Active Boosts

Movement Labs Attackathon

Reports by Severity

Critical

  • #43014 [BC-Critical] finite Deadlock of Transactions (No Automatic Timeout + Sequential Execution) on multisig implementation

  • #43108 [BC-Critical] Attackers can front-run transactions in celestia mempool to cause transactions of many users revert unexpectedly

  • #43110 [BC-Critical] Validator can DoS the DA Layer by requesting a big range of blobs

  • #41987 [BC-Critical] Oversized blocks split the chain

  • #42143 [BC-Critical] Decompressing a maliciously crafted blob leads to shutting down all Movement DA Light Nodes in a Movement based network which using a centralized Sequencer.

  • #42749 [BC-Critical] Attacker can send digests directly to Celestia to reorder block execution

  • #43214 [BC-Critical] Unchecked transaction size allows malicious users to DOS honest users transactions

  • #42153 [BC-Critical] Attackers can exploit bug in Blob Verification to execute replay attack by re-executing blobs

  • #43246 [BC-Critical] Lack of TCP timeout allows attacker to crash the sequencer via the maptos-opt-executor service

  • #43253 [BC-Critical] Attackers can drain TIA from nodes in networks running in sequencer mode

  • #43243 [BC-Critical] Attacker can halt chains operating in sequencer mode

  • #43244 [BC-Critical] Lack of TCP timeout allows attacker to crash the sequencer via the Light Node Service

  • #42233 [BC-Critical] Critical DoS Vulnerability in Movement Network's DA Layer Due to Zstd bomb blob exploit

  • #43288 [BC-Critical] Attackers could force Nodes to process TraAttackers could force Nodes to process Transactions in wrong order, by attacking moveRocks/sequencing implementation

  • #43290 [BC-Critical] Anyone can send a write_batch to the DA node, enabling a DOS attack that shuts down the network

  • #42837 [BC-Critical] Total network shutdown

  • #43315 [BC-Critical] DA Light Node Can Be DoSed Due to Lack of Batch Validation

  • #42298 [BC-Critical] Blocks from Celestia are not executed in order which breaks sequencer logic and application priorities

  • #42941 [BC-Critical] [Critical] Network-Wide Denial of Service Through Unrecoverable Block Execution Failures

  • #41531 [BC-Critical] Attackers can drain the sequencer’s wallet and DoS network by submitting transactions from unfunded accounts

  • #43250 [BC-Critical] Excessive TCP timeout allows attacker to crash the sequencer via the indexer service

  • #43251 [BC-Critical] Lack of TCP timeout allows attacker to crash the sequencer via the finality viewer service

  • #43190 [BC-Critical] Deadlock in `submit_transaction()`

  • #43330 [BC-Critical] Freezing new transaction processing by sending invalid requests to movement DA light node

  • #41334 [BC-Critical] Attacker can publish a blob that cannot be deserialized and shut down the movement chain

  • #43177 [BC-Critical] DoS Vulnerability in DA Light Node via Unbounded Height Parameter

  • #41489 [BC-Critical] Blob sizes remain unchecked leading to chain halt

  • #43114 [BC-Critical] Attackers can cause total shutdown network by exploiting missing of blob size check in DA Lightnode

  • #42112 [BC-Critical] Using `blob.GetAll` instead of `blob.Get` for Celestia DA opens full nodes to fraudulent block attacks

  • #42936 [BC-Critical] Potential Deadlock or Panic Due to Concurrent Lock Acquisition in `TransactionPipe`

  • #43333 [BC-Critical] Missing Depths Checks in Cached TypeLayout leads to Network Divergence

  • #41012 [BC-Critical] Unintended Chain Split in Movement Full Node

High

  • #41794 [BC-High] Not having any whitelisted account completely disables the prevalidator leading to transactions that cannot be deserialized

  • #41686 [BC-High] The passthrough DA light node streams transactions instead of blocks which means that the block cannot be deserialized

  • #41878 [BC-High] Edge-case allows replaying user transactions to fill the mempool

  • #43322 [BC-High] Inadequate Transaction Validation in DA Light Node Allows Unprocessable Block Creation

  • #43054 [BC-High] Malicious Light Node can DoS the Full Node

  • #43191 [BC-High] DOS attack by sending transactions that pass the sufficient balance test when entering mempool but fail it in execution

  • #42761 [BC-High] Memseq does not verify client-specified expiration for transactions before including them in DA (Data Availability).

  • #43241 [BC-High] Attackers can drain TIA from nodes in networks running in passthrough mode

  • #43307 [BC-High] Not verifying the signatures upon execution leads to direct loss of funds

  • #42011 [BC-High] Duplicate tx IDs in blockchain blocks are possible

  • #43323 [BC-High] Inadequate Sequence Number Validation in DA Light Node Enables Transaction Censorship

  • #43324 [BC-High] Insufficient Validation in DA Light Node Allows Malicious Override of `application_priority`

  • #41373 [BC-High] Premature transaction acceptance to mempool/DA without signature validation

  • #42395 [BC-High] Movement does not allow overwriting transactions with a higher priority, breaking Aptos mempool logic

  • #42903 [BC-High] Attackers are able to submit multiple dupplicate transactions due to mismatched Mempool Implementation

  • #41516 [BC-High] The attacker exceeds the number of transactions TOO_NEW_TOLERANCE and performs a DoS attack.

  • #41518 [BC-High] The transaction to modify the gas price was not processed.

  • #42535 [BC-High] Garbage collecting in flight transactions can lead to spiraling network delays

  • #41368 [BC-High] JSON-RPC no batch query limitation allows really large responses | RPC server takedown

  • #42991 [BC-High] User can reuse sequence number causing DOS & breaking core invariant

  • #41715 [BC-High] Manipulating the Sequence Number of signed transactions to reorder them or prevent their execution

  • #41714 [BC-High] Tampering the ID of signed transactions to prevent others from executing

  • #42762 [BC-High] New accounts break the pipe mempool invariant that prevents duplicate transactions from filling the mempool

  • #43017 [BC-High] Prevalidation does not validate application priority, sequence number and ID

  • #42930 [BC-High] Users are unable to increase their gas resulting in stuck funds

  • #42896 [BC-High] Attackers can exploit sequence_number tolerance mechanism to to cause Movement Network DA Lightnode loose money for submitting failed blocks to Celestia

  • #43150 [BC-High] Excessive transaction processing caused by a faulty garbage collector in transaction_pipe.rs

  • #43136 [BC-High] Multiple transactions sent by the same account in the same block timeframe can get stuck in the TranactionPipe core_mempool

  • #43135 [BC-High] `epilogue_gas_payer` Silently Drops Excess Storage Fee Refunds Under Governed Gas Pool

  • #43222 [BC-High] A transaction with sequence number 0 can be submitted multiple times

  • #42648 [BC-High] Altering the application_priority to fill a block, temporary freezing user transactions

  • #41722 [BC-High] The passthrough DA light node does not prevalidate transactions which leads to non-deserializable transactions that prevent execution

  • #42934 [BC-High] Improper input validation in KeylessSignature causes full-node panic

  • #43229 [BC-High] There is a bug can allows malicious data to enter the DA layer and be signed by a legitimate node

  • #42513 [BC-High] Users might loose Storage Gas Fee Refund Due to Governed Gas Pool Feature of Movement logic bug

  • #42495 [BC-High] The Tonic Request/Response Size Limit prevents data from being submitted to the da_light_node

  • #42102 [BC-High] uncontrolled resource consumption is resulting in OOM via RPC (public one)

  • #41437 [BC-High] An edge-case allows duplicate transactions to be added to the mempool of the sequencer

Medium

  • #42940 [BC-Medium] Suboptimal Lock Holding During Logging in `decrement_transactions_in_flight`

  • #41678 [BC-Medium] Transactions directly sent to the passthrough will cause the mempool to accept more transactions than the `inflight_limit`

  • #41864 [BC-Medium] When Memseq selects a transaction from a particular user to include in a block, it does not remove transactions from Memseq that have a sequence_number less than or equal to the t...

  • #43312 [BC-Medium] get_state_proof() is called with the current version leading to the epoch_changes of the StateProof always being empty

  • #42933 [BC-Medium] Integer Underflow in Garbage Collection Logic of UsedSequenceNumberPool disrupting transaction processing

  • #43148 [BC-Medium] Potential unhandled panic in protocol-units::execution::maptos::opt-executor::executor/mod::decrement_transactions_in_flight

  • #42480 [BC-Medium] Unable to deposit the gas fee into the `governed_gas_pool` when using `deposit_from_fungible_store`

  • #41466 [BC-Medium] Incorrect sequence number tracking in mempool commit

  • #42928 [BC-Medium] Depositing gas fees into the governed gas pool does not work when the CoinStore is frozen

  • #43137 [BC-Medium] Multiple Transactions from the same account with increasing sequence number and priorities will be sorted incorrectly in the block causing some to fail

  • #43255 [BC-Medium] User Transactions might be lost due to missing Error Handling in Celestia RPC Client Requests `blob_submit` failure

  • #43132 [BC-Medium] upgrade_burn_percentage Resets Block Proposer, Blocking Fee Distribution

  • #41255 [BC-Medium] Blocking sleep in async context leads to thread pool exhaustion and DoS

  • #41669 [BC-Medium] Incorrect Gas Cost Used for BLS12381 Subgroup Check Causes ~70% Undercharge

  • #43303 [BC-Medium] The call to `commit_transaction()` includes the wrong sequence number

Low

  • #43287 [BC-Low] Certain fees are unaccounted for causing failed transactions

  • #42557 [BC-Low] Remote signing methods can fail which will turn off the light node block proposer

Insight

  • #41594 [BC-Insight] Invalid URL format in TcpListener binding prevents REST API from starting

  • #43326 [BC-Insight] Stale Transaction State in Mempool When Sender/Receiver Pipe Fails

  • #43187 [BC-Insight] Movement Full Node Panics and Crashes Uncleanly on Connection failure with DA Light Node

  • #41023 [BC-Insight] Incomplete transaction decrementing leading to undesired behaviour

  • #41978 [BC-Insight] Values of the current gc_slot can be garbage collected in edge case

  • #42938 [BC-Insight] Inefficient Garbage Collection Implementation in `UsedSequenceNumberPool`

  • #43217 [BC-Insight] Incorrect public key notification after key rotation

  • #43220 [BC-Insight] The GC_INTERVAL might not be fitting for the configured sequence_number_ttl_ms

  • #41235 [BC-Insight] Incorrect celestia bridge keyring flag causes network partition in data availability layer

  • #41243 [BC-Insight] The mempool garbage collector doesn't fully execute garbage collection on each iteration

  • #42234 [BC-Insight] Missing Match Arm in to_single_key_authenticators() Allows WebAuthn Signatures Despite WEBAUTHN_SIGNATURE Being Disabled

  • #41811 [BC-Insight] Configuration data loss in configfile's `try_set_with_guard` due to missing file cursor reset

  • #41731 [BC-Insight] Race Condition in try_to_sign can lead to unverifiable blocks and/or blobs

  • #41618 [BC-Insight] Timestamp unit doesn't match in GcCounter which causes premature transaction eviction

  • #41324 [BC-Insight] Celestia auth tokens can be stolen by sniffing websocket requests

  • #43346 [BC-Insight] Transactions arriving at the node out of sequence order will be rejected due to the has_invalid_sequence_number function

  • #42925 [BC-Insight] Transactions won't be included on Celestia when the gas price is high, and the transactions on Movement will be forgotten

  • #42430 [BC-Insight] `add_mempool_transaction()` does not check if the transaction already exist in the mempool

  • #41560 [BC-Insight] BlobType of BlobResponse can never be SequencedBlobBlock

  • #42895 [BC-Insight] Misuse of error

  • #43168 [BC-Insight] Under normal usage of the blockchain, transactions will not be persisted

  • #41985 [BC-Insight] Using the test keyring backend is insecure

  • #41899 [BC-Insight] NatSpec of several functions in `ethereum.move` is wrong

  • #42859 [BC-Insight] Pub key format mismatch in `InKnownSignersVerifier`

  • #43184 [BC-Insight] Vulnerable `Secp256k1` version allows validation of malformed signatures

  • #41945 [BC-Insight] Optimization in `to_eip55_checksumed_address()` in `aptos_framework::ethereum::()` module

  • #43186 [BC-Insight] Flawed documentation when streaming da blobs leads to confusion

  • #42939 [BC-Insight] Transaction expiration is not validated correctly in mempool and sequencer

  • #41337 [BC-Insight] Channel buffer size in block proposer is too low leading to network delays and resource exhaustion

  • #43038 [BC-Insight] There is a permanent operator lockout came from an unsafe key rotation

  • #41855 [SC-Insight] User is able to circumvent blocklist check by utilizing Solidity's implementation

  • #41980 [BC-Insight] Full nodes panic in read-only mode whenever a transaction is sent

  • #42222 [BC-Insight] Garbage Collector can fail to run in a timely manner if building_time_ms is set to a low value

  • #42937 [BC-Insight] Public Exposure of Validator Signer Private Key in Executor Struct

  • #43267 [BC-Insight] Potential Indefinite Hang (Denial of Service) in Full Node DA Sync Due to Missing Stream Timeout For Light Node Connection

  • #43221 [BC-Insight] Expired transactions prevent new submissions due to delayed garbage collection

Reports by Type

Smart Contract

  • #41855 [SC-Insight] User is able to circumvent blocklist check by utilizing Solidity's implementation

Blockchain/DLT

  • #42940 [BC-Medium] Suboptimal Lock Holding During Logging in `decrement_transactions_in_flight`

  • #41794 [BC-High] Not having any whitelisted account completely disables the prevalidator leading to transactions that cannot be deserialized

  • #41678 [BC-Medium] Transactions directly sent to the passthrough will cause the mempool to accept more transactions than the `inflight_limit`

  • #41686 [BC-High] The passthrough DA light node streams transactions instead of blocks which means that the block cannot be deserialized

  • #43014 [BC-Critical] finite Deadlock of Transactions (No Automatic Timeout + Sequential Execution) on multisig implementation

  • #41878 [BC-High] Edge-case allows replaying user transactions to fill the mempool

  • #41864 [BC-Medium] When Memseq selects a transaction from a particular user to include in a block, it does not remove transactions from Memseq that have a sequence_number less than or equal to the t...

  • #41594 [BC-Insight] Invalid URL format in TcpListener binding prevents REST API from starting

  • #43312 [BC-Medium] get_state_proof() is called with the current version leading to the epoch_changes of the StateProof always being empty

  • #43326 [BC-Insight] Stale Transaction State in Mempool When Sender/Receiver Pipe Fails

  • #43108 [BC-Critical] Attackers can front-run transactions in celestia mempool to cause transactions of many users revert unexpectedly

  • #43322 [BC-High] Inadequate Transaction Validation in DA Light Node Allows Unprocessable Block Creation

  • #43110 [BC-Critical] Validator can DoS the DA Layer by requesting a big range of blobs

  • #43187 [BC-Insight] Movement Full Node Panics and Crashes Uncleanly on Connection failure with DA Light Node

  • #41023 [BC-Insight] Incomplete transaction decrementing leading to undesired behaviour

  • #41978 [BC-Insight] Values of the current gc_slot can be garbage collected in edge case

  • #41987 [BC-Critical] Oversized blocks split the chain

  • #43054 [BC-High] Malicious Light Node can DoS the Full Node

  • #42933 [BC-Medium] Integer Underflow in Garbage Collection Logic of UsedSequenceNumberPool disrupting transaction processing

  • #42938 [BC-Insight] Inefficient Garbage Collection Implementation in `UsedSequenceNumberPool`

  • #43148 [BC-Medium] Potential unhandled panic in protocol-units::execution::maptos::opt-executor::executor/mod::decrement_transactions_in_flight

  • #42143 [BC-Critical] Decompressing a maliciously crafted blob leads to shutting down all Movement DA Light Nodes in a Movement based network which using a centralized Sequencer.

  • #42749 [BC-Critical] Attacker can send digests directly to Celestia to reorder block execution

  • #43191 [BC-High] DOS attack by sending transactions that pass the sufficient balance test when entering mempool but fail it in execution

  • #43214 [BC-Critical] Unchecked transaction size allows malicious users to DOS honest users transactions

  • #43217 [BC-Insight] Incorrect public key notification after key rotation

  • #43220 [BC-Insight] The GC_INTERVAL might not be fitting for the configured sequence_number_ttl_ms

  • #42761 [BC-High] Memseq does not verify client-specified expiration for transactions before including them in DA (Data Availability).

  • #42153 [BC-Critical] Attackers can exploit bug in Blob Verification to execute replay attack by re-executing blobs

  • #43241 [BC-High] Attackers can drain TIA from nodes in networks running in passthrough mode

  • #41235 [BC-Insight] Incorrect celestia bridge keyring flag causes network partition in data availability layer

  • #43246 [BC-Critical] Lack of TCP timeout allows attacker to crash the sequencer via the maptos-opt-executor service

  • #43253 [BC-Critical] Attackers can drain TIA from nodes in networks running in sequencer mode

  • #41243 [BC-Insight] The mempool garbage collector doesn't fully execute garbage collection on each iteration

  • #43243 [BC-Critical] Attacker can halt chains operating in sequencer mode

  • #43244 [BC-Critical] Lack of TCP timeout allows attacker to crash the sequencer via the Light Node Service

  • #42233 [BC-Critical] Critical DoS Vulnerability in Movement Network's DA Layer Due to Zstd bomb blob exploit

  • #42234 [BC-Insight] Missing Match Arm in to_single_key_authenticators() Allows WebAuthn Signatures Despite WEBAUTHN_SIGNATURE Being Disabled

  • #43287 [BC-Low] Certain fees are unaccounted for causing failed transactions

  • #43288 [BC-Critical] Attackers could force Nodes to process TraAttackers could force Nodes to process Transactions in wrong order, by attacking moveRocks/sequencing implementation

  • #43290 [BC-Critical] Anyone can send a write_batch to the DA node, enabling a DOS attack that shuts down the network

  • #43307 [BC-High] Not verifying the signatures upon execution leads to direct loss of funds

  • #41811 [BC-Insight] Configuration data loss in configfile's `try_set_with_guard` due to missing file cursor reset

  • #42011 [BC-High] Duplicate tx IDs in blockchain blocks are possible

  • #42837 [BC-Critical] Total network shutdown

  • #43315 [BC-Critical] DA Light Node Can Be DoSed Due to Lack of Batch Validation

  • #43323 [BC-High] Inadequate Sequence Number Validation in DA Light Node Enables Transaction Censorship

  • #42298 [BC-Critical] Blocks from Celestia are not executed in order which breaks sequencer logic and application priorities

  • #43324 [BC-High] Insufficient Validation in DA Light Node Allows Malicious Override of `application_priority`

  • #41373 [BC-High] Premature transaction acceptance to mempool/DA without signature validation

  • #42395 [BC-High] Movement does not allow overwriting transactions with a higher priority, breaking Aptos mempool logic

  • #42903 [BC-High] Attackers are able to submit multiple dupplicate transactions due to mismatched Mempool Implementation

  • #41516 [BC-High] The attacker exceeds the number of transactions TOO_NEW_TOLERANCE and performs a DoS attack.

  • #41518 [BC-High] The transaction to modify the gas price was not processed.

  • #41731 [BC-Insight] Race Condition in try_to_sign can lead to unverifiable blocks and/or blobs

  • #42480 [BC-Medium] Unable to deposit the gas fee into the `governed_gas_pool` when using `deposit_from_fungible_store`

  • #42941 [BC-Critical] [Critical] Network-Wide Denial of Service Through Unrecoverable Block Execution Failures

  • #42535 [BC-High] Garbage collecting in flight transactions can lead to spiraling network delays

  • #41618 [BC-Insight] Timestamp unit doesn't match in GcCounter which causes premature transaction eviction

  • #41324 [BC-Insight] Celestia auth tokens can be stolen by sniffing websocket requests

  • #41531 [BC-Critical] Attackers can drain the sequencer’s wallet and DoS network by submitting transactions from unfunded accounts

  • #43346 [BC-Insight] Transactions arriving at the node out of sequence order will be rejected due to the has_invalid_sequence_number function

  • #43250 [BC-Critical] Excessive TCP timeout allows attacker to crash the sequencer via the indexer service

  • #43251 [BC-Critical] Lack of TCP timeout allows attacker to crash the sequencer via the finality viewer service

  • #42925 [BC-Insight] Transactions won't be included on Celestia when the gas price is high, and the transactions on Movement will be forgotten

  • #43190 [BC-Critical] Deadlock in `submit_transaction()`

  • #43330 [BC-Critical] Freezing new transaction processing by sending invalid requests to movement DA light node

  • #42430 [BC-Insight] `add_mempool_transaction()` does not check if the transaction already exist in the mempool

  • #41368 [BC-High] JSON-RPC no batch query limitation allows really large responses | RPC server takedown

  • #41334 [BC-Critical] Attacker can publish a blob that cannot be deserialized and shut down the movement chain

  • #41466 [BC-Medium] Incorrect sequence number tracking in mempool commit

  • #43177 [BC-Critical] DoS Vulnerability in DA Light Node via Unbounded Height Parameter

  • #41489 [BC-Critical] Blob sizes remain unchecked leading to chain halt

  • #42991 [BC-High] User can reuse sequence number causing DOS & breaking core invariant

  • #41715 [BC-High] Manipulating the Sequence Number of signed transactions to reorder them or prevent their execution

  • #41714 [BC-High] Tampering the ID of signed transactions to prevent others from executing

  • #43114 [BC-Critical] Attackers can cause total shutdown network by exploiting missing of blob size check in DA Lightnode

  • #42762 [BC-High] New accounts break the pipe mempool invariant that prevents duplicate transactions from filling the mempool

  • #43017 [BC-High] Prevalidation does not validate application priority, sequence number and ID

  • #42112 [BC-Critical] Using `blob.GetAll` instead of `blob.Get` for Celestia DA opens full nodes to fraudulent block attacks

  • #42930 [BC-High] Users are unable to increase their gas resulting in stuck funds

  • #42936 [BC-Critical] Potential Deadlock or Panic Due to Concurrent Lock Acquisition in `TransactionPipe`

  • #42896 [BC-High] Attackers can exploit sequence_number tolerance mechanism to to cause Movement Network DA Lightnode loose money for submitting failed blocks to Celestia

  • #42928 [BC-Medium] Depositing gas fees into the governed gas pool does not work when the CoinStore is frozen

  • #42557 [BC-Low] Remote signing methods can fail which will turn off the light node block proposer

  • #43150 [BC-High] Excessive transaction processing caused by a faulty garbage collector in transaction_pipe.rs

  • #43137 [BC-Medium] Multiple Transactions from the same account with increasing sequence number and priorities will be sorted incorrectly in the block causing some to fail

  • #43333 [BC-Critical] Missing Depths Checks in Cached TypeLayout leads to Network Divergence

  • #43136 [BC-High] Multiple transactions sent by the same account in the same block timeframe can get stuck in the TranactionPipe core_mempool

  • #43135 [BC-High] `epilogue_gas_payer` Silently Drops Excess Storage Fee Refunds Under Governed Gas Pool

  • #43255 [BC-Medium] User Transactions might be lost due to missing Error Handling in Celestia RPC Client Requests `blob_submit` failure

  • #43132 [BC-Medium] upgrade_burn_percentage Resets Block Proposer, Blocking Fee Distribution

  • #43222 [BC-High] A transaction with sequence number 0 can be submitted multiple times

  • #42648 [BC-High] Altering the application_priority to fill a block, temporary freezing user transactions

  • #41255 [BC-Medium] Blocking sleep in async context leads to thread pool exhaustion and DoS

  • #41722 [BC-High] The passthrough DA light node does not prevalidate transactions which leads to non-deserializable transactions that prevent execution

  • #41669 [BC-Medium] Incorrect Gas Cost Used for BLS12381 Subgroup Check Causes ~70% Undercharge

  • #43303 [BC-Medium] The call to `commit_transaction()` includes the wrong sequence number

  • #42934 [BC-High] Improper input validation in KeylessSignature causes full-node panic

  • #43229 [BC-High] There is a bug can allows malicious data to enter the DA layer and be signed by a legitimate node

  • #42513 [BC-High] Users might loose Storage Gas Fee Refund Due to Governed Gas Pool Feature of Movement logic bug

  • #42495 [BC-High] The Tonic Request/Response Size Limit prevents data from being submitted to the da_light_node

  • #41012 [BC-Critical] Unintended Chain Split in Movement Full Node

  • #41560 [BC-Insight] BlobType of BlobResponse can never be SequencedBlobBlock

  • #42895 [BC-Insight] Misuse of error

  • #42102 [BC-High] uncontrolled resource consumption is resulting in OOM via RPC (public one)

  • #43168 [BC-Insight] Under normal usage of the blockchain, transactions will not be persisted

  • #41985 [BC-Insight] Using the test keyring backend is insecure

  • #41899 [BC-Insight] NatSpec of several functions in `ethereum.move` is wrong

  • #42859 [BC-Insight] Pub key format mismatch in `InKnownSignersVerifier`

  • #43184 [BC-Insight] Vulnerable `Secp256k1` version allows validation of malformed signatures

  • #41945 [BC-Insight] Optimization in `to_eip55_checksumed_address()` in `aptos_framework::ethereum::()` module

  • #43186 [BC-Insight] Flawed documentation when streaming da blobs leads to confusion

  • #42939 [BC-Insight] Transaction expiration is not validated correctly in mempool and sequencer

  • #41337 [BC-Insight] Channel buffer size in block proposer is too low leading to network delays and resource exhaustion

  • #43038 [BC-Insight] There is a permanent operator lockout came from an unsafe key rotation

  • #41437 [BC-High] An edge-case allows duplicate transactions to be added to the mempool of the sequencer

  • #41980 [BC-Insight] Full nodes panic in read-only mode whenever a transaction is sent

  • #42222 [BC-Insight] Garbage Collector can fail to run in a timely manner if building_time_ms is set to a low value

  • #42937 [BC-Insight] Public Exposure of Validator Signer Private Key in Executor Struct

  • #43267 [BC-Insight] Potential Indefinite Hang (Denial of Service) in Full Node DA Sync Due to Missing Stream Timeout For Light Node Connection

  • #43221 [BC-Insight] Expired transactions prevent new submissions due to delayed garbage collection

Previous#42773 [BC-Medium] Signers can be compromised by a libp2p DoS attackNext#41023 [BC-Insight] Incomplete transaction decrementing leading to undesired behaviour

Was this helpful?