Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

VRT Addition - Blockchain Security #426

Open
nnons opened this issue Nov 19, 2024 · 1 comment
Open

VRT Addition - Blockchain Security #426

nnons opened this issue Nov 19, 2024 · 1 comment

Comments

@nnons
Copy link

nnons commented Nov 19, 2024
edited
Loading

Description

Addition of Blockchain / Crypto Related Vulnerabilities from protocols, smart contracts, and zero knowledge.

Changes

Decentralized Application Misconfiguration

Decentralized Application Misconfiguration.Insecure Data Storage.Plaintext Private Key
Decentralized Application Misconfiguration.Insecure Data Storage.Sensitive Information Exposure
Decentralized Application Misconfiguration.Improper Authorization.Insufficient Signature Validation
Decentralized Application Misconfiguration.DeFi Security.Flash Loan Attack
Decentralized Application Misconfiguration.DeFi Security.Pricing Oracle Manipulation
Decentralized Application Misconfiguration.DeFi Security.Function-Level Accounting Error
Decentralized Application Misconfiguration.DeFi Security.Improper Implementation of Governance
Decentralized Application Misconfiguration.Marketplace Security.Signer Account Takeover
Decentralized Application Misconfiguration.Marketplace Security.Unauthorized Asset Transfer
Decentralized Application Misconfiguration.Marketplace Security.Orderbook Manipulation
Decentralized Application Misconfiguration.Marketplace Security.Malicious Order Offer
Decentralized Application Misconfiguration.Marketplace Security.Price or Fee Manipulation
Decentralized Application Misconfiguration.Marketplace Security.OFAC Bypass
Decentralized Application Misconfiguration.Marketplace Security.Improper Validation and Checks For Deposits and Withdrawals
Decentralized Application Misconfiguration.Marketplace Security.Miscalculated Accounting Logic
Decentralized Application Misconfiguration.Marketplace Security.Denial of Service
Decentralized Application Misconfiguration.Protocol Security Misconfiguration.Node-level Denial of Service

Protocol Security Misconfiguration

Protocol Security Misconfiguration.Frontrunning-Enabled Attack
Protocol Security Misconfiguration.Sandwich-Enabled Attack
Protocol Security Misconfiguration.Misconfigured Staking Logic
Protocol Security Misconfiguration.Improper Validation and Finalization Logic

Smart Contract Misconfiguration

Smart Contract Misconfiguration.Reentrancy Attack
Smart Contract Misconfiguration.Smart Contract Owner Takeover
Smart Contract Misconfiguration.Uninitialized Variables
Smart Contract Misconfiguration.Unauthorized Transfer of Funds
Smart Contract Misconfiguration.Integer Overflow / Underflow
Smart Contract Misconfiguration.Unauthorized Smart Contract Approval
Smart Contract Misconfiguration.Irreversible Function Call
Smart Contract Misconfiguration.Function-level Denial of Service
Smart Contract Misconfiguration.Malicious Superuser Risk
Smart Contract Misconfiguration.Improper Fee Implementation
Smart Contract Misconfiguration.Improper Use of Modifier
Smart Contract Misconfiguration.Improper Decimals Implementation
Smart Contract Misconfiguration.Inaccurate Rounding Calculation
Smart Contract Misconfiguration.Bypass of Function Modifiers & Checks

Zero Knowledge Security Misconfiguration

Zero Knowledge Security Misconfiguration.Missing Constraint
Zero Knowledge Security Misconfiguration.Mismatching Bit Lengths
Zero Knowledge Security Misconfiguration.Misconfigured Trusted Setup
Zero Knowledge Security Misconfiguration.Missing Range Check
Zero Knowledge Security Misconfiguration.Improper Proof Validation and Finalization Logic
Zero Knowledge Security Misconfiguration.Deanonymization of Data

Blockchain Infrastructure Misconfiguration
Blockchain Infrastructure Misconfiguration.Improper Bridge Validation and Verification Logic
@nnons
Copy link
Author

nnons commented Nov 19, 2024
edited
Loading

Template Drafted Priority VRT Category Specific vulnerability names Variant / Affected function CVSS String
X P1 Decentralized Application Misconfiguration Insecure Data Storage Plaintext Private Key
X Varies Decentralized Application Misconfiguration Insecure Data Storage Sensitive Information Exposure
X Varies Decentralized Application Misconfiguration Improper Authorization Insufficient Signature Validation
X Varies Decentralized Application Misconfiguration DeFi Security Flash Loan Attack
X Varies Decentralized Application Misconfiguration DeFi Security Pricing Oracle Manipulation
X Varies Decentralized Application Misconfiguration DeFi Security Flash Loan Attack
X Varies Decentralized Application Misconfiguration DeFi Security Pricing Oracle Manipulation
X Varies Decentralized Application Misconfiguration DeFi Security Function-Level Accounting Error
X Varies Decentralized Application Misconfiguration DeFi Security Improper Implementation of Governance
X P1 Decentralized Application Misconfiguration Marketplace Security Signer Account Takeover
X P1 Decentralized Application Misconfiguration Marketplace Security Unauthorized Asset Transfer
X P1 Decentralized Application Misconfiguration Marketplace Security Orderbook Manipulation
X P2 Decentralized Application Misconfiguration Marketplace Security Malicious Order Offer
X P2 Decentralized Application Misconfiguration Marketplace Security Price or Fee Manipulation
X P3 Decentralized Application Misconfiguration Marketplace Security OFAC Bypass
X Varies Decentralized Application Misconfiguration Marketplace Security Improper Validation and Checks For Deposits and Withdrawals
X Varies Decentralized Application Misconfiguration Marketplace Security Miscalculated Accounting Logic
X Varies Decentralized Application Misconfiguration Marketplace Security Denial of Service
X P1 Decentralized Application Misconfiguration Protocol Security Misconfiguration Node-level Denial of Service
X P2 Protocol Security Misconfiguration Frontrunning-Enabled Attack
X P2 Protocol Security Misconfiguration Sandwich-Enabled Attack
X Varies Protocol Security Misconfiguration Misconfigured Staking Logic
X Varies Protocol Security Misconfiguration Improper Validation and Finalization Logic
X P1 Smart Contract Misconfiguration Reentrancy Attack
X P1 Smart Contract Misconfiguration Smart Contract Owner Takeover
X P1 Smart Contract Misconfiguration Uninitialized Variables
X P1 Smart Contract Misconfiguration Unauthorized Transfer of Funds
X P2 Smart Contract Misconfiguration Integer Overflow / Underflow
X P2 Smart Contract Misconfiguration Unauthorized Smart Contract Approval
X P3 Smart Contract Misconfiguration Irreversible Function Call
X P3 Smart Contract Misconfiguration Function-level Denial of Service
X P3 Smart Contract Misconfiguration Malicious Superuser Risk
X P3 Smart Contract Misconfiguration Improper Fee Implementation
X P4 Smart Contract Misconfiguration Improper Use of Modifier
X P4 Smart Contract Misconfiguration Improper Decimals Implementation
X Varies Smart Contract Misconfiguration Inaccurate Rounding Calculation
X Varies Smart Contract Misconfiguration Bypass of Function Modifiers & Checks
X Varies Zero Knowledge Security Misconfiguration Missing Constraint
X Varies Zero Knowledge Security Misconfiguration Mismatching Bit Lengths
X Varies Zero Knowledge Security Misconfiguration Misconfigured Trusted Setup
X Varies Zero Knowledge Security Misconfiguration Missing Range Check
X P1 Zero Knowledge Security Misconfiguration Improper Proof Validation and Finalization Logic
X P1 Zero Knowledge Security Misconfiguration Deanonymization of Data
X Varies Blockchain Infrastructure Misconfiguration Improper Bridge Validation and Verification Logic

Note

Severities are up for discussion as there can be pre-requisites and conditions for certain attacks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@nnons