22 matches found

NVD, added 2024/08/31 12:15 a.m.

CVE-2024-45304

Cairo-Contracts are OpenZeppelin Contracts written in Cairo for Starknet, a decentralized ZK Rollup. This vulnerability can lead to unauthorized ownership transfer, contrary to the original owner's intention of leaving the contract without an owner. It introduces a security risk where an unintend...

CVSS 6.5, EPSS 0.00479, Exploits 0, References 3

Vulnrichment, added 2024/08/30 11:51 p.m.

CVE-2024-45304 OwnableTwoStep allows a pending owner to accept ownership after the original owner has renounced ownership in cairo-contracts

Cairo-Contracts are OpenZeppelin Contracts written in Cairo for Starknet, a decentralized ZK Rollup. This vulnerability can lead to unauthorized ownership transfer, contrary to the original owner's intention of leaving the contract without an owner. It introduces a security risk where an unintend...

CVSS 5.3, AI score 7.3, EPSS 0.00479, Exploits 0, References 3

Code423n4, added 2023/07/05 12:00 a.m.

setBooster() function may be used to steal unclaimed rewards in FlywheelCore contract

Lines of code Vulnerability details Impact A malicious owner can steal all unclaimed rewards and break the reward accounting mechanism Proof of Concept Even if the owner is a good guy but the fact that there exists a rug vector available may negatively impact t...

AI score 6.9, Exploits 0

Code423n4, added 2023/03/09 12:00 a.m.

Malicious owner can steal funds

Lines of code Vulnerability details Impact If the owner is malicious, he can drain all funds to his wallet Proof of Concept Tools Used manual review Recommended Mitigation Steps 1. Transfer funds to special trusted contract so funds can be locked and safe. 2. amount input value limit so there...

AI score 7.2, Exploits 0

Code423n4, added 2022/12/19 12:00 a.m.

MALICIOUS OWNER CAN CLOSE AND WITHDRAW AS HE WANTS

Lines of code Vulnerability details MALICIOUS OWNER CAN CLOSE AND WITHDRAW AS HE WANTS These functions below are set for some emergency scenarios. But caviar.Owner is able to trigger these functions as he wants. Need to set some require statement in order to actually check these scenarios before his...

AI score 6.9, Exploits 0

Code423n4, added 2022/11/28 12:00 a.m.

DoS on claiming rewards in PirexRewards is possible

Lines of code Vulnerability details Proof of Concept The claim method in PirexRewards iterates over the rewardTokens array for a producerToken. Now this array is completely managed by the contract’s owner who can call addRewardToken which pushes a new value in that array, as many times as he...

AI score 6.9, Exploits 0

Code423n4, added 2022/11/14 12:00 a.m.

Upgraded Q -> M from #334 [1668467418003]

Judge has assessed an item in Issue 334 as M risk. The relevant finding follows: 2. Rug vectors by the owner A malicious owner can call setLBPairImplementation, setFeeRecipient, setFlashLoanFee , setFeesParameters and forceDecay to advantage himself at expenses of the users...

AI score 6.8, Exploits 0

Code423n4, added 2022/10/30 12:00 a.m.

Compromised or malicious owner of WardenPledge contract can steal pledge creator's deposited reward token amount

Lines of code Vulnerability details Impact There is no guarantee that the owner of the WardenPledge contract does not become compromised or malicious in the future. If this owner becomes compromised or malicious, after a pledge is created and the corresponding reward token amount is deposited, su...

AI score 6.7, Exploits 0

Code423n4, added 2022/10/30 12:00 a.m.

Malicious owner can steal reward tokens

Lines of code Vulnerability details The recoverERC20 function allows the contract owner to transfer arbitrary ERC20 tokens owned by the WardenPledge contract in order to recover tokens sent by mistake to the contract. In order to protect against withdrawal of deposited reward tokens, it includes ...

AI score 6.7, Exploits 0

Code423n4, added 2022/09/27 12:00 a.m.

ArtGobbler can be abused to squirt more goo without providing any NFT

Lines of code Vulnerability details Impact Some ERC20 tokens don’t throw but just return false when a transfer fails. This can be abused to trick the gobble function to gobble without providing any valid art. A good example of such a token is ZRX: Etherscan code This issue can be abused by a...

AI score 6.7, Exploits 0

Code423n4, added 2022/09/25 12:00 a.m.

Admin rug vector in moveWithheldETH()

Lines of code Vulnerability details According to the documentation, currentWithheldETH is meant to: withhold part of the ETH deposit for future use, such as to earn yield in other places to supplement the ETH 2.0 staking yield The issue is that the owner can call moveWithheldETH with an arbitrary...

AI score 6.8, Exploits 0

Code423n4, added 2022/06/20 12:00 a.m.

Upgraded Q -> M from 225 [1655746069175]

Judge has assessed an item in Issue 225 as Medium risk. The relevant finding follows: C4-010 : The Dutch Auction Parameters Can be Manipulated By Owner After The Auction Started - LOW Impact - LOW Dutch Auction parameters can be changed by a malicious owner, after it is started. The malicious own...

AI score 6.8, Exploits 0

Code423n4, added 2022/06/19 12:00 a.m.

NO TIMELOCK ON setProtocolFee() CAN LEAD TO SELLERS LOSING THEIR NFTs

Lines of code Vulnerability details NO TIMELOCK ON setProtocolFee CAN LEAD TO SELLERS LOSING THEIR NFTs In InfinityExchange.sol, there is no timelock on setProtocolFee. This is the fee that is applied in orders, and determines how much the Exchange receives in fee VS how much the seller receives...

AI score 6.6, Exploits 0

Code423n4, added 2022/06/16 12:00 a.m.

Malicious Owner can steal all user funds

Lines of code Vulnerability details Submitting as med risk because it would require malicious multisig, but there should never be absolute trust in any party especially when there's no reason fees would ever need to be that high anyways Impact Owner steals all of user funds Proof of Concept...

AI score 6.7, Exploits 0

Code423n4, added 2022/06/06 12:00 a.m.

Upgraded Q -> M from 98 [1654475216526]

Judge has assessed an item in Issue 98 as Medium risk. The relevant finding follows: Set Limits on setFee A Malicious owner could set feeRate to = 100 1e18 / 100; which would give the entire value of an exercise transaction to the protocol, create a limit on the fees the owner can set. --- The te...

AI score 6.8, Exploits 0

Code423n4, added 2022/05/14 12:00 a.m.

Add max fee in setFee and emit event

Lines of code Vulnerability details Impact Malicious owner can steal all ETH of a sell. Proof of Concept The function setFeeCallyNFT.sol is critical as it sets the amount of ETH that the protocol will receive. A malicious owner can set the fee to 1e18 and all ETH after exercise will go to the owne...

AI score 6.8, Exploits 0

Code423n4, added 2022/04/07 12:00 a.m.

Malicious owner can steal some funds from borrower

Lines of code Vulnerability details Impact Owner can make changes to the protocol with immediate effect. Malicious owner can watch for big lend in the mempool and front run it by maxing out originationFeeRate to 5%. The users, both lender and borrower, will still think that originationFeeRate is...

AI score 6.8, Exploits 0

Code423n4, added 2022/03/30 12:00 a.m.

Owner can whitelist addresses for swaps and steal approved assets from users

Lines of code Vulnerability details Impact There is a common vulnerability with aggregator/bridge contracts where passing in arbitrary calldata can do unwanted actions such as steal tokens that were approved to that contract. While there is a whitelist system set up, there is no stopping a...

AI score 7, Exploits 0

Code423n4, added 2021/07/31 12:00 a.m.

SwappableYieldSource: Missing same deposit token check in transferFunds()

Handle hickuphh3 Vulnerability details Impact transferFunds will transfer funds from a specified yield source yieldSource to the current yield source set in the contract currentYieldSource. However, it fails to check that the deposit tokens are the same. If the specified yield source's assets are...

AI score 6.7, Exploits 0

Code423n4, added 2021/06/30 12:00 a.m.

Malicious owner can drain the market at any time using SafetyWithdraw

Handle 0xRajeev Vulnerability details Impact The withdrawERC20Token in SafetyWithdraw inherited in TracerPerpetualSwaps is presumably a guarded launch emergency withdrawal mechanism. However, given the trust model where the market creator/owner is potentially untrusted/malicious, this is a...

AI score 6.8, Exploits 0