9 matches found
Evmos vulnerable to unauthorized account creation with vesting module
Impact What kind of vulnerability is it? Who is impacted? Using the vesting module, a malicious attacker can create a new vesting account at a given address, before a contract is created on that address. Addresses of smart contracts deployed to the EVM are deterministic. Therefore, it would be...
Unrestricted delegator contract deployment risks gas abuse; implement mitigations.
Lines of code. Vulnerability details. Impact: deployProxyDelegatorIfNeeded deploys a new delegator contract if one does not exist. This could be abused to spam-deploy many delegators and waste gas. Proof of Concept: the issue with potentially spam-deploying many delegator contracts occurs in the...
Anyone can steal funds in the Contract Deployer
Lines of code. Vulnerability details. Impact: if ContractDeployer.sol ever holds funds, it could potentially be drained via the chained creation of new contracts. Proof of Concept: when creating a contract, the create/create2 functions will be called inside the contract deployer here: , which after...
Bypass depositFor Contract Check
Lines of code. Vulnerability details. Validation will pass for a contract in construction; an address where a contract will be created; an address where a contract lived, but was destroyed.
The isContract function in LibAddress that uses EXTCODESIZE can be vulnerable to the "Contract Creation Code Execution" attack
Lines of code. Vulnerability details. Impact: it will allow the attacker to potentially execute malicious code in the implementation contract at Proof of Concept: `contract Victim { function isContract(address account) public view returns (bool) { uint32 csize; assembly { size := extcodesize(account) } return csize ...`
Anyone could steal the funds
Lines of code. Vulnerability details. Impact: anyone can create a contract and send all the funds to it if maximumPrice == 0, or at least he can get the maximumPrice. Proof of Concept: create a contract to send the funds to it; invoke buy on CollectionBuyCrowdfund.sol or BuyCrowdfund, and it will transfer...
OpenZeppelin security vulnerability
OpenZeppelin is a software application: a standard for secure blockchain applications. A security vulnerability exists in OpenZeppelin <= v4.4.0 that stems from initializer functions that are called separately from contract creation (the most notable example being minimal proxies) and can be re-enter...
Cross-Site Request Forgery (CSRF) in devcode-it/openstamanager
✍️ Description: Attacker able to create any Contract if users visit attacker site. 🕵️♂️ Proof of Concept: 1. Open the PoC.html in Firefox or Safari. 2. Now you can check that a Contract with the name aaaa has been created. `// PoC.html history.pushState('', '', '/'); document.forms[0].submit();` 💥 Impact: This...
Dtracker <= 1.5 - Unauthorised Contract Creation
Plugin is still affected and has been closed...