EUVD-2019-2206

Malware in sbrugna...

Race condition vulnerability in positionManager minting function

Lines of code Vulnerability details Impact race condition vulnerability can result in the issuance of duplicate token IDs. When multiple transactions are executed in quick succession attempting to mint tokens, they may end up being assigned the same ID due to a shared counter or variable used to...

Upgraded Q -> M from #445 [1674423223201]

Judge has assessed an item in Issue 445 as M risk. The relevant finding follows: 5 Function crossChain in GovNFT should have limit for maximum tokens allowed to be transferred, because of gas limit in the dest chain. if a user transferred a lot of tokens because there was two loop inside each oth...

ownerMintUsingTokenId can brick the whole contract

Lines of code Vulnerability details Impact With the function ownerMintUsingTokenId, it is possible for the owner to mint a token with an arbitrary token ID. However, this can brick the whole contract and cause a situation where no more mints / buys are possible. This happens when a token ID is...

ETH can get stuck (and possibly be stolen as well).

Lines of code Vulnerability details Impact The Turnstile contract contains a distributeFees function which can only be called by owner to assign and distribute fee for a tokenId. However the function does not validates the tokenId input value. So it is possible for the owner to provide any uint25...

Non unique token ID might lead to collusion when merging

Handle kenzo Vulnerability details Token IDs are defined as concatenation of points, total supply + 1. The total supply can decrease when merging. This means that the contract might try to mint a token with an ID which already exists. Impact Under specific circumstances, users won't be able to lo...

Cross-site Scripting (XSS)

pki-core is vulnerable to cross-site scripting XSS. A remote attacker is able to inject and execute arbitrary Javascript code in a user's browser via the Token IDs from the Activity page...