Upgraded Q -> M from 463 [1666363539691]

Judge has assessed an item in Issue 463 as Medium risk. The relevant finding follows: Ignores return value of onERC721Received The try block should include a check to make sure the function returns its selector as specified by IERC721Receiver. While the function may have the same parameters as th...

Upgraded Q -> M from 400 [1666366553858]

Judge has assessed an item in Issue 400 as Medium risk. The relevant finding follows: Use safeTransferFrom instead of transferFrom transferFrom can be replaced with safeTransferFrom as it makes sure that the receiver can handle ERC721 tokens and prevents it from being stuck in the contracts Refer...

outboundTransfer should return excess msg.value

Lines of code Vulnerability details Impact In function outboundTransfer, if users sends more msg.value than required, by accident, then the remaining msg.value is not sent back. So, if msg.value amount argument, then the excess msg.value is not sent back to msg.sender. This causes loss of funds f...

After proposed 0.8.0 upgrade kicks in, L2 finalizeInboundTransfer might not work.

Lines of code Vulnerability details Description L2GraphTokenGateway uses the onlyL1Counterpart modifier to make sure finalizeInboundTransfer is only called from L1GraphTokenGateway. Its implementation is: modifier onlyL1Counterpart require msg.sender ==...

No check transferFrom() return value

Lines of code Vulnerability details Impact The smart contract doesn’t check the return value of token.transferFrom, some erc20 token might not revert in case of error but return false. Proof of Concept as seen in several contests, for ex: Tools Used Visual inspection Recommended Mitigation Steps...

Permanent lockup of tokens without recovery possible

Lines of code Vulnerability details Impact The callhook for whitelisted contracts adds an additional layer of complexity that can have multiple points of failure. If the execution of L2GraphTokenGateway.finalizeInboundTransfer fails indefinitely, there is currently no way to recover the...

Using ifAdminOrPendingImpl modifier to forcefully interact with implementation contracts via _fallback() call.

Lines of code Vulnerability details Impact The modifier ifAdminOrPendingImpl allows internal delegation to the implementation contract if caller is not admin by calling the fallback function which delegates the current call to implementation. This allows a user who is not admin to call to make a...

The arithmetic operator can overflow

Lines of code Vulnerability details Impact It is possible to cause an integer overflow or underflow in the arithmetic operation. Proof of Concept Contract: GraphProxyAdmin Function name: getProxyPendingImplementationaddress PC address: 1898 Estimated Gas Usage: 1387 - 36513 In file:...

revokeApproval() only work with WETH

Lines of code Vulnerability details Impact User can invoke execute successfully even if revokedApprovalmsg.sender == true Proof of Concept If buyer did invoke revokeApproval it only block matching the orders if paymentToken == WETH but if the paymentToken == address0 the buyer could invoke execut...

Transfer reminder of msg.value is bad practice

Lines of code Vulnerability details Impact Transfer reminder of msg.value is bad practice. Can lead to out of gas, reentrancy and so on. Proof of Concept Tools Used Static analytics Recommended Mitigation Steps Can create method getReminder and user to call to get all reminders for him. --- The...

Reentrancy

Lines of code Vulnerability details Reentrancy in BlurExchange.executeInput,Input contracts/BlurExchange.sol128-175: External calls: - executeFundsTransfersell.order.trader,buy.order.trader,sell.order.paymentToken,sell.order.fees,price contracts/BlurExchange.sol147-153 -...

_executeTokenTransfer() can silently fail for malicious ERC721 implementations.

Lines of code Vulnerability details Impact execute calls executeTokenTransfer to perform the NFT transfer from seller to buyer. The function assumes correct safeTransferFrom functionality and does not check balances. In case of malicious - or poorly designed pausable ERC721 implementations, this...

BlurExchange Contract May Not Be Upgradeable

Lines of code Vulnerability details Vulnerability Details The BlurExchange is designed to be an implementation contract supporting an upgradeable feature. However, we found that some contracts define state variables without allocating the reserved storage slots gap which may impede the BlurExchan...

Wrong amount of ERC1155 token result in loss of funds for buyer

Lines of code Vulnerability details Impact In StandardPolicyERC1155 contract, the amount of ERC1155 token always return 1 instead of amount value in Order struct. The result is when ERC1155 orders is matched, buyers will only receive 1 token even they specify amount 1, which means loss of funds f...

ERC20 return values not checked

Lines of code Vulnerability details Vulnerability details Some tokens like USDT don't correctly implement the EIP20 standard and their transfer/transferFrom function return void instead of a success boolean. Calling these functions with the correct EIP20 function signatures will always revert...

AlgebraPool.sol#L488 : onlyValidTicks modifier is missing for function

Lines of code Vulnerability details Impact Invalid ticks can be allowed for collection. Proof of Concept function collect address recipient, int24 bottomTick, int24 topTick, uint128 amount0Requested, uint128 amount1Requested external override lock returns uint128 amount0, uint128 amount1 Position...

Missing zero value check in AlgebraPool.initialize() would cause reverts preventing minting and swapping.

Lines of code Vulnerability details Impact The initialize function in AlgebraPool contract sets the globalState price and tick for the Algebra Pool. However, due to a missing check to ensure the price is not set to zero, a revert would occur always when calculating amounts for liquidity in...

[M3] It is impossible to recover stucked non complying ERC-20 tokens

Lines of code Vulnerability details Impact Contract frxETHMinter is unable to recover tokens like USDT PoC Tokens that return void on transfer, that is, those who do not follow ERC20 standard will revert when you try to assign the output to a boolean variable. This is the case in you function...

Risk of ETH funds Rug Pull in the moveWithheldETH and recoverEther functions

Lines of code Vulnerability details Impact In the frxETHMinter contract both the owner and governance timelock have the power to call the functions moveWithheldETH and recoverEther, those functions allow the transfer of the ETH from frxETHMinter to the owner or a given account, this means that th...

A mistake made by the Minters can result in minting tokens to a wrong address or a zero address.

Lines of code Vulnerability details Impact Tokens can be minted to a wrong address. Proof of Concept The function mintermint is used by the Minters, to mint tokens to the users that successfully used the functions submitAndDeposit, submit and submitAndGive. However there is no check in mintermint...

numTokensReservedForVesting is not compared with contract balance

Lines of code Vulnerability details Impact In VTVLVesting contract, the claims are created without comparing the numTokensReservedForVesting variable to the contract balance. If the sum of all user vesting tokens is below this param then the contract will be insolvent to be withdrawn. Proof of...

lack of check if claim is active in vestedAmount,claimableAmount and finalVestedAmount.

Lines of code Vulnerability details Impact According to the contract, finalVestedAmount function calculates the total vested at the end of the schedule. vestedAmount function calculates the amount vested for a given recipient at a reference timestamp. claimableAmount function Calculates how much...

An admin can revoke the claim of a given claimant at any time then withdraw the claim due to said claimant.

Lines of code Vulnerability details Impact I understand the reasoning why admins are given the ability to revoke claims but that power in combination with the fact that an admin can then withdraw said claim that was due to a claimant gives rug vibes. This ability should at least be behind a...

Missing ReEntrancy Guard to Withdraw function

Lines of code Vulnerability details Impact Missing ReEntrancy Guard to Withdraw function Proof of Concept There is no re-entry risk on true ERC-20 tokens that work according to the spec i.e. audited, etc.. However you can write a malicious ERC-20 with custom transferFrom or approve that have...

DoS With Block Gas Limit

Lines of code Vulnerability details Impact Modifying an array of unknown size, that increases in size over time in the function createClaimUnchecked can lead to Deniel of Service. Proof of Concept When smart contracts are deployed or functions inside them are called, the execution of these action...

Limited supply of VariableSupplyERC20Token can be bypassed to mint an infinite amount of tokens

Lines of code Vulnerability details Limited supply of VariableSupplyERC20Token can be bypassed to mint an infinite amount of tokens VariableSupplyERC20Token is defined as A ERC20 token contract that allows minting at will, with limited or unlimited supply. No burning possible In the case of a...

Upgraded Q -> M from 496 [1663882181323]

Judge has assessed an item in Issue 496 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...

Eth can be stucked in contract when NFT was gifted to party (AuctionCrowdfund.sol)

Lines of code Vulnerability details Impact We can call function finalize, which will claim the NFT if we won. After claiming the NFT, function will check if contract is the owner of NFT or not. if lastBid == 0 // The NFT was gifted to us. Everyone who contributed wins. lastBid = totalContribution...

havent specify the solidity compiler version, 8.15 and older version may lead to a mis encoded struct parameter

Lines of code Vulnerability details Impact the structure: struct ExecuteProposalParams uint256 proposalId; bytes proposalData; bytes progressData; bytes extraData; uint256 flags; IERC721 preciousTokens; uint256 preciousTokenIds; there are some unknown length elementbytes, in 8.15 and older...

Unbounded proposal calls array length could cause DoS

Lines of code Vulnerability details Impact It's possible to render the governance and execution contract inoperable for a period of time and effectively kill some proposals due to execution failure, which will break the governance routine and function. This could be a mistake or on purpose. Proof...

this is a test

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used Recommended Mitigation Steps --- The...

Bids can be created while paused

Lines of code Vulnerability details createBid allows for bid creation while the Auction is paused. As the latter happens on a system error mint failure, this can allow an attacker to interacts with the malfunctioning system. This at least can lead to misallocation of user's funds, i.e. freezing t...

It is possible to add more than 15 properties

Lines of code Vulnerability details The total number of properties is now limited to be 15 or less with hard code on the storage structures level. In the same time it is possible to add unlimited number of properties with MetadataRenderer's addProperties. If this happens, with a malicious intent ...

# _safeMint() should be used rather than _mint() wherever possible

Lines of code Vulnerability details safeMint should be used rather than mint wherever possible Impact In Token.sol.sol, eventually it is called ERC721 mint. Calling mint this way does not ensure that the receiver of the NFT is able to accept them, making possible to lose them. safeMint should be...

DoS with (Unexpected) revert or Gas Limit DoS on a Contract via Unbounded Operations

Lines of code Vulnerability details Impact According to SWC-113, external calls can fail accidentally or deliberately, which can cause a DoS condition in the contract. To minimize the damage caused by such failures, it is better to isolate each external call into its own transaction that can be...

Contract TribeRedeemer: redeemBase should has setter function

Lines of code Vulnerability details 2022-09-tribe Contract TribeRedeemer: redeemBase should has setter function tags: c4, 2022-09-tribe, high Affected code Impact Contract TribeRedeemer doesn't have setter function for redeemBase. So redeemBase can not be adjusted if it is neccesary. Contract wil...

in function redeem() of TribeRedeemer users would receive less funds because of rounding error in division in previewRedeem()

Lines of code Vulnerability details Impact Function previewRedeem in TribeRedeemer has been used to calculate the amounts of tokens the user would receive for what the user transfer as redeemedToken. the user would receive a ratio of token balance of the contract which ratio is equal to amountIn ...

Unbounded Loop

Lines of code Vulnerability details 🎨 Category Denial of Service 💥 Impact If the number of tokensReceived gets too big, the transaction's gas cost could exceed the block gas limit and make it impossible to call previewRedeem at all. 📝 Proof of Concept previewRedeem function iterates over all...

Missing access Control to burnFeiHeld function

Lines of code Vulnerability details Impact burnFeiHeld hasn't any owner modifier , so everybody run it Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. function burnFeiHeld external uint256...

Unending and Eventually Futile TRIBE Redemption

Lines of code Vulnerability details Impact TRIBE holders can redeem for pro rata share of remaining DAO controlled assets according to TIP-121 proposal. In the light of this, users would rush into redeeming their TRIBE before the balances of each tokensReceived held on this contract run out...

The _movingAverage always have the same value as _movingAverage + (currentPrice / numObs)

Lines of code Vulnerability details Impact On updateMovingAverage the calculate new moving average is always movingAverage == movingAverage + currentPrice / numObs Proof of Concept 1- keeper invoke beat on Heart.sol 2- this PRICE.updateMovingAverage; to updating the moving average on the Price...

Olympus votes can be locked in OlympusGovernance contract

Lines of code Vulnerability details Impact Olympus votes can be locked in Governance.sol OlympusGovernance contract. Proof of Concept When a user votes for a proposal, their current balance of VOTE is transferred to the OlympusGovernance contract. Those votes can be reclaimed once the proposal is...

Div by 0 can block functions such as updateMovingAverage

Lines of code Vulnerability details Prevent div by 0 Impact On several locations in the code precautions are taken not to divide by 0, because this will revert the code. However on some locations this isn’t done. All this reverts can be caused by state variables assigned to 0 or with length 0, th...

Race condition produces DDOS on governance : 20% minority can block the other 80% from passing a proposal.

Lines of code Vulnerability details Impact An account controlling enough voting percentage to endorse a proposal can block an unwanted proposal from being activated. This can be done by frontrunning or by paying more for gas. There can only be one concurrent activated proposal so there is a race...

ERC20 return value not checked and not compatible with tokens like USDT, OMG, etc

Lines of code Vulnerability details ERC20 return value not checked and not compatible with tokens like USDT, OMG, etc Detail The ERC20.transfer and ERC20.transferFrom functions return a boolean value indicating success. This parameter needs to be checked for success. Furthermore, some tokens like...

taetaw

Lines of code L1 Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used Recommended Mitigation Steps --- Th...

Upgraded Q -> M from 239 [1661780295145]

Judge has assessed an item in Issue 239 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...

Multiple storage slot collisions between versions - due to different order in declaration

Lines of code Vulnerability details Impact If we list the sequence of how variables receive slots, we will see the failure to follow "append-only" principle. Many variable added "in-between" V2 version can read/write wrong slots. Proof of Concept Here is the table/list of variable, built taking...

NounsDAOLogicV2.sol funds will be instantaneously drained if the private keys become compromised

Lines of code Vulnerability details Impact If the admin gets compromised, all the ether in NounsDAOLogicV2.sol will be drained. function withdraw external if msg.sender != admin revert AdminOnly; uint256 amount = addressthis.balance; bool sent, = msg.sender.call value: amount ''; emit...

repayAsset() but you will not receive your Collateral

Lines of code Vulnerability details Impact The user will just pay down the debt Proof of Concept By invoking repayAsset you will just pay the Asset Token, on the other hand, he does not send any amount of my Collateral Recommended Mitigation Steps Add a function to send the Collateral after...