7 matches found
Clawdrain: Exploiting Tool-Calling Chains for Stealthy Token Exhaustion in OpenClaw Agents
Modern generative agents such as OpenClaw - an open-source, self-hosted personal assistant with a community skill ecosystem, are gaining attention and are used pervasively. However, the openness and rapid growth of these ecosystems often outpace systematic security evaluation. In this paper, we...
Attacker can drain the token from the user's account
Lines of code Vulnerability details Vulnerability details Impact There is a potential vulnerability if the increaseLPAllowance function is not implemented safely and allows for arbitrary increases to the token allowance. File: ajna-core/src/PositionManager.sol pool.increaseLPAllowanceowner,...
All the FRX_ETH tokens of SfrxEth contract can be drained by a malicious user.
Lines of code Vulnerability details Impact The impact of this finding is severe, as it can result in the complete loss of FRXETH tokens held by the SfrxEth contract. This could lead to a significant financial loss for the contract and its users. Proof of Concept For demonstration purpose, Alice i...
Reentrancy attack to swap()
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. A malicious contract can initiate a reentrancy attack to the swap function: it can swap token0 for token1, receiving token0 but without effectively providing the due token1 amount used to mint instead...
Reentrancy attacks : if the functions in the interfaces are called in a malicious contract that calls back into the calling contract before the first call completes.
Lines of code Vulnerability details Impact Reentrancy attacks could be possible if the functions in the interfaces are called in a malicious contract that calls back into the calling contract before the first call completes. Proof of Concept A malicious contract is created that calls the...
Seller can game the bidIndices[] in finalize()
Lines of code Vulnerability details Impact High bidders will be taken advantage of by malicious seller. It is likely that the high bidders will place bids above the market price, then the seller can effectively steal the price difference from them. And the other bidders are grieved, wasting time...
Re-entrancy in wfCashERC4626.redeem() can lead to more gains in assets and/or shares
Lines of code Vulnerability details Impact The redeem function in wfCashERC4626.sol can be re-entered at the point of redeemInternal. Assume underlying tokens are sent to receiver after shares are burnt, and user re-enters redeem after redeemInternal is completed., P.S: there's a separate issue o...