It's possible to underflow votes using delegate and delegateBySig in ERC721Votes.sol
Lines of code Vulnerability details Impact It is possible to generate an underflow in ERC721Votes.sol L216, mainly because it is wrapped in an unchecked block. prevTotalVotes could be lower than amount, so this will generate an underflow; writeCheckpoint(from, nCheckpoints, prevTotalVotes, prevTotalVot...
Users could keep increasing the voting weight with just one NFT
Lines of code Vulnerability details Impact With only one NFT the user can keep increasing the voting weight on different addresses Proof of Concept 1- Let's say Alice has one NFT 2- She delegates to Bob 3- Alice invokes transferFrom to Richard 4- Richard invokes delegate to Bob So now Bob has two...
It is possible to add more than 15 properties
Lines of code Vulnerability details The total number of properties is limited to 15 or fewer by hard-coding at the storage-structure level. At the same time, it is possible to add an unlimited number of properties with MetadataRenderer's addProperties. If this happens, with malicious intent ...
createBid call front-running
Lines of code Vulnerability details Description There is a createBid function in the Auction contract. The function accepts the tokenId, which does not contain any information about the token itself. As a result, users' transactions can be front-run to force a user to make a bid for the token with...
Attacker can gain more voting power
Lines of code Vulnerability details Impact An attacker can gain more voting power at a low cost Proof of Concept When voting, voting power is taken from the snapshot at the same block in which the proposal was created. The attacker can monitor the mempool and borrow NFTs just in time when a proposal is made...
NFT could be locked in settlement
Lines of code Vulnerability details Impact transferFrom is used to transfer the NFT in settlement. If the receiver is a contract without an appropriate way to handle the NFT, the NFT might be locked there and be unretrievable. Proof of Concept There is no check whether the receiver can deal with the NFT if it ...
Allowing multiple checkpoints in a single block can be abused to increase voting power on select proposals
Lines of code Vulnerability details Impact Votes can be multiplied, allowing for governance attacks Proof of Concept // Get the pointer to store the checkpoint Checkpoint storage checkpoint = checkpoints[account][id]; // Record the updated voting weight and current time checkpoint.votes =...
Potential underflow in _moveDelegateVotes()
Lines of code Vulnerability details Impact An attacker could get type(uint192).max of voting weight, so he can create a proposal to withdraw an amount from Treasury.sol and pass the proposalThreshold without needing anyone else Proof of Concept 1- Attacker buys one NFT and transfers it to addr1 2-...
User can steal their delegate's votes by receiving new tokens and redelegating
Lines of code Vulnerability details Impact A user is able to steal all the votes of any other user by delegating to them, accumulating additional NFTs to increase their balance without increasing delegated votes, and then moving their delegation, which is performed based on their balance. Proof of Concep...
The result of getPastVotes can differ from one call to the next
Lines of code Vulnerability details Impact In moveDelegateVotes of ERC721Votes.sol, we write a checkpoint every time, so there might be several checkpoints with the same timestamp. In that case, when we get past votes in getPastVotes, we use binary search by timestamp. But there might be several...
Proposal can be executed unlimited number of times
Lines of code Vulnerability details There is no executed flag for proposals, so one can be executed an arbitrary number of times. This has critical impact: for example, a proposal to send out 10 ETH can be run 10 times, transferring 100 ETH. Apart from the malicious Owner case, this also...
Overflow in _moveDelegateVotes function
Lines of code Vulnerability details Impact A malicious actor can overflow his number of votes Proof of Concept 0. Alice and Kane each have an NFT token 1. Alice uses the delegate function to delegate her vote to Kane 2. Kane uses transferFrom to transfer his token to Alice's address 3. Alice uses...
Adversary can gain infinite voting power due to integer overflow
Lines of code Vulnerability details Impact Specifically, ERC721Votes enables users to delegate their voting power to others. Note that when delegating voting power, the actual token balance does not change. On the other hand, when transferring tokens, the voting power transfers accordingly:...
Malicious pausing of the contract
Lines of code Vulnerability details Description There is a createAuction function in the Auction contract. It contains the following logic: /// @dev Creates an auction for the next token function createAuction() private { // Get the next token available for bidding try token.mint...
The users could duplicate their voting weight
Lines of code Vulnerability details Impact Any user who has an NFT could duplicate their voting weight at any time Proof of Concept 1- Alice has one NFT 2- She invokes delegate and passes her own address as to 3- in delegate, both from and to are Alice's address (from == to) 4- in moveDelegateVotes, from is the...
ERC721Votes: Token owners can double voting power through self delegation
Lines of code Vulnerability details The owner of one or many ERC721Votes tokens can double their voting power once, and only once, by delegating to their own address as their first delegation. Scenario This exploit relies on the initial default value of the delegation mapping in ERC721Votes, which ...
DoS in Governor.sol
Lines of code Vulnerability details Impact An attacker can cancel proposals. Proof of Concept The proposal ID depends on 4 variables: targets, values, calldatas, and descriptionHash. The problem is that once a proposal is proposed and the proposal ID is stored, no matter whether the proposal is execute...
Users can grief the auction and win it
Lines of code Vulnerability details Impact Users can grief the auction and win it anytime. Proof of Concept A malicious actor who creates bids through his/her smart contract can grief Auction.sol's createBid function. Let's say that the attacker's contract has a fallback function that griefs t...
Token may be lost permanently when the highest bid is made by a contract
Lines of code Vulnerability details Impact While an auction is happening, there are no checks on who can participate in createBid. In order to work well, the contract needs to confirm that the bidder is capable of receiving ERC721 tokens, or else their token may be permanently lost. After a bidder decided to be th...
Initial spam of proposals
Lines of code Vulnerability details Impact In the initial phase, when not many tokens are minted, a malicious actor can start submitting proposals and later execute them. E.g. when the first token is minted, this first owner can instantly submit proposals to retrieve all the ETH back from the...
founderPct variable cast
Lines of code Vulnerability details Description There is an addFounders function in the Token contract. It accepts an array of FounderParams as input. For each founder it uses founderPct as a variable to store the percent ownership for that founder. It is unsafe to cast it from uint256 to uint8 in...
_safeMint() should be used rather than _mint() wherever possible
Lines of code Vulnerability details _safeMint should be used rather than _mint wherever possible Impact In Token.sol, ERC721 _mint is eventually called. Calling _mint this way does not ensure that the receiver of the NFT is able to accept it, making it possible to lose it. _safeMint should be...
The voting power cannot be returned deterministically, if there are multiple checkpoints sharing the same timestamp
Lines of code Vulnerability details Impact Specifically, when writing a checkpoint, the code does not check whether the latest checkpoint is also in the current block. Consider a user who makes multiple token transfers: the ERC721Votes contract will record multiple checkpoints with the same...
Founders may not receive their vesting allocations
Lines of code Vulnerability details Impact In addFounders the vesting allocations are distributed among the first one hundred nouns according to their ownership percentage. These first one hundred represent the token IDs modulo 100 that should be minted to the nounders, which is how it is...
User can get unlimited votes
Lines of code Vulnerability details Impact afterTokenTransfer in ERC721Votes transfers votes between user addresses instead of the delegated addresses, so a user can cause an overflow in moveDelegates and get unlimited votes Proof of Concept function afterTokenTransfer(address from, address to,...
ERC721Votes.sol checkpoints' timestamp is not unique, which leads to manipulation of the amount of votes
Lines of code Vulnerability details Impact getPastVotes uses the binary search algorithm, which returns the result if it encounters the same timestamp, and since timestamps are not unique in the array, the number of votes can be controlled by adding checkpoints to locate any one of the same...
baseTokenId variable calculation
Lines of code Vulnerability details Description There is an addFounders function in the Token contract. There is the following loop: // Used to store the base token id the founder will receive uint256 baseTokenId; // For each token to vest: for (uint256 j; j < founderPct; ++j) { // Get the available token...
NFT flashloan against governance voting
Lines of code Vulnerability details Impact Specifically, to support a proposal, the voting power is counted at the time of the proposal creation. However, there are multiple services that support NFT flash loans, e.g., NFTuloan. Since the voting power is counted at the proposal creation time,...
Deployment flow doesn't work
Lines of code Vulnerability details Impact The deployment flow is based on the concept that the ZORA team can deploy implementation contracts and users will be able to deploy proxies. However, because manager is immutably set in the implementation contracts, this entire system will not work. Proo...
User fund loss in redeem() of RariMerkleRedeemer because of a division rounding error in previewRedeem(), which is used in _redeem() and _multiRedeem()
Lines of code Vulnerability details Impact Because of the division rounding error in calculating the baseToken amount, when users try to redeem, they receive less baseToken for the amount of cToken they transferred to the RariMerkleRedeemer contract. This bug is more critical when cToken is a very...
User's cToken could be locked in _claim()
Lines of code Vulnerability details Impact The function claim can only be called once to set the claim amount, but if the user's balance of the cToken is updated later, whether by an increase or a decrease, the functionality of claim and redeem will break. In the case that later some cToken is transferred ...
_claim function vulnerable to cross-chain-replay attacks
Lines of code Vulnerability details If there's a fork, since anyone can call claim, an attacker can monitor the blockchain for calls to claim, and then make the same call with the same arguments on the other chain. Proof of Concept There are no EIP-712 protections in the encoding: bytes32 leafHas...
TribeRedeemer.redeem() might revert for revert-on-zero-value-transfers tokens.
Lines of code Vulnerability details Impact TribeRedeemer.redeem might revert for revert-on-zero-value-transfers tokens. Currently, it doesn't check whether the transfer amount is zero, and it might revert for some weird tokens. Proof of Concept As we can see here, some ERC20 tokens don't allow to...
DoS with (Unexpected) revert or Gas Limit DoS on a Contract via Unbounded Operations
Lines of code Vulnerability details Impact According to SWC-113, external calls can fail accidentally or deliberately, which can cause a DoS condition in the contract. To minimize the damage caused by such failures, it is better to isolate each external call into its own transaction that can be...
It can underflow
Lines of code Vulnerability details Category Data Validation Impact If amountIn is greater than redeemBase, an underflow happens and reverts the transaction. Proof of Concept The value of amountIn can be set by users, so it can underflow. e.g. redeemBase = 5; redeem(address(test), 10) This...
Contract TribeRedeemer: User might not redeem with a large amount
Lines of code Vulnerability details 2022-09-tribe Contract TribeRedeemer: User might not redeem with a large amount tags: c4, 2022-09-tribe, medium Affected code Impact After many redemptions from contract TribeRedeemer, redeemBase will be reduced and might no longer be large. Then users cannot rede...
A reverting token transfer will lock all payouts.
Lines of code Vulnerability details Impact A reverting fallback function will lock all payouts. Proof of Concept External calls can fail accidentally or deliberately, which can cause a DoS condition in the contract. To minimize the damage caused by such failures, it is better to isolate each...
TribeRedeemer has no way of getting the redeemedToken out
Lines of code Vulnerability details Impact TribeRedeemer has no way of getting the redeemedToken out! The tokens in tokensReceived will be sent in exchange for redeemedToken, but then the received redeemedToken are locked forever in the contract. There is no mechanism to take them out! If this is...
Can easily bypass the require by modifying a parameter
Lines of code Vulnerability details Impact Users can easily bypass the require statements inside the redeem function in SimpleFeiDaiPSM.sol by modifying a parameter. The require(amountFeiOut >= minAmountOut, ...) and require(amountOut >= minAmountOut, ...) statements can be bypassed easily since the two...
Wrong exchange rates after some time, because it's not possible to change exchangeRates after contract deployment; the rates can change after some time in real life, but it's not possible to change the rates in the contract
Lines of code Vulnerability details Impact Exchange rates are used to calculate the amounts of baseToken users receive for their cTokens. Exchange rates are set when the contracts get deployed, but it's not possible to change them after some time, so users would get the wrong exchange rates after some ti...
Possible griefing using a replay attack
Lines of code Vulnerability details Users who want to use the redeem function have to set a value for amountIn; this value can't be more than redeemBase, which is set in the contract's constructor. The value of redeemBase will decrease in case of a successful call of redeem. While the contract's solidity...
TribeRedeemer.redeem assets can be lost in case of a malicious token
Lines of code Vulnerability details Impact The function redeem(address to, uint256 amountIn), to calculate the amount of redemption tokens, in turn calls code that in the case of a malicious token will always revert: contract BadBadERC20 is ERC20, ERC20Burnable { constructor() ERC20("BadToken", "BDT") {} function...
Contract TribeRedeemer: redeemBase should have a setter function
Lines of code Vulnerability details 2022-09-tribe Contract TribeRedeemer: redeemBase should have a setter function tags: c4, 2022-09-tribe, high Affected code Impact Contract TribeRedeemer doesn't have a setter function for redeemBase, so redeemBase cannot be adjusted if necessary. Contract wil...
In function redeem() of TribeRedeemer users would receive less funds because of a rounding error in the division in previewRedeem()
Lines of code Vulnerability details Impact The function previewRedeem in TribeRedeemer is used to calculate the amounts of tokens the user would receive for what the user transfers as redeemedToken. The user would receive a ratio of the token balance of the contract, where the ratio is equal to amountIn ...
redeem will fail if one tokenReceived has a zero balance
Lines of code Vulnerability details Impact redeem will always revert if one received token has a zero balance, and the user will not be able to redeem their tokens, so the tokens will be locked in that contract. Proof of Concept Suppose user A wants to redeem the tokens P, Q, R, so user A will call redeem...
Potential DoS in _claim()
Lines of code Vulnerability details Impact An attacker could call claim in an infinite loop to conduct a DoS attack. Proof of Concept Here is the implementation of claim: // User provides the cToken & the amount they should get, and it is verified against the merkle root for that cToken ///...
Contract RariMerkleRedeemer: all cTokens and leftover baseToken will be locked in the contract forever.
Lines of code Vulnerability details 2022-09-tribe Contract RariMerkleRedeemer: all cTokens and leftover baseToken will be locked in the contract forever. tags: c4, 2022-09-tribe, high Affected code Impact The contract does not have a direct withdraw function for any token, so all of the cTokens that...
Tokens with fee on transfer are not supported
Lines of code Vulnerability details Impact There are ERC20 tokens that charge a fee for every transfer or transferFrom. If these tokens are unsupported, ensure there is proper documentation about it. Proof of Concept 6 instances in 2 files: contracts/shutdown/fuse/RariMerkleRedeemer.sol...
External Calls inside loops of _multiRedeem & redeem function may cause Denial of Service
Lines of code Vulnerability details Impact Calls inside loops may lead to DoS. Proof of Concept Calls to external contracts inside a loop are dangerous, especially if the loop index can be user-controlled, because they could lead to DoS if one of the calls reverts or execution runs out of gas...
Function getRedeemAmountOut can't deliver what it should
Lines of code Vulnerability details Proof of Concept The function getRedeemAmountOut can't deliver what it should, since it has @param uint256 amountIn and returns amountIn, which clearly should be amountFeiIn. So the calculation would deliver a wrong value. Tools Used Manual Review...