3 matches found
Hacked or malicious owner can steal all tokens
Lines of code Vulnerability details Tokens for all active drips are stored in the DripsHub contract. Since DripsHub is an upgradeable ERC1967Proxy, a malicious or hacked owner can simply upgrade the contract to include e.g., the following function: function stealTokensIERC20 token, address to,...
Lack of double step transfer in admin modification in a upgradeable contract is dangerous
Lines of code Vulnerability details Lack of double step transfer in admin modification in a upgradeable contract is dangerous Summary Double step transfer of admin / ownership should be a must in upgradeable contracts Vulnerability Detail Admin is changed with changeAdmin that calls changeAdmin,...
Deployer will deploy proxies that cannot be upgraded
Lines of code Vulnerability details Impact In contrast to the Test File, in which you're deploying the proxies directly, the setup from Deployer will keep the Proxy Admin to a zero value. Meaning nobody will be able to upgrade them after the deployment. See POC below to show that the admin slot i...