12 matches found
Malicious code in smart-wallet-permissions (npm)
Source: ghsa-malware 438e7146621a62ca96ad70b6bcd6f1c28b3a10ad7649aae209b0d05def80752f Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2025-3585 Malicious code in smart-wallet-permissions (npm)
Source: ghsa-malware 438e7146621a62ca96ad70b6bcd6f1c28b3a10ad7649aae209b0d05def80752f Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in coinbase-smart-wallet-documentation (npm)
MAL-2024-9560 Malicious code in coinbase-smart-wallet-documentation (npm)
@jup-ag/dca-v2-sdk (>=0.0.0-beta-1 <=0.0.0-beta-9), @jup-ag/smart-wallet (>=0.0.0-beta-1 <=0.0.0-beta-56) +1 more potentially affected by CVE-2024-30253 via @solana/web3.js (=1.75.0)
@solana/web3.js NPM version =1.75.0 is affected by a known vulnerability. The following packages have a transitive dependency on @solana/web3.js and may be impacted: - @jup-ag/dca-v2-sdk =0.0.0-beta-1, =0.0.0-beta-1, =0.0.31, =1.0.3 Source cves: CVE-2024-30253 Source advisory:...
Frontrunning of smart wallet deployment
Lines of code. Vulnerability details. Impact: Detailed description of the impact of this finding. An attacker could obtain information about the owner and 'index' parameters to front-run the deployment of a smart wallet. Proof of Concept: Provide direct links to all referenced code in GitHub. Add...
Upgraded Q -> M from #16 [1669734774225]
Judge has assessed an item in Issue 16 as M risk. The relevant finding follows: AQ6: This function provides too much power to Dao, if the dao calls the function, then he can be the node runner of each smart wallet and then call withdrawETHForKnot to drain each smart wallet.
Incorrect revenue calculation will lead to revenue theft through proxy attacks
Lines of code. Vulnerability details. Impact: The incorrect way revenue is calculated can lead to CSR being stolen through proxy attacks, which is likely to lead the ecology into CSR bribery war. Eventually, this feature will translate into reduced gas fees for all transactions, regardless of whethe...
Medium: Attacker may withdraw arbitrary amount from smart wallet, even if state checks would not normally allow it
Lines of code. Vulnerability details. Description: withdrawETHForKnot in LiquidStakingManager suffers from reentrancy attack. function withdrawETHForKnot(address recipient, bytes calldata blsPublicKeyOfKnot) external { require(recipient != address(0), "Zero address");...
withdrawETHForKnot is vulnerable to reentrancy attack
Lines of code. Vulnerability details. Impact: The withdrawETHForKnot is vulnerable to reentrancy because the transfer is done before an important state change. Proof of Concept: function withdrawETHForKnot(address recipient, bytes calldata blsPublicKeyOfKnot) external { require(recipient != address(0), "Zer...
MochiTreasuryV0.sol Is Unusable In Its Current State
Handle: leastwood. Vulnerability details. Impact: MochiTreasuryV0.sol interacts with Curve's voting escrow contract to lock tokens for 90 days, where it can be later withdrawn by the governance role. However, VotingEscrow.vy does not allow contracts to call the following functions: create_lock,...
QuickAccManager Smart Contract signature verification can be exploited
Handle: cmichel. Vulnerability details: Several different signature modes can be used and Identity.execute forwards the signature parameter to the SignatureValidator library. The returned signer is then used for the privileges check: address signer = SignatureValidator.recoverAddrImpl(hash, signature...