96 matches found
User ETH will be stuck on Executor contract if the target script doesn't handle ETH.
Lines of code Vulnerability details Description When user wants to execute an action, he must send ETH equal to the actionInfo.value, this ETH should be forwarded to executor.execute contract. Note: the function currently doesn't forward the ETH, it's explained on another issue 48, the fix is to...
Gas griefing/thief in LlamaAccount execute()
Lines of code Vulnerability details Impact LlamaAccount execute function either delegatecalls or calls the provided address. The address may contain a malicious contract and should be treated as malicious. This assumption was confirmed by the implementation of this function and its comments...
Delegatecalls to contracts which have different storage layouts will cause unexpected behavior. Whitelisting of delegate-callable targets is required like LlamaCore.authorizeScript().
Lines of code Vulnerability details Impact Delegatecall to targets which have storage access will read/write each other's storage variables. Although slot 0 is protected from modification by delegatecall, reading slot 0 is not protected. Modifying storage slots other than 0 is not protected. It's...
Inconsistent Use of Error Handling in LlamaAccount Contract
Lines of code Vulnerability details Description: The LlamaAccount contract contains a bug that allows an attacker to execute arbitrary calls with the delegatecall opcode, which can lead to unintended consequences and potential security vulnerabilities. Steps to Reproduce: Deploy the LlamaAccount...
LlamaAccount can be tricked to selfdestruct with an upgradable contract
Lines of code Vulnerability details Impact The LlamaAccount contract will be destroyed and all the assets can be lost. Proof of Concept In execute, we use readSlot0 to prevent a malicious or buggy target from taking ownership of this contract. But the malicious target can send all the assets and...
LlamaAccount.llamaExecutor may be changed for a malicious purpose and be returned to the initial state.
Lines of code Vulnerability details Impact If the delegatecall changes llamaExecutor to a malicious contract, then the onlyLlama modifier cannot protect the contract. After the exploit, it can set llamaExecutor back to its previous value. Proof of Concept Update test/mock/MockExtension.sol as below. //...
Llama Core and Policy implementations, not only minimal proxies, should not be allowed to be authorized as scripts
Lines of code Vulnerability details Impact The authorizeScript function will be used to authorize any contract to be delegatecalled in the executor's context. To qualify as a script, it should not access storage, only immutable variables, because scripts' storage layouts can overlap each other. I...
Arbitrary delegatecalls from LlamaAccount can be used to steal assets
Lines of code Vulnerability details Impact Using delegatecall to call arbitrary contracts is highly dangerous as it can be used to steal assets. An attacker could sneak in a contract that steals all the assets owned by the LlamaAccount contract. Proof of Concept Below is a diff to the existing...
Unsafe delegatecall functionality can break core protocol functionality
Lines of code Vulnerability details Impact There are multiple contracts which include delegatecall functionality, including the execute function of the LlamaAccount contract and the execute function of the LlamaExecutor contract. The issue is that there are no controls, other than the standard role...
VaultProxy can be selfdestructed using delegatecall
Lines of code Vulnerability details Impact Attacker can selfdestruct VaultProxy deployment. constructor //initialise the vault proxy with data function initialise(bool isValidatorWithdrawalVault, uint8 poolId, uint256 id, address staderConfig) external { if (isInitialized) revert AlreadyInitialized(); ...
Unauthorized Access and Control in Proxy Contract
Lines of code Vulnerability details Summary: The code contains a bug that can lead to unauthorized access and control over the contract. This bug allows any caller, even those who are not the owner or address(0), to bypass the intended access control mechanisms and execute arbitrary code on the...
VaultProxy implementation can be initialized by anyone and self-destructed
Lines of code Vulnerability details Impact When the VaultFactory contract is deployed and initialized, the initialise method on the newly created VaultProxy implementation contract is never called. As such, anyone can call that method and pass in whatever values they want as arguments. One...
H-100 Unmitigated
Lines of code Vulnerability details test Assessed type call/delegatecall...
The return value of an external transfer call is not checked on the function uniswapV3SwapCallback in the contract named JBXBuybackDelegate
Lines of code Vulnerability details Impact Several tokens do not revert in case of failure and return false. If one of these tokens is used in MyBank, deposit will not revert if the transfer fails, and an attacker can call deposit for free...
Deflation bricking
Lines of code Vulnerability details Impact First staker can block staking by making exchangeRate == 0. Proof of Concept As can be seen: function exchangeRate() public view returns (uint256) { /// @dev if there are no tokens minted, return the initial exchange rate uint256 totalSupply = totalSupply; if...
DOS mint and add by frontrunning
Lines of code Vulnerability details Impact CidNFT.mint(bytes) allows a user to mint and add subprotocol NFTs directly after minting. The addList args to the add call include the cidNFTID param, which can change if there are other mints before the user's transaction. Proof of Concept An attacker can DOS...
Attacker can take control over each SmartAccount proxy and steal all users' funds
Lines of code Vulnerability details Attacker can take control over each SmartAccount proxy and steal all users' funds Impact All users' funds can be stolen by a single attacker, at tx gas cost only Proof of Concept There are 2 main reasons for this vulnerability: The .checkSignatures in...
Uninitialized or front-runnable .init function in proxy implementation contract
Lines of code Vulnerability details Uninitialized or front-runnable .init function in proxy implementation contract Impact DoS for all users' smart account proxies leading to locked funds forever. Proof of Concept Nowhere in the code is the SmartAccount.sol implementation contract initialized by...
SmartAccount authorization can be bypassed using a contract signature
Lines of code Vulnerability details SmartAccount authorization can be bypassed using a contract signature The SmartAccount wallet supports contract signatures defined by EIP1271, similar to how Gnosis Safe does. Transactions to the wallet can be authorized by a contract that implements the...
SmartAccount implementation contract can be destroyed by owner
Lines of code Vulnerability details SmartAccount implementation contract can be destroyed by owner Impact Locking users' funds forever due to DoS for all deployed smart account proxies. Neither an implementation upgrade nor withdrawing funds will be possible. Proof of Concept The expected behaviour ...