242 matches found
initiateBuyout and sell functions on NibbleVault.sol Reentrancy vulnerability
Lines of code Vulnerability details Impact 1. In NibbleVault.sol, it is possible for a contract to prevent the Sell event from being fired after being sent ether. From calling the sell function on line 390, an attacker contract is able to keep the event hidden from being listened to by stopping t...
attacker steals funds from the weth contract
Lines of code Vulnerability details attacker steals funds from the weth contract 1. Attacker has balance of 1 weth 2. Attacker calls withdraw with 1 weth 3. Transfer is called to fallback function in attacker contract 4. Attacker fallback function sends 1 ether to the weth fallback function 5. It...
rescueEth does not transfer ether in contract
Lines of code Vulnerability details Impact The InfinityStaker.rescueETH and InfinityExchange.rescueETH payable functions send msg.value to the destination and not the ether held in the contract, so the fees and accidentally transferred ether are not sent to the destination address Proof of Concept...
TimelockControllerEmergency: The sent ether may be locked in the OwnerProxy contract
Lines of code Vulnerability details Impact The call function in the TimelockControllerEmergency contract will send ether to the OwnerProxy contract, and the OwnerProxy contract will delegatecall the script contract. The two existing script contracts will neither use ether nor withdraw ether, whic...
Ether can be locked in the LidoVault contract without a way to retrieve it
Lines of code Vulnerability details Impact If a borrower deposits stETH into the LidoVault contract via the payable function GeneralVault.depositCollateral(address asset, uint256 amount) and accidentally sends a non-zero Ether value with it, then the Ether value sent will be locked within the...
no-revert-on-transfer ERC20 tokens can be drained
Lines of code Vulnerability details Impact Some ERC20 tokens don't throw but just return false when a transfer fails. This can be abused to trick the createVault function to initialize the vault without providing any tokens. A good example of such a token is ZRX: Etherscan code When such a vault ...
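The pattern behind the finding above, as an added illustration that is not the audited project's code: an unchecked `transferFrom` beside a version that checks the returned boolean. Contract and function names (`TokenVaultUnchecked`, `TokenVaultChecked`, `createVault`) are hypothetical. The hardened variant goes slightly beyond the ZRX case and also handles tokens that return no data at all, which is the same check SafeERC20-style wrappers perform.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited project's code. Names are hypothetical.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract TokenVaultUnchecked {
    mapping(uint256 => uint256) public vaultBalance;
    uint256 public nextId;

    // Vulnerable: a token that returns false instead of reverting (ZRX-style)
    // lets the caller book `amount` while no tokens actually moved.
    function createVault(IERC20 token, uint256 amount) external returns (uint256 id) {
        token.transferFrom(msg.sender, address(this), amount); // return value ignored
        id = nextId++;
        vaultBalance[id] = amount;
    }
}

contract TokenVaultChecked {
    mapping(uint256 => uint256) public vaultBalance;
    uint256 public nextId;

    // Hardened: the call must succeed, the token must be a deployed contract
    // (a call to an empty address "succeeds" with no data), and if the token
    // returns data it must decode to true.
    function createVault(IERC20 token, uint256 amount) external returns (uint256 id) {
        require(address(token).code.length > 0, "token is not a contract");
        (bool ok, bytes memory data) = address(token).call(
            abi.encodeCall(IERC20.transferFrom, (msg.sender, address(this), amount))
        );
        require(ok && (data.length == 0 || abi.decode(data, (bool))), "transfer failed");
        id = nextId++;
        vaultBalance[id] = amount;
    }
}
```

Checking `data.length == 0` is what lets the checked variant accept older tokens (USDT is the usual example) whose `transfer`/`transferFrom` return nothing; without the `code.length` guard that same branch would also accept a call to an address with no code.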
FixedPricePassThruGate locked ether
Lines of code Vulnerability details Impact Contract FixedPricePassThruGate is a pass-thru gate that passes funds to the gate's beneficiary. Function passThruGate requires the caller to send ether equal to or more than gate.ethCost. In the case of receiving more ether than gate.ethCost, passThruGate...
transfer is used for transfering ether
Originally submitted by warden pauliax in 173, duplicate of 52. .transfer is used for transferring ether, e.g.: payable(to).transfer(amount); payable(msg.sender).transfer(amount); It is currently not recommended as recipients with custom fallback functions (smart contracts) will not be able to handle that...
If A User Mistakenly Provides Too Much Ether To The passThruGate() Function, This Additional Amount Will Be Forever Locked Within The Contract
Lines of code Vulnerability details Impact The passThruGate function acts as a proxy function to the beneficiary address by attaching Ether to the call. If an excess of Ether is provided to the call, only gate.ethCost will be sent to the beneficiary. Excess Ether will be locked forever in the...
dangerous payable function
Lines of code Vulnerability details A user might accidentally send ether if sendingAssetId is not ether. Recommendation add in line 54: require(msg.value == 0);
dangerous receive function
Lines of code Vulnerability details the receive function doesn't check that msg.sender is supposed to pay, risking someone accidentally sending ether and losing it.
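The locked-ether findings above (excess value in a pass-thru gate, a payable function that accepts a non-ether asset, an unguarded receive) share one root cause: value arrives that no code path can ever send out. The contract below is an added illustration, not any of the audited projects' code; the names (`Gates`, `passThruGateLocked`, `passThruGateExact`, `passThruGateRefund`, `deposit`, `sendingAssetId`, and the use of `address(0)` for ether) are hypothetical stand-ins. It shows the locking pattern beside the two usual fixes, exact-value enforcement and refunding the excess, plus the `msg.value == 0` guard and a rejecting `receive()`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited projects' code. Names and the
// address(0)-means-ether convention are assumptions.
contract Gates {
    struct Gate { address payable beneficiary; uint256 ethCost; }
    mapping(uint256 => Gate) public gates;
    address constant NATIVE = address(0); // assumption: address(0) denotes ether

    function addGate(uint256 id, address payable beneficiary, uint256 ethCost) external {
        gates[id] = Gate(beneficiary, ethCost);
    }

    // Vulnerable pattern: only ethCost is forwarded; anything above it stays in
    // this contract, which has no path to withdraw it.
    function passThruGateLocked(uint256 id) external payable {
        Gate memory g = gates[id];
        require(msg.value >= g.ethCost, "insufficient value");
        (bool ok, ) = g.beneficiary.call{value: g.ethCost}("");
        require(ok, "forward failed");
    }

    // Fix 1: refuse the call unless exactly ethCost is supplied.
    function passThruGateExact(uint256 id) external payable {
        Gate memory g = gates[id];
        require(msg.value == g.ethCost, "exact ethCost required");
        (bool ok, ) = g.beneficiary.call{value: g.ethCost}("");
        require(ok, "forward failed");
    }

    // Fix 2: forward ethCost and return the remainder to the caller.
    function passThruGateRefund(uint256 id) external payable {
        Gate memory g = gates[id];
        require(msg.value >= g.ethCost, "insufficient value");
        (bool ok, ) = g.beneficiary.call{value: g.ethCost}("");
        require(ok, "forward failed");
        uint256 excess = msg.value - g.ethCost;
        if (excess > 0) {
            (bool refunded, ) = payable(msg.sender).call{value: excess}("");
            require(refunded, "refund failed");
        }
    }

    // Payable entry point that also takes token deposits: when the asset is not
    // ether, reject any attached value instead of silently keeping it.
    function deposit(address sendingAssetId, uint256 amount) external payable {
        if (sendingAssetId == NATIVE) {
            require(msg.value == amount, "value must equal amount");
        } else {
            require(msg.value == 0, "no ether with a token deposit");
            // ERC20 pull of `amount` from msg.sender would follow here
        }
    }

    // Plain ether sent to the contract has no accounting, so reject it rather
    // than lock it.
    receive() external payable {
        revert("direct ether not accepted");
    }
}
```

Of the two fixes, `passThruGateExact` is simpler and cannot be abused to make the contract perform an extra outbound call; `passThruGateRefund` is friendlier to callers but adds a second external call to the caller, so it belongs behind a reentrancy guard if the gate ever tracks state across the call.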
WordPress Ether and ERC20 tokens WooCommerce Payment Gateway plugin <= 4.12.8 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress Ether and ERC20 tokens WooCommerce Payment Gateway plugin versions <= 4.12.8. Solution Update the WordPress Ether and ERC20 tokens WooCommerce Payment Gateway plugin to the latest available version at least 4.12.9...
Russia Cracks Down on 4 Dark Web Marketplaces for Stolen Credit Cards
A special law enforcement operation undertaken by Russia has led to the seizure and shutdown of four online bazaars that specialized in the theft and sales of stolen credit cards, as the government continues to take active measures against harboring cybercriminals on its territory. To that end, t...
SAILFISH System to Find State-Inconsistency Bugs in Smart Contracts
A group of academics from the University of California, Santa Barbara, has demonstrated what it calls a "scalable technique" to vet smart contracts and mitigate state-inconsistency bugs, discovering 47 zero-day vulnerabilities on the Ethereum blockchain in the process. Smart contracts are program...
Unchecked return value from low-level call()
Handle JMukesh Vulnerability details Impact The return value of the low-level call is not checked, so if the call fails, the Ether will be locked in the contract. If the low-level call is used to prevent blocking operations, consider logging failed calls. Proof of Concept Tools Used manual review...
Unchecked low level calls
Handle Reigada Vulnerability details Impact The return values of these low-level calls are not checked, so if a call fails, the Ether will be locked in the contract. Setting the risk as medium as the smart contract has no function to withdraw the Ether. This Ether would remain stuck in the...
Unchecked low-level calls
Handle 0v3rf10w Vulnerability details Impact Unchecked low-level calls Proof of Concept Unchecked cases at 2 places: BasicSale.receive (2021-11-bootfinance/tge/contracts/PublicSale.sol#148-156) ignores return value by burnAddress.call{value: msg.value}...
.transfer is used for transferring ether
Handle pauliax Vulnerability details Impact payable(msg.sender).transfer(toTransfer); feeRecipient.transfer(address(this).balance); It is no longer recommended to use .transfer when sending ether as recipients with custom fallback functions (smart contracts) will not be able to handle that. You can read mo...
TokenHandler.sol, L174 - .transfer is bad practice
Handle tensors Vulnerability details Impact The use of .transfer to send ether is now considered bad practice as gas costs can change, which would break the code. See: Proof of Concept TokenHandler.sol, L174 Recommended Mitigation Steps Use call instead, and make sure to check for reentrancy.
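The unchecked-call and `.transfer` findings above, together with the rescueETH finding earlier on this page, all concern how a contract pushes ether out. The contract below is an added illustration, not any of the audited projects' code; `EtherPayouts`, `credit`, `withdrawTransfer`, `withdrawUnchecked`, `withdraw`, `rescueETH` and the `owed`/`totalOwed` bookkeeping are hypothetical. It places the two flagged patterns (`.transfer` with its fixed 2300-gas stipend, and a low-level call whose success flag is dropped) next to the recommended form: state update first, reentrancy guard, `call` with all gas, and a `require` on the result. The `rescueETH` at the end sweeps the contract's actual surplus balance rather than `msg.value`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited projects' code. All names are hypothetical.
contract EtherPayouts {
    mapping(address => uint256) public owed;
    uint256 public totalOwed;
    address public immutable owner;
    uint256 private _status = 1; // minimal reentrancy guard: 1 = free, 2 = entered

    modifier nonReentrant() {
        require(_status == 1, "reentrant call");
        _status = 2;
        _;
        _status = 1;
    }

    constructor() {
        owner = msg.sender;
    }

    function credit(address who) external payable {
        owed[who] += msg.value;
        totalOwed += msg.value;
    }

    // Bad practice 1: .transfer forwards only 2300 gas, so a recipient contract
    // whose receive()/fallback() does anything beyond a log will revert the
    // payout, and a future gas repricing can break even recipients that work today.
    function withdrawTransfer() external {
        uint256 amount = owed[msg.sender];
        owed[msg.sender] = 0;
        totalOwed -= amount;
        payable(msg.sender).transfer(amount);
    }

    // Bad practice 2: low-level call with the success flag ignored. If the send
    // fails, the caller's balance is already zero and the ether stays here.
    function withdrawUnchecked() external {
        uint256 amount = owed[msg.sender];
        owed[msg.sender] = 0;
        totalOwed -= amount;
        msg.sender.call{value: amount}(""); // result dropped
    }

    // Recommended form: checks-effects-interactions, reentrancy guard, forward
    // all gas via call, and revert the whole transaction if the send fails.
    function withdraw() external nonReentrant {
        uint256 amount = owed[msg.sender];
        require(amount > 0, "nothing owed");
        owed[msg.sender] = 0;
        totalOwed -= amount;
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "ether send failed");
    }

    // Rescue of stray ether done correctly: send the balance that is not owed
    // to anyone (fees, accidental transfers), not msg.value.
    function rescueETH(address payable to) external nonReentrant {
        require(msg.sender == owner, "not owner");
        uint256 surplus = address(this).balance - totalOwed;
        require(surplus > 0, "nothing to rescue");
        (bool ok, ) = to.call{value: surplus}("");
        require(ok, "rescue failed");
    }
}
```

`withdraw` zeroes `owed[msg.sender]` before the external call, so even without the guard a re-entering recipient would find nothing to withdraw; the guard is kept because the recommended mitigation in the finding asks for it and because later additions to the function may not preserve that ordering.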
CVE-2021-32752
Ether Logs is a package that allows one to check one's logs in the Craft 3 utilities section. A vulnerability was found in versions prior to 3.0.4 that allowed authenticated admin users to access any file on the server. The vulnerability has been fixed in version 3.0.4. As a workaround, one may...