39 matches found
Locked ether
Lines of code Vulnerability details Impact In contract Party.sol there is a receive declared. This means that the contract can accept eth payments. But there is no function defined to withdraw those sent ether. So if a user accidentally sent ether to the contract, the ether would be locked, as...
Withdraw Function hasn't Timelock
Lines of code Vulnerability details Withdraw Function Timelock should be added, it is a very important criterion for investors.
Some tokens may break VotingScrow contract in transfer and transferFrom functions
Lines of code Vulnerability details Some ERC20 tokens such as USDT don't return boolean values from transfer and transferFrom methods. The require checks will therefore revert causing the functions to be unusable. Impact This would prevent withdraw and createLock functions t...
wfCashERC4626.withdraw() missing some asset balance checks and calculations can drain contract
Lines of code Vulnerability details Impact The withdraw function in wfCashERC4626.sol has no check for asset token balanceOf and calculations before and after transfer. With this, a user can keep calling withdraw multiple times and keep gaining more assets. Proof of Concept 1. Assume redeemIntern...
UpdateReward Modifier is brickable
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. The private variable RewardTokens is an unbounded list of addresses that the modifier updateReward loops over and updates the state variable rewardTokenInfo. The gas consumption can become increasingly...
In VoterProxy the address veAsset is not added to protectedTokens[] list so it's possible to call withdraw() with veAsset address by stash protocol and withdraw veAsset Balance of VoterProxy
Lines of code Vulnerability details Impact Stash contract can withdraw extra incentive reward tokens out of VoterProxy contract, and Stash calls withdraw function of VoterProxy for extra reward tokens of gauges. but veAsset was in gauges reward tokens then Stash will call withdraw with veAsset...
Rugpull vector : a single admin address can withdraw all funds
Lines of code Vulnerability details Impact Someone with access to admin keys could rug pull all funds Proof of Concept The gravity.sol contract should work as an escrow to mint equivalent tokens in the cosmos chain. This is maintained by a system of validators. The possible decentralization of th...
[WP-H4] Deleting nft Info can cause users' nft.unpaidRewards to be permanently erased
Lines of code Vulnerability details function withdrawuint256 nftId, address payable to external whenNotPaused nonReentrant address msgSender = msgSender; uint256 nftsStakedLength = nftIdsStakedmsgSender.length; uint256 index; for index = 0; index...
QA Report
Low and non-critical bugs wrong implementation of ERC4626RouterBase's withdraw function In the interface we can see the function description: / @notice withdraw amount from an ERC4626 vault. @param vault The ERC4626 vault to withdraw assets from. @param to The destination of assets. @param amount...
missing check on claimed token
Lines of code Vulnerability details Impact the withdraw can be used by user to claim a token, however this function didn't check if the user had already claimed or not, therefore setting claimedtokento = true; is useless, therefore the user can claim multiple times, till the contract is...
All Tokens Can Be Stolen From Shelter Contract
Lines of code Vulnerability details Impact function withdrawIERC20 token, address to external override requireactivatedtoken != 0 && activatedtoken + GRACEPERIOD block.timestamp, "shelter not activated"; uint256 amount = savedTokenstoken client.shareOftoken, msg.sender / client.totalSharetoken;...
[WP-M1] withdraw() transactions can often fail
Handle WatchPug Vulnerability details function withdraw address to, uint256 memory ids, bool force internal uint256 localTotalShares = totalShares; uint256 localTotalPrincipal = totalUnderlyingMinusSponsored; uint256 amount; for uint8 i = 0; i ids.length; i++ amount += withdrawDeposit idsi,...
Failed transfer with low level call could be overlooked
Handle harleythedog Vulnerability details Impact There are several places where low level call is used within the contract. In particular, in SavingsAccount.sol, the external withdraw function has the to argument, which is eventually used in this code in transfer: bool success, = to.callvalue:...
unstreamed variable is not updated in withdraw function
Handle csanuragjain Vulnerability details Impact Contract variable unstreamed is not updated in withdraw function which can lead to instability Proof of Concept 1. Observe the stake function of Stream contract function stakeuint112 amount public lock updateStreammsg.sender ... unstreamed +=...
User funds are lost in case of non supported market token deposit
Handle csanuragjain Vulnerability details Impact User funds can be lost as current logic cannot withdraw unsupported market token even though deposit can be done for same Proof of Concept 1. Navigate to 2. Check the function deposit function depositaddress token, uint256 amount external override...
withdraw() not defined (Router.sol#217)
Handle 7811 Vulnerability details Impact withdraw not defined. iWBNBWBNB.withdrawamount; Router.sol217 Proof of Concept Tools Used editor Recommended Mitigation Steps
Rewards cannot be withdrawn
Handle @cmichelio Eth address 0x6823636c2462cfdcD8d33fE53fBCD0EdbE2752ad Vulnerability details The rewards for a recipient in IncentiveDistribution.sol are stored in the storage mapping indexed by recipient accruedRewardrecipient and the recipient is the actual margi...
Other vulnerabilities in Ethereum smart contract FALCON 0x5AEf06eC39e98c05201ee1e54b653c372ECb9Cf3
FALCON is an ERC20 token on ethereum. The smart contract address is 0x5AEf06eC39e98c05201ee1e54b653c372ECb9Cf3, and its function Mining24 on line 102 can modify Owner and has no permission check, leading to an attacker being able to call the withdraw function line 274 to transfer all the ether in...
Other vulnerabilities exist in the ethereum smart contract Tubigo 0x43EFc486d1c7c5Cb0193E409a73Aa33786F5197c
TubigoToken is an ERC20 token on a table. The smart contract address is 0x43EFc486d1c7c5Cb0193E409a73Aa33786F5197c, and its function Mining24 at line 102 can modify the Owner without any permission check. The attacker can call the withdraw function line 274 to transfer all the ether in the contra...