Lucene search

125 matches found

Code423n4
added 2023/12/20 12:0 a.m., 9 views

Return values of transfer()/transferFrom() not checked

Lines of code 377, 509, 491, 530, 42, 50 Vulnerability details Not all IERC20 implementations revert when there's a failure in transfer/transferFrom. The function signature has a boolean return value and they indicate errors that way instead. By not checking the return value, operations that shou...

AI score: 7.1
Exploits: 0
Code423n4
added 2023/12/19 12:0 a.m., 5 views

Use of transferFrom() rather than safeTransferFrom() for NFTs in will lead to the loss of NFTs

Lines of code 230, 342, 514, 536 Vulnerability details The EIP-721 standard says the following about transferFrom: /// @notice Transfer ownership of an NFT -- THE CALLER IS RESPONSIBLE /// TO CONFIRM THAT to IS CAPABLE OF RECEIVING NFTS OR ELSE /// THEY MAY BE PERMANENTLY LOST /// @dev Throws...

AI score: 6.9
Exploits: 0
Code423n4
added 2023/12/12 12:0 a.m., 52 views

Use of transferFrom() rather than safeTransferFrom() for NFTs in will lead to the loss of NFTs

Lines of code 230, 342, 514, 536 Vulnerability details The EIP-721 standard says the following about transferFrom: /// @notice Transfer ownership of an NFT -- THE CALLER IS RESPONSIBLE /// TO CONFIRM THAT to IS CAPABLE OF RECEIVING NFTS OR ELSE /// THEY MAY BE PERMANENTLY LOST /// @dev Throws...

AI score: 6.9
Exploits: 0
Code423n4
added 2023/12/12 12:0 a.m., 7 views

Unsafe use of transfer()/transferFrom() with IERC20

Lines of code 377, 509, 491, 530, 42, 50 Vulnerability details Some tokens do not implement the ERC20 standard properly but are still accepted by most code that accepts ERC20 tokens. For example Tether USDT's transfer and transferFrom functions on L1 do not return booleans as the specification...

AI score: 7.3
Exploits: 0
Code423n4
added 2023/12/01 12:0 a.m., 8 views

Contracts are vulnerable to fee-on-transfer accounting-related issues

Lines of code 359, 448, 509, 530, 42, 797, 162 Vulnerability details The functions below transfer funds from the caller to the receiver via transferFrom, but do not ensure that the actual number of tokens received is the same as the input amount to the transfer. If the token is a fee-on-transfer...

AI score: 6.9
Exploits: 0
Code423n4
added 2023/11/29 12:0 a.m., 2 views

Unsafe use of transfer()/transferFrom() with IERC20

Lines of code 377, 509, 491, 530, 42, 50 Vulnerability details Impact Some tokens do not implement the ERC20 standard properly but are still accepted by most code that accepts ERC20 tokens. For example Tether USDT's transfer and transferFrom functions on L1 do not return booleans as the...

AI score: 7.3
Exploits: 0
Code423n4
added 2023/11/29 12:0 a.m., 8 views

Use of transferFrom() rather than safeTransferFrom() for NFTs in will lead to the loss of NFTs

Lines of code 230, 342, 514, 536 Vulnerability details Impact The EIP-721 standard says the following about transferFrom: /// @notice Transfer ownership of an NFT -- THE CALLER IS RESPONSIBLE /// TO CONFIRM THAT to IS CAPABLE OF RECEIVING NFTS OR ELSE /// THEY MAY BE PERMANENTLY LOST /// @dev...

AI score: 6.9
Exploits: 0
Code423n4
added 2023/11/29 12:0 a.m., 9 views

Return values of transfer()/transferFrom() not checked

Lines of code 377, 509, 491, 530, 42, 50 Vulnerability details Impact Not all IERC20 implementations revert when there's a failure in transfer/transferFrom. The function signature has a boolean return value and they indicate errors that way instead. By not checking the return value, operations th...

AI score: 7.1
Exploits: 0
Code423n4
added 2023/10/11 12:0 a.m., 7 views

_reimburse and createProxyDelegatorAndTransfer uses ERC20Votes.transferFrom with user as msg.sender, but allowance is given for ERC20MultiDelegate contract.

Lines of code Vulnerability details Description The delegateMulti external method is called by user. This function call some internal functions like reimburse and transferBetweenDelegators, which doesn't change the msg.sender because they are internal. So, when these functions try to use...

AI score: 7.1
Exploits: 0
Code423n4
added 2023/09/11 12:0 a.m., 10 views

In transferFrom() address "from" can be put of contract address and bypass Errors.FromNotCreateOfferer(from)

Lines of code Vulnerability details Impact In transferFrom address "from" can be put of contract address and bypass Errors.FromNotCreateOfferer(from) Proof of Concept the code should be function transferFrom(address from, address targetTokenReceiver, uint256 createOrderHashAsTokenId) external...

AI score: 7.2
Exploits: 0
Code423n4
added 2023/09/11 12:0 a.m., 14 views

No way to revoke Approval in DelegateToken.approve leads to unauthorized calling of DelegateToken.transferFrom

Lines of code Vulnerability details Impact There is no way to revoke the approval which is given via DelegateToken.approve(address,delegateTokenId). They are able to call the DelegateToken.transferFrom even if the tokenHolder revokes the permission using the DelegateToken.setApprovalForAll if the spender...

AI score: 6.9
Exploits: 0
Code423n4
added 2023/09/07 12:0 a.m., 33 views

The rUSDY.transferFrom function can cause reentrancy if is a contract been approved

Lines of code Vulnerability details Impact The rUSDY.transferFrom function can cause reentrancy if is a contract been approved, the function looks like: function transferFrom address sender, address recipient, uint256 amount public returns bool uint256 currentAllowance = allowancessendermsg.sende...

AI score: 6.8
Exploits: 0
Code423n4
added 2023/07/30 12:0 a.m., 5 views

Missing owner check on from when transferring tokens

Lines of code Vulnerability details Impact The LensBaseERC721.transferFrom/safeTransferFrom/burn they check approvals on msg.sender through isApprovedOrOwnermsg.sender, tokenId, it is never checked that the specified from parameter is actually the owner of the NFT. An attacker can decrease other...

AI score: 7
Exploits: 0
Code423n4
added 2023/07/28 12:0 a.m., 46 views

Arbitrary from in transferFrom

Lines of code Vulnerability details Impact function aaddress from, address to, uint256 amount public erc20.transferFromfrom, to, am; Alice approves this contract to spend her ERC20 tokens. Bob can call a and specify Alice's address as the from parameter in transferFrom, allowing him to transfer...

AI score: 6.8
Exploits: 0
Code423n4
added 2023/07/28 12:0 a.m., 7 views

Users' registration amounts and contract balance state will be incremented incorrectly if the NFTBoostVault::_lockTokens() silently fails

Lines of code Vulnerability details Users can add and lock tokens to the NFTBoostVault contract to increase their voting power using addTokens function. This function will increment the contract's balance state and the user's registration.amount. Then, it will sync the voting power according to t...

AI score: 6.7
Exploits: 0
Code423n4
added 2023/06/14 12:0 a.m., 15 views

Using transferFrom on ERC721 tokens transfer

Lines of code Vulnerability details Impact The transferFrom method is used instead of safeTransferFrom which is not recommended. It can result in loss of NFT if the address is not able to handle the received NFT. OpenZeppelin’s documentation discourages the use of transferFrom, use safeTransferFr...

AI score: 6.8
Exploits: 0
Code423n4
added 2023/06/09 12:0 a.m., 7 views

Using transferFrom on ERC20 tokens transfer

Lines of code Vulnerability details Impact The transferFrom method is used instead of safeTransferFrom which is not recommended. OpenZeppelin’s documentation discourages the use of transferFrom, use safeTransferFrom whenever possible Some tokens do not implement the ERC20 standard properly but ar...

AI score: 7.1
Exploits: 0
Code423n4
added 2023/05/04 12:0 a.m., 7 views

Function triggering

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. The redeemPayment function does not check if the payment token being transferred to the delegation terms contract is approved by the sender. This can allow an attacker to call this function and transfer...

AI score: 6.9
Exploits: 0
Code423n4
added 2023/04/19 12:0 a.m., 9 views

can launch a challenge without any collateral in MintingHub.sol

Lines of code Vulnerability details Impact launchChallenge... function in MintingHub.sol ignores return value by challenge.position.collateral.transferFrom Several tokens do not revert in case of failure and return false. If the token used as collateral return false, the user can launch a challen...

AI score: 6.8
Exploits: 0
Code423n4
added 2023/04/19 12:0 a.m., 10 views

Allowance not updated correctly

Lines of code Vulnerability details Impact allowance doesn't get updated properly therefore an attacker contract can exploit the token contract by transferring some tokens and still spend the same amount of allowance. Here are the steps: calling approve function from ERC20.sol with the spender...

AI score: 6.8
Exploits: 0