63 matches found
GHSA-H9CC-W26M-J342 nimiq-keys: Denial of service in Ed25519 multisig delinearization via invalid curve points
Impact A denial-of-service vulnerability exists in the Ed25519 multisig delinearization code path. Ed25519PublicKey::delinearize in keys/src/multisig/mod.rs called .unwrap on curve point decompression, which panics when a public key is constructed from 32 bytes that do not represent a valid point...
PT-2026-42670
Impact A denial-of-service vulnerability exists in the Ed25519 multisig delinearization code path. Ed25519PublicKey::delinearize in keys/src/multisig/mod.rs called .unwrap on curve point decompression, which panics when a public key is constructed from 32 bytes that do not represent a valid point...
PT-2026-42628
Impact A denial-of-service vulnerability exists in the Ed25519 multisig delinearization code path. Ed25519PublicKey::delinearize in keys/src/multisig/mod.rs called .unwrap on curve point decompression, which panics when a public key is constructed from 32 bytes that do not represent a valid point...
1inch Named Exclusive Swap Provider at Launch for Ledger Multisig
Road Town, British Virgin Islands, 11th December 2025, CyberNewsWire...
MAL-2025-5643 Malicious code in eth-multisig-v4 (npm)
The package communicates with a domain associated with malicious activity. Source: ghsa-malware 0011f8c820d2bf5736f029e749e3b1eb172ec056d5d712b620b95ef9ba5aa4dd Any computer that has this package installed or running should be considered...
MAL-2025-4169 Malicious code in cosmos-multisig-ui (npm)
North Korean Hackers Steal $1.5B in Cryptocurrency
It looks like a very sophisticated attack against the Dubai-based exchange Bybit: Bybit officials disclosed the theft of more than 400,000 ethereum and staked ethereum coins just hours after it occurred. The notification said the digital loot had been stored in a "Multisig Cold Wallet" when,...
Malicious code in flow-multisig (npm)
Source: ghsa-malware f805322cd47cf2193208d8b266a34b3960d291fa94c74ad6769dedfa9658eb64 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Time delay for operations scheduled by the community multisig (CM) in timelock poses a risk to the protocol and its users
Lines of code Vulnerability details Impact Time-sensitive operations done by the CM, like taking actions in case of a security exploit, are subject to the minDelay of the Timelock contract. Such operations are time sensitive and executing them several minutes later can result in significant loss...
CM can delegatecall to any address and bypass all restrictions
Lines of code Vulnerability details Impact The GuardCM contract is designed to restrict the Community Multisig CM actions within the protocol to only specific contracts and methods. This is achieved by implementing a checkTransaction method, which is invoked by the CM GnosisSafe before every...
When unpausing the GuardCM, not setting governorCheckProposalId to 0 puts the assets of the protocol at risk
Lines of code Vulnerability details Impact If the GuardCM was paused once, the community multisig CM can pause it again without checking for the governance's activity. This moves the power within the system from the governance to the CM and can, in the worst case, result in the loss of all funds o...
Decision-making in the DAO is too slow, which results in the DAO not being able to use the CANCELLER_ROLE properly
Lines of code Vulnerability details Impact The time that it takes the DAO to vote on a proposal is too long for the DAO to be a proper address to cancel scheduled operations. That is why no scheduled operation will ever be cancelled and potentially malicious operations from security exploits will be...
Changing the quorumNumerator should not be only possible by the governance
Lines of code Vulnerability details Impact Only the DAO can reduce the quorumNumerator. This means that if the participation for proposals in the DAO decreases below the quorumNumerator, there is no way to reduce the quorumNumerator so the DAO can start making decisions again. Proof of Concept Fo...
The same console addresses on other chains can be captured by compromised or malicious owner
Lines of code Vulnerability details Impact The same order of owners' addresses lets one generate the same console address on all chains. But any owner from the list can deploy console accounts on other chains with the threshold parameter equal to 1 and then change owners in these accounts, i.e. capture thes...
If the Virtual Account's owner is a Contract Account (multisig wallet), attackers can gain control of the Virtual Accounts by gaining control of the same owner's address in a different chain
Lines of code Vulnerability details Impact Attackers can gain control of User's Virtual Accounts and steal all the assets these accounts hold in the Root environment Proof of Concept When sending signed messages from a Branch to Root, the RootBridgeAgent contract calls the...
Anyone can call perform in SecurityCouncilMemberSyncAction to update members of security council multisig
Lines of code Vulnerability details Impact Anyone can update members of security council multisig Proof of Concept SecurityCouncilMemberSyncAction contract has a perform function which is used to update members of security council multisig. File: SecurityCouncilMemberSyncAction.sol /// @notice...
call() should be used instead of transfer() on an address payable
Lines of code Vulnerability details Impact The use of the transfer function for sending ETH to an address will inevitably make the transaction fail when: The claimer smart contract does not implement a payable function. The claimer smart contract does implement a payable fallback which uses more...