22 matches found

NVD
added 2026/04/09 6:17 p.m., 1 views

CVE-2026-40069

BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.1.0 to before 0.8.2, BSV::Network::ARC's failure detection only recognises REJECTED and DOUBLESPENDATTEMPTED. ARC responses with txStatus values of INVALID, MALFORMED, MINEDINSTALEBLOCK, or any ORPHAN-containing extraInfo / txStatus are...

CVSS 7.5, EPSS 0.00044
Exploits: 0, References: 5

OSV
added 2026/03/30 7:13 p.m., 1 views

GHSA-3VMH-33XR-9CQH Zebra has a Consensus Failure due to Improper Verification of V5 Transactions

--- CVE-2026-34377: Consensus Failure via Crafted V5 Authorization Data Summary A logic error in Zebra's transaction verification cache could allow a malicious miner to induce a consensus split. By matching a valid transaction's txid while providing invalid authorization data, a miner could cause...

CVSS 8.4, AI score 5.9, EPSS 0.00023
Exploits: 1, References: 6

OSV
added 2026/03/30 5:51 p.m., 1 views

GHSA-H54M-C522-H6QR AVideo Vulnerable to Wallet Balance Double-Spend via TOCTOU Race Condition in transferBalance

Summary The transferBalance method in plugin/YPTWallet/YPTWallet.php contains a Time-of-Check-Time-of-Use TOCTOU race condition. The method reads the sender's wallet balance, checks sufficiency in PHP, then writes the new balance — all without database transactions or row-level locking. An attack...

CVSS 5.3, AI score 6, EPSS 0.00011
Exploits: 1, References: 4

OSV
added 2026/03/27 6:12 p.m., 2 views

CVE-2026-34368 AVideo Vulnerable to Wallet Balance Double-Spend via TOCTOU Race Condition in transferBalance

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the transferBalance method in plugin/YPTWallet/YPTWallet.php contains a Time-of-Check-Time-of-Use TOCTOU race condition. The method reads the sender's wallet balance, checks sufficiency in PHP, then writes the new...

CVSS 5.3, AI score 5.9, EPSS 0.00011
Exploits: 1, References: 4

Friends Of PHP
added 2024/04/24 12:2 p.m., 23 views

mdanter/ecc affected by timing vulnerability in cryptographic side-channels

phpecc, as used in all versions of mdanter/ecc, as well as paragonie/ecc before 2.0.1, has a branch-based timing leak in Point addition. This Composer package is also known as phpecc/phpecc on GitHub, previously known as the Matyas Danter ECC library. Paragon Initiative Enterprises hard-forked...

CVSS 4.3, AI score 4.5, EPSS 0.00119
Exploits: 0, Affected Software: 1

Veracode
added 2023/05/24 4:57 a.m., 27 views

Double-Spend Attacks

snarkjs is vulnerable to Double-Spend Attacks. The vulnerability exists because the library does not validate the publicSignal when the user input publicSignals length is less than the field modulus...

CVSS 7.5, AI score 6.8, EPSS 0.00119
Exploits: 0, References: 5, Affected Software: 1

OSV
added 2023/05/22 12:30 a.m., 1 views

GHSA-XP5G-JHG3-3RG2 Double spend in snarkjs

iden3 snarkjs through 0.6.11 allows double spending because there is no validation that the publicSignals length is less than the field modulus...

CVSS 7.5, AI score 5.9, EPSS 0.00119
Exploits: 0, References: 4

Code423n4
added 2022/11/14 12:0 a.m., 9 views

Attacker can spoof remainingETH and double-spend their input ETH to Exchange

Lines of code Vulnerability details Description remainingETH is an important state variable in Exchange.sol, which keeps track of how many ETH have yet to be used as payment from the current msg.value. The setupExecution modifier sets the value before and after execution: modifier setupExecution...

AI score 6.9
Exploits: 0

Code423n4
added 2022/08/07 12:0 a.m., 12 views

Double spend in execute function from the MIMOProxy

Lines of code Vulnerability details There is a batch function in the MIMOProxy smart contract. The function is inherited from the BoringBatchable contract. The function accepts an array of bytes - call parameters, and does a delegate call to address(this) for each of the call parameters. There also is execute...

AI score 7.1
Exploits: 0

Code423n4
added 2021/11/10 12:0 a.m., 10 views

Double Spend in AirDropDistribution.sol

Handle elprofesor Vulnerability details HIGH Impact Due to improper validation of input, approved airdrop users are able to double spend airdrop allocated tokens. This is due to insufficient validation in validate and claimExact which allows the user to reset the amount of tokens they have claime...

AI score 7
Exploits: 0

Code423n4
added 2021/09/07 12:0 a.m., 6 views

Possible miner incentive for chain reorgs if ETHBlockDelay is too small

Handle tensors Vulnerability details Impact If ETHBlockDelay is too small and the incentive for miners is large enough, it would be profitable for miners to attempt to double spend by depositing assets, waiting for confirmation on the cosmos-SDK and then reorging the blockchain. Although an attack...

AI score 6.8
Exploits: 0

Code423n4
added 2021/07/11 12:0 a.m., 9 views

addFunds and execute may send tokens twice

Handle pauliax Vulnerability details Impact Both calls to IFulfillHelper addFunds and execute are wrapped in separate try/catch statements so basically if addFunds succeeds but execute fails or both of these functions fail, the catch will still send assets to the receivingAddress. I think these...

AI score 7.1
Exploits: 0

Code423n4
added 2021/05/19 12:0 a.m., 6 views

Transaction-Order-Dependence race condition for approveTransferERC20()

Handle 0xRajeev Vulnerability details Impact Similar to ERC20 approve being susceptible to double-spend allowance due to front-running, approveTransferERC20 here is also susceptible. For reference, see . This is the classic ERC20 approve race condition where a malicious spender can double-spend...

AI score 7
Exploits: 0

Code423n4
added 2021/05/11 12:0 a.m., 9 views

A malicious receiver can cause another receiver to lose out on distributed fees by returning false for tokensReceived when receiveRewards is called on their receiver contract.

Handle janbro Vulnerability details Summary A malicious receiver can cause another receiver to lose out on distributed fees by returning false for tokensReceived when receiveRewards is called on their receiver contract. Risk Rating Medium Vulnerability Details A malicious receiver can cause anoth...

AI score 7.1
Exploits: 0

CNNVD
added 2021/02/05 12:0 a.m., 3 views

Electric Coin Company Zcashd Security Breach

Zcash is a decentralized open source data currency. Electric Coin Company Zcashd before 2.1.1-1 suffers from a security vulnerability that allows an attacker to trigger a consensus failure and double spend...

CVSS 7.5, AI score 7.1, EPSS 0.00195
Exploits: 0, References: 2

Hacker One
added 2020/09/13 8:36 p.m., 27 views

Agoric: Improper Input Validation allows an attacker to "double spend" or "respend", violating the integrity of the message command history or causing DoS

Summary: Improper Input Validation allows an attacker to "double spend" or "respend", violating the integrity of the message command history or causing DoS Steps To Reproduce: I was curling random integers and found that I could do the following: json "type":"doEval","number":500,"body":"test"...

AI score 0.4
Exploits: 0

CNVD
added 2020/07/03 12:0 a.m., 4 views

Ledger SAS Live Code Issue Vulnerability

Ledger SAS Live is a cryptocurrency wallet product from the French company Ledger SAS. A security vulnerability exists in Ledger SAS Live versions prior to 2.7.0. These versions do not handle Bitcoin's Replace-By-Fee (RBF), which increases a user's balance with the value of an unconfirmed transaction immediate...

CVSS 8.1, AI score 6.8, EPSS 0.002
Exploits: 0, References: 1

The Hacker News
added 2019/01/08 11:27 a.m., 1 views

Ethereum Classic (ETC) Hit by Double-Spend Attack Worth $1.1 Million

Popular cryptocurrency exchange Coinbase has suspended all transactions of Ethereum Classic ETC—the original unforked version of the Ethereum network—on their trading platforms, other products and services after detecting a potential attack on the cryptocurrency network that let someone spend the...

AI score 6.8
Exploits: 0

The Hacker News
added 2019/01/08 11:27 a.m., 73 views

Ethereum Classic (ETC) Hit by Double-Spend Attack Worth $1.1 Million

Popular cryptocurrency exchange Coinbase has suspended all transactions of Ethereum Classic ETC—the original unforked version of the Ethereum network—on their trading platforms, other products and services after detecting a potential attack on the cryptocurrency network that let someone spend the...

AI score 0.4
Exploits: 0

ArchLinux
added 2018/09/22 12:0 a.m., 23 views

[ASA-201809-2] bitcoin-qt: denial of service

Arch Linux Security Advisory ASA-201809-2 ========================================= Severity: Medium Date : 2018-09-22 CVE-ID : CVE-2018-17144 Package : bitcoin-qt Type : denial of service Remote : Yes Link : https://security.archlinux.org/AVG-766 Summary ======= The package bitcoin-qt before...

CVSS 7.5, AI score 1.9, EPSS 0.51467
Exploits: 1, References: 3