139 matches found
Draw admin/owner can rug the winner after recoverTimelock expires.
Lines of code Vulnerability details Impact The admin/owner of VRFNFTRandomDraw can wait for recoverTimelock to expire before making the draw. This way he can use lastResortTimelockOwnerClaimNFT to take back the reward NFT from the contract without any time to allow for the winner to claim. He cou...
lastResortTimelockOwnerClaimNFT() can retrieve the token although drawing is in progress
Lines of code Vulnerability details Impact owner can retrieve the token although drawing is in progress Proof of Concept lastResortTimelockOwnerClaimNFT Be used in: " If no users ultimately claim the NFT, the admin specifies a timelock period after which they can retrieve the raffled NFT. " But i...
Admin can withdraw the NFT before the winner timelock ends
Lines of code Vulnerability details Impact The admin could set recoverTimelock before drawBufferTime , thus he can withdraw the NFT before the winner Draw buffer time ends. Proof of Concept The drawBufferTime need to be more then an hour and less then a month and the recoverTimelock need to be at...
Medium: DAO can drain all funds of all node runners immediately
Lines of code Vulnerability details Description The DAO can steal all funds of all node runners in the system, which means the system is heavily centralized. function executeAsSmartWallet address nodeRunner, address to, bytes calldata data, uint256 value external payable onlyDAO address smartWall...
Exchange owner can consume all orders at arbitrary price
Lines of code Vulnerability details Impact The choice of policy to use for a transaction is determined by the listingTime. The listingTime can be supplied by the caller of execute/bulkExecute and can be arbitrary as along as it passes validation. And the policy of a given order is used to determi...
Upgraded Q -> M from #334 [1668467418003]
Judge has assessed an item in Issue 334 as M risk. The relevant finding follows: 2. Rug vectors by the owner A malicious owner can call setLBPairImplementation, setFeeRecipient, setFlashLoanFee , setFeesParameters and forceDecay to advantage himself at expenses of the users...
A single point of failure is not acceptable for this project
Lines of code Vulnerability details Impact The pause function on WardenPledge.sol has a single point of failure and onlyOwner can stop all project. Owner is not behind a multisig and changes are not behind a timelock.This information hasnt got in documents Even if protocol admins/developers are n...
Timelock Contract should be used to avoid malicious governance
Lines of code Vulnerability details Impact Governance of Market.sol can call following function at anytime. This is not ideal since they can call this function for their own benefits. For example they can change liquidationFactorBps to gain more liquidationFee. They can change collateralFactorBps...
Governor can rug all GRT by setting the gateway to her wallet (Governor may be hacked)
Lines of code Vulnerability details Impact Governor can rug all GRT by setting the gateway to her wallet Governor may be hacked. Proof of Concept First, the Governor set the gateway contract to her wallet function setGatewayaddress gw external onlyGovernor requiregw != address0, "INVALIDGATEWAY";...
Requiring Timelock For Setter Functions
Lines of code Vulnerability details Vulnerability Details We noticed that the following owner-privileged setter functions can update important state variables without a time delay. 1. setExecutionDelegate function of the BlurExchange contract L215 - 222 in code snippet 1 2. setPolicyManager...
Contract Upgradeable Without Timelock
Lines of code Vulnerability details Vulnerability Details The BlurExchange is an upgradeable smart contract. We found that its upgrade mechanism is not bound to any time delay. In case the owner's private key is leaked or compromized, an attacker can upgrade the contract containing a malicious co...
Emergency functions recoverEther recoverERC20, moveWithheldETH and setWitholdRatio should not allow owner to call them
Lines of code Vulnerability details Impact True trustlessness is hard, but there's not much point in having open source smart contracts unless the goal is achieved completely. The moment a vector exists where a rug pull could occur a user should be rightly suspicious. Although TimelockController ...
Risk of ETH funds Rug Pull in the moveWithheldETH and recoverEther functions
Lines of code Vulnerability details Impact In the frxETHMinter contract both the owner and governance timelock have the power to call the functions moveWithheldETH and recoverEther, those functions allow the transfer of the ETH from frxETHMinter to the owner or a given account, this means that th...
TIMELOCK_ROLE Can Withdraw FUND from the Contracts via recoverEther()
Lines of code Vulnerability details Impact The Timelock Address role is misidentified in this agreement and has high authority. While I believe developer have good intention to use these functions. It often associate with Rug Pull by developer in the eyes of investors because Rug Pull is not...
Admin rug vector in moveWithheldETH()
Lines of code Vulnerability details According to the documentation, currentWithheldETH is meant to: withhold part of the ETH deposit for future use, such as to earn yield in other places to supplement the ETH 2.0 staking yield The issue is that the owner can call moveWithheldETH with an arbitrary...
TIMELOCK CAN BE BYPASSED
Lines of code Vulnerability details Impact The purpose of a Timelock contract is to put a limit on the privileges of the governor, by forcing a two step process with a preset delay time. However, we found that the current implementation actually wonโt serve that purpose as it allows the...
An admin can revoke the claim of a given claimant at any time then withdraw the claim due to said claimant.
Lines of code Vulnerability details Impact I understand the reasoning why admins are given the ability to revoke claims but that power in combination with the fact that an admin can then withdraw said claim that was due to a claimant gives rug vibes. This ability should at least be behind a...
Race condition on vesting revokes
Lines of code Vulnerability details Impact Race condition with vesting revokes, frontrunning decides who gets the funds. Proof of Concept An admin can revoke a vesting for a given receiver. Revoking will disallow the receiver to get his already released tokens since active will be set to false an...
Queued proposals can be blocked from execution by other proposals when using the same actions
Lines of code Vulnerability details Impact In NounsDAOLogicV1 and NounsDAOLogicV2, anyone can create proposal with the same actions as other proposal. In that case, if attacker calls cancel on his proposal, then other proposal with the same action cannot be executed. Proof of Concept Function...
NounsDAOLogicV2.sol funds will be instantaneously drained if the private keys become compromised
Lines of code Vulnerability details Impact If the admin gets compromised, all the ether in NounsDAOLogicV2.sol will be drained. function withdraw external if msg.sender != admin revert AdminOnly; uint256 amount = addressthis.balance; bool sent, = msg.sender.call value: amount ''; emit...