
10 matches found

RedhatCVE
added 2026/06/01 4:3 p.m. | 9 views

CVE-2026-9831

A race condition in the shared Extreme Platform ONE IAM Gateway API-key authentication path could, under specific high-concurrency traffic conditions, intermittently allow requests authenticated with an Extreme Platform ONE /IAM-issued API key to receive response data for another tenant. The issu...

6.3 CVSS | 5.8 AI score | 0.00172 EPSS
Exploits 0 | References 1
Code423n4
added 2023/12/20 12:0 a.m. | 7 views

Malicious user can still native tokens of MoneyMarketHook caller

Lines of code Vulnerability details Proof of Concept MoneyMarketHook allows user to chain some actions into one multicall to the InitCore. In the end user can get all wrapped native tokens that he withdrew in a form of native token. Note, that this part of code withdraws all balance from wrapped...

7.3 AI score
Exploits 0
Code423n4
added 2023/11/10 12:0 a.m. | 9 views

payable.transfer() call will result in loss of unused Ether

Lines of code Vulnerability details Impact batchContribute function carries out funding and transfer in batches by using the payable.transfer call. This is unsafe as transfer has hard coded gas budget and can fail when the user is a smart contract. This way programmatical usage of batchContribute...

7 AI score
Exploits 0
Code423n4
added 2023/10/06 12:0 a.m. | 9 views

The Liquidity mining callpath sidecar owner can pull native tokens from the Dex

Lines of code Vulnerability details Impact The owner of liquidity mining sidecar can pull the native coins that are stored in the CrocSwapDex to reward the users. Proof of Concept The setConcRewards and setAmbRewards functions doesn't check if the quoted amount of rewards are actually sent by the...

6.7 AI score
Exploits 0
Code423n4
added 2023/10/06 12:0 a.m. | 5 views

The protocolCmd is permisionless but does not check if the user provide native tokens

Lines of code Vulnerability details Proof of Concept Anyone can call protocolCmd which calls setConcRewards and setAmbRewards to set rewards. LiquidityMiningPath.solL26-L37 function protocolCmdbytes calldata cmd public virtual uint8 code, bytes32 poolHash, uint32 weekFrom, uint32 weekTo, uint64...

6.9 AI score
Exploits 0
Code423n4
added 2023/09/14 12:0 a.m. | 8 views

The current axelar router's implementation can't interact with any calls that requires native tokens

Lines of code Vulnerability details Impact Medium... this completely blocks off users that would need to call a contract and want to pass value to them, as they can't do this since the functions are not payable Proof of Concept See summary Additionally take a look at the Axelar's Router.sol and s...

7 AI score
Exploits 0
Code423n4
added 2023/07/21 12:0 a.m. | 3 views

Users do not get charged for the value their proposal will need

Lines of code Vulnerability details Impact Depending on whether the destination chain InterchainProposalExecutor's native token balance the transaction will either steal funds or will fail. Proof of Concept Users can provide an amount of native tokens they want to send to the call they will make ...

7 AI score
Exploits 0
Code423n4
added 2023/07/21 12:0 a.m. | 2 views

The is no way for native tokens to get sent to InterchainProposalExecutor

Lines of code Vulnerability details Impact Proposals that require value cannot be executed as native tokens on the other side of the bridge cannot be provided. Proof of Concept Proposals have a value parameter, which allows users to specify what amount of native tokens should be passed when calli...

7.2 AI score
Exploits 0
Code423n4
added 2022/06/19 12:0 a.m. | 4 views

Wrong implementation of rescueETH, causing the fees in native tokens to be frozen in the contract

Lines of code Vulnerability details /// @dev used for rescuing exchange fees paid to the contract in ETH function rescueETHaddress destination external payable onlyOwner bool sent, = destination.callvalue: msg.value''; requiresent, 'failed'; Recommendation Change to: /// @dev used for rescuing...

6.9 AI score
Exploits 0
Code423n4
added 2022/03/09 12:0 a.m. | 8 views

Potential lock of rewards in the custody contracts

Lines of code Vulnerability details Impact The swaptostabledenom function in the custody contracts swaps all other native tokens into a specific one. The function creates swap messages for all the other native tokens and adds them as sub-messages, and handles the reply only when the last...

6.7 AI score
Exploits 0