Active Boosts

Shardeum Core II

Reports by Severity

Critical

  • #35526 [BC-Critical] An attacker can change the account balance after the transaction has been processed.

  • #35839 [BC-Critical] Slash avoidance: Ineffective controls on unstaking allow unstaking before taking an action that should be slashed

  • #35707 [BC-Critical] Reusing old transaction receipt to rollback account balance

  • #35531 [BC-Critical] Absence of signature deduplication for receipt in the binary_repair_oos_accounts P2P handler

  • #35695 [BC-Critical] validateTxnFields check for internal transactions can be bypassed

  • #35601 [BC-Critical] Consensus algorithm doesn't deduplicate votes, allowing a malicious validator to completely falsify transactions

  • #35694 [BC-Critical] Consensus can be bypassed by single validator node from transaction execution group

  • #35696 [BC-Critical] Specifically crafted penalty TX may cause total network shutdown.

Insight

  • #35710 [BC-Insight] addressToPartition input is unsanitized, allowing to take whole network down

  • #35697 [BC-Insight] [Informational] Code logic contains potential risk of full network shutdown

  • #35641 [BC-Insight] node p2p remote denial of service

  • #35415 [BC-Insight] [Informational] debugMiddleware query parameters can be partially modified by request submitter or via MITM

  • #35965 [BC-Insight] Unverified Data in Safety Sync

  • #36024 [BC-Insight] Use of Vulnerable function results in prediction of archivers

  • #36029 [BC-Insight] Node.js crash on counterMap overflow

Reports by Type

Blockchain/DLT

  • #35710 [BC-Insight] addressToPartition input is unsanitized, allowing to take whole network down

  • #35697 [BC-Insight] [Informational] Code logic contains potential risk of full network shutdown

  • #35641 [BC-Insight] node p2p remote denial of service

  • #35526 [BC-Critical] An attacker can change the account balance after the transaction has been processed.

  • #35415 [BC-Insight] [Informational] debugMiddleware query parameters can be partially modified by request submitter or via MITM

  • #35839 [BC-Critical] Slash avoidance: Ineffective controls on unstaking allow unstaking before taking an action that should be slashed

  • #35707 [BC-Critical] Reusing old transaction receipt to rollback account balance

  • #35965 [BC-Insight] Unverified Data in Safety Sync

  • #36024 [BC-Insight] Use of Vulnerable function results in prediction of archivers

  • #35531 [BC-Critical] Absence of signature deduplication for receipt in the binary_repair_oos_accounts P2P handler

  • #35695 [BC-Critical] validateTxnFields check for internal transactions can be bypassed

  • #35601 [BC-Critical] Consensus algorithm doesn't deduplicate votes, allowing a malicious validator to completely falsify transactions

  • #35694 [BC-Critical] Consensus can be bypassed by single validator node from transaction execution group

  • #36029 [BC-Insight] Node.js crash on counterMap overflow

  • #35696 [BC-Critical] Specifically crafted penalty TX may cause total network shutdown.

Previous#34851 [SC-Low] Adversary can freeze users' fund in stBTC using donation attack on MezoAllocatorNext#36029 [BC-Insight] Node.js crash on counterMap overflow