8 matches found
EUVD-2023-0276
Malicious code in bioql PyPI...
PYSEC-2023-307
Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine EVM. Contracts containing large arrays might underallocate the number of slots they need by 1. Prior to v0.3.8, the calculation to determine how many slots a storage variable needed used math.ceiltype.sizeinbytes / 32. T...
Config update happening in memory instead of at storage slot
Lines of code Vulnerability details Impact While adding configs in addConfig function, configs is updated in memory as shown at . It should accept configs parameter to a function as storage. Proof of Concept function addConfiguint256 memory configs, uint256 configsLen, DripsReceiver memory receiv...
Multiple storage slot collisions between versions - due to different order in declaration
Lines of code Vulnerability details Impact If we list the sequence of how variables receive slots, we will see the failure to follow "append-only" principle. Many variable added "in-between" V2 version can read/write wrong slots. Proof of Concept Here is the table/list of variable, built taking...
No storage gap for Upgradable contract might lead to storage slot collision
Lines of code Vulnerability details Impact For Upgradable contracts, there must be storage gap to “allow developers to freely add new state variables in the future without compromising the storage compatibility with existing deployments” quote OpenZeppelin. Otherwise it may be very difficult to...
minGasReserve of MIMOProxy can be overwritten
Lines of code Vulnerability details Impact While there is a check that owner is not changed in a delegatecall, such a check is missing for minGasReserve, which means that the variable can be changed either maliciously or accidentally because of a storage slot collision. The consequences of this a...
No storage gap for Upgradable contract might lead to storage slot collision
Lines of code Vulnerability details Impact For upgradeable contracts, there must be storage gap to “allow developers to freely add new state variables in the future without compromising the storage compatibility with existing deployments” quote OpenZeppelin. Otherwise it may be very difficult to...
Missing a storage slot
Lines of code Vulnerability details Impact By using a pre-increment in our instantiations, we are potentially missing out on using the first 0th slot. Tools Used Manual Inspection Recommended Mitigation Steps Use post-incement --- The text was updated successfully, but these errors were...