Front-Running during Proxy Creation

Lines of code Vulnerability details Impact An ill-intentioned party might front run every proxy contracts creation and deploy one first causing the transaction for every user to revert. It is worth noting that for this attack to succeed, the attacker would need to get their transaction mined in t...

amount could still have some dust left

Lines of code Vulnerability details Impact Amount can still remain after transfer process that can lead unbalancing of length between sources, targets and amount that can lead to unexpected behavior. Proof of Concept There is no means to check inside delegateMulti function that either all amount ...

Possibility of losing users funds due to not checking for zero address (address 0x0)

Lines of code Vulnerability details Impact As there is no function for checking whether the addresses of the sources and targets are zero or not in the delegateMulti function it may cause issues for users Sending tokens to a zero address address 0x0 is generally not a recommended practice in...

DakshSCRA - Source Code Review Assist

Daksh SCRA Source Code Review Assist tool is built to enhance the efficiency of the source code review process, providing a well-structured and organized approach for code reviewers. Rather than indiscriminately flagging everything as a potential issue, Daksh SCRA promotes thoughtful analysis,...

The reality of Apple watch pen testing

Introduction We were approached to do an Apple Watch application test. It seems this isnt a service offered by many companies including us, although we’ve done plenty of work on Android Wear before but also, little information exists online about attempts, experiences or if it’s even possible. So...

Access control vulnerability due to dismissive git & test politics

Lines of code Vulnerability details Impact High risk access control vulnerability due to overutilizing rewards logic Proof of Concept Commenting out accessibility checks may lead to overutilizing existing rewards logic Tools Used Manual review Recommended Mitigation Steps git diff test coverage...

Time-weighted liquidity accounting assumes consecutive activity; double counting possible, needs validation.

Lines of code Vulnerability details Impact Time-weighted liquidity accounting in accrueConcentratedPositionTimeWeightedLiquidity and similar functions assumes ticks were active consecutively between entry/exit timestamps. However, a tick could exit and re-enter in the same week, leading to double...

Protect against griefing by allowing only owner to manipulate global liquidity.

Lines of code Vulnerability details Impact There don't seem to be protections against a malicious actor griefing others by manipulating the global liquidity accounting. This could potentially block honest users from claiming their earned rewards. Proof of Concept The main risk of griefing by...

Gas Limit Issues/DoS with Block Gas Limit

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Iterating through the users array without a limitation might cause the function to consume a lot of gas, especially when the array size is large. It may potentially reach the block gas limit and get...

Lack of Input Validation

Lines of code Vulnerability details Impact Neither function appears to validate the length of the users array, which opens the door for misuse or unexpected behavior. Proof of Concept A user can pass an empty array or an exceedingly large array to disrupt expected behavior. Tools Used Manual code...

PT-2024-14766

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description The issue is related to a possible out-of-bound write in the ath12k wmi ext hal reg caps function. The reg cap.phy id is extracted from a WMI event and could be an unexpected value in ca...

curl: NULL Pointer dereference in idn.c

Vulnerability description not provided...

Qualys Is the Outperformer in the New GigaOm Radar Report for Continuous Vulnerability Management

GigaOm has unveiled its third-annual Radar for Continuous Vulnerability Management featuring Qualys. In this Report, GigaOm provides a detailed analysis of the value and progression of vulnerability management VM capabilities to help organizations build the best security and vulnerability...

The onlySeaport is a single point of failure and a centralization risk

Lines of code Vulnerability details Impact The onlySeaport holds a lot of power within the system, which can compromise the system integrity and it's permission-less nature. Having a single EOA as onlySeaport is a large centralization risk and a single point of failure. A single private key may b...

The code uses assembly for memory allocation, which can be complex and prone to errors.

Lines of code Vulnerability details Impact The code uses assembly for memory allocation, which can be complex and prone to errors. Inefficient memory management can lead to gas inefficiency and potential vulnerabilities. Proof of Concept The code uses assembly for memory allocation, which can be...

A user with the BURNER_ROLE role should be able to burn rUSDY tokens from the balance of a blocked address

Lines of code Vulnerability details Impact There are functions for blocking users: setBlocklist - setAllowlist - setSanctionsList - Suppose the user has rUSDY tokens. Then it was added to the blocklist. His tokens will then be blocked. There is a burn function where you can burn rUSDY tokens from...

Attacker can steal funding yield from the PerpetualAtlanticVaultLP contract atomically

Lines of code Vulnerability details Impact An attacker is able to atomically steal large amounts of the funding yield from the PerpetualAtlanticVaultLP contract. This is due to the fact that the deposit function of the PerpetualAtlanticVaultLP contract will first issue the attacker shares based o...

Division before multiplication incurs larger precision loss

Lines of code Vulnerability details Impact There are couple of instance of using result of a division for multiplication while can cause larger precision loss. Proof of Concept In contract EvolvingProteus.sol, value of int128 two at line 709 is calculated by using ABDKMath64x64.divu function. The...

Invalid Error Reverts in Some Cases

Lines of code Vulnerability details Description: While reviewing the code, I noticed that there is a potential issue with the error revert conditions in the getPointGivenXandUtility and getPointGivenYandUtility functions. The error handling mechanism in these functions might not be functioning as...

Potential Overflow Bug in sync_ledger Function

Lines of code Vulnerability details Impact The syncledger function in the provided Solidity smart contract is vulnerable to potential overflow issues when processing a large value for the delta parameter. Depending on the magnitude of the delta value, the contract may encounter various undesired...