
36 matches found

Packet Storm News
added 2026/05/26 12:0 a.m., 5 views

A Surveillance Evasion Game with Continuous Sensor Redeployment Via Bilevel Optimization

Uncrewed Aerial Systems (UASs) have become a growing threat to the security of critical infrastructure, exploiting spatiotemporal gaps in sensor perimeters to infiltrate restricted airspace undetected. We formulate this interaction as a two-player zero-sum differential game between an adversarial U...

AI score: 5.8
Exploits: 0

OSSF Malicious Packages
added 2025/11/12 4:29 a.m., 2 views

Malicious code in vulcan-browserify-non-blocking-relay (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 44f75a901684e76d93228851b85ee37e80b481a39a673e1769eefa38f79d23ba This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score: 6.9
Exploits: 0

OSV
added 2025/11/11 8:11 p.m., 1 views

MAL-2025-122410 Malicious code in oral_mandrill_z3n (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b5c91b33709a5fbfd14ae7a4106da540b7e9cd3cef263b5d4c13b4eaf50cc413 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score: 6.8
Exploits: 0

EUVD
added 2025/10/03 8:7 p.m., 1 views

EUVD-2022-4252

Malicious code in bioql PyPI...

CVSS: 7.5, AI score: 7.2, EPSS: 0.0152
Exploits: 0, References: 12

Prion
added 2023/10/25 10:15 p.m., 9 views

Code injection

era-compiler-vyper is the EraVM Vyper compiler for zkSync Era, a layer 2 rollup that uses zero-knowledge proofs to scale Ethereum. Prior to era-compiler-vyper version 1.3.10, a bug prevented the initialization of the first immutable variable for Vyper contracts meeting certain criteria. The proble...

CVSS: 5, AI score: 5.3, EPSS: 0.00307
Exploits: 1, References: 3, Affected Software: 1

Virtuozzo
added 2023/07/03 12:0 a.m., 31 views

Virtuozzo Hybrid Infrastructure 5.4 Update 3 (5.4.3-100)

In this release, Virtuozzo Hybrid Infrastructure provides a range of new features that cover core storage, the system configuration, updates, documentation, and the compute services. Additionally, this release delivers stability improvements and addresses issues found in previous releases...

AI score: 6.8
Exploits: 0

Code423n4
added 2023/04/19 12:0 a.m., 4 views

Lack of zero address check throughout the codebase could lead to unwanted redeployments, address(0) ownership and onTokenTransfer unsuccessful.

Lines of code Vulnerability details Impact User defined address should always have zero address check. This checks SHOULD NOT BE MISSED IN CASE OF A FACTORY CONTRACT. This will lead to redeployments of contract and blockage of certain functionality as described below. It is also worth to note tha...

AI score: 6.8
Exploits: 0

Code423n4
added 2023/03/20 12:0 a.m., 6 views

ProfilePicture subprotocol is immutably linked by subprotocolName to the CID protocol

Lines of code Vulnerability details Impact Besides having to re-register the protocol, it will also have to be redeployed. Proof of Concept A protocol is registered by name in the SubprotocolRegistry. Quoting the Canto Identity Protocol contest details: "In theory, someone can front-run a call to...

AI score: 6.7
Exploits: 0

Code423n4
added 2023/01/29 12:0 a.m., 11 views

Lack of flexibility in updating cycle length leading to potential contract redeployment.

Lines of code Vulnerability details Impact function cycleOfuint32 timestamp private view returns uint32 cycle unchecked return timestamp / cycleSecs + 1; and function currCycleStart private view returns uint32 timestamp uint32 currTimestamp = currTimestamp; // slither-disable-next-line weak-prng...

AI score: 7
Exploits: 0

Code423n4
added 2023/01/25 12:0 a.m., 6 views

Upgraded Q -> M from #258 [1674661917738]

Judge has assessed an item in Issue 258 as M risk. The relevant finding follows: L-03 Use of deprecated functions Impact The contract uses deprecated function latestAnswer. Such functions might suddenly stop working if no longer supported. Impact: Deprecated API stops working. Prices cannot be...

AI score: 7
Exploits: 0

Code423n4
added 2022/11/09 12:0 a.m., 11 views

Governor ownership can be lost because of not sanity check

Lines of code Vulnerability details Governor ownership can be lost because of no checks Impact Sanity checks are important to not affect reputation / flows and users of the protocol when a mistake is done. 0 address should be checked for important address assignments in this case, only done in th...

AI score: 6.7
Exploits: 0

Code423n4
added 2022/10/23 12:0 a.m., 9 views

JB721Delegate#initialize _fundingCycleStore lack of zero address check can lead to redeployment

Lines of code Vulnerability details Impact initialize function does not check that fundingCycleStore is not zero. Given that state variable fundingCycleStore can not be set anywhere else, setting it to zero can lead to contract redeployment POC The deployer mistakenly call JB721Delegateinitialize...

AI score: 6.8
Exploits: 0

OSV
added 2022/09/21 9:42 p.m., 18 views

GHSA-9JJV-524M-JM98 @netlify/ipx vulnerable to Full Response SSRF and Stored XSS via Cache Poisoning and Improper Host Validation

Impact By sending specially crafted headers an attacker can bypass the source image domain allowlist, causing the handler to load and return arbitrary images. Because the response is cached globally, this image will then be served to visitors without requiring those headers to be set. XSS can be...

CVSS: 6.1, AI score: 5.8, EPSS: 0.00179
Exploits: 0, References: 6

Code423n4
added 2022/08/15 12:0 a.m., 4 views

VotingEscrow Ownership Management Lacks Basic Protections

Lines of code Vulnerability details Impact A comment saying "Owner should always be a timelock contract" is not sufficient protection for something as critical as ownership. There should be: a zero address check on addr a propose/transfer method of ownership transfer, not a unilateral transfer...

AI score: 6.9
Exploits: 0

OSV
added 2022/08/11 6:8 p.m., 10 views

GHSA-GWJ5-WP6R-5Q9F Cronos vulnerable to DoS through unintended Contract Selfdestruct

In Cronos nodes running versions before v0.7.0, the contract selfdestruct invocation permanently removes the corresponding bytecode from the internal database storage. However, due to a bug in Ethermint, all contracts that used the identical bytecode i.e shared the same CodeHash will also stop...

CVSS: 8.2, AI score: 6.4, EPSS: 0.00149
Exploits: 1, References: 4

Code423n4
added 2022/02/02 12:0 a.m., 8 views

Use of deprecated Chainlink's latestAnswer API

Handle UncleGrandpa925 Vulnerability details Issue In EIP1271Wallet.sol, the function validateOrder uses the deprecated latestAnswer of Chainlink. This function might suddenly stop working if Chainlink stopped supporting it, and also will not error if no answer has been reached but returns 0...

AI score: 7
Exploits: 0

Code423n4
added 2021/09/29 12:0 a.m., 9 views

Use of deprecated Chainlink API

Handle 0xRajeev Vulnerability details Impact The contract uses Chainlink’s deprecated API latestAnswer. Such functions might suddenly stop working if Chainlink stopped supporting deprecated APIs. Impact: Deprecated API stops working. Prices cannot be obtained. Protocol stops and contracts have to...

AI score: 6.8
Exploits: 0

Code423n4
added 2021/09/15 12:0 a.m., 6 views

finalize is susceptible to front-running leading to DoS and contract redeployment

Handle 0xRajeev Vulnerability details Impact PostAuctionLauncher finalize has removed the requirement of admin-only finalize as noted in the function comment and lets anyone call it. This makes it susceptible to front-running by anyone when tokens token1 or token2 are yet to be added to pool. The...

AI score: 6.9
Exploits: 0

Code423n4
added 2021/07/07 12:0 a.m., 6 views

Use of deprecated Chainlink API

Handle 0xRajeev Vulnerability details Impact The contracts use Chainlink’s deprecated API latestAnswer. Such functions might suddenly stop working if Chainlink stopped supporting deprecated APIs. Impact: Deprecated API stops working. Prices cannot be obtained. Protocol stops and contracts have to...

AI score: 7
Exploits: 0

Code423n4
added 2021/06/30 12:0 a.m., 5 views

Use of deprecated Chainlink API

Handle 0xRajeev Vulnerability details Impact The contracts use Chainlink’s deprecated API latestAnswer. Such functions might suddenly stop working if Chainlink stopped supporting deprecated APIs. Impact: Deprecated API stops working. Prices cannot be obtained. Protocol stops and contracts have to...

AI score: 7
Exploits: 0