WhisperX tag archive

#stellar

This page collects WhisperX intelligence signals tagged #stellar. It is designed for humans, search engines, and AI agents: each item links to a canonical source-backed record with sector, source, timestamp, credibility, and exportable structured data.

Latest Signals (11)

The Lab · 2026-04-04 11:26:58 · GitHub Issues

1. Soroban HTLC Vulnerability: Critical TTL Flaw Risks Permanent Fund Loss

A critical vulnerability in the Soroban HTLC smart contract risks the permanent loss of user funds due to a fundamental flaw in how storage entries are managed. The contract fails to properly extend the Time-To-Live (TTL) for lock entries, meaning they can expire and be garbage collected before the associated timelock ...

The Lab · 2026-04-08 10:27:01 · GitHub Issues

2. Henyey Stellar Fork Risk: SetOptions Missing Critical Home Domain Validation

A security audit has confirmed a critical flaw in the Henyey Stellar implementation that could trigger a consensus fork. The `execute_set_options` function fails to validate the content of the `home_domain` field, accepting any byte sequence. This directly contradicts the official stellar-core behavior, which stric...

The Lab · 2026-04-08 11:27:21 · GitHub Issues

3. Stellar Core Audit: Path Payment & Offer Operations Missing Critical Asset Validity Checks

A security audit of the Stellar blockchain's core transaction processing code has confirmed a medium-severity vulnerability. The code responsible for executing path payment and manage sell offer operations lacks essential checks to validate the legitimacy of the digital assets involved. This omission creates a potentia...
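Both items above (the `home_domain` check in item 2 and the asset validity checks in item 3) are cases where a port of stellar-core dropped a validation that upstream performs on every operation. The block below is an added example, not code from Henyey, stellar-core or any audited project: it shows the shape of the checks a port must keep in lock-step with upstream. The concrete rules it enforces (printable ASCII for `home_domain`, alphanumeric asset codes with trailing zero padding only, a minimum of five characters for the 12-byte code form) are assumptions drawn from memory of stellar-core's behaviour and must be confirmed against the upstream source before being relied on; the asset object shape and the function names are this example's own.

```javascript
// Added example (not Henyey's, stellar-core's or any audited project's code).
// The concrete rules below are ASSUMPTIONS about stellar-core's validity checks
// and must be confirmed against the upstream source before use in a port.

// ASSUMED: home_domain is at most 32 bytes of printable ASCII (0x20..0x7E).
// Accepting any byte sequence here (the flaw in item 2) means a port applies
// a transaction that upstream rejects, which is exactly what forks consensus.
function isHomeDomainValid(homeDomain) {
  if (typeof homeDomain !== 'string') return false;
  const bytes = Buffer.from(homeDomain, 'utf8');
  if (bytes.length > 32) return false;
  return bytes.every((b) => b >= 0x20 && b <= 0x7e);
}

function isAlnum(b) {
  return (b >= 0x30 && b <= 0x39) || (b >= 0x41 && b <= 0x5a) || (b >= 0x61 && b <= 0x7a);
}

// Pads a code string into the fixed-width byte field used on the wire.
function assetCode(text, width) {
  const out = new Uint8Array(width);
  out.set(Buffer.from(text, 'latin1').subarray(0, width));
  return out;
}

// ASSUMED: an asset code is a 4- or 12-byte field holding alphanumeric ASCII,
// padded only with trailing zero bytes, non-empty, and (12-byte form) >= 5 chars.
function isAssetCodeValid(code, width) {
  if (!(code instanceof Uint8Array) || code.length !== width) return false;
  let padding = false;
  let chars = 0;
  for (const b of code) {
    if (b === 0) { padding = true; continue; }
    if (padding || !isAlnum(b)) return false; // byte after padding began, or non-alnum
    chars += 1;
  }
  return chars > 0 && (width === 4 || chars >= 5);
}

// Shape check only for the issuer account id (StrKey 'G...', 56 chars);
// full checksum verification of the StrKey is a separate concern.
const ISSUER_SHAPE = /^G[A-Z2-7]{55}$/;

// Asset objects use this example's own shape, not the XDR union.
function isAssetValid(asset) {
  if (!asset) return false;
  switch (asset.type) {
    case 'native':
      return true;
    case 'credit_alphanum4':
      return isAssetCodeValid(asset.code, 4) && ISSUER_SHAPE.test(asset.issuer);
    case 'credit_alphanum12':
      return isAssetCodeValid(asset.code, 12) && ISSUER_SHAPE.test(asset.issuer);
    default:
      return false;
  }
}

// The check a path payment needs before it touches any order book: every
// asset it names (send, destination and each hop of the path) must be valid.
// Returns the result code this example uses; upstream has its own enum.
function checkPathPaymentAssets(op) {
  const assets = [op.sendAsset, op.destAsset, ...(op.path || [])];
  return assets.every(isAssetValid) ? 'OK' : 'MALFORMED';
}
```

The point of keeping these as tiny pure functions is that they can be diffed against upstream test vectors: feed the port the same malformed codes and domains that stellar-core's own tests reject, and any divergence shows up before it shows up as a fork.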

The Lab · 2026-04-08 11:27:26 · GitHub Issues

4. Stellar Core Audit: Compat HTTP Upgrades Handler Missing Critical Soroban Parameter Support

A security audit of the Stellar network's compatibility layer has confirmed a significant oversight: the HTTP endpoint for network upgrades silently ignores three critical configuration parameters. The `/upgrades?mode=set` handler, located in `crates/app/src/compat_http/handlers/plaintext.rs`, parses only six parameter...

The Lab · 2026-04-18 00:22:33 · GitHub Issues

5. Soroban Validator Security Gap: Query Server Allowed on Networked Nodes, Contradicting Stellar-Core

A critical configuration validation gap has been confirmed in the Soroban smart contract platform's validator software. The `app` crate's configuration logic fails to enforce a key security rule, allowing a query server to be enabled on a networked validator node. This directly contradicts the upstream guard in the Ste...

The Lab · 2026-04-20 17:23:10 · GitHub Issues

6. Stellar Service Exposes Private Keys in HTTP Requests — Critical Security Flaw in Payment Endpoint

A critical security vulnerability has been identified in a Stellar-based payment service, whose core payment endpoint receives users' private keys in plaintext within HTTP request bodies. The flaw is in the `POST /intent` endpoint, which directly accepts the `fromSecret` parameter (a Stellar private key) from i...

The Lab · 2026-04-22 12:27:28 · GitHub Issues

7. Nester dApp Frontend Stores Wallet Addresses in localStorage — Creates XSS and Third-Party Script Exposure Risk

A critical security concern has been raised in the Nester decentralized application frontend. The `wallet-provider.tsx` component, located at `apps/dapp/frontend/components/wallet-provider.tsx`, persistently stores the connected wallet's public key and wallet provider identifier in the browser's `localStorage` under th...

The Lab · 2026-04-22 12:27:30 · GitHub Issues

8. Stellar APY Relayer Vulnerability: Unsanitized ProtocolID Opens Path Traversal and SSRF Attack Surface

A critical security flaw has been identified in a Stellar APY relayer implementation. The `FetchProtocolAPY` function in `internal/stellar/apy_relayer.go` constructs HTTP request URLs by concatenating a base URL with a `protocolID` parameter sourced directly from the on-chain yield registry, without any U...
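What plain concatenation of a base URL and a registry-controlled identifier actually yields is easy to see with the WHATWG `URL` parser, which is also what a hardened builder should use. The block below is an added example in JavaScript, not the relayer's Go code: `naiveApyUrl` reproduces the concatenation pattern the item describes, and `safeApyUrl` is one way to close it. The base URL, the identifier allowlist pattern and the function names are this example's assumptions; the relayer's real base URL and registry format are not on the page.

```javascript
// Added example, not the relayer's code. Reproduces the flaw described above
// (URL built by string concatenation with an attacker-influenced protocolID)
// and one hardened alternative. Base URLs and names here are ASSUMED.

// The vulnerable pattern: whatever the registry entry contains is glued onto
// the base. The parser then decides what host and path that text means.
function naiveApyUrl(baseUrl, protocolId) {
  return new URL(baseUrl + protocolId);
}

// ASSUMED allowlist for registry identifiers: lowercase alphanumerics, '-', '_'.
// A positive allowlist is the primary control; the checks after parsing are
// defense in depth in case the allowlist is later loosened.
const PROTOCOL_ID_RE = /^[a-z0-9][a-z0-9_-]{0,63}$/;

function safeApyUrl(baseUrl, protocolId) {
  if (typeof protocolId !== 'string' || !PROTOCOL_ID_RE.test(protocolId)) {
    throw new Error(`rejected protocolId: ${JSON.stringify(protocolId)}`);
  }
  const base = new URL(baseUrl);
  if (base.protocol !== 'https:') throw new Error('base URL must be https');
  if (!base.pathname.endsWith('/')) base.pathname += '/'; // resolve as a child segment
  const url = new URL(encodeURIComponent(protocolId), base);
  // The resolved URL must stay on the base origin, under the base path, and
  // carry no query or fragment the identifier could have smuggled in.
  if (url.origin !== base.origin || !url.pathname.startsWith(base.pathname) ||
      url.search !== '' || url.hash !== '') {
    throw new Error('resolved URL escaped the base');
  }
  return url.href;
}

// Helper for callers that want a boolean instead of an exception.
function isSafeProtocolId(baseUrl, protocolId) {
  try { safeApyUrl(baseUrl, protocolId); return true; } catch { return false; }
}
```

Two identifiers worth trying against `naiveApyUrl` with a base of `https://api.example.com`: `.attacker.example/apy` turns the host into `api.example.com.attacker.example` (SSRF to an attacker host), and with a base path of `/v1/apy/` the identifier `../../admin/config` resolves to `/admin/config` on the same host (path traversal into other routes). `safeApyUrl` rejects both before a request is ever built.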

The Vault · 2026-04-26 15:54:08 · GitHub Issues

9. Nuup Custodial Wallet Vulnerability: Stellar Private Keys Stored Unencrypted in Database Despite Encryption Field

A critical security gap has been identified in Nuup's custodial wallet infrastructure. The platform's `Wallet` model includes an `encrypted_secret` field intended to store AES-256-CBC encrypted Stellar private keys, but the actual implementation in `authController.js` stores raw secret keys in plaintext. This means any...

The Lab · 2026-04-28 12:54:12 · GitHub Issues

10. Critical Auth Bypass in Soroban Fraud-Prevention Contract Allows Publisher Suspension Impersonation

A critical authentication bypass vulnerability has been identified in the `flag_suspicious` function within the fraud-prevention module of a Soroban smart contract deployment. The flaw, documented in `contracts/fraud-prevention/src/lib.rs`, enables any external account to impersonate an authorized admin or oracle opera...

The Lab · 2026-05-11 08:10:39 · GitHub Issues

11. Stellar Hackathon Registry Exposed: Missing Emergency Pause Creates Critical Attack Surface

A critical security gap has been identified in the hackathon_registry smart contract within the Stellar ecosystem. The contract lacks an emergency pause mechanism—a failsafe that its sibling contract, core_escrow, explicitly implements through pause_routing. Without this capability, administrators have no way to halt o...