9 matches found
Upgraded Q -> M from 221 [1665738683985]
Judge has assessed an item in Issue 221 as Medium risk. The relevant finding follows: L‑01 Don't use payable.transfer/payable.send The use of payable.transfer is heavily frowned upon because it can lead to the locking of funds. The transfer call requires that the recipient is either an EOA accoun...
Upgraded Q -> M from 182 [1664281111530]
Judge has assessed an item in Issue 182 as Medium risk. The relevant finding follows: L00: Usage of transfer to send eth The transfer function has a fixed gas stipend of 2300. If a contract as well as EOA can call the function, it is advised to use call function instead of transfer. Here are...
Upgraded Q -> M from 143 [1663859521800]
Judge has assessed an item in Issue 143 as Medium risk. The relevant finding follows: 2.ETHRegistrarController.register can pass any "resolver" and "data" parameters , then ETHRegistrarController do "functionCall " It is possible to pass malicious parameters example : resolver =...
Upgraded Q -> M from 93 [1659526885300]
Judge has assessed an item in Issue 93 as Medium risk. The relevant finding follows: Use call instead of transfer Contract ETHRegistrarController.sol Description It was observed that withdraw function is using transfer function instead of call for transferring ether. This could become a problem i...
Contracts calls to main ENS services will fail. Plus, ETHRegistrarController#withdraw() with future upgrades will revert
Lines of code Vulnerability details This is a classic Code4rena issue. The transfer call has a hard coded gas budget whenever this affect another part of the EVM will be very harmful for those usage which will make the system and its users at risk. There is two parts of this issue; when the calle...
ETHRegistrarController's register and renew use payable.transfer calls with an arbitrary receiver
Lines of code Vulnerability details ETHRegistrarController's register and renew transfer out remainder native tokens via payableto.transfer call. This is unsafe as transfer has hard coded gas budget and can fail when msg.sender is a smart contract. Such transactions will fail for smart contract...
[PNM-004] An additional domain can be registered for free
Lines of code Vulnerability details Description The ETHRegistrarController added new functionality to support set multiple records while registering a ETH 2LD. It uses the following code to support this functionality. function setRecords address resolver, bytes32 label, bytes calldata data intern...
ETHRegistrarController._setRecords can register invalid domains and to some degree, its possible to register any domain name
Lines of code Vulnerability details Impact 1. Register invalid domains at Registrar. 2. It's possible to register any domain name. Proof of Concept ETHRegistrarController.setRecords call function at address resolveruser input with call data bytes calldata datauser input. So it can bypass any meth...
ETHRegistrarController.sol#register() preforms a low-level call to a user desired target.data
Lines of code Vulnerability details When using low-level call to target that entered by the caller we need to make sure it will only do what it meant to do without any extra power. The ETHRegistrarController.solregister takes a resolver and data to preform a low-level call to the resolver. Howeve...