7 matches found
Cannot unfollow a profile without having access to the Follow NFT
Lines of code Vulnerability details Impact In scenarios where a user fails to unfollow a profile before selling his follow NFT, he could forever be unable to unfollow the profile. Proof of Concept A user could sell his follow NFT without unfollowing a profile. If the new owner of the follow NFT...
Using memory instead of storage in 'redeemPositions' will result in incorrect LP Balance
Lines of code Vulnerability details Impact This bug could lead to a situation where a user can 'redeem' their positions without the associated liquidity positions LPs being properly reset. This could result in the user being able to artificially inflate their LP balance, which could lead to...
Ownership NFT Can be Minted by Anyone
Lines of code Vulnerability details Impact In Turnstile.sol, register is a public function callable by anyone. Any msg.sender calling this function the first time is going to bypass the modifier onlyUnregistered. As long as a non-zero recipient has been inputted, a new NFT is going to be minted t...
Owner of project NFT has no purpose
Lines of code Vulnerability details Owner of project NFT has no purpose Impact Creating a new project mints a NFT to the sender builder. The builder of a project has special permissions and is required to perform various tasks. However, if the minted NFT is transferred to a different address, the...
The function _transferFrom doesn't work
Lines of code Vulnerability details In VoteEscrowDelegation.sol L242, the function removeDelegation is called externally with the syntax this., but that external call changes the msg.sender. So in the function removeDelegation, msg.sender will be the contract itself, not the user. But this functi...
When setSubnodeOwner transfers ownership of sub-domain the new owner can perform actions before fuses are burned
Lines of code Vulnerability details Impact Function NameWrapper.setSubnodeOwner can be used to transfer ownership of a sub-domain to a new owner and, at the same time, burn fuses. A possible use-case could be that a domain owner wants to transfer ownership of the sub-domain but burn fuses in orde...
_autoAcceptOffer doesn't check if caller of setBuyPrice owns the NFT
Lines of code Vulnerability details Impact An attacker can create an offer then auto accept that offer for an NFT they don't own. This can happen for any NFT that the contract is approved for, or any NFT left in escrow with no active limitations Proof of concept Alice has an NFT that they either...