67 matches found
CVE-2023-47034
A vulnerability in UniswapFrontRunBot 0xdB94c allows attackers to cause financial losses via unspecified vectors...
PT-2024-13403 · Unknown · Uniswapfrontrunbot
Name of the Vulnerable Software and Affected Versions: UniswapFrontRunBot version 0xdB94c Description: A vulnerability in UniswapFrontRunBot allows attackers to cause financial losses via unspecified vectors. Recommendations: At the moment, there is no information about a newer version that...
L1 TO L2 ERC20 TOKEN TRANSFER CAN BE DoS IN THE FxERC20ChildTunnel CONTRACT SINCE A MALICIOUS USER CAN SET THE fxRootTunnel ADDRESS TO AN INVALID ADDRESS
Lines of code Vulnerability details Impact The FxERC20ChildTunnel is a smart contract which is used for the L2 token management. The FxERC20ChildTunnel contract inherits from the FxBaseChildTunnel contract. The FxBaseChildTunnel contract has the validateSender modifier which requires the sender o...
A MALICIOUS USER CAN FRONT RUN AND EXECUTE THE Tokenomics.initializeTokenomics TRANSACTION TO BECOME THE OWNER OF THE Tokenomics CONTRACT
Lines of code Vulnerability details Impact The Tokenomics.initializeTokenomics is an external function which can be called by anyone, since there is no access control. Hence a malicious user can front-run the valid initialization transaction and become the owner of the Tokenomics contract. This i...
Sandwich attack on buy()
Lines of code Vulnerability details Impact Function Market:buy does not check or take in a minimum buy amount. This makes users' funds vulnerable to sandwich attacks. buy will increase shareDataid.tokenCount, and thus change the exchange rate of share price. price, fee =...
DepositPool is susceptible to the inflation attack
Lines of code Vulnerability details Summary The DepositPool contract is susceptible to the Inflation Attack, in which the first depositor can be front-run by an attacker to steal their deposit. Impact The DepositPool pool contract acts mainly as a vault: accounts deposit LST assets and get bac...
CreateOffererLib#createOrderHash function can be front-run by attacker and cause user create order failed
Lines of code Vulnerability details Impact Function CreateOffererLibcalculateOrderHashAndId is used to calculate ERC20/ERC721/ERC1155 order hash and delegateTokenId. It creates the delegateTokenId parameter by calling the DelegateTokenStorageHelpersdelegateIdNoRevert function, this function calculate...
Users are able to front-run settlements to avoid loss
Lines of code Vulnerability details Impact A user is able to front-run the call to the settle function to avoid paying the loss. settle is called by Admin, which is a public function. When this function is called, the transaction will appear in the mempool. A user may then call redeem from LP Vaul...
You can front-run to enrich yourself
Lines of code Vulnerability details Impact An attacker can use a flash loan and withdraw a significant part of the funding intended for collateral providers. Proof of Concept Let's consider the code snippet from deposit: requireshares = previewDepositassets != 0, "ZEROSHARES";...
GaugeController - Vulnerability with changing gauge weight would make the contract stop working
Lines of code Vulnerability details Impact The issue is applied differently based on how changegaugeweight works. 1. When changing gauge weight is essential for every enabled gauge before any vote happens An attacker can front-run changegaugeweight transaction to manipulate slope which can result...
Front run attacks during the 7 day cooldown period in setGSCAllowance.
Lines of code Vulnerability details Impact A malicious miner can send a transaction from the GSC to drain the new allowance before the admin's transaction sets it. Proof of Concept The setGSCAllowance function sets a 7 day cooldown period between allowance changes for each token. This prevents th...
Upgraded Q -> 2 from #422 [1689707351452]
Judge has assessed an item in Issue 422 as 2 risk. The relevant finding follows: 01 In the function PrizePool.setDrawManager, anyone can frontrun it and become the drawManager Reading the documentation of the Prize Pool contract, the following is specified: The Prize Pool allows a 'draw manager'...
Stealing excess tokens from other users by either front-running skim function or calling it before legitimate user
Lines of code Vulnerability details Impact The comments in file /src/interfaces/IWell.sol define what the skim function is responsible for: / @notice Sends excess tokens held by the Well to the recipient. @param recipient The address to send the tokens @return skimAmounts The amount of each toke...
Lender can front-run calls to auctionBuyNft() to DoS auctions
Lines of code Vulnerability details Lender can front-run calls to auctionBuyNft to DoS auctions Lenders can DoS auction offers by resetting the auction process. Impact The Particle protocol allows lenders to auction their loans in case any interested party wants to repay the NFT of the loan. The...
Burning an NFT can be used to block voting
Lines of code Vulnerability details Burning an NFT can be used to block voting Impact A new validation in the accept function has been introduced in order to mitigate a potential attack to the party governance. By burning an NFT, a party member can reduce the total voting power of the party just...
Attacker can front-run didPay() by calling payParams() to set mintedAmount & reservedRate, reducing output amount
Lines of code Vulnerability details Impact Attacker can front-run didPay by calling payParams to set mintedAmount & reservedRate. This will reduce the output amount the caller to didPay was expecting to receive. Proof of Concept Anyone can call payParams and provide arbitrary input to set...
wxETH is vulnerable to the inflation attack
Lines of code Vulnerability details wxETH is vulnerable to the inflation attack The wxETH contract is vulnerable to the attack known as "inflation attack" in which a bad actor can front-run initial stake transactions and steal all deposit funds. Impact The staking functionality of wxETH is...
ReraiseETHCrowdfund.sol: party card transfer can be front-run by claiming pending voting power which results in a loss of the voting power
Lines of code Vulnerability details Impact In this report I show how an attacker can abuse the fact that anyone can call ReraiseETHCrowdfund.claim for any user and add voting power to an existing party card. The result can be a griefing attack whereby the victim loses voting power. In some cases...
Attacker can front-run Bond buyer and make them buy it for a lower payout than expected
Lines of code Vulnerability details The MuteBond contract contains a feature in which after each purchase the epochStart increases by 5% of the time passed since epochStart, this in most cases lowers the bond's price i.e. buyer gets less payout for future purchases. An attacker can exploit this...
An attacker can front-run setMaxPayout() and freeze deposit() and the whole protocol from progressing in epochs.
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. When the owner calls setMaxPayout to decrease maxPayout to newMaxPayout, an attacker can front-run it and deposit so that termsepoch.payoutTotal newMaxPayout. This will freeze deposit and the whole...