Timestamp | Email Address | Bitcointalk Username | Bug Source | Bug Name | Bug Description | Github Issue / Bug Link | Priority | Steps to Reproduce | Your ETH Address | Status | Comment | Bounty
---|---|---|---|---|---|---|---|---|---|---|---|---
9/29/2017 18:45:50 | myself@danielkelly.me | dafky2000 | Website | No verification on dashboard -> account fields | No verification done on BTT Username, Ethereum and Bitcoin addresses; accepts invalid characters and invalid addresses. https://imgur.com/TK8fFlG | https://pastebin.com/18SZ1Qen | Suggestion / Feedback | Enter any invalid characters and hit update. | 0x00e8c2f1E2a359F7295430Ee81a67BBbe46CfE6f | Approved | | 50
9/29/2017 18:47:31 | myself@danielkelly.me | dafky2000 | Website | Cannot remove Dashboard -> Account field data | Account details cannot be removed if found to be invalid. | https://pastebin.com/18SZ1Qen | Suggestion / Feedback | Clear the field and hit update; the old value persists. | 0x00e8c2f1E2a359F7295430Ee81a67BBbe46CfE6f | Approved | | 50
9/29/2017 18:48:59 | myself@danielkelly.me | dafky2000 | Website | Cookies not using secure flags | They are transmitted unencrypted because the Secure flag wasn't used. For example, the PHPSESSID session cookie can be hijacked. `ini_set("session.cookie_secure", 1);` | https://pastebin.com/18SZ1Qen | Suggestion / Feedback | N/A | 0x00e8c2f1E2a359F7295430Ee81a67BBbe46CfE6f | Approved | | 100
9/29/2017 18:50:24 | myself@danielkelly.me | dafky2000 | Website | X-Frame-Options is not set | Clickjacking vulnerability on `*.rewards.network`. This is a SERIOUS front-end vulnerability. It means that the website could be embedded in an iframe. With a 0% opacity, the user might not think he is clicking or typing on the website. This might lead to password change, funds withdrawal etc. To fix it, simply add the following header: `X-Frame-Options: SAMEORIGIN`. For more information see: https://www.owasp.org/index.php/Clickjacking | https://pastebin.com/18SZ1Qen | Critical | N/A | 0x00e8c2f1E2a359F7295430Ee81a67BBbe46CfE6f | Approved | Will be considered as MEDIUM | 1500
9/29/2017 18:51:27 | myself@danielkelly.me | dafky2000 | Website | Newsletter subscription spam | Can bypass newsletter subscriptions by accessing https://alloy.rewards.network/subscribe?email=user@host.com directly. Subscription also allows multiple submissions of the same email address; refreshing this URL is an easy way to get your servers marked as spam and blacklisted. Simply record who's already been sent newsletters and fail on subsequent tries. | https://pastebin.com/18SZ1Qen | Medium | N/A | 0x00e8c2f1E2a359F7295430Ee81a67BBbe46CfE6f | Approved | Will be considered as LOW | 1000
9/29/2017 18:52:25 | myself@danielkelly.me | dafky2000 | Website | Strict-Transport-Security: HSTS not set | Future proofing against MITM. | https://pastebin.com/18SZ1Qen | Low | N/A | 0x00e8c2f1E2a359F7295430Ee81a67BBbe46CfE6f | Approved | | 500
9/29/2017 18:53:34 | myself@danielkelly.me | dafky2000 | Website | X-XSS-Protection header is not set | Future proofing against XSS. | https://pastebin.com/18SZ1Qen | Low | N/A | 0x00e8c2f1E2a359F7295430Ee81a67BBbe46CfE6f | Approved | | 500
9/29/2017 18:54:34 | myself@danielkelly.me | dafky2000 | Smart Contract | StandardToken.sol -> violates ERC-20 standard (not critical) | https://github.com/OpenZeppelin/zeppelin-solidity/issues/438 https://github.com/SylTi/zeppelin-solidity/commit/d74b10adcd3fbb2ab3db7e41d6873bbc8a619e57 | https://pastebin.com/18SZ1Qen | Low | N/A | 0x00e8c2f1E2a359F7295430Ee81a67BBbe46CfE6f | Approved | | 650
9/29/2017 18:55:22 | myself@danielkelly.me | dafky2000 | Smart Contract | MintableToken.sol -> Token transfers on minted tokens from crowdsale contract will not appear on EtherScan as token transfers | https://github.com/OpenZeppelin/zeppelin-solidity/issues/433 https://github.com/OpenZeppelin/zeppelin-solidity/pull/345/files#diff-b325b8c2471f700034909594251cd896 | https://pastebin.com/18SZ1Qen | Medium | N/A | 0x00e8c2f1E2a359F7295430Ee81a67BBbe46CfE6f | Approved | | 2500
9/29/2017 18:56:40 | myself@danielkelly.me | dafky2000 | Smart Contract | SafeMath.sol -> Revert/require instead of assert/throw. Saves fees on failures and follows the ERC20 definitions. | https://github.com/OpenZeppelin/zeppelin-solidity/issues/435 https://github.com/nedodn/zeppelin-solidity/commit/06e8de46571c662dc189205f6f204e9daf41986b The more preferred method would be something like below. `function sub(uint256 a, uint256 b) internal constant returns (uint256) { - assert(b <= a); + require(b <= a); return a - b; }` | https://pastebin.com/18SZ1Qen | Low | N/A | 0x00e8c2f1E2a359F7295430Ee81a67BBbe46CfE6f | Approved | | 400
9/29/2017 18:58:03 | myself@danielkelly.me | dafky2000 | Smart Contract | AlloyCrowdsale.sol -> In the spirit of keeping the crowdsale trustless, don't allow the hardcap to be increased. | `/** * Lets the owner set the Hardcap for the sale based on the balance from the previous sale */ function setHardCap(uint256 _cap) public onlyOwner { + // Don't allow owner to increase hard cap or change the hard cap after the ICO has ended + require(hasEnded() == false); + require(_cap < cap); cap = _cap; }` | https://pastebin.com/18SZ1Qen | Suggestion / Feedback | N/A | 0x00e8c2f1E2a359F7295430Ee81a67BBbe46CfE6f | Approved | | 100
9/29/2017 19:01:27 | myself@danielkelly.me | dafky2000 | Smart Contract | nextSpecialBonus is redundant and wastes gas | The function is duplicated/redundant by getBonusSlab :) | https://github.com/codemojo-dr/Alloy-ICO-Contracts/pull/2/commits/34c74b9e32aa8a7efcc69c34ad41842b53d5d81d | Improvement | N/A | 0x00e8c2f1E2a359F7295430Ee81a67BBbe46CfE6f | N/A | Both are functions for different purposes | 0
9/30/2017 11:15:07 | pflashispunk@gmail.com | | Website | email enumeration | Enumeration of email addresses of already registered users is possible, and/or checking if a user with a specific email address is registered on the website, which can then be used for phishing attacks or any malicious intent. | https://alloy.rewards.network/password/reset | Medium | 1) open https://alloy.rewards.network/password/reset 2) type an email to check whether the email is registered or not. 3) if the email is not registered you'll get the message "We can't find a user with that e-mail address." 4) if the email is registered you'll get the message "We have e-mailed your password reset link!" | 0x758423cB715492C8E269C7Ec46159F2f71737224 | Approved | Will be considered Low | 700
9/30/2017 18:44:59 | pauliax6@gmail.com | | Smart Contract | Add keyword "constant" to the variables that do not change their values | Reading from a const variable doesn't cost any gas, so this would save you some money. | https://github.com/codemojo-dr/Alloy-ICO-Contracts/issues/3 | Suggestion / Feedback | Please read the description on the issue | 0xaAbf60384137D460427fD5B849017e59479797A1 | Approved | | 150
9/30/2017 18:47:16 | pauliax6@gmail.com | | Smart Contract | Functions visibility | Explicitly mark the visibility of the function to save some gas. | https://github.com/codemojo-dr/Alloy-ICO-Contracts/issues/4 | Suggestion / Feedback | Please read the description on the issue | 0xaAbf60384137D460427fD5B849017e59479797A1 | Approved | | 200
9/30/2017 18:49:11 | pauliax6@gmail.com | | Smart Contract | Timestamp usage | Timestamps can be manipulated by the miners. | https://github.com/codemojo-dr/Alloy-ICO-Contracts/issues/5 | Low | Please read the description on the issue | 0xaAbf60384137D460427fD5B849017e59479797A1 | Awaiting response from the reporter on the Issue | |
9/30/2017 18:51:19 | pauliax6@gmail.com | | Smart Contract | Unused functions | There are unused functions in SafeMath.sol. It will cost less gas to deploy the contract without them. | https://github.com/codemojo-dr/Alloy-ICO-Contracts/issues/6 | Suggestion / Feedback | Please read the description on the issue | 0xaAbf60384137D460427fD5B849017e59479797A1 | N/A | These are not unused | 0
9/30/2017 18:54:02 | pauliax6@gmail.com | | Smart Contract | Unused parameter | Parameter in function transferableTokens is not used. | https://github.com/codemojo-dr/Alloy-ICO-Contracts/issues/7 | Suggestion / Feedback | Please read the description on the issue | 0xaAbf60384137D460427fD5B849017e59479797A1 | N/A | This is overridden in another contract with both the values passed | 0
9/30/2017 18:57:19 | pauliax6@gmail.com | | Smart Contract | Code duplication | Consider reusing functionality of Ownable.sol to improve the code's maintainability. | https://github.com/codemojo-dr/Alloy-ICO-Contracts/issues/8 | Suggestion / Feedback | Please read the description on the issue | 0xaAbf60384137D460427fD5B849017e59479797A1 | Approved | | 250
9/30/2017 19:00:23 | pauliax6@gmail.com | | Smart Contract | Method Approve is vulnerable | https://docs.google.com/document/d/1YLPtQxZu1UAvO9cZ1O2RPXBbT0mooh4DYKjA_jp-RLM/edit#heading=h.m9fhqynw2xvt | https://github.com/codemojo-dr/Alloy-ICO-Contracts/issues/9 | Low | Please read the description on the issue | 0xaAbf60384137D460427fD5B849017e59479797A1 | N/A | Latest patch from Zeppelin negates this for ERC20 compliance | 0
10/6/2017 17:02:38 | st2000@outlook.com | FruitsBasket | Website | Spam signup | There are bots that can make fake accounts with fake emails so fast that there will be many more fake accounts than real accounts. | https://alloy.rewards.network | Low | Bot signup | 0xdd30dd6fbaae31ffc01c08e2392f76c0459c8527 | Approved | | 700
10/6/2017 17:04:34 | st2000@outlook.com | FruitsBasket | Website | Spam Password Reset | You can simply spam anyone's email with the password reset function: just buy a VPS and install a macro bot, or write a simple autobot script that will submit an email in the password reset field and hit submit, and do this over and over again all day long. | https://alloy.rewards.network | Low | Read description | 0xdd30dd6fbaae31ffc01c08e2392f76c0459c8527 | Approved | | 1000
10/6/2017 17:15:43 | st2000@outlook.com | FruitsBasket | Website | DDOS | DDOS Protection Required | https://alloy.rewards.network | Low | DDOS | 0xdd30dd6fbaae31ffc01c08e2392f76c0459c8527 | Approved | Protected by AWS Shield | 200
10/7/2017 7:21:38 | pflashispunk@gmail.com | | Website | Rate limit | As there is no rate limit set, an attacker can successfully perform brute force/huge email bombing/cookie bombing/email spoofing on the victim's account. | https://alloy.rewards.network/login | Medium | -> No rate limit has been set for the login form. -> As there is no rate limit set, an attacker can successfully perform brute force/huge email bombing/cookie bombing/email spoofing on the victim's account. | 0x758423cB715492C8E269C7Ec46159F2f71737224 | Approved | Throttling of Login was already present but with no visual clues. A visual message has been added to this effect. | 100
10/7/2017 7:25:55 | pflashispunk@gmail.com | | Website | Form Password Field with Autocomplete Enabled | Form that included a password input field. The autocomplete attribute was not set to off. This may result in some browsers storing values input by users locally, where they may be retrieved by third parties. | https://alloy.rewards.network/login | Medium | A password value may be stored on the local filesystem of the client. Locally stored passwords could be retrieved by other users or malicious code. | 0x758423cB715492C8E269C7Ec46159F2f71737224 | N/A | User's privilege & convenience. Many popular browsers allow users to save the login credentials. How and where the creds are stored by the browser is a different topic altogether. | 0
10/7/2017 7:28:18 | pflashispunk@gmail.com | | Website | Cookie HttpOnly Flag Not Set | Cookie was set without the HttpOnly flag. When this flag is not present, it is possible to access the cookie via client-side script code. The HttpOnly flag is a security measure that can help mitigate the risk of cross-site scripting attacks that target session cookies of the victim. If the HttpOnly flag is set and the browser supports this feature, attacker-supplied script code will not be able to access the cookie. | https://alloy.rewards.network | Medium | ... | 0x758423cB715492C8E269C7Ec46159F2f71737224 | N/A | Duplicate of #4 | 0
10/7/2017 12:15:44 | st2000@outlook.com | FruitsBasket | Website | Missing HTTP security headers: X-Content-Type-Options is not set | The HTTP X-Content-Type-Options header is addressed to the Internet Explorer browser and prevents it from reinterpreting the content of a web page (MIME-sniffing) and thus overriding the value of the Content-Type header. Lack of this header could lead to attacks such as Cross-Site Scripting or phishing. | Alloy.rewards.network | Low | I recommend setting the X-Content-Type-Options header to "X-Content-Type-Options: nosniff". | 0xdd30dd6fbaae31ffc01c08e2392f76c0459c8527 | Accepted | | 100
10/7/2017 12:11:45 | st2000@outlook.com | FruitsBasket | Website | HTTP Security Header: Strict-Transport-Security is not set. | The HTTP Strict-Transport-Security header instructs the browser not to load the website via a plain HTTP connection but to always use HTTPS. Lack of this header exposes the application users to the risk of data theft or unauthorized modification in case the attacker implements a man-in-the-middle attack and intercepts the communication between the user and the server. | Alloy.rewards.network | Low | I recommend setting the Strict-Transport-Security header. | 0xdd30dd6fbaae31ffc01c08e2392f76c0459c8527 | N/A | Duplicate of #7 | 0
10/9/2017 8:12:18 | bitkolik@gmail.com | bitkolik | Smart Contract | possible bugs and fixes | in github. | https://github.com/RequestNetwork/RequestTokenSale/issues/7 | Critical | xxx | 0x7bd81F41D03135D366F942dEF3B1479B49113C07 | N/A | | 0
10/9/2017 9:30:55 | bitkolik@gmail.com | bitkolik | Smart Contract | typo fault | check pls. https://github.com/codemojo-dr/Alloy-ICO-Contracts/blob/master/contracts/crowdsale/Crowdsale.sol "Gets the Human readable progress for the current crowsale" – "crowsale" is incorrect... it must be "crowdsale" | read bug description | Low | read bug description | 0x7bd81F41D03135D366F942dEF3B1479B49113C07 | N/A | | 0
10/11/2017 12:15:43 | pflashispunk@gmail.com | | Website | fb / twitter connect | After connecting fb/twitter you can remove the Alloy app from the fb and twitter settings. But on the site it will still show as connected & the number of ALLOYs including the fb/twitter bounty. | https://alloy.rewards.network/facebook-bounty | Medium | connect fb/twitter then remove it. | 0xe477292f1b3268687a29376116b0ed27a9c76170 | N/A | This is by design. Anyone participating in the bounty, if they unlink the accounts, won't be eligible. The Pending ALLOYs will be rechecked against the connection status before being issued. | 0
**Total** | | | | | | | | | | | | 10750