MAL-2026-4609 Malicious code in mev-shield (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9783d5e48d62da6de516b1cf5d36474143528a9c6f33a86892ee558266a4e5ec The package advertises itself as an 'MEV protection layer for Ethereum trading bots' but does the opposite. On npm install, a postinstall script...

EUVD-2023-1704

Malicious code in bioql PyPI...

GovernorOLAS is susceptible to DOS via proposal frontrunning

Lines of code Vulnerability details Impact The GovernorOLAS contract inherits from OpenZeppelin's GovernorCompatibilityBravo v4.8.3, which has a known vulnerability in the proposal creation process that can be exploited to halt proposals sent to the governor. The root cause of this vulnerability ...

burn() and borrow() in LendingPool are very likely to revert due to insufficient cash and could be triggered maliciously

Lines of code Vulnerability details Impact Users might not always be able to burn or borrow due to being frontrunned by other borrow or burn calls, potentially in a malicious manner so funds don't leave the LendingPool. Proof of Concept This attack could happen frequently because the health of a...

Bidders can bid at previous auction reserve price by frontrunning the setter transactions

Lines of code Vulnerability details Impact The AuctionHouse.settleCurrentAndCreateNewAuction can frontrun the setter functions such as setCreatorRateBps, setMinCreatorRateBps, setEntropyRateBps, setTimeBuffer, setMinBidIncrementPercentage & setReservePrice. As soon as the current auction ends, an...

Liquidations can be prevented by frontrunning and liquidating 1 debt (or more) due to wrong assumption in POS_MANAGER

Lines of code Vulnerability details Impact Users can avoid being liquidated if they frontrun liquidation calls with a liquidate call with 1 wei. Or, they may do a partial liquidation and avoid being liquidated before the interest reaches the value of the debt pre liquidation. The total interest...

Only ensure the Lp is repaid when close the position invites MEV bot

Lines of code Vulnerability details Impact Only ensure the Lp is repaid when close the position invites MEV bot Proof of Concept in the function closePosition function closePosition DataStruct.ClosePositionParams calldata params, DataCache.ClosePositionCache memory cache, Lien.Info memory lien,...

buggy reward calculation

Lines of code Vulnerability details Impact This is very similar to an inflation attack. Rewards increase whenever splitFees is being called which is anywhere buy/sell/mint/burn. The calculation is done like this: shareDataid.shareHolderRewardsPerTokenScaled += shareHolderFee 1e18 / tokenCount;...

The approve function can be frontrun

Lines of code Vulnerability details Impact Bob steals tokens from Alice. Proof of Concept In the file WildcatMarketToken.sol there is an approve function: function approveaddress spender, uint256 amount external virtual nonReentrant returns bool approvemsg.sender, spender, amount; return true; th...

DoS Any Market by Frontrunning Creation with a Codehash Change

Lines of code Vulnerability details Impact Any market contract can be DoSed by sending a 1 wei transaction to the market address that will be created for a user. When an account has no code and has never been interacted with, the codehash will be bytes320. This will result in market creation...

approve function can be frontrun and funds will be stolen as a result

Lines of code Vulnerability details Impact The user that gives allowances will lose funds. Proof of Concept In the file ERC20.sol there is a function approve. This function is problematic as it is susceptible to frontrunning attacks. PoC: Consider the following scenario: Alice calls the function...

Lack of slippage parameter in swap can cause losses for users

Lines of code Vulnerability details Impact Users can incure losses do to lack of slippage control. Detailed description of the impact of this finding. Slippage control helps to safeguard user funds against price falling below a certain threshold. This can be caused byfrontrunning attack. Proof of...

treasury approveSmallSpending, approveMediumSpend and approveLargeSpend and setThreshold and setGSCAllowance can be frontrunned

Lines of code Vulnerability details Line of code: Impact treasury approveSmallSpending, approveMediumSpend and approveLargeSpend can be frontrunned Proof of Concept the AracheTreasury, there are three spending relate function: approveSmallSpend, approveMediumSpend, approveLargeSpend both of these...

Predictability of cloned address may be susceptible to frontrunning

Lines of code Vulnerability details Impact DoS for the Aquifer.boreWell function due to frontrunning. Proof of Concept From the video documentation, Anyone can call boreWell in Aquifer.sol after confirming an implementation contract. The address of the new Well depends solely upon the salt...

NodeOperator will steal other NodeOperators' validators through frontrunning

Lines of code Vulnerability details Impact People that want to earn staking rewards, but do not have the resources to run validators, will see Stader as an avenue where they can easily steal and use others validators and they will actually earn Operator rewards from Stader. This could lead to two...

OpenZeppelin Contracts's governor proposal creation may be blocked by frontrunning

Impact By frontrunning the creation of a proposal, an attacker can become the proposer and gain the ability to cancel it. The attacker can do this repeatedly to try to prevent a proposal from being proposed at all. This impacts the Governor contract in v4.9.0 only, and the...

GHSA-5H3X-9WVQ-W4M2 OpenZeppelin Contracts's governor proposal creation may be blocked by frontrunning

Impact By frontrunning the creation of a proposal, an attacker can become the proposer and gain the ability to cancel it. The attacker can do this repeatedly to try to prevent a proposal from being proposed at all. This impacts the Governor contract in v4.9.0 only, and the...

CVE-2023-34234

OpenZeppelin Contracts is a library for smart contract development. By frontrunning the creation of a proposal, an attacker can become the proposer and gain the ability to cancel it. The attacker can do this repeatedly to try to prevent a proposal from being proposed at all. This impacts the...

Design/Logic Flaw

OpenZeppelin Contracts is a library for smart contract development. By frontrunning the creation of a proposal, an attacker can become the proposer and gain the ability to cancel it. The attacker can do this repeatedly to try to prevent a proposal from being proposed at all. This impacts the...

CVE-2023-34234 Governor proposal creation may be blocked by frontrunning in OpenZeppelin

OpenZeppelin Contracts is a library for smart contract development. By frontrunning the creation of a proposal, an attacker can become the proposer and gain the ability to cancel it. The attacker can do this repeatedly to try to prevent a proposal from being proposed at all. This impacts the...