33 matches found
Malicious code in 7702-eoa-implementation (npm)
The package communicates with a domain associated with malicious activity...
_safeMint() should be used rather than _mint() wherever possible
Lines of code 139, 178, 204 Vulnerability details mint is discouraged in favor of safeMint which ensures that the recipient is either an EOA or implements IERC721Receiver. Both OpenZeppelin and solmate have versions of this function. In the cases below, mint does not call...
sendToken() shouldn't have metadata parameter
Lines of code Vulnerability details Impact Users calling sendToken with metadata may trigger a revert or lose the calldata if its size is 1-3 bytes when the destination is an EOA. Proof of Concept In transmitSendToken, we discard the calldata if it's less than 4 bytes, and revert if it's bigger o...
Potential Reversion in Transfer due to LSP1 Interface Support Check
Lines of code Vulnerability details Impact The transfer function in LSP7DigitalAssetCore & LSP8DigitalAssetCore includes a mandatory hook, notifyTokenSender, which verifies if the sender supports INTERFACEIDLSP1. However, if a token owner who initially implemented LSP1 interface ceases to support...
Wherever possible, _safeMint() should be used rather than _mint()
Lines of code Vulnerability details Impact mint is not recommended in favour of safeMint, which guarantees that the recipient is either an EOA. Proof of Concept. Tools Used: VSCode. Use safeMint instead of mint. Assessed type Upgradable
Poor detection of disputed trees allows claiming tokens from a disputed tree
Lines of code Vulnerability details Targets Impact Users can claim rewards from a Merkle tree that's being disputed. This can potentially lead to loss of funds since a malicious trusted EOA can claim funds from a malicious tree while it's being disputed. Proof of Concept The...
depositERC20To() and withdrawTo() are missing the onlyEOA() modifier - leading to loss of user funds
Lines of code Vulnerability details Impact The StandardBridge.sol contract has a modifier called onlyEOA. The comment says: "@notice Only allow EOAs to call the functions. Note that this is not safe against contracts calling code within their constructors, but also doesn't really matter..."
Centralization risk for trusted owners
Lines of code Vulnerability details Description: Contracts have owners that have privileged rights to perform admin tasks. These owners need to be trusted to not perform malicious updates or drain funds. Having a single Externally Owned Account (EOA) as the sole owner represents a significant...
A Smart Contract can repeatedly call mint, increasing gas costs due to storage
Lines of code Vulnerability details Impact The functions fuse and mint do not check whether the caller is an EOA. Therefore a smart contract can call fuse over and over again. Proof of Concept...
validateUserOp does not check whether missingAccountFunds matches the signature
Lines of code Vulnerability details The validateUserOp function does not check whether the missingAccountFunds uint256 matches the signature. This can be abused if an attacker front-runs the tx and calls validateUserOp in the entrypoint using the same signature but with a different missingAccountFunds value...
Upgraded Q -> M from #400 [1670235895275]
Judge has assessed an item in Issue 400 as M risk. The relevant finding follows: L01 - EOA restriction of wallet representative can be bypassed A node operator can call registerBLSPublicKeys to register a node runner to LSD and create a new smart wallet. The protocol only allows EOAs to be...
Upgraded Q -> M from #205 [1669936745167]
Judge has assessed an item in Issue 205 as M risk. The relevant finding follows: L01 - No check if EOARepresentative or EOARepresentativeOfNodeRunner is an EOA or a smart contract Impact A smart contract can end up being assigned as a smartWalletRepresentative. Such smart contract might not have...
isContract might return false for the contracts
Lines of code Vulnerability details Impact The Turnstile contract's register function assumes the msg.sender is a smart contract. The validation of this is carried out in eventhandler.go's ValidateContract function. ValidateContract checks whether the address has an emptyCodeHash which is zero...
Upgraded Q -> M from #334 [1668467418003]
Judge has assessed an item in Issue 334 as M risk. The relevant finding follows: 2. Rug vectors by the owner A malicious owner can call setLBPairImplementation, setFeeRecipient, setFlashLoanFee, setFeesParameters and forceDecay to advantage himself at the expense of the users...
Quotetoken can be address(0) or any EOA and still allow auctions and bids to be created
Lines of code Vulnerability details Impact createAuction in SizeSealed.sol performs no validation of the AuctionParameters sent to it and will allow a Seller to create an auction with an ERC20 quoteToken of address(0), putting at risk the baseToken that has real value. In addition...
Misleading code in BorrowController including no validation of the amounts to be borrowed.
Lines of code Vulnerability details Impact The BorrowController contract checks whether any contract is in the borrow list. However, due to the use of the msg.sender == tx.origin check, it returns true for EOA addresses. It is also observed that any amount of borrowing is accepted by the...
TokenHelper.sol#L40 : safeTransfer will revert due to insufficient gas.
Lines of code Vulnerability details Impact I am adding this as a high issue since most of the calls are made using safeTransfer. TokenHelper.sol#L40: safeTransfer will revert due to insufficient gas. All the functions that use safeTransfer could fail due to insufficient gas. I see the...
Potential of token lost permanently when highest bid is made by a Contract
Lines of code Vulnerability details Impact While an auction is happening, there are no checks on who can participate in createBid. To work correctly, the contract needs to confirm that the Bidder is capable of receiving ERC721 tokens, or else their token may be permanently lost. After a bidder decided to be th...
GHSA-9J3M-G383-29QR OpenZeppelin Contracts's Cross chain utilities for Arbitrum L2 see EOA calls as cross chain calls
Impact Contracts using the cross chain utilities for Arbitrum L2, CrossChainEnabledArbitrumL2 or LibArbitrumL2, will classify direct interactions of externally owned accounts (EOAs) as cross chain calls, even though they are not started on L1. This is assessed as low severity because any action taken...