Trail of Bits

ChainPort

Type: Security review
Client: DcentraLab
Date: 2022-07
Domain: Blockchain
Effort: 8 wks
Section: Ethereum/EVM

Trail of Bits's security review of ChainPort for DcentraLab (July 2022) identified 22 issues: 3 medium, 10 low, 6 informational, and 3 undetermined.

Findings · 22

  1. Several secrets checked into source control · Medium
  2. Same credentials used for staging, test, and production environment databases · Low
  3. Use of error-prone pattern for logging functions · Low
  4. Use of hard-coded strings instead of constants · Informational
  5. Use of incorrect operator in SQLAlchemy filter · Undetermined
  6. Several functions receive the wrong number of arguments · Undetermined
  7. Lack of events for critical operations · Informational
  8. Lack of zero address checks in setter functions · Informational
  9. Python type annotations are missing from most functions · Low
  10. Use of libraries with known vulnerabilities · Low
  11. Use of JavaScript instead of TypeScript · Low
  12. Use of .format to create SQL queries · Informational
  13. Many rules are disabled in the ESLint configuration · Informational
  14. Congress can lose quorum after manually setting the quorum value · Medium
  15. Potential race condition could allow users to bypass PORTX fee payments · Low
  16. Signature-related code lacks a proper specification and documentation · Medium
  17. Cryptographic primitives lack sanity checks and clear function names · Informational
  18. Use of requests without the timeout argument · Low
  19. Lack of noopener attribute on external links · Low
  20. Use of urllib could allow users to leak local files · Undetermined
  21. The front end is vulnerable to iFraming · Low
  22. Lack of CSP header in the ChainPort front end · Low

Findings extracted from the published report PDF; the full report contains the details and remediation guidance for each finding.