14 matches found
ThreatsDay Bulletin: $290M DeFi Hack, macOS LotL Abuse, ProxySmart SIM Farms +25 New Stories
You scroll past one incident and see another that feels familiar, like it should have been fixed years ago, but it still works with small changes. Same bugs. Same mistakes. The supply chain is messy. Packages you did not check are stealing data, adding backdoors, and spreading. Attacking the...
Malicious code in layerzero-v2 (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware e38548e48278e6b84fe1732117aef2c443aee26ea8e5694692002fe7342e1e30 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2024-12077 Malicious code in layerzero-v2 (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware e38548e48278e6b84fe1732117aef2c443aee26ea8e5694692002fe7342e1e30 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Masa Network Integrates with LayerZero to Power Its Cross-chain AI Data Network
By Waqas Masa Network’s AI Data Marketplace will be an interoperable network for the world’s personal data, launching across multiple blockchains from day one. This is a post from HackRead.com Read the original post: Masa Network Integrates with LayerZero to Power Its Cross-chain AI Data Network...
LayerZero endpoint can get blocked by a malicious user (or even a honest one)
Lines of code Vulnerability details Description Contract Endpoint, from LayerZero is the one responsible of sending/receiving messages to/from other chains. Specifically it has function receivePayload, which is called by contract UltraLightNodeV2 the current default library of the protocol after...
Gas that was sent by LayerZero can get stuck in the contract in some cases
Lines of code Vulnerability details If a tx on the destination chain calls back the chain from where the transaction was initiated by the user, the first transaction on the source chain needs to "airdrop" gas to the destination chain so it is able to call back the source chain. The problem is tha...
Incorrect srcAddress check renders all layerzero messages unusable
Lines of code Vulnerability details Impact The source address of LayerZero messages is validated on a wrong part of the calldata, which will cause all cross-chain-messages to fail on a live deployment. Proof of Concept The receivers of cross-chain-messages BranchBridgeAgent and RootBridgeAgent bo...
User can selectively turn on the fallback flag to take all ETH on the agent contract as layerzero fee refund
Lines of code Vulnerability details Impact performFallbackCall can revert sliently when refundee is not capable of taking ETH refund from layerzero side Proof of Concept In RootBridgeAgent.sol when the has fall back toggle flag is on, the smart contract aim to perform a fallback call to notify th...
Lack of force resume support for LZ which is crucially important to have
Lines of code Vulnerability details Impact The User Application LZReceiver should implement the ILayerZeroUserApplicationConfig interface which includes the forceResumeReceive function. This is very important as in the worst case, it can allow the owner to unblock the queue of messages if somethi...
ChainLink should be used as an Oracle for messaging instead of Google Cloud
Lines of code Vulnerability details Impact Each User Application contract e.g. BranchBidgeAgent built on LayerZero will work without configuration using defaults, but a UA will also be able to configure its own. Maia intends to use the default config. However, Google Cloud Oracle is the default a...
Tenet and LayerZero Forge Cross-Chain LSD Adoption
By Owais Sultan Tenet and LayerZero Partner to Pioneer Cross-Chain Liquidity for Liquid Staking Derivatives. This is a post from HackRead.com Read the original post: Tenet and LayerZero Forge Cross-Chain LSD Adoption...
LayerZero Channel can be blocked by an attacker
Lines of code Vulnerability details Impact According to the LayerZero docs, the default behavior is that when a transaction on the destination application fails, the channel between the source and destination is blocked. Before any new transactions can be executed, the failed transaction has to b...
Attacker can block LayerZero channel
Lines of code Vulnerability details Impact According to the LayerZero docs, the default behavior is that when a transaction on the destination application fails, the channel between the src and dst app is blocked. Before any new transactions can be executed, the failed transaction has to be retri...
@0xwen/core (>=0.0.1 <=0.0.3), @0xwen/core-v5 (>=0.0.1 <=0.0.3) +128 more potentially affected by CVE-2021-46320 +1 more via @openzeppelin/contracts-upgradeable (>=3.4.0 <=4.3.3)
@openzeppelin/contracts-upgradeable NPM version =3.4.0, =0.0.1, =0.0.1, =0.0.2, =0.0.1, =2.0.0, =3.0.0-alpha0, =2.0.0, =3.0.1-alpha, =1.0.0, =1.0.0-beta.0, =1.0.0, =1.0.4 and more Source cves: CVE-2021-46320, CVE-2022-39384 Source advisory: OSV:GHSA-9C22-PWXW-P6HX...