5 matches found
The Treasury.sol contract changes the address for the different manager contract in one function call.
Lines of code Vulnerability details Impact In a case where either one of the manager addresses the tokenomics, depositiory or dispenser contracts are compromised or deprecated, attempting to replace the compromised manager contract address necessitates an overall replacement of all the other...
Silent failure in user reward transfer in Treasury.withdrawToAccount() can lead to loss of rewards
Lines of code Vulnerability details Impact The withdrawToAccount function of the Treasury contract is designed to send ETH rewards and OLAS top-ups to a specified account. However, there is a potential issue where a user's reward transfer could silently fail. This occurs when the...
Change owner() function can pass in wrong address and authorize malicious user in Treasury.sol
Lines of code Vulnerability details Impact A Wrong or malicious address can be made owner of the treasury.sol contract which is used to manage the Olas treasury. This is possible because there is no additional function in the treasury.sol Contract which will enable a new Owner actually meant to b...
Unchecked return value from ERC20
Handle cmichel Vulnerability details Vulnerability Details The ERC20.transfer and ERC20.transferFrom functions return a boolean value indicating success. This parameter needs to be checked for success. According to the standard the return value must be checked for true, otherwise the transfer wil...
Missing Factory-only access check leads to loss of funds
Handle 0xRajeev Vulnerability details Impact The Market sponsoraddress sponsorAddress, uint256 amount function is an externally callable function that is specified to be callable only by the Factory contract during market creation, as documented in the Natspec @dev comment: "called by Factory...