4 matches found
GHSA-JCXM-7WVP-G6P5 Modified package published to npm, containing malware that exfiltrates private key material
Earlier today, a publish-access account was compromised for @solana/web3.js, a JavaScript library that is commonly used by Solana dapps. This allowed an attacker to publish unauthorized and malicious packages that were modified, allowing them to steal private key material and drain funds from...
Centralization Risk for trusted owners
Lines of code https://github.com/code-423n4/2023-02-ethos/blob/73687f32b934c9d697b97745356cdf8a1f264955/Ethos...
Malicious relayer could exploit sponsor vaults
Lines of code Vulnerability details Impact Sponsor vaults drained Proof of Concept reimburseRelayerFees uses SponsorVault funds to repay users the fees they pay to relayers. A malicious relayer could create a large number of transactions with the max reimbursed relay fee specified in SponsorVault...
User can refund the received airdropped (free) "key"
Handle GiveMeTestEther Vulnerability details Impact User can refund the received airdropped free "key". If a lot of users received a airdropped "key" they can drain the funds of the lock. e.g. key owner cannot withdraw anything, user that purchased a key can't cancel and refund. Proof of Concept ...