84 matches found
Wrong logic in increaseUnlockTime() function in case undelegated lock and call _checkpoint()
Lines of code Vulnerability details Impact In increaseUnlockTime function, in case it’s undelegated lock, it calls checkpoint for msg.sender with oldLocked and locked. But actually, these 2 locks oldLocked and locked are the same. It makes the logic in checkpoint function works incorrectly. Proof...
Inconsistent logic of increase unlock time to the expired locks
Lines of code Vulnerability details 2022-08-fiatdao Inconsistent logic of increase unlock time to the expired locks Impact Can not prevent expired locks being extended. Proof of Concept Call function function increaseUnlockTime with an expired lock lockedmsg.sender.end block.timestamp Case 1: if...
Signature Replay Attack - Signatures are reusable
Lines of code Vulnerability details checkSignatureValidity performs a check to verify that the signer is the correct address. In the case of Community this is done on the following data: uint256 communityID, address builder, address lender, address agent, address project, uint256 repayAmount, byt...
Builder can reduce his debt more than expected by replaying signature
Lines of code Vulnerability details Impact A builder can, after it convened with the lender and an external agent to reduce his debt through escrow, reuse the signature and pass it again to escrow many times. This allows him to reduce his debt more than expected, leaving the lender at a loss. Pro...
Attacker can use the same param to call Community.escrow() multiple times and reduce all the debt
Lines of code Vulnerability details Impact In Community contract, function escrow is used to reduce debt when lender comed in terms with the builder and agent to reduce debt. It checks that all lender, builder and agent are signed the data. But the issue is there is no nonce value in data which...
Community's escrow allows for signature replay
Lines of code Vulnerability details checkSignatureValidity verification by signature do not utilize nonces and can be tricked by using owner / builder signatures from earlier calls. Namely, while checkSignatureValidity's approvedHashes based way can used only once as it deletes the corresponding...
Malicious code in kleros-escrow (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware d5b582b63c12a7fb0ab724a759c4a1418f334500dde5aa0cc143911a163a8a8b Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-4176 Malicious code in kleros-escrow (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware d5b582b63c12a7fb0ab724a759c4a1418f334500dde5aa0cc143911a163a8a8b Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Voting Escrow System could be wrapped and made useless without contract whitelisting
Lines of code Vulnerability details Impact Anyone could create a contract or a contract factory, say “Velo Locker" with a fonction to deposit VELO tokens through a contract, lock them and delegate the voting power to the contract owner. Then, the ownership of this contract could be sold, or the...
Rugpull vector : a single admin address can withdraw all funds
Lines of code Vulnerability details Impact Someone with access to admin keys could rug pull all funds Proof of Concept The gravity.sol contract should work as an escrow to mint equivalent tokens in the cosmos chain. This is maintained by a system of validators. The possible decentralization of th...
RaidForums Gets Raided, Alleged Admin Arrested
The U.S. Department of Justice DOJ said today it seized the website and user database for RaidForums, an extremely popular English-language cybercrime forum that sold access to more than 10 billion consumer records stolen in some of the worlds largest data breaches since 2015. The DOJ also charge...
Escrowed NFT can be stolen by anyone if no active buyPrice or auction exists for it
Lines of code Vulnerability details Impact If a NFT happens to be in escrow with neither buyPrice, nor auction being initialised for it, there is a way to obtain it for free by any actor via makeOffer, acceptOffer combination. I.e. a malicious user can track the FNDNFTMarket contract and obtain a...
Private sale spoofing
Lines of code Vulnerability details Impact Similar to spoofing in finance, users can create private sales with correct signatures but then frontrun the buy with a transfer to a different wallet they control. No funds are lost as this the NFT FETH exchange is atomic but it can be bad if third...
Upgradable escrow contract
Lines of code Vulnerability details Impact Upgradable escrow contract pose great risk to user who approved their NFT to the contract. Most popular token / NFT exchange do not require user approve their asset to admin upgradable contract. This also increase user gas usage because they would have t...
Incorrect implementation when accepting offer from unsettled auctions
Lines of code Vulnerability details Impact FNDNFTMarket allows market offer to be made on auctioned NFTs that have not been finalised by the auction winner. Auction winner can call acceptOffer to accept the offer and finalise the auction in a single call. However, the current implementation has a...
tokenOut is only required on finalize
Lines of code Vulnerability details Impact I thought of a potential rug pull from the owner: when users buy tokenOut, it is not required that the contract has already escrowed enough tokenOut. It is only required when finalizing the sale: require tokenOut.balanceOfaddressthis = totalTokenOutBough...
No guarantee sale organizer will fulfil their end of the deal
Lines of code Vulnerability details Impact Sale participants will only be able to claim their CTDL tokens once the sale is finalized. However, there is no guarantee that it ever will be, because: Sale finalisation can only be performed by the owner The owner is able to change the sale parameters...
Griefing attack on migrateLPT can prevent token transfer to L2
Handle harleythedog Vulnerability details Impact In L1Migrator.sol the function migrateLPT can be called by anyone. A malicious user can call migrateLPT with a small maxSubmissionCost argument to intentionally make the retryable ticket creation fail. This will lock the LPT in the L1 escrow. Now,...
Admin can rug L2 Escrow tokens leading to reputation risk
Handle harleythedog Vulnerability details Impact The L1Escrow contract has the function approve that is callable by the admin to approve an arbitrary spender with an arbitrary amount so they can steal all of the escrow's holdings if they want. Even if the admin is well intended, the contract can...
L1Migrator.migrateLPT` can be used to take away protocol's access to LPT tokens in BridgeMinter
Handle Ruhum Vulnerability details Vulnerability details Impact Same thing as the ETH issue I reported earlier. I wasn't sure if those are supposed to be a single issue or not. The concept is the same. But, now you lose LPT tokens. The L1Migrator.migrateLPT function can be called by anyone. It...