Lucene search
K

65 matches found

Code423n4
Code423n4
added 2023/01/25 12:0 a.m.9 views

Upgraded Q -> M from #229 [1674661320954]

Judge has assessed an item in Issue 229 as M risk. The relevant finding follows: Centralization Risk Contract: Impact: It seems the poolAdmin holds too much power including changing reward controller, rescue tokens etc. This can allow poolAdmin to impact all users by changing the config or draini...

7AI score
Exploits0
Code423n4
Code423n4
added 2023/01/03 12:0 a.m.16 views

The owner minipool count is not decreased in the case of a staking error

Lines of code Vulnerability details Impact When a node operator creates a new pool or the recreateMinipool function is called the minipool count of the owner is increased by 1 and when the staking ends the multisig calls the recordStakingEnd function which will decrease the owner minipool count b...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2023/01/03 12:0 a.m.5 views

Wrong reward distribution because protocol won't reset avaxAssignedHighWater value for a user if calculateAndDistributeRewards() doesn't get called for that user in that cycle

Lines of code Vulnerability details Impact node operators ggp rewards are distributed by function calculateAndDistributeRewards which is called by Multisig and function calculateAndDistributeRewards can only distribute current cycle rewards. the rewards are calculated based on user's...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2022/12/19 12:0 a.m.7 views

Centralization Risks, Rug pull vectors

Lines of code Vulnerability details Impact Owner can mint or burn unlimited tokens, functions can be used to rug pull the project. Proof of Concept Although owner role is supposedly not malicious, if owner's wallet keys are compromised, an attacker could rug the project. Based on the fact that we...

6.6AI score
Exploits0
Code423n4
Code423n4
added 2022/12/19 12:0 a.m.13 views

## MALICIOUS OWNER CAN CLOSE AND WITHDRAW AS HE WANT

Lines of code Vulnerability details MALICIOUS OWNER CAN CLOSE AND WITHDRAW AS HE WANT These functions below are set some emergency scenarios. But caviar.Owner able to triggered these functions as he want. Need to set some require statement in order to actually check these scenarios before his...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2022/12/16 12:0 a.m.8 views

Use safeTransferFrom instead of transferFrom for ERC721 transfers

Lines of code Vulnerability details Impact In the contract VRFNFTRandomDraw.sol every transfer of ERC721 are done with the transferFrom instead of the recommended safeTransferFrom. This transferFrom does not check whether the receiver is capable of proper handling of NFTs. Proof of Concept If the...

6.7AI score
Exploits0
Code423n4
Code423n4
added 2022/11/14 12:0 a.m.15 views

Upgraded Q -> M from #334 [1668467418003]

Judge has assessed an item in Issue 334 as M risk. The relevant finding follows: 2. Rug vectors by the owner A malicious owner can call setLBPairImplementation, setFeeRecipient, setFlashLoanFee , setFeesParameters and forceDecay to advantage himself at expenses of the users...

6.8AI score
Exploits0
Code423n4
Code423n4
added 2022/11/10 12:0 a.m.10 views

call() should be used instead of transfer() on address payable

Lines of code Vulnerability details Proof of Concept The use of the deprecated transfer function for an address will inevitably make the transaction fail when: 1. The claimer smart contract does not implement a payable function. 2. The claimer smart contract does implement a payable fallback whic...

6.8AI score
Exploits0
Code423n4
Code423n4
added 2022/09/25 12:0 a.m.9 views

TIMELOCK_ROLE Can Withdraw FUND from the Contracts via recoverEther()

Lines of code Vulnerability details Impact The Timelock Address role is misidentified in this agreement and has high authority. While I believe developer have good intention to use these functions. It often associate with Rug Pull by developer in the eyes of investors because Rug Pull is not...

6.7AI score
Exploits0
Code423n4
Code423n4
added 2022/09/17 12:0 a.m.5 views

Why emergencyExecute() is required?

Lines of code Vulnerability details Impact Now PartyDAO multisig can steal all funds from all PartyGovernance instances If malicious user will get control over PartyDAO multisig, he will steal of funds from all projects Tools Used vs code Recommended Mitigation Steps Remove this funtion --- The...

7AI score
Exploits0
Code423n4
Code423n4
added 2022/07/19 12:0 a.m.10 views

call() should be used instead of transfer() on an address payable

Lines of code Vulnerability details Impact The use of the deprecated transfer function for an address will inevitably make the transaction fail when the caller is a smart contract and: 1. Does not implement a payable function. 2. Implements a payable fallback which uses more than 2300 gas unit. 3...

6.8AI score
Exploits0
Code423n4
Code423n4
added 2022/07/19 12:0 a.m.11 views

Usage of deprecated transfer to send ETH

Lines of code%20%7B-,payablemsg.sender.transfer,-msg.valueL183 Vulnerability details Impact The use of the deprecated transfer function for an address will inevitably make the transaction fail when: The claimer smart contract does not implement a payable function. The claimer smart contract does...

7AI score
Exploits0
Snyk
Snyk
added 2022/06/23 9:26 a.m.3 views

Malicious Package

Overview multisig-wallet-generator is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this...

9.8CVSS7AI score
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added 2022/06/20 8:14 p.m.3 views

Malicious code in multisig-tool (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 83594d962f64139d79a73c5baea85a2f9209738f61ae923a83ce94fbbddc1174 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

6.9AI score
Exploits0References1
OSV
OSV
added 2022/06/20 8:14 p.m.8 views

MAL-2022-4736 Malicious code in multisig-tool (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 83594d962f64139d79a73c5baea85a2f9209738f61ae923a83ce94fbbddc1174 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

7AI score
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packages
added 2022/06/08 9:1 a.m.2 views

Malicious code in multisig (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 4eb9c4b4228a3a5f5b0a57247fb0920a79451a4f5b183a7568412f2d8be3a61b Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

6.9AI score
Exploits0References1
OSV
OSV
added 2022/06/08 9:1 a.m.6 views

MAL-2022-4735 Malicious code in multisig (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 4eb9c4b4228a3a5f5b0a57247fb0920a79451a4f5b183a7568412f2d8be3a61b Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

7AI score
Exploits0References1
Code423n4
Code423n4
added 2022/06/03 12:0 a.m.10 views

call() should be used instead or transfer() on an address payable

Lines of code Vulnerability details This is a classic Code4rena issue: code-423n4/2021-04-meebits-findings2 code-423n4/2021-10-tally-findings20 code-423n4/2022-01-openleverage-findings75 Impact The use of the deprecated transfer function for an address will inevitably make the transaction fail...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2022/05/05 12:0 a.m.16 views

The ownership context is too centralized leaving room for other attack surfaces

Lines of code Vulnerability details Impact The ownership context is too centralized leaving room for other attack surfaces and leaving impression of distrust for the participants. Proof of Concept Almost all of the functions have onlyOwner modifier which allows accessing all the vital points of t...

7.1AI score
Exploits0
Code423n4
Code423n4
added 2022/03/30 12:0 a.m.9 views

Risk of centralization

Lines of code Vulnerability details Medium Risk Risk of centralization Impact Diamond owner has too many roles on setting the functions, initiating payable functions. If the Owner account is compromised, the assets may be drained in this trustless system. Proof of Concept Tools Used Static testin...

6.9AI score
Exploits0
Rows per page
Query Builder