1738 matches found
Slashing can prevent Protected Staking Pool depositors from redeeming their ETH
Lines of code Vulnerability details The documentation states that: The Protected Staking Pool is free from any slashing and leaking risk. While the penalties affect the node operator first, then the Fees and MEV Pool stakers, if the slashing amount is higher, it will also impact the Protected...
Validator can revert block at no cost.
Lines of code Vulnerability details Impact Validator can revert block at no cost. Proof of Concept the validator should only call this function on Executor.sol to revert the unexecuted blocks if the block is not really not executable. /// @notice Reverts unexecuted blocks /// @param newLastBlock...
Hacker can front-run the L2 ERC20 token deployment.
Lines of code Vulnerability details Impact hacker can front-run the L2 ERC20 token deployment to block L2 ERC20 token finalizeDeposit Proof of Concept I intend to prove this piece of code is front-runnable by hacker: /// @notice Finalize the deposit and mint funds /// @param l1Sender The account...
Security Bulletin: Vulnerability in Hibernate Validator affects Liberty for Java for IBM Cloud (CVE-2020-10693)
Summary There is a vulnerability in the Hibernate Validator library used by WebSphere Application Server Liberty. Vulnerability Details CVEID:CVE-2020-10693 DESCRIPTION: Hibernate Hibernate Validator could allow a remote attacker to bypass security restrictions, caused by a flaw in the message...
the validator would able to manipulate the Time Stamp ant
Lines of code Vulnerability details Impact attacker able to make manipulation in the function of pageprice Proof of Concept validators can make some manipulation in the timestamp. bob validator even if can make time stamp manipulation or 2 secend able to call function faster than others then mint...
Same validator can deposit Ether multiple times
Lines of code Vulnerability details Impact Same validator may stake more than 1 time. Proof of Concept At frxETHMinter.solL140 and frxETHMinter.solL151, validator can only call the depositEther function for 1 time only. However, after calling the depositEther funciton, the same validator can call...
CVE-2022-41340
The secp256k1-js package before 1.1.0 for Node.js implements ECDSA without required r and s validation, leading to signature forgery...
Frontrunning by malicious validator
Lines of code Vulnerability details Impact Frontrunning by malicious validator changing withdrawal credentials Proof of Concept A malicious validator can frontrun depositEther transaction for its pubKey and deposit 1 ether for different withdrawal credential, thereby setting withdrawal credit...
Security Bulletin: Vulnerability in Hibernate Validator may affect IBM WebSphere Application Server Liberty shipped with IBM Digital Business Automation Workflow family products (CVE-2020-10693)
Summary WebSphere Application Server Liberty is shipped as part of the optional components Process Federation Server since 8.5.6, and User Management Service since 18.0.0.1 in IBM Business Automation Workflow and IBM Business Process Manager. Information about security vulnerabilities affecting I...
CVE-2021-3765
A vulnerability was found in the validator package. Affected versions of this package are vulnerable to Regular expression denial of service ReDoS attacks, affecting system availability...
NLnet Labs Routinator å®å Øę¼ę“
NLnet Labs Routinator is an RPKI Resource Public Key Infrastructure validator from NLnet Labs in the Netherlands written in the Rust language. A security vulnerability exists in NLnet Labs Routinator versions 0.9.0 through 0.11.2, which stems from an error in error handling, where data in RRDP...
Denial Of Service (DOS)
Indynode is vulnerable to Denial of Service DOS. An attacker can max out the connections to the ledger, resulting in Denial of Service. This vulnerability exploits the trade-off between resilience and availability, where any attacker firewall mitigation will restrict legitimate users. It is...
Hyperledger: DOS validator nodes of blockchain to block external connections
Attack was documented in the in the github repo: https://github.com/hyperledger/indy-node/security/advisories/GHSA-x996-7qh9-7ff7 Attack: The attacker sends 500 read requests to each node and opens a new one when holding 500 parallel connections. Every user is able to send read requests since it'...
Malicious Package
Overview mdcs-validator is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this package wa...
The vulnerability of the RPKI validator OctoRPKI, related to insufficient validation of input data, allows a violator to trigger a service failure.
The vulnerability of the RPKI validator OctoRPKI is related to the use of a zero value during the generation of Route Origin Authorisations. Exploiting this vulnerability could allow a malicious actor to cause a service failure...
PT-2022-23037 Ā· Nextcloud Ā· Nextcloud Password Policy
Name of the Vulnerable Software and Affected Versions: Nextcloud Password Policy versions prior to 22.2.10 Nextcloud Password Policy versions prior to 23.0.7 Nextcloud Password Policy versions prior to 24.0.3 Description: The random password generator in Nextcloud Password Policy may, in very rar...
Security Bulletin:IBM TRIRIGA discloses CVE-2019-10219
Summary IBM TRIRIGA discloses CVE-2019-10219 Vulnerability Details CVEID:CVE-2019-10219 DESCRIPTION: Hibernate-Validator is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the SafeHtml validator annotation A remote attacker could exploit this...
Malicious operators within epoch can not be manually invalidated
Lines of code Vulnerability details Impact Messages are verified and validated by a set of operators. Operators their weights and threshold are defined per epoch and stored as a hash. Transferring operatorship which means creating a new set of valid operators creates a new epoch. Operator sets th...
Malicious relayer can execute stale transactions by spoofing validator weights/threshold in proof
Lines of code Vulnerability details Impact Transaction is submit with wrong validator information, allowing stale commands to be executed Proof of Concept This vulnerability is a result of allowing msg.sender to provide key information identifying operators. First we need to understand how the...
CVE-2022-24912
The package github.com/runatlantis/atlantis/server/controllers/events before 0.19.7 are vulnerable to Timing Attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. It can allow an attacker to recover this secret as an...