27 matches found
Unsafe usage of msg.value in a loop
Lines of code 140 Vulnerability details The value of msg.value in a transaction's call never gets updated, even if the called contract ends up sending some or all of the Eth to another contract. This means that using msg.value in a for- or while-loop, without extra accounting logic, will either...
Unsafe usage of msg.value in a loop
Lines of code 140 Vulnerability details The value of msg.value in a transaction's call never gets updated, even if the called contract ends up sending some or all of the Eth to another contract. This means that using msg.value in a for- or while-loop, without extra accounting logic, will either...
Unsafe usage of msg.value in a loop
Lines of code 140 Vulnerability details The value of msg.value in a transaction's call never gets updated, even if the called contract ends up sending some or all of the Eth to another contract. This means that using msg.value in a for- or while-loop, without extra accounting logic, will either...
Unsafe usage of msg.value in a loop
Lines of code 140 Vulnerability details Impact The value of msg.value in a transaction's call never gets updated, even if the called contract ends up sending some or all of the Eth to another contract. This means that using msg.value in a for- or while-loop, without extra accounting logic, will...
Potential drain of EthCrowdFund contract
Lines of code Vulnerability details Impact In the emergencyExecute function in the EthCrowdFundBase contract, the external call msg.value is decided by the user input which could lead to draining of funds by compromised wallet or human error. Also there is no check if the value of amoutnEth is at...
A malicious contributor can increase voting power maliciously and eventually steal funds!
Lines of code Vulnerability details Impact Unlimited voting power for attacker and stealing of funds ! Proof of Concept All of the contribute functions uses msg.value to calculate the votingpower . For example , contribute function looks like this : function contribute uint256 tokenId, address...
if lzReceiveNonBlocking failed to execute , they don't send back ,accumulated msg.value . malicious user drain that
Lines of code Vulnerability details Impact PerformFallBack is gonna fail and msg.value will be accumulated in that BranchBridgeAgent and malicious user can take over them Proof of Concept User deposited and When it's not executed ,user want to retrieve and callRetrieveSettlement ,send message to...
Allowing delegate call with msg.value in executeBatch() is dangerous
Lines of code Vulnerability details Bug Description ERC725XCore's execute function allows four types of operations: 1. CALL for normal calls 2. DELEGATECALL 3. CREATE/CREATE2 for contract deployment 4. STATICCALL The executeBatch function simply calls execute in a loop to perform multiple calls i...
Execution does not work if the action has a non-zero value
Lines of code Vulnerability details Llama instances have a separate LlamaExecutor contract for action execution. When calling LlamaCore.executeAction, the flow is the following for simplicity, we ignore action guards: The function does internal validation: checking the current action state is...
addCredit() DOS Attack
Lines of code Vulnerability details Impact DOS Attack Proof of Concept addCredit can be called by anyone, and the msg.value is as small as 1 wei. Users can modify Lien at a small cost, causing the value stored in lienslienId=keccak256abi.encodelien to change By front-run, the normal user's...
Mitigation Confirmed for Mitigation of H-06 Issue mitigated
C4 issue H-06: MinipoolManager: node operator can avoid being slashed Comments In the original implementation, there were a few scenarios where malicious node operators can avoid being slashed. Mitigation PR 41 This PR includes mitigation for various issues H-03, H-06, M-13. Just focusing on the...
outboundTransfer should return excess msg.value
Lines of code Vulnerability details Impact In function outboundTransfer, if users sends more msg.value than required, by accident, then the remaining msg.value is not sent back. So, if msg.value amount argument, then the excess msg.value is not sent back to msg.sender. This causes loss of funds f...
Payable with no way of taking funds out / using msg.value can lock funds
Lines of code Vulnerability details Impact External execute function may lock funds --- The text was updated successfully, but these errors were encountered: All reactions...
Possible lost msg.value
Lines of code Vulnerability details In call submit can will send value and the asset can be an ERC20!= address0, if frxETHMinter.sol contract receive this call the fouds will lost. Recommended Mitigation Steps In frxETHMinter, submit function: Check if the msg.value is zero when the asset is...
Missing payable
Lines of code Vulnerability details Impact The following functions are not payable but uses msg.value - therefore the function must be payable. This can lead to undesired behavior. Proof of Concept frxETHMinter.sol, submit should use payable since it uses msg.value Tools Used Manual review...
Buyout's buyFractions can be called multiple time reusing the same msg.value with Multicall
Lines of code Vulnerability details Passing multiple buyFractions calls to Multicall's multicall will use the same msg.value many times. This will inflate his contribution without real fund transfers with the corresponding fund loss for the system. Proof of Concept Buyout uses Multicall: contract...
rescueETH function doesn't works as expected
Lines of code Vulnerability details Impact The rescueETH function is implemented to collect any unexpected ETH transferred to the infinityExchange.sol contract, But this function will not work as expected. The function is supposed to return the eth from the contract to the specified destination...
ETH rescue does not work
Lines of code Vulnerability details Impact Both contracts InfinityExchange and InfinityStaker have a function rescueETH to allow an admin to rescue any ETH accidentally sent to the contracts. However, this ETH rescue functionality does not work. The code expects ETH to be sent to this function an...
Incorrect msg.value usage could lead to fund loss
Lines of code Vulnerability details Impact The burnToTarget function is using msg.value in a loop which is passed to swapAll function of swapperRouter. Since msg.value amount will not change within loop, contract will end up using its own ETH Proof of Concept 1. User calls burnToTarget function...
unsafe call using msg.value in loop
Lines of code Vulnerability details description with the function burnToTarget in FeeBurner.sol, a malicious user can swap more funds than they input in ETH if they include multiple address0 in the addresses tokens parameter during the function call, there is a for loop that loops through tokens...