Commit b32ebec (1 parent: afec6a2)
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing 36 changed files with 385 additions and 0 deletions.
...figuration/improper_authorization/insufficient_signature_validation/guidance.md (5 changes: 5 additions & 0 deletions)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
@@ -0,0 +1,5 @@ | ||
# Guidance | ||
|
||
Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result. | ||
|
||
Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC). |
...ion/improper_authorization/insufficient_signature_validation/recommendations.md (9 changes: 9 additions & 0 deletions)
@@ -0,0 +1,9 @@ | ||
# Recommendation(s) | ||
|
||
Implementing the following defensive measures in the decentralized application can prevent and limit the impact of the vulnerability: | ||
|
||
- Use strict signature verification methods to check that the sender’s public key matches the signature and that no modifications of the transaction details can occur. | ||
- Implement replay protection mechanisms to prevent attackers from reusing valid signatures for unauthorized transactions. | ||
- Use established cryptographic libraries that handle signature verification securely and correctly. | ||
- Conduct regular security audits of smart contracts and their transaction handling mechanisms to identify potential weaknesses in signature validation. | ||
- For high value or sensitive transactions, consider implementing multi-signature authorization that include multiple private keys to sign off on the action before it is executed. |
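Review bot: the last bullet has a grammatical error, 'multi-signature authorization that include multiple private keys' should read 'that requires multiple private keys to sign off'. The first bullet understates the check: 'check that the sender’s public key matches the signature' should say that the contract recovers the signer from the signature over the full message and compares it with the expected authorizer, and that the signed message binds every field the action depends on (amount, recipient, nonce, deadline, chain ID and verifying contract address, as EIP-712 typed data structures them), so that 'no modifications of the transaction details' is enforced by the hash rather than by convention. The replay-protection bullet would be stronger if it named the mechanism (a per-signer nonce consumed on use plus an expiry) and added that ECDSA malleability must be rejected (enforce the low-s form and treat a zero-address recovery result as invalid), since a malleable copy of a valid signature otherwise passes a check that has no nonce.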
...figuration/improper_authorization/insufficient_signature_validation/template.md (19 changes: 19 additions & 0 deletions)
@@ -0,0 +1,19 @@ | ||
This vulnerability occurs when a decentralized application (dApp) implements improper validation of cryptographic signatures, which serve as proof of ownership, authorization or validation. It can occur when a dApp fails to verify the public key against the signature, implements weak checks (or is missing checks) on transaction parameters, or it reuses previously valid signatures. Insufficient signature validation results in an attacker being able to forge or otherwise manipulate signatures to perform unauthorized actions on the blockchain. | ||
|
||
**Business Impact** | ||
|
||
Improper authorization can result in loss of user trust, and damage to the dApp’s reputation. Additionally, businesses may face legal consequences and regulatory scrutiny which can lead to financial losses and penalties. | ||
|
||
**Steps to Reproduce** | ||
|
||
1. Navigate to the following URL: {{URL}} | ||
1. Identify an interaction within the dApp that requires a signature for authorization: {{define specific function}} | ||
1. Alter the signature parameters by performing {{action}} | ||
1. Submit the altered request to the dApp | ||
1. Observe that the dApp improperly validates the signature and accepts the request without verifying the correct private key ownership | ||
|
||
**Proof of Concept (PoC)** | ||
|
||
The screenshot(s) below demonstrate(s) the vulnerability: | ||
> | ||
> {{screenshot}} |
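Review bot: the opening sentence is circular ('improper validation of cryptographic signatures, which serve as proof of ownership, authorization or validation'), and the third cause, 'or it reuses previously valid signatures', puts the reuse on the dApp when the defect is the dApp accepting a replayed signature; 'or accepts previously used signatures (replay)' is what is meant. The Business Impact paragraph names reputational and legal harm but omits the direct consequence the description itself states, unauthorized on-chain actions such as transfers out of user accounts; one sentence on direct loss of funds would make the impact match the finding. It also opens with 'Improper authorization can result in', the parent category, where the other templates in this commit name the specific issue; 'Insufficient signature validation can result in' is consistent.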
...cation_misconfiguration/insecure_data_storage/plaintext_private_key/guidance.md (5 changes: 5 additions & 0 deletions)
@@ -0,0 +1,5 @@ | ||
# Guidance | ||
|
||
Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result. | ||
|
||
Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC). |
...misconfiguration/insecure_data_storage/plaintext_private_key/recommendations.md (8 changes: 8 additions & 0 deletions)
@@ -0,0 +1,8 @@ | ||
# Recommendation(s) | ||
|
||
Implementing the following defensive measures in the decentralized application can prevent and limit the impact of the vulnerability: | ||
|
||
- Avoid storing private keys in the browser’s `localStorage` or other insecure client-side storage mechanisms. Use more secure alternatives, such as session-based tokens or encrypted cookies. | ||
- Use strong encryption algorithms to encrypt private keys before storing them. | ||
- Implement secure key management practices, such as using hardware security modules or key vaults for sensitive key storage. | ||
- Use access controls to limit who and what can access sensitive key storage. |
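Review bot: the alternatives in the first bullet do not fit the asset: 'session-based tokens or encrypted cookies' replace a session credential, not a signing key, and an encrypted cookie is still readable by any script on the client that can reach its decryption key. The recommendation that actually removes the exposure is that the dApp should not hold the private key at all and should delegate signing to the user's wallet (browser-extension or hardware wallet), receiving only signatures; where a key must be held client-side it belongs in a keystore encrypted under a key derived from a user passphrase with a password-hashing KDF, never next to its own decryption key. The second bullet, 'Use strong encryption algorithms', should name the property required, authenticated encryption with a key that is not stored alongside the ciphertext, because encrypting a key with another key kept in `localStorage` changes nothing.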
...cation_misconfiguration/insecure_data_storage/plaintext_private_key/template.md (17 changes: 17 additions & 0 deletions)
@@ -0,0 +1,17 @@ | ||
This vulnerability occurs when a decentralized application (dApp) stores a private key in plaintext within its data storage. This can stem from improper data security practices, such as failing to encrypt sensitive information, using insecure client-side storage mechanisms (e.g., `localStorage` or `sessionStorage`), hardcoding private keys directly into the code, or neglecting to implement proper access controls. As a result, attackers with access to the storage can easily retrieve and misuse the private key, compromising the integrity of the associated blockchain accounts as they are able to access users' blockchain accounts or wallets. | ||
|
||
**Business Impact** | ||
The exposure of a plaintext private key can result in loss of user trust, and damage to the dApp’s reputation. Additionally, businesses may face legal consequences and regulatory scrutiny which can lead to financial losses and penalties. | ||
|
||
**Steps to Reproduce** | ||
|
||
1. Navigate to the following URL: {{URL}} | ||
1. Access the decentralized application’s storage mechanism: {{define storage mechanism}} | ||
1. Search for the private key by performing {{action}} | ||
1. Observe the private key is stored in plaintext without encryption | ||
1. Confirm that the plaintext private key gives access to the associated blockchain account or wallet | ||
|
||
**Proof of Concept (PoC)** | ||
The screenshot(s) below demonstrate(s) the vulnerability: | ||
> | ||
> {{screenshot}} |
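Review bot: formatting is inconsistent with the other templates in this commit: the **Business Impact** and **Proof of Concept (PoC)** headings are not followed by a blank line before their paragraph, whereas the insufficient_signature_validation and sensitive_information_exposure templates separate them. The closing clause of the first paragraph says the same thing twice ('compromising the integrity of the associated blockchain accounts as they are able to access users' blockchain accounts or wallets'); 'allowing them to take control of the associated accounts or wallets and move their assets' says it once. Also, 'hardcoding private keys directly into the code' is a source-code secret rather than a data-storage issue; if the category is meant to cover both, the Steps to Reproduce ('Access the decentralized application’s storage mechanism') cover only the storage case and need a placeholder for the hardcoded variant.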
...sconfiguration/insecure_data_storage/sensitive_information_exposure/guidance.md (5 changes: 5 additions & 0 deletions)
@@ -0,0 +1,5 @@ | ||
# Guidance | ||
|
||
Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result. | ||
|
||
Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC). |
...uration/insecure_data_storage/sensitive_information_exposure/recommendations.md (8 changes: 8 additions & 0 deletions)
@@ -0,0 +1,8 @@ | ||
# Recommendation(s) | ||
|
||
Implementing the following defensive measures in the decentralized application can prevent and limit the impact of the vulnerability: | ||
|
||
- Use strong encryption algorithms to encrypt sensitive information both at rest and in transit before storing them. | ||
- Only use and store the minimum amount of sensitive information necessary for the function of the application. Remove or anonymise sensitive information when it is no longer needed. | ||
- Use access controls to limit who and what can access the sensitive information. | ||
- Conduct regular security audits to ensure compliance with relevant privacy regulations of your application’s user base. |
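Review bot: the first bullet conflates two controls: 'encrypt sensitive information both at rest and in transit before storing them' mixes transport protection (TLS for data in transit) with storage protection (encryption at rest), and 'them' has no plural antecedent. Suggest: 'Protect sensitive information with TLS in transit, and encrypt it at rest before storing it.' The last bullet reads awkwardly ('compliance with relevant privacy regulations of your application’s user base'); 'compliance with the privacy regulations that apply to your users' jurisdictions' is clearer. The list also lacks the control that follows from the template's own `localStorage` example: keep PII and PHI server-side and out of client-side storage altogether, which is what the plaintext_private_key recommendations in this commit already say about keys.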
...sconfiguration/insecure_data_storage/sensitive_information_exposure/template.md (18 changes: 18 additions & 0 deletions)
@@ -0,0 +1,18 @@ | ||
This vulnerability occurs when a decentralized application (dApp) fails to securely store sensitive information, such as Personally Identifiable Information (PII), or Protected Health Information (PHI). This can stem from improper data security practices, such as storing sensitive data in plaintext, failing to encrypt sensitive information, using insecure client-side storage mechanisms (e.g., `localStorage`), failing to encrypt sensitive data, or neglecting to implement proper access controls. As a result, attackers with access to the storage can easily retrieve and exploit the sensitive information, leading to breaches in the privacy of individual users. | ||
|
||
**Business Impact** | ||
|
||
The exposure of sensitive information can result in loss of user trust, and reputational damage to the business. Additionally, businesses may face legal consequences and regulatory scrutiny for non-compliance with privacy laws. which can lead to financial losses and penalties. | ||
|
||
**Steps to Reproduce** | ||
|
||
1. Navigate to the following URL: {{URL}} | ||
1. Access the decentralized application’s storage mechanism: {{define storage mechanism}} | ||
1. Search for the sensitive information by performing {{action}} | ||
1. Observe that the sensitive information is stored in plaintext without encryption | ||
|
||
**Proof of Concept (PoC)** | ||
|
||
The screenshot(s) below demonstrate(s) the vulnerability: | ||
> | ||
> {{screenshot}} |
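Review bot: the first paragraph lists the same cause three times ('storing sensitive data in plaintext', 'failing to encrypt sensitive information', and again 'failing to encrypt sensitive data'); keep one. The comma in 'Personally Identifiable Information (PII), or Protected Health Information (PHI)' should go. The Business Impact paragraph has a stray sentence break: 'non-compliance with privacy laws. which can lead to financial losses and penalties' should be one sentence with a comma in place of the period.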
...application_misconfiguration/marketplace_security/denial_of_service/guidance.md (5 changes: 5 additions & 0 deletions)
@@ -0,0 +1,5 @@ | ||
# Guidance | ||
|
||
Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result. | ||
|
||
Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC). |
...tion_misconfiguration/marketplace_security/denial_of_service/recommendations.md (8 changes: 8 additions & 0 deletions)
@@ -0,0 +1,8 @@ | ||
# Recommendation(s) | ||
|
||
Implementing the following defensive measures in the decentralized application can prevent and limit the impact of the vulnerability: | ||
|
||
- Implement rate limiting on all marketplace interactions, including order placements, asset queries, and transactions. | ||
- Optimize smart contract functions to handle large numbers of interactions without degrading performance. | ||
- Use monitoring tools to detect unusual spikes in traffic and throttle malicious activity in real-time. | ||
- Establish backup and failover systems to keep the marketplace operational in the event of an attack. |
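Review bot: the first bullet, 'rate limiting on all marketplace interactions', applies only to the off-chain surface (API, indexer, front end); calls to a public contract cannot be rate limited per user, so the second bullet carries the on-chain side and should say what to optimise for: no unbounded loops over arrays that users can grow (a list that grows until a function exceeds the block gas limit is the classic on-chain denial of service), pull-based payment patterns so one failing recipient cannot block a batch, and bounded work per call. The fourth bullet, 'backup and failover systems', does not apply to the smart-contract layer and should be scoped to the off-chain infrastructure.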
...application_misconfiguration/marketplace_security/denial_of_service/template.md (19 changes: 19 additions & 0 deletions)
@@ -0,0 +1,19 @@ | ||
Denial of Service (DoS) vulnerabilities occur when attackers overload the marketplace with excessive transactions, requests, or interactions, causing it to become unavailable or unresponsive. This can result from a lack of rate limiting, unoptimized smart contract functions, or exploitable transaction loops. An attacker can overwhelm a marketplace through DoS, preventing legitimate users from accessing services. | ||
|
||
**Business Impact** | ||
|
||
A successful DoS attack can render the platform unusable, leading to significant downtime, loss of revenue, and frustrated users. It also exposes the marketplace to reputational damage, as users may seek alternatives if the platform is frequently unavailable due to attacks. | ||
|
||
**Steps to Reproduce** | ||
|
||
1. Navigate to the following URL: {{URL}} | ||
1. Identify a vulnerable marketplace function that allows unlimited interactions | ||
1. Spam the vulnerable function with excessive requests {{Describe exactly how}} | ||
1. Observe the marketplace’s performance as it becomes unresponsive or crashes | ||
1. Observe that legitimate users are unable to access the marketplace or complete transactions | ||
|
||
**Proof of Concept** | ||
|
||
The screenshot(s) below demonstrate(s) the vulnerability: | ||
> | ||
> {{screenshot}} |
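Review bot: the Steps to Reproduce instruct live flooding ('Spam the vulnerable function with excessive requests') of the marketplace at {{URL}} but give no placeholder for the test environment or the program's rules on volumetric testing, which most programs restrict; a '{{staging endpoint or agreed test window}}' placeholder would keep the report reproducible without taking the production marketplace down. In the first paragraph 'exploitable transaction loops' is undefined and the closing sentence restates the opening ('An attacker can overwhelm a marketplace through DoS'); naming the on-chain variant (functions whose gas cost grows with state until they can no longer execute) would replace both. Heading inconsistency: this template uses **Proof of Concept** where the earlier templates in this commit use **Proof of Concept (PoC)**.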
...ecurity/improper_validation_and_checks_for_deposits_and_withdrawals/guidance.md (5 changes: 5 additions & 0 deletions)
@@ -0,0 +1,5 @@ | ||
# Guidance | ||
|
||
Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result. | ||
|
||
Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC). |
.../improper_validation_and_checks_for_deposits_and_withdrawals/recommendations.md (8 changes: 8 additions & 0 deletions)
@@ -0,0 +1,8 @@ | ||
# Recommendation(s) | ||
|
||
Implementing the following defensive measures in the decentralized application can prevent and limit the impact of the vulnerability: | ||
|
||
- Implement strict validation mechanisms for deposits and withdrawals, ensuring that transactions are fully confirmed before allowing withdrawals. | ||
- Use decentralized oracles to verify external wallet balances and ensure synchronization with the marketplace. | ||
- Regularly audit the deposit and withdrawal logic for potential vulnerabilities. | ||
- Introduce rate limits and monitoring to prevent multiple withdrawal attempts in a short period. |
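Review bot: the first bullet should define 'fully confirmed', because crediting a deposit that is later reorganised out of the chain is the double-spend the template describes: credit only after a confirmation depth or finality appropriate to the chain, and process deposit events idempotently (keyed on transaction hash plus log index) so one event cannot be credited twice. The second bullet, 'Use decentralized oracles to verify external wallet balances', is misplaced: oracles bring off-chain data on-chain, whereas the marketplace's own nodes read on-chain balances and events directly; the intended control is reconciliation of the internal ledger against on-chain state. The fourth bullet's 'rate limits ... to prevent multiple withdrawal attempts' treats the symptom; what rejects the second of two concurrent withdrawals is debiting the balance atomically before the withdrawal is initiated (a per-account lock or serialised balance update).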
...ecurity/improper_validation_and_checks_for_deposits_and_withdrawals/template.md (19 changes: 19 additions & 0 deletions)
@@ -0,0 +1,19 @@ | ||
Improper validation and checks for deposits and withdrawals occur when the marketplace fails to adequately verify user deposits or withdrawals, leading to potential double-spending, unauthorized transactions, or incorrect balances. This misconfiguration is caused by poor validation logic or synchronization issues between the marketplace and external wallets. | ||
|
||
**Business Impact** | ||
|
||
Incorrect validation can lead to financial discrepancies, enabling attackers to withdraw funds without proper deposits or double-spend assets. It may also cause user dissatisfaction due to incorrect balances, damaging the platform’s reputation and leading to potential legal disputes. | ||
|
||
**Steps to Reproduce** | ||
|
||
1. Navigate to the following URL: {{URL}} | ||
1. Deposit funds into a marketplace account | ||
1. Identify and exploit any inconsistencies in the validation or synchronization logic between the marketplace and the external wallet | ||
1. Trigger a withdrawal request that exceeds the deposited amount or simulate multiple withdrawals in quick succession | ||
1. Observe that the account balances to verify that unauthorized or excess withdrawals were successful | ||
|
||
**Proof of Concept** | ||
|
||
The screenshot(s) below demonstrate(s) the vulnerability: | ||
> | ||
> {{screenshot}} |
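Review bot: the last step is ungrammatical: 'Observe that the account balances to verify that unauthorized or excess withdrawals were successful' should be 'Observe the account balances to verify that unauthorized or excess withdrawals were successful'. Step three ('Identify and exploit any inconsistencies in the validation or synchronization logic') is where the finding actually lives but has no {{describe how}} placeholder, unlike the DoS and accounting templates in this commit; without it the report will not say which check was missing (confirmation depth, duplicate event handling, or concurrent withdrawal).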
...ication_misconfiguration/marketplace_security/malicious_order_offer/guidance.md (5 changes: 5 additions & 0 deletions)
@@ -0,0 +1,5 @@ | ||
# Guidance | ||
|
||
Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result. | ||
|
||
Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC). |
..._misconfiguration/marketplace_security/malicious_order_offer/recommendations.md (8 changes: 8 additions & 0 deletions)
@@ -0,0 +1,8 @@ | ||
# Recommendation(s) | ||
|
||
Implementing the following defensive measures in the decentralized application can prevent and limit the impact of the vulnerability: | ||
|
||
- Enforce strict validation and verification processes for order offers, ensuring terms are clear and transparent. | ||
- Implement user alerts for unusually high or suspicious order offers. | ||
- Audit the metadata and descriptions associated with each order to prevent deceptive practices. | ||
- Educate users on how to recognize potentially malicious offers and encourage double-checking before acceptance. |
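Review bot: the first bullet's 'ensuring terms are clear and transparent' does not name a control. The checkable version is that the front end renders the terms from the order data the contract will execute (token contract address, amount with decimals applied, price, expiry, counterparty) rather than from seller-supplied metadata, and flags any mismatch between the metadata (name, symbol, image) and the referenced contract, since a look-alike token is the usual form of the deceptive offer the template describes. With that in place the third bullet, 'Audit the metadata and descriptions', becomes a specific automated check rather than a periodic review.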
...ication_misconfiguration/marketplace_security/malicious_order_offer/template.md (20 changes: 20 additions & 0 deletions)
@@ -0,0 +1,20 @@ | ||
A malicious order offer involves an attacker creating fraudulent or malicious order offers designed to deceive users into accepting terms that favor the attacker. This is often caused by a lack of order verification mechanisms or misleading metadata. Users may accept these malicious offers without realizing they are unfavorable or fraudulent. | ||
|
||
**Business Impact** | ||
|
||
Users who fall victim to malicious orders may lose assets or overpay for goods, leading to financial losses and diminished trust in the marketplace. The platform may face legal repercussions for allowing fraudulent activities and could suffer reputational damage as users leave for more secure alternatives. | ||
|
||
**Steps to Reproduce** | ||
|
||
1. Navigate to the following URL: {{URL}} | ||
1. Create a malicious order offer with deceptive terms | ||
1. Submit the offer to the marketplace | ||
1. Present the order in a way that conceals the malicious intent | ||
1. Trick a user into accepting the malicious offer {{describe how}} | ||
1. Observe that the transaction executed under fraudulent terms | ||
|
||
**Proof of Concept** | ||
|
||
The screenshot(s) below demonstrate(s) the vulnerability: | ||
> | ||
> {{screenshot}} |
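Review bot: the description and steps never identify the control that fails: 'Create a malicious order offer with deceptive terms' and 'Present the order in a way that conceals the malicious intent' describe the attacker's intent, and the only tie to the dApp is 'a lack of order verification mechanisms or misleading metadata'. A reportable finding needs a placeholder such as '{{describe which displayed field differs from the executed order data}}'; otherwise the template records social engineering rather than a marketplace weakness. Step five, 'Trick a user into accepting the malicious offer', should name the researcher's own second account as the counterparty so the template does not describe testing against real users. The last step's tense is off: 'Observe that the transaction executed under fraudulent terms' should be 'executes'.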
...isconfiguration/marketplace_security/miscalculated_accounting_logic/guidance.md (5 changes: 5 additions & 0 deletions)
@@ -0,0 +1,5 @@ | ||
# Guidance | ||
|
||
Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result. | ||
|
||
Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC). |
...guration/marketplace_security/miscalculated_accounting_logic/recommendations.md (8 changes: 8 additions & 0 deletions)
@@ -0,0 +1,8 @@ | ||
# Recommendation(s) | ||
|
||
Implementing the following defensive measures in the decentralized application can prevent and limit the impact of the vulnerability: | ||
|
||
- Implement safe mathematical operations in smart contracts, including safeguards against integer overflows and underflows. | ||
- Regularly audit and test accounting logic for rounding errors or other flaws. | ||
- Use precise decimal handling to ensure accurate balance calculations across transactions. | ||
- Establish independent validation checks for all balance updates and asset transfers. |
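Review bot: the first bullet, 'safeguards against integer overflows and underflows', should say where they still matter: Solidity 0.8 and later reverts on overflow by default, so the remaining exposure is in `unchecked` blocks, inline assembly, contracts on older compiler versions, and explicit downcasts (for example `uint256` to `uint128`), none of which revert. The third bullet, 'precise decimal handling', is vague; the concrete rules are fixed-point arithmetic with one scaling factor, multiplication before division so intermediate values are not truncated, and a consistent rounding direction that never favours the caller (payouts rounded down, fees and collateral requirements rounded up), which states the 'rounding errors' of the second bullet as a design rule.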
...isconfiguration/marketplace_security/miscalculated_accounting_logic/template.md (19 changes: 19 additions & 0 deletions)
@@ -0,0 +1,19 @@ | ||
Miscalculated accounting logic refers to errors or flaws in the marketplace’s accounting system that lead to incorrect balance calculations, discrepancies in user funds, or misallocation of assets. This often stems from improper rounding, underflows/overflows, or poor handling of transaction data. Attackers can exploit these weaknesses to alter balances in their favor. | ||
|
||
**Business Impact** | ||
|
||
Accounting errors can result in significant financial losses, both for the platform and its users. Users may see incorrect balances, leading to disputes and mistrust in the platform. If left unaddressed, such issues can cause significant reputational and legal damage to the marketplace. | ||
|
||
**Steps to Reproduce** | ||
|
||
1. Navigate to the following URL: {{URL}} | ||
1. Identify a transaction that involves a balance update | ||
1. Exploit the accounting logic {{Describe exactly how}} | ||
1. Observe that the balance calculations are incorrect as a result | ||
1. Observe that the affected accounts to confirm the accounting error | ||
|
||
**Proof of Concept** | ||
|
||
The screenshot(s) below demonstrate(s) the vulnerability: | ||
> | ||
> {{screenshot}} |
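Review bot: the last step is ungrammatical ('Observe that the affected accounts to confirm the accounting error'); 'Observe the affected accounts to confirm the accounting error' was intended, the same slip as in the deposits-and-withdrawals template. Steps four and five both begin 'Observe'; merging them into one step that records the expected balance against the actual balance would give the triager the figure they need.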
...lized_application_misconfiguration/marketplace_security/ofac_bypass/guidance.md (4 changes: 4 additions & 0 deletions)
@@ -0,0 +1,4 @@ | ||
# Guidance | ||
|
||
Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result. | ||
Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC). |
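Review bot: the blank line between the two paragraphs is missing (this hunk is four lines where every other guidance.md in this commit is five), so Markdown renders 'Provide a step-by-step walkthrough ...' and 'Attempt to escalate ...' as a single paragraph. Add the blank line for consistency with the other files.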
...pplication_misconfiguration/marketplace_security/ofac_bypass/recommendations.md (8 changes: 8 additions & 0 deletions)
@@ -0,0 +1,8 @@ | ||
# Recommendation(s) | ||
|
||
Implementing the following defensive measures in the decentralized application can prevent and limit the impact of the vulnerability: | ||
|
||
- Implement strict geolocation checks using IP and blockchain analysis tools to block users from sanctioned jurisdictions. | ||
- Introduce robust Know Your Customer (KYC) procedures to validate user identities before allowing transactions. | ||
- Regularly update the platform’s list of sanctioned entities and cross-reference it with all active users. | ||
- Automate compliance checks to flag and block users violating OFAC restrictions. |
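Review bot: the first bullet bundles two different controls: IP geolocation restricts who can reach the front end, while 'blockchain analysis tools' screen counterparty addresses against sanctions designations. They should be separate bullets, because for a decentralised application the front-end geofence does not stop a sanctioned address from calling the contract directly, so address screening has to sit wherever enforcement is intended (the contract, the relayer, or the order-matching service). The third bullet, 'cross-reference it with all active users', should name the source (the OFAC SDN list) and state that screening covers both user accounts and the on-chain addresses they transact from.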
...lized_application_misconfiguration/marketplace_security/ofac_bypass/template.md (19 changes: 19 additions & 0 deletions)
@@ -0,0 +1,19 @@ | ||
Office of Foreign Assets Control (OFAC) bypass refers to the failure of a marketplace to properly enforce OFAC sanctions or restrictions. This can happen due to insufficient compliance mechanisms, such as missing geolocation checks or improper validation of user identities, allowing sanctioned entities to engage in transactions. | ||
|
||
**Business Impact** | ||
|
||
Allowing sanctioned entities to use the platform could result in severe legal consequences, including fines, regulatory penalties, and sanctions against the marketplace itself. Additionally, reputational damage can occur if users or regulators perceive the platform as not complying with global laws and standards. | ||
|
||
**Steps to Reproduce** | ||
|
||
1. Navigate to the following URL: {{URL}} | ||
1. Create a user from a sanctioned country or entity | ||
1. Bypass geolocation checks or identity verification to register on the platform | ||
1. Execute trades, transfers, or listings as the sanctioned entity | ||
1. Observe that the marketplace does not block or restrict the user based on their location or identity | ||
|
||
**Proof of Concept** | ||
|
||
The screenshot(s) below demonstrate(s) the vulnerability: | ||
> | ||
> {{screenshot}} |
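Review bot: step three, 'Bypass geolocation checks or identity verification to register on the platform', carries the whole finding but has no {{describe how}} placeholder, unlike the DoS and accounting templates in this commit; the report needs to state which check was absent or how it was evaded. Step two, 'Create a user from a sanctioned country or entity', reads as impersonating a sanctioned party; 'Register a test account whose location or address would be subject to screening' describes the test without that implication.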
...cation_misconfiguration/marketplace_security/orderbook_manipulation/guidance.md (5 changes: 5 additions & 0 deletions)
@@ -0,0 +1,5 @@ | ||
# Guidance | ||
|
||
Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result. | ||
|
||
Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC). |
...misconfiguration/marketplace_security/orderbook_manipulation/recommendations.md (8 changes: 8 additions & 0 deletions)
@@ -0,0 +1,8 @@ | ||
# Recommendation(s) | ||
|
||
Implementing the following defensive measures in the decentralized application can prevent and limit the impact of the vulnerability: | ||
|
||
- Implement strong cryptographic signature validation on all order submissions to ensure the integrity of the original terms. | ||
- Introduce non-modifiable order hashes or unique order IDs that prevent post-signature modification. | ||
- Regularly audit order processing logic to detect potential manipulation points. | ||
- Provide users with clear confirmation of their orders before execution and alert them to any changes. |
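Review bot: the first two bullets describe one mechanism and should say so: the order hash the contract verifies the signature against must be recomputed on-chain from the submitted order fields (EIP-712 typed-data hashing is the standard way to cover every field, including the chain ID and contract address), never accepted as a client-supplied value; a 'non-modifiable order hash' is only non-modifiable if the contract derives it itself. The fourth bullet's 'alert them to any changes' assumes a change can be detected after signing, which is exactly what the hash check makes impossible; it should instead ask that the confirmation screen show the same fields that go into the signed hash.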