16 matches found
Malicious code in nft-transfer-transformer (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 90b61c51743bbb7e45afbab35984b72d25a2743ce9b95ce35a49bf6637a29bca Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in nft-transfer-transforme (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware a09653a1d426cf6f90d650d5969507f62361acd5a0358bc0fa0dc59045a160cf Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2025-1155 Malicious code in nft-transfer-transformer (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 90b61c51743bbb7e45afbab35984b72d25a2743ce9b95ce35a49bf6637a29bca Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2025-1154 Malicious code in nft-transfer-transforme (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware a09653a1d426cf6f90d650d5969507f62361acd5a0358bc0fa0dc59045a160cf Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Use of transferFrom() rather than safeTransferFrom() for NFTs in will lead to the loss of NFTs
Lines of code 230, 342, 514, 536 Vulnerability details The EIP-721 standard says the following about transferFrom: /// @notice Transfer ownership of an NFT -- THE CALLER IS RESPONSIBLE /// TO CONFIRM THAT to IS CAPABLE OF RECEIVING NFTS OR ELSE /// THEY MAY BE PERMANENTLY LOST /// @dev Throws...
withdrawNftWithInterest() possible take away other Lien's NFT
Lines of code Vulnerability details Impact Possible take away other Lien's NFT Proof of Concept withdrawNftWithInterest Used to retrieve NFT The only current restriction is that if you can transfer out of NFT, it means an inactive loan function withdrawNftWithInterestLien calldata lien, uint256...
claim can run out of gas
Lines of code Vulnerability details Impact If the claim function runs out of gas, the caller can never claim any rewards without transferring the nfts to another address first Proof of Concept Currently, the claim function loops over the msg.senders NFT's. If this list ever becomes too large, the...
The NFT can be transferred to the owner immediately after startDraw()
Lines of code Vulnerability details lastResortTimelockOwnerClaimNFT as the name says is used in case the winning user doesn't retrieve the won NFT token and in such case the owner can rescue the NFT from the contract. The mentioned function can be only called after a certain period is passed: if...
_executeTokenTransfer() can silently fail for malicious ERC721 implementations.
Lines of code Vulnerability details Impact execute calls executeTokenTransfer to perform the NFT transfer from seller to buyer. The function assumes correct safeTransferFrom functionality and does not check balances. In case of malicious - or poorly designed pausable ERC721 implementations, this...
NFT could be locked in settlement
Lines of code Vulnerability details Impact transferFrom is used to transfer NFT in settlement. If the receiver is a contract without appropriate way to handle the NFT, the NFT might be locked in there and non retrievable. Proof of Concept There is no check if the receiver can deal with NFT if it ...
Elrond go 输入验证错误漏洞
Elrond go is an open source go implementation of the Elrond Network protocol by Elrond Network. An input validation error vulnerability exists in Elrond go versions prior to 1.3.34, which stems from a missing function name in MultiESDTNFTTransfer...
User is unable to remove delegation and transfer NFT
Lines of code Vulnerability details Impact The transferFrom in VoteEscrowDelegation.sol should be change to an external function. Currently, the function is unable to be called by any user since it is an internal function and there's no call to the function from another Golom contract. With above...
_transferNFTs can end up transferring nothing
Lines of code Vulnerability details Malicious maker can list an NFT that conforms to ERC-165, but reports that it's neither ERC721, nor ERC1155, i.e. both supportsInterface0x80ac58cd and supportsInterface0xd9b67a26 are false. In all other regards it can be fully valid NFT, for example having...
Maker buy order with no specified NFT tokenIds may get fulfilled in matchOneToManyOrders without receiving any NFT
Lines of code Vulnerability details The call stack: matchOneToManyOrders - matchOneMakerSellToManyMakerBuys - execMatchOneMakerSellToManyMakerBuys - execMatchOneToManyOrders - transferMultipleNFTs Based on the context, a maker buy order can set OrderItem.tokens as an empty array to indicate that...
Approvals not cleared when transferring profile
Lines of code Vulnerability details Impact The ApprovalFollowModule.approve function is indexed by both owner = IERC721HUB.ownerOfprofileId, profileId in case the profileId NFT is transferred. However, upon transfer, the old approvals are not cleared. This can lead to similar issues as OpenSea no...
NFT transfer approvals are not removed and cannot be revoked thus leading to loss of NFT tokens
Handle 0xRajeev Vulnerability details Impact NFT transfer approvals that are set to true in approveTransferERC721 are never set to false and there is no way to remove such an nft approval. Impact-1: The approval is not removed set to false after a transfer in transferERC721. So if the NFT is ever...