10190 matches found
Using ifAdminOrPendingImpl modifier to forcefully interact with implementation contracts via _fallback() call.
Lines of code Vulnerability details Impact The modifier ifAdminOrPendingImpl allows internal delegation to the implementation contract if caller is not admin by calling the fallback function which delegates the current call to implementation. This allows a user who is not admin to call to make a...
Permanent lockup of tokens without recovery possible
Lines of code Vulnerability details Impact The callhook for whitelisted contracts adds an additional layer of complexity that can have multiple points of failure. If the execution of L2GraphTokenGateway.finalizeInboundTransfer fails indefinitely, there is currently no way to recover the...
UNSAFE USAGE OF ERC20 TRANSFERFROM
Lines of code Vulnerability details Impact Ignores return value from L1GraphTokenGateway.finalizeInboundTransfer and L1GraphTokenGateway.outboundTransfer Not tracking values returned by token transferFrom. finalizeInboundTransfer When escrow has not approved L1GraphTokenGateway or allowance is no...
The arithmetic operator can overflow
Lines of code Vulnerability details Impact It is possible to cause an integer overflow or underflow in the arithmetic operation. Proof of Concept Contract: GraphProxyAdmin Function name: getProxyPendingImplementation(address) PC address: 1898 Estimated Gas Usage: 1387 - 36513 In file:...
Use safeTransferFrom instead of transferFrom()
Lines of code Vulnerability details Impact Although ERC20 standard suggests that a transfer should return true on success, there are tokens that doesn't comply with this. Therefore, the transferFrom call might cause silent failures and will affect the token accounting in this contract. Proof of...
Requiring Timelock For Setter Functions
Lines of code Vulnerability details Vulnerability Details We noticed that the following owner-privileged setter functions can update important state variables without a time delay. 1. setExecutionDelegate function of the BlurExchange contract L215 - 222 in code snippet 1 2. setPolicyManager...
revokeApproval() only works with WETH
Lines of code Vulnerability details Impact User can invoke execute successfully even if revokedApproval[msg.sender] == true Proof of Concept If buyer did invoke revokeApproval it only blocks matching the orders if paymentToken == WETH, but if the paymentToken == address(0) the buyer could invoke execut...
Griefing of execute transaction sender
Lines of code Vulnerability details Description In function execute from BlurExchange contract there is a call of executeTokenTransfer function. The last one contains the following logic: function executeTokenTransfer address collection, address from, address to, uint256 tokenId, uint256 amount,...
BlurExchange Contract May Not Be Upgradeable
Lines of code Vulnerability details Vulnerability Details The BlurExchange is designed to be an implementation contract supporting an upgradeable feature. However, we found that some contracts define state variables without allocating the reserved storage slots gap which may impede the BlurExchan...
Unused slippage params
Lines of code Vulnerability details Impact Unused slippage params. function outboundTransfer in L2GraphTokenGateway both L1 and L2 do not use slippage parameters, making it susceptible to sandwich attacks / MEV. Proof of Concept 'uint256, // unused on L2 uint256, // unused on L2' Tools Used...
Wrong amount of ERC1155 token result in loss of funds for buyer
Lines of code Vulnerability details Impact In StandardPolicyERC1155 contract, the amount of ERC1155 token always returns 1 instead of the amount value in the Order struct. The result is when ERC1155 orders are matched, buyers will only receive 1 token even if they specify amount > 1, which means loss of funds f...
AN ATTACKER CAN CREATE A SHORT PUT OPTION ORDER ON AN NFT THAT DOES NOT SUPPORT ERC721 (LIKE CRYPTOPUNK), AND THE USER CAN FULFILL THE ORDER, BUT CANNOT EXERCISE THE OPTION
Lines of code Vulnerability details Impact Blur is a kind of NFT marketplace which will somehow attract high value NFT items like CryptoPunks. Therefore assuming the platform will handle CryptoPunk NFTs is a common thing, and this raises an issue. An attacker can create a short put option on...
ERC20 return values not checked
Lines of code Vulnerability details Some tokens like USDT don't correctly implement the EIP20 standard and their transfer/transferFrom function return void instead of a success boolean. Calling these functions with the correct EIP20 function signatures will always revert...
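The three ERC20 transfer findings above (the Graph gateway return-value entry, the safeTransferFrom entry and the USDT void-return entry) describe one pattern from two sides: a token that returns false is silently accepted when the bool is dropped, and a token that returns nothing reverts when the bool is decoded. The Solidity below is an added illustration, not code from any of the audited repositories; the escrow contracts, the SafeERC20Lite helper and every name in it are assumptions made for this example, and the helper is written in the style of OpenZeppelin's SafeERC20 rather than imported from it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example, not code from any of the audited repositories. The contract
// and helper names are assumptions made for this illustration.

interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Vulnerable pattern: the bool returned by transferFrom is ignored, so a token
// that returns false instead of reverting leaves the caller credited with
// tokens the contract never received.
contract UncheckedEscrow {
    IERC20 public immutable token;
    mapping(address => uint256) public credited;

    constructor(IERC20 token_) { token = token_; }

    function deposit(uint256 amount) external {
        token.transferFrom(msg.sender, address(this), amount); // return value dropped
        credited[msg.sender] += amount;
    }
}

// Hardened transfer helper (assumption: written here from scratch in the style
// of OpenZeppelin's SafeERC20). A low-level call is used so that tokens whose
// transferFrom returns nothing (USDT on mainnet) do not revert on ABI decoding,
// while tokens that return false are still rejected.
library SafeERC20Lite {
    function safeTransferFrom(IERC20 token, address from, address to, uint256 amount) internal {
        // A call to an address with no code succeeds with empty return data,
        // which would look exactly like a void-returning token; rule that out first.
        require(address(token).code.length > 0, "not a contract");
        (bool ok, bytes memory ret) = address(token).call(
            abi.encodeWithSelector(IERC20.transferFrom.selector, from, to, amount)
        );
        require(ok, "transferFrom reverted");
        // Empty return data: void-returning token, treated as success.
        // 32 bytes: decode the bool and require it to be true.
        require(ret.length == 0 || abi.decode(ret, (bool)), "transferFrom returned false");
    }
}

// Hardened pattern: revert on failure and credit only what actually arrived,
// which also covers fee-on-transfer tokens.
contract CheckedEscrow {
    using SafeERC20Lite for IERC20;

    IERC20 public immutable token;
    mapping(address => uint256) public credited;

    constructor(IERC20 token_) { token = token_; }

    function deposit(uint256 amount) external {
        uint256 before = token.balanceOf(address(this));
        token.safeTransferFrom(msg.sender, address(this), amount);
        uint256 received = token.balanceOf(address(this)) - before;
        credited[msg.sender] += received;
    }
}
```

The code-length check matters more than it looks: without it, pointing the escrow at a not-yet-deployed or self-destructed token address would make every deposit "succeed" with empty return data. The balance delta in CheckedEscrow is what turns the finding's accounting concern into a concrete rule, credit what the contract can see, not what the caller claimed.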
Missing zero value check in AlgebraPool.initialize() would cause reverts preventing minting and swapping.
Lines of code Vulnerability details Impact The initialize function in AlgebraPool contract sets the globalState price and tick for the Algebra Pool. However, due to a missing check to ensure the price is not set to zero, a revert would occur always when calculating amounts for liquidity in...
AlgebraPool.sol#L488 : onlyValidTicks modifier is missing for function
Lines of code Vulnerability details Impact Invalid ticks can be allowed for collection. Proof of Concept function collect(address recipient, int24 bottomTick, int24 topTick, uint128 amount0Requested, uint128 amount1Requested) external override lock returns (uint128 amount0, uint128 amount1) Position...
A malicious user can claim and successfully steal a gobbler NFT token.
Lines of code Vulnerability details Impact A malicious user can claim and successfully steal a gobbler NFT token in the function claimGobbler. Proof of Concept The function claimGobbler is used by the mintlisted users to claim a gobbler using a merkle proof. However there is no check to ensure...
Gobblers burnt for minting legendary Gobblers can be transferred out from the address zero
Lines of code Vulnerability details Impact The mintLegendaryGobbler function burns standard gobblers by setting their owner to address(0) without deleting the getApproved[id]. So the original owner can setApproval for his own address and transfer the gobbler token back to any address from address(0)...
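The finding above turns on a detail of the ERC721 ownership checks: `transferFrom` verifies `from == ownerOf[id]`, and once a token has been "burned" by zeroing its owner that check is satisfied by `from == address(0)`, so a surviving approval is enough to move the token out of the zero address. The Solidity below is an added illustration, not the Art Gobblers code: a minimal ERC721-style ledger with a leaky burn beside a clean one, plus the recovery sequence from the finding. All names, and the burn functions themselves, are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example, not the Art Gobblers code. A minimal ERC721-style ledger that
// keeps only the state needed to show the bug: the owner and approval maps.
// Contract and function names are assumptions made for this illustration.
contract ApprovalLeakNFT {
    mapping(uint256 => address) public ownerOf;
    mapping(uint256 => address) public getApproved;
    mapping(address => mapping(address => bool)) public isApprovedForAll;

    function mint(address to, uint256 id) external {
        require(ownerOf[id] == address(0), "ALREADY_MINTED");
        ownerOf[id] = to;
    }

    function approve(address spender, uint256 id) external {
        address owner = ownerOf[id];
        require(msg.sender == owner || isApprovedForAll[owner][msg.sender], "NOT_AUTHORIZED");
        getApproved[id] = spender;
    }

    // Standard transfer checks. Note that `from == ownerOf[id]` is satisfied by
    // from == address(0) once a token has been "burned" by zeroing its owner.
    function transferFrom(address from, address to, uint256 id) external {
        require(from == ownerOf[id], "WRONG_FROM");
        require(to != address(0), "INVALID_RECIPIENT");
        require(
            msg.sender == from || isApprovedForAll[from][msg.sender] || msg.sender == getApproved[id],
            "NOT_AUTHORIZED"
        );
        ownerOf[id] = to;
        delete getApproved[id];
    }

    // BUG: burns by zeroing the owner but leaves getApproved[id] in place.
    function burnLeaky(uint256 id) external {
        require(msg.sender == ownerOf[id], "NOT_OWNER");
        ownerOf[id] = address(0);
    }

    // FIX: clear the approval in the same step that removes the owner.
    function burnClean(uint256 id) external {
        require(msg.sender == ownerOf[id], "NOT_OWNER");
        delete getApproved[id];
        ownerOf[id] = address(0);
    }
}

// The recovery path described in the finding, run against the leaky burn:
// approve yourself, burn, then transfer "from" the zero address.
contract Resurrector {
    function run(ApprovalLeakNFT nft, uint256 id) external {
        nft.approve(address(this), id);                  // this contract owns `id`
        nft.burnLeaky(id);                               // owner -> 0, approval intact
        nft.transferFrom(address(0), address(this), id); // WRONG_FROM passes (0 == 0),
                                                         // getApproved[id] == this
    }
    // Against burnClean the last call reverts with NOT_AUTHORIZED: getApproved[id]
    // was deleted and msg.sender is neither address(0) nor an operator of it.
}
```

The general rule this illustrates: any code path that writes `ownerOf[id] = address(0)` directly, instead of going through the library's `_burn`, must replicate everything `_burn` does, including clearing per-token approvals; otherwise the zero address behaves like an ordinary owner whose operator is whoever was approved last.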
Risk of ETH funds Rug Pull in the moveWithheldETH and recoverEther functions
Lines of code Vulnerability details Impact In the frxETHMinter contract both the owner and governance timelock have the power to call the functions moveWithheldETH and recoverEther, those functions allow the transfer of the ETH from frxETHMinter to the owner or a given account, this means that th...
A mistake made by the Minters can result in minting tokens to a wrong address or a zero address.
Lines of code Vulnerability details Impact Tokens can be minted to a wrong address. Proof of Concept The function minter_mint is used by the Minters, to mint tokens to the users that successfully used the functions submitAndDeposit, submit and submitAndGive. However there is no check in minter_mint...
Missing ReEntrancy Guard to Withdraw function
Lines of code Vulnerability details Impact Missing ReEntrancy Guard to Withdraw function Proof of Concept There is no re-entry risk on true ERC-20 tokens that work according to the spec i.e. audited, etc.. However you can write a malicious ERC-20 with custom transferFrom or approve that have...
createClaim can be circumvented
Lines of code Vulnerability details Impact VTVLVesting.sol has createClaim function for the admins to create claims. However, a malicious admin vector exists inside. The project gives some powerful access to the admins for some reason as stated on the contest page. And a good intention is to emi...
In VTVLVesting._baseVestedAmount(), the funds might be locked inside the contract forever with uint112 overflow.
Lines of code Vulnerability details Impact In VTVLVesting._baseVestedAmount, the funds might be locked inside the contract forever with uint112 overflow. Currently, it doesn't consider uint112 overflow during multiply and it's very likely to happen when the vesting duration is not short like 1 yea...
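The finding above is about the width of an intermediate product, not the width of the result. A linear vesting formula multiplies an amount by an elapsed time before dividing by the duration, and if that multiplication is done in the storage type (uint112) it can exceed 2^112 even though the final quotient always fits. The Solidity below is an added illustration, not the VTVL code; it assumes the claim layout the finding describes (uint112 amount, uint40 timestamps) and uses hypothetical function names. It shows the overflowing form beside a widened one and gives concrete numbers at which the first one starts reverting.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example, not the VTVL code. Assumption: the claim stores the vested
// amount as uint112 and timestamps as uint40, as the finding describes.
contract LinearVesting {
    struct Claim {
        uint40 startTimestamp;
        uint40 endTimestamp;
        uint112 linearVestAmount;
    }

    // BUG: the product is computed in uint112. With Solidity >= 0.8 checked
    // arithmetic the overflow reverts (Panic 0x11), so every withdraw that
    // routes through this function reverts and the funds stay locked.
    // Numbers that overflow: 200,000,000 tokens with 18 decimals (2e26 units)
    // vesting over one year (3.1536e7 s): 2e26 * 3.1536e7 ~= 6.3e33, while
    // 2^112 - 1 ~= 5.19e33. Smaller amounts or shorter schedules survive
    // until elapsed grows enough to cross the limit, so the lockup appears late.
    function vestedOverflowing(Claim memory c, uint40 at) public pure returns (uint112) {
        require(at >= c.startTimestamp && c.endTimestamp > c.startTimestamp, "bad schedule");
        uint40 clamped = at > c.endTimestamp ? c.endTimestamp : at;
        uint112 elapsed = uint112(clamped - c.startTimestamp);
        uint112 duration = uint112(c.endTimestamp - c.startTimestamp);
        return c.linearVestAmount * elapsed / duration; // uint112 * uint112 -> may overflow
    }

    // FIX: widen to uint256 before multiplying. The quotient is at most
    // linearVestAmount because elapsed <= duration, so the narrowing cast at
    // the end cannot truncate.
    function vestedWidened(Claim memory c, uint40 at) public pure returns (uint112) {
        require(at >= c.startTimestamp && c.endTimestamp > c.startTimestamp, "bad schedule");
        uint40 clamped = at > c.endTimestamp ? c.endTimestamp : at;
        uint256 elapsed = uint256(clamped) - c.startTimestamp;
        uint256 duration = uint256(c.endTimestamp) - c.startTimestamp;
        uint256 vested = uint256(c.linearVestAmount) * elapsed / duration;
        return uint112(vested);
    }
}
```

When reviewing packed structs, the question to ask of every `a * b / c` is what type the compiler assigns to `a * b`: Solidity does not promote narrow operands, so the product inherits the operand type and the overflow check fires there, before the division that would have brought the value back into range.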
numTokensReservedForVesting is not compared with contract balance
Lines of code Vulnerability details Impact In VTVLVesting contract, the claims are created without comparing the numTokensReservedForVesting variable to the contract balance. If the sum of all user vesting tokens is below this param then the contract will be insolvent to be withdrawn. Proof of...
Limited supply of VariableSupplyERC20Token can be bypassed to mint an infinite amount of tokens
Lines of code Vulnerability details Limited supply of VariableSupplyERC20Token can be bypassed to mint an infinite amount of tokens VariableSupplyERC20Token is defined as A ERC20 token contract that allows minting at will, with limited or unlimited supply. No burning possible In the case of a...
UNBOUNDED LOOPS MAY CAUSE createClaimsBatch() TO FAIL
Lines of code Vulnerability details Impact There are no limits on the number of claims, which may cause the feature to fail due to a certain number of claims entered. Proof of Concept There are no upper bounds on this loop: File: contracts/VTVLVesting.sol for uint256 i = 0; i Recommended Mitigati...
DoS With Block Gas Limit
Lines of code Vulnerability details Impact Modifying an array of unknown size, that increases in size over time in the function createClaimUnchecked can lead to Denial of Service. Proof of Concept When smart contracts are deployed or functions inside them are called, the execution of these action...
An admin can revoke the claim of a given claimant at any time then withdraw the claim due to said claimant.
Lines of code Vulnerability details Impact I understand the reasoning why admins are given the ability to revoke claims but that power in combination with the fact that an admin can then withdraw said claim that was due to a claimant gives rug vibes. This ability should at least be behind a...
Upgraded Q -> M from 496 [1663882181323]
Judge has assessed an item in Issue 496 as Medium risk. The relevant finding follows: ...
Upgraded Q -> M from 238 [1663858577471]
Judge has assessed an item in Issue 238 as Medium risk. The relevant finding follows: 2. call should be used instead of transfer on an address payable Sometimes this kind of issue is considered as Medium risk. The use of the deprecated transfer function for an address will inevitably make the...
Some users won't be able to burn their crowdfund token to get their voting power
Lines of code Vulnerability details Impact A user which is a contract that doesn't have a receive function can't burn his token to get the governance power, because ethOwed ether is transferred to him. This is the case even if ethOwed is 0. Tools Used Manual audit Recommended Mitigation Steps Consid...
this is a test
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used Recommended Mitigation Steps ...
It is possible to add more than 15 properties
Lines of code Vulnerability details The total number of properties is now limited to be 15 or less, hard coded at the storage structure level. At the same time it is possible to add an unlimited number of properties with MetadataRenderer's addProperties. If this happens, with malicious intent ...
Bids can be created while paused
Lines of code Vulnerability details createBid allows for bid creation while the Auction is paused. As the latter happens on a system error (mint failure), this can allow an attacker to interact with the malfunctioning system. This at least can lead to misallocation of users' funds, i.e. freezing t...
Use safeTransfer to send ERC721 tokens
Lines of code Vulnerability details Impact Winner of the auction can lose his NFT Proof of Concept When you settle an auction you transfer the NFT using transferFrom token.transferFrom(address(this), auction.highestBidder, auction.tokenId); Maybe this is just an intended behaviour and is the...
Denial of service with block gas limit.
Lines of code Vulnerability details Impact An array of unknown size can lead to Denial of service with block gas limit. Proof of Concept When smart contracts are deployed or functions inside them are called, the execution of these actions always requires a certain amount of gas, based on how much...
in function redeem() of TribeRedeemer users would receive less funds because of rounding error in division in previewRedeem()
Lines of code Vulnerability details Impact Function previewRedeem in TribeRedeemer is used to calculate the amounts of tokens the user would receive for what the user transfers as redeemedToken. The user would receive a ratio of the token balance of the contract, which ratio is equal to amountIn ...
redeem() doesn't support inflationary or deflationary erc20 tokens
Lines of code Vulnerability details Impact A fee-on-transfer token or a deflationary/rebasing token causes the received amount to be less than the accounted amount. For instance, a deflationary token might charge a certain fee for every transfer or transferFrom. TribeRedeemer.sol supports the u...
Contract TribeRedeemer: redeemBase should have a setter function
Lines of code Vulnerability details 2022-09-tribe Contract TribeRedeemer: redeemBase should have a setter function tags: c4, 2022-09-tribe, high Affected code Impact Contract TribeRedeemer doesn't have a setter function for redeemBase. So redeemBase can not be adjusted if it is necessary. Contract wil...
DoS with (Unexpected) revert or Gas Limit DoS on a Contract via Unbounded Operations
Lines of code Vulnerability details Impact According to SWC-113, external calls can fail accidentally or deliberately, which can cause a DoS condition in the contract. To minimize the damage caused by such failures, it is better to isolate each external call into its own transaction that can be...
Missing access Control to burnFeiHeld function
Lines of code Vulnerability details Impact burnFeiHeld has no owner modifier, so anybody can run it Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. function burnFeiHeld external uint256...
Unbounded Loop
Lines of code Vulnerability details Category Denial of Service Impact If the number of tokensReceived gets too big, the transaction's gas cost could exceed the block gas limit and make it impossible to call previewRedeem at all. Proof of Concept previewRedeem function iterates over all...
Dividing before multiplying can cause data loss
Lines of code Vulnerability details Impact Note: I'll use the notation decimals here to represent 10**token.decimals, just like the variable defined in the BaseV1Router.getPriceLP function. In the BaseV1Router.getPriceLP function, the token0 TVL is calculated in terms of NOTE, by multiplying the TV...
TWAP LP price manipulation
Lines of code Vulnerability details Impact The total value locked sum of the pair is used to price the LP. But the reserves of the underlying can be easily influenced by flashloan, then the TVL can vary dramatically. Just like what happened before here Warp. Although getPriceLP use TWAP to calcula...
[M04] Incorrect price calculation for non-stable pairs without CANTO token
Lines of code Vulnerability details Impact A non-stable pair that doesn't have CANTO token will always have an incorrect price calculated for it. Proof of Concept The code assumes that all pairs are pairs with either NOTE or CANTO token: However, the createPair function doesn't require one of the...
reserve0CumulativeLast is incorrectly calculated
Lines of code Vulnerability details Impact It was observed that both reserve0CumulativeLast and reserve1CumulativeLast are incorrectly calculated. Reference can be taken from Uniswap contract which calculates it correctly at Proof of Concept 1. The reserve0CumulativeLast is currently calculated i...
The _movingAverage always has the same value as _movingAverage + (currentPrice / numObs)
Lines of code Vulnerability details Impact On updateMovingAverage the calculated new moving average is always movingAverage == movingAverage + currentPrice / numObs Proof of Concept 1- keeper invokes beat on Heart.sol 2- this PRICE.updateMovingAverage; to update the moving average on the Price...
Non-standard/Malicious token transfers may cause loans not to be paid.
Lines of code Vulnerability details Impact Non-standard token transfers may cause loans not to be paid. Proof of Concept The TRSRY.sol has repayLoan function for the users to repay their loan as per the ERC20 token. The function is as below; function repayLoan(ERC20 token, uint256 amount) external...
In Governance.sol, it might be impossible to activate a new proposal forever after failed to execute the previous active proposal.
Lines of code Vulnerability details Impact Currently, if users vote for the active proposal, the VOTES are transferred to the contract so that users can't vote or endorse other proposals while the voted proposal is active. And the active proposal can be replaced only when the proposal is executed...
Div by 0 can block functions such as updateMovingAverage
Lines of code Vulnerability details Prevent div by 0 Impact On several locations in the code precautions are taken not to divide by 0, because this will revert the code. However on some locations this isn't done. All these reverts can be caused by state variables assigned to 0 or with length 0, th...
Treasury module is vulnerable to cross-contract reentrancy
Lines of code Vulnerability details Impact An attacker can pay back their loan to the treasury module with protocol-owned tokens. This will cause their loan to decrease even though the protocol won't be given funds for it. Proof of Concept The code first measures the number of tokens in the treasury,...