19 matches found
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package version contains malicious code that monitors network traffic when run in a browser and targets crypto transactions. The injected malicious code activates a hook whenever a Web3 wallet is present...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package version contains malicious code that monitors network traffic when run in a browser and targets crypto transactions. The injected malicious code activates a hook whenever a Web3 wallet is present...
Functions that send Ether to arbitrary destinations
Lines of code Vulnerability details Impact Unprotected call to a function sending Ether to an arbitrary address. Dangerous calls: GnosisSafe.handlePaymentuint256,uint256,uint256,address,address Tools Used Manual Auditing line by line Recommended Mitigation Steps Ensure that an arbitrary user cann...
Return value of ETH
Lines of code Vulnerability details Impact It is recommended that the return values of ether transfers be checked, however if transfer to the hardcoded address fails, it does not revert. Proof of Concept uint256 sc = uint256uint1600x0000000000000000000000000000000000000000; assembly "memory-safe"...
Reappearance of M-02 in SafEth.unstake()
Reappearance of M-02 in SafEth.unstake Description The changes in SafEth.unstake has introduced a new issue parallel to the one present in SfrxEth.withdraw which was reported in M-02: sFrxEth may revert on redeeming non-zero amount, i.e. SafEth.unstake may revert as a consequence of a valid call ...
Reentrancy in callBatched
Lines of code Vulnerability details Proof of Concept The Caller contract implements callBatched function in order to execute a batch of calls within one call. The function has payable declaration to be able to send ETH inside the call. The NATSPEC is also provided in parallel; /// @notice Execute...
finalise() lacks authenticate calls to this method as anyone can access it.
Lines of code Vulnerability details Impact Unprotected call to a function sending Ether to an arbitrary address. This can be exploited by attackers . Proof of Concept function finalize public Sale memory temp = sale; requireblock.number = temp.endTime, "TOO SOON";...
Buy can be executed after sale end
Lines of code Vulnerability details Impact In LPDA.sol buy function when all tokens are minted, the final price is set and the ether from the sale and fee is sent to the saleReceiver and feeReceiver addresses. Since there is no check to validate if sale has ended the function can be executed with...
Upgraded Q -> M from #164 [1668687728737]
Judge has assessed an item in Issue 164 as M risk. The relevant finding follows: 01 Lack of check if dust ether transfer is successful --- The text was updated successfully, but these errors were encountered: All reactions...
_returnDust does not revert ether transfer failure
Lines of code Vulnerability details Impact In function returnDust the return value of call is not checked for success. If a user had sent excess ether or if an order in a bulk order had failed, and if the call fails ether will remain in the contract. Users who execute orders later will be able to...
Upgraded Q -> M from 460 [1666364175291]
Judge has assessed an item in Issue 460 as Medium risk. The relevant finding follows: 7. transfer is used to transfer Ether Description: GolomTrader uses transfer method to send Ether. This is generally less recommended these days see article from Consensys Diligence, mainly because gas costs can...
# Arbitrary send of non protected function may lead into loss of funds
Lines of code Vulnerability details Arbitrary send of non protected function may lead into loss of funds Impact Unprotected call to a function sending Ether to an arbitrary address may lead into loss of funds. Proof Of Concept In BlurExchange.sol, method trasnferTo uses an arbitrary user to send...
Upgraded Q -> M from 93 [1659526885300]
Judge has assessed an item in Issue 93 as Medium risk. The relevant finding follows: Use call instead of transfer Contract ETHRegistrarController.sol Description It was observed that withdraw function is using transfer function instead of call for transferring ether. This could become a problem i...
Reentrancy for function call before state update
Lines of code Vulnerability details Impact An external call "transfer" is made before updating state data through "setFuses" and "setFuses" does not depend on any data from "transfer". . Proof of Concept Reentrancy is not only an effect of Ether transfer but of any function call on another...
rescueEth does not transfer ether in contract
Lines of code Vulnerability details Impact The InfinityStakerrescueETH and InfinityExchangerescueETH payable functions sends msg.value to the destination and not the ether in the contract, so the fees and accidentally transferred ether is not sent to the destination address Proof of Concept...
transfer is used for transfering ether
Originally submitted by warden pauliax in 173, duplicate of 52. .transfer is used for transfering ether, e.g.: payableto.transferamount; payablemsg.sender.transferamount; It is currently not recommended as recipients with custom fallback functions smart contracts will not be able to handle that...
dangerous payable function
Lines of code Vulnerability details A user might accidently send ether if sendingAssetId is not ether. Recommendation add in line 54: requiremsg.value == 0; --- The text was updated successfully, but these errors were encountered: All reactions...
TokenHandler.sol, L174 - .transfer is bad practice
Handle tensors Vulnerability details Impact The use of .transfer to send ether is now considered bad practice as gas costs can change which would break the code. See: Proof of Concept TokenHandler.sol, L174 Recommended Mitigation Steps Use call instead, and make sure to check for reentrancy. ---...
.transfer is not safe to use with custom smart contracts
Handle paulius.eth Vulnerability details Impact .transfer is used for transferring ether. It is no longer recommended as recipients with custom fallback functions smart contracts will not be able to handle that. You can read more here: Recommended Mitigation Steps Solution don't forget re-entranc...