James Cramer

7 exploits Active since Nov 2019
CVE-2019-16761 WRITEUP MEDIUM WRITEUP
slp-validate @1.0.0 - Code Injection
A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the [email protected] npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus. All versions >1.0.0 have been patched.
CVSS 5.7
CVE-2019-16762 WRITEUP MEDIUM WRITEUP
slpjs < 0.21.4 - Bitcoin Script Validation Bypass via Crafted Script
A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the slpjs npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus. Affected users can upgrade to any version >= 0.21.4.
CVSS 5.7
CVE-2020-11014 WRITEUP MEDIUM WRITEUP
Electron-Cash-SLP <3.6.2 - Privilege Escalation
Electron-Cash-SLP before version 3.6.2 has a vulnerability. All token creators that use the "Mint Tool" feature of the Electron Cash SLP Edition are at risk of sending the minting authority baton to the wrong SLP address. Sending the mint baton to the wrong address will give another party the ability to issue new tokens or permanently destroy future minting capability. This is fixed version 3.6.2.
CVSS 6.1
CVE-2020-11071 WRITEUP HIGH WRITEUP
slpjs < 0.27.2 - Incorrect Comparison in MINT Transaction Validation
SLPJS (npm package slpjs) before version 0.27.2, has a vulnerability where users could experience false-negative validation outcomes for MINT transaction operations. A poorly implemented SLP wallet could allow spending of the affected tokens which would result in the destruction of a user's minting baton. This is fixed in version 0.27.2.
CVSS 8.6
CVE-2020-11072 WRITEUP HIGH WRITEUP
SLP Validate <1.2.1 - Info Disclosure
In SLP Validate (npm package slp-validate) before version 1.2.1, users could experience false-negative validation outcomes for MINT transaction operations. A poorly implemented SLP wallet could allow spending of the affected tokens which would result in the destruction of a user's minting baton. This has been fixed in slp-validate in version 1.2.1. Additonally, slpjs version 0.27.2 has a related fix under related CVE-2020-11071.
CVSS 8.6
CVE-2020-15130 WRITEUP HIGH WRITEUP
slpjs < 0.27.4 - Incorrect NFT1 Child Genesis Transaction Validation
In SLPJS (npm package slpjs) before version 0.27.4, there is a vulnerability to false-positive validation outcomes for the NFT1 Child Genesis transaction type. A poorly implemented SLP wallet or opportunistic attacker could create a seemingly valid NFT1 child token without burning any of the NFT1 Group token type as is required by the NFT1 specification. This is fixed in version 0.27.4.
CVSS 7.5
CVE-2020-15131 WRITEUP HIGH WRITEUP
SLP Validate <1.2.2 - Info Disclosure
In SLP Validate (npm package slp-validate) before version 1.2.2, there is a vulnerability to false-positive validation outcomes for the NFT1 Child Genesis transaction type. A poorly implemented SLP wallet or opportunistic attacker could create a seemingly valid NFT1 child token without burning any of the NFT1 Group token type as is required by the NFT1 specification. This is fixed in version 1.2.2.
CVSS 7.5