This security audit report summarizes the findings of an audit of the My Master WAR project. The audit reviewed the project's Solidity codebase and smart contracts to identify vulnerabilities and other issues. A total of 12 findings were discovered, ranging from critical to informational; several concerned centralization risks and the initial token distribution. Recommendations included improving coding practices, adding more tests, and providing more documentation. The report also includes a table listing each finding's title, category, severity, and status. Overall, the audit aimed to ensure the smart contracts are secure, function as intended, and follow best practices.
The audit report identifies 6 issues in the Umee protocol smart contracts ranging from low to medium severity. The key findings include 1 medium severity issue related to the trust of admin keys, and 5 lower severity issues involving asset lockup logic, pool weight changes, handling of non-ERC20 tokens, potential reentrancy, and uniswap adapter logic. Most issues were addressed and resolved by the developers.
[2022.02] umee blockchain final report - public (KennyNajarro2)
The Umee blockchain and Peggo orchestrator were reviewed for security issues. Several high severity issues were found, including vulnerabilities that could allow attackers to manipulate asset prices or disable collateral. Additional issues included integer overflows, invalid comparisons, and lack of input validation. Comprehensive testing of system invariants and edge cases was limited due to project timelines.
IRJET- Survey on Mitigation Techniques of Economical Denial of Sustainabi... (IRJET Journal)
The document summarizes various techniques that have been proposed to mitigate economic denial of sustainability (EDoS) attacks in cloud computing. It describes EDoS-Shield, an early mechanism that uses virtual firewalls and verification nodes to filter requests. Enhanced versions add checks on TTL values and request timestamps. EDoS-Eye uses a game theory approach with honeypots and rate limiting. EDoS-ADS operates in different modes depending on system utilization and uses trust factors to identify suspicious users. Each technique aims to filter attack traffic while minimizing impacts on legitimate users, but they also have drawbacks like increased delays, inability to prevent sophisticated attacks, or potential flooding from redirects.
The audit summary provides an overview of the security assessment conducted on the Strips Finance project. The assessment examined the smart contracts for compliance with best practices, logic correctness, and vulnerabilities. A total of 17 issues were found ranging from critical to informational. Centralization of roles, third party dependencies, and type conversions were among the issues identified. The report recommends improving access controls, testing functionality, and monitoring third parties. Addressing the findings would help ensure a secure system aligned with industry standards.
The audit report summarizes an audit of the smart contracts for Strips Finance. The auditors identified 6 issues in total, among them 1 high severity logic issue, 3 medium severity issues around reentrancy, price calculations and admin keys, and 1 low severity possible reentrancy. The report provides detailed descriptions of each issue and their statuses.
During the audit, 10 issues were found, including 1 medium risk issue that has been resolved. Several related to unclear specifications requiring clarification; according to the latest update, all issues have now been resolved. The audit evaluated the code for security vulnerabilities, adherence to best practices, and conformance to the specifications. Both automated analysis and manual review were performed, finding issues such as missing access controls, unchecked parameters, and clone-and-own risks.
We're very thrilled to announce 🚨
🛡 We have successfully completed our #securityaudit with #hacksafe
Browse full audit report : https://hacksafe.io/blockchain-land-token/
🌐 https://blockchain.land
#Metaverse #blockchainland #VR #AR #cryptocurrency #blockchain
Sacred CertiK security assessment for Sacred (31bridgeport)
This security assessment report summarizes the audit of the Sacred smart contracts. The audit found 6 issues, all informational, including missing zero-address checks, functions that are never called internally but are declared public rather than external, and missing events for sensitive actions. The report recommends adding zero-address checks, declaring such functions external, locking the compiler version, and adding unit tests.
This security assessment report summarizes the audit of the Sacred smart contracts. The audit found 6 issues, all informational, including missing zero-address checks, functions that are never called internally but are declared public rather than external, and a lack of comments. The report recommends adding zero-address checks, declaring such functions external, adding more comments, and discussing the business model.
This document discusses end-to-end security in mobile cloud computing. It defines mobile cloud computing and explains its advantages over mobile devices alone. The document outlines challenges to end-to-end security in service-oriented architectures and mobile cloud computing. It proposes a security framework that uses taint analysis and aspect-oriented programming to monitor service executions and detect unauthorized external service invocations. A trust broker would maintain trust sessions and evaluate the trustworthiness of services to ensure end-to-end security.
This security assessment report for ShibaSwap summarizes the audit findings. The audit discovered 34 total issues ranging from critical to informational. No critical issues were found. 8 issues were rated as major, 1 as medium, 11 as minor, and 14 as informational. The major issues involved lack of input validation, centralization risks, and other logical issues. Most issues were resolved, with 1 issue partially resolved. The report provides descriptions and recommendations to address the issues found and improve the overall security of the ShibaSwap protocol.
RMAC – A LIGHTWEIGHT AUTHENTICATION PROTOCOL FOR HIGHLY CONSTRAINED IOT DEVICES (ijcisjournal)
Nowadays, highly constrained IoT devices have earned an important place in our everyday lives. These devices mainly comprise RFID (Radio-Frequency Identification) or WSN (Wireless Sensor Network) components. Their adoption is growing in areas where data security, privacy, or both must be guaranteed. Therefore, it is necessary to develop appropriate security solutions for these systems. Many papers have proposed solutions for encryption or authentication, but it turns out that sometimes the proposal has a security flaw or is ill-suited for constrained IoT devices (which have very limited processing and storage capacities). In this paper, we introduce a new authentication protocol inspired by Mirror-Mac (MM), a generic construction of authentication protocols proposed by Mol et al. Our proposal, named RMAC, is well suited for highly constrained IoT devices since its implementation uses simple and lightweight algorithms. We also prove that RMAC is at least as secure as the MM protocol and thus secure against man-in-the-middle attacks.
The document is a source code review report for Talla prepared by Coinspect in December 2017. It summarizes Coinspect's audit of Ambisafe's token contracts, identifying 5 low risk issues: problems in the ERC20 specification allowing race conditions; a race condition after contract creation; lack of visibility modifiers; use of outdated Solidity versions; and potential issues with the opt-out upgrade system. The report provides recommendations to address each issue found. In general, Coinspect found no critical defects but noted some improvements could be made to best practices and upgradeability.
The security audit report summarizes the audit of the LiveCGI MarketPlace smart contracts. The audit found 1 critical issue, 1 high issue, and 3 low issues. The code quality and documentation were found to be well written overall. Key functions in the smart contracts were confirmed to work as claimed. Investors should exercise caution and conduct further due diligence on the project.
Automotive Cybersecurity: Test Like a Hacker (ForAllSecure)
Learn the techniques used by award-winning hacking teams (as well as in some real-world attacks) to identify and exploit vulnerabilities in OEM components and other automotive software. This presentation covers fundamental principles, as well as how to easily incorporate these techniques into unit or functional test stages - bringing an extra layer of protection to connected automobiles. We'll cover both how to best fit this type of testing into your pipeline to maximize speed and coverage, as well as discuss how to fit this offensive cyber security approach alongside your existing vulnerability scanning programs. Whether you're a vehicle manufacturer, integrator, or OEM - we'll discuss how to leverage hacking-based security techniques to improve protection across the supply chain and keep vehicles and drivers safer. What we'll cover:
- Successful exploits of components and vehicles - what these attacks had in common
- Layering offensive techniques atop existing security programs - what to do and what to avoid
- How to test integrated systems with multiple components from different OEMs working in tandem
- Integrating offensive testing into different stages in software development and component integration
Originally presented at https://www.automotive-iq.com/events-automotive-cybersecurity
Attacking and Exploiting Ethereum Smart Contracts: Auditing 101 (Simone Onofri)
After web 1.0 and web 2.0, web3 has arrived! After a brief introduction, where we will look at the evolution of the web and what has changed as far as security is concerned, we will dive into blockchain to understand how to attack Smart Contracts on Ethereum, how these intersect with more classic vulnerabilities, and what are the main vulnerabilities we can find in contracts written in Solidity.
The document discusses code coverage from the perspective of DO178B certification. It explains that testing of code coverage is essential for safety-critical software certification. It describes the five levels of software criticality in DO178B from Level A to E, with A being the highest. The level of testing required varies according to the software's criticality level, from no structural testing needed for Level D to modified condition/decision coverage required for Level A.
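The MC/DC criterion required for Level A is short to state and easy to get wrong in a test suite: for every condition in a decision there must be a pair of test vectors that differ only in that condition and flip the decision. As an added example, not taken from the document, here is a Python check that reports which conditions lack such an independence pair in a given vector set, contrasts it with plain decision coverage, and finds a minimal MC/DC set by brute force. The interlock decision and the vectors are constructed for the example.

```python
"""MC/DC check for a boolean decision's test vectors.

Added example, not from the page: DO-178B requires modified condition /
decision coverage (MC/DC) for Level A software, i.e. each condition in a
decision must be shown to independently change the decision's outcome.
The sample decision below is a constructed interlock (an assumption made
for the example).
"""
from itertools import combinations, product
from typing import Callable, Dict, List, Sequence, Set, Tuple

Vector = Tuple[bool, ...]
Decision = Callable[..., bool]


def flip(vector: Vector, index: int) -> Vector:
    """Copy of `vector` with condition `index` toggled."""
    return tuple(not b if k == index else b for k, b in enumerate(vector))


def independence_pairs(decision: Decision, n_conditions: int,
                       vectors: Sequence[Vector]) -> Dict[int, List[Tuple[Vector, Vector]]]:
    """For each condition, the pairs in `vectors` that differ only in that
    condition and yield different decision outcomes (the MC/DC evidence)."""
    seen: Set[Vector] = set(vectors)
    pairs: Dict[int, List[Tuple[Vector, Vector]]] = {i: [] for i in range(n_conditions)}
    for v in sorted(seen):
        for i in range(n_conditions):
            if v[i]:                      # count each pair once, from its False side
                continue
            w = flip(v, i)
            if w in seen and decision(*v) != decision(*w):
                pairs[i].append((v, w))
    return pairs


def uncovered_conditions(decision: Decision, n_conditions: int,
                         vectors: Sequence[Vector]) -> List[int]:
    """Indices of conditions that have no independence pair in `vectors`."""
    pairs = independence_pairs(decision, n_conditions, vectors)
    return [i for i in range(n_conditions) if not pairs[i]]


def decision_coverage(decision: Decision, vectors: Sequence[Vector]) -> bool:
    """The weaker criterion: both outcomes of the decision were observed."""
    return {decision(*v) for v in vectors} == {True, False}


def minimal_mcdc_set(decision: Decision, n_conditions: int) -> List[Vector]:
    """Smallest vector set achieving MC/DC, by searching subsets of the truth table."""
    table = list(product([False, True], repeat=n_conditions))
    for size in range(1, len(table) + 1):
        for subset in combinations(table, size):
            if not uncovered_conditions(decision, n_conditions, subset):
                return list(subset)
    raise ValueError("some condition can never independently affect this decision")


# Constructed sample decision: the drive may engage if the door is closed and
# either the speed is zero or a maintenance override is active.
def drive_enable(door_closed: bool, speed_zero: bool, override: bool) -> bool:
    return door_closed and (speed_zero or override)


if __name__ == "__main__":
    weak = [(True, True, True), (False, False, False)]   # both outcomes, no MC/DC evidence
    print("decision coverage:", decision_coverage(drive_enable, weak))
    print("conditions without MC/DC evidence:", uncovered_conditions(drive_enable, 3, weak))
    print("minimal MC/DC set:", minimal_mcdc_set(drive_enable, 3))
```

The two-vector set already satisfies decision coverage, which is why decision coverage is acceptable for lower criticality levels but not for Level A: neither the door nor the speed nor the override is shown to matter on its own. For a decision with N conditions MC/DC needs at least N+1 vectors, and the brute-force search confirms that four suffice for the interlock.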
Variability-Aware Safety Analysis using Delta Component Fault Diagrams
Christoph Seidl, Technische Universität Dresden, Software Technology Group, 01062 Dresden, Germany
Ina Schaefer, Technische Universität Braunschweig, Software Engineering Institute, 38106 Braunschweig, Germany
Uwe Aßmann, Technische Universität Dresden, Software Technology Group, 01062 Dresden, Germany
ABSTRACT
Component Fault Diagrams (CFD) allow the specification of fault propagation paths, which is employed for the design of safety-critical systems as well as their certification. Even though families of safety-critical systems exist with many similar, yet not equal, variants, there is no dedicated variability mechanism for CFDs to reuse commonalities of all family members and to alter only variable parts. In this paper, we present a variability representation approach for CFDs based on delta modeling that allows an initial CFD to be transformed within a closed or open variant space. Furthermore, we provide delta-aware analysis techniques for CFDs in order to analyse multiple variants efficiently. We show the feasibility of our approach by means of an example scenario based on the personal home robot TurtleBot using a prototypical implementation of our concepts.
Categories and Subject Descriptors
D.2.2 [Software Engineering]: Design Tools and Techniques—Modules and interfaces; D.2.4 [Software Engineering]: Software/Program Verification—Formal methods
General Terms
Algorithms, Measurement
Keywords
Delta Modeling, Component Fault Diagrams, Software Fault Trees, Safety, Variability, Minimum Cut Set
SPLC 2013 workshops, August 26-30, 2013, Tokyo, Japan. Copyright 2013 ACM 978-1-4503-2325-3/13/08.
1. INTRODUCTION
Safety-critical systems contain software controlling hardware that is capable of causing harm to humans or to the environment through accidents, e.g., in domains such as the defense sector, automated processing or personal robotics. In order to assure safety, safety-critical systems are certified by independent certification authorities, which require extensive documentation of the system's safety aspects in the form of safety artifacts such as Component Fault Diagrams (CFDs) [9] (see Section 2).
Many similar, yet not equal, software systems are built that address similar tasks but adhere to specific require ...
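As an added example (not code from the paper or its prototype implementation), the following Python sketch shows the idea behind delta-modelled fault trees together with the minimum cut set analysis named in the keywords: a constructed base component fault tree for a home robot, two deltas that turn it into variants, and a cut-set computation run per variant so that a single point of failure introduced or removed by a delta becomes visible. All gate, event and delta names are assumptions made for the example; the paper's own CFD notation and delta operations are not reproduced.

```python
"""Delta-modelled fault tree with minimal cut set analysis.

Added example, not code from the paper or its prototype: a tiny fault tree
for a constructed home-robot scenario, deltas that transform it into
variants, and a minimal cut set computation run on each variant. Every
component, gate, event and delta name here is an assumption made for the
example.
"""
from copy import deepcopy
from itertools import product
from typing import Dict, FrozenSet, List, Sequence, Set, Tuple

Gate = Tuple[str, List[str]]     # ("AND" | "OR", names of the gate's inputs)
FaultTree = Dict[str, Gate]      # gate name -> gate; any other name is a basic event
CutSets = Set[FrozenSet[str]]

# Constructed base variant: a collision happens if motion is commanded wrongly
# while the watchdog is dead, or if an obstacle goes undetected (lidar only).
BASE_TREE: FaultTree = {
    "collision": ("OR", ["motion_fault", "obstacle_undetected"]),
    "motion_fault": ("AND", ["cmd_error", "watchdog_dead"]),
    "obstacle_undetected": ("OR", ["lidar_fault"]),
}

# Constructed deltas: each is a list of operations applied to a copy of the tree.
DELTAS: Dict[str, List[tuple]] = {
    # variant with a bumper: obstacle detection now needs both sensors to fail
    "bumper": [("set_gate", "obstacle_undetected", "AND", ["lidar_fault", "bumper_fault"])],
    # cost-reduced variant without watchdog: a command error alone causes motion fault
    "no_watchdog": [("set_gate", "motion_fault", "OR", ["cmd_error"])],
}


def apply_deltas(tree: FaultTree, deltas: Dict[str, List[tuple]],
                 names: Sequence[str]) -> FaultTree:
    """Return a new tree with the named deltas applied in order; `tree` is untouched."""
    variant = deepcopy(tree)
    for name in names:
        for op in deltas[name]:
            if op[0] == "set_gate":          # add or replace a gate
                _, gate, kind, inputs = op
                variant[gate] = (kind, list(inputs))
            elif op[0] == "remove_gate":     # gate disappears; its name becomes a basic event
                del variant[op[1]]
            elif op[0] == "add_input":
                kind, inputs = variant[op[1]]
                variant[op[1]] = (kind, inputs + [op[2]])
            elif op[0] == "remove_input":
                kind, inputs = variant[op[1]]
                variant[op[1]] = (kind, [i for i in inputs if i != op[2]])
            else:
                raise ValueError(f"unknown delta operation {op[0]!r}")
    return variant


def minimize(cut_sets: CutSets) -> CutSets:
    """Drop every cut set that is a strict superset of another one."""
    return {c for c in cut_sets if not any(o < c for o in cut_sets)}


def minimal_cut_sets(tree: FaultTree, node: str) -> CutSets:
    """Minimal cut sets of `node`: smallest sets of basic events that cause it."""
    if node not in tree:                          # basic event: it is its own cut set
        return {frozenset([node])}
    kind, inputs = tree[node]
    child_sets = [minimal_cut_sets(tree, child) for child in inputs]
    if kind == "OR":                              # any one input suffices
        combined: CutSets = set().union(*child_sets)
    elif kind == "AND":                           # one cut set from every input, merged
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate type {kind!r} at {node}")
    return minimize(combined)


def single_points_of_failure(cut_sets: CutSets) -> Set[str]:
    """Basic events that alone cause the top event (cut sets of size one)."""
    return {next(iter(c)) for c in cut_sets if len(c) == 1}


def analyse_variants(tree: FaultTree, deltas: Dict[str, List[tuple]],
                     variants: Dict[str, Sequence[str]], top: str):
    """Minimal cut sets and single points of failure for each named variant."""
    report = {}
    for label, delta_names in variants.items():
        cuts = minimal_cut_sets(apply_deltas(tree, deltas, delta_names), top)
        report[label] = (cuts, single_points_of_failure(cuts))
    return report


if __name__ == "__main__":
    variants = {"base": [], "with_bumper": ["bumper"], "no_watchdog": ["no_watchdog"],
                "bumper_no_watchdog": ["bumper", "no_watchdog"]}
    for label, (cuts, spof) in analyse_variants(BASE_TREE, DELTAS, variants, "collision").items():
        print(f"{label}: cut sets={[sorted(c) for c in cuts]}, single points of failure={sorted(spof)}")
```

The point of keeping deltas separate from the base tree is the one the abstract makes: a family member is described by the base plus the deltas it selects, and the analysis is rerun per variant rather than maintaining one hand-edited tree per product. Here the "bumper" delta removes the lidar as a single point of failure, while "no_watchdog" introduces the command error as a new one; a certifier reviewing the family can see both effects from the cut sets alone.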
[2022.02] Umee blockchain - Final Report - Public(1).pdf (KennyNajarro2)
The document provides an overview of Trail of Bits, a security consulting firm that conducted a security assessment of Umee. Trail of Bits has extensive experience securing critical software and infrastructure. The assessment identified several significant vulnerabilities, including issues that could allow attackers to manipulate prices provided to the oracle, disable the use of assets as collateral, and crash nodes by triggering integer overflows. The report also notes concerns around exchange rate manipulation and a lack of comprehensive simulation testing.
The document summarizes a source code audit of The Update Framework conducted by X41 D-Sec GmbH. The audit found 4 vulnerabilities, with 1 rated as medium severity and 3 as low severity. An additional 8 issues with no direct security impact were identified. The most severe issue allows an attacker with local system access to read private key files, potentially allowing signing of malicious updates. Overall the project shows high security maturity through its use of a human-readable specification. Further testing of dependencies is recommended.
Deployment of Debug and Trace for features in RISC-V Core (IRJET Journal)
1) The document discusses verification and debugging techniques for RISC-V cores, specifically using instruction and data tracing.
2) It describes the phases of verification including test planning, testbench building, test writing, code coverage analysis, and debugging.
3) Debugging with tracing allows reconstructing the program flow by decoding traced instruction and data accesses and comparing them to the simulation flow to check for errors.
This document discusses securing layer 2 switching by implementing port security on network switches. It begins by explaining how switches can be configured to filter traffic and thwart attacks at layer 2. It then discusses how port security allows limiting the number of MAC addresses learned on each switch port, preventing MAC flooding attacks. The document provides examples of configuring port security and outlines some other layer 2 security vulnerabilities to address for a more complete layer 2 security solution. It concludes by promoting additional network security courses from Global Knowledge that cover related topics.
This year, the focus goes beyond technology to mining business insights around how cloud enables strategic industry trends such as Open and Virtual Banking and Insurance, Security and Compliance, Data Analytics and AI/ ML, FinTech and RegTech, Surveillance and more through sharing of best practices and use cases. In sessions led by customers, partners, industry leaders and AWS subject matter experts, you’ll learn how AWS helps financial institutions to focus on the innovation and outcomes that truly drive business forward. Business stakeholders, market makers, and technology owners will all learn something new, valuable and actionable.
This document discusses implementing a lightweight zero-trust network using the open source tools Keycloak and NGINX. It begins by explaining the transition from a traditional network security model with clear boundaries between public and private networks to a zero-trust model where security boundaries are defined individually for each service or pod. It then covers how to implement the underlying technologies of JWT validation, mutual TLS authentication, and OAuth MTLS using Keycloak as an authorization server and NGINX as an API gateway. Additional topics discussed include how to secure east-west internal traffic and resolve potential policy decision point chokepoints.
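The JWT validation step is where a zero-trust gateway or service either enforces the per-service boundary or silently gives it away. As an added example, not code from the talk nor from Keycloak or NGINX, here is a stdlib-only Python verifier that performs the checks a service must make on every bearer token before trusting its claims: fixed algorithm (so an "alg":"none" token is refused), constant-time signature comparison over the bytes received, and issuer, audience, expiry and not-before checks. Keycloak issues RS256 tokens that are verified against the realm's published JWKS; this example uses HS256 with a shared secret so it runs offline (an assumption made for the example), but the claim checks are the same. The issuer URL, audience and secret are constructed.

```python
"""JWT validation as a zero-trust service or API gateway performs it.

Added example, not from the talk and not Keycloak or NGINX code: HS256 with
a shared secret is used here so the example is stdlib-only and offline (an
assumption made for the example); Keycloak tokens are RS256-signed and are
verified against the realm's JWKS instead. Issuer, audience and secret
below are constructed values.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional


class TokenError(Exception):
    """Raised for every reason a token must not be trusted."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: Dict[str, Any], key: bytes, alg: str = "HS256") -> str:
    """Build a token. alg="none" yields an unsigned token, the classic forgery
    a verifier must refuse; it exists here only to construct test input."""
    header = {"alg": alg, "typ": "JWT"}
    parts = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    sig = b"" if alg == "none" else hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_token(token: str, key: bytes, issuer: str, audience: str,
                 now: Optional[float] = None) -> Dict[str, Any]:
    """Return the claims if the token is acceptable, otherwise raise TokenError."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        signature = _b64url_decode(s_b64)
    except ValueError as exc:                      # wrong part count, bad base64 or JSON
        raise TokenError("malformed token") from exc
    # 1. The algorithm is fixed by the verifier, never taken from the token.
    if header.get("alg") != "HS256":
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    # 2. Signature over exactly the bytes received, compared in constant time.
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    try:
        claims = json.loads(_b64url_decode(p_b64))
    except ValueError as exc:
        raise TokenError("malformed claims") from exc
    # 3. Only once the signature holds are the claims worth reading.
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")                        # RFC 7519 allows a string or a list
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("token not issued for this audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise TokenError("expired or missing exp")
    nbf = claims.get("nbf")
    if nbf is not None and now < nbf:
        raise TokenError("token not yet valid")
    return claims


def rejection_reason(token: str, key: bytes, issuer: str, audience: str,
                     now: Optional[float] = None) -> Optional[str]:
    """None if the token is accepted, otherwise the reason it was rejected."""
    try:
        verify_token(token, key, issuer, audience, now)
        return None
    except TokenError as exc:
        return str(exc)


# Constructed values for the demo and tests.
SECRET = b"constructed-shared-secret-not-for-production"
ISSUER = "https://idp.example/realms/demo"        # hypothetical Keycloak realm URL
AUDIENCE = "orders-api"
NOW = 1_700_000_000
GOOD_CLAIMS = {"iss": ISSUER, "aud": [AUDIENCE, "account"], "sub": "alice",
               "exp": NOW + 300, "nbf": NOW - 5, "scope": "orders:read"}

if __name__ == "__main__":
    token = mint_token(GOOD_CLAIMS, SECRET)
    print("good token:", rejection_reason(token, SECRET, ISSUER, AUDIENCE, NOW))
    print("alg none:", rejection_reason(mint_token(GOOD_CLAIMS, SECRET, alg="none"), SECRET, ISSUER, AUDIENCE, NOW))
    print("other key:", rejection_reason(token, b"other-key", ISSUER, AUDIENCE, NOW))
```

The audience check is what makes the boundary per-service rather than per-realm: a token minted for one API must not be accepted by another even though both trust the same issuer, which is exactly the east-west case the talk raises. When the gateway does this check centrally, the policy-decision chokepoint the talk mentions is avoided by having each service repeat the same verification locally against the cached JWKS instead of calling the authorization server per request.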
HD Video Player All Format - 4k & live streamHD Video Player
Discover the best video playback experience with HD Video Player. Our powerful, user-friendly app supports all popular video formats and codecs, ensuring seamless playback of your favorite videos in stunning HD and 4K quality. Whether you're watching movies, TV shows, or personal videos, HD Video Player provides the ultimate viewing experience on your device. 🚀
From Teacher to OnlyFans: Brianna Coppage's Story at 28get joys
At 28, Brianna Coppage left her teaching career to become an OnlyFans content creator. This bold move into digital entrepreneurship allowed her to harness her creativity and build a new identity. Brianna's experience highlights the intersection of technology and personal branding in today's economy.
Sara Saffari: Turning Underweight into Fitness Success at 23get joys
Uncover the remarkable journey of Sara Saffari, whose transformation from underweight struggles to being recognized as a fitness icon at 23 underscores the importance of perseverance, discipline, and embracing a healthy lifestyle.
Leonardo DiCaprio Super Bowl: Hollywood Meets America’s Favorite Gamegreendigital
Introduction
Leonardo DiCaprio is synonymous with Hollywood stardom and acclaimed performances. has a unique connection with one of America's most beloved sports events—the Super Bowl. The "Leonardo DiCaprio Super Bowl" phenomenon combines the worlds of cinema and sports. drawing attention from fans of both domains. This article delves into the multifaceted relationship between DiCaprio and the Super Bowl. exploring his appearances at the event, His involvement in Super Bowl advertisements. and his cultural impact that bridges the gap between these two massive entertainment industries.
Follow us on: Pinterest
Leonardo DiCaprio: The Hollywood Icon
Early Life and Career Beginnings
Leonardo Wilhelm DiCaprio was born in Los Angeles, California, on November 11, 1974. His journey to stardom began at a young age with roles in television commercials and educational programs. DiCaprio's breakthrough came with his portrayal of Luke Brower in the sitcom "Growing Pains" and later as Tobias Wolff in "This Boy's Life" (1993). where he starred alongside Robert De Niro.
Rise to Stardom
DiCaprio's career skyrocketed with his performance in "What's Eating Gilbert Grape" (1993). earning him his first Academy Award nomination. He continued to gain acclaim with roles in "Romeo + Juliet" (1996) and "Titanic" (1997). the latter of which cemented his status as a global superstar. Over the years, DiCaprio has showcased his versatility in films like "The Aviator" (2004). "Start" (2010), and "The Revenant" (2015), for which he finally won an Academy Award for Best Actor.
Environmental Activism
Beyond his film career, DiCaprio is also renowned for his environmental activism. He established the Leonardo DiCaprio Foundation in 1998, focusing on global conservation efforts. His commitment to ecological issues often intersects with his public appearances. including those related to the Super Bowl.
The Super Bowl: An American Institution
History and Significance
The Super Bowl is the National Football League (NFL) championship game. is one of the most-watched sporting events in the world. First played in 1967, the Super Bowl has evolved into a cultural phenomenon. featuring high-profile halftime shows, memorable advertisements, and significant media coverage. The event attracts a diverse audience, from avid sports fans to casual viewers. making it a prime platform for celebrities to appear.
Entertainment and Advertisements
The Super Bowl is not only about football but also about entertainment. The halftime show features performances by some of the biggest names in the music industry. while the commercials are often as anticipated as the game itself. Companies invest millions in Super Bowl ads. creating iconic and sometimes controversial commercials that capture public attention.
Leonardo DiCaprio's Super Bowl Appearances
A Celebrity Among the Fans
Leonardo DiCaprio's presence at the Super Bowl has noted several times. As a high-profile celebrity. DiCaprio attracts
Tom Cruise Daughter: An Insight into the Life of Suri Cruisegreendigital
Tom Cruise is a name that resonates with global audiences for his iconic roles in blockbuster films and his dynamic presence in Hollywood. But, beyond his illustrious career, Tom Cruise's personal life. especially his relationship with his daughter has been a subject of public fascination and media scrutiny. This article delves deep into the life of Tom Cruise daughter, Suri Cruise. Exploring her upbringing, the influence of her parents, and her current life.
Follow us on: Pinterest
Introduction: The Fame Surrounding Tom Cruise Daughter
Suri Cruise, the daughter of Tom Cruise and Katie Holmes, has been in the public eye since her birth on April 18, 2006. Thanks to the media's relentless coverage, the world watched her grow up. As the daughter of one of Hollywood's most renowned actors. Suri has had a unique upbringing marked by privilege and scrutiny. This article aims to provide a comprehensive overview of Suri Cruise's life. Her relationship with her parents, and her journey so far.
Early Life of Tom Cruise Daughter
Birth and Immediate Fame
Suri Cruise was born in Santa Monica, California. and from the moment she came into the world, she was thrust into the limelight. Her parents, Tom Cruise and Katie Holmes. Were one of Hollywood's most talked-about couples at the time. The birth of their daughter was a anticipated event. and Suri's first public appearance in Vanity Fair magazine set the tone for her life in the public eye.
The Impact of Celebrity Parents
Having celebrity parents like Tom Cruise and Katie Holmes comes with its own set of challenges and privileges. Suri Cruise's early life marked by a whirlwind of media attention. paparazzi, and public interest. Despite the constant spotlight. Her parents tried to provide her with an upbringing that was as normal as possible.
The Influence of Tom Cruise and Katie Holmes
Tom Cruise's Parenting Style
Tom Cruise known for his dedication and passion in both his professional and personal life. As a father, Cruise has described as loving and protective. His involvement in the Church of Scientology, but, has been a point of contention and has influenced his relationship with Suri. Cruise's commitment to Scientology has reported to be a significant factor in his and Holmes' divorce and his limited public interactions with Suri.
Katie Holmes' Role in Suri's Life
Katie Holmes has been Suri's primary caregiver since her separation from Tom Cruise in 2012. Holmes has provided a stable and grounded environment for her daughter. She moved to New York City with Suri to start a new chapter in their lives away from the intense scrutiny of Hollywood.
Suri Cruise: Growing Up in the Spotlight
Media Attention and Public Interest
From stylish outfits to everyday activities. Suri Cruise has been a favorite subject for tabloids and entertainment news. The constant media attention has shaped her childhood. Despite this, Suri has managed to maintain a level of normalcy, thanks to her mother's efforts.
The Evolution and Impact of Tom Cruise Long Hairgreendigital
Tom Cruise is one of Hollywood's most iconic figures, known for his versatility, charisma, and dedication to his craft. Over the decades, his appearance has been almost as dynamic as his filmography, with one aspect often drawing significant attention: his hair. In particular, Tom Cruise long hair has become a defining feature in various phases of his career. symbolizing different roles and adding layers to his on-screen characters. This article delves into the evolution of Tom Cruise long hair, its impact on his roles. and its influence on popular culture.
Follow us on: Pinterest
Introduction
Tom Cruise long hair has often been more than a style choice. it has been a significant element of his persona both on and off the screen. From the tousled locks of the rebellious Maverick in "Top Gun" to the sleek, sophisticated mane in "Mission: Impossible II." Cruise's hair has played a pivotal role in shaping his image and the characters he portrays. This article explores the various stages of Tom Cruise long hair. Examining how this iconic look has evolved and influenced his career and broader fashion trends.
Early Days: The Emergence of a Style Icon
The 1980s: The Birth of a Star
In the early stages of his career during the 1980s, Tom Cruise sported a range of hairstyles. but in "Top Gun" (1986), his hair began to gain significant attention. Though not long by later standards, his hair in this film was longer than the military crew cuts associated with fighter pilots. adding a rebellious edge to his character, Pete "Maverick" Mitchell.
Risky Business: The Transition Begins
In "Risky Business" (1983). Tom Cruise's hair was short but longer than the clean-cut styles dominant at the time. This look complemented his role as a high school student stepping into adulthood. embodying a sense of youthful freedom and experimentation. It was a precursor to the more dramatic hair transformations in his career.
The 1990s: Experimentation and Iconic Roles
Far and Away: Embracing Length
One of the first films in which Tom Cruise embraced long hair was "Far and Away" (1992). Playing the role of Joseph. an Irish immigrant in 1890s America, Cruise's long, hair added authenticity to his character's rugged and determined persona. This look was a stark departure from his earlier. more polished styles and marked the beginning of a more adventurous phase in his hairstyle choices.
Interview with the Vampire: Gothic Elegance
In "Interview with the Vampire" (1994). Tom Cruise long hair reached new lengths of sophistication and elegance. Portraying the vampire Lestat. Cruise's flowing blonde locks were integral to the character's ethereal and timeless allure. This hairstyle not only suited the gothic aesthetic of the film but also showcased Cruise's ability to transform his appearance for a role.
Mission: Impossible II: The Pinnacle of Long Hair
One of the most memorable instances of Tom Cruise long hair came in "Mission: Impossible II" (2000). His character, Ethan
Morgan Freeman is Jimi Hendrix: Unveiling the Intriguing Hypothesisgreendigital
In celebrity mysteries and urban legends. Few narratives capture the imagination as the hypothesis that Morgan Freeman is Jimi Hendrix. This fascinating theory posits that the iconic actor and the legendary guitarist are, in fact, the same person. While this might seem like a far-fetched notion at first glance. a deeper exploration reveals a rich tapestry of coincidences, speculative connections. and a surprising alignment of life events fueling this captivating hypothesis.
Follow us on: Pinterest
Introduction to the Hypothesis: Morgan Freeman is Jimi Hendrix
The idea that Morgan Freeman is Jimi Hendrix stems from a mix of historical anomalies, physical resemblances. and a penchant for myth-making that surrounds celebrities. While Jimi Hendrix's official death in 1970 is well-documented. some theorists suggest that Hendrix did not die but instead reinvented himself as Morgan Freeman. a man who would become one of Hollywood's most revered actors. This article aims to delve into the various aspects of this hypothesis. examining its origins, the supporting arguments. and the cultural impact of such a theory.
The Genesis of the Theory
Early Life Parallels
The hypothesis that Morgan Freeman is Jimi Hendrix begins by comparing their early lives. Jimi Hendrix, born Johnny Allen Hendrix in Seattle, Washington, on November 27, 1942. and Morgan Freeman, born on June 1, 1937, in Memphis, Tennessee, have lived very different lives. But, proponents of the theory suggest that the five-year age difference is negligible and point to Freeman's late start in his acting career as evidence of a life lived before under a different identity.
The Disappearance and Reappearance
Jimi Hendrix's death in 1970 at the age of 27 is a well-documented event. But, theorists argue that Hendrix's death staged. and he reemerged as Morgan Freeman. They highlight Freeman's rise to prominence in the early 1970s. coinciding with Hendrix's supposed death. Freeman's first significant acting role came in 1971 on the children's television show "The Electric Company," a mere year after Hendrix's passing.
Physical Resemblances
Facial Structure and Features
One of the most compelling arguments for the hypothesis that Morgan Freeman is Jimi Hendrix lies in the physical resemblance between the two men. Analyzing photographs, proponents point out similarities in facial structure. particularly the cheekbones and jawline. Both men have a distinctive gap between their front teeth. which is rare and often highlighted as a critical point of similarity.
Voice and Mannerisms
Supporters of the theory also draw attention to the similarities in their voices. Jimi Hendrix known for his smooth, distinctive speaking voice. which, according to some, resembles Morgan Freeman's iconic, deep, and soothing voice. Additionally, both men share certain mannerisms. such as their calm demeanor and eloquent speech patterns.
Artistic Parallels
Musical and Acting Talents
Jimi Hendrix was regarded as one of t
Leonardo DiCaprio House: A Journey Through His Extravagant Real Estate Portfoliogreendigital
Introduction
Leonardo DiCaprio, A name synonymous with Hollywood excellence. is not only known for his stellar acting career but also for his impressive real estate investments. The "Leonardo DiCaprio house" is a topic that piques the interest of many. as the Oscar-winning actor has amassed a diverse portfolio of luxurious properties. DiCaprio's homes reflect his varied tastes and commitment to sustainability. from retreats to historic mansions. This article will delve into the fascinating world of Leonardo DiCaprio's real estate. Exploring the details of his most notable residences. and the unique aspects that make them stand out.
Follow us on: Pinterest
Leonardo DiCaprio House: Malibu Beachfront Retreat
A Prime Location
His Malibu beachfront house is one of the most famous properties in Leonardo DiCaprio's real estate portfolio. Situated in the exclusive Carbon Beach. also known as "Billionaire's Beach," this property boasts stunning ocean views and private beach access. The "Leonardo DiCaprio house" in Malibu is a testament to the actor's love for the sea and his penchant for luxurious living.
Architectural Highlights
The Malibu house features a modern design with clean lines, large windows. and open spaces blending indoor and outdoor living. The expansive deck and patio areas provide ample space for entertaining guests or enjoying a quiet sunset. The house has state-of-the-art amenities. including a gourmet kitchen, a home theatre, and many guest suites.
Sustainable Features
Leonardo DiCaprio is a well-known environmental activist. whose Malibu house reflects his commitment to sustainability. The property incorporates solar panels, energy-efficient appliances, and sustainable building materials. The landscaping around the house is also designed to be water-efficient. featuring drought-resistant plants and intelligent irrigation systems.
Leonardo DiCaprio House: Hollywood Hills Hideaway
Privacy and Seclusion
Another remarkable property in Leonardo DiCaprio's collection is his Hollywood Hills house. This secluded retreat offers privacy and tranquility. making it an ideal escape from the hustle and bustle of Los Angeles. The "Leonardo DiCaprio house" in Hollywood Hills nestled among lush greenery. and offers panoramic views of the city and surrounding landscapes.
Design and Amenities
The Hollywood Hills house is a mid-century modern gem characterized by its sleek design and floor-to-ceiling windows. The open-concept living space is perfect for entertaining. while the cozy bedrooms provide a comfortable retreat. The property also features a swimming pool, and outdoor dining area. and a spacious deck that overlooks the cityscape.
Environmental Initiatives
The Hollywood Hills house incorporates several green features that are in line with DiCaprio's environmental values. The home has solar panels, energy-efficient lighting, and a rainwater harvesting system. Additionally, the landscaping designed to support local wildlife and promote
The Future of Independent Filmmaking Trends and Job OpportunitiesLetsFAME
The landscape of independent filmmaking is evolving at an unprecedented pace. Technological advancements, changing consumer preferences, and new distribution models are reshaping the industry, creating new opportunities and challenges for filmmakers and film industry jobs. This article explores the future of independent filmmaking, highlighting key trends and emerging job opportunities.
The cats, Sunny and Rishi, are brothers who live with their sister, Jessica, and their grandmother, Susie. They work as cleaners but wish to seek other kinds of employment that are better than their current jobs. New career adventures await Sunny and Rishi!
Taylor Swift: Conquering Fame, Feuds, and Unmatched Success | CIO Women MagazineCIOWomenMagazine
From country star to global phenomenon, delve into Taylor Swift's incredible journey. Explore chart-topping hits, feuds, & her rise to billionaire status!
Table of Contents
Summary
Overview
Project Summary
Audit Summary
Vulnerability Summary
Audit Scope
Findings
AMA-01 : Ineffective `isContract()` Check
MAA-01 : Potential Risks on Approval/TransferFrom Methods
MAA-02 : Public Function that Could be Declared External
MAA-03 : Initial token distribution
MAC-01 : Vesting duration too short
MAC-02 : Centralization Risk
MAE-01 : Centralization Risk
MAM-01 : Centralization Risk
MAP-01 : Centralization Risk
MAP-02 : Missing Validation for total amount
MAT-01 : Vesting duration too short
MAT-02 : Centralization Risk
Appendix
Disclaimer
About
My Master WAR Security Assessment
Summary
This report has been prepared for My Master WAR to discover issues and vulnerabilities in the source code
of the My Master WAR project as well as any contract dependencies that were not part of an officially
recognized library. A comprehensive examination has been performed, utilizing Static Analysis and Manual
Review techniques.
The auditing process pays special attention to the following considerations:
Testing the smart contracts against both common and uncommon attack vectors.
Assessing the codebase to ensure compliance with current best practices and industry standards.
Ensuring contract logic meets the specifications and intentions of the client.
Cross referencing contract structure and implementation against similar smart contracts produced
by industry leaders.
Thorough line-by-line manual review of the entire codebase by industry experts.
The security assessment resulted in findings that ranged from critical to informational. We recommend
addressing these findings to ensure a high level of security standards and industry practices.
We also suggest the following recommendations, which could better serve the project from a security
perspective:
Enhance general coding practices for better structures of source codes;
Add enough unit tests to cover the possible use cases;
Provide more comments per each function for readability, especially contracts that are verified in
public;
Provide more transparency on privileged activities once the protocol is live.
Overview
Project Summary
Project Name: My Master WAR
Description: DeFi
Platform: Ethereum
Language: Solidity
Codebase:
https://github.com/MyMasterWar/MAT-erc20/tree/1a37ac523295601bad40fab657c1a6647085d739
https://github.com/MyMasterWar/MAT-claim
Commit:
1a37ac523295601bad40fab657c1a6647085d739
46a88f7c862b9a45ef44a04dc737077ba99ab834
8231f7c8149b09b3d1820ff889cd2957e046b42e
Audit Summary
Delivery Date: Oct 04, 2021
Audit Methodology: Static Analysis, Manual Review
Key Components:
Vulnerability Summary
Vulnerability Level | Total | Pending | Declined | Acknowledged | Partially Resolved | Resolved
Critical | 0 | 0 | 0 | 0 | 0 | 0
Major | 6 | 0 | 0 | 0 | 6 | 0
Medium | 1 | 0 | 0 | 0 | 0 | 1
Minor | 4 | 0 | 0 | 1 | 0 | 3
Informational | 1 | 0 | 0 | 0 | 0 | 1
Discussion | 0 | 0 | 0 | 0 | 0 | 0
Audit Scope
ID File SHA256 Checksum
BEP contracts/ERC20/BEP20.sol 24706a337b39e0a035c54c489b583b9d69e6642eca75e2fdc02239fc77c9c48b
IBE contracts/ERC20/IBEP20.sol afc0a51377b2d84a9e6df323b6e61b1c4688d9546c83f702e0e8c738d24774b1
IBP contracts/ERC20/IBEP20Metadata.sol 573808a11e25bfb889a00391e30d8e6a7860e87251ab069af149b1146ded4b28
SBE contracts/ERC20/SafeBEP20.sol 2d0197ae0ad87713a28aec66b866f368a7aad45b0a2de03c63a6d4c1b25fe655
OMA contracts/access/Ownable.sol 3f4b02cdb1bc35cd0fdc225d7feb55236d31e8e382685b6685273d64332cb941
AMA contracts/util/Address.sol 274634e4c81504956c51b25ae887062e79f10497ebc2a12441de4ce5fde49a8b
CMA contracts/util/Context.sol dd81b252b7a67cc5abef9a6d2e6731a00a217620d14133797cdf06ca22aa63f8
SMM contracts/util/SafeMath.sol 517d4367224491a4cd8e145f020fb17615a5620779b813d8989b8b33ec77ea90
MAA contracts/MAT.sol c316fc1c20f2d4975d4e40d7df93bda1fb668ab6a5c5de94426a21b11f7cacb2
Findings
ID | Title | Category | Severity | Status
AMA-01 | Ineffective isContract() Check | Volatile Code | Medium | Resolved
MAA-01 | Potential Risks on Approval/TransferFrom Methods | Mathematical Operations | Minor | Resolved
MAA-02 | Public Function that Could be Declared External | Gas Optimization | Informational | Resolved
MAA-03 | Initial token distribution | Centralization / Privilege | Major | Partially Resolved
MAC-01 | Vesting duration too short | Logical Issue | Minor | Resolved
MAC-02 | Centralization Risk | Centralization / Privilege | Major | Partially Resolved
MAE-01 | Centralization Risk | Centralization / Privilege | Major | Partially Resolved
MAM-01 | Centralization Risk | Centralization / Privilege | Major | Partially Resolved
MAP-01 | Centralization Risk | Centralization / Privilege | Major | Partially Resolved
MAP-02 | Missing Validation for total amount | Logical Issue | Minor | Acknowledged
MAT-01 | Vesting duration too short | Logical Issue | Minor | Resolved
MAT-02 | Centralization Risk | Centralization / Privilege | Major | Partially Resolved
Total Issues: 12
Critical 0 (0.00%)
Major 6 (50.00%)
Medium 1 (8.33%)
Minor 4 (33.33%)
Informational 1 (8.33%)
Discussion 0 (0.00%)
AMA-01 | Ineffective isContract() Check
Category Severity Location Status
Volatile Code Medium contracts/Address.sol (sale): 23~33 Resolved
Description
The implementation of the isContract check cannot cover all scenarios. The check can be bypassed if
the call comes from the constructor of a smart contract, or from a contract that has already been
destroyed, because in both cases the code size of the caller is zero.
The "isContract" function in the OpenZeppelin "Address" library uses the same implementation, but
comments mention that "it's unsafe to rely on the check and it can be bypassed". Reference:
https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/utils/Address.sol
Recommendation
It is recommended to add the additional msg.sender == tx.origin check to cover all the scenarios. Do
note that the check still works for the current EVM (London) version, but future updates to the EVM or EIP
(ex. EIP-3074) might cause the check to become ineffective.
modifier notContract() {
    require((!_isContract(msg.sender)) && (msg.sender == tx.origin), "contract not allowed");
    _;
}

function _isContract(address addr) internal view returns (bool) {
    uint256 size;
    assembly {
        size := extcodesize(addr)
    }
    return size > 0;
}
Alleviation
[My Master War Team]: This function is redundant. We've already removed it from the contract.
MAA-01 | Potential Risks on Approval/TransferFrom Methods
Category Severity Location Status
Mathematical Operations Minor contracts/MAT.sol (1): 133~145, 245~255 Resolved
Description
The approve function could be used in an attack that allows a spender to transfer more tokens than the
owner of the tokens ever wanted to allow the spender to transfer.
Here is a possible attack scenario:
1. Alice allows Bob to transfer N of Alice's tokens (N>0) by calling the approve method on the Token
smart contract, passing Bob's address and N as method arguments.
2. After some time, Alice decides to change from N to M (M>0) the number of Alice's tokens Bob is
allowed to transfer, so she calls the approve method again, this time passing Bob's address and M as
method arguments.
3. Bob notices Alice's second transaction before it is mined and quickly sends another transaction that
calls the transferFrom method to transfer N of Alice's tokens somewhere.
4. If Bob's transaction is executed before Alice's transaction, then Bob will successfully transfer N of
Alice's tokens and will gain the ability to transfer another M tokens.
5. Before Alice notices that something went wrong, Bob calls the transferFrom method again, this time
to transfer M of Alice's tokens.
So, Alice's attempt to change Bob's allowance from N to M (N>0 and M>0) made it possible for Bob to
transfer N+M of Alice's tokens, while Alice never wanted to allow so many of her tokens to be transferred
by Bob.
Reference: ERC20 API: An Attack Vector on Approve/TransferFrom Methods
https://docs.google.com/document/d/1YLPtQxZu1UAvO9cZ1O2RPXBbT0mooh4DYKjA_jp-RLM/edit#heading=h.m9fhqynw2xvt
Recommendation
We recommend using safeApprove instead of the approve method.
safeApprove(contract IERC20 token, address spender, uint256 value)
Alleviation
The response from MyMasterWar team:
We add ./ERC20/BEP20.sol file with the safeApprove function and
MAT.sol is derived from BEP20.sol
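The race described in this finding, played out against a small in-memory ERC20 model, as an added example that is not part of the report or of the My Master WAR contracts. The Token class follows plain ERC20 allowance semantics; safe_approve reproduces the OpenZeppelin SafeERC20.safeApprove rule that a non-zero allowance may only be reset to zero (so changing N to M takes two transactions, between which the owner can see whether the old allowance was spent), and increase_allowance/decrease_allowance are the relative-update alternative. ALICE, BOB, SINK and the amounts are constructed placeholders.

```python
"""Model of the ERC20 approve/transferFrom allowance race described in MAA-01.

Constructed example, not code from the My Master WAR contracts: a minimal
in-memory token whose allowance logic follows plain ERC20 semantics, plus the
mitigations discussed (OpenZeppelin-style safeApprove, which only permits
0 -> X or X -> 0 changes, and increaseAllowance/decreaseAllowance). ALICE,
BOB and SINK are placeholder addresses.
"""


class RevertError(Exception):
    """Raised where the corresponding on-chain call would revert."""


class Token:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}  # (owner, spender) -> remaining allowance

    def _allowed(self, owner, spender):
        return self.allowance.get((owner, spender), 0)

    # Plain ERC20: approve blindly overwrites, which is the racy primitive.
    def approve(self, owner, spender, value):
        self.allowance[(owner, spender)] = value

    def transfer_from(self, spender, owner, to, value):
        if value > self._allowed(owner, spender) or value > self.balances.get(owner, 0):
            raise RevertError("insufficient allowance or balance")
        self.allowance[(owner, spender)] = self._allowed(owner, spender) - value
        self.balances[owner] -= value
        self.balances[to] = self.balances.get(to, 0) + value

    # OpenZeppelin SafeERC20.safeApprove semantics: a non-zero allowance can
    # only be set to zero, so changing N -> M forces an explicit N -> 0 -> M.
    def safe_approve(self, owner, spender, value):
        if value != 0 and self._allowed(owner, spender) != 0:
            raise RevertError("approve from non-zero to non-zero allowance")
        self.allowance[(owner, spender)] = value

    # Relative updates never lose track of what the spender already consumed.
    def increase_allowance(self, owner, spender, delta):
        self.allowance[(owner, spender)] = self._allowed(owner, spender) + delta

    def decrease_allowance(self, owner, spender, delta):
        if delta > self._allowed(owner, spender):
            raise RevertError("decreased allowance below zero")
        self.allowance[(owner, spender)] = self._allowed(owner, spender) - delta


ALICE, BOB, SINK = "alice", "bob", "sink"  # constructed addresses


def run_scenario(n, m, mode, front_run=True):
    """Alice changes Bob's allowance from n to m while Bob tries to front-run.

    mode: 'approve' (plain ERC20), 'safe_approve' (zero-first two-step) or
    'adjust' (increase/decreaseAllowance). Returns how many of Alice's tokens
    Bob moved to SINK in total.
    """
    t = Token({ALICE: n + m + 1000})
    t.approve(ALICE, BOB, n)  # step 1: Bob may spend n

    if front_run:  # steps 3-4: Bob's transferFrom(n) is mined before Alice's change
        t.transfer_from(BOB, ALICE, SINK, n)

    try:  # step 2, as actually mined
        if mode == "approve":
            t.approve(ALICE, BOB, m)
        elif mode == "safe_approve":
            t.safe_approve(ALICE, BOB, 0)  # reset first; safe_approve(m) would revert
            if t.balances.get(SINK, 0) == 0:  # grant m only if the old allowance was unused
                t.safe_approve(ALICE, BOB, m)
        elif mode == "adjust":
            if m >= n:
                t.increase_allowance(ALICE, BOB, m - n)
            else:
                t.decrease_allowance(ALICE, BOB, n - m)  # reverts if Bob already spent n
        else:
            raise ValueError(mode)
    except RevertError:
        pass  # Alice's transaction reverted; the allowance stays as it was

    remaining = t._allowed(ALICE, BOB)  # step 5: Bob drains whatever is left
    if remaining:
        t.transfer_from(BOB, ALICE, SINK, remaining)
    return t.balances.get(SINK, 0)


def direct_safe_approve_reverts(n, m):
    """safeApprove refuses a direct N -> M change while N is still outstanding."""
    t = Token({ALICE: 1000})
    t.approve(ALICE, BOB, n)
    try:
        t.safe_approve(ALICE, BOB, m)
    except RevertError:
        return True
    return False


if __name__ == "__main__":
    print("plain approve, front-run:", run_scenario(100, 50, "approve"))            # 150
    print("safeApprove two-step, front-run:", run_scenario(100, 50, "safe_approve"))  # 100
    print("decreaseAllowance, front-run:", run_scenario(100, 50, "adjust"))         # 100
    print("increaseAllowance, front-run:", run_scenario(50, 100, "adjust"))         # 100
```

run_scenario returns how many of Alice's tokens Bob moves in total: with plain approve and a successful front-run he gets N+M, while with the zero-first safeApprove flow or with increase/decreaseAllowance he is bounded by what Alice actually granted. Note that safeApprove only helps because it forces the two-step update and the owner re-checks in between; a blind reset-then-approve would still lose N+M, which is why the relative-update functions are the more robust choice.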
MAA-02 | Public Function that Could be Declared External
Category Severity Location Status
Gas Optimization Informational contracts/MAT.sol (1): 159~161, 185 Resolved
Description
public functions that are never called by the contract should be declared external to save gas.
Recommendation
We recommend using the external attribute for functions never called from the contract.
MAA-03 | Initial token distribution
Category Severity Location Status
Centralization / Privilege Major contracts/MAT.sol (1): 20~27 Partially Resolved
Description
All of the MAT tokens are sent to the contract deployer when deploying the contract.
Recommendation
We recommend that the team be transparent regarding the initial token distribution process.
Alleviation
The response from MyMasterWar team:
We transfer the tokens to the wallet addresses according to the allocation
described in the whitepaper (lines 12-40).
MAC-01 | Vesting duration too short
Category Severity Location Status
Logical Issue Minor contracts/MATTeamClaim.sol (sale): 18 Resolved
Description
Currently, the vesting duration is set to 10 minutes, which is way too short.
Recommendation
We recommend having a longer vesting duration.
Alleviation
[My Master War Team]: The vesting time is for testing only. In the real deployment, we change the vesting
time to the one denoted in the whitepaper.
MAC-02 | Centralization Risk
Category Severity Location Status
Centralization / Privilege Major contracts/MATTeamClaim.sol (sale) Partially Resolved
Description
In the linked contract, the Owner role has authority over the following functions:
setTgeTime
governanceRecoverUnsupported
Any compromise of the Owner account may allow an attacker to abuse these privileges.
Recommendation
We advise the client to carefully manage the Owner account's private key to avoid any potential risk of
it being hacked.
In general, we strongly recommend that centralized privileges or roles in the protocol be
improved via a decentralized mechanism or smart-contract-based accounts with enhanced security
practices, e.g., multisignature wallets.
Indicatively, here are some feasible suggestions that would also mitigate the potential risk at different
levels, in both the short term and the long term:
Time-lock with reasonable latency, e.g., 48 hours, for awareness of privileged operations;
Assignment of privileged roles to multi-signature wallets to prevent a single point of failure due to the
private key;
Introduction of a DAO/governance/voting module to increase transparency and user involvement.
Alleviation
[My Master War Team]: We already know that the owner has the right to call the setTgeTime and
governanceRecoverUnsupported functions. It's our design, as the TGE is set only one time and the owner is
the only one who can transfer back the unexpected tokens sent to the contracts. The deployer (owner) has
a clear legal binding, and the private key for deploying the contract is from a hardware wallet. We believe
that it's the easy and secure way to interact with smart contracts.
MAE-01 | Centralization Risk
Category Severity Location Status
Centralization / Privilege Major contracts/MATEcosystemClaim.sol (sale) Partially Resolved
Description
In the linked contract, the Owner role has authority over the following functions:
setTgeTime
governanceRecoverUnsupported
Any compromise of the Owner account may allow an attacker to abuse these privileges.
Recommendation
We advise the client to carefully manage the Owner account's private key to avoid any potential risk of
it being hacked.
In general, we strongly recommend that centralized privileges or roles in the protocol be
improved via a decentralized mechanism or smart-contract-based accounts with enhanced security
practices, e.g., multisignature wallets.
Indicatively, here are some feasible suggestions that would also mitigate the potential risk at different
levels, in both the short term and the long term:
Time-lock with reasonable latency, e.g., 48 hours, for awareness of privileged operations;
Assignment of privileged roles to multi-signature wallets to prevent a single point of failure due to the
private key;
Introduction of a DAO/governance/voting module to increase transparency and user involvement.
Alleviation
[My Master War Team]: We already know that the owner has the right to call the setTgeTime and
governanceRecoverUnsupported functions. It's our design, as the TGE is set only once and the owner is
the only one who can transfer back unexpected tokens sent to the contracts. The deployer (owner) has
a clear legal binding, and the private key for deploying the contract is from a hardware wallet. We believe that it's
the easy and secure way to interact with smart contracts.
MAM-01 | Centralization Risk
Category: Centralization / Privilege | Severity: Major | Location: contracts/MATMarketingClaim.sol (sale) | Status: Partially Resolved
Description
In the linked contract, the Owner role has authority over the following functions:
setTgeTime
governanceRecoverUnsupported
Any compromise of the Owner account may allow an attacker to take advantage of these privileges.
Recommendation
We advise the client to carefully manage the Owner account's private key to avoid any potential risk of
it being compromised.
In general, we strongly recommend that centralized privileges or roles in the protocol be
improved via a decentralized mechanism or smart-contract-based accounts with enhanced security
practices, e.g., multi-signature wallets.
Indicatively, here are some feasible suggestions that would also mitigate the potential risk at different
levels in the short term and long term:
Time-lock with a reasonable latency, e.g., 48 hours, to give users awareness of privileged operations;
Assignment of privileged roles to multi-signature wallets to prevent a single point of failure due to one
private key;
Introduction of a DAO/governance/voting module to increase transparency and user involvement.
Alleviation
[My Master War Team]: We already know that the owner has the right to call the setTgeTime and
governanceRecoverUnsupported functions. It's our design, as the TGE is set only once and the owner is
the only one who can transfer back unexpected tokens sent to the contracts. The deployer (owner) has
a clear legal binding, and the private key for deploying the contract is from a hardware wallet. We believe that it's
the easy and secure way to interact with smart contracts.
MAP-01 | Centralization Risk
Category: Centralization / Privilege | Severity: Major | Location: contracts/MATPrivateSaleClaim.sol (sale) | Status: Partially Resolved
Description
In the linked contract, the Owner role has authority over the following functions:
setTgeTime
setWhilelist
governanceRecoverUnsupported
Any compromise of the Owner account may allow an attacker to take advantage of these privileges.
Recommendation
We advise the client to carefully manage the Owner account's private key to avoid any potential risk of
it being compromised.
In general, we strongly recommend that centralized privileges or roles in the protocol be
improved via a decentralized mechanism or smart-contract-based accounts with enhanced security
practices, e.g., multi-signature wallets.
Indicatively, here are some feasible suggestions that would also mitigate the potential risk at different
levels in the short term and long term:
Time-lock with a reasonable latency, e.g., 48 hours, to give users awareness of privileged operations;
Assignment of privileged roles to multi-signature wallets to prevent a single point of failure due to one
private key;
Introduction of a DAO/governance/voting module to increase transparency and user involvement.
Alleviation
[My Master War Team]: We already know that the owner has the right to call the setTgeTime and
governanceRecoverUnsupported functions. It's our design, as the TGE is set only once and the owner is
the only one who can transfer back unexpected tokens sent to the contracts. The deployer (owner) has
a clear legal binding, and the private key for deploying the contract is from a hardware wallet. We believe that it's
the easy and secure way to interact with smart contracts.
MAP-02 | Missing Validation for total amount
Category: Logical Issue | Severity: Minor | Location: contracts/MATPrivateSaleClaim.sol (sale): 66~79 | Status: Acknowledged
Description
When the function setWhilelist is called, it is possible for the total amount recorded in the locks mapping to
exceed the token balance held by the contract. In that case, some addresses would be unable to claim their rewards.
Recommendation
We advise adding a check on the passed-in values to prevent this unexpected error.
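As an added example (not the project's code), a hypothetical Solidity whitelist claim contract that shows the unchecked allocation beside a form that keeps the sum of all locks within the contract's token balance; the contract, field and function names are assumptions, and the project's own function is the setWhilelist named in the finding:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Added example, not the project's code: a hypothetical whitelist claim
// contract that refuses allocations the contract cannot cover.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

contract WhitelistClaimExample {
    struct Lock { uint256 total; uint256 claimed; }
    IERC20 public immutable token;
    address public immutable owner;
    mapping(address => Lock) public locks;
    uint256 public totalAllocated; // sum of every lock granted so far

    constructor(IERC20 _token) { token = _token; owner = msg.sender; }
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    // Unchecked form (the failure mode in the finding): the locks can add up to
    // more than the contract holds, so the last claimants' transfers revert.
    function setWhitelistUnchecked(address[] calldata users, uint256[] calldata amounts)
        external onlyOwner
    {
        require(users.length == amounts.length, "length mismatch");
        for (uint256 i = 0; i < users.length; i++) locks[users[i]].total = amounts[i];
    }

    // Checked form: every lock is accumulated into totalAllocated; if the sum
    // exceeds the real token balance the whole call reverts, undoing the writes.
    function setWhitelist(address[] calldata users, uint256[] calldata amounts)
        external onlyOwner
    {
        require(users.length == amounts.length, "length mismatch");
        uint256 newTotal = totalAllocated;
        for (uint256 i = 0; i < users.length; i++) {
            require(users[i] != address(0), "zero address");
            require(locks[users[i]].total == 0, "already whitelisted"); // no silent overwrite
            locks[users[i]].total = amounts[i];
            newTotal += amounts[i];
        }
        require(newTotal <= token.balanceOf(address(this)), "allocations exceed balance");
        totalAllocated = newTotal;
    }

    // Vesting schedule omitted: each address claims its whole lock at once.
    function claim() external {
        Lock storage lock = locks[msg.sender];
        uint256 due = lock.total - lock.claimed;
        require(due > 0, "nothing to claim");
        lock.claimed = lock.total;
        require(token.transfer(msg.sender, due), "transfer failed");
    }
}
```

The running total also lets an off-chain monitor compare totalAllocated against the contract's balance after every whitelist update, which is the cheapest way to catch an under-funded claim contract before users do.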
MAT-01 | Vesting duration too short
Category: Logical Issue | Severity: Minor | Location: contracts/MATTreasuryClaim.sol (sale): 17 | Status: Resolved
Description
Currently, the vesting duration is set to 10 minutes, which is far too short.
Recommendation
We recommend a longer vesting duration.
Alleviation
[My Master War Team]: The vesting time is for test only. In real deployment, we change the vesting time to
the one denoted in the whitepaper.
MAT-02 | Centralization Risk
Category: Centralization / Privilege | Severity: Major | Location: contracts/MATTreasuryClaim.sol (sale) | Status: Partially Resolved
Description
In the linked contract, the Owner role has authority over the following functions:
setTgeTime
governanceRecoverUnsupported
Any compromise of the Owner account may allow an attacker to take advantage of these privileges.
Recommendation
We advise the client to carefully manage the Owner account's private key to avoid any potential risk of
it being compromised.
In general, we strongly recommend that centralized privileges or roles in the protocol be
improved via a decentralized mechanism or smart-contract-based accounts with enhanced security
practices, e.g., multi-signature wallets.
Indicatively, here are some feasible suggestions that would also mitigate the potential risk at different
levels in the short term and long term:
Time-lock with a reasonable latency, e.g., 48 hours, to give users awareness of privileged operations;
Assignment of privileged roles to multi-signature wallets to prevent a single point of failure due to one
private key;
Introduction of a DAO/governance/voting module to increase transparency and user involvement.
Alleviation
[My Master War Team]: We already know that the owner has the right to call the setTgeTime and
governanceRecoverUnsupported functions. It's our design, as the TGE is set only once and the owner is
the only one who can transfer back unexpected tokens sent to the contracts. The deployer (owner) has
a clear legal binding, and the private key for deploying the contract is from a hardware wallet. We believe that it's
the easy and secure way to interact with smart contracts.
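As an added example (not the project's code), a hypothetical Solidity claim contract that applies the time-lock and multi-signature suggestions repeated in the centralization findings above (MAE-01, MAM-01, MAP-01, MAT-02) to the setTgeTime and governanceRecoverUnsupported functions named there; the 48-hour delay follows the recommendation, while the queue/_consume mechanism, the multisig owner and the claimToken guard are assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Added example, not the project's code: a hypothetical claim contract whose
// privileged calls sit behind a 48-hour time-lock; deploy with a multi-signature
// wallet as `multisig` so that no single key can both announce and execute.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}
contract TimelockedClaimExample {
    uint256 public constant DELAY = 48 hours;
    address public immutable owner;
    address public immutable claimToken; // what users claim; never "recoverable"
    uint256 public tgeTime;              // 0 until set; can be set only once
    // Pending privileged operations: keccak256(op, params) => time it may run.
    mapping(bytes32 => uint256) public readyAt;
    event Queued(bytes32 indexed id, string op, bytes params, uint256 executableAt);

    constructor(address multisig, address _claimToken) {
        owner = multisig;
        claimToken = _claimToken;
    }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    // Step 1: the owner announces an operation with its ABI-encoded parameters;
    // the event gives users DELAY to react before it can be executed.
    function queue(string calldata op, bytes calldata params) external onlyOwner {
        bytes32 id = keccak256(abi.encode(op, params));
        require(readyAt[id] == 0, "already queued");
        readyAt[id] = block.timestamp + DELAY;
        emit Queued(id, op, params, readyAt[id]);
    }

    // Step 2: the privileged function recomputes the id from its own arguments,
    // so only exactly what was announced can run, and only after DELAY.
    function _consume(string memory op, bytes memory params) internal {
        bytes32 id = keccak256(abi.encode(op, params));
        require(readyAt[id] != 0 && block.timestamp >= readyAt[id], "not ready");
        delete readyAt[id];
    }

    function setTgeTime(uint256 newTge) external onlyOwner {
        require(tgeTime == 0, "TGE already set");
        _consume("setTgeTime", abi.encode(newTge));
        tgeTime = newTge;
    }

    // Recovery of tokens sent by mistake is delayed like any other privileged
    // call and can never touch the claim token that users are owed.
    function governanceRecoverUnsupported(address token, address to, uint256 amount) external onlyOwner {
        require(token != claimToken, "cannot recover the claim token");
        _consume("recover", abi.encode(token, to, amount));
        require(IERC20(token).transfer(to, amount), "transfer failed");
    }
}
```

Compared with a plain onlyOwner modifier, a compromised key can now only announce an operation, and the Queued event makes the exact parameters visible 48 hours before they can take effect.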
Appendix
Finding Categories
Centralization / Privilege
Centralization / Privilege findings refer to either feature logic or implementation of components that act
against the nature of decentralization, such as explicit ownership or specialized access roles in
combination with a mechanism to relocate funds.
Gas Optimization
Gas Optimization findings do not affect the functionality of the code but generate different, more optimal
EVM opcodes resulting in a reduction on the total gas cost of a transaction.
Mathematical Operations
Mathematical Operation findings relate to the mishandling of mathematical formulas, such as overflows, incorrect
operations, etc.
Logical Issue
Logical Issue findings detail a fault in the logic of the linked code, such as an incorrect notion on how
block.timestamp works.
Volatile Code
Volatile Code findings refer to segments of code that behave unexpectedly on certain edge cases that may
result in a vulnerability.
Checksum Calculation Method
The "Checksum" field in the "Audit Scope" section is calculated as the SHA-256 (Secure Hash Algorithm 2
with a digest size of 256 bits) digest of the content of each file hosted in the listed source repository under
the specified commit.
The result is hexadecimal encoded and is identical to the output of the Linux "sha256sum" command
run against the target file.
Disclaimer
This report is subject to the terms and conditions (including without limitation, description of services,
confidentiality, disclaimer and limitation of liability) set forth in the Services Agreement, or the scope of
services, and terms and conditions provided to you (“Customer” or the “Company”) in connection with the
Agreement. This report provided in connection with the Services set forth in the Agreement shall be used
by the Company only to the extent permitted under the terms and conditions set forth in the Agreement.
This report may not be transmitted, disclosed, referred to or relied upon by any person for any purposes,
nor may copies be delivered to any other person other than the Company, without CertiK’s prior written
consent in each instance.
This report is not, nor should be considered, an “endorsement” or “disapproval” of any particular project or
team. This report is not, nor should be considered, an indication of the economics or value of any
“product” or “asset” created by any team or project that contracts CertiK to perform a security
assessment. This report does not provide any warranty or guarantee regarding the absolute bug-free
nature of the technology analyzed, nor does it provide any indication of the technology proprietors'
business, business model or legal compliance.
This report should not be used in any way to make decisions around investment or involvement with any
particular project. This report in no way provides investment advice, nor should be leveraged as investment
advice of any sort. This report represents an extensive assessing process intending to help our customers
increase the quality of their code while reducing the high level of risk presented by cryptographic tokens
and blockchain technology.
Blockchain technology and cryptographic assets present a high level of ongoing risk. CertiK’s position is
that each company and individual are responsible for their own due diligence and continuous security.
CertiK’s goal is to help reduce the attack vectors and the high level of variance associated with utilizing
new and consistently changing technologies, and in no way claims any guarantee of security or
functionality of the technology we agree to analyze.
The assessment services provided by CertiK are subject to dependencies and under continuing
development. You agree that your access and/or use, including but not limited to any services, reports,
and materials, will be at your sole risk on an as-is, where-is, and as-available basis. Cryptographic tokens
are emergent technologies and carry with them high levels of technical risk and uncertainty. The
assessment reports could include false positives, false negatives, and other unpredictable results. The
services may access, and depend upon, multiple layers of third-parties.
ALL SERVICES, THE LABELS, THE ASSESSMENT REPORT, WORK PRODUCT, OR OTHER MATERIALS,
OR ANY PRODUCTS OR RESULTS OF THE USE THEREOF ARE PROVIDED “AS IS” AND “AS
AVAILABLE” AND WITH ALL FAULTS AND DEFECTS WITHOUT WARRANTY OF ANY KIND. TO THE
MAXIMUM EXTENT PERMITTED UNDER APPLICABLE LAW, CERTIK HEREBY DISCLAIMS ALL
WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE WITH RESPECT TO THE
SERVICES, ASSESSMENT REPORT, OR OTHER MATERIALS. WITHOUT LIMITING THE FOREGOING,
CERTIK SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT, AND ALL WARRANTIES ARISING FROM
COURSE OF DEALING, USAGE, OR TRADE PRACTICE. WITHOUT LIMITING THE FOREGOING, CERTIK
MAKES NO WARRANTY OF ANY KIND THAT THE SERVICES, THE LABELS, THE ASSESSMENT REPORT,
WORK PRODUCT, OR OTHER MATERIALS, OR ANY PRODUCTS OR RESULTS OF THE USE THEREOF,
WILL MEET CUSTOMER’S OR ANY OTHER PERSON’S REQUIREMENTS, ACHIEVE ANY INTENDED
RESULT, BE COMPATIBLE OR WORK WITH ANY SOFTWARE, SYSTEM, OR OTHER SERVICES, OR BE
SECURE, ACCURATE, COMPLETE, FREE OF HARMFUL CODE, OR ERROR-FREE. WITHOUT LIMITATION
TO THE FOREGOING, CERTIK PROVIDES NO WARRANTY OR UNDERTAKING, AND MAKES NO
REPRESENTATION OF ANY KIND THAT THE SERVICE WILL MEET CUSTOMER’S REQUIREMENTS,
ACHIEVE ANY INTENDED RESULTS, BE COMPATIBLE OR WORK WITH ANY OTHER SOFTWARE,
APPLICATIONS, SYSTEMS OR SERVICES, OPERATE WITHOUT INTERRUPTION, MEET ANY
PERFORMANCE OR RELIABILITY STANDARDS OR BE ERROR FREE OR THAT ANY ERRORS OR
DEFECTS CAN OR WILL BE CORRECTED.
WITHOUT LIMITING THE FOREGOING, NEITHER CERTIK NOR ANY OF CERTIK’S AGENTS MAKES ANY
REPRESENTATION OR WARRANTY OF ANY KIND, EXPRESS OR IMPLIED AS TO THE ACCURACY,
RELIABILITY, OR CURRENCY OF ANY INFORMATION OR CONTENT PROVIDED THROUGH THE
SERVICE. CERTIK WILL ASSUME NO LIABILITY OR RESPONSIBILITY FOR (I) ANY ERRORS, MISTAKES,
OR INACCURACIES OF CONTENT AND MATERIALS OR FOR ANY LOSS OR DAMAGE OF ANY KIND
INCURRED AS A RESULT OF THE USE OF ANY CONTENT, OR (II) ANY PERSONAL INJURY OR
PROPERTY DAMAGE, OF ANY NATURE WHATSOEVER, RESULTING FROM CUSTOMER’S ACCESS TO
OR USE OF THE SERVICES, ASSESSMENT REPORT, OR OTHER MATERIALS.
ALL THIRD-PARTY MATERIALS ARE PROVIDED “AS IS” AND ANY REPRESENTATION OR WARRANTY
OF OR CONCERNING ANY THIRD-PARTY MATERIALS IS STRICTLY BETWEEN CUSTOMER AND THE
THIRD-PARTY OWNER OR DISTRIBUTOR OF THE THIRD-PARTY MATERIALS.
THE SERVICES, ASSESSMENT REPORT, AND ANY OTHER MATERIALS HEREUNDER ARE SOLELY
PROVIDED TO CUSTOMER AND MAY NOT BE RELIED ON BY ANY OTHER PERSON OR FOR ANY
PURPOSE NOT SPECIFICALLY IDENTIFIED IN THIS AGREEMENT, NOR MAY COPIES BE DELIVERED TO,
ANY OTHER PERSON WITHOUT CERTIK’S PRIOR WRITTEN CONSENT IN EACH INSTANCE.
NO THIRD PARTY OR ANYONE ACTING ON BEHALF OF ANY THEREOF, SHALL BE A THIRD PARTY OR
OTHER BENEFICIARY OF SUCH SERVICES, ASSESSMENT REPORT, AND ANY ACCOMPANYING
MATERIALS AND NO SUCH THIRD PARTY SHALL HAVE ANY RIGHTS OF CONTRIBUTION AGAINST
CERTIK WITH RESPECT TO SUCH SERVICES, ASSESSMENT REPORT, AND ANY ACCOMPANYING
MATERIALS.
THE REPRESENTATIONS AND WARRANTIES OF CERTIK CONTAINED IN THIS AGREEMENT ARE
SOLELY FOR THE BENEFIT OF CUSTOMER. ACCORDINGLY, NO THIRD PARTY OR ANYONE ACTING
ON BEHALF OF ANY THEREOF, SHALL BE A THIRD PARTY OR OTHER BENEFICIARY OF SUCH
REPRESENTATIONS AND WARRANTIES AND NO SUCH THIRD PARTY SHALL HAVE ANY RIGHTS OF
CONTRIBUTION AGAINST CERTIK WITH RESPECT TO SUCH REPRESENTATIONS OR WARRANTIES OR
ANY MATTER SUBJECT TO OR RESULTING IN INDEMNIFICATION UNDER THIS AGREEMENT OR
OTHERWISE.
FOR AVOIDANCE OF DOUBT, THE SERVICES, INCLUDING ANY ASSOCIATED ASSESSMENT REPORTS
OR MATERIALS, SHALL NOT BE CONSIDERED OR RELIED UPON AS ANY FORM OF FINANCIAL, TAX,
LEGAL, REGULATORY, OR OTHER ADVICE.
About
Founded in 2017 by leading academics in the field of Computer Science from both Yale and Columbia
University, CertiK is a leading blockchain security company that serves to verify the security and
correctness of smart contracts and blockchain-based protocols. Through the utilization of our world-class
technical expertise, alongside our proprietary, innovative tech, we're able to support the success of our
clients with best-in-class security, all whilst realizing our overarching vision: provable trust for all
throughout all facets of blockchain.