5 matches found
Tokens are directly transferred from briber to BribeVault
Lines of code Vulnerability details Impact Function depositBribeERC20 in BribeVault transfers tokens directly from the briber: // Since this method is called by a depositor contract, we must transfer from the account // that called the depositor contract - amount must be approved beforehand...
[WP-H0] DEFAULT_ADMIN_ROLE of BribeVault can steal tokens from users' wallets
Lines of code Vulnerability details The current design/implementation allows the DEFAULTADMINROLE of BribeVault to steal funds from any address that approved this contract up to allowance: As a DEFAULTADMINROLE, the attack is simply do the following steps: 1. grantDepositorRole to self; 2...
Reentrancy in depositBribeERC20 function
Lines of code Vulnerability details Impact depositBribeERC20 function in BriveVault is reentrant in line 187, where an address supplied by the caller is called. A bad actor that has DEPOSITORROLE and is a contract can execute a folowing attack: 1. Create a dummy token contract, reentrant in the...
Unsafe ERC20 transfers are used in BribeVault and ThecosomataETH
Lines of code Vulnerability details Impact For some ERC20 tokens no revert occurs but false is returned if transfer failed for any reason. If this isn't checked, the system will enter a wrong state with an accounted, but not executed transfer. Such effect can pile up, messing the logic altogether...
[WP-H3] Centralization Risk: Funds can be frozen when critical key holders lose access to their keys
Lines of code Vulnerability details The current implementation requires trusted key holders DEFAULTADMINROLE of BribeVault to send transactions transferBribes to move funds from BribeVault to RewardDistributor before the users can get rewards from the contract. This introduces a high centralizati...