Any user can withdraw a delegate token after expiration
Lines of code Vulnerability details Impact The withdraw function in the DelegateToken contract does not check the caller msg.sender when the expiration time has ended, thus anyone can make a call to withdraw to steal the funds/tokens associated with a delegate token owned by another user after th...
Reentrancy vulnerability in BaseUSDO._executeModule() function
Lines of code Vulnerability details Impact The success variable in the executeModule function in the BaseUSDO contract is written in both line 366 and line 369. This could potentially lead to a reentrancy vulnerability. In line 366, the success variable is set to true. In line 369, the success...
Unauthorized Withdrawal of ETH by Admin in _withdraw.
Lines of code Vulnerability details Impact An attacker with admin privileges can maliciously execute the withdraw function, resulting in the unauthorized withdrawal of all the ETH in the contract. Proof of Concept withdrawNounsDAOStorageV3.StorageV3 storage ds external onlyAdminds returns uint256...
Anyone can receive funds from the Well.sol contract, thus reducing the token/tokenLp ratio for users
Lines of code Vulnerability details Impact In Well.sol skim, anyone can withdraw funds that are not in reserve by simply calling the function. Such funds may remain, for example, when transactions are rounded off. To credit extra tokens, reservetoken has sync. However, you can programmatically...
Risk assessment of the finalizeETHWithdrawal function in the bridge contract
Lines of code Vulnerability details Summary The finalizeBridgeETH function: function finalizeETHWithdrawal address from, address to, uint256 amount, bytes calldata extraData external payable finalizeBridgeETHfrom, to, amount, extraData; is a public function, which means that anyone can call it...
MuteAmplifier.sol: rescueTokens function does not prevent fee tokens from being transferred
Lines of code Vulnerability details Impact The MuteAmplifier.rescueTokens function allows the owner to withdraw tokens that are not meant to be in this contract. The contract does protect tokens that ARE meant to be in the contract by not allowing them to be transferred: Link function...
Anyone can withdraw contract funds
Lines of code Vulnerability details Impact There is a critical impact that an attacker could drain the entire eth balance of the contract by calling this refundETH function which lacks a modifier. The funds will go always to the caller of the function. Proof of Concept It is not a complex attack ...
Proper use of dependency
Lines of code Vulnerability details Impact Using safeTransferFrom of solmate. There is no check that the token address exists. Proof of Concept After consulting the dev, the only check for making sure the token exists is a list on the UI/frontend side. A highly motivated attacker can easily disable...
Attacker can steal any funds in the contract by state confusion (no preconditions)
Lines of code Vulnerability details HIGH: Attacker can steal any funds in the contract by state confusion no preconditions LOC: Description Auctions in SIZE can be in one of several states, as checked in the atState modifier: modifier atStateAuction storage a, States state if block.timestamp...
Calling Governor.execute function without sending any ETH can withdraw general ETH funds from the Treasury contract
Lines of code Vulnerability details Impact When calling the following Governor.execute function, the Treasury.execute function is executed. Because Governor.execute is payable, ETH can be sent to the Treasury contract. function execute address calldata targets, uint256 calldata values, bytes...
transferTokenOut does not restrict withdraw to requested amount of token
Handle samruna Vulnerability details function transferTokensOutaddress receiver, uint256 amount internal // Transfers any premiums owed to stakers from the protocol manager to this contract sherlockProtocolManager.claimPremiumsForStakers; // The amount of tokens in this contract uint256 mainBalan...
Governor can steal funds from vaults
Handle 0x0x0x Vulnerability details reclaimTokens function is as follows function reclaimTokensaddress to, address memory tokens external nonReentrant requirenft 0, ExceptionsLibrary.INITIALIZATION; IProtocolGovernance governance = vaultGovernance.internalParams.protocolGovernance; bool...