Malicious Package
Overview: chainlink-price-feed-aggregator is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and th...
MAL-2026-4233 Malicious code in chainlink-price-feed-aggregator (npm)
Source: amazon-inspector 557bc05b86e81155a6305c13693641f32ca21520bac827af82b2a785f4f669d4. Package name impersonates Chainlink branding while being published by an unrelated identity: author 'Web3 Developer Tools', repo github.com/web3/...
MAL-2026-2746 Malicious code in chainlink-docs (npm)
Source: amazon-inspector faa71a3bbe3ac61328a09a14db5bdffc3fa0db05f8af79d28c0a31f7c1d3cd7c. The package chainlink-docs was found to contain malicious code...
Malicious code in solhint-plugin-chainlink-solidity (npm)
Source: ghsa-malware 707e27ec2b3a13dafcee9d4ecd372bfd4422048e3ea95c8c5e57a6463777cee4. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
First deposit of 1 Wei will block further rsETH minting
Impact: If the initial deposit into the DepositPool is 1 wei of any supported token (rETH, cbETH or stETH), 1 wei of rsETH is minted to the first depositor. Subsequent rsETH minting is then blocked, because rsethAmountToMint will always round do...
getAssetPrice in ChainlinkPriceOracle.sol can return stale price.
Summary: On Chainlink, each price feed has its own update interval; the price is only refreshed once that interval (or a deviation threshold) is hit. The getAssetPrice function does not check when the price was last updated, so it may return a stale price. So the...
DepositPool is susceptible to the inflation attack
Summary: The DepositPool contract is susceptible to the inflation attack, in which the first depositor can be front-run by an attacker to steal their deposit. Impact: The DepositPool contract acts mainly as a vault: accounts deposit LST assets and get bac...
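The share arithmetic behind the two DepositPool findings above (the 1 wei first deposit that makes later mints round down to zero, and the first-depositor inflation attack), shown as an added example. This is not the Kelp DepositPool code or any code from the findings; the vault, its function names and the virtual-share offset value are assumptions made for this illustration. The hardened formula is the ERC-4626 "decimals offset" mitigation that OpenZeppelin's ERC4626 uses.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example, not the Kelp DepositPool: asset-for-shares accounting of a
/// minimal vault, under naive proportional maths and under a virtual-share
/// offset that moves the rounding loss of a donation onto the donor.
contract InflationAttackDemo {
    // ---- naive maths: empty pool mints 1:1, otherwise strictly proportional ----
    function naiveShares(uint256 assets, uint256 totalAssets, uint256 totalShares)
        public pure returns (uint256)
    {
        if (totalShares == 0) return assets;
        return assets * totalShares / totalAssets; // integer division rounds down
    }

    // ---- hardened maths: 10**OFFSET virtual shares and 1 virtual asset ----
    uint8 public constant OFFSET = 3; // assumed value; OpenZeppelin defaults to 0 and lets vaults raise it

    function virtualShares(uint256 assets, uint256 totalAssets, uint256 totalShares)
        public pure returns (uint256)
    {
        return assets * (totalShares + 10 ** uint256(OFFSET)) / (totalAssets + 1);
    }

    function virtualAssets(uint256 shares, uint256 totalAssets, uint256 totalShares)
        public pure returns (uint256)
    {
        return shares * (totalAssets + 1) / (totalShares + 10 ** uint256(OFFSET));
    }

    /// Scenario from the findings: the attacker deposits 1 wei, sends `donation`
    /// wei straight to the vault balance (no shares minted), and the victim then
    /// deposits `victimDeposit`. Returns the victim's shares under both formulas
    /// and what the attacker could redeem afterwards under the hardened one.
    function simulate(uint256 donation, uint256 victimDeposit)
        external pure
        returns (uint256 naiveVictimShares, uint256 hardenedVictimShares, uint256 hardenedAttackerPayout)
    {
        // naive: the attacker's single share is now backed by 1 + donation assets,
        // so any victimDeposit <= donation rounds down to 0 shares and is absorbed
        uint256 naiveTotalShares = naiveShares(1, 0, 0); // 1
        naiveVictimShares = naiveShares(victimDeposit, 1 + donation, naiveTotalShares);

        // hardened: the attacker's 1 wei mints 10**OFFSET shares against the virtual reserves
        uint256 attackerShares = virtualShares(1, 0, 0); // 1000
        uint256 totalAssets = 1 + donation;
        hardenedVictimShares = virtualShares(victimDeposit, totalAssets, attackerShares);

        totalAssets += victimDeposit;
        uint256 totalShares = attackerShares + hardenedVictimShares;
        hardenedAttackerPayout = virtualAssets(attackerShares, totalAssets, totalShares);
    }
}
```

With donation = 1e18 and victimDeposit = 1e18, naiveVictimShares is 0 (the whole deposit accrues to the attacker's one share), while the hardened path gives the victim 1999 shares against the attacker's 1000 and lets the attacker redeem only about 5e17 wei for the 1e18 + 1 wei spent. The offset does not make rounding disappear; it makes the attack cost the attacker more than the victim loses, which is what removes the incentive. A non-zero minimum deposit, or minting a dead share on first deposit, are the other two mitigations auditors usually accept.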
ChainLink's latestAnswer is deprecated
Impact: Chainlink's documentation indicates that the latestAnswer function is deprecated. This function does not revert if no answer is obtained, instead returning 0. Additionally, the reported latestAnswer has 18 decimals for some token quotes and 8...
Users could game oracle price deviation
Summary: Prices returned from Chainlink oracles have different conditions to update the reported values, which can be abused by
Impact: Prices for the different LST assets supported in the Kelp protocol are obtained from a Chainlink oracle. The data feeds for eac...
Missing sanity checks in Chainlink response
Summary: Chainlink price feed responses are used without any sanity checks. Impact: The ChainlinkPriceOracle contract is used to interface with the Chainlink price feeds for the different LST assets in scope in the protocol. The current implementation...
stETH/ETH, rETH/ETH and cbETH/ETH Chainlink oracles have too long a heartbeat and too wide a deviation threshold, which can cause loss of funds
ChainlinkPriceOracle fetches prices from the Chainlink contracts. But the price feeds under consideration have a very long heartbeat and a wide deviation threshold, which can lead to wrong price calculations and loss of tokens for users. Impact: According to the...
Failure to Initialize Default Price Feeds Can Cause Unexpected Reverts
Impact: The ChainlinkPriceOracle contract does not initialize default price feed mappings for supported assets. This means calling the getAssetPrice function before explicitly setting a feed will result in a revert instead of a defined failure response. Details:...
No Chainlink error handling in case of Ethereum gas prices increasing or the subscription running out of LINK
Impact: Any collection using the Chainlink VRF v2 randomizer could potentially get 0x0 hashes for its NFTs. Because uint32 public callbackGasLimit = 40000; is hardcoded, any gas fluctuation on Ethereum mainnet could mean that limit is not enough for th...
There is no check that price from Chainlink hits min/max answer
Impact: A Chainlink aggregator has bounds, minAnswer and maxAnswer, within which the price can be set. In a case like LUNA, Chainlink returns minAnswer instead of the real asset value, overvaluing it. Proof of Concept: Here it is explained that current Aggregators have...
ChainLink should be used as an Oracle for messaging instead of Google Cloud
Impact: Each User Application contract (e.g. BranchBidgeAgent) built on LayerZero will work without configuration using the defaults, but a UA is also able to configure its own. Maia intends to use the default config. However, Google Cloud Oracle is the default a...
Users can deposit() even when Chainlink's price feed for CVX is stale
Bug Description: In VotiumStrategy.sol, the price of vAfEth is determined by the price function (VotiumStrategy.sol L31-L33): function price() external view override returns (uint256) { return (cvxPerVotium() * ethPerCvx(false)) / 1e18; } As seen from above, it calls ethPerCVX wit...
Intrinsic arbitrage from price discrepancy
Impact: The up to 2% price discrepancy from Chainlink creates an intrinsic arbitrage. In particular, it makes withdrawals worth more than deposits, in the sense that one can immediately withdraw more than was just deposited. Proof of Concept: When depositing ETH into...
VotiumStrategy.price() does not validate Chainlink response
Impact: AfEth.deposit may mint an incorrect amount of afEth. VotiumStrategy.price may return an incorrect price of vAfEth. AfEth.price may return an incorrect price of afEth. Proof of Concept: VotiumStrategy.price: function price() external view override returns...
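The Chainlink consumer-side checks that the oracle findings on this page keep asking for (stale price, deprecated latestAnswer returning 0, missing sanity checks, uninitialized feed mapping, minAnswer/maxAnswer clamping, unvalidated response in VotiumStrategy.price), collected into one wrapper as an added example. This is not the Kelp ChainlinkPriceOracle or the Asymmetry VotiumStrategy code; the contract, its storage layout, error names and the per-asset maxAge/bounds configuration are assumptions made for this illustration. The AggregatorV3Interface members used are Chainlink's real ones.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Trimmed copy of Chainlink's AggregatorV3Interface (only the members used here).
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// Hypothetical hardened oracle wrapper (added example, not project code).
/// Every failure mode raised in the findings becomes an explicit revert
/// instead of a silently wrong price.
contract ValidatedChainlinkOracle {
    struct FeedConfig {
        AggregatorV3Interface feed;
        uint256 maxAge;    // the feed's documented heartbeat plus a short grace period
        int256 minAnswer;  // clamp bounds, copied from the feed's underlying aggregator
        int256 maxAnswer;
    }

    address public immutable owner;
    mapping(address => FeedConfig) public feeds;

    error FeedNotConfigured(address asset);
    error NonPositiveAnswer(int256 answer);
    error StalePrice(uint256 updatedAt, uint256 maxAge);
    error IncompleteRound(uint80 roundId, uint80 answeredInRound);
    error AnswerAtBound(int256 answer, int256 minAnswer, int256 maxAnswer);

    constructor() {
        owner = msg.sender;
    }

    function setFeed(
        address asset,
        AggregatorV3Interface feed,
        uint256 maxAge,
        int256 minAnswer,
        int256 maxAnswer
    ) external {
        require(msg.sender == owner, "not owner");
        require(address(feed) != address(0), "zero feed");
        require(maxAge > 0, "zero maxAge");
        require(minAnswer < maxAnswer, "bad bounds");
        feeds[asset] = FeedConfig(feed, maxAge, minAnswer, maxAnswer);
    }

    /// Price of `asset` scaled to 18 decimals, whatever the feed's own decimals.
    function getAssetPrice(address asset) external view returns (uint256) {
        FeedConfig memory cfg = feeds[asset];
        // defined failure instead of a bare revert on an unset mapping entry
        if (address(cfg.feed) == address(0)) revert FeedNotConfigured(asset);

        // latestRoundData, not the deprecated latestAnswer: it carries the
        // round metadata the checks below need, and a 0 answer is rejected
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            cfg.feed.latestRoundData();

        if (answer <= 0) revert NonPositiveAnswer(answer);
        if (updatedAt == 0 || updatedAt > block.timestamp || block.timestamp - updatedAt > cfg.maxAge) {
            revert StalePrice(updatedAt, cfg.maxAge);
        }
        // answeredInRound is marked deprecated by Chainlink and equals roundId on
        // current feeds, so this only ever rejects a round that was never answered
        if (answeredInRound < roundId) revert IncompleteRound(roundId, answeredInRound);
        // an answer sitting on minAnswer or maxAnswer is the aggregator clamping
        // (the LUNA case), not a market price, so refuse it rather than overvalue
        if (answer <= cfg.minAnswer || answer >= cfg.maxAnswer) {
            revert AnswerAtBound(answer, cfg.minAnswer, cfg.maxAnswer);
        }

        return _scaleTo18(uint256(answer), cfg.feed.decimals());
    }

    // feeds quote with 8 or 18 decimals; callers always get 18
    function _scaleTo18(uint256 value, uint8 feedDecimals) internal pure returns (uint256) {
        if (feedDecimals == 18) return value;
        if (feedDecimals < 18) return value * 10 ** (18 - feedDecimals);
        return value / 10 ** (feedDecimals - 18);
    }
}
```

maxAge must be set per feed from the heartbeat Chainlink documents for that pair; the stETH/ETH and cbETH/ETH feeds discussed above update far less often than the ETH/USD feed, so one global constant is wrong for at least one of them. The bounds are read off the feed's underlying aggregator contract (the address the proxy's aggregator() returns), and on many newer feeds they are set so wide that the check can never trigger, so it is necessary but not sufficient: it does not help with the deviation-threshold arbitrage findings, which are a property of how often the feed updates, not of a bad reading.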