17 matches found
ThreatsDay Bulletin: Wi-Fi Hack, npm Worm, DeFi Theft, Phishing Blasts— and 15 More Stories
Think your Wi-Fi is safe? Your coding tools? Or even your favorite financial apps? This week proves again how hackers, companies, and governments are all locked in a nonstop race to outsmart each other. Here's a quick rundown of the latest cyber stories that show how fast the game keeps changing...
Malicious code in cascade-yearn-mhs812-project (npm)
The package cascade-yearn-mhs812-project was found to contain malicious code...
Malicious code in abide-yearn-lze294-project (npm)
The package abide-yearn-lze294-project was found to contain malicious code...
Malicious code in yearn-illume-hpg276-project (npm)
The package yearn-illume-hpg276-project was found to contain malicious code...
MAL-2025-16598 Malicious code in cascade-yearn-mhs812-project (npm)
The package cascade-yearn-mhs812-project was found to contain malicious code...
MAL-2025-13949 Malicious code in abide-yearn-lze294-project (npm)
The package abide-yearn-lze294-project was found to contain malicious code...
MAL-2025-40409 Malicious code in yearn-illume-hpg276-project (npm)
The package yearn-illume-hpg276-project was found to contain malicious code...
MAL-2025-8809 Malicious code in @malware-test-nests-metre-acold-yearn/test-mlw3-nests-metre-acold-yearn (npm)
The package @malware-test-nests-metre-acold-yearn/test-mlw3-nests-metre-acold-yearn was found to contain malicious code...
Malicious code in solhint-plugin-yearn (npm)
--- -= Per source details. Do not edit below this line.=-...
MAL-2024-11462 Malicious code in solhint-plugin-yearn (npm)
--- -= Per source details. Do not edit below this line.=-...
Yearn Stragety tolerant 0 loss, which is too strict and can block withdraw
Lines of code Vulnerability details Impact Yearn Stragety tolerant 0 loss, which is too strict Proof of Concept When withdraw from Yearn Stragety result = vault.withdrawtoWithdraw, addressthis, 0; @param maxLoss The maximum acceptable loss to sustain on withdrawal. Defaults to 0.01%. If a loss is...
Mismatch in withdraw() between Yearn and other protocols can prevent Users from redeeming zcTokens and permanently lock funds
Lines of code Vulnerability details Impact As defined in the docs for Euler, ERC4626, Compound and Aave, when withdrawing and depositing funds the amount specified corresponds excactly to how many of the underlying assets are deposited or withdrawn. However, as specified by Yearn, the yearn...
Yearn Curve vault can be removed without withdrawing all deposited tokens. Causing these token to be locked forever unless an owner is added this vault back.
Lines of code Vulnerability details Impact Yearn Curve vault can be removed without withdrawing all deposited tokens. Causing these token to be locked forever unless an owner is added this vault back. Proof of Concept function removeVaultaddress vault external onlyOwner requirevaultsvault !=...
YearnTokenAdapter's wrap can become stuck as it uses one step approval for an arbitrary underlying
Lines of code Vulnerability details Some tokens do not allow for approval of positive amount when allowance is positive already to handle approval race condition, most known example is USDT. This can cause the function to stuck whenever a combination of such a token and leftover approval be met...
Yearn token <> shares conversion decimal issue
Handle cmichel Vulnerability details The yearn strategy YearnYield converts shares to tokens by doing pricePerFullShare shares / 1e18: function getTokensForSharesuint256 shares, address asset public view override returns uint256 amount if shares == 0 return 0; // @audit should divided by...
safeApprove() for Yearn Vault may revert preventing deposits causing DoS
Handle 0xRajeev Vulnerability details Impact The depositInVault function for Yearn yield source uses ERC20 safeApprove from OpenZeppelin's SafeERC20 library to give maximum allowance to the Yearn Vault address if the current allowance is less than contract’s token balance. However, the safeApprov...
Yearn vault withdrawals in redeems will always fail leading to lock/loss of user deposits
Handle 0xRajeev Vulnerability details Impact The withdrawFromVault calculates the token balance of contract before withdrawal and saves it in previousBalance. It then withdraws from the Yearn vault and calculates the token balance after withdrawal to save it in currentBalance. So currentBalance...