530 matches found
_rejectBuyout() does not take buys and sells into account until next block, can lead to false effects due to timing
Lines of code Vulnerability details Impact Buyout that should be rejected will be allowed to happen. Proof of Concept Last user to call buy that could have pushed rejectBuyout to reject the buyout won't be accounted for because rejectBuyout is placed before the minting of new tokens. Therefore even ...
FreeBSD : OpenSSL -- Command injection vulnerability (4eeb93bf-f204-11ec-8fbd-d4c9ef517024)
The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 4eeb93bf-f204-11ec-8fbd-d4c9ef517024 advisory. - In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances...
Command injection
In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there...
CVE-2022-2068
The Connected documents corroborate CVE-2022-2068 as a real OpenSSL issue: c_rehash can pass certificate filenames to shell commands, enabling local command execution. Fixed in OpenSSL 3.0.4 (affecting 3.0.0–3.0.3), in OpenSSL 1.1.1p (affecting 1.1.1–1.1.1o), and in OpenSSL 1.0.2zf (affecting 1.0...
CVE-2022-2068
In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there...
Vulnerability in OpenSSL - The c_rehash script allows command injection
In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there...
OpenSSL 1.0.2 < 1.0.2zf Vulnerability
The version of OpenSSL installed on the remote host is prior to 1.0.2zf. It is, therefore, affected by a vulnerability as referenced in the 1.0.2zf advisory. - In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not...
OpenSSL 3.0.0 < 3.0.4 Vulnerability
The version of OpenSSL installed on the remote host is prior to 3.0.4. It is, therefore, affected by a vulnerability as referenced in the 3.0.4 advisory. - In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not...
Redeem function can silently fail
Lines of code Vulnerability details Impact During the code review, it has been observed that the return value of the redeem function is not checked. The redeem operation can silently fail and the protocol can expect it is successfully executed. From Compound, the comment can be seen from below. CErc20 / CEth...
Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS : OpenSSL vulnerability (USN-5488-1)
The remote Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-5488-1 advisory. Chancen and Daniel Fiala discovered that OpenSSL incorrectly handled the c_rehash script. A local attacker could possibly use this issue to...
OpenSSL -- Command injection vulnerability
The OpenSSL project reports: Circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review...
Upgraded Q -> M from 225 [1655746320073]
Judge has assessed an item in Issue 225 as Medium risk. The relevant finding follows: C4-005 : Missing sanity check on the timestamps Impact During the code review, it has been observed that all timestamps are missing sanity checks. With the following scenario, that can have serious consequences...
Upgraded Q -> M from 225 [1655746069175]
Judge has assessed an item in Issue 225 as Medium risk. The relevant finding follows: C4-010 : The Dutch Auction Parameters Can be Manipulated By Owner After The Auction Started - LOW Impact - LOW Dutch Auction parameters can be changed by a malicious owner, after it is started. The malicious own...
Upgraded Q -> M from 225 [1655654402923]
Judge has assessed an item in Issue 225 as Medium risk. The relevant finding follows: C4-011 : Centralization Risk On The teamSummon Function - LOW Impact - LOW With the teamSummon function, owner can mint unlimited warriors. This poses a security risk. The max/min limit should be implemented at...
RewardHandler.burnFees() could fail depending on number of pools with underlying = address(0)
Lines of code Vulnerability details Impact If more than one pool has underlying = address(0) then RewardHandler.burnFees will fail or use ETH balance from FeeBurner.sol. Proof of Concept RewardHandler.sol L40-L50 uint256 ethBalance = address(this).balance; address memory tokens = new address; for...
Incorrect accounting on transfer-on-fee/deflationary tokens in Gravity contract
Lines of code Vulnerability details Impact The sendToCosmos function of Gravity transfers amount of tokenContract from the sender using the function transferFrom. If the transferred token is a transfer-on-fee/deflationary token, the actually received amount could be less than amount. However, sin...
Missing Validations In Chainlink's latestRoundData Function
Lines of code Vulnerability details Impact Here, latestRoundData is missing an additional validation to ensure that the round is complete. Proof of Concept Affected code: core/contracts/inception/priceFeed/ChainlinkInceptionPriceFeed.sol:74: , int256 eurAnswer, , uint256 eurUpdatedAt, =...
Missing validations for return value of oracle data feed.
Lines of code Vulnerability details Impact In ChainlinkUsdWrapper there are no validations for answer (the price) if the price is 0 or not. I checked ethOracle0x5f4eC3Df9cbd43714FE2740f5E3616155c5b8419..latestRoundData. However, this contract has no validation for the price too. In addition to that,...
Function deposit can receive both ETH and tokens, but only compute tokens
Lines of code Vulnerability details Impact ETH can be transferred to the contract without being computed as a deposit. Proof of Concept The function depositVaultReserve.sol can accept both tokens and ETH. Suppose that Vault accidentally transfers ETH and an amount of tokens. The contract will...