
Code423n4 (added 2023/12/21 12:00 a.m., 8 views)

The creator does not receive additional ether - it accumulates on the contract

Lines of code / Vulnerability details / Impact: In some cases, the ERC20TokenEmitter contract may accumulate residual ether that was not sent to the creator. The contract does not have a function to pick up the remaining ether. When a user wants to buy tokens, he sends ether to the...

AI score: 7. Exploits: 0
Code423n4 (added 2023/12/21 12:00 a.m., 10 views)

Lack of receive() inside MoneyMarketHook contract when interacting with WNATIVE.

Lines of code / Vulnerability details / Impact: MoneyMarketHook is expected to work with the native balance when interacting with WNATIVE, especially when params.returnNative is set to true during the execute operation. However, due to the lack of a receive function inside the contract, MoneyMarketHoo...

AI score: 7.2. Exploits: 0
Code423n4 (added 2023/12/08 12:00 a.m., 14 views)

Front-Running

Lines of code / Vulnerability details / Impact: Visible computed input amounts could be susceptible to front-running by malicious actors. Proof of Concept: Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used...

AI score: 7.2. Exploits: 0
Code423n4 (added 2023/11/29 12:00 a.m., 1 view)

Unsafe usage of msg.value in a loop

Lines of code: 140 / Vulnerability details / Impact: The value of msg.value in a transaction's call never gets updated, even if the called contract ends up sending some or all of the Eth to another contract. This means that using msg.value in a for- or while-loop, without extra accounting logic, will...

AI score: 7. Exploits: 0
Code423n4 (added 2023/11/13 12:00 a.m., 7 views)

Contract can be drained from the claimAuction contract

Lines of code / Vulnerability details / Impact: Due to the way the claimAuction function is written, it is also possible to drain the contract when sending bids back to users. This can only happen if the highestBidder made multiple bids, which is likely. Proof of Concept: In this section of the...

AI score: 7. Exploits: 0
Code423n4 (added 2023/11/10 12:00 a.m., 12 views)

A malicious contributor can increase voting power maliciously and eventually steal funds!

Lines of code / Vulnerability details / Impact: Unlimited voting power for the attacker and stealing of funds! Proof of Concept: All of the contribute functions use msg.value to calculate the voting power. For example, the contribute function looks like this: function contribute(uint256 tokenId, address...

AI score: 7.1. Exploits: 0
Code423n4 (added 2023/10/20 12:00 a.m., 16 views)

ExecutorPlugin is missing payable when executing the transaction

Lines of code / Vulnerability details / Impact: Detailed description of the impact of this finding. Proof of Concept: executeTransaction in ExecutorPlugin is meant to execute a transaction, but in the executeTxnAsModule function: function executeTxnAsModule(address account, Types.Executable memory executable) internal...

AI score: 7.6. Exploits: 0
Code423n4 (added 2023/08/10 12:00 a.m., 4 views)

receive() in LendingLedger should be replaced by an appropriate function to prevent users from sending native by mistake

Lines of code / Vulnerability details / Impact: Users lose funds by transferring them by mistake to LendingLedger. Proof of Concept: Since the LendingLedger contract has a receive() external payable function that accepts native tokens without any validation, anyone can transfer native to it b...

AI score: 6.8. Exploits: 0
Code423n4 (added 2023/08/10 12:00 a.m., 5 views)

receive function allows any user to lose funds

Lines of code / Vulnerability details / Impact: The Lending ledger receive function allows any user to send funds and lose them forever. Proof of Concept: Any user that sends funds to the Lending Ledger contract through the receive function can't withdraw their funds, meaning they would be stuck in...

AI score: 6.9. Exploits: 0
Code423n4 (added 2023/08/10 12:00 a.m., 8 views)

Claim reward can be inaccessible if msg.sender is a smart contract with no fallback/receive function

Lines of code / Vulnerability details / Impact: When calling claim on LendingLedger, the claim reward can be inaccessible if msg.sender is a smart contract with no fallback/receive function. Indeed, msg.sender.call{value: cantoToSend}("") would fail and the claim would revert, not allowing the user to...

AI score: 6.8. Exploits: 0
Code423n4 (added 2023/08/07 12:00 a.m., 8 views)

RETURN VALUE OF LOW LEVEL call FUNCTION IS NOT CHECKED FOR SUCCESSFUL VALUE TRANSFER

Lines of code / Vulnerability details / Impact: The V3Proxy.swapTokensForExactETH and V3Proxy.swapExactTokensForETH functions use the low level call function to transfer Eth to the msg.sender as shown below: payable(msg.sender).call{value: amountOut}(""); But there is no verification of the return value of...

AI score: 7.1. Exploits: 0
Code423n4 (added 2023/08/07 12:00 a.m., 11 views)

call() should be used instead of transfer() on an address payable

Lines of code / Vulnerability details / Impact: The use of the transfer function for sending ETH to an address will inevitably make the transaction fail when: the claimer smart contract does not implement a payable function; the claimer smart contract does implement a payable fallback which uses more...

AI score: 6.8. Exploits: 0
Code423n4 (added 2023/07/13 12:00 a.m., 17 views)

Unauthorized Withdrawal of ETH by Admin in _withdraw.

Lines of code / Vulnerability details / Impact: An attacker with admin privileges can maliciously execute the withdraw function, resulting in the unauthorized withdrawal of all the ETH in the contract. Proof of Concept: withdraw(NounsDAOStorageV3.StorageV3 storage ds) external onlyAdmin(ds) returns (uint256...

AI score: 7.2. Exploits: 0
Code423n4 (added 2023/07/13 12:00 a.m., 8 views)

ETH might get stuck in NounsDAOProxy.sol

Lines of code / Vulnerability details / Impact: NounsDAOProxy.fallback and NounsDAOProxy.receive expect to receive ETH, but the contract and its implementation don't contain a function to withdraw the received ETH, like NounsDAOLogicV3.withdraw and NounsDAOLogicV2.withdraw. Proof of Concept: In...

AI score: 6.9. Exploits: 0
Code423n4 (added 2023/07/13 12:00 a.m., 14 views)

Functions will always return success even if they failed

Lines of code / Vulnerability details / Impact: In NounsAuctionHouseFork.sol, the safeTransferETH function is used to transfer ETH. File: nouns-contracts/contracts/governance/fork/newdao/NounsAuctionHouseFork.sol 272 function safeTransferETH(address to, uint256 value) internal returns (bool) { 273 (bool success,...

AI score: 6.9. Exploits: 0
Code423n4 (added 2023/06/14 12:00 a.m., 9 views)

Executing a script action with non-zero value results in frozen funds

Lines of code / Vulnerability details: Llama instances have a separate LlamaExecutor contract for action execution. When calling LlamaCore.executeAction, the flow is the following (for simplicity, we ignore action guards): The function does internal validation: checking the current action state is...

AI score: 6.7. Exploits: 0
Code423n4 (added 2023/06/14 12:00 a.m., 7 views)

NATIVE TOKENS TRANSFERRED TO THE LlamaAccount CONTRACT CAN GET STUCK

Lines of code / Vulnerability details / Impact: In the LlamaAccount contract there is a payable receive to accept native tokens, as shown below: receive() external payable. Hence this contract accepts native tokens sent to it. But the problem is, if any amount of native token is sent to this contract via...

AI score: 6.9. Exploits: 0
Code423n4 (added 2023/06/14 12:00 a.m., 8 views)

NATIVE TOKENS COULD GET STUCK INSIDE THE LlamaCore CONTRACT SINCE THERE IS NO WITHDRAWAL MECHANISM

Lines of code / Vulnerability details / Impact: The LlamaCore contract has a single payable function, LlamaCore.executeAction. It is used to execute actions by calling the executor.execute function. But the native token received by this contract is passed on to the executor.execute function call. Only...

AI score: 7. Exploits: 0
Code423n4 (added 2023/06/13 12:00 a.m., 9 views)

[ H ] In executeAction function, ETH can remain stuck after reverting due to a failed call.

Lines of code / Vulnerability details / Impact: If and when the executeAction function reverts at either of the checks, the amount of ETH sent along with the call will be locked in the contract forever, with no current measures of recovery. Proof of Concept: executeAction is called, but the call fails ...

AI score: 6.7. Exploits: 0
Code423n4 (added 2023/06/09 12:00 a.m., 4 views)

There is no check to see if eth was successfully sent from PermissionlessNodeRegistry to StaderInsuranceFund.

Lines of code / Vulnerability details / Impact: The Eth transfer may not complete successfully. As a result, StaderInsuranceFund will not receive collateral. Tools Used: Manual audit. Recommended Mitigation Steps: Add to the StaderInsuranceFund.depositFund function: if (msg.value == 0) revert Error. Assessed type: ETH-Transfe...

AI score: 6.8. Exploits: 0