Lucene search
K

12 matches found

OSV
OSV
added 2024/01/19 10:7 p.m.20 views

GHSA-WG2X-RV86-MMPX SPV Merkle proof malleability allows the maintainer to prove invalid transactions

Summary By publishing specially crafted transactions on the Bitcoin blockchain, the SPV maintainer can produce seemingly valid SPV proofs for fraudulent transactions. The issue was originally identified by Least Authority in the tBTC Bridge V2 Security Audit Report as Issue B: Bitcoin SPV Merkle...

7.5AI score
Exploits0References7
Github Security Blog
Github Security Blog
added 2024/01/19 10:7 p.m.24 views

SPV Merkle proof malleability allows the maintainer to prove invalid transactions

Summary By publishing specially crafted transactions on the Bitcoin blockchain, the SPV maintainer can produce seemingly valid SPV proofs for fraudulent transactions. The issue was originally identified by Least Authority in the tBTC Bridge V2 Security Audit Report as Issue B: Bitcoin SPV Merkle...

7.5AI score
Exploits0References7Affected Software1
Positive Technologies
Positive Technologies
added 2024/01/19 12:0 a.m.5 views

PT-2024-40497 · Bitcoin · Bitcoind

Name of the Vulnerable Software and Affected Versions: Bitcoin affected versions not specified Description: The issue allows an attacker to create seemingly valid SPV proofs for fraudulent transactions by publishing specially crafted transactions on the Bitcoin blockchain. This is achieved by...

6.9AI score
Exploits0References8
Github Security Blog
Github Security Blog
added 2023/06/19 7:46 p.m.36 views

OpenZeppelin Contracts using MerkleProof multiproofs may allow proving arbitrary leaves for specific trees

Impact When the verifyMultiProof, verifyMultiProofCalldata, processMultiProof, or processMultiProofCalldata functions are in use, it is possible to construct merkle trees that allow forging a valid multiproof for an arbitrary set of leaves. A contract may be vulnerable if it uses multiproofs for...

5.9CVSS6.7AI score0.00371EPSS
Exploits0References5Affected Software2
Code423n4
Code423n4
added 2022/10/10 12:0 a.m.7 views

Merkle verifier library verifies intermediate inputs

Lines of code Vulnerability details Vulnerability details Description MerkleVerifier provides a set of functions for verification of a Merkle proof by performing an inclusion check of input against a binary tree. This is implemented as consecutively hashing concatenated sibling nodes until a root...

6.8AI score
Exploits0
Code423n4
Code423n4
added 2022/09/27 12:0 a.m.12 views

A malicious user can claim and successfuly steal a gobbler NFT token.

Lines of code Vulnerability details Impact A malicious user can claim and successfuly steal a gobbler NFT token in the function claimGobbler. Proof of Concept The function claimGobbler is used from the mintlisted users to claim a gobbler using a merkle proof. However there is no check to ensure...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2022/09/12 12:0 a.m.16 views

Potential DoS in _claim()

Lines of code Vulnerability details Impact An attacker could call claim in an infinite loop to conduct DoS attack. Proof of Concept Here is the implementation of claim: // User provides the the cToken & the amount they should get, and it is verified against the merkle root for that cToken ///...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2022/06/03 12:0 a.m.13 views

Verifying criteria is prone to known merkle proof attacks

Lines of code Vulnerability details The Merkle hash root does not indicate the tree depth, enabling a second-preimage attack in which an attacker creates a document other than the original that has the same Merkle hash root. For the example above, an attacker can create a new document containing...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2022/04/01 12:0 a.m.13 views

One co-creator with a small share can get 100% of the funds in the splitter

Lines of code Vulnerability details Impact One co-creator with a small share can get 100% of the funds by calling the incrementWindow function from an attacker contract that mimics RoyaltyVault. He can then create one or multiple fake windows and claim them to get the full balance of the splitter...

6.8AI score
Exploits0
Code423n4
Code423n4
added 2022/02/17 12:0 a.m.9 views

[WP-H4] Input should be validated on-chain to avoid fund loss caused by admin's misinput

Lines of code Vulnerability details In the current design/implementation, the admin of BribeVault is a super privileged role of the system. However, the inputs of the admin to some of the most critical methods are not being validated properly. This can lead to loss of funds to users caused by the...

6.8AI score
Exploits0
Code423n4
Code423n4
added 2022/02/17 12:0 a.m.14 views

Rewards can be claimed if merkle proof is known

Lines of code Vulnerability details Impact The README describes the following when a voting ends: Outside of the Hidden Hand contract scope, after the Tokemak CoRE round ends, proposal data is compiled and these two things happen: - The following is derived from the data: its hash KECCAK-256 and...

6.8AI score
Exploits0
Code423n4
Code423n4
added 2021/12/22 12:0 a.m.9 views

Users can lock themselves out of being able to convert VETH, becoming stuck with the deprecated asset

Handle TomFrenchBlockchain Vulnerability details I've put this as a medium issue as we're leaking value as users are stuck with assets which are likely to be worth much less as they are deprecated. It could also be low as it's not exploitable by outside parties and the loss isn't taken by the...

6.6AI score
Exploits0
Rows per page
Query Builder