MAL-2026-4216 Malicious code in polymarket-trader (npm)

A coordinated supply-chain attack comprising 9 npm packages published by maintainer polymarketdev GitHub actor texsellix, repo texsellix/polymarket-trading-bot within a 2-minute window on 2026-05-20T23:30Z–23:32Z. All packages masquerade as legitimate Polymarket CLOB trading tools while...

Malicious code in keccak256-helper (npm)

The package keccak256-helper was found to contain malicious code...

MAL-2025-24372 Malicious code in keccak256-helper (npm)

The package keccak256-helper was found to contain malicious code...

Nonce update

Lines of code Vulnerability details return uint256keccak256abi.encodePackedownersHash, ownerSafeCountownersHash++, salt, VERSION; here ownerSafeCountownersHash++ is used as nonce for different ownerSafeCount mapping if ownersHash is 0 or 1 the mapping will be 0 for the first item.This will cause ...

Possible hash collision in retrieveProxyContractAddress()

Lines of code Vulnerability details Impact implemention of keccak256abi.encodePackeda, b with both dynamic types or same type with dynamic nature leads to collision in hash. Proof of Concept From the sol docs:link. i.e If you use keccak256abi.encodePackeda, b and both a and b are dynamic types, i...

Upgraded Q -> 2 from #55 [1693255720314]

Judge has assessed an item in Issue 55 as 2 risk. The relevant finding follows: If we take a look at the EIP712 standard it states the following The array values are encoded as the keccak256 hash of the concatenated encodeData of their contents i.e. the encoding of SomeType5 is identical to that ...

Replay Attack Vulnerability Due to Uniqueness Invariant Violation in AxelarServiceGovernance Contract's Proposal Hash Generation

Lines of code Vulnerability details Impact The current implementation of the AxelarServiceGovernance contract relies solely on the Keccak256 algorithm to generate proposal hashes, using only the target contract's address, encoded function call data, and the native token transfer value as...

SignatureValidator.recoverAddrImpl for mode Multisig checks only the last value is different to zero address

Lines of code Vulnerability details Description Current implementation when mode == SignatureMode.Multisig only checks that the last time signer is calculated is different from zero address. The variable signer is overwritten with a new value, based on the previous value and the current signature...

Upgraded Q -> 2 from #245 [1681331462696]

Judge has assessed an item in Issue 245 as 2 risk. The relevant finding follows: 3. Insecure random number generation: Link : The current implementation of the drawing function uses a simple modulo operation with the seed as an argument, which can be easily predicted by attackers. I recommend usi...

Split vulnerable to preimage attack

Lines of code Vulnerability details Impact A motivated attacker could invest the resources to craft a malicious SplitsReceiver to steal all of a users' pending funds. Proof of Concept This is a non-practical implementation of the attack, but shows by extending the SplitsReceiver array by any numb...

Use abi.encode instead of abi.encodePacked to prevent data collisions for object hashing

Lines of code Vulnerability details M-01 Use abi.encode instead of abi.encodePacked Impact hash collisions on the data stored for object hashing Proof of Concept From the solidity documentation: If you use keccak256abi.encodePackeda, b and both a and b are dynamic types, it is easy to craft...

Cross-chain replay attacks are possible with delegateBySig

Lines of code Vulnerability details If a user does a delegateBySig using the wrong network, an attacker can replay the action on the correct chain, and steal the funds a-la the wintermute gnosis safe attack, where the attacker can create the same address that the user tried to, and steal the fund...

Using keccak256(abi.encoded()) can result in collisions

Lines of code Vulnerability details Proof of Concept The code in mutualConsent makes use of keccak256abi.encodePacked but this can result in a collision when the arguments of abi.encodePacked are aligned in a way that gives the same result. Impact Having hash collisions in mutualConsent...

Injection into the mintlist merkle tree

Lines of code Vulnerability details Description There is claimGobbler function in ArtGobblers contract. It accepts proof as an array of bytes32 values and uses such a proof for the check whether msg.sender is available to claim a gobbler. But there is no check on the length of the proof, so it is...

# Only part of keccak256() is used as hash, making it susceptible to collision attacks

Lines of code Vulnerability details At 2 places in the code only part of the output of keccak256 is used as the hash: At TokenDistributor - DistributionState.distributionHash15 - uses only a 15 bytes as a hash This one is intended to save storage At Crowdfund.governanceOptsHash a 16 bytes is used...

QuickAccManager.sol#cancel() Wrong hashTx makes it impossible to cancel a scheduled transaction

Handle WatchPug Vulnerability details In QuickAccManager.solcancel, the hashTx to identify the transaction to be canceled is wrong. The last parameter is missing. As a result, users will be unable to cancel a scheduled transaction. function cancelIdentity identity, QuickAccount calldata acc, uint...

artillery-core (>=0.1.2 <=0.1.2-alpha.3), bastion (>=0.3.5 <=0.4.5) +500 more potentially affected by CVE-2021-38195 via libsecp256k1 (>=0.1.3 <=0.3.5)

libsecp256k1 CARGO version =0.1.3, =0.1.2, =0.3.5, =0.1.0, =0.1.1, =0.7.0, =0.1.0, =0.2.0, =1.0.0, =0.7.0, =0.8.2 and more Source cves: CVE-2021-38195 Source advisory: OSV:GHSA-G4VJ-X7V9-H82M...

Decoder++ - An Extensible Application For Penetration Testers And Software Developers To Decode/Encode Data Into Various Formats

An extensible application for penetration testers and software developers to decode/encode data into various formats. Setup Decoder++ can be either installed by using pip or by pulling the source from this repository: Install using pip pip3 install decoder-plus-plus Overview This section provides...