10190 matches found
_payoutToken[s]() is not compatible with ERC20-tokens which revert on zero value transfer
Lines of code Vulnerability details Impact Payout is blocked. Proof of Concept PA1D.payoutToken and PA1D.payoutTokens call ERC20.transfer to send tokens to a list of payout recipients. Some tokens e.g. LEND revert when transferring a zero value amount. If one of the recipients is to receive a zer...
# Divide before multiply affects precision
Lines of code Vulnerability details Divide before multiply affects precision Impact Solidity integer division might truncate. As a result, performing multiplication before division can sometimes avoid loss of precision. Details In general, this is a problem due to precision. In this case, it also...
Missing support of non-standart ERC20
Lines of code Vulnerability details Vulnerability details Description In functions of PA1D and HolographOperator contracts there is logic relying on the fact that tokens implemented ERC20 standard especially, that transfer and transferFrom functions of the tokens returns bool result. But in...
Royalties cannot be collected for many ERC20 tokens (USDT, BNB and many more) due to use of transfer function.
Lines of code Vulnerability details Description ERC20 royalties are paid using payoutTokens and payoutToken functions in PA1D.sol. Unfortunately these functions use ERC20's transfer instead of implementing safeTransfer: for uint256 i = 0; i length; i++ sending = bpsi balance / 10000;...
Holograph contracts can be deployed by any user successfully through user-crafted signature and signer input
Lines of code Vulnerability details Impact HolographFactory.deployHolographableContract deploys holographable smart contract by accepting config, signature and signer inputs. Due to user input signer passed by the caller, it is possible for signature verification to pass by using the known signer...
MED - Royalty system couples receiving address and collection request address, which may cause marketplaces to not be able to collect.
Lines of code Vulnerability details Description Royalties are managed in PA1D.sol. Owner configures several addresses which will get percentages of tokens owned by the contract. However, to receive the payout caller must be one of the eligible addresses, or the owner. This is an issue because the...
MED: leak of value when interacting with an ERC721 enforcer contract
Lines of code Vulnerability details Description HolographERC721.sol is an enforcer of the ERC721 standard. In its fallback function, it calls the actual implementation in order to handle additional logic. If Holographer is called with no calldata and some msg.value, the call will reach the receiv...
An attacker can lock operator out of the pod by setting gas limit that's higher than the block gas limit of dest chain
Lines of code Vulnerability details When a beaming job is executed, there's a requirement that the gas left would be at least as the gasLimit set by the user. Given that there's no limit on the gasLimit the user can set, a user can set the gasLimit to amount that's higher than the block gas limit...
Balance is not checked before reduction
Lines of code Vulnerability details Impact When decreasing the tier balance for the sender as follows, --tierBalanceOfmsg.senderfromtierId; it is not checked whether the balance is more than 0. So even the balance is 0, the transfer performs successfully, and results in wrong total supply and...
JB721Delegate#initialize _fundingCycleStore lack of zero address check can lead to redeployment
Lines of code Vulnerability details Impact initialize function does not check that fundingCycleStore is not zero. Given that state variable fundingCycleStore can not be set anywhere else, setting it to zero can lead to contract redeployment POC The deployer mistakenly call JB721Delegateinitialize...
trader-joe-v2 does not provide any mechanism to handle the pairs with different decimal values.
Lines of code Vulnerability details Impact Joe could not able to provide the swapping/staking for pair of tokens with different decimal values. Proof of Concept To my knowledge based on the code analys, nowhere I saw the handling for pairs with different decimal values. Tools Used Vs code and joe...
Uninitialized local variable uint256 _i
Lines of code Vulnerability details Impact Uninitialized local variable uint256 i is a variable that was declared inside a function but it was not assigned a value. It contains default value for that data type. Using an uninitialized variable in an expression may give unexpected results or cause...
Upgraded Q -> M from 964 [1666360503408]
Judge has assessed an item in Issue 964 as Medium risk. The relevant finding follows: Non-critical: EIP712 signatures on GolomTrader could be replayed in case of blockchain forks The chainId is burnt into EIP712DOMAINTYPEHASH rather than checked each time. This means that signatures could be...
Upgraded G -> M from 553 [1666369528441]
Judge has assessed an item in Issue 553 as Medium risk. The relevant finding follows: 01 - payEther use transfer instead of call Replace line 154 for payablepayAddress.callvalue: payAmt"" Reason --- The text was updated successfully, but these errors were encountered: All reactions...
Owner can set lockUntil to a very large timestamp to create not-removeable tier and not-pause-able tier
Lines of code Vulnerability details Impact Owner can set lockUntil to a very large timestamp to create not-removeable tier. when a tier is created, the owner can set lockUntil parameter @member lockedUntil The time up to which this tier cannot be removed or paused. when the owner call adjustTier,...
Upgraded Q -> M from 220 [1665830289014]
Judge has assessed an item in Issue 220 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
Upgraded Q -> M from 160 [1665775526819]
Judge has assessed an item in Issue 160 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
Signature malleability not protected against
Lines of code Vulnerability details Vulnerability details OpenZeppelin has a vulnerability in versions lower than 4.7.3, which can be exploited by an attacker. The project uses a vulnerable version ECDSA signature malleability package.jsonL27-L28 package.jsonL27-L28 : "@openzeppelin/contracts":...
Use OpenZeppelin's safeTransferFrom instead of transferFrom when transferring ERC20 tokens
Lines of code Vulnerability details Impact In this case, since GRT token is used, the current implementation of GRT does have a return value for transferFrom and reverts on failure, but the same cannot be said for many other ERC20 tokens in the wild. OpenZeppelin recommends to always use...
Dangerous calls _transferTo function
Lines of code Vulnerability details Impact Dangerous calls transferTo function Proof of Concept transferToaddress,address,address,uint256 contracts/BlurExchange.sol496-515 sends eth to arbitrary user Dangerous calls: - addressto.transferamount contracts/BlurExchange.sol508 Recommended Mitigation...
Lack Of A Safety Mechanism For Deducting Selling Fees
Lines of code Vulnerability details Vulnerability Details The transferFees function of the BlurExchange contract calculates and transfers selling fees to multiple fee receivers as shown in L477 - 478 in code snippet 1. The selling fees would be deducted from the selling price. In other words, a...
Critical matching policy logic is unenforced
Lines of code Vulnerability details Impact Malicious order matching. Proof of Concept When being executed two orders are matched using custom matching policies. Certain checks are critical for every order matching. Currently these checks would have to be implemented in the matching policies...
test
Lines of code http://L1 Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used Recommended Mitigation Steps...
Unchecked transfer/transferFrom return can lead to protocol lose of funds
Lines of code Vulnerability details Impact It is good to add a require statement that checks the return value of token transfers or to use something like OpenZeppelin's safeTransfer/safeTransferFrom unless one is sure the given token reverts in case of a failure. Failure to do so will cause silen...
Upgraded Q -> M from 418 [1665255821676]
Judge has assessed an item in Issue 418 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
It is possible that, after swapping, extra input token amount is transferred from user to pool but pool does not give user output token amount that corresponds to the extra input token amount
Lines of code Vulnerability details Impact When calling the swap function below, the following swapCallback function is further called for calling the algebraSwapCallback function in the callee contract, which is msg.sender; such contract could be implemented by a third party especially for...
Use of globalState.unlocked state change outside lock modifier allows for Re-entrancy which would cause huge loss to pool
Lines of code Vulnerability details I guess I can put this into one report since the issue affects two seperate functions in a contract. Impact The functions AlgebraPool.swap and AlgebraPool.swapSupportingFeeOnInputTokens attempt to not use the lock modifier to update the globalState.unlocked sta...
tickCumulative may be overflow. New timepoints can't be created and the system will be completely broken.
Lines of code Vulnerability details Impact tickCumulative may be overflow. New timepoints can't be created and the system will be completely broken. Proof of Concept Write function call createNewTimepoint. createNewTimepoint increases cumulative value. function createNewTimepoint Timepoint memory...
Integer overflow in AdaptativeFee
Lines of code Vulnerability details Impact You have to take into account that when using a pragma lower than 0.8.X there is no compiler protection against any overflow. The method AdaptiveFee.exp is vulnerable to an integer overflows. Proof of Concept Using the following recipe: x = uint256.Max g...
Gobbler is missing onERC721Received, gobble feeding use transferFrom which is not safe.
Lines of code Vulnerability details Impact Gobbler is missing onERC721Received, gobble feeding use transferFrom which is not safe. Proof of Concept contract ArtGobblers is GobblersERC721, LogisticVRGDA, Owned, ERC1155TokenReceiver isERC1155 ? ERC1155nft.safeTransferFrommsg.sender, addressthis, id...
Re-entrancy risk to Project in ArtGobblers.gobble()
Lines of code Vulnerability details Impact In ArtGobblers.gobble, the function accepts user controlled input which may create re-entrancy opportunity in the ERC1155.safeTransferFrom and ERC721.transferFrom external calls . Since the nft parameter is user-controlled, any user can create a maliciou...
IntegerOverflow Underflow on AdaptiveFee
Lines of code Vulnerability details The AdaptiveFee uses raw calculation on all functions which are potentially vulnerable to integer Overflow and Underflow. Recommended Mitigation Steps Use Safemath library or Upgrade contract to solidity version above 0.8.0 --- The text was updated successfully...
The users can steal the Gobbler from the team
Lines of code Vulnerability details Impact In case mintReservedGobblers start minting let's say 20 for team + 20 for community And the loop on batchMint is now i == 3 Now Alice will invoke mintFromGoo to mint one Gobbler he will steal this Gobbler from the team address Proof of Concept Letβs say...
Users can recover already burned gobblers after minting a legendary gobbler.
Lines of code Vulnerability details Impact Users can recover already burned gobblers after minting a legendary gobbler. The main flaw is that it doesn't reset getApprovedid here. As a result, users can have more emissionMultiple than they should by recovering the burned gobblers. Proof of Concept...
Upgraded Q -> M from 182 [1664281111530]
Judge has assessed an item in Issue 182 as Medium risk. The relevant finding follows: L00: Usage of transfer to send eth The transfer function has a fixed gas stipend of 2300. If a contract as well as EOA can call the function, it is advised to use call function instead of transfer. Here are...
Some real-world NFT tokens may support both ERC721 and ERC1155 standards, which may break gobble ()
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used Recommended Mitigation Steps --- The...
Users can mint legendary gobbler without losing any gobblers
Lines of code Vulnerability details Impact In ArtGobblers.mintLegendaryGobbler function, it mints a legendary gobbler by burning multiple standard gobblers. But instead of call burn, it just set getGobblerDataid.owner = address0. All the data of the standard gobbler will stay the same, included...
Upgraded Q -> M from 399 [1664289734798]
Judge has assessed an item in Issue 399 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
GOO tokens will be locked inside the GobblerReserve contract.
Lines of code Vulnerability details Impact GOO will be locked inside the GobblerReserve contract. This contract is used as a reserve contract for the team and community and the minted gobblers will produce GOO tokens continuously. But there is no logic to withdraw or transfer the GOO tokens. Proo...
Community/Team owner can steal gobbler by sending it to arbitrary address
Lines of code Vulnerability details Impact A malicious owner can steal all of its reserved gobbler. This is possible because owner can send reserved gobbler by withdraw function to ANY ARBITRARY ADDRESS. Proof of Concept owner can set any address to to parameter of withdraw function of...
When minting legendary NFT, non-legendary NFTs are burned, but burned token approval is not revoked, burned NFT TokenURI still accessible after burning.
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. When minting legendary NFT, non-legendary NFTs are burned, only the owner of the burned nft is set to 0, emit Transfermsg.sender, getGobblerDataid.owner = address0, id; but burned token approval is not...
High privilege of setWithholdRatio function
Lines of code Vulnerability details Impact With the setWithholdRatio function, most of the funds can be authorized to be confiscated, such authority is too high and can confuse users, If this authority is to be used for commission deduction, it should be clearly stated. Proof of Concept /// @noti...
Low level call returns true if the address doesn't exist
Lines of code Vulnerability details Impact As written in the solidity documentation, the low-level function call returns true as its first return value if the address called is non-existent, as part of the design of the EVM. Address existence must be checked prior to calling if needed. Since the...
syncRewards() after xERC4626's beforeWithdraw() can result in wrong reward amount
Lines of code Vulnerability details Impact The withdrawal amount will be counted as part of the surplus asset balance mistakenly if block.timestamp = rewardsCycleEnd. Proof of Concept function beforeWithdrawuint256 assets, uint256 shares internal override super.beforeWithdrawassets, shares; // ca...
Recovererc20 uses transfer -> token transfers do not verify that the tokens were successfully transferred (safeTransfer)
Lines of code Vulnerability details Impact Some tokens do not revert the transaction when the transfer function fails or return false. Which requires us to check the return value after calling the transfer function. Given that recoverERC20 can accept any tokens. A token such as ZRX would not reve...
_releaseIntervalSecs is not validated
Lines of code Vulnerability details Impact VTVLVesting.sol has createClaimUnchecked function to create the claims internally while validating parameters with the users' allocations. However, releaseIntervalSecs is not validated comparing to user's linearVestAmount and startTimestamp endTimestamp...
The bytes allocated to linearVestAmount is too small in the struct VTVLVesting.Claim
Lines of code Vulnerability details Impact In baseVestedAmount of VTVLVesting.sol, when we calculate the vested amount, vestAmt is the sum of cliffAmount and linearVestAmount. linearVestAmount is calculated from the fraction of completed interval as follows. uint112 linearVestAmount =...
Outdated Claims can be created which will potentially inflate the vested amounts
Lines of code Vulnerability details Overview In creating claims, the VTVLVesting contract uses various time related variables including startTimestamp and endTimestamp which determines when the linear vesting starts and ends consecutively. This is visible in the createClaim , createClaimsBatch an...
Potential Impossibility in Creating claims Batch
Lines of code Vulnerability details Overview The createClaimsBatch function of the VTVLVesting contract allows for creation of claims in batch with an unbounded amount of actions. Specifically, the function does not impose a hard cap on the number of elements in the arrays passed as parameters...
Users may not withdraw their tokens.
Lines of code Vulnerability details Impact VTVLVesting's withdraw function has a logic error that impacts the distribution. According to the NATSPEC comment, the users can withdraw their tokens which are fully claimable. However, as per the function's logic users can withdraw their tokens until a...