CVE-2022-37450
Go Ethereum (aka geth) through 1.10.21 allows attackers to increase rewards by mining blocks in certain situations, and using a manipulation of time-difference values to achieve replacement of main-chain blocks, aka Riskless Uncle Making (RUM), as exploited in the wild in 2020 through 2022...
Malicious code in beta-moon-fast-authorize-deploy (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 04718f9575365342a95b182394e3faf16985b0f54304fe8408cb783b9ba9d07e This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in inquirer-loop-airbnb-proxima (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector de8366fb7af261b96acb44c44992384f7e1c7b11ce57f40c11ab549619a5a443 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in inufgi-goa-jamiana (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f9cc578b359cbc3d657f8934e29a1026a9207b5e5b6763fa88faad682d0c4cc6 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in nightwatch-subscription-gemini-regulus (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d0ec004a9b8dc4a23c4d08c038f547db7c94aa33f71776a9d79d0e9d9cd27421 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-97869 Malicious code in hadi-mieayam5-tititugel (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7cc005bff092263682629973930c80bc3aac279ab9b7b5777f2f277b63854172 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in top_porcupine_z3n (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8145e653bce6fc6a8bec01a03fa52d88fb21a867c4374da8bdd329f7daff22f0 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-64154 Malicious code in lutfi-sate58-sluey (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6c6b0ae8848ee87ccff1080a946374b7b69bb91fb673763d0d7ce3f51744c776 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
EUVD-2022-6621
Malicious code in bioql PyPI...
Missing Access Control on setConcRewards and setAmbRewards
Lines of code Vulnerability details Impact The functions setConcRewards and setAmbRewards are accessible by any user to set the rewards (Concentrated and Ambient rewards). Proof of Concept The access validations are commented out. function setConcRewards(bytes32 poolIdx, uint32 weekFrom, uint32 weekTo...
Integer underflow/overflow is possible in some of the timestamp calculations if sequenceOffset or auctionDuration are set maliciously
Lines of code Vulnerability details Impact An attacker could exploit this to make auctionElapsedTime return a low value when it should be high, thereby manipulating the reward calculation. Proof of Concept The vulnerability comes from the subtraction currentTime - sequenceOffset which could...
Attacker can abuse rounding down to get reward without depositing anything in LP pool
Lines of code Vulnerability details Impact In function withdrawLP, it calculates the amount of points from the amount input parameter. unchecked { uint256 points = amount * 100 / 1e18 * lpPosition.multiplier / DIVISOR; // Update the caller's LP token stake. lpPosition.amount -= amount; lpPosition.point...
Arbitrage on stake()
Lines of code Vulnerability details Issue: there is a huge arb opportunity for people who deposit 1 block before the rebase Consequences: then they can call instantUnstakeReserve or instantUnstakeCurve to unstake the staked amount, in this way the profit that needs to be distributed on the next...
Unauthorized notifyRewardAmount
Lines of code Vulnerability details Impact Anyone can trick Bribe and Gauge contracts by calling notifyRewardAmount with arbitrary tokens until MAX_REWARD_TOKENS is reached. However, later the team can replace these fake tokens by calling swapOutRewardToken. However, still, a malicious actor can force...
Locks can be denied
Handle cmichel Vulnerability details The XDEFIDistribution.lock function mints a new token and the generateNewTokenId function returns a token ID as the concatenation of the points and totalSupply + 1: function generateNewTokenId(uint256 points) internal view returns (uint256 tokenId) // Points is...
Reward rates can be changed through flash borrows
Handle @cmichelio Vulnerability details The rewards per market are proportional to their totalBorrows which can be changed by a large holder who deposits lots of collateral, takes out a huge borrow in the market, updates the rewards, and then unwinds the position. They'll on...