12 matches found
DeFeed: Secure Decentralized Cross-Contract Data Feed in Web 3.0 for Connected Autonomous Vehicles
Smart contracts have been a topic of interest in blockchain research and are a key enabling technology for Connected Autonomous Vehicles CAVs in the era of Web 3.0. These contracts enable trustless interactions without the need for intermediaries, as they operate based on predefined rules encoded...
Some tokens may revert when zero value transfers are made
Lines of code 356, 371, 145, 272, 252, 116, 445, 374, 506, 488https://github.com/Tapioca-DAO/tap-token-audit/blob/59749be5bc2286f0bdbf59d7ddc258ddafd49a9f/contracts/options/TapiocaOptionBroker...
Some tokens may revert when zero value transfers are made
Lines of code 356, 371, 145, 272, 252, 116, 445, 374, 506, 488https://github.com/Tapioca-DAO/tap-token-audit/blob/59749be5bc2286f0bdbf59d7ddc258ddafd49a9f/contracts/options/TapiocaOptionBroker...
cancelBid() and cancelAllBids() functions are incorrectly implemented, resulting in partial/complete DoS-ing of bid cancelling functionality.
Lines of code Vulnerability details Impact cancelBid and cancelAllBids functions are incorrectly implemented, resulting in partial/complete DoS-ing of bid cancelling functionality. bidder could lose funds when they change their mind and want to cancel their bid, imagine they were the top bidder a...
High Gas Costs Due to Unnecessary String Iteration in HexUtils Library's hexStringToBytes32() Function.
Lines of code Vulnerability details Impact The hexStringToBytes32 function in the HexUtils library iterates over the entire input string, even though only a portion of it is needed to compute the output, but still, this can lead to unnecessarily high gas costs, especially for large input strings...
Params of Lien struct are not emitted when lien is created making it difficult to track
Lines of code Vulnerability details Impact Protocol does not store any information about Lien. When users want to interact, they have to send the whole Lien struct along with lienId, and the protocol will verify if this data is correct by hash. This approach reduces onchain storage and can save a...
setDrips may distribute the drip too fast if the time hints are not good enough
Lines of code Vulnerability details Impact The setDrips function is used to configure a drip. It can either be withdrawing it, adding a new one, or even managing an existing one by updating the configuration. Internally, it account for the drips that are yet to be distributed to refund them to th...
Gas Optimizations
See the markdown file with the details of this report here. --- The text was updated successfully, but these errors were encountered: All reactions...
Leftover balance in the Executioner contract can be drained
Handle gzeon Vulnerability details Impact Leftover balance in the Executioner contract can be drained by swapping the target assetnative/erc20 into another asset. Slingshot.executeTrades allow user to execute trade using modules as long as the module is registered in the ModuleRegistry. The...
Gas griefing attack on the removeUserActiveBlocks function
Handle shw Vulnerability details Impact The consumed gas to remove a user's active block is proportional to the total number of array elements i.e., block numbers. However, the array size can be arbitrarily increased by an attacker with only paying gas fees, causing a gas griefing attack when the...
activeTransactionBlocks are vulnerable to DDoS attacks
Handle pauliax Vulnerability details Impact There is a potential issue in function removeUserActiveBlocks and the for loop inside it. I assume you are aware of block gas limits they may be less relevant on other chains but still needs to be accounted for, so as there is no limit for...
usage of safeApprove
Handle pauliax Vulnerability details Impact depositInVault in contract YearnV2YieldSource calls safeApprove when the allowance is less than the token balance: if token.allowanceaddressthis, addressv token.balanceOfaddressthis token.safeApproveaddressv, typeuint256.max; This does not mean that the...