Attacker can set anyone as the tokenSender role
Lines of code Vulnerability details Impact The setTokenSender function, which is the function responsible for setting the token sender role, is made public with no access control, which lets an attacker escalate his privileges to the token sender role. Proof of Concept truffle console --networkId 5...
Oracle does not treat upward and downward price movement the same in validity checks, causing safety issues in oracle usage.
Lines of code Vulnerability details Description NFTFloorOracle retrieves ERC721 prices for ParaSpace. maxPriceDeviation is a configurable parameter, which limits the change percentage from current price to a new feed update. We can see how priceDeviation is calculated and compared to...
The buy() function on Last Price Dutch Auction Sale doesn't check if auction ended, may lead to user loss asset
Lines of code Vulnerability details Impact The buy function on Last Price Dutch Auction Sale doesn't check if the auction has ended, which may lead to users losing assets if a user calls it with amount 0 and msg.value 0. Proof of Concept Ideally, if the max id finalId is reached, then the auction will end, so no user...
finalise() lacks authentication of calls to this method, as anyone can access it.
Lines of code Vulnerability details Impact Unprotected call to a function sending Ether to an arbitrary address. This can be exploited by attackers. Proof of Concept function finalize public Sale memory temp = sale; requireblock.number = temp.endTime, "TOO SOON";...
Anyone can remove feeders from NFTFloorOracle.
Lines of code Vulnerability details Impact There is no onlyRole modifier on removeFeeder, so anyone can remove feeders from NFTFloorOracle, and it will cause a DoS attack. Proof of Concept function removeFeederaddress feeder external onlyWhenFeederExistedfeeder //@audit no modifier...
Users can lose funds if they call buy with _amount larger than type(uint48).max.
Lines of code Vulnerability details Impact The function buy takes an amount of type uint256 as input. amount is used to check if msg.value is correct depending on the sale price as follows: requireamount sale.price == msg.value, "WRONG PRICE"; but it is not cast to uint48 as is done to calculate the newI...
LPDA refund logic is broken, meaning buyers always get lowest price sale
Lines of code Vulnerability details Impact The protocol intends the LPDA to refund buyers the difference between the price they paid and the last sale price. Once the sale has ended, the users must call refund to get their Ether refunds based on their purchase price and the lowest sale price 99:...
Unsafe casting from uint256 to uint8 causes wrong index of asset and feeder in NFTFloorOracle
Lines of code Vulnerability details Impact In NFTFloorPrice, there is a set of feeders and a set of assets. Feeders set prices for assets. Of course, with the growing NFT space, the number of asset collections could be much more than 256, and because Paraspace uses the median price from keepers so...
Dutch auction getPrice() formula can lead to price reaching 0 and eventually reverting and locking the function.
Lines of code Vulnerability details Impact In the function getPrice the current price is calculated by taking the start price and subtracting the product of dropPerSecond and time elapsed: start price - dropPerSecond timeElapsed. The issue with this is that, given the right inputs for dropPerSecon...
Upgraded Q -> M from #454 [1670445333683]
Judge has assessed an item in Issue 454 as M risk. The relevant finding follows: L-01 Don't use payable.transfer/payable.send The use of payable.transfer is heavily frowned upon because it can lead to the locking of funds. The transfer call requires that the recipient is either an EOA account, or...
Upgraded Q -> M from #35 [1670345543949]
Judge has assessed an item in Issue 35 as M risk. The relevant finding follows: No. 2 Any smart contract that uses transfer or send is taking a hard dependency on gas costs by forwarding a fixed amount of gas: 2300. If gas costs are subject to change, then smart contracts can't depend on any...
Potential security issues in CallLib solidity library
Lines of code Vulnerability details Description: The CallLib solidity library contains several potential security issues that could be exploited by attackers. Issue 1: The executeCalls function does not check if the sender parameter is the contract owner before allowing the calls to be executed...
ExecutorAware doesn't adequately validate sender for nonce
Lines of code Vulnerability details Impact Contracts on the execution chain are asked to inherit from ExecutorAware.sol. This gives them the ability to check msgSender and nonce pulled from the calldata in the format encoded by the executor. While the msgSender function adequately checks that the...
Upgraded Q -> M from #402 [1670185822442]
Judge has assessed an item in Issue 402 as M risk. The relevant finding follows: Staked Gmx RewardTracker may retain allowances Summary: Both the configureGmxState function and the setContractContracts c, address contractAddress can be used to update the PirexGmx contract's stakedGmx storage...
NameWrapper: expired names behave unwrapped
Lines of code Vulnerability details Impact Expired names are supposed to be unregistered, but they behave like unwrapped names. A parent with the CANNOT_CREATE_SUBDOMAIN fuse can "create" an expired name again; the parent can ENS.setSubdomainOwner before burning CANNOT_CREATE_SUBDOMAIN to be able to use the subdomain...
MINTING OF NFT AT WILL
Lines of code Vulnerability details Impact register is an unrestricted public function where any new msg.sender is going to get through the modifier onlyUnregistered. With a non-zero recipient argument passed into the function, a new NFT is going to be minted to the recipient. Consequently, an...
value can be burned in burnLPToken but nothing withdrawn
Lines of code Vulnerability details value can be burned in burnLPToken but nothing withdrawn Summary If the initial amount is not big enough, the redemptionValue can get truncated by the division by 24 ether and therefore be 0. Therefore, the value to be withdrawn would be lost. PoC // redeem savE...
Medium: Vaults can be griefed to not be able to be used for deposits
Lines of code Vulnerability details Description Interaction with SavETHVault and StakingFundsVault requires a minimum amount of MINSTAKINGAMOUNT. In order to be used for staking, there needs to be 24 ETH or 4 ETH for the desired BLS public key in those vaults. The issue is that vaults can be grief...
Unbounded loop can run out of gas in withdraw and unstake operations
Lines of code Vulnerability details Unbounded loop can run out of gas in withdraw and unstake operations Impact There are no bounds on the number of orders in the loop; this can run out of gas due to the cost of the operations, which can vary over time. Proof Of Concept function withdrawLPTokensLPTok...
Possibly reentrancy attacks in _distributeETHRewardsToUserForToken function
Lines of code Vulnerability details Author: rotcivegaf Impact The root of the problem is in _distributeETHRewardsToUserForToken, which makes a call to distribute the ether rewards. With this call the recipient can execute a reentrancy attack, calling the different functions several times to steal...
Users can block other users from redeeming their ETH in Vaults
Lines of code Vulnerability details The burnLPToken of a protected vault allows users to burn LP tokens in exchange for ETH or dETH. In the case of ETH, i.e. when the BLS key has not had its derivatives minted yet, the function checks that the liquidity is not fresh by checking...
Upgraded Q -> M from #449 [1668465467675]
Judge has assessed an item in Issue 449 as M risk. The relevant finding follows: FlashLoanFee should be bounded | Low | 1
Recipients Can Steal Remaining ETH from Exchange
Lines of code Vulnerability details Impact This vulnerability allows recipients to reenter the Exchange contract, stealing remaining ETH. When a batch of orders is matched using the bulkExecute method, a malicious recipient of assets may reenter the bulkExecute method, stealing ETH that would've...
The attacker can steal the ETH of users that wanted to buy an NFT by sandwiching the victim transaction.
Lines of code Vulnerability details Impact The attacker can steal the ETH of users that wanted to buy an NFT by sandwiching the victim transaction. Proof of Concept In non-atomic execution some of the orders could fail, and funds should be returned at the end of the execute function. But the returnETHIfAny...
Seller can steal ETH which is for other orders of the bulk
Lines of code Vulnerability details Impact The 'bulkExecute' and 'returnDust' functions are susceptible to a reentrancy attack. A seller can exploit it to steal ETH which is meant for other orders of the bulk. Proof of Concept Key steps for a successful attack 1 set fee rate to 100% 2 reentrancy call...
Public to all funds escape
Lines of code Vulnerability details Description The LooksRareAggregator smart contract implements a bunch of functions to escape funds by the contract owner (see rescueETH, rescueERC20, rescueERC721, and rescueERC1155). In this way, any funds that were accidentally sent to the contract or were lock...
Use of .transfer()
Lines of code Vulnerability details Impact Note: I realize that this was flagged in the C4udit output, though it seems to believe that it's an ERC20 transfer. The use of transfer to send ETH only forwards 2300 gas to the recipient. This is not enough gas to execute a gnosis safe delegatecall. Fun...
Governor ownership can be lost because of no sanity check
Lines of code Vulnerability details Governor ownership can be lost because of no checks Impact Sanity checks are important so as not to affect the reputation, flows and users of the protocol when a mistake is made. The 0 address should be checked for important address assignments; in this case, it is only done in th...
Solmate safeTransfer and safeTransferFrom do not check the code size of the token address, which may lead to fund loss
Lines of code Vulnerability details Impact In the bid function, the safeTransferFrom function doesn't check for the existence of code at the token address. This is a known issue when using solmate's libraries. Hence this may lead to miscalculation of funds and may lead to loss of funds, because if...
Denial of service when baseAmount is equal to zero
Lines of code Vulnerability details Description There is a finalize function in the SizeSealed smart contract. The function traverses the array of the bids sorted by price descending. On each iteration, it calculates the quotePerBase. When this variable is calculated, the...
Some bidders who withdraw would claim more of the baseToken when the auction cliffPercent value is 1
Lines of code Vulnerability details Impact If an auction is created with a.timings.cliffPercent set to 1, then during withdrawal of baseTokens after the auction ends, some bidders who withdraw would claim more of the baseToken amounts than others. Proof of Concept 1. Auction A is created...
Protocol won't work with rebasing tokens
Lines of code Vulnerability details Proof of Concept Some tokens may make arbitrary balance modifications outside of transfers, e.g. Ampleforth style rebasing tokens, Compound style airdrops of governance tokens, mintable / burnable tokens. If such a token is used, since in the protocol we cache t...
Seller can change lowestBase and lowestQuote and can set them to different values, causing a DoS or loss of funds
Lines of code Vulnerability details Impact When a seller finalizes the auction they change the lowestQuote and lowestBase. When users withdraw from the auction after the auction is finalized, QuoteBought is calculated with the new amounts, which can cause a DoS or refund their leftover quote amount...
[PNM-003] finalize can be called by bidders, allows them to cancelBid
Lines of code Vulnerability details Description The finalize function is used to finalize the auction, locking all bids, and paying the seller. However, any user, including bidders can call finalize, as it is a public function, and there are no user checks. This may allow bidders to input malicio...
Unchecked array length of the public_inputs[] in Verifier.sol
Lines of code Vulnerability details Impact If an array enumerates all registered addresses, an adversary can register many addresses, causing the problem described above. Vulnerability Details Ethereum is a very resource-constrained environment. Prices per computational step are orders of magnitu...
Oracle.sol uses deprecated Chainlink method latestAnswer()
Lines of code Vulnerability details Proof of Concept Chainlink has marked the latestAnswer method as deprecated for its price feeds, but the code is using it. Impact The latestAnswer method just returns the price and has no way to check if it is stale. If the project is using a stale price it can...
Front-running of a pledge call
Lines of code Vulnerability details Description There is a pledge function in the WardenPledge contract. The function accepts the pledgeId, which does not contain any information about the pledge itself. As a result, transactions of users can be front-run to force them to use the pledge with the...
Chainlink latestAnswer is deprecated
Lines of code Vulnerability details Impact Since Chainlink latestAnswer is deprecated, use latestRoundData instead. Since it is deprecated, there is a chance that Chainlink will stop supporting this function. Proof of Concept uint price = feedstoken.feed.latestAnswer; Tools Used Manual Analysis...
Interference exploit among multiple pledges.
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. There is no guarantee that each server has only one pledge; when such a scenario appears, vars.votesDifference will be calculated incorrectly and all other calculations will be wrong. Proof of Concept...
_payoutEth() gas computation can make call revert even if balance is sufficient
Lines of code Vulnerability details Payout recipients can call getEthPayout to transfer the ETH balance of the contract to all payout recipients. This function makes an internal call to payoutEth, which computes the gasCost, then proceeds to check balance - gasCost 10000 before sending the result...
MED - Incorrect implementation of ERC721 may have bad consequences for receiver
Lines of code Vulnerability details Description HolographERC721.sol is an enforcer contract that fully implements ERC721. In its safeTransferFromFunction there is the following code: if isContractto require ERC165to.supportsInterfaceERC165.supportsInterface.selector &&...
Users could accidentally burn() and lose funds
Lines of code Vulnerability details Impact If users accidentally burn the token, the funds will be lost. There does not seem to be any reason for users to call the public burn function; only by mistakenly calling the method would they lose their own funds. Proof of Concept // contracts/enforcer/HolographERC721.sol...
Incorrect usage of try/catch block
Lines of code Vulnerability details Description There is a function getBridgeOutRequestPayload in HolographBridge contract. It has the following: / @dev the revertedBridgeOutRequest function is wrapped into a try/catch function / try this.revertedBridgeOutRequestmsg.sender,...
Signature replay attacks
Lines of code Vulnerability details Description There is a function deployHolographableContract from the HolographFactory smart contract. Among other things, the function verifies the ECDSA signature. The signed data for verification is constructed as a concatenation of different user-provided...
Deactivated tiers can still mint reserve tokens, even if no non-reserve tokens were minted.
Lines of code Vulnerability details Description Tiers in Juicebox can be deactivated using the adjustTiers function. It makes sense that reserve tokens may be minted in deactivated tiers, in order to be consistent with already minted tokens. However, the code allows the first reserve token to be...
Unused return _launchProjectFor
Lines of code Vulnerability details Impact the function will push the return value on the stack, the caller will then adjust the stack frame accordingly, but won't copy the returned value from the stack into any variable. ignores return value by Proof of Concept The execution of the message call...
Wrong calculation in LBRouter._getAmountsIn.
Lines of code Vulnerability details Impact It calculates the amountsIn wrongly here and the function returns the wrong result. Proof of Concept Currently, getAmountsIn calculates the amountsIn like below. amountsIn[i - 1] = reserveIn * amountOut * 1000 / ((reserveOut - amountOut) * 997) + 1; As we can see...
ReserveRate doesn't always work as expected
Lines of code Vulnerability details Impact Reserve NFTs are not available as expected Proof of Concept uint256 numberOfNonReservesMinted = storedTier.initialQuantity - storedTier.remainingQuantity - reserveTokensMinted; uint256 numerator = uint256numberOfNonReservesMinted storedTier.reservedRate;...
Upgraded Q -> M from 463 [1666363539691]
Judge has assessed an item in Issue 463 as Medium risk. The relevant finding follows: Ignores return value of onERC721Received The try block should include a check to make sure the function returns its selector as specified by IERC721Receiver. While the function may have the same parameters as th...
No check transferFrom() return value
Lines of code Vulnerability details Impact The smart contract doesn't check the return value of token.transferFrom; some ERC20 tokens might not revert in case of error but return false. Proof of Concept as seen in several contests, for ex: Tools Used Visual inspection Recommended Mitigation Steps...