14 matches found

Code423n4
added 2023/09/10 12:0 a.m., 10 views

M-08 Unmitigated

Lines of code Vulnerability details Comments The success of low-level calls is not checked in V3Proxy. If msg.sender is a contract and the fallback function has additional logic, the protocol will succeed transfer by default, which will result in the loss of user funds. Mitigation There is no...

AI score: 6.7
Exploits: 0
Code423n4
added 2023/09/07 12:0 a.m., 7 views

Low level calls to accounts with no code will succeed in multiexcall function

Lines of code Vulnerability details Impact Low level calls behave differently than function calls in Solidity. Calls at the EVM level to accounts with no code are successful, this is the expected and normal behavior. It is Solidity that adds checks to prevent accidental calls to accounts with no...

AI score: 7.2
Exploits: 0
Code423n4
added 2023/08/07 12:0 a.m., 11 views

Unchecked Call Return Value

Lines of code Vulnerability details Impact The functions do not check the return value of low-level calls. This can lock Ether in the contract if the call fails or may compromise the contract if the ownership is being changed. The following calls were detected without return value validations -...

AI score: 6.9
Exploits: 0
Code423n4
added 2023/04/14 12:0 a.m., 2 views

InitialETHCrowdfund.batchContributeFor() doesn't refund for failed contributes

Lines of code Vulnerability details Impact InitialETHCrowdfund.batchContributeFor doesn't refund for failed contributes when args.revertOnFailure is false. The funds will be locked in the initial crowdfund contract, so it should be refunded. Proof of Concept InitialETHCrowdfund.batchContributeFor...

AI score: 6.9
Exploits: 0
Code423n4
added 2023/03/15 12:0 a.m., 14 views

Lack of a contract existence check may lead to undesired behavior

Lines of code Vulnerability details Impact The functions NeoTokyoStaker.assetTransferFrom and NeoTokyoStaker.assetTransfer are both used as helper functions to perform low level calls, both functions revert if the low-level call fails, but no checks are made if the contract that's being called...

AI score: 6.7
Exploits: 0
Code423n4
added 2023/02/07 12:0 a.m., 7 views

AdminProxy should do some extra security checks

Lines of code Vulnerability details Impact AdminProxy is the hot spot for all low-level calls, therefore it should do some extra security checks that are currently not in place. By design a Solidity low level call to a zero address or an EOA non contract address will return success true. The only...

AI score: 7
Exploits: 0
Code423n4
added 2022/10/12 12:0 a.m., 11 views

Lack of a contract existence check may lead to undefined behavior

Lines of code Vulnerability details Impact Low-level calls call/delegatecall/staticcall return true even if the account called is non-existent per EVM design. Solidity documentation warns: “The low-level functions call, delegatecall and staticcall return true as their first return value if the...

AI score: 6.9
Exploits: 0
Code423n4
added 2022/05/12 12:0 a.m., 9 views

missing input validation for _liquidityPool

189 comment Warden: kenta missing input validation for liquidityPool. The owner can change always liquidityPool but this liquidityPool will be used to execute low-level calls. To avoid errors with an empty address this must be checked always. requireliquidityPool != address0, “liquidityPool canno...

AI score: 7.3
Exploits: 0
Code423n4
added 2022/03/24 12:0 a.m., 8 views

Low-level transfer via call() can fail silently

Lines of code Vulnerability details Impact In the call function in TimelockController.sol, a call is executed with the following code: function call bytes32 id, uint256 index, address target, uint256 value, bytes memory data private // solhint-disable-next-line avoid-low-level-calls bool success,...

AI score: 6.8
Exploits: 0
Code423n4
added 2021/11/10 12:0 a.m., 7 views

Unchecked low level calls

Handle Reigada Vulnerability details Impact The return value of these low-level calls are not checked, so if the call fails, the Ether will be locked in the contract. Setting the risk as medium as the smart contract has no function to withdraw the Ether. This Ether would remain stuck in the...

AI score: 6.8
Exploits: 0
Code423n4
added 2021/11/09 12:0 a.m., 6 views

Unchecked low-level calls

Handle 0v3rf10w Vulnerability details Impact Unchecked low-level calls Proof of Concept Unchecked cases at 2 places :- BasicSale.receive 2021-11-bootfinance/tge/contracts/PublicSale.sol148-156 ignores return value by burnAddress.callvalue: msg.value...

AI score: 6.9
Exploits: 0
Code423n4
added 2021/06/23 12:0 a.m., 8 views

Actual yield source check on address will succeed for non-existent contract

Handle 0xRajeev Vulnerability details Impact Low-level calls call/delegatecall/staticcall return true even if the account called is non-existent per EVM design. Solidity documentation warns: "The low-level functions call, delegatecall and staticcall return true as their first return value if the...

AI score: 6.9
Exploits: 0
Kitploit
added 2019/10/23 9:8 p.m., 97 views

Slither v0.6.7 - Static Analyzer For Solidity

Slither is a Solidity static analysis framework written in Python 3. It runs a suite of vulnerability detectors, prints visual information about contract details, and provides an API to easily write custom analyses. Slither enables developers to find vulnerabilities, enhance their code...

AI score: 7.6
Exploits: 0, References: 65
Kitploit
added 2018/10/26 12:19 p.m., 1517 views

Slither - Static Analyzer For Solidity

Slither is a Solidity static analysis framework written in Python 3. It runs a suite of vulnerability detectors, prints visual information about contract details, and provides an API to easily write custom analyses. Slither enables developers to find vulnerabilities, enhance their code...

AI score: 7.5
Exploits: 0, References: 3