Trail of Bits

DFINITY Orbit

Type: Security review

Client: DFINITY

Date: 2025-09

Domain: Crypto

Effort: 4 wks

Section: Cryptography Reviews

Trail of Bits's security review of DFINITY (Sep 2025) identified 23 issues: 2 high, 2 medium, 5 low, 13 informational, and 1 undetermined.

Findings · 23

  1. Paginated queries may return the wrong list of items (Medium)
  2. Transfer execution function may set an incorrect transfer status (Informational)
  3. The station accepts invalid transfers (Informational)
  4. The station canister allows for the creation of invalid assets (Informational)
  5. Insufficient validation of address book addresses (Informational)
  6. Request specifier validation does not validate canister IDs (Informational)
  7. Use of old Rust toolchain (Informational)
  8. Outdated and vulnerable dependencies (Informational)
  9. ShellCheck warnings (Informational)
  10. Overly broad GitHub workflow permissions (Low)
  11. Potential credential persistence through GitHub actions artifacts (Informational)
  12. Unpinned external GitHub CI/CD action versions (Low)
  13. New requests may arbitrarily delay earlier requests (Low)
  14. Web UI shows an update’s result, not its diff (High)
  15. Metadata rules allowed where they are inapplicable (Medium)
  16. request_recovery silently fails if caller is not a committee member (Low)
  17. Asset edit requests can set conflicting or invalid asset metadata (High)
  18. The asset edit API endpoint ignores request expiration times (Low)
  19. Request approval submission API does not update modification timestamp (Informational)
  20. Balance request API silently ignores invalid account IDs (Informational)
  21. Ad hoc validation of request operation inputs (Informational)
  22. Measurable test coverage is low (Undetermined)
  23. validate_dependencies is not recursive (Informational)

Findings extracted from the published report PDF. See the full report below for details and remediation.
