2 matches found
CoinMate.io: POST /api/bitcoinWithdrawalFees returns financial data without authentication despite being documented as a USER OPERATION (private endpoint)
A vulnerability was discovered in the CoinMate API where the POST /api/bitcoinWithdrawalFees endpoint was accessible without authentication, despite being documented as a private endpoint. The endpoint returned real-time Bitcoin withdrawal fee data without requiring any authentication, unlike oth...
Deposit doesn't initialize WithdrawalMeta
Lines of code Vulnerability details Impact Though LiquidityPool.sol is not in scope, this is related to the PoolMigrationZap.migrate which performs deposits into new pools. The deposit functionality of LiquidityPool.sol does not set the withdrawalMeta for the depositor, meaning that their...