Lucene search
K

65 matches found

Code423n4
Code423n4
added 2023/08/10 12:0 a.m.12 views

Anyone can call perform in SecurityCouncilMemberSyncAction to update members of security council multisig

Lines of code Vulnerability details Impact Anyone can update members of security council multisig Proof of Concept SecurityCouncilMemberSyncAction contract has a perform function which is used to update members of security council multisig. File: SecurityCouncilMemberSyncAction.sol /// @notice...

6.7AI score
Exploits0
Code423n4
Code423n4
added 2023/08/07 12:0 a.m.14 views

call() should be used instead of transfer() on an address payable

Lines of code Vulnerability details Impact The use of the transfer function for sending ETH to an address will inevitably make the transaction fail when: The claimer smart contract does not implement a payable function. The claimer smart contract does implement a payable fallback which uses more...

6.8AI score
Exploits0
Code423n4
Code423n4
added 2023/07/21 12:0 a.m.7 views

Multisig's functionality is impaired when Signers#threshold is 1

Lines of code Vulnerability details Impact Multisig's functionality is impaired when Signersthreshold is 1. Imagine the Signersthreshold is 1, so an individual signer is possible claim all the funds from Multisig without the need for other signers to vote. It is logical that at least 2 people...

6.8AI score
Exploits0
Code423n4
Code423n4
added 2023/07/21 12:0 a.m.17 views

Risk of Rogue Signer Control: Potential for Malicious Signer to Modify Threshold and Gain Unauthorized Control of Multisig Contract

Lines of code Vulnerability details Impact The "Rotation of Signers" mechanism in the Multisig contract poses a risk of a single rogue or compromised signer gaining unauthorized control of the contract. If a signer with malicious intent or compromised credentials utilizes the rotateSigners...

7.4AI score
Exploits0
Code423n4
Code423n4
added 2023/07/21 12:0 a.m.7 views

funds can be stolen in InterchainGovernance, Multisig and AxelarServiceGovernance contracts

Lines of code Vulnerability details Impact In InterchainGovernance users can execute the proposal by passing required data and the amount of native value they want to send with executeProposal function, this function calls call function in Caller contract, but this function insted of checking...

7.3AI score
Exploits0
Code423n4
Code423n4
added 2023/07/21 12:0 a.m.6 views

Insecure minimum threshold in _rotateSigners function

Lines of code Vulnerability details Impact Insecure minimum threshold in rotateSigners function can cause execution of malicious multisig proposals with unexpected results. Proof of Concept The rotateSigners is the only function which can initialize multisig parameters. This function has zero che...

7.1AI score
Exploits0
Code423n4
Code423n4
added 2023/06/09 12:0 a.m.13 views

Challenger can change the output root or delete output root arbitrarily to authorize invalid withdrawal or block withdrawal infinitely

Lines of code Vulnerability details Impact Challenger can change the output root or delete output root arbitrarily Proof of Concept In the OptimismPortal.sol, when prove and finalize the transaction the output root needs to be verificated // Grab the OutputProposal from the L2OutputOracle, will...

6.7AI score
Exploits0
Code423n4
Code423n4
added 2023/05/26 12:0 a.m.14 views

SignatureValidator.recoverAddrImpl for mode Multisig checks only the last value is different to zero address

Lines of code Vulnerability details Description Current implementation when mode == SignatureMode.Multisig only checks that the last time signer is calculated is different from zero address. The variable signer is overwritten with a new value, based on the previous value and the current signature...

6.9AI score
Exploits0
vulnersOsv
vulnersOsv
added 2023/04/24 10:33 p.m.13 views

ape-safe (=0.6.0), ape-vyper (>=0.7.1 <=0.8.3) +19 more potentially affected by CVE-2023-30629 via vyper (>=0.3.1 <=0.3.7)

vyper PYPI version =0.3.1, =0.7.1, =0.5.0, =0.5.0, =0.2.0, =0.1.0, =0.7.2, =0.1.10.0, =1.0.1, =0.1.0, =1.17.2, =0.0.0, =0.6.0, =2.0.0a1, =2.2.4 and more Source cves: CVE-2023-30629 Source advisory: OSV:GHSA-W9G2-3W7P-72G9...

7.5CVSS7.1AI score0.00883EPSS
Exploits1
Code423n4
Code423n4
added 2023/03/10 12:0 a.m.8 views

Multisig: Users can approve proposals even after getting removed

Lines of code Vulnerability details Impact The Multisig contract intends to enable the creation and approval of proposals among a predetermined list of multisig addresses. The multisig addresses can be added or removed by a authorative identity. While creating a new proposal a snapshotBlock...

7AI score
Exploits0
Code423n4
Code423n4
added 2023/03/10 12:0 a.m.9 views

createProposal snapshot block can temporarily desync with minApproval / minVotingPower

Lines of code Vulnerability details Impact minApproval and member list will be temporarily out of sync, potentially causing approval issues Proof of Concept uint64 snapshotBlock = block.number.toUint64 - 1; ... // Create the proposal Proposal storage proposal = proposalsproposalId;...

7AI score
Exploits0
Code423n4
Code423n4
added 2023/03/10 12:0 a.m.8 views

Make proposals fail, no-revert on error, loss of funds

Lines of code Vulnerability details Impact The issue exists because anyone can call executein the multisig contract with will execute the proposal in the DAO contract. The problem here is that certain proposal will not revert when they fail because they have the uint256 allowFailureMap param set ...

7.3AI score
Exploits0
Code423n4
Code423n4
added 2023/02/15 12:0 a.m.18 views

There is no way to recover from error state

Lines of code Vulnerability details Impact There is no way to recover from error state Proof of Concept To address report M-3, in PR, The finishFailedMinipoolByMultisig method removed, while this does not block user from withdraw the fund in the error state in the current implementation. I think...

6.6AI score
Exploits0
Code423n4
Code423n4
added 2023/02/14 12:0 a.m.10 views

Mitigation Confirmed for Mitigation of H-06 Issue mitigated

C4 issue H-06: MinipoolManager: node operator can avoid being slashed Comments In the original implementation, there were a few scenarios where malicious node operators can avoid being slashed. Mitigation PR 41 This PR includes mitigation for various issues H-03, H-06, M-13. Just focusing on the...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2023/02/03 12:0 a.m.8 views

Upgraded Q -> 2 from #65 [1675444463774]

Judge has assessed an item in Issue 65 as 2 risk. The relevant finding follows: Unusual multisig logic --- The text was updated successfully, but these errors were encountered: All reactions...

7AI score
Exploits0
Code423n4
Code423n4
added 2023/02/03 12:0 a.m.7 views

Upgraded Q -> 2 from #338 [1675444014859]

Judge has assessed an item in Issue 338 as 2 risk. The relevant finding follows: L-07 It should be possible to assign Minipool to a new Multisig MinipoolManager.sol 1 --- The text was updated successfully, but these errors were encountered: All reactions...

6.8AI score
Exploits0
Code423n4
Code423n4
added 2023/02/03 12:0 a.m.5 views

Upgraded Q -> 2 from #365 [1675443623313]

Judge has assessed an item in Issue 365 as 2 risk. The relevant finding follows: L-4 Misleading comments - Multisig are still managing pool --- The text was updated successfully, but these errors were encountered: All reactions...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2023/02/03 12:0 a.m.5 views

Upgraded Q -> 2 from #769 [1675429128999]

Judge has assessed an item in Issue 769 as 2 risk. The relevant finding follows: L-1 requireNextActiveMultisig always returns the 1st enabled Multisig Relevant code: As the name suggested, MultisigManager.requireNextActiveMultisig should return the next enabled Multisig. However, it actually alwa...

7.1AI score
Exploits0
Code423n4
Code423n4
added 2023/02/03 12:0 a.m.9 views

Upgraded Q -> 2 from #846 [1675451731129]

Judge has assessed an item in Issue 846 as 2 risk. The relevant finding follows: L-2 no way to remove compromised/broken multisigs without upgrading the contract --- The text was updated successfully, but these errors were encountered: All reactions...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2023/02/03 12:0 a.m.15 views

Upgraded Q -> 2 from #508 [1675443068820]

Judge has assessed an item in Issue 508 as 2 risk. The relevant finding follows: Cannot add additional Multisig when 10 Multisig addresses are registered --- The text was updated successfully, but these errors were encountered: All reactions...

7AI score
Exploits0
Rows per page
Query Builder