any address. We believe...
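The two BURNER_ROLE findings above (EthErc20.forceBurn and L2LivepeerToken.burn) describe the same shape: a privileged role may destroy any holder's balance with nothing bounding the damage a compromised key can do. The contracts below are an added illustration written for this listing, not the audited SKALE or Livepeer code. They assume OpenZeppelin Contracts v4.8+ for ERC20 and AccessControl; the contract names, the mint helper and the token symbol are placeholders. The first contract reproduces the flagged pattern; the second bounds the burner by the holder's explicit allowance, so a stolen BURNER_ROLE key can reach only what holders have already approved to it, not total supply.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example for the BURNER_ROLE findings; not the audited EthErc20 / L2LivepeerToken code.
// Assumes OpenZeppelin Contracts v4.8+ (ERC20._spendAllowance, AccessControl._grantRole).
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "@openzeppelin/contracts/access/AccessControl.sol";

/// Pattern flagged in the findings: BURNER_ROLE may zero any account.
contract UnboundedBurnToken is ERC20, AccessControl {
    bytes32 public constant BURNER_ROLE = keccak256("BURNER_ROLE");

    constructor(address admin, address burner) ERC20("Demo", "DEMO") {
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
        _grantRole(BURNER_ROLE, burner);
    }

    // Placeholder supply source so the contract is usable on its own.
    function mint(address to, uint256 amount) external onlyRole(DEFAULT_ADMIN_ROLE) {
        _mint(to, amount);
    }

    // Nothing ties `from` to the caller or to any consent by the holder:
    // one compromised burner key can wipe every balance in the token.
    function burn(address from, uint256 amount) external onlyRole(BURNER_ROLE) {
        _burn(from, amount);
    }
}

/// Hardened variant: the burner spends an allowance the holder granted to it,
/// exactly as ERC20 transferFrom would, so the blast radius of a compromised
/// key is the set of outstanding approvals rather than the whole supply.
contract BoundedBurnToken is ERC20, AccessControl {
    bytes32 public constant BURNER_ROLE = keccak256("BURNER_ROLE");

    constructor(address admin, address burner) ERC20("Demo", "DEMO") {
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
        _grantRole(BURNER_ROLE, burner);
    }

    function mint(address to, uint256 amount) external onlyRole(DEFAULT_ADMIN_ROLE) {
        _mint(to, amount);
    }

    /// A holder may always burn its own tokens without any role.
    function burn(uint256 amount) external {
        _burn(msg.sender, amount);
    }

    /// The burner must hold an allowance from `from`; otherwise this reverts
    /// with "ERC20: insufficient allowance" before any balance is touched.
    function burnFrom(address from, uint256 amount) external onlyRole(BURNER_ROLE) {
        _spendAllowance(from, msg.sender, amount);
        _burn(from, amount);
    }
}
```

For a bridge, the natural fit is that the user approves the bridge's burner contract for the amount being withdrawn as part of the withdrawal call, so the allowance check costs nothing extra in the happy path and the role can no longer act on accounts that never interacted with it.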
[WP-H9] Centralization Risk: Funds can be frozen when critical key holders lose access to their keys
Handle: WatchPug. The current implementation requires trusted key holders (isTrusted(msg.sender)) to send transactions (initRedeemStable) to initialize withdrawals from EthAnchor before the users can withdraw funds from the contract. This introduces a high centralization risk, which...
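The three "funds can be frozen when critical key holders lose access to their keys" findings above ([WP-H3], [WP-H2], [WP-H9]) share one mechanic: a privileged call (transferBribes, finalize, initRedeemStable) sits between users and their funds, and if the key is lost or withheld nobody can ever take that step. The contracts below are an added illustration for this listing, not the audited TokenSale, BribeVault or EthAnchor code. They assume OpenZeppelin Contracts v4.8+ (Ownable with a no-argument constructor, SafeERC20) and use placeholder names (FrozenSale, DeadlineSale, record, saleEnd). The first contract reproduces the skeleton quoted in [WP-H2]; the second keeps the owner's ability to finalize early but lets anyone finalize once a fixed deadline has passed, which is the usual mitigation: the key can delay claims, but can no longer freeze them.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example for the key-loss findings; not the audited TokenSale / BribeVault / EthAnchor code.
// Assumes OpenZeppelin Contracts v4.8+ (Ownable, IERC20, SafeERC20).
import "@openzeppelin/contracts/access/Ownable.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Skeleton of the finding: `finalize` is onlyOwner and gates every claim.
/// If the owner key is lost, every buyer's tokenOut is frozen forever.
contract FrozenSale is Ownable {
    using SafeERC20 for IERC20;

    IERC20 public immutable tokenOut;
    bool public finalized;
    mapping(address => uint256) public owed; // placeholder accounting

    constructor(IERC20 _tokenOut) {
        tokenOut = _tokenOut;
    }

    function record(address buyer, uint256 amount) external onlyOwner {
        owed[buyer] += amount;
    }

    function finalize() external onlyOwner {
        require(!finalized, "TokenSale: already finalized");
        finalized = true;
    }

    function claim() external {
        require(finalized, "TokenSale: not finalized");
        uint256 amount = owed[msg.sender];
        owed[msg.sender] = 0;
        tokenOut.safeTransfer(msg.sender, amount);
    }
}

/// Hardened variant: the owner may finalize at any time, but once `saleEnd`
/// has passed anyone may, so a lost or withheld key only delays claims.
contract DeadlineSale is Ownable {
    using SafeERC20 for IERC20;

    IERC20 public immutable tokenOut;
    uint256 public immutable saleEnd; // unix time after which finalize is permissionless
    bool public finalized;
    mapping(address => uint256) public owed;

    event Finalized(address indexed by);

    constructor(IERC20 _tokenOut, uint256 _saleEnd) {
        require(_saleEnd > block.timestamp, "TokenSale: deadline in the past");
        tokenOut = _tokenOut;
        saleEnd = _saleEnd;
    }

    function record(address buyer, uint256 amount) external onlyOwner {
        require(block.timestamp < saleEnd, "TokenSale: sale over");
        owed[buyer] += amount;
    }

    function finalize() external {
        require(!finalized, "TokenSale: already finalized");
        require(
            msg.sender == owner() || block.timestamp >= saleEnd,
            "TokenSale: owner only before deadline"
        );
        finalized = true;
        emit Finalized(msg.sender);
    }

    function claim() external {
        require(finalized, "TokenSale: not finalized");
        uint256 amount = owed[msg.sender];
        require(amount > 0, "TokenSale: nothing owed");
        owed[msg.sender] = 0;
        tokenOut.safeTransfer(msg.sender, amount);
    }
}
```

The same shape applies to the vault and EthAnchor cases: keep the privileged path for the normal case, and add a time-based or condition-based permissionless fallback (anyone may call transferBribes after the epoch closes, anyone may initRedeemStable once a withdrawal request is older than N blocks) so that no single key is load-bearing for users getting their funds back.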
Let there be light: Ensuring visibility across the entire API lifecycle
The following article is based on a webinar series on enterprise API security by Imvision, featuring expert speakers from IBM, Deloitte, Maersk, and Imvision discussing the importance of centralizing an organization's visibility of its APIs as a way to accelerate remediation efforts and improve t...
UberOwner has too much power
Handle: tensors. Impact: The Uber Owner has too much power within the system. This makes the protocol closer to a centralized prediction market whose rules are determined by the Uber Owner. Proof of Concept: The above functions can be used by the Uber Owner to completely change...
Rewards can be migrated to an arbitrary address at anytime by owner
Handle: 0xRajeev. Impact: The migrateRewards function, which is onlyOwner, takes recipient and amount parameters, which effectively allows the owner to migrate the contract's entire rewardToken balance at any time to that address. While the stated purpose is that this "Allows to...
Faraday presents the latest version of their Security Platform for Vulnerability Management Automation
Miami, February 19, 2020 - Faraday is opening 2020 by strengthening their releases using the featured cybersecurity worldwide events calendar, starting next week with BSides and RSAC in San Francisco. As a Blackhat Global Partner, the company will also participate as a sponsor in all BH’s global...
huskyCI - Performing Security Tests Inside Your CI
huskyCI is an open-source tool that performs security tests inside CI pipelines of multiple projects and centralizes all results into a database for further analysis and metrics. How does it work? The main goal of this project is to help development teams improve the quality of their code by...
Partner Perspectives: Endpoint Security Analytics with Sumo Logic and Carbon Black
As the threat landscape continues to expand, having end-to-end visibility across your modern application stack and cloud infrastructures is crucial. Customers cannot afford to have blind spots in their environment; and that includes data being ingested from third-party tools. With the industry...
Security Flaw in Estonian National ID Card
We have no idea how bad this really is: On 30 August, an international team of researchers informed the Estonian Information System Authority RIA of a vulnerability potentially affecting the digital use of Estonian ID cards. The possible vulnerability affects a total of almost 750,000 ID-cards...
Introducing InsightOps: A New Approach to IT Monitoring and Troubleshooting
Today we are announcing the general availability of a brand new solution: Rapid7 InsightOps. This latest addition to the Insight platform continues our mission to transform data into answers, giving you the confidence and control to act quickly. InsightOps is Rapid7's first IT-specific solution,...
Legal Robot: unsecured legalrobot.co.uk assets
A security researcher found that multiple gTLD permutations of our legalrobot domain names, like legalrobot.co.uk, were allowing access to sensitive ports (22) and disclosing vulnerable server versions. While these other domains are, for the time being, intended to simply redirect to our main...
Black Hat 2015 Keynote Jennifer Granick
LAS VEGAS – The Internet is barreling down the same road of regulation and not-so-subtle censorship that has turned every other means of mass communication into a centralized and vanilla fountain of useless information. Kinda like television. That’s the fear that today Black Hat keynoter Jennifer...
Mail Server In a Box
Mail-Box : Mass electronic surveillance by governments revealed over the last year has spurred a new movement to re-decentralize the web, that is, to empower netizens to be their own service providers again. SMTP, the protocol of email, is decentralized in principle but highly centralized in...
Fedora Update for freeradius FEDORA-2014-3184
Check for the version of freeradius. OpenVAS Vulnerability Test: Fedora Update for freeradius FEDORA-2014-3184. Authors: System Generated Check. Copyright: Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net. This program is free software; you can redistribute it and/or modify it under...