30 matches found
EUVD-2021-18236
Malware in sbrugna...
Potential Issues with Address Casting and Validation in _calculateOceanId Function
Lines of code Vulnerability details Impact The use of abi.encodePacked without padding might introduce ambiguity in situations where input lengths are not fixed. Additionally, assuming tokenId can be any uint256 value without enforcing constraints could lead to unexpected behavior if constraints...
AuctionDemo opens itself several DoS attack vectors
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept The auctionDemo.auctionInfoData map holds important info on auctions, and hold this info per tokenId. Needless to say, for many auctions that may become popular and/or long running, the...
[MEDIUM] NFTBoostVault#addNftAndDelegate - Not setting a delegatee in the addNftAndDelegate will cause the addTokens function and updateNft to revert
Lines of code Vulnerability details Impact The absence of a delegatee in the addNftAndDelegate function in the NFTBoostVault contract will cause the addTokens and updateNft functions to revert. This is due to the assumption that a delegatee has been set, which is not always true. This issue may...
Upgraded Q -> 2 from #410 [1684435015507]
Judge has assessed an item in Issue 410 as 2 risk. The relevant finding follows: QA-2 Publicly Callable memorializePositions Function Allows Unauthorized memorization of User Positions memorializePositions function in positionManager.sol allows any caller to modify position information of any use...
CVE-2023-22436
The kernel subsystem function checkpermissionforsettokenid within OpenHarmony-v3.1.5 and prior versions has a UAF vulnerability that local attackers can exploit to escalate privileges to root...
PT-2023-18495 · Unknown · Openharmony
Name of the Vulnerable Software and Affected Versions: OpenHarmony versions prior to 3.1.5 Description: The issue is related to a Use After Free UAF vulnerability in the kernel subsystem function check permission for set tokenid. This vulnerability can be exploited by local attackers to escalate...
TimeswapV2LiquidityToken should not use totalSupply()+1 as tokenId
Lines of code Vulnerability details Impact Assuming ERC1155Enumerable is acting normally, there is a Accounting Issue about TimeswapV2LiquidityToken and TimeswapV2Token's tokenId. Different liquidities can have the same tokenId, leading to serious balance manipulation. I'm submitting this issue a...
Upgraded Q -> M from #22 [1673008228404]
Judge has assessed an item in Issue 22 as M risk. The relevant finding follows: L-02 RuniverseLandMinter.ownerMintUsingTokenId doesn't check if tokenId and plotSize are matched. function ownerMintUsingTokenId IRuniverseLand.PlotSize plotSize, uint256 tokenId, address recipient public onlyOwner...
RuniverseLand.sol#mint() can be bricked
Lines of code Vulnerability details Impact RuniverseLand.solmint can be bricked. Proof of Concept The mint function uses numMinted to generate the tokenId: File: RuniverseLand.sol 72: function mintaddress recipient, PlotSize size 73: public 74: override 75: returns uint256 76: 77: uint256 tokenId...
In case the winner is the address(0)
Lines of code Vulnerability details Impact Temporary freezing NFT this can be more than one period Proof of Concept On VRFNFTRandomDraw.fulfillRandomWords 254 request.currentChosenTokenId = 255 randomWords0 % tokenRange + 256 settings.drawingTokenStartId; In case ownerOfrequest.currentChosenToken...
The existence of the tokenID is not validated in distributeFees()
Lines of code Vulnerability details Impact Turnstile contract has distributeFees function which the Canto team/smart contract utilizes to distribute the fees to the tokenID's for the smart contract that is registered through register function. The existence of the tokenID's are checked both in...
distributeFees did not check if tokenId exist can lead to loss of asset
Lines of code Vulnerability details Impact distributeFees did not check if tokenId existed, can lead to loss of asset Proof of Concept inside Turnstile.sol file, the distributeFees function did not check if the tokenId exist or not. 148: function distributeFeesuint256 tokenId public onlyOwner...
Not checking if tokenId exist on distributeFees
Lines of code Vulnerability details Impact Not checking if tokenId exist on distributeFees can set the msg.value to uncreated tokenId Proof of Concept For example an Owner mistakenly call distributeFee with a tokenId which doesn't exist, then the function will success, but unfortunately any user...
Lack of input validation to check whether the tokenId of the NFT exists or not - this lead to misallocation of fee earned
Lines of code Vulnerability details Impact In the distributeFees function, there is no input validation to check whether the tokenId of the NFT exists or not. If a caller inputs tokenId that does not exist, the fee earned will be added to the balance of tokenId that does not exist. Although this...
The _recipient address has no limits to the amount of tokenID (NFTs) it can own
Lines of code Vulnerability details Impact Since the recipient address has no limit to the number of tokenIds it can hold, this makes it possible for an attacker to call the register function many times with different addresses and send many tokenIds to the same recipient, which could cause a...
lack of unregistered function existence
Lines of code Vulnerability details there is no function to let a smart contract unregister from a tokenid, since a smart contract can only be registered once it's highly recommended to give it an ability to unregister from a tokenid and register again bob calls register bob has two...
_expectMint is not checked when tokenId != 0
Lines of code Vulnerability details Impact In the mintBestAvailableTier function from the JBTiered721Delegate contract the expectMint variable is used to determine if the user is expecting the contract to mint tokens with the left over funds or not, but the boolean value of expectMint is only...
Merkle Tree criteria can be resolved by wrong tokenIDs
Lines of code Vulnerability details Impact The protocol allows specifying several tokenIds to accept for a single offer. A merkle tree is created out of these tokenIds and the root is stored as the identifierOrCriteria for the item. The fulfiller then submits the actual tokenId and a proof that...
Collection Owners Can Reinitialize CoreCollection.sol and Mint Duplicate NFTs
Lines of code Vulnerability details Impact The initialize function is called by CoreFactory.sol when creating projects or adding collections to an existing project. When ownership of the CoreCollection.sol contract is transferred to the project owner, it gives the owner access to a subset of...