20 matches found
CosmWasm Allows Bypass of Capability Restrictions in Blockchains
An issue in CosmWasm prior to v2.2.0 allows attackers to bypass capability restrictions in blockchains by exploiting a lack of runtime capability validation. This allows attackers to deploy a contract without capability enforcement, and execute unauthorized actions on the blockchain...
Upgraded Q -> 2 from #193 [1699029806458]
Judge has assessed an item in Issue 193 as 2 risk. The relevant finding follows: Missing functions in the BasicActions to reach ODSafeManager Description Both functions allowing other users and handlers to manage the safe are restricted with access control. Only callable by the owner of the safe...
Deployment issues with chains not compatible with Shanghai hardfork
Lines of code Vulnerability details Impact Besides issues with deployment & maintenance contracts, a big issue is quoted below from an audit finding... "This could also become a problem if different versions of Solidity are used to compile contracts for different chains. The differences in byteco...
The USDOMarketModule contract's lend function allows for dangerous call delegation
Lines of code Vulnerability details Impact The USDOMarketModule contract is a module that is used by the BaseUSDO contract to facilitate functionality for market actions. The module functionality is invoked through the invocation of a delegatecall within the BaseUSDO contract's executeModule...
[H] Address collisions due to lack of check on the salt parameter
Lines of code Vulnerability details Impact In ConstAddressDeployer, functions deploy and deployAndInit do not check for the same salt value being passed in by different users. This can lead to address collisions. If someone passes the same salt value as someone else, even with different bytecode...
The initial total supply of the role can be miscalculated in some cases
Lines of code Vulnerability details Impact Due to miscalculations during LlamaPolicy contract deployment the initial supply of the role can be set wrongly. And most of strategies will not work as intended. Moreover users will not be able to start an Action for some strategies as well. Proof of...
When deploying contracts in PermissionedNodeRegistry.deployWithdrawVault(), PermissionlessNodeRegistry.deployWithdrawVault(), an attacker can find out in advance the address of the future deployed contract and deploy his own at this address
Lines of code Vulnerability details Impact The address of the new contract depends solely on the salt parameter, which is calculated from user-provided data. Once a user's create transaction is broadcast, the parameters for calculating salt can be viewed by anyone viewing the public mempool. This...
function _nonSystemDeployOnAddress() should try another nonces when getNewAddressCreate() result is in kernel space otherwise some logics would be broken
Lines of code Vulnerability details Impact Function createAccount deploys a contract account with similar address derivation rules to the EVM's CREATE opcode. The deployed contract address is calculated based on sender deployed nonce. Code uses nonSystemDeployOnAddress to deploy the contract to n...
deploying contracts with forceDeployOnAddress will break contracts when callConstructor is false
Lines of code Vulnerability details Impact When function forceDeployOnAddress is used for deploying a contract and callConstructor is false, the contract's bytecodehash would stay in constructing state and calling the contract won't be possible. It can cause protocol and other contracts that are usin...
Elrond go security vulnerability
Elrond go is an open source Go implementation of the Elrond Network protocol by Elrond Network. Elrond go versions before 1.3.50 contain a security vulnerability that stems from a processing problem when trying to use smart contracts to deploy transaction data...
RuniverseLand.sol#mint() can be bricked
Lines of code Vulnerability details Impact RuniverseLand.sol#mint can be bricked. Proof of Concept The mint function uses numMinted to generate the tokenId: File: RuniverseLand.sol 72: function mint(address recipient, PlotSize size) 73: public 74: override 75: returns (uint256) 76: { 77: uint256 tokenId...
reentrancyGuardInitializer modifier used on constructor and Initialize functions
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. In L1EthBridge.sol there are two places where the reentrancyGuardInitializer modifier is used. It's found on both the constructor function and also on the initialize function. This is a problem because...
Holograph contracts can be deployed by any user successfully through user-crafted signature and signer input
Lines of code Vulnerability details Impact HolographFactory.deployHolographableContract deploys holographable smart contract by accepting config, signature and signer inputs. Due to user input signer passed by the caller, it is possible for signature verification to pass by using the known signer...
Rewarding is not started after StakingRewards contract deployment and there is no specific time set for contract start time of rewarding; users who staked their funds have no way of knowing when rewarding is going to be started
Lines of code Vulnerability details Impact After StakingRewards the constructor logic set value for rewardRate and rewardsDuration but rewarding is not started for stakers and users have no way to find out when rewarding is going to be started. Only reward Distributer can start rewarding process...
Wrong exchange rates after some time, because it's not possible to change exchangeRates after contract deployments; the rates can be changed after some time in real life but it's not possible to change rates in contract
Lines of code Vulnerability details Impact Exchange rates are used to calculate amounts of baseToken users received for their cTokens. Exchange rates are set when contracts get deployed but it's not possible to change them after some time, so users would get the wrong exchange rates after some ti...
Storage layout collision issue between NounsDAOStorageV1 and NounsDAOStorageV1Adjusted
Lines of code Vulnerability details Impact Since two new variables are added in the contract NounsDAOStorageV1Adjusted at the end of the struct proposal, the memory layout between the NounsDAOStorageV1 and NounsDAOStorageV1Adjusted is colliding. This affects the variable type and values in the...
Improper Validation Of create2 Return Value
Handle leastwood Vulnerability details Impact The BeaconProxyDeployer.deploy function is used to deploy lightweight proxy contracts that act as each asset's vault. The function does not revert properly if there is a failed contract deployment or revert from the create2 opcode as it does not...
Potential DOS in Contracts Inheriting UUPSUpgradeable.sol
Handle leastwood Vulnerability details Impact There are a number of contracts which inherit UUPSUpgradeable.sol, namely; GovernanceAction.sol, PauseRouter.sol and NoteERC20.sol. All these contracts are deployed using a proxy pattern whereby the implementation contract is used by the proxy contrac...
Design/Logic Flaw
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. This is a Consensus vulnerability in Geth before version 1.9.17 which can be used to cause a chain-split where vulnerable nodes reject the canonical chain. Geth's pre-compiled dataCopy at 0x00...04 contract di...
CVE-2020-26241 Shallow copy bug in geth
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. This is a Consensus vulnerability in Geth before version 1.9.17 which can be used to cause a chain-split where vulnerable nodes reject the canonical chain. Geth's pre-compiled dataCopy at 0x00...04 contract di...