CVE-2026-24889
soroban-sdk is a Rust SDK for Soroban contracts. Arithmetic overflow can be triggered in the Bytes::slice, Vec::slice, and Prng::genrange for u64 methods in the soroban-sdk in versions up to and including 25.0.1, 23.5.1, and 25.0.2. Contracts that pass user-controlled or computed range bounds to...
CVE-2026-24889
CVE-2026-24889 — soroban-sdk overflow in slice/gen_range (u64) Affected components: the soroban-sdk Rust SDK (core functions Bytes::slice, Vec::slice, Prng::gen_range for u64). Root cause: arithmetic overflow when handling range bounds, particularly under overflow-checks = false (default for rele...
CVE-2022-36061
Elrond go is the go implementation for the Elrond Network protocol. In versions prior to 1.3.35, read only calls between contracts can generate smart contracts results. For example, if contract A calls in read only mode contract B and the called function will make changes upon the contract's B...
Error Handling and Consistency in '_settleAuction' Function
Lines of code Vulnerability details Potential Risk: The 'settleAuction' function is responsible for settling an auction by finalizing the bid and handling payouts to various parties. It performs several operations and interactions with external contracts. However, the function lacks proper error...
Unchecked return value of low level
Lines of code Vulnerability details In the code you provided earlier, there is a potential "Unchecked return value of low-level call" vulnerability in the following line: address(strategy).delegatecall(abi.encodeWithSignature("harvest")); This line of code uses the delegatecall function to invoke the...
The USDOLeverageModule contract's leverageUp function allows for dangerous call delegation
Lines of code Vulnerability details Impact The USDOLeverageModule contract is a module that is used by the BaseUSDO contract to facilitate functionality for leverage actions. The module functionality is invoked through the invocation of a delegatecall within the BaseUSDO contract's executeModule...
tryMigrate() doesn't ensure that followerProfileId isn't already following
Lines of code Vulnerability details Bug Description In FollowNFT.sol, the tryMigrate function is used to migrate users who were following before the V2 upgrade. It does so by updating followTokenIdByFollowerProfileId and followDataByFollowTokenId, which are state variables introduced in the V2...
Use of block.timestamp
Lines of code Vulnerability details Impact Block timestamps have a purpose for a variety of applications, such as entropy for random numbers (see the Entropy Illusion for further details), locking funds for periods of time, and various state-changing conditional statements that are time-dependent...
Improper Implementation of Interface
Lines of code Vulnerability details Impact The improper implementation of interfaces can cause unexpected behavior in the contract and lead to an unwanted state of the contract. This can potentially affect several functions. Description The DNSSECImpl contract contains two internal functions,...
function withdraw() in StRSR won't update contract state (totalDrafts) in all cases which can cause wrong fund distribution and fund stucking in the contract
Lines of code Vulnerability details Impact Function withdraw completes an account's unstaking: it transfers the user's draft withdrawals and updates totalDrafts. But when the calculated rsrAmount is 0, the code returns early and does not update totalDrafts, which can cause wrong calculations as those draft items are removed...