
8 matches found

EUVD
added 2025/10/03 8:7 p.m. | 4 views

EUVD-2022-1323

Malicious code in bioql PyPI...

CVSS 8.1 | AI score 7.5 | EPSS 0.00271
Exploits: 0 | References: 5
RedhatCVE
added 2025/02/05 9:48 p.m. | 5 views

CVE-2022-24738

Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. In versions of evmos prior to 2.0.1, attackers are able to drain unclaimed funds from user addresses. To do this, an attacker must create a new chain which does not enforce signature verification and connects it to the target evmo...

CVSS 8.1 | AI score 6.5 | EPSS 0.00271
Exploits: 0 | References: 1
Code423n4
added 2023/07/21 12:0 a.m. | 8 views

Attacker can create additional canonical token bridge

Vulnerability details. Impact: Deployers of custom TokenManagers can subvert the limitation imposed in the documentation that allows only one Canonical Bridge for each existing ERC20 token: “deployers can deploy a Canonical Bridge for any token they want, this can be done only once p...

AI score 7
Exploits: 0
Code423n4
added 2023/01/30 12:0 a.m. | 9 views

withdrawFee() can be called indefinitely

Vulnerability details: The function withdrawFee does not account for whether the fees have already been collected or not, therefore it can be called multiple times or even indefinitely, until the contract balance reaches zero. All funds will be transferred to the protocolFeeRecipient, bu...

AI score 6.9
Exploits: 0
Code423n4
added 2022/11/08 12:0 a.m. | 6 views

[PNM-001] finalize with malicious input may allow multiple calls leading to fund draining

Vulnerability details. Description: The finalize function of the contract SizeSealed is used to finalize an auction, allowing the auctioneer or seller to be paid quote tokens and also eventually allowing successful bidders to withdraw base tokens. Once the finalize function is called,...

AI score 6.8
Exploits: 0
Code423n4
added 2022/09/08 12:0 a.m. | 8 views

WRONG DESIGN/IMPLEMENTATION OF ADDLIQUIDITY() ALLOWS ATTACKER TO STEAL FUNDS FROM THE LIQUIDITY POOL

Vulnerability details: The current design/implementation of Vader pool allows users to addLiquidity using arbitrary amounts instead of a fixed ratio of amounts in comparison to Uni v2. We believe this design is flawed and it essentially allows anyone to manipulate the price of the po...

AI score 6.8
Exploits: 0
Code423n4
added 2022/06/21 12:0 a.m. | 10 views

CNote updates the accounts after sending the funds, allowing for reentrancy

Vulnerability details: Having no reentrancy control and updating the records after external interactions allows for funds draining by reentrancy. Setting the severity to medium as this is conditional to transfer flow control introduction on future upgrades, but the impact is up to th...

AI score 7
Exploits: 0
Code423n4
added 2022/06/01 12:0 a.m. | 17 views

Lack of Access Restriction for Conduit Creation

Vulnerability details. Impact: Anyone can call the createConduit function in the ConduitController contract to create new channels and set the conduit owner. This is dangerous because a hacker can create a new conduit and set himself as the owner of the conduit. The hacker can use the...

AI score 6.7
Exploits: 0