17 matches found
Malicious code in gita-semur99-ruro (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bd57eea9cb468177282437da4a01fd02958d32b7fca458dedaf51cc3006197cd This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
FBI Creates Fake Cryptocurrency to Expose Widespread Crypto Market Manipulation
The U.S. Department of Justice DoJ has announced arrests and charges against several individuals and entities in connection with allegedly manipulating digital asset markets as part of a widespread fraud operation. The law enforcement action – codenamed Operation Token Mirrors – is the result of...
Single lender can game markets into unexpected states of delinquency
Lines of code Vulnerability details Impact Wildcat Markets allow for for a borrower to accept the risks they are willing to manage when agreeing to terms of uncollatoralised lending. Namely authorised borrowers will permit certain lenders and control certain market parameters like interest rate,...
Unrestricted Name and Symbol Modification in LSP7 and LSP8 Digital Assets
Lines of code Vulnerability details I HAVE ALREADY SUBMITTED THIS ISSUE HOWEVER I MESSED UP THE LINKS FOR IT. CAN YOU PLEASE DISREGARD THE PREVIOUS SUBMISSION? Impact The owner of a contract in LSP8IdentifiableDigitalAsset and LSP7DigitalAsset can arbitrarily change the name and symbol of a token...
Unrestricted Token Transfer and Minting
Lines of code Vulnerability details Impact An attacker could exploit this vulnerability to mint an unlimited number of tokens, potentially devaluing the token and manipulating the market. Proof of Concept: Proof of Concept --The contract allows anyone to call the onTokenTransfer function without...
User can abuse tight stop losses and high leverage to make risk free trades
Lines of code Vulnerability details Impact User can abuse how stop losses are priced to open high leverage trades with huge upside and very little downside Proof of Concept function limitClose uint id, bool tp, PriceData calldata priceData, bytes calldata signature external checkDelayid, false;...
There is no boundaries for starting an auction.
Lines of code Vulnerability details Impact The team has brought this contest to be fairer to their users in terms of liquidation mechanism. Looking through this perspective, it can be developed more on the process to be much fairer to the users in volatile market conditions. Proof of Concept The...
Moral hazard of borrower calling liquidate() and potential Oracle manipulation
Lines of code Vulnerability details Impact In the InceptionVaultsCore contract, the liquidate and liquidatePartial function can be called anyone. This means that the borrower for a specific vaultId can call liquidate or liquidatePartial on his own vault. Furthermore, the project incentivizes...
Investment scams are on the rise
Preying on one of the most basic human flaws, investment scams and other get-rich-quick schemes are making up an ever larger portion of the online scammers cake. The number of victims, for now, is lower than the number of victims of fraudulent sales, identity fraud, and dating fraud, but the cost...
A market's hourly average price can be biased by a large number of trades
Handle shw Vulnerability details Impact An attacker can artificially move a market's hourly average price i.e., the result of getHourlyAvgTracerPrice by executing a large number of trades on the market with only paying gas fees. Proof of Concept The hourly average price is calculated by the...
Black Hat 2020: Using Botnets to Manipulate Energy Markets for Big Profits
Researchers are warning that a new class of botnets could be marshaled and used to manipulate energy markets via zombie armies of power-hungry connected devices such as air conditioners, heaters, dryers and digital thermostats. A coordinated attack could cause an energy stock index to predictably...
Two Hackers Charged with Hacking SEC System in Stock-Trading Scheme
The U.S. authorities have charged two Ukrainian hackers for hacking into the Securities and Exchange Commission's EDGAR filing system and stealing sensitive market-moving reports of companies before their public release. EDGAR, or Electronic Data Gathering, Analysis, and Retrieval, is an online...
Augur: A miner can manipulate the gas reporting bond
Not entirely confident I've understood this system correctly, apologies if it's wrong and feel free to stop reading if you run into an obvious mistake... Summary: add summary of the vulnerability By creating a market with themselves as designated reporter and setting a very high gas price for the...
1834: The First Cyberattack
Tom Standage has a great story of the first cyberattack against a telegraph network. The Blanc brothers traded government bonds at the exchange in the city of Bordeaux, where information about market movements took several days to arrive from Paris by mail coach. Accordingly, traders who could ge...
Stellar.org: Exploitable vulnerability in SDEX
Hi, Last Thursday I discovered the exploitable vulnerability in SDEX. I immediately reported the bug directly to Jed by email and he confirmed it. It's all about rounding during trades. You see, I found that orders are always executed if the price matches market, even if the amount is as small as...
Stellar.org: It's possible to put SDX orderbook into invalid state and execute trades at arbitrary price
stellar-core improperly handles creation of a buy offer which crosses existing sell offers immediate execution but can only be filled partially due to a trustline limit on the source account. This makes it possible to create a valid offer to buy any custom asset at higher price than existing sell...
Russian Hackers Manipulate Ruble-Dollar Exchange Rate with Malware
Russian Group of Hackers reportedly cracked into the Kazan-based Energobank and messed up with the Ruble-Dollar exchange rates. In Feb 2015, a hacking group, known by the name METEL, successfully breached into the Russian Regional Bank for just 14 minutes and caused the exchange rate to fluctuate...