Potential scenario where an attacker can steal a user's gas refund

Lines of code Vulnerability details Impact Anybody is allowed to add gas for a specific tx. I was trying to figure out whether the following scenarios are possible: 1. Alice sends a public tx where she deposits some gas and calls the gateway contract after 2. Bob, the attacker, catches that...

easy to craft input to execute commands that are not SELECTOR_TRANSFER_OPERATORSHIP

Lines of code Vulnerability details Impact For AxelarGateway.execute , the signed messageHash is only used to validateProof for currentOperators , so anyone can craft input to execute commands other than SELECTORTRANSFEROPERATORSHIP. Impact of above would allow anyone to be able to be approved to...

Anyone can self-destruct this contract.

Lines of code Vulnerability details Impact High Unprotected call to a function executing selfdestruct/suicide. Proof of Concept DepositHandler.destroyaddress contracts/DepositHandler.sol28-30 allows anyone to destruct the contract. Once the contract is unlocked through the noReenter modifier,...

No storage gap for Upgradable contract might lead to storage slot collision

Lines of code Vulnerability details Impact For upgradeable contracts, there must be storage gap to “allow developers to freely add new state variables in the future without compromising the storage compatibility with existing deployments” quote OpenZeppelin. Otherwise it may be very difficult to...

# Refund wont function as intended to refund the desired token in some cases

Lines of code Vulnerability details Refund wont function as intended to refund the desired token in some cases Impact The rationale behind refund is only let the refundAddress to call refund the specific token. But according to current code Anyone else can call the refund function. Other tokens c...

No Storage Gap for Upgradeable Contract Might Lead to Storage Slot Collision

Lines of code Vulnerability details Impact For upgradeable contracts, there must be storage gap to "allow developers to freely add new state variables in the future without compromising the storage compatibility with existing deployments" quote OpenZeppelin. Otherwise it may be very difficult to...

XC20Wrapper.sol can be hijacked via Upgradable.sol#setup

Lines of code Vulnerability details Impact XC20Wrapper.sol can be hijacked at any time Proof of Concept function setupbytes calldata data external override // Prevent setup from being called on the implementation if implementation == address0 revert NotProxy; setupdata; function setupbytes callda...

Attacker can empty vaults

Lines of code Vulnerability details Impact Both MIMOEmptyVault and MIMOLeverage contracts share same signature/definition, an attacker can gain control of EmptyVault contract, issue a flash loan, and empty the vaults. Proof of Concept See the test below. In below test, EmptyVault contract is...

Malicious relayer can execute stale transactions by spoofing validator weights/threshold in proof

Lines of code Vulnerability details Impact Transaction is submit with wrong validator information, allowing stale commands to be executed Proof of Concept This vulnerability is a result of allowing msg.sender to provide key information identifying operators. First we need to understand how the...

delegate modifies old checkpoint

Lines of code Vulnerability details Impact VoteEscrow tokens are used as voting tokens for a GovernorAlpha governance. It shouldn't be possible to modify an old meaning for blocks older than block.number checkpoint, otherwise it's possible to buy tokens just to vote for a proposal and then sell...

User is unable to remove delegation and transfer NFT

Lines of code Vulnerability details Impact The transferFrom in VoteEscrowDelegation.sol should be change to an external function. Currently, the function is unable to be called by any user since it is an internal function and there's no call to the function from another Golom contract. With above...

AxelarAuthWeighted.sol#_validateSignature fails for valid transaction if early signer submits invalid signature

Lines of code Vulnerability details Impact Valid transactions deemed invalid Proof of Concept for ; operatorIndex function isSortedAscAndContainsNoDuplicateaddress memory accounts internal pure returns bool for uint256 i; i = accountsi + 1 return false; return accounts0 != address0; Va...

removeDelegation acts on wrong token

Lines of code Vulnerability details Impact The function removeDelegationtokenId currently tries to remove tokenId from the list of tokens delegated to itself. The correct behavior would be to get which token tokenId is delegated to, and remove tokenId from the delegations to that token. Since...

Impossible to add ve in RewardDistributor

Lines of code Vulnerability details Impact Starting from ve == 0, we call addVoteEscrow. function addVoteEscrowaddress voteEscrow external onlyOwner if addressve == address0 ve = VEpendingVoteEscrow; else voteEscrowEnableDate = block.timestamp + 1 days; pendingVoteEscrow = voteEscrow; The functio...

Misleading mapping delegates

Lines of code Vulnerability details The mapping delegates in VoteEscrowDelegation can be misleading it is not updated when a delegation is removed. If someone is relying on this value not the case here, because this mapping is never used in the contracts ?, but we can assume that it has / will ha...

Fees are lost after GOLOM token supply limit has been reached

Lines of code Vulnerability details Impact When the 1 billion supply has been reached for the GOLOM token, addFee in RewardDistributor will automatically return to the start without updating any trades, however will still accept fees being sent from GolomTrader. These fees however cannot be claim...

QA Report

VoteEscrowDelegation.sol delegates mapping is not updated in removeDelegation. It is updated in function delegate, but after a call to removeDelegation the mapping still contains the token that it was delegated to. --- The text was updated successfully, but these errors were encountered: All...

Miscalculated payout to NFT sellers completing ERC1155 bids

Lines of code Vulnerability details Impact Payout to user fulfilling bid orders by selling their NFTs on ERC1155 will get incorrectly calculated. This will lead to eth getting stuck in the contract, and users not getting their advertised payout. Proof of Concept This whole bug takes place in...

A NFT can be delegated to many NFTS

Lines of code Vulnerability details In VoteEscrowDelegation.sol in the function delegate, there is no check about if the tokenId NFT has already been delegated. Thus is it possible to delegate voting power multiple time. It's even possible to self delegate tokenId = toTokenId multiple times. By...

delegate will revert for tokenIds which have no prior checkpoints

Lines of code Vulnerability details Impact For a tokenId without a prior checkpoint, calling VoteEscrowDelegation.delegate would revert due to an underflow in nCheckpoints nCheckpoints variable in uint256 nCheckpoints = numCheckpointstoTokenId; is set to 0 since there was no prior numCheckpoints...

The function _transferFrom doesn't work

Lines of code Vulnerability details In VoteEscrowDelegation.sol L242, the function removeDelegation is called externally with the syntax this., but that external call changes the msg.sender. So in the function removeDelegation, msg.sender will be the contract itself, not the user. But this functi...

_writeCheckpoint not working correctly if oldCheckpoint.fromBlock == block.number

Lines of code Vulnerability details Impact function writeCheckpoint uint256 toTokenId, uint256 nCheckpoints, uint256 memory delegatedTokenIds internal requiredelegatedTokenIds.length 0 && oldCheckpoint.fromBlock == block.number oldCheckpoint.delegatedTokenIds = delegatedTokenIds; else...

removeDelegation does not remove the delegation to another tokenId

Lines of code Vulnerability details The removeDelegation function in VoteEscrowDelegation.sol is used to revoke the delegation given to another tokenId in the delegate function. In other words, removeDelegation is supposed to remove tokenId from the delegatedTokenIds of the toTokenId. When used i...

Malicious user can cause complete loss of function in AxelarAuthWeighted.sol by matching validators and weights to a previous epoch

Lines of code Vulnerability details Impact Complete loss of function for both AxelarAuthWeighted.sol and AxelarGateway.sol Proof of Concept if epochForHashnewOperatorsHash 0 revert SameOperators; AxelarAuthWeighted.soltransferOperatorship reverts in L76 if epochForHashnewOperatorHash != 0. This...

The function delegate doesn't work

Lines of code Vulnerability details In VoteEscrowDelegation.sol in the function delegate when nCheckpoint = 0, which is the case for every account that has not delegated yet, the function writeCheckpoint is called. However, this function computes nCheckpoints - 1 L101 which thus causes an...

Index error

Lines of code Vulnerability details Impact delegate will not work due to the index error. Proof of Concept VoteEscrowDelegation.writeCheckpoint will be reverted when nCheckpoints == 0. numCheckpoints can be increased only when nCheckpoints == 0. So numCheckpoints will always be zero for any token...

Possible to delegate same token

Lines of code Vulnerability details Impact It's possible to call delegatetokenId1, tokenId2 using the same token tokenId1 multiple times. The previous delegated value isn't deleted, and all delegations stack up. This way tokenId2 will have all these tokens as delegated:...

The function removeDelegation doesn't work

Lines of code Vulnerability details When a delegation is created with the function delegate, the ID of its NFT tokenId is added in the array checkpointstoTokenIdnCheckpoints - 1; where toTokenId is the ID of NFT the user delegates its NFT to. When an user removes the delegation of his NFT with th...

Impossible to transfer VE tokens

Lines of code Vulnerability details Impact In VoteEscrowDelegation.sol, function transferFrom will attempt to remove the delegations to the token transferred. // remove the delegation this.removeDelegationtokenId; However this external call will change msg.sender to addressthis, reverting the cal...

Impossible to delegate

Lines of code Vulnerability details Impact It's impossible to delegate to a token, because the first delegation will always revert. Consider there's no delegation so far, meaning that every token will have numCheckpointstoken = 0. When calling delegate, we will have nCheckpoints = 0 and the call...

Users can cause other users' delegations to be undone

Lines of code Vulnerability details Impact Users can be blocked by other users, from being able to delegate Proof of Concept The writeCheckpoint function looks up the existing checkpoint and attempts to update its delegation array if one exists line 104: File:...

arbitrary low level call

Lines of code Vulnerability details Impact An attacker may perform call to an arbitrary address with controlled calldata Proof of Concept File: contracts\DepositHandler.sol: 23 if callee.code.length == 0 revert NotContract; 24: success, returnData = callee.calldata; 25 references: Tools Used vsco...

Attacker can steal all the wrapped tokens, ether or native currency contained in the ReceiverImplementation contract

Lines of code Vulnerability details Impact since all the functions in the ReceiverImplemention are all designed to be called by DepositBase and AxelarDepositService, why not create a simple modifer to check if msg.sender equals either of the two when a delegatecall or call occurs, like so modifie...

Able to delegate multiple times with the same tokenId

Lines of code Vulnerability details The delegate function in VoteEscrowDelegation.sol is used to delegate voting power from one tokenId to another. The tokenId is added to the toTokenId's delegatedTokenIds array which contains all tokenIds that have delegated to the toTokenId. The amount of votes...

Wrong arithmetic operation upon filling a bid order, lead to lost amount of ether on user funds

Lines of code Vulnerability details Functions GolomTrader.solfillBid... and GolomTrader.solfillCriteriaBid... used to fill a signed order Golom order.orderType = 1 or = 2 by the buyer after he approved GolomTrader contract some wETH. However, in case that the signed order is of type ERC1155 where...

Change Admin and Opertorship address through setup function in AxelarGateway

Lines of code Vulnerability details Impact Anyone can set the Admin address and transferOperatorShip to a new address. Proof of Concept A Simple call to the setup function. That will call setAdmins of Axelar Multisig Base contract. Recommended Mitigation Steps Can Add access control on setup...

Upgraded Q -> M from 333 [1659114494203]

Judge has assessed an item in Issue 333 as Medium risk. The relevant finding follows: 2. Marketplace assumes tokens are already sent Description: The Marketplace looks like a convienance router contract for the lenders to easily interact with Illuminate on chain. However, in methods...

Upgraded Q -> M from 232 [1659037895855]

Judge has assessed an item in Issue 232 as Medium risk. The relevant finding follows: Title : Value of certain range can be used instead of nothing at Booster.sol Line.233 was used : //values must be within certain ranges but at certain range was not used, so it can be deleted as it should be or...

Upgraded Q -> M from 264 [1659038303960]

Judge has assessed an item in Issue 264 as Medium risk. The relevant finding follows: L-05 Unbounded loop on array can lead to DoS As these arrays can grow quite large only push operations, no pop, the transaction's gas cost could exceed the block gas limit and make it impossible to call the...

Upgraded Q -> M from 234 [1659038052827]

Judge has assessed an item in Issue 234 as Medium risk. The relevant finding follows: 1. Update asset weight when calling VeTokenMinter.removeOperator When removing operator, there is no check to make sure that veAssetWeightsoperator has been removed. If governance forgot to call...

Upgraded Q -> M from 9 [1659036743700]

Judge has assessed an item in Issue 9 as Medium risk. The relevant finding follows: Centralized risk The operator address can mint arbitrary amount of tokens. In addition, operator can also burn tokens from third-party accounts. If the private key of the owner or minter address is compromised, th...

Upgraded Q -> M from 268 [1659038665057]

Judge has assessed an item in Issue 268 as Medium risk. The relevant finding follows: The protocol does not support fee on transfer and other weird tokens, e.g.: IERC20rewardToken.safeTransferFrommsg.sender, addressthis, amount; rewardTokenInforewardToken.queuedRewards += amount; --- The text was...

High risk with links to code

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used Recommended Mitigation Steps --- The...

TEST

Lines of code Vulnerability details Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used Recommended...

Really really really really really really really really really really really really really really really really really really really really really really really really really really really really really really really really really really long title

Lines of code L123 Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used Recommended Mitigation Steps ---...

[PNM-004] An additional domain can be registered for free

Lines of code Vulnerability details Description The ETHRegistrarController added new functionality to support set multiple records while registering a ETH 2LD. It uses the following code to support this functionality. function setRecords address resolver, bytes32 label, bytes calldata data intern...

ETHRegistrarController's register and renew use payable.transfer calls with an arbitrary receiver

Lines of code Vulnerability details ETHRegistrarController's register and renew transfer out remainder native tokens via payableto.transfer call. This is unsafe as transfer has hard coded gas budget and can fail when msg.sender is a smart contract. Such transactions will fail for smart contract...

NameWrapper: parent can change owner of subnode by minting

Lines of code Vulnerability details Impact HIGH - bypassing PARENTCANNOTCONTROL fuse As discussed in the discord, bypassing fuse is considered high, thus reports as high impact Condition for the parent for this exploit: should be able to unwrap: no CANNOTUNWRAP fuse on the parent Or alternatively...

[PNM-001] PARENT_CANNOT_CONTROL can be bypassed by maliciously unwrapping parent node

Lines of code Vulnerability details Description By design, for any subdomain, as long as its PARENTCANNOTCONTROL fuse is burnt and does not expire, its parent should not be able to burn its fuses or change its owner. However, this contraint can be bypassed by a parent node maliciously unwrapping...

Transfer ETH by using transfer() may cause this transaction to fail

Lines of code Vulnerability details Impact Transfer ETH by using transfer may cause this transaction to fail. In EIP-1884: In many cases, a recipient of ether from a CALL will want to issue a LOG. The LOG operation costs 375 plus 375 per topic. If the LOG also wants to do an SLOAD, this change ma...