9 matches found

OSSF Malicious Packages
added 2025/01/28 1:49 a.m., 4 views

Malicious code in compound-protocol (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware af5d6716f9bf59535bb198a6a0def45229c19613577dde244bb2a4562790b3db Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

6.9 AI score
Exploits: 0, References: 1

OSSF Malicious Packages
added 2025/01/28 1:49 a.m., 3 views

Malicious code in compound-protocol-alpha (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 03d150fbb080030ea3445a65033db1386bff9efd41db369c041100a4eedbcea6 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

6.9 AI score
Exploits: 0, References: 1

OSV
added 2025/01/28 1:49 a.m., 1 views

MAL-2025-597 Malicious code in compound-protocol (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware af5d6716f9bf59535bb198a6a0def45229c19613577dde244bb2a4562790b3db Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

7 AI score
Exploits: 0, References: 1

OSV
added 2025/01/28 1:49 a.m., 3 views

MAL-2025-598 Malicious code in compound-protocol-alpha (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 03d150fbb080030ea3445a65033db1386bff9efd41db369c041100a4eedbcea6 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

7 AI score
Exploits: 0, References: 1

Code423n4
added 2023/11/17 12:0 a.m., 10 views

asD::withdrawCarry assumes wrong number of decimals returned by exchangeRateCurrent which will cause owner to not be able to withdraw revenue

Lines of code Vulnerability details tl;dr asD::withdrawCarry assumes that the exchange rate returned by the cNote contract will be scaled by 1e28, but in reality it will be only scaled by 1e18. It will cause withdrawCarry to always revert with Integer Underflow, which means that owner won't ever ...

7 AI score
Exploits: 0

Code423n4
added 2023/11/17 12:0 a.m., 12 views

The withdrawCarry() function always reverts because of an incorrect assumption.

Lines of code Vulnerability details Impact The Compound protocol's CTokens have 8 decimal places, but the team mistakenly believed that cNote also had only 8 decimal places. However, it was discovered that cNote actually has 18 decimal places. This discrepancy caused the withdrawCarry function to...

6.9 AI score
Exploits: 0

Code423n4
added 2023/01/20 12:0 a.m., 10 views

Adversary can abuse a quirk of compound redemption to manipulate the underlying exchange rate and maliciously disable cToken collaterals

Lines of code Vulnerability details Impact Adversary can maliciously disable cToken collateral to cause loss to rToken during restructuring Proof of Concept if referencePrice 0: / if redeemTokensIn 0 / We calculate the exchange rate and the amount of underlying to be redeemed: redeemTokens =...

6.5 AI score
Exploits: 0

Code423n4
added 2022/02/23 12:0 a.m., 12 views

TurboSafe - should override maxWithdraw and maxRedeem

Lines of code Vulnerability details Impact Considering the EIP , as withdraw must revert if it is not possible to withdraw assets , it is important to have an accurate maxWithdraw function. However, here, maxWithdraw does not account for the current max withdrawal in the cToken contract. Liquidit...

6.7 AI score
Exploits: 0

Code423n4
added 2021/10/06 12:0 a.m., 15 views

fee-on-transfer underlying can cause problems

Handle 0xsanson Vulnerability details Impact The current implementation doesn't work with fee-on-transfer underlying tokens. Considering that Compound can have these kinds of tokens (e.g. USDT can activate fees), this issue can affect the protocol. The problem arises when transferring tokens, basicall...

6.9 AI score
Exploits: 0