github.com/MANTRA-Chain/mantrachain/x/tokenfactory tx gas limit is not enforced in send hooks

Impact send hooks can spend more gas than what's remained in tx, combined with recursive calls in the wasm contract, can amplify the gas consumption exponentially. Patches It's patched in v4.0.2 and v5.0.0 Workarounds Is there a way for users to fix or remediate the vulnerability without upgradin...

changeRegistries() from the Tokenomics contract changes different registries at the same time.

Lines of code Vulnerability details Impact In a case where either one of the agent, component or service registry are deprecated, attempting to replace the compromised registry necessitates an overall replacement of all the other registries. This not only utilizes excess gas but can also bring...

CometBFT's default for `BlockParams.MaxBytes` consensus parameter may increase block times and affect consensus participation

Amulet Security Advisory for CometBFT: ASA-2023-002 Component: CometBFT Criticality: Low Affected versions: All Affected users: Validators, Chain Builders + Maintainers Summary A default configuration in CometBFT has been found to be large for common use cases, and may affect block times and...

Upgraded Q -> 2 from #615 [1675724239375]

Judge has assessed an item in Issue 615 as 2 risk. The relevant finding follows: Unbounded gas usage in claim function of Quest contract The claim function has an unbounded gas usage that traverses different arrays many times. The call to RabbitHoleReceipt.getOwnedTokenIdsOfQuest iterates all...

call() should be used instead of transfer() on an address payable

Lines of code Vulnerability details Impact call should be used instead of transfer on an address payable Proof of Concept The use of the deprecated transfer function for an address will inevitably make the transaction fail when: 1. The claimer smart contract does not implement a payable function...

call() should be used instead of transfer() on address payable

Lines of code Vulnerability details Proof of Concept The use of the deprecated transfer function for an address will inevitably make the transaction fail when: 1. The claimer smart contract does not implement a payable function. 2. The claimer smart contract does implement a payable fallback whic...

Iterations over all tiers in recordMintBestAvailableTier can render system unusable

Lines of code Vulnerability details Impact JBTiered721DelegateStore.recordMintBestAvailableTier potentially iterates over all tiers to find the one with the highest contribution floor that is lower than amount. When there are many tiers, this loop can always run out of gas, which will cause some...

Usage of deprecated transfer to send ETH

Lines of code%20%7B-,payablemsg.sender.transfer,-msg.valueL183 Vulnerability details Impact The use of the deprecated transfer function for an address will inevitably make the transaction fail when: The claimer smart contract does not implement a payable function. The claimer smart contract does...

Call() should be used instead of transfer() on an address payable

Lines of code Vulnerability details Impact The use of the deprecated transfer function for an address will inevitably make the transaction fail when : 1. The withdrawer smart contract does not implement a payable fallback function. 2. The withdrawer smart contract implements a payable fallback...

call() should be used instead or transfer() on an address payable

Lines of code Vulnerability details This is a classic Code4rena issue: code-423n4/2021-04-meebits-findings2 code-423n4/2021-10-tally-findings20 code-423n4/2022-01-openleverage-findings75 Impact The use of the deprecated transfer function for an address will inevitably make the transaction fail...

Upgradable escrow contract

Lines of code Vulnerability details Impact Upgradable escrow contract pose great risk to user who approved their NFT to the contract. Most popular token / NFT exchange do not require user approve their asset to admin upgradable contract. This also increase user gas usage because they would have t...

Denial of service for NFT's

Handle gpersoon Vulnerability details Impact The function removeNft uses more gas as more NFT's are added. An attacker can send random NFT's to the contract, which are received via onERC721Received. This functions adds the NFT's to the array nfts, using the function addNft. The longer the nfts...