Lucene search

282 matches found

Code423n4
added 2022/02/20 12:0 a.m., 7 views

TurboRouter can't interact with existing TurboSafe because of the authentication modifier

Lines of code Vulnerability details Impact The TurboRouter is not able to interact with an existing TurboSafe because of the authentication modifier of the respective TurboSafe functions. Because of that, those router functions are unusable. Proof of Concept Here's the test file I used to confirm...

6.9 AI score
Exploits: 0
ATTACKERKB
added 2022/02/18 6:15 p.m., 86 views

CVE-2022-25335

RigoBlock Dragos through 2022-02-17 lacks the onlyOwner modifier for setMultipleAllowances. This enables token manipulation, as exploited in the wild in February 2022. NOTE: although 2022-02-17 is the vendor's vulnerability announcement date, the vulnerability will not be remediated until a major...

7.5 CVSS, 7.1 AI score, 0.00364 EPSS
In wild, Exploits: 1, References: 6
Prion
added 2022/02/18 6:15 p.m., 17 views

Spoofing

RigoBlock Dragos through 2022-02-17 lacks the onlyOwner modifier for setMultipleAllowances. This enables token manipulation, as exploited in the wild in February 2022. NOTE: although 2022-02-17 is the vendor's vulnerability announcement date, the vulnerability will not be remediated until a major...

5 CVSS, 7.5 AI score, 0.00364 EPSS
Exploits: 1, References: 5, Affected Software: 1
VulnCheck KEV
added 2022/02/18 12:0 a.m., 1 views

VulnCheck KEV: CVE-2022-25335

RigoBlock Dragos through 2022-02-17 lacks the onlyOwner modifier for setMultipleAllowances. This enables token manipulation, as exploited in the wild in February 2022. NOTE: although 2022-02-17 is the vendor's vulnerability announcement date, the vulnerability will not be remediated until a major...

7.5 CVSS, 7.1 AI score, 0.00364 EPSS
Exploits: 1, References: 1
CNNVD
added 2022/02/18 12:0 a.m., 3 views

RigoBlock Dragos Security Vulnerability

RigoBlock Dragos is a decentralized token management platform from Swiss company RigoBlock. RigoBlock Dragos suffers from a security vulnerability that stems from the lack of the onlyOwner modifier for setMultipleAllowances in RigoBlock Dragos through 2022-02-17...

7.5 CVSS, 7.3 AI score, 0.00364 EPSS
Exploits: 1, References: 7
Code423n4
added 2022/02/17 12:0 a.m., 10 views

Reentrancy in depositBribeERC20

Lines of code Vulnerability details Description The contract was found vulnerable to Reentrancy attack. It was noticed that the function depositBribeERC20 makes an external call to another untrusted address or a contract before it resolves any effects at line "" If the attacker controls the...

6.9 AI score
Exploits: 0
Code423n4
added 2022/02/17 12:0 a.m., 3 views

Reentrancy in depositBribe in TokemakBribe.sol

Lines of code Vulnerability details Description The contract was found vulnerable to Reentrancy attack. It was noticed that the function depositBribe makes an external call to another untrusted address or a contract before it resolves any effects at line "" If the attacker controls the untrusted...

6.9 AI score
Exploits: 0
Code423n4
added 2022/02/06 12:0 a.m., 12 views

Owner never calls finalize() = rug pull

Lines of code Vulnerability details Impact In order for users to claim their promised tokenOut tokens, the contract owner must call the finalize function. If the owner never calls the finalize function, no user can call the claim function to get their tokens. The owner can call the sweep function...

6.6 AI score
Exploits: 0
Code423n4
added 2022/01/28 12:0 a.m., 11 views

anyone can change Parameters state

Handle jayjonah8 Vulnerability details Impact In BurnFlashStakeDeposit.sol the parameterize function can be called by anyone setting all the Parameters state in the contract. A user should not be able to do this. This function deals with important governance decisions being execute and should onl...

7.2 AI score
Exploits: 0
Code423n4
added 2022/01/12 12:0 a.m., 5 views

A Single Malicious Trusted Account Can Takeover Parent Contract

Handle leastwood Vulnerability details Impact The requiresTrust modifier is used on the strategy, vault and factory contracts to prevent unauthorised accounts from calling restricted functions. Once an account is considered trusted, they are allowed to add and remove accounts by calling...

7 AI score
Exploits: 0
Code423n4
added 2022/01/06 12:0 a.m., 8 views

Re-entracy leading to increasing points in undesired way

Handle hack3r-0m Vulnerability details Current state: the attacker has a few nfts minted already by locking position call lock function with very high duration and very high amount from a contract attacker has control of this contract It will pass the non-re-entrant check and call lock function...

6.8 AI score
Exploits: 0
Code423n4
added 2021/12/17 12:0 a.m., 7 views

sendAllocatedYETI() can be called by anyone

Handle jayjonah8 Vulnerability details Impact In TeamAllocation.sol, the sendAllocatedYETI function simply distributes YETI to the team. This is a transfer of value and it currently can be called by anyone as the onlyTeam modifier is not used here. Proof of Concept Tools Used Manual code review...

7.1 AI score
Exploits: 0
IBM Security Bulletins
added 2021/12/16 1:28 p.m., 243 views

Security Bulletin: Vulnerability exists in Watson Explorer (CVE-2021-44228)

Summary Log4j is used by IBM Watson Explorer to log system events for diagnostics. This bulletin provides a remediation for the vulnerability, CVE-2021-44228 by upgrading Watson Explorer and thus addressing the exposure to the log4j vulnerability. Vulnerability Details CVEID: CVE-2021-44228...

10 CVSS, 0.6 AI score, 0.94358 EPSS
Exploits: 343, Affected Software: 1
Code423n4
added 2021/11/24 12:0 a.m., 9 views

MixinPurchase:shareKey allows to generate keys without purchasing

Handle GiveMeTestEther Vulnerability details Impact the shareKey function allows a user to share some time with another user that doesn't already has/had a key and this generates a new key. This even allows to generate more keys than maxNumberOfKeys. attacker generates a lot of EOA addresses, buys...

7 AI score
Exploits: 0
CNVD
added 2021/11/23 12:0 a.m., 21 views

Open-xchange OX App Suite Information Disclosure Vulnerability (CNVD-2021-90765)

Open-xchange OX App Suite is a web-based cloud desktop environment from Open-Xchange Open-xchange, a US-based company that allows users to more intuitively manage email, tasks, files, etc. An information disclosure vulnerability exists in Open-xchange OX App Suite. An information disclosure...

4.3 CVSS, 1.5 AI score, 0.0025 EPSS
Exploits: 3, References: 1
CNNVD
added 2021/11/22 12:0 a.m., 3 views

Open-xchange OX App Suite Security Vulnerability

Open-xchange OX App Suite is a web-based cloud desktop environment from Open-Xchange Open-xchange, a US-based company that allows users to more intuitively manage email, tasks, files, etc. An information disclosure vulnerability exists in Open-xchange OX App Suite. An information disclosure...

4.3 CVSS, 5.6 AI score, 0.0025 EPSS
Exploits: 3, References: 5
Code423n4
added 2021/11/15 12:0 a.m., 7 views

BasePool.mint() Is Callable By Anyone

Handle leastwood Vulnerability details Impact The BasePool.mint function differs from its implementation in BasePoolV2.mint in which it lacks an onlyRouter modifier. This ensures that users cannot call this function directly as VaderRouter.addLiquidity performs some necessary input validation whi...

7.1 AI score
Exploits: 0
Code423n4
added 2021/11/11 12:0 a.m., 9 views

FSDVesting.updateVestedTokens doesn't have any control modifiers and anyone can increase vested amount for a beneficiary

Handle hyh Vulnerability details Impact In current implementation all vesting beneficiaries can increase their vested amounts unlimitedly by calling updateVestedTokensmyfsdvestingaddress, anyamounttobeaddedtovesting. Beneficiary can then surpass vesting schedule by calling claimVestedTokens It wi...

6.9 AI score
Exploits: 0
Code423n4
added 2021/11/10 12:0 a.m., 6 views

Vesting benRevocable flag can be switched on and off by anyone and doesn't provide any additional control

Handle hyh Vulnerability details Impact Griefing attack is possible for revoke mechanics by calling vest with a tiny amount and zero isRevocable. This will switch revocable off for the whole vesting amount i.e. the whole set of timelocks flag is being set via last vest call. And vice versa,...

6.8 AI score
Exploits: 0
Code423n4
added 2021/10/10 12:0 a.m., 10 views

Basket.sol#mint() Malfunction due to extra nonReentrant modifier

Handle WatchPug Vulnerability details function mintuint256 amount public nonReentrant override mintToamount, msg.sender; function mintTouint256 amount, address to public nonReentrant override requireauction.auctionOngoing == false; The mint method is malfunction because of the extra nonReentrant...

7 AI score
Exploits: 0