31 matches found
Allowance manipulation in UserEscrow struct leads to unauthorized token transfers due to overreliance on maximum allowance check
Lines of code Vulnerability details Summary The UserEscrow smart contract contains a vulnerability that can possibly allow unauthorized users to transfer tokens out of the contract. Specifically, an attacker can exploit this flaw by manipulating the allowances, thus enabling them to bypass the...
Tokens with multiple addresses can be stolen due to reliance on balanceOf()
Lines of code Vulnerability details Impact Some ERC20 tokens have multiple valid contract addresses that serve as entrypoints for manipulating the same underlying storage such as Synthetix tokens like SNX and sBTC and the TUSD stablecoin. The accrueUser function holds all rewards for all pools,...
Audit Findings for BYTES Token Contract - Burn Function Vulnerabilities
Lines of code Vulnerability details Impact BYTES2.burn: The function burn allows authorized callers to burn BYTES tokens from a specific address and mint DAO taxes. However, the function does not check if the from address actually has enough BYTES tokens to burn. This means that an attacker could...
Misconfiguration of LP token contract
Lines of code Vulnerability details Impact If the LP token contract is set to a non-contract address or a no-revert-on-transfer token, users will be able to: 1. Mint huge amounts of BYTES 2.0 tokens. 2. Drain the contract of all its LP tokens. Vulnerability Details Throughout the contract, it is...
No data validation, will result in all funds from the DAO contract stolen
Lines of code Vulnerability details Impact The vulnerability relies on the proposal creation function which forwards the proposal once accepted for the DAO contract to execute. Each proposal has a set of actions attached. struct Action address to; uint256 value; bytes data; function createProposa...
Proper use of dependency
Lines of code Vulnerability details Impact Using safeTransferFrom of solmate. There is no check that the token address exists. Proof of Concept After consulting the dev, the only check for making sure the token exists is a list on the UI/frontend side. A highly motivated attacker can easily disable...
Solmate's ERC20 does not check for token contract's existence
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Not checking for token existence is a known issue for Solmate. This can cause unexpected contract functionality for transfers implemented in the code. Proof of Concept Provide direct links to all...
Can overflow linear vest calculation and lock up funds
Lines of code Vulnerability details Impact If a Claim object for a user has a large enough vesting time and/or linear vesting amount, then that object can get into a state such that the calculations in baseVestedAmount overflow. If the baseVestedAmount calculations overflow, then the associated...
Lack of check if token is a contract
Lines of code Vulnerability details Impact solmate won't check if the token is a contract or not. It's possible for an attacker to create a vault for a non-existing token with a deterministic address. The problem occurs if the token gets deployed later, and another user tries to use this toke...
founderPct variable cast
Lines of code Vulnerability details Description There is a function addFounders in the Token contract. It accepts an array of FounderParams as an input. For each of the founders it uses founderPct as a variable to store the percent ownership for that founder. It is unsafe to cast it from uint256 to uint8 in...
baseTokenId variable calculation
Lines of code Vulnerability details Description There is addFounders function in the Token contract. There is the following loop: // Used to store the base token id the founder will recieve uint256 baseTokenId; // For each token to vest: for uint256 j; j founderPct; ++j // Get the available token...
SimpleFeiDaiPSM contract user can lose DAI funds after having their FEI tokens burned
Lines of code Vulnerability details Impact The FEI token contract contains a burnFrom function which allows the BURNER account to burn a given amount of FEI tokens from an account. When a user transfers DAI to the SimpleFeiDaiPSM contract he gets an equivalent amount of FEI tokens in return, those F...
Controlling the ERC20 Token contract from symbol is not secure
Lines of code Vulnerability details Impact BaseV1-periphery.solL491 in the getUnderlyingPrice function , the correctness of the CToken contract received from the instance is done with if compareStringssymbol, "cCANTO" on line BaseV1-periphery.solL490 This is not a safe way, fake contracts similar...
Lack of check if token is a contract
Lines of code Vulnerability details Impact TransferHelper.sol and solmate won't check if the token is a contract or not. A hacker could set traps for non existing tokens to steal future funds from users. Proof of Concept The safeTransfer functions used in the contract are wrappers around the...
oldToken.transferOwnership() to contract may be irreversible
Lines of code Vulnerability details oldToken.transferOwnership to contract may be irreversible Proof of Concept JBTokenStore.sol 265-266: if newOwner != address0 && oldToken != IJBTokenaddress0 oldToken.transferOwnershipprojectId, newOwner; OpenZeppelin library Ownerable.sol: function...
Malicious code in zilliqa-token-contract (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware e8c2e147930c89e1cb1f2017aa92d3c015029eaaf2f85f1d6163453cf03934f9 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-7392 Malicious code in zilliqa-token-contract (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware e8c2e147930c89e1cb1f2017aa92d3c015029eaaf2f85f1d6163453cf03934f9 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
[WP-H4] anchor_basset_reward pending yields can be stolen
Lines of code Vulnerability details For yield farming aggregators, if the pending yield on an underlying strategy can be harvested and cause a surge of rewards to all existing investors, especially if the harvest can be triggered permissionlessly. Then the attacker can amplify the attack using a...
Updating the hub’s token contract address may lead to incorrect undelegation amount
Lines of code Vulnerability details Updating the hub’s token contract address may lead to incorrect undelegation amounts Impact The hub contract allows config updates to the tokencontract config values in anchor-bAsset-contracts/contracts/anchorbassethub/src/config.rs Such updates can cause wrong...
Reentrancy in depositBribeERC20 function
Lines of code Vulnerability details Impact depositBribeERC20 function in BriveVault is reentrant in line 187, where an address supplied by the caller is called. A bad actor that has DEPOSITORROLE and is a contract can execute the following attack: 1. Create a dummy token contract, reentrant in the...