10190 matches found
Using non cleaned up variables inside of inline assembly
Lines of code Vulnerability details Impact There is a revealGobblers function in an ArtGobblers smart contract. Inside the function is an assembly insert, which operates with a variable with a size less than a machine word. But the code inside the assembly is not checking that the variable is cleaned up...
Users can regain gobblers they use to mint Legendary Gobbler with.
Lines of code Vulnerability details Impact Users can mint legendary gobblers without actually burning their gobblers by using the GobblersERC721.approve function to approve themselves before minting their legendary gobbler. The burn mechanism doesn't delete the getApproved approved entry for that...
[M3] It is impossible to recover stuck non complying ERC-20 tokens
Lines of code Vulnerability details Impact Contract frxETHMinter is unable to recover tokens like USDT PoC Tokens that return void on transfer, that is, those who do not follow ERC20 standard will revert when you try to assign the output to a boolean variable. This is the case in your function...
removeMinter function DoS
Lines of code Vulnerability details Description There is a removeMinter function in ERC20PermitPermissionedMint. The function performs the removal minteraddress from the special address list. In other words, the function is needed to remove special access for a specific address. // Remove a minte...
Lack of check if claim is active in vestedAmount, claimableAmount and finalVestedAmount.
Lines of code Vulnerability details Impact According to the contract, finalVestedAmount function calculates the total vested at the end of the schedule. vestedAmount function calculates the amount vested for a given recipient at a reference timestamp. claimableAmount function calculates how much...
Unbounded proposal calls array length could cause DoS
Lines of code Vulnerability details Impact It's possible to render the governance and execution contract inoperable for a period of time and effectively kill some proposals due to execution failure, which will break the governance routine and function. This could be a mistake or on purpose. Proof...
Locked ether
Lines of code Vulnerability details Impact In contract Party.sol there is a receive declared. This means that the contract can accept eth payments. But there is no function defined to withdraw those sent ether. So if a user accidentally sent ether to the contract, the ether would be locked, as...
Eth can be stuck in contract when NFT was gifted to party (AuctionCrowdfund.sol)
Lines of code Vulnerability details Impact We can call function finalize, which will claim the NFT if we won. After claiming the NFT, function will check if contract is the owner of NFT or not. if lastBid == 0 // The NFT was gifted to us. Everyone who contributed wins. lastBid = totalContribution...
Haven't specified the Solidity compiler version; 8.15 and older versions may lead to a mis-encoded struct parameter
Lines of code Vulnerability details Impact the structure: struct ExecuteProposalParams uint256 proposalId; bytes proposalData; bytes progressData; bytes extraData; uint256 flags; IERC721 preciousTokens; uint256 preciousTokenIds; there are some unknown length elementbytes, in 8.15 and older...
_safeMint() should be used rather than _mint() wherever possible
Lines of code Vulnerability details safeMint should be used rather than mint wherever possible Impact In Token.sol.sol, eventually it is called ERC721 mint. Calling mint this way does not ensure that the receiver of the NFT is able to accept them, making possible to lose them. safeMint should be...
Signature replay in RariMerkleRedeemer
Lines of code Vulnerability details Impact It is possible to reuse the signature used in the sign method in different chains or forks. Proof of Concept Neither the signed content nor the signature are associated with the contract DOMAINSEPARATOR. Therefore, both can be repeated in other contracts...
Add to Blacklist function
Lines of code Vulnerability details L-2. Add to Blacklist function Description: Cryptocurrency mixing service, Tornado Cash, has been blacklisted in the OFAC. A lot of blockchain companies, token projects, NFT Projects have blacklisted all Ethereum addresses owned by Tornado Cash listed in the US...
Miscalculation for cUSDT and cUSDC
Lines of code Vulnerability details Impact getUnderlyingPrice stated that it would return the underlying price of the assets as a mantissa scaled by 1e18. However, the arithmetic setup on lines 503 and 507 could result in answers not scaled by 1e18. Proof of Concept 1e18 1e18 / 10 decimals is...
USING SYMBOL FOR TOKEN IDENTIFICATION
Lines of code Vulnerability details Impact Proof of Concept An exploiter may create fake tokens whose symbols are cNOTE, cUSDT or cUSDC. When somebody calls comptroller's liquidateCalculateSeizeTokens, it will give an unlisted token with other token's it can be unlisted token or listed token...
Lack of minimal sufficient liquidity check can result in unreliable prices
Lines of code Vulnerability details function getPriceCantoaddress token internal view returnsuint erc20 token = erc20token; address pair = pairForaddresswcanto, addresstoken, false; if !isPairpair return 0; // this pair does not exist with Canto uint decimals = 10 token.decimals; // get decimals ...
USE SAME SYMBOL CAN GET FAKED PRICE OF TOKEN
Lines of code Vulnerability details Impact It compares symbol to identify token, it can be exploited to produce fake price of token. Proof of Concept Attacker can create a token which is like cToken and has symbol of cNOTE. When somebody calls comptroller's liquidateCalculateSeizeTokens, it will give ...
LP token price calculation susceptible to oracle attack manipulation
Lines of code Vulnerability details Impact The current calculation of the LP token is not accurate. Currently your formula is the sum of the underlying asset value; sumPiRi / supply Summation of each token price times reserve, divided by total supply, but this is susceptible to oracle manipulatio...
Newton's iteration convergence might not converge
Lines of code Vulnerability details Impact In getAmountOut for stable pair, Newton's method is used, however there is no check for the solution convergence. The numerical stability for Newton's method only applies to initial value close enough to the real solution. If the iteration fails to...
TRSRY: front-runnable setApprovalFor
Lines of code Vulnerability details Impact An attacker may be able to withdraw more than intended Proof of Concept Let's say Alice had an approval of 100. Now the treasury custodian reduced the approval to 50. Alice could frontrun the setApprovalFor of 50, and withdraw 100 as it was before. Then...
ERC20 return value not checked and not compatible with tokens like USDT, OMG, etc
Lines of code Vulnerability details ERC20 return value not checked and not compatible with tokens like USDT, OMG, etc Detail The ERC20.transfer and ERC20.transferFrom functions return a boolean value indicating success. This parameter needs to be checked for success. Furthermore, some tokens like...
Proposal functions are lacking access control for Governance.sol
Lines of code Vulnerability details Impact For the Governance.sol contract, the functions activateProposal and executeProposal can be called by anyone. Proof of Concept A malicious user could monitor the protocol DAO and activate or execute a proposal in a time not intended by the proposal...
[NAZ-M2] Centralization Risk with "voter_admin" Has The Ability To mintTo/BurnFrom Any Arbitrary Amount of VOTES
Lines of code Vulnerability details Impact "voter_admin" has the ability to mint/burn any arbitrary amount of VOTES. Creating a centralization risk that allows "voter_admin" to pass or veto any proposal. Proof of Concept 1. Alice submits a proposal that benefits the users at an expense of Mallory's...
Olympus votes can be locked in OlympusGovernance contract
Lines of code Vulnerability details Impact Olympus votes can be locked in Governance.sol OlympusGovernance contract. Proof of Concept When a user votes for a proposal, their current balance of VOTE is transferred to the OlympusGovernance contract. Those votes can be reclaimed once the proposal is...
Upgraded Q -> M from 69 [1661781432655]
Judge has assessed an item in Issue 69 as Medium risk. The relevant finding follows: ...
Multiple storage slot collisions between versions - due to different order in declaration
Lines of code Vulnerability details Impact If we list the sequence of how variables receive slots, we will see the failure to follow "append-only" principle. Many variables added "in-between" V2 version can read/write wrong slots. Proof of Concept Here is the table/list of variables, built taking...
Incorrect Withdraw Pattern
Lines of code Vulnerability details Context: NounsDAOLogicV2.solL783-L792 Description: 1 - When we transfer ether with call, we have to check with require whether the bool value will be successful. This part is missing in the code in the contract Proof Of Concept: 2 - Since the bool value is not...
Not calling approve(0) before setting a new approval might cause reverts when used with Tether (USDT)
Lines of code Vulnerability details Impact Some tokens do not implement the ERC20 standard properly but are still accepted by most code that accepts ERC20 tokens. For example Tether USDT's approve function will revert if the current approval is not zero, to protect against front-running changes o...
Using large liquidation fees to steal funds
Lines of code Vulnerability details The liquidation fees can be higher than the liquidation buffer i.e., cleanLiquidationFee LTVPRECISION - maxLTV. Lenders are not fully repaid during liquidation when this is true. In a malicious scenario, an attacker may deploy a pool with very large liquidation...
Chainlink's latestRoundData() might return stale or incorrect data
Lines of code Vulnerability details Impact The only value being checked from the return of latestRoundData is answer. Chainlink will return more fields that can be checked to ensure the data is not stale/incorrect. Proof of Concept Lack of checks inside the function updateExchangeRate might cause...
Unchecked Call Return Value
Lines of code Vulnerability details Impact The return value of a message call is not checked. Execution will resume even if the called contract throws an exception. If the call fails accidentally or an attacker forces the call to fail, this may cause unexpected behaviour in the subsequent program...
When a user is given the owner privilege of multiple MIMOProxy through transferOwnership, the user cannot choose which MIMOProxy to use as the current Proxy
Lines of code Vulnerability details Impact currentProxies is only set when the user calls the deployFor function of the MIMOProxyRegistry contract, function deployForaddress owner public override returns IMIMOProxy proxy IMIMOProxy currentProxy = currentProxiesowner; // Do not deploy if the proxy...
If a MIMOProxy owner destroys their proxy, they cannot deploy another from the same address
Lines of code Vulnerability details When deploying a new MIMOProxy, the MIMOProxyRegistry first checks whether a proxy exists with the same owner for the given address. If an existing proxy is found, the deployment reverts: MIMOProxyRegistrydeployFor function deployForaddress owner public overrid...
Contract name will point to old implementation
Lines of code Vulnerability details Impact The owner can update implementation of contract Name. However it was observed that the update is not done correctly and contract fails to update contractAddresscontractName variable which means contract name will still point to old implementation Proof ...
Ownership transfer not correctly handled for flash loans
Lines of code Vulnerability details Impact In response to a flashloan, proxyRegistry.getCurrentProxyowner is used to retrieve the correct user proxy and check that this proxy has initiated the flash loan. This can be problematic after ownership transfers of the proxy, where...
Malicious DepositBase may steal dust fund from ReceiverImplementation
Lines of code Vulnerability details Impact Malicious DepositBase may steal dust fund from ReceiverImplementation Proof of Concept // @dev This function is used for delegate by DepositReceiver deployed above // Context: msg.sender == AxelarDepositService, this == DepositReceiver function...
Anyone can steal the ether or the ReceiverImplementation tokens
Lines of code Vulnerability details Impact Anyone can steal the ether or the ReceiverImplementation tokens. Proof of Concept As you can see in the receiveAndSendNative method: function receiveAndSendNative address payable refundAddress, string calldata destinationChain, string calldata...
XC20Wrapper may lose received token forever if LocalAsset(xc20).mint is reverted indefinitely
Lines of code Vulnerability details Impact XC20Wrapper may lose received token forever if LocalAssetxc20.mint is reverted indefinitely. Similar to ERC20, the spec said that if mint returns false it means minting has failed. But it commonly reverts instead of returning false which is also a minti...
AxelarDepositService: When wrappedToken is not weth, sendNative may cause users to lose ether.
Lines of code Vulnerability details Impact In the sendNative function of the AxelarDepositService contract, the wrappedToken address is treated as weth-like and the wrappedToken's deposit function is called. If the wrappedToken address is TokenType.External token and is not weth-like and the...
AxelarAuthWeighted.sol#_validateSignature fails for valid transaction if early signer submits invalid signature
Lines of code Vulnerability details Impact Valid transactions deemed invalid Proof of Concept for ; operatorIndex function isSortedAscAndContainsNoDuplicateaddress memory accounts internal pure returns bool for uint256 i; i = accountsi + 1 return false; return accounts0 != address0; Va...
Change Admin and Operatorship address through setup function in AxelarGateway
Lines of code Vulnerability details Impact Anyone can set the Admin address and transferOperatorShip to a new address. Proof of Concept A Simple call to the setup function. That will call setAdmins of Axelar Multisig Base contract. Recommended Mitigation Steps Can Add access control on setup...
NameWrapper._transferAndBurnFuses() allows reentrancy on onERC1155Received callback
Lines of code Vulnerability details Impact When calling the internal function transferAndBurnFuses in NameWrapper.setSubnodeOwner or NameWrapper.setSubnodeRecord , ERC1155Fuse.transfer is called before setFuses which creates a reentrancy opportunity when newOwner is a contract, which may allow a...
Some implementation mistakes in dnssec-oracle/BytesUtils.compare
Lines of code Vulnerability details Impact There are some implementation mistakes in dnssec-oracle/BytesUtils.compare. There should be a sanity check for offsets and lens if shortest 32 is not a correct condition. It should check the size of the last block. shortest is the total size of the bytes...
Validation check for payFYToken and payBase functions to allow only valid users.
Lines of code Vulnerability details Impact This will prevent from calling the functions by invalid users. Unnecessary condition verification. Proof of Concept Tools Used Manual code review Recommended Mitigation Steps At the start of the functions, add validation check such that only the user who...
Collateral limit can be bypassed in auction
Lines of code Vulnerability details Collateral limit could be bypassed, allowing more collateral to be auctioned concurrently than intended by governance. // There is a limit on how much collateral can be concurrently put at auction, but it is a soft limit. // If the limit has been surpassed, no...
There is no boundaries for starting an auction.
Lines of code Vulnerability details Impact The team has brought this contest to be fairer to their users in terms of liquidation mechanism. Looking through this perspective, it can be developed more on the process to be much fairer to the users in volatile market conditions. Proof of Concept The...
Someone can create non-liquidatable auction if the collateral asset fails on transferring to address(0)
Lines of code Vulnerability details Impact Might lead to systematic debt. Cause errors for liquidators to run normally. Proof of Concept In the function auction, there is no input validation around whether the to is address0 or not. And if the auctioneerReward is set to a value of 0 as default, eac...
Cannot withdraw or redeem approved tokens
Lines of code Vulnerability details Title Cannot withdraw or redeem approved tokens Impact A contract/EOA which has been approved some ZcToken cannot redeem or withdraw the approved tokens since these functions always revert if msg.sender != holder. Proof of Concept In the withdraw function...
Migration Module: The assets can be taken by a failed proposal
Lines of code Vulnerability details Impact HIGH - Assets can be stolen directly When there are multiple proposals for a vault, a failed proposal can withdraw the assets. Proof of Concept proof of concept: testMultiProposalpoc The proof of concept shows a scenario alice is taking assets. 1. setup:...
Don't trust in references contracts
Lines of code Vulnerability details Impact The reference contracts don't check anything, and the functions receive a lot of parameters to manipulate the call Proof of Concept If somebody approveERC20/777/721/1155 the TransferReference contract or use a delegatecall the tokens can be stolen...
Any token approved for the base vault can be stolen
Lines of code Vulnerability details Impact All tokens approved for the BaseVault contract can be stolen by any attacker. The batchDeposit functions lack proper access controls and allow the token source to be an arbitrary address as opposed to restricting it to msg.sender. Since token approvals...