GHSA-MJFQ-3QR2-6G84 Cosmos EVM Allows Partial Precompile State Writes

Impact Setting lower EVM call gas allows users to partially execute precompiles and error at specific points in the precompile code without reverting the partially written state. If executed on the distribution precompile when claiming funds, it could cause funds to be transferred to a user witho...

Cosmos EVM Allows Partial Precompile State Writes

Impact Setting lower EVM call gas allows users to partially execute precompiles and error at specific points in the precompile code without reverting the partially written state. If executed on the distribution precompile when claiming funds, it could cause funds to be transferred to a user witho...

Homograph attack allows Unicode lookalike characters to bypass validation.

Impact Attackers can deceive users into sending funds to an unintended address. Patches https://github.com/cryptocoinjs/base-x/pull/86...

CVE-2025-30073

An issue was discovered in OPC cardsystems Webapp Aufwertung 2.1.0. The reference assigned to transactions can be reused. When completing a payment, the first or all transactions with the same reference are completed, depending on timing. This can be used to transfer more money onto employee card...

CVE-2024-13724

The Wallet System for WooCommerce – Wallet, Wallet Cashback, Refunds, Partial Payment, Wallet Restriction plugin for WordPress is vulnerable to unauthorized access to functionality in all versions up to, and including, 2.6.2. This makes it possible for unauthenticated attackers to increase their...

CVE-2024-7747

CVE-2024-7747 affects Wallet for WooCommerce (WordPress). The vulnerability is an incorrect conversion between numeric types in all versions up to and including 1.5.6, caused by a numerical logic flaw during transfers. When exploited by an authenticated user with Subscriber+ privileges, an attack...

CVE-2024-7747 Wallet for WooCommerce <= 1.5.6 - Authenticated (Subscriber+) Incorrect Conversion between Numeric Types

The Wallet for WooCommerce plugin for WordPress is vulnerable to incorrect conversion between numeric types in all versions up to, and including, 1.5.6. This is due to a numerical logic flaw when transferring funds to another user. This makes it possible for authenticated attackers, with...

Missing pause check in transferAssetToNodeDelegator()

Lines of code Vulnerability details Summary The function transferAssetToNodeDelegator present in the LRTDepositPool contact ignores the contract's pause state. Impact The LRTDepositPool contract contains a functionality to pause the contract in case of an emergency. 208: function pause external...

Based on the functionality, if the releaseEscrow() function can be called by unauthorized entities, it can lead to potential misuse or unintended transfer of assets.

Lines of code Vulnerability details Impact The absence of access control on the releaseEscrow function presents a significant security risk. As it currently stands, any external actor or contract can invoke this function, which may result in the unintended release of escrowed funds. This opens up...

CVE-2023-32675

CVE-2023-32675 affects Vyper prior to 0.3.8. In contracts with more than one regular nonpayable function, funds could be sent to the default function even if it is nonpayable due to an early calldatasize check, as described in public advisories. The issue was fixed by removing the global calldata...

Lack of Access Control in GrantFund Smart Contract's fundTreasury Function

Lines of code Vulnerability details Impact The fundTreasury function in the GrantFund.sol contract allows anyone to add funds to the contract's treasury without any access control, which can lead to unauthorized access to the contract's funds. The problem with this function is that it doesn't hav...

CVE-2023-30543

@web3-react is a framework for building Ethereum Apps . In affected versions the chainId may be outdated if the user changes chains as part of the connection flow. This means that the value of chainId returned by useWeb3React may be incorrect. In an application, this means that any data derived...

withdraw() function uses faulty burn() function for transfer and it has no access control implemented.

Lines of code Vulnerability details Impact The withdraw function has no access control implemented and can be called by anyone. It also uses the burn function to transfer funds. A Malicious actor can withdraw the balance of Lendgine.sol. Proof of Concept Alice a malicious actor uses a contract to...

Upgraded Q -> M from #173 [1673098404536]

Judge has assessed an item in Issue 173 as M risk. The relevant finding follows: L-03 - Depreciating-soon selfdestruct is used to transfer funds to seller after sale ends. --- The text was updated successfully, but these errors were encountered: All reactions...

_transferFrom() in Pair contract doesn't update approval amounts when transferring user fractional tokens

Lines of code Vulnerability details Impact Contract Pair is and ERC20 token which represents user fractional token balance and it has all the features of the standard ERC20 tokens. function transferFrom has been written for transferring token but the logic isn't complete and it doesn't consider...

The seller could stoln the Creator Royalties

Lines of code Vulnerability details Impact the seller could set their address to get the Creator Royalties Proof of Concept execute == executeFundsTransfer == transferFees for uint8 i = 0; i fees.length; i++ uint256 fee = price feesi.rate / INVERSEBASISPOINT; transferTopaymentToken, from,...

Accidentally cancel order

Lines of code Vulnerability details Accidentally cancel order Impact Some market maker's limit order might be accidentally cancelled, and has to be resubmitted again. If the user did not do this on purpose, without knowing the fact that the order has been cancelled, it may lead to unexpected...

Current implementation of arbitrary call execute failure handler may break some use case for example NFT bridge.

Lines of code Vulnerability details Impact Current implementation of arbitrary call execute failure handler may break some use case for example NFT Bridge. In the case of NFT Bridge, NFT may be lost forever. This is likely to be happened in the case of out of gas. Proof of Concept Relayer receive...

Usage of deprecated transfer to send ETH

Lines of code Vulnerability details Vulnerability details The usage of address.send is considered a bad practice as it only uses 2300 gas and you create a high dependency of gas. It is true that this is only used in an emergency to transfer the funds to the vault, but it always a better practice ...

SSRF Flaw in Fintech Platform Allowed for Compromise of Bank Accounts

A server-side request forgery SSRF flaw in an API of a large financial technology fintech platform potentially could have compromised millions of bank customers, allowing attackers to defraud clients by controlling their bank accounts and funds, researchers have found. A team at Salt Security’s...