Completed

2023-DoraHacks Bug Bounty

Outdated · 2023/01/03 → 2023/08/29, 07:40

1500 USDC


  • Security / Bug Hunting
  • DoraHacks
Payment network
Funder: DoraHacks (Organization)
Participants: Multiple winners
Details

The Bug Bounty has changed to another link:

https://dorahacks.io/bugbounty/1

Activities
  • The bounty was completed on 2023/09/07 23:49:55

  • DoraBugBounty posted a comment on

  • <h1>DD</h1>{{3*3}} submitted a solution on 2023/07/09 13:51:37
    Description
    I have discovered a significant security vulnerability on your website that allows for stored Cross-Site Scripting (XSS) attacks through file uploads. Attackers can upload malicious SVG or HTML files containing malicious scripts that can be executed when accessed by other users. This poses a serious risk of unauthorized data manipulation, session hijacking, or information theft. Please find the details below for your reference.
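Two server-side controls that address the stored-XSS-via-upload class described in the submission above. This is an added example, not code from DoraHacks or the reporter; the function names, the constructed `CLEAN_SVG`/`EVIL_SVG` samples and the header set are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Headers for serving any user-supplied file back to browsers. Forcing a download
# and forbidding MIME sniffing means an uploaded SVG/HTML file is never rendered in
# the site's origin, so a script inside it cannot reach another user's session.
def download_headers(filename):
    safe_name = "".join(c for c in filename if c.isalnum() or c in "._-") or "upload"
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": 'attachment; filename="%s"' % safe_name,
        "X-Content-Type-Options": "nosniff",
    }

def svg_active_content(svg_bytes):
    """Return the reasons an uploaded SVG should be rejected as an image:
    script/foreignObject elements, on* event handlers, and javascript: or
    data:text/html references. An empty list means nothing active was found."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    root_tag = root.tag.split("}")[-1]
    if root_tag.lower() != "svg":
        return ["root element is <%s>, not <svg>" % root_tag]
    reasons = []
    for el in root.iter():
        tag = el.tag.split("}")[-1].lower()
        if tag in ("script", "foreignobject"):
            reasons.append("<%s> element" % tag)
        for name, value in el.attrib.items():
            local = name.split("}")[-1].lower()   # ET stores xlink:href as {ns}href
            if local.startswith("on"):
                reasons.append("%s handler on <%s>" % (local, tag))
            elif local == "href":
                target = "".join(value.split()).lower()  # defeat whitespace splitting tricks
                if target.startswith(("javascript:", "data:text/html")):
                    reasons.append("active href on <%s>" % tag)
    return reasons

# Constructed samples for illustration, not files from the report
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" width="8" height="8"><circle r="4"/></svg>'
EVIL_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<script>alert(1)</script>'
            b'<image xlink:href="java\nscript:alert(1)"/>'
            b'<rect onload="alert(1)"/></svg>')
```

Rejecting active content at upload time and serving stored files as attachments are complementary: the first keeps the logo pipeline clean, the second limits the blast radius if a check is bypassed.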

  • karanpargal submitted a solution on 2023/06/26 06:18:47
    Description
    Basic functionality bugs which can create bad user experience and a multiple data entry bug.

  • alone-breecher submitted a solution on 2023/06/26 01:20:27

  • alone-breecher submitted a solution on 2023/06/26 00:54:30

  • shubhsinghal17 submitted a solution on 2023/06/21 17:33:52
    Description
    I have identified a vulnerability in an organization's invitation system, where the request to invite a user has no rate limit. This vulnerability can be exploited to send mass invitations to a single email address, which can be annoying for the invited users.

  • shubhsinghal17 submitted a solution on 2023/06/21 17:31:31
    Description
    I have identified a vulnerability in an organization's invitation system, where the request to invite a user has no rate limit. This vulnerability can be exploited to send mass invitations to a single email address, which can be annoying for the invited users.

  • Calebux submitted a solution on 2023/06/01 08:11:28
    Description
    The provided Solidity code defines a contract named BugReport that showcases a vulnerability related to address validation. Let's provide a description of the code:

    ```solidity
    // SPDX-License-Identifier: MIT
    pragma solidity ^0.8.0;

    import "@openzeppelin/contracts/utils/Address.sol";
    import "@openzeppelin/contracts/introspection/ERC165.sol";
    ```

    The code begins with an SPDX License Identifier indicating that it is licensed under the MIT License. The pragma directive specifies that the contract is compatible with Solidity versions greater than or equal to 0.8.0.

    ```solidity
    // Declared at file level: Solidity does not allow one contract to be nested inside another.
    // This is a vulnerable contract that does not implement the ERC165 interface
    contract VulnerableContract {}

    contract BugReport {
        using Address for address;
    ```

    The contract BugReport is defined, which uses the Address library by employing the using keyword. Inside BugReport, there is an inner contract VulnerableContract that does not implement the ERC165 interface. This makes it susceptible to the vulnerability.

    ```solidity
        function exploit() external {
            // This address is a contract, but the `isNotContract` function incorrectly returns true
            address contractAddress = address(new VulnerableContract());

            // This check should fail due to the incorrect address validation.
            // Note: `AddressUtils` is referenced here but is not declared or imported in the posted snippet.
            require(AddressUtils.isNotContract(contractAddress), "Invalid address detected!");
        }
    }
    ```

    The exploit function is defined as an external function within the BugReport contract. Inside the function, a new instance of VulnerableContract is created, and its address is assigned to the contractAddress variable. The require statement is used to check if the contractAddress is not a contract by utilizing the isNotContract function from the Address library. However, due to a bug, the function incorrectly returns true, indicating that the address is not a contract. If the require condition fails, it reverts the transaction and displays the error message "Invalid address detected!".

    The code demonstrates a critical bug where the address validation mechanism using the isNotContract function from the Address library is incorrect. It mistakenly identifies a contract address as not being a contract. This vulnerability could lead to security issues or incorrect behavior in the contract that relies on the isNotContract function for validating addresses. To address this bug, it is crucial to correct the address validation logic and ensure that it accurately identifies contract addresses. Thorough testing and proper implementation of address validation mechanisms are essential to prevent potential vulnerabilities in smart contracts.

  • Calebux submitted a solution on 2023/05/26 00:22:42
    Description
    The problem I identified is an incorrect address validation in the AddressUtils library used in the project. Specifically, the isNotContract function fails to accurately determine whether an address is a contract or not. This issue can have serious consequences, including the unintentional transfer of funds to undesired contracts, exploitation of vulnerabilities in falsely identified non-contracts, and potential loss of user funds due to unexpected contract behavior. I have provided a suggested solution to address this problem by utilizing the ERC165 interface detection standard, which would improve the accuracy of the address validation process and mitigate the associated risks.

  • Calebux submitted a solution on 2023/05/24 07:26:54
    Description
    In the code review, I identified a potential issue with the initialization of the epoch array for token locking in the vcDORA contract. The code correctly initializes the array with the current timestamp rounded down to the nearest multiple of a week. However, the subsequent loop that populates the array has a fixed number of iterations (9 iterations) that may not align with the desired number of future epochs.

  • ImmanuelOlivia1 submitted a solution on 2023/05/19 21:12:12

  • Calebux submitted a solution on 2023/05/19 20:51:49
    Description
    The batchVotingCost function in the Grant smart contract fails to accurately calculate the cost of batch voting. It incorrectly considers only the cost of the last project in the batch, ignoring the costs of previous projects. As a result, users are charged an incorrect amount when submitting batch votes, potentially leading to financial losses.

  • Otaiki1 submitted a solution on 2023/05/18 22:36:52
    Description
    An analysis of the qf grant contract. Contact me on discord at Otaiki#8030

  • ilyar submitted a solution on 2023/05/09 21:24:23
    Description
    Bug report: Successful upvote with zero balance

  • ilyar submitted a solution on 2023/05/09 09:51:51
    Description
    # Bug report: Obscure error while uploading a logo during BUIDL creation

    When a logo is being uploaded, the API returns a `400` error:

    ```json
    {"file_name":["Ensure this field has no more than 64 characters."]}
    ```

    However, the user doesn't receive any notification in the user interface. Given that the logo field is mandatory, users may encounter an inability to create a BUIDL, with the reason being unclear.

    ![](https://hackmd.io/_uploads/r1d1t6PVh.gif)

    ## Possible solution

    Display the error in the BUIDL creation form.

  • Longkali2021 submitted a solution on 2023/04/30 08:23:53
    Description
    Hi team, I see the image values in the BUIDLs logo feature are not validating properly, whereas when an attacker creates an XSS payload then edits it into the BUIDLs logo URL, it will be accepted and the XSS will be triggered when someone opens the Image Tab in Chrome or Edge browser.

    Reproduction steps:

    1. Create or edit your BUIDL at https://dorahacks.io/home
    2. Then intercept the BUIDL edit request using Burp Suite. Sample request:

    ```http
    PATCH /api/hack-list/self-projects/4677/ HTTP/1.1
    Host: dorahacks.io
    Cookie: -
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
    Accept: application/json, text/plain, */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/json
    Hackerlink-Token: 641c03db26dd56d90e1553c671fead50
    Content-Length: 682
    Origin: https://dorahacks.io
    Referer: https://dorahacks.io/home
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    Te: trailers
    Connection: close

    {"name":"XSSttestes","source":"Grants-","tech_trees":[0],"infrastructure_tags":[1,10,91,92],"other_infrastructures":["infra:\"><img src=/ onerror=alert(1)> {{4*4}}"],"vision":"XSS","project_description":"\"><img src=/ onerror=alert(1)> {{4*4}}","pictures":["data:text/html;base64,PHNjcmlwdD5hbGVydCgiZG9yYWhhY2tzLmlvIik8L3NjcmlwdD4K"],"contact":"11111","members":[{"email":"***@***","nickname":null,"avatar":null}],"team_description":"\"><img src=/ onerror=alert(1)> {{4*4}}","github_page":"https://github.com","demo_link":"https://demo.com","demo_video":"https://demo.com","twitter":"tetes","facebook":"https://facebook.com/testes","discord":"testes","whatsapp":null,"wechat":null}
    ```

    3. Then change the "pictures" value to the XSS payload URL. XSS payloads:
       - data:text/html;base64,PHNjcmlwdD5hbGVydCgiZG9yYWhhY2tzLmlvIik8L3NjcmlwdD4K
       Decoded base64 XSS payload:
       - data:text/html;base64,<script>alert(1)</script>
    4. After saving, open the image tab and see!! XSS will be triggered.

    POC videos:
    - https://drive.google.com/file/d/1hbx7l77a7remCEyRqa3CJr-_gEJgwb9z/view?usp=sharing

    Impact: XSS through the BUIDL logo feature

  • Profilbio submitted a solution on 2023/04/13 22:41:44
    Description
    There is no authentication of the linked social media or GitHub accounts, then each user can freely use someone else's account and can falsify identity. It is safer for every registered user to do KYC so that there are no fake accounts.

  • itz_mg submitted a solution on 2023/02/14 02:39:29
    Description
    It is a broken access control which is more of a business logic error found on dorahacks.io. The bug needs to be remediated as soon as possible. I am happy to provide any additional information required.

  • priyanshuparmar submitted a solution on 2023/02/05 16:40:00
    Winner
    Description
    Title: No rate limit on invite user in organization. I have identified that when a user is being invited in an organization, the request has no rate limit, which then can be used to loop through one request. This can be annoying to the invited users, sending the mass invitation to one email.

  • priyanshuparmar submitted a solution on 2023/01/24 00:32:30
    Description
    EXIF metadata not stripped from uploaded profile photo and organization logo. Description: In dorahacks.io you can upload a profile picture and organization logo, and if you upload a JPEG with EXIF metadata on it, it isn't stripped. This can lead to disclosure of the location where the photo was taken or other personal information of the photo uploader if their post is public and everyone can view the post. Anyone can download the logo and check the metadata. As a result, anyone can get sensitive information of users like their geolocation and their device information like device name, version, software and software version used, etc.
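A minimal server-side fix for the finding above: walk the JPEG segment list and drop the APP1 (Exif/XMP) and APP13 (IPTC) segments before storing the upload, leaving pixel data untouched. This is an added example, not DoraHacks code; `build_sample_jpeg` is a constructed fixture (a fake GPS string inside an Exif segment), not a real photograph, and the function names are assumptions.

```python
import struct

# JPEG marker codes (second byte after 0xFF), from the JPEG spec
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# APP1 (Exif/XMP) and APP13 (IPTC/Photoshop) hold camera, GPS and author
# metadata rather than pixel data, so an upload pipeline can drop them safely.
METADATA_MARKERS = {0xE1, 0xED}

def iter_segments(data):
    """Yield (marker, raw_segment) up to and including SOS, then (None, tail) for scan data + EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt JPEG: expected marker at offset %d" % pos)
        marker = data[pos + 1]
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        end = pos + 2 + length  # the length field counts itself but not the marker
        if end > len(data):
            raise ValueError("corrupt JPEG: segment runs past end of file")
        yield marker, data[pos:end]
        pos = end
        if marker == SOS:  # entropy-coded data follows; no more length-prefixed segments
            break
    yield None, data[pos:]

def has_exif(data):
    """True if an APP1 segment starts with the Exif identifier."""
    return any(m == 0xE1 and seg[4:10] == b"Exif\x00\x00" for m, seg in iter_segments(data))

def strip_metadata(data):
    """Copy of the JPEG without APP1/APP13; APP0 (JFIF), tables and scan data are kept byte-for-byte."""
    out = bytearray(b"\xff\xd8")
    for marker, seg in iter_segments(data):
        if marker not in METADATA_MARKERS:
            out += seg
    return bytes(out)

def _segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

def build_sample_jpeg():
    """Constructed fixture: JFIF APP0, an Exif APP1 with a fake GPS string, a minimal SOS, scan bytes, EOI."""
    jfif = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    exif = _segment(0xE1, b"Exif\x00\x00II*\x00GPSLatitude=12.34 N")
    sos = _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    return b"\xff\xd8" + jfif + exif + sos + b"\x12\x34\x56" + bytes([0xFF, EOI])
```

Because the scan data is copied verbatim, the image is not re-encoded and no quality is lost; for PNG or WebP uploads the equivalent is dropping the text/metadata chunks of those formats.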

  • priyanshuparmar received 100.0000 USDC reward on 2023/01/19 18:03:26
    Transaction
    0x877f...3ffe

  • Tamil-dev submitted a solution on 2023/01/11 15:18:47
    Description
    Hi Team, I found a vulnerability on https://dorahacks.io. Vulnerability name: IDOR

  • evilboyajay received 100.0000 USDC reward on 2023/01/11 00:39:28
    Transaction
    0x877f...3ffe

  • evilboyajay submitted a solution on 2023/01/11 00:30:22
    Winner
    Description
    It has been discovered that the website dorahacks is vulnerable to email disclosure. This vulnerability allows an attacker to gain access to sensitive information, such as the email addresses of any registered users.

  • Tamil-dev submitted a solution on 2023/01/08 14:46:16
    Description
    It has been discovered that the website dorahacks is vulnerable to IDOR. This vulnerability allows an attacker to invite any members , without the permission of the organisation owner.

  • priyanshuparmar submitted a solution on 2023/01/06 23:48:51
    Description
    Title: Stealing sensitive information of users (like IP, location, device information). A vulnerability using which an attacker can obtain the information of all the users without their knowledge. He can steal his IP address, ISP, country name, city name, region, device info, and browser details.

  • DoraBugBounty created the bounty on 2023/01/03 09:46:41
    Transaction
    0x877f...3ffe