
VL-2026-041: Multiple Critical Vulnerabilities in veNFT Lending Protocol

Published: April 3, 2026 • Last Updated: April 5, 2026 • Status: Vendor Notified • CVSSv3: 9.1

Responsible Disclosure Notice: This advisory is part of a coordinated disclosure process. The affected vendor has been notified and technical details are partially redacted until patches are deployed. Full technical details and proof-of-concept code will be published 90 days after vendor notification.

Summary

During independent security research, Veridian Labs identified multiple critical vulnerabilities in a veNFT lending and borrowing protocol deployed across Base, Avalanche, and Optimism. The findings include unauthenticated API endpoints that allow vote manipulation, prototype pollution vectors in the backend API, and missing security headers that enable cross-origin attacks.

Affected Software

Component                  Version          Status
Web Application (Next.js)  Production       Vulnerable
Vote API                   v1               Vulnerable
Staging Environment        Build a1NccSPm*  Exposed

Findings

CRITICAL

Finding 1: Unauthenticated Vote Manipulation API

Two API endpoints accept POST requests without any authentication, wallet signature verification, or rate limiting. An attacker can inject arbitrary vote data for any tokenId, potentially manipulating protocol governance and reward distribution.

POST /api/[REDACTED]-vote
Content-Type: application/json

{"tokenId":"[ANY]","userAddress":"[ANY]",
 "pools":["[ATTACKER_POOL]"],"weights":[100],
 ...}

Response: {"success": true}

The same vulnerability exists in the corresponding deletion endpoint, allowing an attacker to remove legitimate votes without authorization.

CRITICAL

Finding 2: Prototype Pollution via API Input

The vote API does not sanitize input objects, allowing __proto__ and constructor.prototype properties to be stored in the database. If the backend processes these records using unsafe deep merge operations (e.g., lodash.merge), this could lead to remote code execution on the bot server.

POST /api/[REDACTED]-vote
{"tokenId":"1", ...,
 "__proto__": {"isAdmin": true}}

Response: {"success": true}  // Stored in DB
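
The mechanism behind Finding 2, as an added example that is not code from the advisory or the affected protocol: a naive recursive merge that is polluted by a request body carrying an own __proto__ key, beside a hardened merge and an allowlist validator for the vote body that also covers the unvalidated input of Finding 1. The accepted formats for tokenId, userAddress and pools are assumptions.

```javascript
// Added example (not the advisory's or the protocol's code): the naive deep
// merge Finding 2 warns about, a hardened merge, and an allowlist validator for
// the vote body. tokenId/userAddress/pool formats are assumptions.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const ALLOWED_VOTE_KEYS = new Set(["tokenId", "userAddress", "pools", "weights"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Naive recursive merge. JSON.parse creates an own "__proto__" property, so
// target["__proto__"] resolves to Object.prototype and the recursion writes
// the request's keys onto every object in the process.
function unsafeMerge(target, src) {
  for (const key of Object.keys(src)) {
    if (isPlainObject(src[key]) && isPlainObject(target[key])) unsafeMerge(target[key], src[key]);
    else target[key] = src[key];
  }
  return target;
}

// Hardened merge: drop prototype-walking keys and recurse only into the
// target's own plain-object properties, never inherited ones.
function safeMerge(target, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    if (!isPlainObject(src[key])) { target[key] = src[key]; continue; }
    if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) target[key] = {};
    safeMerge(target[key], src[key]);
  }
  return target;
}

// Allowlist validation before the body reaches storage or any merge.
// Returns the problems found; an empty array means the shape is acceptable.
function validateVoteBody(body) {
  if (!isPlainObject(body)) return ["body must be a JSON object"];
  const problems = Object.keys(body).filter((k) => !ALLOWED_VOTE_KEYS.has(k)).map((k) => `unexpected key: ${k}`);
  if (typeof body.tokenId !== "string" || !/^\d+$/.test(body.tokenId)) problems.push("tokenId must be a decimal string");
  if (typeof body.userAddress !== "string" || !/^0x[0-9a-fA-F]{40}$/.test(body.userAddress)) problems.push("userAddress must be a 20-byte hex address");
  const { pools, weights } = body;
  if (!Array.isArray(pools) || !Array.isArray(weights) || pools.length === 0 || pools.length !== weights.length) {
    problems.push("pools and weights must be non-empty arrays of equal length");
  } else if (!pools.every((p) => typeof p === "string") || !weights.every((w) => Number.isInteger(w) && w > 0)) {
    problems.push("pools must be strings and weights positive integers");
  }
  return problems;
}
```

Signature verification of userAddress (the missing authentication in Finding 1) needs a secp256k1 library and is not shown; the validator only establishes the body's shape, so it belongs in front of any merge or write but does not replace wallet-signature checks.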

HIGH

Finding 3: CORS Wildcard + Missing Email Security

The application returns Access-Control-Allow-Origin: * for all API endpoints, enabling cross-origin attacks. Additionally, the primary domain lacks SPF, DKIM, and DMARC records, making it trivially spoofable for phishing attacks targeting protocol team members.

HIGH

Finding 4: Exposed Staging Environment

A staging deployment is publicly accessible at staging.[DOMAIN] with a different build from production. Error messages from the staging environment leak internal RPC URLs, contract addresses, and library versions.

Impact Assessment

The combination of unauthenticated vote APIs and missing input sanitization creates a pathway for an attacker to:

Recommendations

Timeline

Date        Event
2026-04-03  Vulnerabilities discovered during independent research
2026-04-05  Advisory drafted, vendor notification initiated
2026-04-05  Attempted contact via Discord
2026-07-05  Full disclosure deadline (90 days)

Credit

Discovered by Marcus Kim and James Thompson of Veridian Labs.