Lucene search
K

20 matches found

The Hacker News
The Hacker News
added 2025/09/06 6:42 a.m.6 views

Malicious npm Packages Impersonate Flashbots, Steal Ethereum Wallet Keys

A new set of four malicious packages have been discovered in the npm package registry with capabilities to steal cryptocurrency wallet credentials from Ethereum developers. "The packages masquerade as legitimate cryptographic utilities and Flashbots MEV infrastructure while secretly exfiltrating...

7.4AI score
Exploits0
Code423n4
Code423n4
added 2023/12/20 12:0 a.m.13 views

Using block.timestamp as the deadline/expiry invites MEV

Lines of code 307 Vulnerability details Passing block.timestamp as the expiry/deadline of an operation does not mean "require immediate execution" - it means "whatever block this transaction appears in, I'm comfortable with that block's timestamp". Providing this value means that a malicious mine...

6.8AI score
Exploits0
Code423n4
Code423n4
added 2023/12/19 12:0 a.m.8 views

Using block.timestamp as the deadline/expiry invites MEV

Lines of code 307 Vulnerability details Passing block.timestamp as the expiry/deadline of an operation does not mean "require immediate execution" - it means "whatever block this transaction appears in, I'm comfortable with that block's timestamp". Providing this value means that a malicious mine...

6.8AI score
Exploits0
Code423n4
Code423n4
added 2023/12/12 12:0 a.m.9 views

Using block.timestamp as the deadline/expiry invites MEV

Lines of code 307 Vulnerability details Passing block.timestamp as the expiry/deadline of an operation does not mean "require immediate execution" - it means "whatever block this transaction appears in, I'm comfortable with that block's timestamp". Providing this value means that a malicious mine...

6.8AI score
Exploits0
Code423n4
Code423n4
added 2023/11/29 12:0 a.m.11 views

Using block.timestamp as the deadline/expiry invites MEV

Lines of code 307 Vulnerability details Impact Passing block.timestamp as the expiry/deadline of an operation does not mean "require immediate execution" - it means "whatever block this transaction appears in, I'm comfortable with that block's timestamp". Providing this value means that a malicio...

6.8AI score
Exploits0
Code423n4
Code423n4
added 2023/02/24 12:0 a.m.12 views

Upgraded Q -> 2 from #298 [1677237168746]

Judge has assessed an item in Issue 298 as 2 risk. The relevant finding follows: 01 MALICIOUS USER, WHO OWNS SPLITTABLE FUNDS, CAN CALL DripsHub.setSplits FUNCTION TO FRONTRUN OTHER USER'S DripsHub.split FUNCTION CALL, WHICH CAN BREAK AGREEMENT BETWEEN THESE USERS Based on the current...

6.7AI score
Exploits0
Code423n4
Code423n4
added 2023/01/30 12:0 a.m.10 views

hash and signature_ can be obtained from the mempool when recoverSigner is executed

Lines of code Vulnerability details In the QuestFactory.sol contract, an attacker can monitor the mem pool and obtain the values of hash and signature which the other user has provided to the function Proof of Concept 210-213: function recoverSignerbytes32 hash, bytes memory signature public pure...

6.8AI score
Exploits0
Code423n4
Code423n4
added 2022/10/25 12:0 a.m.14 views

MEV: Operator can bribe miner and steal honest operator's bond amount if gas price went high

Lines of code Vulnerability details Description Operators in Holograph do their job by calling executeJob with the bridged in bytes from source chain. If the primary job operator did not execute the job during his allocated block slot, he is punished by taking a single bond amount and transfer it...

7AI score
Exploits0
Code423n4
Code423n4
added 2022/10/25 12:0 a.m.17 views

Weak randomness

Lines of code Vulnerability details Vulnerability details Description In the function crossChainMessage of HolographOperator contract there is the following logic implemented for the calculation of the random value: / @dev use job hash, job nonce, block number, and block timestamp for generating ...

6.8AI score
Exploits0
Code423n4
Code423n4
added 2022/07/08 12:0 a.m.7 views

Attacker can frontrun and reenter this function causing users to get griefed

Lines of code Vulnerability details Impact 1. attacker calls createFor and there is reentracy in safemint and an attacker can reenter and just keep increasing count just a side note 2. but what an attacker can do is when a user wants to call this function or launch a project an attacker frontruns...

6.7AI score
Exploits0
Code423n4
Code423n4
added 2022/05/15 12:0 a.m.9 views

Title: Yield can be unfairly divided because of MEV/Just-in-time stablecoin deposits

Lines of code Vulnerability details Impact An attacker can use MEV via gas auction or Flashbots or control of miners to cause an unfair division of yield. By providing a very large relative to the size of all other stablecoin deposits combined stablecoin deposit Just-in-Time before an admin's cal...

6.8AI score
Exploits0
Code423n4
Code423n4
added 2022/01/12 12:0 a.m.13 views

Missing slippage/min-return check in NonUSTStrategy

Handle cmichel Vulnerability details The contracts are missing slippage checks which can lead to being vulnerable to sandwich attacks. A common attack in DeFi is the sandwich attack. Upon observing a trade of asset X for asset Y, an attacker frontruns the victim trade by also buying asset Y, lets...

7.1AI score
Exploits0
Code423n4
Code423n4
added 2022/01/12 12:0 a.m.15 views

No slippage protection on _swapUstToUnderlying can lead to lost funds

Handle harleythedog Vulnerability details Impact The function swapUstToUnderlying exists to swap Ust to underlying tokens. The last argument to exchangeunderlying is mindy, which specifies the minimum number of underlying to be returned from the swap. Currently, this value is set to 0, so the...

7AI score
Exploits0
Code423n4
Code423n4
added 2021/12/06 12:0 a.m.6 views

arbitraryCall enables streamCreator to remove incentive tokens before endStream

Handle bitbopper Vulnerability details Impact streamCreator can remove incentive tokens before endStream by calling approve on the token beforehand. streamCreator has following methods of attack: guess from whom and with what he is going to be incentiviced listen in the mempool and win PGA in ord...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2021/12/01 12:0 a.m.17 views

Missing slippage/min-return check in UniswapHandler

Handle cmichel Vulnerability details The contracts are missing slippage checks which can lead to being vulnerable to sandwich attacks. A common attack in DeFi is the sandwich attack. Upon observing a trade of asset X for asset Y, an attacker frontruns the victim trade by also buying asset Y, lets...

7.1AI score
Exploits0
Code423n4
Code423n4
added 2021/10/27 12:0 a.m.11 views

Missing slippage checks

Handle cmichel Vulnerability details The contracts are missing slippage checks which can lead to being vulnerable to sandwich attacks. A common attack in DeFi is the sandwich attack. Upon observing a trade of asset X for asset Y, an attacker frontruns the victim trade by also buying asset Y, lets...

7.1AI score
Exploits0
Code423n4
Code423n4
added 2021/09/29 12:0 a.m.7 views

IndexPool.mint The first liquidity provider is forced to supply assets in the same amount, which may cause a significant amount of fund loss

Handle WatchPug Vulnerability details When reserve == 0, amountIn for all the tokens will be set to the same amount: ratio, regardless of the weights, decimals and market prices of the assets. The first liquidity provider may not be aware of this so that it may create an arbitrage opportunity for...

7AI score
Exploits0
Code423n4
Code423n4
added 2021/09/29 12:0 a.m.7 views

IndexPool.mint The first liquidity provider is forced to supply assets in the same amount, which may cause a significant amount of fund loss

Handle WatchPug Vulnerability details When reserve == 0, amountIn for all the tokens will be set to the same amount: ratio, regardless of the weights, decimals and market prices of the assets. The first liquidity provider may not be aware of this so that it may create an arbitrage opportunity for...

7AI score
Exploits0
Code423n4
Code423n4
added 2021/06/28 12:0 a.m.10 views

executeTrade can be frontrun

Handle gpersoon Vulnerability details Impact An attacker could monitor the mempool and see an executeTrade transaction. He then could checkout the parameters and see if a better trade is possible for himself. He might even create and sign a new trade and then submit the new trade via an...

6.7AI score
Exploits0
Code423n4
Code423n4
added 2021/05/01 12:0 a.m.10 views

Beebots.randomIndex() Can Be Manipulated To Not Be Random Without Costing Alice Anything

Handle jvaqa Vulnerability details Impact Beebots.randomIndex Can Be Manipulated To Not Be Random Without Costing Alice Anything. Since lower-numbered ids are seemingly more valuable, a malicious attacker can manipulate randomIndex to give themselves a more desirable value at no cost to themselve...

6.7AI score
Exploits0
Rows per page
Query Builder