security-review-skill

Security Review Skill for Claude Code A comprehensive securit...

Miners Can Re-Roll the VRF Output to Game the Protocol

Lines of code Vulnerability details Impact Miners are able to rewrite a chain's history if they dislike the VRF output used by the protocol. Consider the following example: A miner or well-funded user is participating in the PoolTogether protocol. A VRF request is made and fulfilled in the same...

AlgebraPool.sol#L488 : onlyValidTicks modifier is missing for function

Lines of code Vulnerability details Impact Invalid ticks can be allowed for collection. Proof of Concept function collect address recipient, int24 bottomTick, int24 topTick, uint128 amount0Requested, uint128 amount1Requested external override lock returns uint128 amount0, uint128 amount1 Position...

Validation check for payFYToken and payBase functions to allow only valid users.

Lines of code Vulnerability details Impact This will prevent from calling the functions by invalid users. Unnecessary condition verification. Proof of Concept Tools Used Manual code review Recommended Mitigation Steps At the start of the functions, add validation check such that only the user who...

Chainlink oracle might return stale data

Lines of code Vulnerability details Impact Oracle might return stale data for basePrice and quotePrice. Proof of Concept refreshedAssetPerBaseInUQ in ChainlinkPriceOracle.sol does not check if the data from Chainlink is fresh . If there is a problem with the Chainlink oracle, this contract may be...

CONSTANT_SETTER_ROLE is never assigned in CommunityLocker.sol

Lines of code Vulnerability details Impact In CommunityLocker.sol only the caller with the CONSTANTSETTERROLE can call the setTimeLimitPerMessage function. The problem is that the CONSTANTSETTERROLE is never assigned in the contract. Only the DEFAULTADMINROLE is assigned in the initialize functio...

Malicious Users Can Transfer Vault Collateral To Other Accounts To Extract Additional Yield From The Protocol

Handle leastwood Vulnerability details Impact ConvexYieldWrapper.sol is a wrapper contract for staking convex tokens on the user's behalf, allowing them to earn rewards on their deposit. Users will interact with the Ladle.sol contract's batch function which: Approves Ladle to move the tokens...

PoolTemplate.sol initialize() can be called by attacker during deployment

Handle jayjonah8 Vulnerability details Impact In PoolTemplate.sol the initialize function sets important storage variables like conditions and references and this function can only be called once. During deployment an attacker can monitor the blockchain byte code and call the initialize function...

_mint721() function can be broken because of strict equality check on token balance

Handle jayjonah8 Vulnerability details Impact In NFTXMarketplaceZap.sol the mint721 function has a require check that the balance must be equal to the amount of vault tokens in the contract. uint256 balance = count BASE - count INFTXVaultvault.mintFee; requirebalance ==...

Unable To Call emergencyWithdraw ETH in NoYield Contract

Handle leastwood Vulnerability details Impact The emergencyWithdraw function is implemented in all yield sources to allow the onlyOwner role to drain the contract's balance in case of emergency. The contract considers ETH as a zero address asset. However, there is a call made on asset which will...

LockeERC20 is vulnerable to frontrun attack

Handle egjlmn1 Vulnerability details Impact a user can steal another user's tokens if he frontrun before he changes the allowance. The approve function receives an amount to change to. Lets say user A approved user B to take N tokens, and now he wants to change from N to M, if he calls approveM t...

Missing Emergency Pause Check

Handle defsec Vulnerability details Impact During the manual code review, It has been observed that minting progress is not checked when the contract is emergency paused. This can cause misfunctionality and unlocking user funds during the emergency pausing. Proof of Concept 1- Navigate to ""...

Copy your own portfolio to keep earning royalties

Handle jayjonah8 Vulnerability details Impact In NestedFactory.sol going through the create function which leads to the sendFeesWithRoyalties = addShares function, Im not seeing any checks preventing someone from copying their own portfolio and receiving royalty shares for it and simply repeating...

Multicall.sol batch calls don't update msg.value

Handle jayjonah8 Vulnerability details Impact In NestedFactory.sol using Multicall.sol can be dangerous when it has a msg.value inside a loop since the msg.value doesn't update every iteration. This can lead to a user sending ETH one time and it being counted for every iteration. There is a...

Users Can Frontrun revoke() By Calling vest()

Handle leastwood Vulnerability details Impact The onlyOwner role typically calls revoke if a member leaves the BootFinance team, resulting in vested tokens being transferred to the multisig account. Each vesting account has a revocable state variable that is set to either true or false. As any us...

_sendForReceiver is vulnerable to reentrancy. This enables a receiver to drain the remaining fees to distribute.

Handle janbro Vulnerability details Summary sendForReceiver is vulnerable to reentrancy. This enables a receiver to drain the remaining fees to distribute. Risk Rating Critical Vulnerability Details NFTXFeeDistributor.sol Line 163: bool success, bytes memory returnData =...

[Binrev] Automate Reversing Windows Binaries for Pentesters

What you can do with this? Static analysis: you can do a basic manual code review for decompiled sources to discover hidden communication channels, search for hard-coded passwords, or SQL injection vulnerabilities. Import decompiled projects to an IDE to reconstruct and modify the original source...