6 matches found
Manager and DEFAULT_ADMIN_ROLE can create a scenario where user deposits more than he is permitted to withdraw
Lines of code Vulnerability details Impact manager and DEFAULTADMINROLE can update conflicting values as max deposit limit and max withdrawal limit, where maxDepositAmount is than maxWithdrawAmount. Users will be able to deposit more than they are permitted to withdraw. considering the extremes i...
The admin address used in initialize function, can behave maliciously
Lines of code Vulnerability details N.B : This bug is different that the other one titled "Risk of losing admin access if updateAdmin set with same current admin address". Both issues are related to access control, but the impact, root cause and bug fix are different, so DO NOT mark it as dupliat...
[NAZ-H1] Anyone Can Call removeFeeder()
Lines of code Vulnerability details Impact Currently anyone can call removeFeeder which can cause an ample amount of issues across the protocol. It is also stated in the NatSpec: Allows owner to remove feeder. Proof of Concept Anyone can remove a feeder and only the admin should be able to remove...
Centralisation Risk: Admin Role of TokenManagerEth can Rug Pull All Eth from the Bridge
Lines of code Vulnerability details Impact There is a Centralisation risk of the bridge where the DEFAULTADMINROLE of TokenManagerEth.sol is able to modify the ERC20 token on the SChain to any arbitrary address. This would allow the admin role to change the address to one where they have infinite...
[WP-H0] DEFAULT_ADMIN_ROLE of BribeVault can steal tokens from users' wallets
Lines of code Vulnerability details The current design/implementation allows the DEFAULTADMINROLE of BribeVault to steal funds from any address that approved this contract up to allowance: As a DEFAULTADMINROLE, the attack is simply do the following steps: 1. grantDepositorRole to self; 2...
no check that DEFAULT_ADMIN_ROLE is not the contract itself in L1Escrow.sol
Handle jayjonah8 Vulnerability details Impact In L1Escrow.sol the constructor sets up the DEFAULTADMINROLE without requiring that the msgSender is not the L1Escrow contract itself. Proof of Concept constructor setupRoleDEFAULTADMINROLE, msgSender; Tools Used Manual code review Recommended...