Security Vulnerabilities Found #1

@xrdavies

Description

Security Vulnerabilities Found

During a security audit, we identified several vulnerabilities in our blockchain-related dependencies. These vulnerabilities don't affect the basic website functionality but should be addressed in future updates.

High Severity Issues

  1. WebSocket (ws) Package

    • Vulnerability: DoS when handling requests with many HTTP headers
    • Affected versions: 7.0.0 - 7.5.9 || 8.0.0 - 8.17.0
    • CVE: GHSA-3h5v-q93c-6h6q
    • Dependency path: viem > ws
  2. Viem Package

    • Uses vulnerable version of ws
    • Affected versions: <=0.0.0-wagmiv2-20230628182101 || 0.2.2 - 2.15.0

Low Severity Issues

  1. Elliptic Package
    • Multiple cryptographic vulnerabilities:
      • EDDSA missing signature length check
      • ECDSA missing check for leading bit of r and s
      • Allows BER-encoded signatures
      • Valid ECDSA signatures erroneously rejected
      • Verify function omits uniqueness validation
    • Affects multiple @ethersproject/* packages

Affected Dependencies

  • @seedao/sns-js and related packages
  • ethers (v5.7.2)
  • wagmi (v1.4.12)
  • @joyid/wagmi (v0.1.0)
  • Various @ethersproject/* packages

Required Actions

  1. Coordinate with SeeDAO Team

    • Update @seedao/sns-js and related packages to use latest versions of ethers and wagmi
    • Test updates thoroughly as they involve breaking changes
  2. Package Updates Needed

    • Update ethers to v6.13.5
    • Update wagmi to latest compatible version
    • Update viem to latest compatible version
    • Update or replace affected @ethersproject/* packages
  3. Testing Requirements

    • Test all blockchain interactions
    • Verify wallet connections still work
    • Test contract interactions
    • Test transaction signing and sending

Implementation Plan

  1. Create a new branch for dependency updates
  2. Update packages one at a time, starting with core dependencies
  3. Fix any breaking changes
  4. Test thoroughly in a staging environment
  5. Deploy to production after successful testing

Notes

  • These vulnerabilities are primarily in the blockchain interaction code
  • Basic website functionality and SEO are not affected
  • Updates should be coordinated with the SeeDAO team due to potential breaking changes
