Inclusion of Sensitive Information in Source Code

Property
Language: apex
Severity: high
CWE: CWE-540: Inclusion of Sensitive Information in Source Code
Confidence Level: High
Impact Level: High
Likelihood Level: Low

Description

Named Credentials (and callout endpoints) should be used instead of hard-coding credentials.
1. Hard-coded credentials are hard to maintain when mixed in with application code.
2. It is particularly hard to update hard-coded credentials when they are used across different classes.
3. Granting a developer access to the codebase means granting knowledge of the credentials, so a two-level access model is not possible.
4. Using different credentials for different environments is troublesome and error-prone.

Inclusion of Sensitive Information in Source Code

Property
Language: yaml
Severity: low
CWE: CWE-540: Inclusion of Sensitive Information in Source Code
OWASP: A01:2021 - Broken Access Control
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

$VALUE Found a string literal assignment to a production Rails session secret in secrets.yaml. Do not commit secret values to source control! Any user in possession of this value may falsify arbitrary session data in your application. Read this value from an environment variable, KMS, or file on disk outside of source control.

Inclusion of Sensitive Information in Source Code

Property
Language: ruby
Severity: medium
CWE: CWE-540: Inclusion of Sensitive Information in Source Code
OWASP: A01:2021 - Broken Access Control
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

The application assigns a hardcoded string value to a Rails session secret (such as secret_key_base) directly in the source code. Storing secrets this way exposes them to anyone with access to the codebase, making it insecure.

Impact

If an attacker obtains the exposed session secret, they can forge or tamper with session data, potentially impersonating users or escalating privileges. This compromises user authentication and can lead to unauthorized access, data breaches, and loss of trust.

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Property
Language: hcl
Severity: medium
CWE: CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
OWASP: A04:2021 - Insecure Design
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Low

Description

The app service is not configured to use HTTP/2, which means it may be missing important security and performance updates provided by newer protocols. Enabling HTTP/2 helps ensure secure and efficient communication between clients and your application.

Impact

If HTTP/2 is not enabled, the app may be more susceptible to certain attacks like HTTP request smuggling, and could miss out on protocol-level security improvements. This can expose the application to vulnerabilities that could allow attackers to intercept, manipulate, or disrupt traffic, potentially compromising user data or application functionality.

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Property
Language: hcl
Severity: low
CWE: CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
OWASP: A04:2021 - Insecure Design
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The Azure Function App resource is not configured to use HTTP/2 by setting 'http2_enabled = true'. This means your app may be using an older HTTP version that lacks important security and performance improvements.

Impact

Without HTTP/2 enabled, your function app is more susceptible to certain security issues like request smuggling and may miss out on protocol-level protections. Attackers could exploit these weaknesses to interfere with HTTP requests or degrade service reliability, potentially leading to unauthorized access or data leaks.

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Property
Language: generic
Severity: low
CWE: CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
OWASP: A04:2021 - Insecure Design
Confidence Level: Medium
Impact Level: Low
Likelihood Level: Low

Description

Conditions for Nginx H2C smuggling identified. H2C smuggling upgrades an HTTP/1.1 connection to the lesser-known HTTP/2 over cleartext (h2c) protocol, which can bypass reverse proxy access controls and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate:
1. WebSocket support required: allow only the value websocket in HTTP/1.1 Upgrade headers (e.g., Upgrade: websocket).
2. WebSocket support not required: do not forward Upgrade headers.

Incorrect Authorization

Property
Language: apex
Severity: medium
CWE: CWE-863: Incorrect Authorization
OWASP: A01:2021 - Broken Access Control
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

Native Salesforce DML operations execute in system context, ignoring the current user’s permissions, field-level security, organization-wide defaults, position in the role hierarchy, and sharing rules. Be mindful when using native Salesforce DML operations.

Incorrect Calculation

Property
Language: solidity
Severity: high
CWE: CWE-682: Incorrect Calculation
Confidence Level: High
Impact Level: High
Likelihood Level: Low

Description

Using Keep3rV2.current() to fetch price data exposes your contract to oracle manipulation, as an attacker only needs to alter two data points to influence the reported value. This makes the price feed unreliable for critical operations like swaps, lending, or liquidations.

Impact

If exploited, an attacker could manipulate token prices within your contract, leading to financial losses such as draining funds, executing unfair trades, or triggering unintended liquidations. This could compromise user funds and damage trust in your application.

Incorrect Calculation

Property
Language: solidity
Severity: high
CWE: CWE-682: Incorrect Calculation
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: High

Description

The code performs Uniswap v2/v3 token swaps without a proper slippage check: the minimum output (or maximum input) value is set to zero or to the maximum possible value. This means trades can execute even if the price moves drastically against the user.

Impact

Without a slippage check, attackers or front-runners can manipulate prices so users receive far fewer tokens than expected during a swap, causing significant financial losses. This undermines user trust and can result in drained assets from the contract or user accounts.

Incorrect Calculation

Property
Language: solidity
Severity: medium
CWE: CWE-682: Incorrect Calculation
Confidence Level: Low
Impact Level: High
Likelihood Level: Medium

Description

The price oracle calculates token prices based on current reserves and total supply, but does not protect against rapid manipulation (e.g., via flashloans). This allows attackers to temporarily skew prices and exploit the system before the calculation resets.

Impact

An attacker can use flashloans to artificially inflate or deflate asset prices, enabling theft of funds, draining of liquidity pools, or unfair arbitrage. This could lead to major financial losses and undermine trust in your smart contract or platform.