Marginal 安全漏洞

Marginal is an asset trading platform developed by Marginal OpenSource. There is a security vulnerability in Marginal, which stems from the execution of insecure downcasting operations. This vulnerability could allow attackers to settle large debt positions at a negligible cost for assets...

Undefined behaviour in `kvm_ioctls::ioctls::vm::VmFd::create_device`

An issue was identified in the VmFd::createdevice function, leading to undefined behavior and miscompilations on rustc 1.82.0 and newer due to the function's violation of Rust's pointer safety rules. The function downcasted a mutable reference to its struct kvmcreatedevice argument to an immutabl...

User able to steal all votes escrowed in LockingVault due to downcasting

Lines of code Vulnerability details Even though the LockingVault is considered out of scope, it contains very serious vulnerability allowing anyone to steal ALL Arcade voting tokens. The vulnerability is possible due to downcasting amount to withdraw to uint96. In case that the amount of tokens...

Upgraded Q -> 3 from #635 [1683219244120]

Judge has assessed an item in Issue 635 as 3 risk. The relevant finding follows: Unsafe downcasting PrivatePool.sol - 230, 231 --- The text was updated successfully, but these errors were encountered: All reactions...

Upgraded Q -> 3 from #903 [1683219188466]

Judge has assessed an item in Issue 903 as 3 risk. The relevant finding follows: L-2. Use SafeCast Library Description Downcasting from uint256/int256 in Solidity does not revert on overflow. This can easily result in undesired exploitation or bugs, since developers usually assume that overflows...

Upgraded Q -> 3 from #407 [1683102761347]

Judge has assessed an item in Issue 407 as 3 risk. The relevant finding follows: L01 Unsafe downcasting On PrivatePool.solL230-L231 there are two unsafe downcasting from uint256 to uint128; virtualBaseTokenReserves += uint128netInputAmount - feeAmount - protocolFeeAmount; virtualNftReserves -=...

Upgraded Q -> 3 from #222 [1683017474019]

Judge has assessed an item in Issue 222 as 3 risk. The relevant finding follows: L-02 Downcasting uint or int may result in overflow Consider using OpenZeppelin's SafeCast library to prevent unexpected overflows. Instances: 2 File: src/PrivatePool.sol 231: virtualNftReserves -= uint128weightSum;...

Mozilla: Invalid downcast in Worklets

The Mozilla Foundation Security Advisory describes this flaw as: While implementing AudioWorklets, some code may have cast one type to another, invalid, dynamic type. This could have led to a potentially exploitable crash...

Unsafe downcasting operation truncate numberOfTickets input

Lines of code Vulnerability details Impact Unsafe downcasting operation truncate numberOfTickets input . Player and Referrer may lose their earning because of the wrong downcasting Proof of Concept There are a few unsafe downcasting operation that truncate numberOfTickets input. The impact can be...

Unsafe downcasting in TWA.sol truncate TWAP price

Lines of code Vulnerability details Impact Unsafe casting operation in TWA.sol truncation price. Proof of Concept the pool relies on the TWAP price to function properly, however, the code in TWA.sol sliently downcasting the price, which can truncate the price and affect user's trading unexpectedl...

The tier setting parameter are unsafely downcasted from type uint256 to type uint80 / uint48 / uint40 / uint16

Lines of code Vulnerability details Impact The tier setting parameter are unsafely downcasted from uint256 to uint80 / uint48 / uint16 the tier is setted by owner is crucial because the parameter affect how nft is minted. the the callstack is JBTiered721Delegate.solinitialize - StorerecordAddTier...

Type confusion if __private_get_type_id__ is overriden

An issue was discovered in the failure crate through 0.1.5 for Rust. It may introduce "compatibility hazards" in some applications, and has a type confusion flaw when downcasting. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: This may overlap...

GHSA-JQ66-XH47-J9F3 Type confusion if __private_get_type_id__ is overriden

An issue was discovered in the failure crate through 0.1.5 for Rust. It may introduce "compatibility hazards" in some applications, and has a type confusion flaw when downcasting. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: This may overlap...

Incorrect reliance on Trait memory layout in mopa

The mopa crate redefines the deprecated TraitObject struct from core::raw. This is done to then transmute a reference to a trait object &dyn Trait for any trait Trait into this struct and retrieve the data field for the purpose of downcasting. This is used to implement downcastrefunchecked, in...

GHSA-2GXJ-QRP2-53JV Incorrect reliance on Trait memory layout in mopa

The mopa crate redefines the deprecated TraitObject struct from core::raw. This is done to then transmute a reference to a trait object &dyn Trait for any trait Trait into this struct and retrieve the data field for the purpose of downcasting. This is used to implement downcastrefunchecked, in...

Downcasting Can Freeze The Chain

Handle nascent Vulnerability details M-01 Downcasting Can Freeze The Chain Severity: Medium Likelihood: Low The function utils::downcastuint256 - Option returns None if the input value is greater than U64MAX. If the value being downcast is read from a contract e.g. a nonce, and the contract could...

Rust Failure Crate Vulnerable to Type confusion

Safe Rust code can implement malfunctioning privategettypeid and cause type confusion when downcasting, which is an undefined behavior. Users who derive Fail trait are not affected...

GHSA-R98R-J25Q-RMPR Rust Failure Crate Vulnerable to Type confusion

Safe Rust code can implement malfunctioning privategettypeid and cause type confusion when downcasting, which is an undefined behavior. Users who derive Fail trait are not affected...

`mopa` is technically unsound

The mopa crate redefines the deprecated TraitObject struct from core::raw like so: rust reprC deriveCopy, Clone dochidden pub struct TraitObject pub data: mut , pub vtable: mut , This is done to then transmute a reference to a trait object &dyn Trait for any trait Trait into this struct and...

DEBIAN-CVE-2020-25575

An issue was discovered in the failure crate through 0.1.5 for Rust. It may introduce "compatibility hazards" in some applications, and has a type confusion flaw when downcasting. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: This may overlap...