3 matches found
DEPLOYER can drain underlying asset deposited by AaveV2Strategy and drain SHER token in SherDistributionManager
Handle wuwe1 Vulnerability details Proof of Concept For sdm. DEPOLYER can call pullReward and send arbitrary amount of sher in sdm to the DEPOLYER. For AaveV2Strategy.sol , attacker can call withdrawAll and drain the underlying asset if there is any. Recommended Mitigation Steps Add Timelock on...
isActive doesn't prevent owner from sweeping token from AaveV2Strategy, SDM and SPM
Handle wuwe1 Vulnerability details Proof of Concept isActive appear in these places: owner can bypass isActive check by setting a different address in sherlockCore Recommended Mitigation Steps Add Timelock on setting sherlockCore. --- The text was updated successfully, but these errors were...
setSherlockCoreAddress can be frontruned.
Handle wuwe1 Vulnerability details Proof of Concept SherDistributionManager.sol and AaveV2Strategy.sol are affected by this. For sdm, attacker can monitor mempool and frontrun the setSherlockCoreAddress . By setting the sherlockCore as a address controlled by attacker. Attacker can call pullRewar...