29 matches found
EUVD-2018-8889
Malware in sbrugna...
EUVD-2022-30014
Malicious code in bioql PyPI...
Bidders can bid at previous auction reserve price by frontrunning the setter transactions
Lines of code Vulnerability details Impact The AuctionHouse.settleCurrentAndCreateNewAuction can frontrun the setter functions such as setCreatorRateBps, setMinCreatorRateBps, setEntropyRateBps, setTimeBuffer, setMinBidIncrementPercentage & setReservePrice. As soon as the current auction ends, an...
CURRENT OWNER OF THE Market.sol CONTRACT CAN RENOUNCE THE OWNERSHIP AND DoS THE onlyOwner MODIFIER CONTROLLED FUNCTIONS IN THE Market.sol CONTRACT
Lines of code Vulnerability details Impact Market.sol contract inherits from the openzeppelin Ownable2Step.sol contract. The Ownable2Step.sol contract inherits from the openzeppelin Ownable.sol contract. There is Ownable.renounceOwnership function which can be called by the current owner to...
asD TOKEN CREATOR CAN PROFIT UNFAIRLY FROM THE cNote TOKENS DIRECLTY TRANSFERRED TO THE asD.sol CONTRACT
Lines of code Vulnerability details Impact The asD.withdrawCarry function is used to withdraw the interest that accrued in the asD contract in the form of NOTE tokens. Only the owner of the asD token is able to withdraw the interest accrued since the withdrawCarry is controlled by the onlyOwner...
lack of an ownership transfer mechanism
Lines of code Vulnerability details Issue: The code does not have a mechanism to transfer ownership of the contract. In the current implementation, once deployed, the contract owner's address cannot be changed. This can be problematic for contract maintenance and security, as it restricts the...
In DestinationBridge:rescueTokens function the owner can steal user tokens
Lines of code Vulnerability details Summary In the rescueToken function, it opens the door to potential insecurity for user funds because it lacks additional conditions specifying which types of tokens or under what conditions the onlyOwner can use this function. The function looks like: / @notic...
The owner can call _upgrade directly, skipping executeLensV2Upgrade.
Lines of code Vulnerability details Impact Loss of funds due to skipped checks before transfers Invalid system state due to assuming conditions not verified Hiding failed upgrade due to skipped revert/events Proof of Concept upgrade is missing an onlyOwner modifier By calling upgrade directly, th...
Anyone can receive funds from the Well.sol contract, thus reducing the token/tokenLp ratio for users
Lines of code Vulnerability details Impact In Well.sol skim, anyone can withdraw funds that are not in reserve by simply calling the function. Such funds may remain, for example, when transactions are rounded off. To credit extra tokens, reservetoken has sync. However, you can programmatically...
Upgraded Q -> 2 from #16 [1686928129422]
Judge has assessed an item in Issue 16 as 2 risk. The relevant finding follows: L-3 onlyOwner single point of failure Impact The onlyOwner role has a single point of failure and onlyOwner can use critical a few functions. Even if protocol admins/developers are not malicious there is still a chanc...
OffchainDNSResolver Contract Missing onlyOwner Modifier in Constructor Can Lead to DNS Hijacking Attacks
Lines of code Vulnerability details Impact The OffchainDNSResolver contract has a security vulnerability where it doesn't have a safeguard called the onlyOwner modifier in its constructor, this means that anyone can deploy the contract. This could allow a bad actor to create a version of the...
Calling execute() and executeBatch() functions in SmartAccount.sol from the EntryPoint will fail
Lines of code Vulnerability details Impact The function requireFromEntryPointOrOwner is being called within the execute and executeBatch functions to check if the msg.sender is either the owner or the EntryPoint contract, but these functions have onlyOwner modifier, which will only allow the owne...
Possible to block withdrawal of staked funds after recordStakingEnd or stakingError
Lines of code Vulnerability details Impact Node operators can lose their staked AVAX after stakingEnd or stakingError. Funds will be locked in the Staking contract, but impossible to withdraw. A bad actor does need to supply 1000 AVAX which he gets back and has not have real incentive to do it, b...
A compromised owner of VRFNFTRandomDraw can claim the NFT to another accomplice addresss
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. A compromised owner of VRFNFTRandomDraw can claim the NFT to another accomplice addresss Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other...
A single point of failure is not acceptable for this project
Lines of code Vulnerability details Impact The pause function on WardenPledge.sol has a single point of failure and onlyOwner can stop all project. Owner is not behind a multisig and changes are not behind a timelock.This information hasnt got in documents Even if protocol admins/developers are n...
No access control for function deployDeletateFor
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. There is no access control for the deployDelegateFor function, so anyone can call this function and initialize all the parameters for a project. Moreover, the caller can also transfer the owner to a...
Missing access Control to burnFeiHeld function
Lines of code Vulnerability details Impact burnFeiHeld hasn't any owner modifier , so everybody run it Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. function burnFeiHeld external uint256...
Users will be able to receive tokens through _executeWithToken() after RemoveWrapping() by onlyOwner
Lines of code Vulnerability details Impact Whenever owner removes wrapping by calling removeWrapping , it sets the wrappedaxelarToken to 0. This would allow users to be able to call executeWithToken when the function is used in the future by calling a function that calls it i.e if this function i...
Centralization Risk with onlyOwner modifier
Lines of code Vulnerability details Impact During the code review, It has been observed the all currency tokens can be withdraw by owner without timelock. The currency token should not be withdrawn by owner. This poses centralization risk. Proof of Concept 1. Navigate to the following contract...
updateSignValidity() May Break registerSelf() Due to Lack of Input Validation
Lines of code Vulnerability details Impact requireblock.timestamp Recommended Mitigation Steps requiresignValidity != 0, "signValidity Can't Be Zero" --- The text was updated successfully, but these errors were encountered: All reactions...