arbitrary send erc20 safeTransferFrom
Lines of code Vulnerability details Impact uses arbitrary from in safeTransferFrom when msg.sender is not used as from in safeTransferFrom. Proof of Concept Alice approves this contract to spend her ERC20 tokens. Bob can call a and specify Alice's address as the from parameter in safeTransferFrom...
Public Detectors arbitrary send erc20
Lines of code Vulnerability details Impact this flaw allows user B to steal the tokens approved by user A Proof of Concept Exploit Scenario: function aaddress from, address to, uint256 amount public erc20.transferFromfrom, to, am; Alice approves this contract to spend her ERC20 tokens. Bob can ca...
Pseudo randomness is not recommended
Lines of code Vulnerability details Impact Use of pseudo randomness on chain is not recommended as it can be predicted by anyone; this can affect value in case of minting or withdrawing in some scenarios Proof of Concept Tools Used Recommended Mitigation Steps Use oracles...
Royalties cannot be collected for many ERC20 tokens (USDT, BNB and many more) due to use of transfer function.
Lines of code Vulnerability details Description ERC20 royalties are paid using payoutTokens and payoutToken functions in PA1D.sol. Unfortunately these functions use ERC20's transfer instead of implementing safeTransfer: for uint256 i = 0; i length; i++ sending = bpsi balance / 10000;...
Pod can (likely) be chosen by miner
Lines of code Vulnerability details Impact The miner can choose the pod with high probability. Proof of Concept The random number generation can be easily influenced by the miner by setting block.timestamp to within an acceptable value ranging some 10-15 consecutive values seconds. Since this is hashe...
Holograph contracts can be deployed by any user successfully through user-crafted signature and signer input
Lines of code Vulnerability details Impact HolographFactory.deployHolographableContract deploys holographable smart contract by accepting config, signature and signer inputs. Due to user input signer passed by the caller, it is possible for signature verification to pass by using the known signer...
MED: leak of value when interacting with an ERC721 enforcer contract
Lines of code Vulnerability details Description HolographERC721.sol is an enforcer of the ERC721 standard. In its fallback function, it calls the actual implementation in order to handle additional logic. If Holographer is called with no calldata and some msg.value, the call will reach the receiv...
Beneficiary loses credit when specifying payment with flag _dontMint = true
Lines of code Vulnerability details Impact In the function processPayment, it will use the provided JBDidPayData to mint to the beneficiary. The payment can specify some flags to help guide how the balance will be used to mint. There is a flag dontMint indicating if the transaction should not mint...
Loss of user funds by balance manipulation
Lines of code Vulnerability details Impact Breaking of the accounting logic, loss of user funds Proof of Concept The project uses LBPair's mint function to mint LBTokens to the user with additional safety checks when the user provides liquidity to the pair...
Upgraded Q -> M from 696 [1666361742731]
Judge has assessed an item in Issue 696 as Medium risk. The relevant finding follows: L05 - Usage of transfer over call to send Ether could cause unexpected Reverts payable(payAddress).transfer(payAmt); // royalty transfer to royaltyaddress The function payEther sends ether via transfer which passes a...
Upgraded Q -> M from 964 [1666360503408]
Judge has assessed an item in Issue 964 as Medium risk. The relevant finding follows: Non-critical: EIP712 signatures on GolomTrader could be replayed in case of blockchain forks The chainId is burnt into EIP712DOMAINTYPEHASH rather than checked each time. This means that signatures could be...
Upgraded Q -> M from 94 [1666365598508]
Judge has assessed an item in Issue 94 as Medium risk. The relevant finding follows: L-04 payEther should use .call instead of .transfer Use of .transfer is no longer encouraged, as it may fail if the receiver has any logic in their receive function, due to the 2300 gas consumption limit...
Uninitialized Storage Variables
Lines of code github.com/jbx-protocol/juice-nft-rewards/blob/f9893b1497098241dd3a664956d8016ff0d0efd0/contracts/JBTiered721DelegateStore.sol#L344 github.com/jbx-protocol/juice-nft-rewards/blob/f9893b1497098241dd3a6649568016ff0d0efd0/contracts/JBTiered721DelegateStore.sol#L1024 Vulnerability details...
JBTiered721DelegateStore: Incorrect calculation of totalRedemptionWeight
Lines of code Vulnerability details Impact In the totalRedemptionWeight function of the JBTiered721DelegateStore contract, the calculation of the weight in the following code is incorrect, and the result of numberOfReservedTokensOutstandingFor should also be multiplied by...
The tier setting parameters are unsafely downcasted from type uint256 to type uint80 / uint48 / uint40 / uint16
Lines of code Vulnerability details Impact The tier setting parameters are unsafely downcasted from uint256 to uint80 / uint48 / uint16. The tier set by the owner is crucial because the parameters affect how the NFT is minted. The callstack is JBTiered721Delegate.solinitialize - StorerecordAddTier...
Using ifAdmin modifier to forcefully interact with implementation contracts via _fallback() call.
Lines of code Vulnerability details Impact The modifier ifAdmin allows internal delegation to the implementation contract if caller is not admin by calling the fallback function which delegates the current call to implementation. This allows a user who is not admin to call to make a transaction...
The arithmetic operator can overflow
Lines of code Vulnerability details Impact It is possible to cause an integer overflow or underflow in the arithmetic operation. Description An overflow/underflow happens when an arithmetic operation reaches the maximum or minimum size of a type. For instance if a number is stored in the uint8...
Underhanded meaning of expirationTime == 0
Lines of code Vulnerability details Impact The pwner of BlurExchange can reject the rigor of code and fulfill the ambiguity of human expression, forcing a reinterpretation of expirationTime == 0 to "no expiration time at all". Unexpirable orders in the vicissitudes of the crypto markets do not...
Passing chain id from outside
Lines of code Vulnerability details Impact Passing chain id from outside. Incorrect chain id can be passed. Proof of Concept Tools Used Static analytics Recommended Mitigation Steps Use assembly to obtain current chain id...
StandardPolicyERC1155.sol doesn't validate the order.amount properly.
Lines of code Vulnerability details Impact StandardPolicyERC1155.sol doesn't validate the order.amount properly. This contract is used to check a policy for matching orders of ERC1155 tokens. But it doesn't check the amount of ERC1155 token properly and traders might lose their funds unexpectedly...
ERC1155's Amount Parameter Manipulation To Steal Buyers' Funds
Lines of code Vulnerability details Vulnerability Details We discovered that a rogue seller i.e., attacker can place an order for selling N amount where N 1 of a specific token id of an ERC-1155 NFT collection. However, when the sell order is fulfilled by a buyer, the attacker would spend only 1...
test
Lines of code http://L1 Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used Recommended Mitigation Steps...
Unchecked transfer/transferFrom return can lead to protocol loss of funds
Lines of code Vulnerability details Impact It is good to add a require statement that checks the return value of token transfers, or to use something like OpenZeppelin's safeTransfer/safeTransferFrom, unless one is sure the given token reverts in case of a failure. Failure to do so will cause silen...
Failed callhook will freeze user funds permanently
Lines of code Vulnerability details Impact If the call hook fails while finalizing the Inbound transfer, user funds will be locked forever with no way to retrieve them. This could cause huge fund loss for users moving funds from L1 to L2 Proof of Concept 1. User A makes a transfer from L1 to L2 using...
After a swap, user can lose input token amount while receiving no output token amount when output token becomes non-existent
Lines of code Vulnerability details Impact When calling the swap function below, the following safeTransfer function is further called for transferring the corresponding value of token from the pool to the recipient. Note that safeTransfer does not check for the existence of the token contract...
Integer overflow in AdaptativeFee
Lines of code Vulnerability details Impact You have to take into account that when using a pragma lower than 0.8.X there is no compiler protection against any overflow. The method AdaptiveFee.exp is vulnerable to an integer overflow. Proof of Concept Using the following recipe: x = uint256.Max g...
VRF v1 is deprecated but v2 has a different interface
Lines of code Vulnerability details Impact Since VRF v2 is replacing v1, the v1 interface might be unavailable some day in the future. Since the v2 interface is different, at that time the functions that depend on VRF v1 will not work. The protocol will not operate due to denial of service. Proof of...
Upgraded Q -> M from 346 [1664289750538]
Judge has assessed an item in Issue 346 as Medium risk. The relevant finding follows:...
ArtGobblers.mintLegendaryGobbler() doesn't delete getApproved[id] for burned tokens.
Lines of code Vulnerability details Impact When a gobbler is burned for a legendary gobbler, both owner and getApproved should be deleted. But getApproved isn't deleted now so users can revive the gobbler again. Proof of Concept Users can set getApproved[id] for the owned NFTs. File:...
The users can steal the Gobbler from the team
Lines of code Vulnerability details Impact In case mintReservedGobblers starts minting, let's say 20 for team + 20 for community, and the loop on batchMint is now at i == 3, now Alice will invoke mintFromGoo to mint one Gobbler and will steal this Gobbler from the team address Proof of Concept Let's say...
Chainlink requests may fail if LINK balance is too low. Reveal feature halted. The unfair disadvantage for holders with unrevealed Gobblers
Lines of code Vulnerability details Impact Chainlink requests may fail if LINK balance is too low. Reveal feature halted. The unfair disadvantage for holders with unrevealed Gobblers Proof of Concept Chainlink VRF V1 oracle works only if the caller has LINK balance high enough to pay the fees. If...
ArtGobblers.sol#L396-L402 : The function "gobblerPrice()" does not check whether the mint has started or not
Lines of code Vulnerability details Impact This could revert due to underflow. Proof of Concept While calculating the gobblerPrice, the function does not check whether the mintStart time has started or not. If it is a future time, calling this could revert. This could affect the mintFromGoo function ...
Some real-world NFT tokens may support both ERC721 and ERC1155 standards, which may break gobble ()
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used Recommended Mitigation Steps...
Re-entrancy risk to Project in ArtGobblers.gobble()
Lines of code Vulnerability details Impact In ArtGobblers.gobble, the function accepts user-controlled input which may create a re-entrancy opportunity in the ERC1155.safeTransferFrom and ERC721.transferFrom external calls. Since the nft parameter is user-controlled, any user can create a maliciou...
High privilege of setWithholdRatio function
Lines of code Vulnerability details Impact With the setWithholdRatio function, most of the funds can be authorized to be confiscated, such authority is too high and can confuse users, If this authority is to be used for commission deduction, it should be clearly stated. Proof of Concept /// @noti...
[NAZ-H1] syncRewards() Can be Front-Run With A Flashloan To Force lastRewardAmount To Equal Zero
Lines of code Vulnerability details Impact A malicious user can front run syncRewards with a flashloan attack to cause lastRewardAmount to equal zero. With this users will lose on rewards until the next rewardsCycleEnd. Proof of Concept 1. Alice calls deposit with 1000 tokens storedTotalAssets =...
Recovererc20 uses transfer -> token transfers do not verify that the tokens were successfully transferred (safeTransfer)
Lines of code Vulnerability details Impact Some tokens do not revert the transaction when the transfer function fails, but return false instead, which requires us to check the return value after calling the transfer function. Given that recoverERC20 can accept any tokens, a token such as ZRX would not reve...
syncRewards() after xERC4626's beforeWithdraw() can result in wrong reward amount
Lines of code Vulnerability details Impact The withdrawal amount will be counted as part of the surplus asset balance mistakenly if block.timestamp = rewardsCycleEnd. Proof of Concept function beforeWithdrawuint256 assets, uint256 shares internal override super.beforeWithdrawassets, shares; // ca...
depositEther function DoS with locking funds
Lines of code Vulnerability details Description There is a depositEther function in the frxETHMinter contract. The function performs multiple deposits to the depositContract. More precisely, the contract calculates the amount of ether that was submitted to it, and everything, except the withheld amount, i...
Upgraded Q -> M from 264 [1663928566317]
Judge has assessed an item in Issue 264 as Medium risk. The relevant finding follows: L-05 Single-step Vetoer transfer is unsafe If the newVetoer is set to the incorrect address, the functionality will be unretrievable. 1 instance of this issue has been found: L-05 NounsDAOLogicV2.sol#L839-L845...
Outdated Claims can be created which will potentially inflate the vested amounts
Lines of code Vulnerability details Overview In creating claims, the VTVLVesting contract uses various time-related variables including startTimestamp and endTimestamp, which determine when the linear vesting starts and ends respectively. This is visible in the createClaim, createClaimsBatch an...
Division Before Multiplication Can Lead To Zero
Lines of code Vulnerability details Impact There is a division before multiplication bug that exists in truncatedCurrentVestingDurationSecs calculations Proof of Concept uint40 truncatedCurrentVestingDurationSecs = currentVestingDurationSecs / claim.releaseIntervalSecs claim.releaseIntervalSecs;...
No check of vesting completion can break the distribution when the admin withdraws tokens
Lines of code Vulnerability details Impact VTVLVesting.sol has a withdrawAdmin function to allow admins to withdraw the unallocated tokens. However, it is not checked whether the vesting is completed. If an uncontrolled withdraw occurs in a FullPremintERC20Token contract, then it would break the...
VariableSupplyERC20Token bypass max supply
Lines of code Vulnerability details Impact When minting the tokens in VariableSupplyERC20Token the mintableSupply is reduced, thus you can bypass the max supply limit once it hits 0 because 0 means unlimited. As far as I understand, the total supply should never reach the cap set in the construct...
The protocol doesn't support fee-on-transfer ERC20 tokens
Lines of code Vulnerability details Impact The withdraw function in the VTVLVesting.sol contract doesn't handle cases where the tokenAddress is a fee-on-transfer ERC20 token. There are ERC20 tokens that may make certain customisations to their ERC20 contracts. One type of these tokens is deflationar...
Potential Impossibility in Creating claims Batch
Lines of code Vulnerability details Overview The createClaimsBatch function of the VTVLVesting contract allows for creation of claims in batch with an unbounded amount of actions. Specifically, the function does not impose a hard cap on the number of elements in the arrays passed as parameters...
Users may not withdraw their tokens.
Lines of code Vulnerability details Impact VTVLVesting's withdraw function has a logic error that impacts the distribution. According to the NATSPEC comment, the users can withdraw their tokens which are fully claimable. However, as per the function's logic users can withdraw their tokens until a...
Improper access control in withdraw at Vault.sol
Lines of code Vulnerability details Impact Anyone can withdraw on behalf of an approved user Proof of Concept Function withdraw at Vault.sol has incorrect access control. As the owner is passed as a parameter, anyone can call withdraw to an approved receiver. This is the same logic used in...
[NAZ-H2] withdraw() does not update allowances
Lines of code Vulnerability details Impact withdraw is meant for the owner or approved receiver to withdraw the owner's deposited assets and burn the owner's shares. Since it does this for all of the owner's shares, the approved receiver should not be approved for all anymore after burning. Proof...
rewards stuck in StakingRewards because of division rounding error in notifyRewardAmount() and rewardPerToken() and updateReward()
Lines of code Vulnerability details Impact In all of the functions notifyRewardAmount, rewardPerToken and updateReward there is a division which causes a division rounding error and makes some rewards stuck in the contract, so users don't get their rewards and would lose funds. Proof of Concept...