13 matches found
CVE-2025-70956
Summary of CVE-2025-70956 (TON TVM) : A State Pollution vulnerability exists in TON’s Virtual Machine (TVM) prior to v2025.04, in RUNVM’s VmState::run_child_vm. The code moves critical resources (libraries and logs) from the parent to a new child VM in a non-atomic fashion. If an Out-of-Gas (OOG)...
Improper Resource Limitation
github.com/mantra-chain/mantrachain is vulnerable to improper resource limitation. The vulnerability is due to the send hooks not enforcing transaction gas limits, which allows an attacker to trigger recursive wasm contract calls that exponentially exhaust gas...
CVE-2025-61595 MANTRA tx gas limit is not enforced in send hooks
MANTRA is a purpose-built RWA Layer 1 Blockchain, capable of adherence to real world regulatory requirements. Versions 4.0.1 and below do not enforce the tx gas limit in its send hooks. Send hooks can spend more gas than what remains in tx, combined with recursive calls in the wasm contract,...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the send hooks. An attacker can exhaust system resources by triggering excessive gas consumption through recursive calls in the wasm contract. Remediation There is no fixed versio...
PT-2025-40058
Name of the Vulnerable Software and Affected Versions MANTRA versions prior to 4.0.2 Description The software does not enforce transaction gas limits within its send hooks. This allows send hooks to consume more gas than available in the transaction, and recursive calls within the WebAssembly Was...
PYSEC-2025-33
Vyper is a Pythonic Smart Contract Language for the EVM. When the Vyper Compiler uses the precompiles EcRecover 0x1 and Identity 0x4, the success flag of the call is not checked. As a consequence an attacker can provide a specific amount of gas to make these calls fail but let the overall executi...
Upgraded Q -> 2 from #203 [1699029806392]
Judge has assessed an item in Issue 203 as 2 risk. The relevant finding follows: L-1 Function updateScores spends all gas and reverts if a user has score updated Summary Function updateScores incorrectly handles case when a user’s score is already updated. Vulnerability Details There is a for loo...
setWithdrawalQueue never removes items from the queue and can get out of gas
Lines of code Vulnerability details Impact setWithdrawalQueue calls delete, this sets to 0 each element of the array rather than removing elements what it's done with .pop. After that, strategies are pushed in a for loop, therefore, each time setWithdrawalQueue is called, length of the queue is...
Upgraded Q -> 2 from #154 [1676532286167]
Judge has assessed an item in Issue 154 as 2 risk. The relevant finding follows: Quest.claim can risk gas exhaustion on large receipt claims due to multiple mandatory loops function claim public virtual onlyQuestActive if isPaused revert QuestPaused; uint256 memory tokens =...
Unbounded loop can block claim
Lines of code Vulnerability details Unbounded loop can block claim Impact There are no bounds on the number of rewardTokens in the loop, this can run out of gas due to cost of the operations. Proof Of Concept function claimERC20 producerToken, address user external ... uint256 rLen =...
# Potential unbounded loops in JBTiered721DelegateStore
Lines of code Vulnerability details Impact Multiple loops in JBTiered721DelegateStore are iterating over maxTierIdOf for a nft address. This value is incremented when calling recordAddTiers. The contract doesn't seem to have a functionality for decreasing this value. Proof of Concept Over time...
ConcentratedLiquidityPoolHelper: getTickState() might run out of gas
Handle hickuphh3 Vulnerability details Impact getTickState attempts to fetch the state of all inserted ticks including MINTICK and MAXTICK of a pool. Depending on the tick spacing, this function may run out of gas. Recommended Mitigation Steps Have a starting index parameter to start the iteratio...
Removing NFT could exceed block size limit
Handle Sherlock Vulnerability details Impact On line 129 it loops over all the NFTs stored in the contract. Although a break statement is included it can cause the transaction to run out of gas in case of an extreme amount of NFTs Proof of Concept N/A Tools Used Hardhat Recommended Mitigation Ste...