530 matches found
EulerOS 2.0 SP10 : openssl (EulerOS-SA-2022-2432)
According to the versions of the openssl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properl...
Lack of check for contract existence can cause loss of funds during transfers
Lines of code Vulnerability details Impact The current transfers will not check if the to address is for an existing token contract. This can cause loss of funds if a user attempts to make a swap for a token added to a pool and destructed later. Proof of Concept TokenA gets added to a pool The...
AlgebraPool.sol#L488 : onlyValidTicks modifier is missing for function
Lines of code Vulnerability details Impact Invalid ticks can be allowed for collection. Proof of Concept function collect address recipient, int24 bottomTick, int24 topTick, uint128 amount0Requested, uint128 amount1Requested external override lock returns uint128 amount0, uint128 amount1 Position...
AlgebraPool.sol#L501-L507 : position.fees are updated without checking whether the amount value is greater than zero or not
Lines of code Vulnerability details Impact Incorrect fee update if any one of the amounts is zero. Proof of Concept if amount0 | amount1 != 0 position.fees0 = positionFees0 - amount0; position.fees1 = positionFees1 - amount1; if amount0 0 TransferHelper.safeTransfertoken0, recipient, amount0; if...
Missing payable
Lines of code Vulnerability details Impact The following functions are not payable but use msg.value - therefore the function must be payable. This can lead to undesired behavior. Proof of Concept frxETHMinter.sol, submit should use payable since it uses msg.value Tools Used Manual review...
EulerOS Virtualization 2.9.0 : openssl (EulerOS-SA-2022-2396)
According to the versions of the openssl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by...
Division Before Multiplication Can Lead To Zero
Lines of code Vulnerability details Impact There is a division before multiplication bug that exists in truncatedCurrentVestingDurationSecs calculations Proof of Concept uint40 truncatedCurrentVestingDurationSecs = currentVestingDurationSecs / claim.releaseIntervalSecs claim.releaseIntervalSecs;...
Missing ReEntrancy Guard to Withdraw function
Lines of code Vulnerability details Impact Missing ReEntrancy Guard to Withdraw function Proof of Concept There is no re-entry risk on true ERC-20 tokens that work according to the spec i.e. audited, etc.. However you can write a malicious ERC-20 with custom transferFrom or approve that have...
[NAZ-H2] withdraw() does not update allowances
Lines of code Vulnerability details Impact withdraw is meant for the owner or approved receiver to withdraw the owner's deposited assets and burn the owner's shares. Since it does this for all of the owner's shares, the approved receiver should not be approved for all anymore after burning. Proof...
Missing access Control to burnFeiHeld function
Lines of code Vulnerability details Impact burnFeiHeld hasn't any owner modifier, so everybody can run it Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. function burnFeiHeld external uint256...
The mint function is missing the minAmountOut control, this will cause the user to lose their funds.
Lines of code Vulnerability details Impact The mint function of the SimpleFeiDaiPSM contract receives DAI from the user, mints the FEI and sends it to the user. amountIn argument; the amount of DAI received from the user, minAmountOut argument; requests output for the amount of FEI given to the...
setPeriodSize need check for value range
Lines of code Vulnerability details Impact If periodSize is mistakenly set too small, 0 or a small value, the price oracle might be easier to manipulate. As a consequence, multiple functionality depending on oracle price feed may lose accuracy, and even incur large fund loss. Proof of Concept The...
permissioned modifier has a mismatch with TRSRY.withdrawReserves
Lines of code Vulnerability details Proof of Concept TRSRY.withdrawReserves is used in two policies: BondCallback and Operator. Permission is added in BondCallback, but not in Operator. And actually TRSRY.withdrawReserves does not have permissioned modifier, and there is no problem here. But...
Non-standard/Malicious token transfers may cause loans not to be paid.
Lines of code Vulnerability details Impact Non-standard token transfers may cause loans not to be paid. Proof of Concept The TRSRY.sol has repayLoan function for the users to repay their loan as per the ERC20 token. The function is as below; function repayLoanERC20 token, uint256 amount external...
Even if the _isBorrowerWhitelistActive is not active, contract can get deployed if _maxLTV < LTV_PRECISION
Lines of code Vulnerability details Impact FraxlendPairCore can get deployed even if isBorrowerWhitelistActive is not active. Proof of Concept if maxLTV = LTVPRECISION && !isBorrowerWhitelistActive revert BorrowerWhitelistRequired; The above condition reverts when both conditions are true. In case,...
delegated value can go to negative value during subtracting with amount. This will cause issue when delegating amount again.
Lines of code Vulnerability details Impact re-delegating / delegating again could not get actual delegated value. Proof of Concept Tools Used Manual code review. VS code Recommended Mitigation Steps update delegated value to zero when it goes to negative value ifdelegated 0 delegated = 0; --- The...
Amazon Linux 2 : openssl (ALAS-2022-1831)
The version of openssl installed on the remote host is prior to 1.0.2k-24. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2022-1831 advisory. A flaw was found in OpenSSL. The issue in CVE-2022-1292 did not find other places in the c_rehash script where it possibly passed...
Amazon Linux 2 : openssl11 (ALAS-2022-1832)
The version of openssl11 installed on the remote host is prior to 1.1.1g-12. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2022-1832 advisory. A flaw was found in OpenSSL. The issue in CVE-2022-1292 did not find other places in the c_rehash script where it possibly passe...
Omise: Secret API Key is logged in cleartext
Summary: While code-reviewing the repository, I have found that you log in clear-text some sensitive data. Steps To Reproduce: 1. Check here omise/request.pyL88 and here omise/request.pyL111 1. The code source explicitly logs in debugging mode the secret API key. logger.debug'Authorization: %s',...
Everyone can perform emptyVaultOperation. Everyone can steal leftover par after repaying the loan from any vault. This pattern also applied to other files.
Lines of code Vulnerability details Impact Everyone can perform emptyVaultOperation. Everyone can steal leftover par after repaying the loan from any vault. It is intended to only be able to call from executeOperation through MIMOProxy callback but in fact everyone can execute it. Proof of Concep...