530 matches found
SA44858 - 9.1R12 Security Fixes
Ivanti 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. Resolutions for Pulse Connect Secure CVEs Issue: As part of a rigorous code review that we have undertaken in close partnership with industry-leading third-party experts, we have...
Upgraded Q -> 2 from #308 [1676219092947]
Judge has assessed an item in Issue 308 as 2 risk. The relevant finding follows: 03 Upgradeable contract is missing a gap50 storage variable to allow for new storage variables in later versions --- The text was updated successfully, but these errors were encountered: All reactions...
Unsafe casting of an int128 to uint128 can cause wrong accounting in _receiveDripsResult
Lines of code Vulnerability details Impact Unsafe casting of int128 to uint128 is dangerous and makes user receive more assets than they should. Proof of Concept state.amtDeltascycle can be a negative value. The delta value at each point is simply the relative change from the previous cycle. If...
Everyone can call mint function (no checks for msg.sender)
Lines of code Vulnerability details Impact Everyone can call mint function. There is no checks for msg.sender. I am not sure that this is okay and by method design. Proof of Concept Tools Used Static analytics Recommended Mitigation Steps Think about how to protect method --- The text was updated...
Lack of access control in Lendgine.sol.withdraw()
Lines of code Vulnerability details Impact Because the function does not check if the person has access to it, anyone can call it. After calling the function the malicious user can increase his position. 175: positions.updatemsg.sender, -SafeCast.toInt256size, rewardPerPositionStored; He can then...
Lendgine contract can be drained through mint() function due to lack of Access Control
Lines of code Vulnerability details Impact Anybody can call the mint function on lendgine.sol and enter any amount of collateral. This allows them to mint any number of tokens to their address for free. Proof of Concept The mint function in lendgine.sol is external with no additional modifiers or...
Config update happening in memory instead of at storage slot
Lines of code Vulnerability details Impact While adding configs in addConfig function, configs is updated in memory as shown at . It should accept configs parameter to a function as storage. Proof of Concept function addConfiguint256 memory configs, uint256 configsLen, DripsReceiver memory receiv...
Upgraded Q -> M from #449 [1674665297296]
Judge has assessed an item in Issue 449 as M risk. The relevant finding follows: Lā03 MintableIncentivizedERC721 does not implement ERC721.safeTransferFrom properly MintableIncentivizedERC721 is described as: 27: @notice Basic ERC721 implementation which will be used as a parent contract for...
Upgraded Q -> M from #100 [1674425909347]
Judge has assessed an item in Issue 100 as M risk. The relevant finding follows: Lines of code Vulnerability details Impact The wrong amount of LP tokens will be minted and the wrong amount of A/B tokens will be deposited. Proof of Concept According to the PDF document provided, the number of LP...
Wrong decoding of paymaster data makes validatePaymasterUserOp always fail, DoS
Lines of code Vulnerability details Impact DoS of validatePaymasterUserOp makes UserOperation's with paymaster not executable Proof of Concept . decodePaymasterData on line 102 in VerifyingSingletonPaymaster.validatePaymasterUserOp returns wrong data and makes function always fail due to the...
buyQuote should be rounded up
Lines of code Vulnerability details Impact The buyQuote is not rounded up, which can cause a leak of value, due to the buyQuote being underestimated. Proof of Concept The function Pair.buyQuote does not round up, which can cause the issue described under Impact: function buyQuoteuint256...
Miners Can Re-Roll the VRF Output to Game the Protocol
Lines of code Vulnerability details Impact Miners are able to rewrite a chain's history if they dislike the VRF output used by the protocol. Consider the following example: A miner or well-funded user is participating in the PoolTogether protocol. A VRF request is made and fulfilled in the same...
Attacker can make anyone as allowedMsgSender
Lines of code Vulnerability details Impact The contract AllowedMsgSenders have a role allowedMsgSender, and the function to set that role is made public with no access control allowing the attacker to set anyone and escalate his privileges to that role Proof of Concept truffle console --networkId...
Buy can be executed after sale end
Lines of code Vulnerability details Impact In LPDA.sol buy function when all tokens are minted, the final price is set and the ether from the sale and fee is sent to the saleReceiver and feeReceiver addresses. Since there is no check to validate if sale has ended the function can be executed with...
Nonce is not updated after EVM Transaction
Lines of code Vulnerability details Impact It was observed that nonce is not updated while performing the EVM transaction. This could lead to Replay attacks Proof of Concept 1. Observe the CallEVM function func k Keeper CallEVM ctx sdk.Context, from common.Address, to common.Address, amount...
Unchecked transfer
Lines of code Vulnerability details Impact The return value of an external transfer/transferFrom call is not checked Proof of Concept you can check Vulnerability in code here: Tools Used Recommended Mitigation Steps Use SafeERC20, or ensure that the transfer/transferFrom return value is checked...
Users are unable to revoke consents
Lines of code Vulnerability details Impact Neither lenders nor borrowers can revoke mutualConsents. This can pose an issue if a lender has given consent to lend funds but a borrower has proven untrustworthy either through actions in another credit line or some other public way. A lender should be...
Cross-chain replay attacks are possible with create2()
Lines of code Vulnerability details Impact Mistakes made on one chain can be re-applied to a new chain There is no chain.id in the create2 function data If a user does create2 using the wrong network, an attacker can replay the action on the correct chain, and steal the funds a-la the wintermute...
reentrancyGuardInitializer modifier used on constructor and Initialize functions
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. In L1EthBridge.sol there are two places where the reentrancyGuardInitializer modifier is used. It's found on both the constructor function and also on the initialize function. This is a problem because...
StandardPolicyERC1155.sol returns amount == 1 instead of amount == order.amount
Lines of code Vulnerability details Impact The canMatchMakerAsk and canMatchMakerBid functions in StandardPolicyERC1155.sol will only return 1 as the amount instead of the order.amount value. This value is then used in the executeTokenTransfer call during the execution flow and leads to only 1...