19 matches found
MAL-2024-10430 Malicious code in etherscaan-api (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware be42ba48978db0a57c68b11966f5a91a0390bb266cd770e15b01d84c30f43d59 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2024-8847 Malicious code in ethersscan-api (npm)
The package contains the BeaverTail infostealer malware associated with DPRK threat actors. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 2bdf32a4e45ba09760610d3f87cf8cfdae4d386a4ee4df99f1973ab577373620 Any computer that has this package installed or running shoul...
Malicious code in ethersscan-api (npm)
The package contains the BeaverTail infostealer malware associated with DPRK threat actors. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 2bdf32a4e45ba09760610d3f87cf8cfdae4d386a4ee4df99f1973ab577373620 Any computer that has this package installed or running shoul...
MID-Risk Vulnerabilities in the Axelar Smart Contracts
Lines of code Vulnerability details Impact The vulnerabilities that I have identified could have a significant impact on the Axelar network. These vulnerabilities could be exploited by an attacker to: Gain control of the Axelar network by proposing and voting on malicious proposals. Mint or burn...
The ethlbrStakePool, which is used in LOC 155 in EUSDMiningIncentives.sol, has no function balanceOf()
Lines of code Vulnerability details Impact The EUSDMiningIncentives.sol in LOC 155 uint256 userStaked = IEUSD(ethlbrStakePool).balanceOf(user); calls the balanceOf function of ethlbrStakePool. By asking one of the sponsors, the address of this pool was given as 0x857CC243b8494e13BdbAde27C25ef61c2e500fda...
Re-use Signature in different chains and contract from the same chain
Lines of code Vulnerability details Impact There is a signature vulnerability where a signature can be re-used across different chains and contracts. The vulnerability lies in the fact that neither a chainId nor address(this) is included in the hashed expected message: bytes32 expectedMessage =...
Signature Replay no nonce
Lines of code Vulnerability details Impact There is a signature replay vulnerability. That means that the signature can be reused in the same contract by anyone calling. The vulnerability lies in the fact that no nonce is tracked per caller. This means that you can take a...
Malicious code in www.etherscan.com (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 51950d907fe18534fb3fc9aa8c8f7d2ed0ef897cb2b6f67968514bf8ebc4e05b Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-7253 Malicious code in www.etherscan.com (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 51950d907fe18534fb3fc9aa8c8f7d2ed0ef897cb2b6f67968514bf8ebc4e05b Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in wwww.etherscan.io (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 0fb40a5631c7650cc4edd6d7203563c200c7639e3f7e16835240ee97a3b9b677 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
getWETHAddress() returns wrong address
Lines of code Vulnerability details Impact The hardcoded return value of getWETHAddress is the address of the COMP token on mainnet, not of WETH. The grantCompInternal function depends on this return value, which will cause unintended issues. Proof of Concept function grantCompInternal(address user, uint...
MAL-2022-2870 Malicious code in etherscan-adapter (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 7d1b77d568c0701023b8c41ed9b359277da9e90f196dc8d5131312f4d8cf3914 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in etherscan-adapter (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 7d1b77d568c0701023b8c41ed9b359277da9e90f196dc8d5131312f4d8cf3914 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Rarible NFT Marketplace Flaw Could've Let Attackers Hijack Crypto Wallets
Cybersecurity researchers have disclosed a now-fixed security flaw in the Rarible non-fungible token NFT marketplace that, if successfully exploited, could have led to account takeover and theft of cryptocurrency assets. "By luring victims to click on a malicious NFT, an attacker can take full...
SAILFISH System to Find State-Inconsistency Bugs in Smart Contracts
A group of academics from the University of California, Santa Barbara, has demonstrated what it calls a "scalable technique" to vet smart contracts and mitigate state-inconsistency bugs, discovering 47 zero-day vulnerabilities on the Ethereum blockchain in the process. Smart contracts are program...
PepeAuctionSale Access Control Error Vulnerability
PepeAuctionSale is a DeFi aggregator on Etherscan. An access control error vulnerability exists in PepeAuctionSale, which stems from the fact that the time check operation in PepeAuctionSale 1.0 can be made invalid by assigning a large number to the duration variable, thus affecting access to the...
PepeAuctionSale Code Issue Vulnerability
PepeAuctionSale is a DeFi aggregator on Etherscan. An access control error vulnerability exists in PepeAuctionSale, which stems from the fact that the time check operation in PepeAuctionSale 1.0 can be made invalid by assigning a large number to the duration variable, thus affecting access to the...
Lending Pair initialize function can be front run.
Handle jonah1005 Vulnerability details Impact LendingPair does not initialize tokenMaster, controller, tokens. A hacker can listen to the deployer address and front-run the initialize transaction. The initialized contract would look almost exactly the same if the hacker only replaces lpTokenMaster wi...
Etherscan ERC20 Token Security Vulnerability
Etherscan ERC20 Token is a validation service organized by Etherscan for use in EtherCurrency services. A security vulnerability exists in the Etherscan ERC20 Token version 2019-06-05 and prior versions, which stems from a typo in the constructor that implements the smart contract. An attacker...