3 matches found
Unchecked return value of low-level call()/delegatecall()
Lines of code: 120, 141, 411, 184, 160, 189, 152, 444, 625, 638 https://github.com/Tapioca-DAO/tapioca-bar-audit/blob/2286f80f928f41c8bc189d0657d74ba83286c668/contract...
In the BaseTOFT, removeCollateral(), any marketHelper can be specified, allowing all the ETH to be stolen from a mTapiocaOFT with ETH as erc
Lines of code. Vulnerability details. Impact: All the ETH in mTapiocaOFT can be stolen, which is relevant when the underlying asset erc is ETH. Proof of Concept: mTapiocaOFT allows removing collateral from Singularity through a cross chain call, but the address of the MarketHelper is not validated. T...
TOFT in (m)TapiocaOft contracts can be stolen by calling removeCollateral() with a malicious removeParams.market
Lines of code. Vulnerability details. Impact: The TOFT available in the TapiocaOFT contract can be stolen when calling removeCollateral with a malicious market. Proof of Concept: mTapiocaOFT inherits BaseTOFT, which has a function removeCollateral that accepts a market address as an argument. This...