65 matches found
Anyone can call perform in SecurityCouncilMemberSyncAction to update members of security council multisig
Lines of code Vulnerability details Impact Anyone can update members of security council multisig Proof of Concept SecurityCouncilMemberSyncAction contract has a perform function which is used to update members of security council multisig. File: SecurityCouncilMemberSyncAction.sol /// @notice...
call() should be used instead of transfer() on an address payable
Lines of code Vulnerability details Impact The use of the transfer function for sending ETH to an address will inevitably make the transaction fail when: The claimer smart contract does not implement a payable function. The claimer smart contract does implement a payable fallback which uses more...
Multisig's functionality is impaired when Signers#threshold is 1
Lines of code Vulnerability details Impact Multisig's functionality is impaired when Signersthreshold is 1. Imagine the Signersthreshold is 1, so an individual signer is possible claim all the funds from Multisig without the need for other signers to vote. It is logical that at least 2 people...
Risk of Rogue Signer Control: Potential for Malicious Signer to Modify Threshold and Gain Unauthorized Control of Multisig Contract
Lines of code Vulnerability details Impact The "Rotation of Signers" mechanism in the Multisig contract poses a risk of a single rogue or compromised signer gaining unauthorized control of the contract. If a signer with malicious intent or compromised credentials utilizes the rotateSigners...
funds can be stolen in InterchainGovernance, Multisig and AxelarServiceGovernance contracts
Lines of code Vulnerability details Impact In InterchainGovernance users can execute the proposal by passing required data and the amount of native value they want to send with executeProposal function, this function calls call function in Caller contract, but this function insted of checking...
Insecure minimum threshold in _rotateSigners function
Lines of code Vulnerability details Impact Insecure minimum threshold in rotateSigners function can cause execution of malicious multisig proposals with unexpected results. Proof of Concept The rotateSigners is the only function which can initialize multisig parameters. This function has zero che...
Challenger can change the output root or delete output root arbitrarily to authorize invalid withdrawal or block withdrawal infinitely
Lines of code Vulnerability details Impact Challenger can change the output root or delete output root arbitrarily Proof of Concept In the OptimismPortal.sol, when prove and finalize the transaction the output root needs to be verificated // Grab the OutputProposal from the L2OutputOracle, will...
SignatureValidator.recoverAddrImpl for mode Multisig checks only the last value is different to zero address
Lines of code Vulnerability details Description Current implementation when mode == SignatureMode.Multisig only checks that the last time signer is calculated is different from zero address. The variable signer is overwritten with a new value, based on the previous value and the current signature...
ape-safe (=0.6.0), ape-vyper (>=0.7.1 <=0.8.3) +19 more potentially affected by CVE-2023-30629 via vyper (>=0.3.1 <=0.3.7)
vyper PYPI version =0.3.1, =0.7.1, =0.5.0, =0.5.0, =0.2.0, =0.1.0, =0.7.2, =0.1.10.0, =1.0.1, =0.1.0, =1.17.2, =0.0.0, =0.6.0, =2.0.0a1, =2.2.4 and more Source cves: CVE-2023-30629 Source advisory: OSV:GHSA-W9G2-3W7P-72G9...
Multisig: Users can approve proposals even after getting removed
Lines of code Vulnerability details Impact The Multisig contract intends to enable the creation and approval of proposals among a predetermined list of multisig addresses. The multisig addresses can be added or removed by a authorative identity. While creating a new proposal a snapshotBlock...
createProposal snapshot block can temporarily desync with minApproval / minVotingPower
Lines of code Vulnerability details Impact minApproval and member list will be temporarily out of sync, potentially causing approval issues Proof of Concept uint64 snapshotBlock = block.number.toUint64 - 1; ... // Create the proposal Proposal storage proposal = proposalsproposalId;...
Make proposals fail, no-revert on error, loss of funds
Lines of code Vulnerability details Impact The issue exists because anyone can call executein the multisig contract with will execute the proposal in the DAO contract. The problem here is that certain proposal will not revert when they fail because they have the uint256 allowFailureMap param set ...
There is no way to recover from error state
Lines of code Vulnerability details Impact There is no way to recover from error state Proof of Concept To address report M-3, in PR, The finishFailedMinipoolByMultisig method removed, while this does not block user from withdraw the fund in the error state in the current implementation. I think...
Mitigation Confirmed for Mitigation of H-06 Issue mitigated
C4 issue H-06: MinipoolManager: node operator can avoid being slashed Comments In the original implementation, there were a few scenarios where malicious node operators can avoid being slashed. Mitigation PR 41 This PR includes mitigation for various issues H-03, H-06, M-13. Just focusing on the...
Upgraded Q -> 2 from #65 [1675444463774]
Judge has assessed an item in Issue 65 as 2 risk. The relevant finding follows: Unusual multisig logic --- The text was updated successfully, but these errors were encountered: All reactions...
Upgraded Q -> 2 from #338 [1675444014859]
Judge has assessed an item in Issue 338 as 2 risk. The relevant finding follows: L-07 It should be possible to assign Minipool to a new Multisig MinipoolManager.sol 1 --- The text was updated successfully, but these errors were encountered: All reactions...
Upgraded Q -> 2 from #365 [1675443623313]
Judge has assessed an item in Issue 365 as 2 risk. The relevant finding follows: L-4 Misleading comments - Multisig are still managing pool --- The text was updated successfully, but these errors were encountered: All reactions...
Upgraded Q -> 2 from #769 [1675429128999]
Judge has assessed an item in Issue 769 as 2 risk. The relevant finding follows: L-1 requireNextActiveMultisig always returns the 1st enabled Multisig Relevant code: As the name suggested, MultisigManager.requireNextActiveMultisig should return the next enabled Multisig. However, it actually alwa...
Upgraded Q -> 2 from #846 [1675451731129]
Judge has assessed an item in Issue 846 as 2 risk. The relevant finding follows: L-2 no way to remove compromised/broken multisigs without upgrading the contract --- The text was updated successfully, but these errors were encountered: All reactions...
Upgraded Q -> 2 from #508 [1675443068820]
Judge has assessed an item in Issue 508 as 2 risk. The relevant finding follows: Cannot add additional Multisig when 10 Multisig addresses are registered --- The text was updated successfully, but these errors were encountered: All reactions...