Lucene search
K

6 matches found

Code423n4
Code423n4
added 2023/06/14 12:0 a.m.8 views

NATIVE TOKENS TRANSFERRED TO THE LlamaAccount CONTRACT CAN GET STUCK

Lines of code Vulnerability details Impact In the LlamaAccount contract there is a payable recieve to receive native tokens as shown below: receive external payable Hence this contrat accepts native tokens sent to this. But the problem is if any amount of native token is sent to this contract via...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2023/06/13 12:0 a.m.13 views

Arbitrary delegatecalls from LlamaAccount can be used to steal assets

Lines of code Vulnerability details Impact Using delegatecall to call arbitrary contracts is highly dangerous as it can be used to steal assets. An attacker could sneak in a contract that steals all the assets owned by the LlamaAccount contract. Proof of Concept Below is a diff to the existing...

7AI score
Exploits0
Code423n4
Code423n4
added 2023/06/13 12:0 a.m.7 views

Inconsistent Use of Error Handling in LlamaAccount Contract

Lines of code Vulnerability details Description: The LlamaAccount contract contains a bug that allows an attacker to execute arbitrary calls with the delegatecall opcode, which can lead to unintended consequences and potential security vulnerabilities. Steps to Reproduce: Deploy the LlamaAccount...

7.5AI score
Exploits0
Code423n4
Code423n4
added 2023/06/13 12:0 a.m.15 views

LlamaAccount can be tricked to selfdestruct with an upgradable contract

Lines of code Vulnerability details Impact The LlamaAccount contract will be destroyed and all the assets can be lost. Proof of Concept In execute, we use readSlot0 to prevent a malicious or buggy target from taking ownership of this contract. But the malicious target can send all the assets and...

7.2AI score
Exploits0
Code423n4
Code423n4
added 2023/06/13 12:0 a.m.12 views

LlamaAccount.llamaExecutor may be changed for a malicious purpose and be return to the initial state.

Lines of code Vulnerability details Impact If the delegatecall changes llamaExecutor to an malicious contract, then onlyLlama modifier cannot protect the contract. After the exploit, it can return the llamaExecutor as before. Proof of Concept Update test/mock/MockExtension.sol as below. //...

7AI score
Exploits0
Code423n4
Code423n4
added 2023/06/13 12:0 a.m.12 views

Unsafe delegatecall functionality can break core protocol functionality

Lines of code Vulnerability details Impact There are multiple contracts which include delegatecall functionality, including the execute function of the LlamaAccount contract and the execute function of the LlamaExecutor contract. The issue is that there's no controls, other than the standard role...

7.4AI score
Exploits0
Rows per page
Query Builder