10190 matches found
THE amountRemaining IN withdrawAdmin() CAN UNDERFLOW
Lines of code Vulnerability details Impact Allocated tokens can get messed up when the amountRemaining in the withdrawAdmin function underflows in rare cases. This will make 'numTokensReservedForVesting' have a larger amount of funds compared to the funds in the token. This will make it...
Vesting revoke will disallow receiver from receiving already unlocked tokens
Lines of code Vulnerability details Impact Unfair loss of tokens for the receiver. Proof of Concept Vesting is used by employers to align incentives in startups and prevent employees from leaving the company if they want to get the vested tokens. This is why a revoke function was included. From t...
Non-contributor can force contributors to buy the NFT when the contributors no longer want to
Lines of code Vulnerability details Impact For a hyped NFT that is valuable to some users, these users can become contributors to contribute for this NFT through using the BuyCrowdfund contract. Yet, during the crowdfunding phase, the NFT's value drops sharply in which its price drops to 0. At th...
Arbitrary contract call allows attacker to steal from user's wallet
Lines of code Vulnerability details Impact In function prepareGate, in the following line: (bool s, bytes memory r) = address(gateKeeper).call(createGateCallData); A call to an arbitrary contract gateKeeper with custom calldata createGateCallData is made in prepareGate, which means the contract...
Proposer can double spend his votes as many times as he likes, rugging the party
Lines of code Vulnerability details Description Proposals are created using PartyGovernance's propose(proposal, ...) function, and voted on thereafter using accept(proposalId, ...). To make sure users don't vote twice, every proposal has a hasVoted mapping to keep note of votes. The number of votes counted...
Use safeTransferFrom() function instead of transferFrom()
Lines of code Vulnerability details Impact The transferFrom method is used in the contract PartyGovernanceNFT.sol, I however argue that this isn't recommended because: OpenZeppelin's documentation discourages the use of transferFrom, use safeTransferFrom whenever possible Given that any NFT can b...
[NAZ-H2] withdraw() does not update allowances
Lines of code Vulnerability details Impact withdraw is meant for the owner or approved receiver to withdraw the owner's deposited assets and burn the owner's shares. Since it does this for all of the owner's shares, the approved receiver should not be approved for all anymore after burning. Proof...
mapping deletion will not remove the full content
Lines of code Vulnerability details mapping deletion will not remove the full content Summary A deletion in a structure containing a mapping will not delete the mapping see the Solidity documentation. The remaining data may be used to compromise the contract. Proof of Concept Navigate to the...
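The Solidity semantics behind the finding above, as an added illustration (this is not code from the audited project or from the warden): `delete` on a struct zeroes its value-typed members but leaves any mapping member untouched, because the compiler has no way to enumerate its keys. The contract below shows the naive reset that keeps answering `true` after deletion, and one mitigation, a hypothetical per-id generation counter that makes every previously written key unreachable.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Added example: `delete` does not clear mapping members of a struct.
contract MappingDeletion {
    struct Gate {
        uint256 deposit;
        mapping(address => bool) allowed; // survives `delete gates[id]`
    }

    mapping(uint256 => Gate) private gates;

    // Hypothetical mitigation: a generation counter per id. Keys are written under
    // the current generation; bumping it orphans every stale entry at once.
    mapping(uint256 => uint256) public generation;
    mapping(uint256 => mapping(uint256 => mapping(address => bool))) private allowedByGen;

    function allow(uint256 id, address who) external {
        gates[id].allowed[who] = true;
        allowedByGen[id][generation[id]][who] = true;
    }

    /// Naive reset: `deposit` becomes 0, but `allowed[who]` still returns true afterwards.
    function naiveReset(uint256 id) external {
        delete gates[id];
    }

    function isAllowedNaive(uint256 id, address who) external view returns (bool) {
        return gates[id].allowed[who];
    }

    /// Safe reset: bump the generation so no key written before the reset is reachable.
    function safeReset(uint256 id) external {
        delete gates[id];
        generation[id] += 1;
    }

    function isAllowedSafe(uint256 id, address who) external view returns (bool) {
        return allowedByGen[id][generation[id]][who];
    }
}
```

Call `allow(1, alice)`, then `naiveReset(1)`: `isAllowedNaive(1, alice)` is still `true`. With `safeReset(1)`, `isAllowedSafe(1, alice)` is `false` and the stale slot can never be read again. The alternative, tracking the written keys in an array and clearing them one by one, works for small key sets but is gas-unbounded.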
splitRecipient resulting voting power tend to be overstated
Lines of code Vulnerability details When burn computes the contributor's share via getFinalContribution and contributor = splitRecipient it transfers the whole share to the splitRecipient in advance, even when not all the voting power was allocated. I.e. some contributors might not burn and the...
BuyCrowdfund.buy lacks access control
Lines of code Vulnerability details Impact Anyone can call BuyCrowdfund.buy and BuyCrowdfund.buy will call any function at any address and can send eth up to maximumPrice. When maximumPrice is 0, all ETH in the contract can be sent. Consider maximumPrice = 70 ETH, the current seller's listing price...
Malicious party active member can approve malicious contract to spend and steal party ERC1155 nft and ERC20 tokens via arbitrary proposal execution
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Let's look into the implementation in ArbitraryCallsProposal.sol // Check that the call is not prohibited. if (!isCallAllowed(call, isUnanimous, preciousTokens, preciousTokenIds)) revert...
The contract can transfer Ownership to the zero address.
Lines of code Vulnerability details Impact When we use transferOwnership or safeTransferOwnership to transfer contract ownership, there is the possibility of transferring ownership to the zero address. This will cause the owner to lose its ownership permanently. Proof of Concept In Ownable.sol...
Users retain votes from their delegated tokens
Lines of code Vulnerability details Impact When a user has undelegated tokens and delegates them to another user, the owner retains all votes for their tokens, while the delegatee also gains those votes. By chaining this attack together, this could allow a user to generate unlimited votes, taking...
Auction.sol : Treasury(payable) typecasting is missed before setting the treasury address
Lines of code Vulnerability details Impact The contract address will not be set with relevant properties, like payable and contract type. Proof of Concept Auction.sol L79: settings.treasury = treasury; Whereas, in Governor.sol, it is set properly. refer the line, Governor.sol L74: settings.treasu...
Attacker can gain more voting power
Lines of code Vulnerability details Impact An attacker can gain more voting power at a low cost Proof of Concept When voting, voting power is taken from the snapshot at the same block as the proposal was created. The attacker can monitor mempool and borrow NFTs just in time when proposal is made...
User can steal their delegate's votes by receiving new tokens and redelegating
Lines of code Vulnerability details Impact A user is able to steal all the votes of any other user by delegating to them, accumulating additional NFTs to increase balance without increasing delegated votes, and then moving their delegates which is performed based on their balance. Proof of Concep...
Adversary can gain Infinite voting power due to integer overflow
Lines of code Vulnerability details Impact Specifically, ERC721Votes enables users to delegate their voting power to others. Note that when delegating the voting power, the actual token balance will not change. On the other hand, when transferring tokens, the voting power transfers accordingly:...
Overflow on _moveDelegateVotes function
Lines of code Vulnerability details Impact A malicious actor can overflow his number of votes Proof of Concept 0. Alice and Kane each have an NFT token 1. Alice uses delegate function to delegate the vote to Kane 2. Kane uses transferFrom to transfer his token to the address Alice 3. Alice uses...
Users can grief the auction and win it
Lines of code Vulnerability details Impact Users can grief the auction and win it anytime. Proof of Concept A malicious actor who creates bids through his/her smart contract can grief the Auction.sol's createBid function. Let's say that the attacker's contract has a fallback function that griefs t...
Initial spam of proposals
Lines of code Vulnerability details Impact In the initial phase, when not many tokens are minted, a malicious actor can start submitting proposals and later execute them. E.g. when the first token is minted, this first owner can instantly submit proposals to retrieve all the eth back from the...
TribeRedeemer has no way of getting the redeemedToken out
Lines of code Vulnerability details Impact TribeRedeemer has no way of getting the redeemedToken out! The tokens in tokensReceived will be sent in exchange for redeemedToken, but then the received redeemedToken are locked forever in the contract. There is no mechanism to take them out! If this is...
SimpleFeiDaiPSM contract user can lose DAI funds after having their FEI tokens burned
Lines of code Vulnerability details Impact The FEI token contract contains a burnFrom function which allows the BURNER account to burn a given amount of FEI tokens from an account. When a user transfers DAI to the SimpleFeiDaiPSM contract he gets an equivalent amount of FEI tokens in return, those F...
There is no time lock mechanism in RariMerkleRedeemer and constructor of RariMerkleRedeemer contract don't check for maximum value for cTokenExchangeRates, if high value have been set by mistake then attacker can withdraw most of baseToken balance of contract immediately
Lines of code Vulnerability details Impact Exchange rates are used to calculate baseToken amounts that are going to be transferred to the user, if exchange rates are set as a very high number by mistake, an attacker can withdraw baseToken balance of the contract. there should be some checks in th...
The skim function allows to withdraw tokens for any address
Lines of code Vulnerability details Impact Any address can call the skim function and remove tokens that are in excess of the reserves of those tokens. This would lead to the loss of token 0 and 1. Recommended Mitigation Steps You should have an access control so that only the factory, for exampl...
getUnderlyingPrice returns an incorrect value for cUSDC
Lines of code Vulnerability details BaseV1Router01.getUnderlyingPrice(cToken) returns the price of cToken in $NOTE. As per the docs, the function is designed so that cStable coins USDC, USDT, NOTE have prices that are statically set to 1e18. The issue is that USDC uses 6 decimal places of precision...
Tokens with low trading volumes will have distorted time weighting
Lines of code Vulnerability details Proof of Concept Although the docs talk of time weighted values, the actual processing of values by update, reserves, sampleReserves and sampleSupply weights all observations as equal, regardless of duration. So long as update is being called frequently, this...
Upgraded Q -> M from 167 [1662177851548]
Judge has assessed an item in Issue 167 as Medium risk. The relevant finding follows: ...
Cushion bond markets are opened at wall price rather than current price
Lines of code Vulnerability details Impact Incorrect initial bond market price Proof of Concept uint256 initialPrice = range.wall.high.price.mulDiv(bondScale, oracleScale); uint256 initialPrice = invWallPrice.mulDiv(bondScale, oracleScale); In the above lines the initial prices are set to the wall...
Governance: users cannot endorse if they voted, which may cause deadlock
Lines of code Vulnerability details Impact It may cause a deadlock situation. Condition: there is no proposal with enough endorsement; a majority (depending on the endorsement threshold) of votes are locked in the current proposal; the votes for the current proposal are balanced between for and against ...
Lack of check if token is a contract
Lines of code Vulnerability details Impact TransferHelper.sol and solmate won't check if the token is a contract or not. A hacker could set traps for non existing tokens to steal future funds from users. Proof of Concept The safeTransfer functions used in the contract are wrappers around the...
Governance functions relies on the proposal Id which says nothing about the proposal content
Lines of code Vulnerability details Impact There are submitProposal/endorseProposal/activateProposal functions on the Governance smart contract. The functions accept the proposed, which does not contain any information about the proposal. As a result, transactions of users can be front-run. Proof...
[NAZ-M1] Chainlink's latestRoundData Might Return Stale Results
Lines of code Vulnerability details Impact Across these contracts, you are using Chainlink's latestRoundData API, but there is only a check on updatedAt. This could lead to stale prices according to the Chainlink documentation: Historical Price data Checking Your returned answers The result of...
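The finding above notes that only updatedAt is checked. The consumer below is an added example (not code from the audited contracts or from the warden) of reading a Chainlink feed with every field of latestRoundData validated: a positive answer, a non-zero and recent updatedAt, and a round that was actually answered. The heartbeat bound `maxDelay` is an assumed constructor parameter; it must be set from the feed's documented heartbeat, since a too-small value makes every read revert. The answeredInRound >= roundId comparison is the check Chainlink's documentation recommended at the time of these audits; newer feeds document that field as deprecated, so confirm it against the feed in use.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

interface AggregatorV3Interface {
    function decimals() external view returns (uint8);

    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// Added example: a price read that rejects stale, invalid or incomplete rounds.
contract ChainlinkConsumer {
    AggregatorV3Interface public immutable feed;
    uint256 public immutable maxDelay; // assumed: the feed's heartbeat plus a safety margin

    error InvalidPrice(int256 answer);
    error StalePrice(uint256 updatedAt);
    error IncompleteRound(uint80 roundId, uint80 answeredInRound);

    constructor(AggregatorV3Interface _feed, uint256 _maxDelay) {
        feed = _feed;
        maxDelay = _maxDelay;
    }

    /// Returns the latest price in the feed's own decimals, or reverts.
    function getPrice() external view returns (uint256 price) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) = feed.latestRoundData();

        // A zero or negative answer is never a usable price.
        if (answer <= 0) revert InvalidPrice(answer);
        // updatedAt == 0 means the round never completed; an old timestamp means no fresh update.
        if (updatedAt == 0 || block.timestamp - updatedAt > maxDelay) revert StalePrice(updatedAt);
        // An answer carried over from an earlier round has not been refreshed for this one.
        if (answeredInRound < roundId) revert IncompleteRound(roundId, answeredInRound);

        price = uint256(answer);
    }

    /// Convenience: scale the price to 18 decimals regardless of the feed's precision.
    function getPrice18() external view returns (uint256) {
        uint256 raw = this.getPrice();
        uint8 dec = feed.decimals();
        if (dec < 18) return raw * 10 ** (18 - dec);
        if (dec > 18) return raw / 10 ** (dec - 18);
        return raw;
    }
}
```

Reverting on a stale read is the right default for a lending or bonding contract; a protocol that would rather keep operating should fall back to a second oracle rather than to the last stale value.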
USER CAN BLOCK GOVERNANCE VOTING BY SUBMITTING MULTIPLE PROPOSALS
Lines of code Vulnerability details Impact A user can submit multiple proposals and then endorse each one of them to be able to activate them, and because the Governance contract allows only one active proposal, this user will be able to always activate his proposals and thus not allow any othe...
Invalid payout is accepted
Lines of code Vulnerability details Impact In callback function, getMarketInfoForPurchase also returns maxPayout as last argument. This is not compared against outputAmount which means if market asks for higher outputAmount then the contract will simply pay Similar instance Also check the...
Upgraded Q -> M from 61 [1661963759888]
Judge has assessed an item in Issue 61 as Medium risk. The relevant finding follows: ...
Upgraded Q -> M from 253 [1661943600779]
Judge has assessed an item in Issue 253 as Medium risk. The relevant finding follows: ...
check if the refundGas() is successful or not
Lines of code Vulnerability details The user can lose their refundAmount in the transaction field Recommended Mitigation Steps Add check (bool refundSent, ) = msg.sender.call{value: refundAmount}(""); require(refundSent, "Transfer failed."); ...
Withdraw Function hasn't Timelock
Lines of code Vulnerability details Withdraw Function Timelock should be added, it is a very important criterion for investors. ...
Griefing attacks on NounsAuctionHouse
Lines of code Vulnerability details Impact There is internal function safeTransferETH that is called in createBid. The function itself: function safeTransferETH(address to, uint256 value) internal returns (bool) { (bool success, ) = to.call{value: value, gas: 30000}(new bytes(0)); return success; } Please note...
users could not queue a proposal of state succeeded
Lines of code Vulnerability details Impact When a user tries to invoke queue to queue a successful proposal the transaction will fail, the same thing with execute. so there is no execution even if the queued proposal has passed the eta. This error also affects: -Emitting ProposalCreated event on...
Dynamic quorum votes parameters for a proposal (Proposal A) are changed according to another proposal (Proposal B) that proposes to update dynamic quorum votes parameters when Proposal B is executed after Proposal A is created in the same block
Lines of code Vulnerability details Impact The following writeQuorumParamsCheckpoint function is used to record dynamic quorum votes parameters at a block of interest. function writeQuorumParamsCheckpoint(DynamicQuorumParams memory params) internal { uint32 blockNumber = safe32(block.number, 'block...
MISSING INPUT CHECK WHEN SETTING NEW **QuorumCoefficient**
Lines of code Vulnerability details Impact In the setQuorumCoefficient , setDynamicQuorumParams functions when the admin sets a new QuorumCoefficient, there is no check on the newQuorumCoefficient parameter which means that a wrong QuorumCoefficient could be set either being very big or very smal...
Return value of call() not checked
Lines of code Vulnerability details Impact The return value of a message call is not checked. Execution will resume even if the called contract throws an exception. If the call fails accidentally or an attacker forces the call to fail, this may cause unexpected behaviour in the subsequent program...
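Three of the findings above (the refundGas() mitigation, the 30000-gas safeTransferETH in NounsAuctionHouse, and this unchecked call()) are facets of one question: what should happen when an ETH send fails. The contract below is an added example, not the audited code and not the wardens' code, that puts the three answers side by side. The `owed` escrow mapping and the function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Added example: three ways to send ETH, from wrong to griefing-resistant.
contract EthRefunds {
    // Hypothetical pull-payment ledger for sends that could not be completed.
    mapping(address => uint256) public owed;

    event RefundEscrowed(address indexed to, uint256 amount);

    /// Pattern 1 (the bug): the return value is dropped. If `to` reverts or has no
    /// payable fallback, execution continues as if the refund happened and the ETH
    /// stays in this contract with nothing recording who it belongs to.
    function refundUnchecked(address to, uint256 amount) internal {
        to.call{value: amount}("");
    }

    /// Pattern 2 (the usual mitigation): check and revert. The refund can no longer be
    /// silently lost, but a receiver that always reverts now makes this whole
    /// transaction fail, which is exactly the griefing lever in an auction: the
    /// previous bidder can block every new bid that tries to refund them.
    function refundChecked(address to, uint256 amount) internal {
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "Transfer failed.");
    }

    /// Pattern 3: try with a bounded gas stipend, and on failure record a debt the
    /// receiver can pull later. The caller's transaction (a new bid) always succeeds,
    /// and the receiver loses nothing.
    function refundOrEscrow(address to, uint256 amount) internal {
        (bool ok, ) = to.call{value: amount, gas: 30_000}("");
        if (!ok) {
            owed[to] += amount;
            emit RefundEscrowed(to, amount);
        }
    }

    /// Pull side of pattern 3. The balance is zeroed before the external call so a
    /// reentrant call sees nothing left to withdraw.
    function withdrawOwed() external {
        uint256 amount = owed[msg.sender];
        require(amount > 0, "nothing owed");
        owed[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "Transfer failed.");
    }

    receive() external payable {}
}
```

The 30_000 gas cap in pattern 3 is enough for a plain EOA or a fallback that only emits an event, and deliberately too little for a receiver that wants to burn the caller's gas; such a receiver simply ends up in `owed` instead.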
Update initializer modifier to prevent reentrancy during initialization
Lines of code Vulnerability details package.json L32-33 The solution uses: "@openzeppelin/contracts": "^4.1.0", "@openzeppelin/contracts-upgradeable": "^4.1.0", The current implementation of initialize function in both NounsDAOLogicV1.sol and NounsDAOLogicV2.sol are not using initializer modifier...
Losing precision of toShares and toAmount in VaultAccount.sol when doing accounting calculation.
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. the code in VaultAccountingLibrary: function toShares(VaultAccount memory total, uint256 amount, bool roundUp) internal pure returns (uint256 shares) { if (total.amount == 0) { shares = amount; } else { shares =...
ERC20.approve can be error prone. It is known issue. ERC20.sol could not be safe.
Lines of code Vulnerability details Impact ERC20 - approve is not safe. Proof of Concept For approve, the entire contract depends on ERC20.approve assetContract.approve(swapperAddress, borrowAmount); collateralContract.approve(swapperAddress, collateralToSwap); Refer following articles for this issue...
MarketFees's treasury can have potentially a malicious admin
Lines of code Vulnerability details Impact / Proof of Concept In contracts/FoundationTreasury.sol, an attacker can frontrun a call to initialize to register as an admin. If the address of this treasury is shared or is already shared with NFTDropMarket's constructor line 83, then on line 87,...
Unsafe usage of ERC20 transfer and transferFrom
Lines of code Vulnerability details Impact Some ERC20 tokens' functions don't return a boolean, for example USDT, BNB, OMG. So the VotingEscrow contract simply won't work with tokens like that as the token. Proof of Concept The USDT's transfer and transferFrom functions don't return a bool, so t...
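The library below is an added example, not code from the audited projects or from the wardens, covering three token-interaction findings in this list at once: the non-contract "token" trap (Lack of check if token is a contract), the raw approve calls (ERC20.approve can be error prone), and the non-boolean-returning tokens above. It uses a low-level call so that a token returning nothing is accepted, a token returning false is rejected, and an address with no code cannot "succeed" by default. The function selectors are the standard ERC20 ones.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Added example: ERC20 calls that tolerate missing return values but not failures.
library SafeToken {
    error NotAContract(address token);
    error TokenCallFailed(address token, bytes4 selector);

    /// Shared low-level path. A call to an address with no code returns success with
    /// empty data, which is why the code-length check comes first.
    function _call(address token, bytes memory data) private {
        if (token.code.length == 0) revert NotAContract(token);
        (bool ok, bytes memory ret) = token.call(data);
        // Success requires: no revert, and either no return data (USDT-style) or a
        // decoded `true`. Any other return shape is treated as failure.
        if (!ok || (ret.length != 0 && !abi.decode(ret, (bool)))) {
            revert TokenCallFailed(token, bytes4(data));
        }
    }

    function safeTransfer(address token, address to, uint256 amount) internal {
        // transfer(address,uint256)
        _call(token, abi.encodeWithSelector(0xa9059cbb, to, amount));
    }

    function safeTransferFrom(address token, address from, address to, uint256 amount) internal {
        // transferFrom(address,address,uint256)
        _call(token, abi.encodeWithSelector(0x23b872dd, from, to, amount));
    }

    /// Reset to zero before setting a new value: USDT rejects a non-zero -> non-zero
    /// change. This is a compatibility measure; it does not by itself remove the
    /// classic approve front-running race, which needs an increase/decrease style API.
    function safeApprove(address token, address spender, uint256 amount) internal {
        // approve(address,uint256)
        _call(token, abi.encodeWithSelector(0x095ea7b3, spender, 0));
        if (amount != 0) {
            _call(token, abi.encodeWithSelector(0x095ea7b3, spender, amount));
        }
    }
}

/// Usage sketch for the library above.
contract Escrow {
    using SafeToken for address;

    function pull(address token, uint256 amount) external {
        token.safeTransferFrom(msg.sender, address(this), amount);
    }

    function push(address token, address to, uint256 amount) external {
        token.safeTransfer(to, amount);
    }
}
```

If a project already depends on OpenZeppelin, its SafeERC20 implements the same rules (including the contract-existence check via Address.functionCall) and should be preferred over a hand-rolled copy; the version above exists to make the three checks visible in one place.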
[H1] Some admins functions are unusable because of misuse of variables in upgradeable contracts
Lines of code Vulnerability details Impact: Admin functions in NFTCollectionFactor.sol are unusable through a proxy Proof of Concept: Upgradeable contracts can use neither constructors nor immutable variables. The reason for that is they work behind a proxy which calls them using...
User cannot withdraw locked funds at all after unlock time has passed if delegated to someone else. Results in huge economic loss.
Lines of code Vulnerability details Impact User cannot withdraw locked funds at all after unlock time has passed if delegated to someone else. Results in huge economic loss as the user can't get their delegated underlying token back. In the document it is said that locks need to be undelegated firs...