1/ percolator-prog: TradeCpi lets a taker force a position onto any margined LP who never signed the txs. The program trusts a "matcher consent" account to stand in for the LP - but that account is attacker-owned and writable, so you just write the bytes a real opt-in would. there's no engine-enfor
@toly·2026年6月4日·ネガティブ
記事を読むAI要約
A vulnerability in TradeCpi lets attackers force positions onto LPs without their consent due to a flawed consent mechanism.
関連プロジェクト
