Issues

For insurance quotes, pop up screen reflects 30, 60, 90, 180 days prior to current date. i.e. 60 Day policy reflects as coverage thru March 8, 2025. See screenshot.

Vulnerable URL : https://vfat.io/ Severity : Critical I am writing to inform you about a critical vulnerability that we have identified on your website, which poses a severe risk to your application and its users, and we have discovered a series of interconnected vulnerabilities that will be exploited through clickjacking on the login functionality. Our assessment has revealed that your entire application is vulnerable to clickjacking attacks, thereby exposing your system and users to significant security risks. This vulnerability enables attackers to exploit multiple attack vectors, including account takeover, cross-site scripting (XSS), DOM-based XSS, CSRF attacks, account deletion, user account privilege escalation, victim privilege escalation, malware execution, victim PC hijack, and unauthorized access to user accounts. We have shown you only the login endpoint of your application to make you understand the flaw. This allows malicious actors to manipulate the login process and trick users into unknowingly providing their login credentials. By leveraging this vulnerability, attackers will be able to gain unauthorized access to any user account, potentially compromising sensitive user data and enabling further malicious activities within your system. In the login endpoint, attackers will be able to exploit this vulnerability to steal users' login credentials using X-frame (clickjacking) attacks. By leveraging this flaw, they will be able to gain unauthorized access to any user account, compromising the security and privacy of their email and password. Steps to Reproduce: To demonstrate the vulnerability and its potential impact, we have outlined the following steps to reproduce the exploit: 1) Open a text editor, such as Notepad, and paste the provided code snippet: <!DOCTYPE HTML> <html lang="en-US"> <head> <meta charset="UTF-8"> <title>i Frame</title> </head> <body> <h3>This is clickjacking vulnerable</h3> <iframe src=" https://vfat.io/ " frameborder="200 px" height="500px" width="1000px"></iframe> </body> </html> 2) Save the file with any name, for example, "s.html". 3) Open the saved HTML file in a web browser. Proof of concept: See the attached file. Impact: As it's found to be vulnerable in your whole application endpoints so attackers will be able to do a lot onto your application and onto your users. Attackers will be able to perform credentials stealing which will grant unauthorized access to any user account. More attackers will be able to perform DOM based xss on your users, csrf attacks, cross site scripting attacks, deletion of account, malware execution and in successful malware execution on victim will grant victim PC hijack as well to the attackers. For the login endpoint, Attackers will be able to take over the account of any user using this vulnerability. Attackers will be able to have unauthorized access to any user account enabling each user account privileges. Thus, victim privilege escalation will be performed by attackers. Attackers will be able to take over any account using this attack/vulnerability and perform other malicious attacks. Attackers will be able to take over all the user accounts of your application using this vulnerability. Attackers will be able to have unauthorized access on all the users accounts registered on your application. Also attackers will be able to chain this with other attacks as well like cross site scripting attacks. Attackers will be able to execute malicious scripts on victims using X-Frame (Clickjacking) exploit. Attackers will totally have control on the victim PC as well using x-frame exploits by chaining them with cross site scripting attacks. Attackers will be able to execute malware on victims by chaining them with cross site scripting attacks which will lead to the malware execution on the victim enabling user account privilege escalation, victim privilege escalation and victim PC hijack. Mitigations: To mitigate the clickjacking vulnerability and enhance the security of the login page, we recommend the following measures: Implement X-Frame-Options: Set the X-Frame-Options header to deny or same-origin to prevent your login page from being loaded within an iframe on other domains. Content Security Policy (CSP): Utilize a well-defined CSP to restrict the loading of your login page on external domains, thereby mitigating clickjacking attacks.

I want to partially withdraw 50% of funds in pool CL10-WETH/USDC (PancakeSwap). Keep getting failed transactions with messages "Transaction failed - Execution reverted for an unknown reason." or "Transaction failed - The contract function "decrease" reverted." Tried too disconnect wallet, refresh page, change token to receive to underlying or other tokens. Nothing of these fixes it...?

I can't harvest and keep getting an "unknown error" (see attached). I have already: disconnected wallet and reconnected. Restarted my browser. Restarted my machine. Still getting this issue.

Periodically, transactions, such as harvesting or withdrawing are not showing up in my metamask extension wallet, so I can't perform the actions. There aren't any errors. It's as if meta isn't receiving the information, so I just open it to the front token screen. Meta, however, does have the symbol indicator that there is a connection attempt and meta had already connected to vfat when I hit the connect button in vfat/metamask. Please advise

Pool: CL100-WETH/USDC on Base I've set: Price drops: 100 (Price drops to 100% below position lower boundary (1132.4)) Price rises: 5 (Price rises to 5% above position upper boundary (4238.6)) while focusing in USDC (which is actually important, because this changes). What I would expect by setting 5% for upper boundary is that I don't want to auto-rebalance till the price hits 4238.6 (which is what description says), and by 100% (to not rebalance when the price hits 1132.4). So exactly what descriptions says. So the description of the second custom buffer make sense, however when I go Manual Rebalance to see the Current position, this is when it become confusing, because it's showing this description: Auto-Rebalance buffer lower limit ($-5%). It's confusing, because I've sent to rebalance when it hit 4238.6, but the position shows buffer lower limit at 2927, and upper limit at 10595. So I don't know exactly what's going to happen at 2927. Is this correct, or a bug, or UI issue? Also, the boundaries goes off the area, not a big issue. Another thing is, that when you set in Manual tab Price in USDC or WETH, the values in Auto-Rebalance change (switch places) and it's even more confusing. At this point I'm hesitating to use custom buffers, as I don't know what's going to do. It would be good to have some status section (like for Auto-Compound) to report and summary in form of table what it actually does or waiting for. Update: Actually there is, but it's only visible when price goes out of range.

When picking USDC as a token to receive and specify a value to withdraw there is something wrong with numbers

if you click on idividual user, the position details are not showing

Farm USDT/USDC on BASE/aerodrome (contract 0xe68921dd3923e90e7970c109b0d6f3c4a8b28ca7). It shows USDT but in reality it is oUSDT: see address reported in the farm 0x1217bfe6c773eec6cc4a38b5dc45b92292b6e189 (which is openUSDT) vs address of USDT 0xe68921dd3923e90e7970c109b0d6f3c4a8b28ca7 - if I am not mistaken. Icon of currency shown by vfat is the one of oUSDT, not the icon of USDT.

please have a look to attached image. there is huge difference between APR of selected Farm in Farm table and inside of action table. This is a bug for sure.