6 matches found
Attacker can make group pay for tokenID that is not intended.
Lines of code Vulnerability details Description purchase in GroupBuy.sol executes the purchase call for the group. There are two possibilities for which tokenIDs can be bought in GroupBuy: 1. If the group is for a specific NFT, the tokenID is the value in pool.merkleRoot variable. 2. If the group...
Invalid tokens can be added to the pair
Lines of code Vulnerability details Impact merkleRoot is a bytes32 and it is compared to bytes230 which makes it possible for a non-zero merkleRoot to be set in the constructor and yet still all tokens will be declared as valid Proof of Concept Tools Used Manual Audit Recommended Mitigation Steps...
GroupBuy may purchase NFT not in the allowed list
Lines of code Vulnerability details Impact When purchaseProof.length == 0, GroupBuy.purchase compare the tokenId with the merkleRoot. This allow any tokenId that match the merkleRoot to be purchased, even if they are not included in the allow list during setup. if purchaseProof.length == 0 //...
merkleRoot can be set by delegatecall(), violate setMerkelRoot()
Lines of code Vulnerability details Impact When delegatecall to target, the context is on Caller contract, all state change logics reflect on Caller’s storage. If the Vault contract calls the malicious contract by function execute,the important storage variable merkleRoot can be modified. Accordi...
delegatecall() modify merkleRoot, vault may lose all
Lines of code Vulnerability details Impact If the vault contract delegatecall the malicious contract by execute,the important variable merkleRoot can be modified. If the merkleRoot is set well designed, the vault will lose all tokens. Because, there are two main requirements for function execute ...
DoS: Attacker May Front-Run createSplit() With A merkleRoot Causing Future Transactions With The Same merkleRoot to Revert
Lines of code Vulnerability details Impact A merkleRoot may only be used once in createSplit since it is used as salt to the deployment of a SplitProxy. The result is an attacker may front-run any createSplit transaction in the mem pool and create another createSplit transaction with a higher gas...