codex-solidity

⛓️ Codex Solidity — Smart Contract & Protocol Audit Agent Imp...

Improper Synchronisation

https://github.com/evmos/evmos/ is vulnerable to Improper Synchronisation. The vulnerability is due to a lack of synchronization between two states during transaction execution, allowing for arbitrary token minting. This exploit occurs because the stateDB.Commit method updates the Cosmos SDK...

CVE-2024-32644

Summary: CVE-2024-32644 affects Evmos pre-17.0.0. A state synchronization bug in stateDB.Commit() compares dirtyStorage to originStorage and only writes when they differ, which can allow non-atomic transactions and potentially mint arbitrary tokens or drain funds through creative smart-contract i...

imbalanced or invalid liquidity additions/removals could happen

Lines of code Vulnerability details Impact Potential for loss of funds or manipulation of the pool prices. Specifically: • By allowing deposit from only one of the xToken or yToken, it enables manipulating the price ratio between the tokens in the pool. This could benefit one token over the other...

User can bypass their approved redeem allowance

Lines of code Vulnerability details Impact The caller can bypass the allowance check by exploiting the exchange rate calculation and drain funds from the contract up to the full balance owned by msg.sender, not just the amount approved in the allowance. Proof of Concept The issue is that...

# Only part of keccak256() is used as hash, making it susceptible to collision attacks

Lines of code Vulnerability details At 2 places in the code only part of the output of keccak256 is used as the hash: At TokenDistributor - DistributionState.distributionHash15 - uses only a 15 bytes as a hash This one is intended to save storage At Crowdfund.governanceOptsHash a 16 bytes is used...

NounsDAOLogicV2.sol funds will be instantaneously drained if the private keys become compromised

Lines of code Vulnerability details Impact If the admin gets compromised, all the ether in NounsDAOLogicV2.sol will be drained. function withdraw external if msg.sender != admin revert AdminOnly; uint256 amount = addressthis.balance; bool sent, = msg.sender.call value: amount ''; emit...

CVE-2022-24738

Evmos prior to v2.0.1 is vulnerable to draining unclaimed funds by an attacker who creates a malicious chain that does not enforce signature verification and connects it to a target Evmos instance via IBC, enabling migration of claim records and fund transfer. The issue stems from a vulnerability...

The First User To Borrow a Particular Token Can Drain Funds In MarginSwap by Making An Undercollateralized Borrow Using Flash Loans

Handle jvaqa Vulnerability details The First User To Borrow a Particular Token Can Drain Funds In MarginSwap by Making An Undercollateralized Borrow Using Flash Loans Impact This attack can be performed with any two ERC20 tokens, where one of them has not yet been borrowed on MarginSwap. Since an...