Binance Square
vulnerability
2,406 views
7 posts
Brytomotive
Is Your Web3 Contract Safe? 🔐

#Thirdweb, a smart contract development firm, reported a critical security flaw in a widely-used open-source library affecting various Web3 smart contracts, urging immediate action.

The #vulnerability, impacting contracts like DropERC20 and ERC721, remained unexploited, giving a brief window for prevention.

Thirdweb advised contract users to take mitigation steps or use #revoke.cash for protection.

The firm heightened security measures, doubled bug bounty payouts, and promised grants for contract mitigations, after raising $24 million in Series A funding.

With over 70,000 developers using their services, Thirdweb's proactive warning highlights the urgent need for secure smart contract development in Web3.

#Binance
#crypto2023
Bearish
Yu Xiang, the founder of SlowMist, has disclosed a private key leakage incident affecting BitBrowser users, resulting in losses of at least $410,000. Earlier, Foresight News had covered a #vulnerability in specific versions of WPS for #Windows that allowed remote code execution. This vulnerability led to the unauthorized access of private keys belonging to multiple #BitBrowser users, ultimately resulting in the reported financial losses.

$BTC
The developer of #LNbank has announced another critical #vulnerability in the software, urging users to upgrade to LNbank v1.9.2 immediately. This version addresses the specific vulnerability and also disables the sending functionality to prevent further issues.
However, despite the fix, the developer has decided to discontinue the development of LNbank due to the inability to ensure its safety. This decision was made after considering the recent vulnerability reports and the potential risks involved in using the plugin. LNbank v1.9.2 will be the final version, and users are strongly advised to phase out its usage, particularly if it's publicly accessible.
The developer acknowledges the unexpected number of users using LNbank and emphasizes the importance of not risking significant funds with such plugins or nodes. The final version, v1.9.2, disables the sending functionality for added security, meaning users will need to manage their funds through the Lightning node CLI or third-party tools.
For those having trouble upgrading to LNbank v1.9.2, the developer suggests uninstalling and then reinstalling the plugin. The data stored in the database will be retained during uninstallation, only removing the plugin code from the file system.
Any users requiring further assistance with the upgrade or other matters related to LNbank are encouraged to contact the developer (d11n) on their #Mattermost platform.
New #GoFetch attack on Apple Silicon CPUs can steal #crypto keys.
A new side-channel attack named "GoFetch" has been discovered, impacting Apple M1, M2, and M3 processors. This attack targets constant-time cryptographic implementations using data memory-dependent prefetchers (DMPs) found in modern Apple CPUs, allowing attackers to steal secret cryptographic keys from the CPU's cache. GoFetch was developed by a team of researchers who reported their findings to Apple in December 2023. Since this is a hardware-based vulnerability, impacted CPUs cannot be fixed. While software fixes could mitigate the flaw, they would degrade cryptographic performance. The attack leverages flaws in Apple's implementation of the DMP system, violating constant-time programming principles. Owners of affected Apple devices are advised to practice safe computing habits, including regular updates and cautious software installation. While Apple may introduce mitigations through software updates, they could impact performance. Disabling DMP may be an option for some CPUs but not for M1 and M2. The attack can be executed remotely, making it a serious concern for users. Apple has yet to provide further comments on this issue.
#hack #exploit #vulnerability
Via #AnciliaAlerts on X, @rugged_dot_art has identified a re-entrancy #vulnerability in a smart contract with address 0x9733303117504c146a4e22261f2685ddb79780ef, allowing an attacker to #exploit it and gain 11 #ETH. The attack transaction can be traced on #Etherscan at https://etherscan.io/tx/0x5a63da39b5b83fccdd825fed0226f330f802e995b8e49e19fbdd246876c67e1f. Despite reaching out to the owner three days ago, there has been no response.
The vulnerability resides in the targetedPurchase() function, where a user can input arbitrary swapParams, including setting the command to 4. This triggers the UNIVERSAL_ROUTER.execute() function, and as per the Uniswap Technical Reference, command 4 corresponds to SWEEP, invoking the sweep() function. This function sends ETH back to the user's contract, leading to a re-entrancy issue.
Within targetedPurchase(), a balance check is performed before and after calling _executeSwap(). Due to the re-entrancy problem, a user can stake tokens (e.g., from a flashloan) to satisfy the balance check, ensuring a successful purchase action where tokens are transferred to the user. The urgency of the situation is underscored by the ongoing waiting period for the owner's response, emphasizing the need for prompt attention to mitigate potential exploitation.
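The pattern described in the post, as an added illustration that is not the affected contract's code: a purchase function that trusts a token balance delta measured around a router call whose commands the caller chooses, shown in a hardened form (re-entrancy guard, contract-fixed command set, effects recorded before the transfer). The interface names, the `HardenedPurchase` contract and the `0x00` command byte are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical illustration, not the contract from the alert.
interface IUniversalRouter {
    function execute(bytes calldata commands, bytes[] calldata inputs, uint256 deadline) external payable;
}

interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transfer(address, uint256) external returns (bool);
}

contract HardenedPurchase {
    IUniversalRouter public immutable router;
    IERC20 public immutable token;
    uint256 private _locked = 1;                 // 1 = free, 2 = entered
    mapping(address => uint256) public credited; // effects ledger

    modifier nonReentrant() {
        require(_locked == 1, "reentrant call");
        _locked = 2;
        _;
        _locked = 1;
    }

    constructor(IUniversalRouter r, IERC20 t) { router = r; token = t; }

    // Weak shape (as described in the alert): accept caller-supplied router
    // commands, read balanceOf before/after execute(), pay out the delta.
    // A SWEEP command (0x04) makes the router send ETH back to msg.sender
    // mid-call, so a contract caller can re-enter while the delta is unsettled.
    //
    // Hardened shape: guard against re-entry, let only the contract pick the
    // command bytes, and record the credit before any value leaves.
    function targetedPurchase(bytes[] calldata inputs) external payable nonReentrant {
        // Assumption: 0x00 is V3_SWAP_EXACT_IN in the Universal Router docs;
        // the point is that the caller cannot inject SWEEP or other commands.
        bytes memory commands = hex"00";
        uint256 before = token.balanceOf(address(this));
        router.execute{value: msg.value}(commands, inputs, block.timestamp);
        uint256 got = token.balanceOf(address(this)) - before;
        require(got > 0, "no tokens received");
        credited[msg.sender] += got;                                   // effect first
        require(token.transfer(msg.sender, got), "transfer failed");   // interaction last
    }

    receive() external payable {}
}
```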
Bearish
Trending On Binance Feed🔥

- Jamf Threat Labs finds a persistent attack method in iOS 16.

- Attackers can #fake flight mode status to seem normal.

- After infiltrating the device, attackers add a fake flight mode and alter the UI to show the icon.

- Internet access is restricted for all apps except the attacker's app.

- Intruders can retain control even if users assume the device is offline.

- This #vulnerability affects attacked or jailbroken #devices only.