Malicious Module can change the policy commit of a Gnosis Safe console Account

Lines of code Vulnerability details Impact The overall design of the Gnosis safe allows for the addition of a Module, modules are smart contracts that extend the ability of the Gnosis safe, which means that a module can be setup in such a way that it can perform actions that is meant to improve t...

SafeDeployer.sol : Missing the correct type caste for _WALLET_REGISTRY_HASH when setup the console account could lead issue in accessing the functions from WalletRegistry

Lines of code Vulnerability details Impact Incorrect address type caste would lead to setting the console account which can not access the function from WalletRegistry.sol. Proof of Concept The SafeDeployer contract facilitates the deployment of Gnosis Safe accounts and configuring them as consol...

Contract data cannot be migrated to the new address during contract upgrading.

Lines of code Vulnerability details Impact According to this document, the AddressProvider contract manages and updates addresses of authorized contracts and registries within the system. If security vulnerabilities are discovered or functional upgrades are needed in a contract, the government ca...

OpenZeppelin 's recent v5.0.0 release includes many changes to libraries/contracts that can directly affect ERC20MultiDelegate functionality

Lines of code Vulnerability details Impact OpenZeppelin just released v5.0.0, and there happen to be several significant changes that directly affect the ERC20MultiDelegate implementation, directly and indirectly, via packages used and inherited from. Here’s a link to the release: Below is a...

_reimburse and createProxyDelegatorAndTransfer uses ERC20Votes.transferFrom with user as msg.sender, but allowance is given for ERC20MultiDelegate contract.

Lines of code Vulnerability details Description The delegateMulti external method is called by user. This function call some internal functions like reimburse and transferBetweenDelegators, which doesn't change the msg.sender because they are internal. So, when these functions try to use...

Deterministic proxy contract address with a hard-coded salt enables token theft.

Lines of code Vulnerability details Impact The retrieveProxyContractAddress function calculates the address of the proxy contract deterministically based only on the delegate address. An attacker could pre-compute proxy contract addresses for target delegates and steal tokens by transferring to...

delegateMulti(...) Griefing Attack

Lines of code Vulnerability details Impact A call to delegateMulti... with the right parameters will consume much gas and waste memory for Proxy Delegators DoS costing the attacker very little. Proof of Concept Calling delegateMulti with many unique targets and amounts of 0 consumes Proxy...

Delegate balance in getBalanceForDelegate can be manipulated by delegate sending ERC1155 tokens to the contract directly

Lines of code Vulnerability details Impact The contract is an ERC1155 contract that can receive tokens from delegates which might affect core protocol invariants through getBalanceForDelegate Proof of Concept function getBalanceForDelegate address delegate internal view returns uint256 return...

Possible hash collision in retrieveProxyContractAddress()

Lines of code Vulnerability details Impact implemention of keccak256abi.encodePackeda, b with both dynamic types or same type with dynamic nature leads to collision in hash. Proof of Concept From the sol docs:link. i.e If you use keccak256abi.encodePackeda, b and both a and b are dynamic types, i...

Zero address Salt used in Creating delegate contract

Lines of code Vulnerability details Impact A zero-valued salt used, means an attacker can predict the contract address of a new delegate, this can lead an attacker to create the ERC20ProxyDelegator on behalf of the user, this is to allow for max access to the tokens to be transfered Proof of...

Possibility of security vulnerabilities introduced by creating ERC20ProxyDelegator instances on the fly using static salt values

Lines of code Vulnerability details Impact Security risks associated with deploying proxy contracts via deterministic addresses that can be easily calculated. In deployProxyDelegatorIfNeeded, in the case that extcodesizeproxyAddress == 0, then a proxy contract is instantiated ad hoc via new...

Loss of tokens because target address can be set to zero

Lines of code Vulnerability details Impact Due to the possibility of target addresses being zero, tokens transferred to zero address will be lost forever, leading to loss of funds for the users of the protocol and that tokens being out of circulation forever burned. Proof of Concept Users can...

Delegation transfer might become temporarily unavailable due to input format in _delegateMulti

Lines of code Vulnerability details Impact A user might mint a valid delegation token to a target delegate which cannot be transferred to another target delegate through processDelegation due to delegateMulti's extension of address type of data into the space of uint256. Proof of Concept As...

No access control on _delegateMulti allows unauthorized token delegation.

Lines of code Vulnerability details Impact There is no access control on the delegateMulti function. This allows anyone to delegate tokens between accounts. The function should check that the caller is the token holder. Proof of Concept The delegateMulti function that allows anyone to delegate...

Same multiple delegate values result in wrong calculation of delegated votes

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. If by mistake same delegate value is given multiple times to targets array then delegation of votes is wrongly calculated. Proof of Concept Provide direct links to all referenced code in GitHub. Add...

Assertions and array length checks can be manipulated maliciously, causing issues.

Lines of code Vulnerability details Impact There are some assertions and requirements on array lengths to prevent mismatched data. But assertions like require statements can potentially be used maliciously in some cases. These are a few ways a malicious user could try to exploit the asserts,...

amount could still have some dust left

Lines of code Vulnerability details Impact Amount can still remain after transfer process that can lead unbalancing of length between sources, targets and amount that can lead to unexpected behavior. Proof of Concept There is no means to check inside delegateMulti function that either all amount ...

Front-Running during Proxy Creation

Lines of code Vulnerability details Impact An ill-intentioned party might front run every proxy contracts creation and deploy one first causing the transaction for every user to revert. It is worth noting that for this attack to succeed, the attacker would need to get their transaction mined in t...

No validation allows unauthorized voting power transfer by any user.

Lines of code Vulnerability details Impact There is no check that the msg.sender is allowed to delegate votes on behalf of the sources. Any user could call delegateMulti and transfer voting power from other addresses. There should be a require statement to ensure msg.sender owns the tokens they a...

User is unable to undelegate their votes from a ProxyDelegator

Lines of code Vulnerability details Impact The delegate is used to delegate sender's votes to someone else without the need to actually send the tokens. Here is a quick intro for the function: delegateaddress delegatee This function allows msg.sender to delegate their voting power to delegatee an...

Hash Collisions and Front-Running Risk

Lines of code Vulnerability details Salt Value in Proxy Deployment: The contract uses a salt value of 0 during the deployment of proxy delegator contracts. This introduces a significant security concern related to potential hash collisions. If multiple delegators attempt to deploy to the same...

ERC20Votes tokens has maximum token supply capped at type(uint208).max approving type(uint256).max in ERC20ProxyDelegator will cause overflow

Lines of code Vulnerability details Impact Maximum token supply in OpenZeppelin ERC20Votes.sol. Defaults to typeuint208.max 2^208^ - 1. This maximum is enforced in update. It limits the total supply of the token, which is otherwise a uint256, so that checkpoints can be stored in the Trace208...

Multi-delegate system opens exploits: vote amplification, collusion, rapid alternation, obscuring bribes.

Lines of code Vulnerability details Impact Allowing votes to be spread across multiple delegates does potentially open up new attack vectors if not handled carefully. Some ways this could potentially be exploited: A delegator spreads their votes thin across many dummy delegates they control to...

Assembly proxy creation lacks bytecode validation, enabling arbitrary contract deployment.

Lines of code Vulnerability details Impact The proxy contract creation uses assembly to compute the create2 address. But it does not verify the deployed bytecode matches expectations. The use of assemble for proxy contract creation has potential risks if the bytecode is not validated. This could...

Permissive owner access allows misleading URI changes, impacting user trust.

Lines of code Vulnerability details Impact setUri function is only restricted to the contract owner, this could allow the owner to update the URI and make changes that users did not anticipate. The setUri function allows the owner to update the URI to anything they want. For example, they could...

Some ERC20Votes tokens will not work if you set approve() to any value without setting to zero first

Lines of code Vulnerability details Impact Not setting allowance to Zero before changing the allowance can hinder the deployment of the ERC20ProxyDelegator contract for some ERC20 tokens Proof of Concept Some ERC20 tokens like USDT with Voting enabled will not work when changing the allowance fro...

Approval Verification

Lines of code Vulnerability details Impact There is a great need for approval check before commencement of token transfer and clearing of excess approvals after token transfer has been done, to prevent potential third-party exploitation that could drain funds from unsuspecting users via the...

ERC20ProxyDelegator contract will always lead to zero approval

Lines of code Vulnerability details Impact In constructor of ERC20ProxyDelegator contract token.approve have typeuint256.max. This leads to approval remain zero as nothing will happens due to wrong value provided. The main reason is due to the max approval attainable is typeuint256.max – 1. This...

Anyone can force reimbursement from source

Lines of code Vulnerability details Impact The reimburse function is invoked when the index is less than the source length. This typically occurs when the target length exceeds the source array length, resulting in the reimbursement of the index number beyond the minimum from the source to the...

Missing validation lets users delegate more than they own.

Lines of code Vulnerability details Impact The amounts array is not checked to ensure the sum is less than or equal to the user's overall token balance. This could allow someone to delegate more tokens than they own. Proof of Concept This is another validation issue in the delegateMulti function...

Unrestricted delegator contract deployment risks gas abuse; implement mitigations.

Lines of code Vulnerability details Impact deployProxyDelegatorIfNeeded deploys a new delegator contract if one does not exist. This could be abused to spam deploy many delegators and waste gas. Proof of Concept The issue with potentially spam deploying many delegator contracts occurs in the...

The delegator process occurs even if the source and target have the same address.

Lines of code Vulnerability details Impact The ERC20MultiDelegate contract allows a ENS token holder to either: Case1: Transfer tokens from sources to targets to delegate votes, OR Case2: Get reimbursed from sources and burn their votes OR Case3: Deploy a proxy delegate contract to transfer token...

Needs a secure modifier

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. The ERC20ProxyDelegator constructor appears to be used for delegating voting rights to a delegate by allowing them to call the delegate function of an ERC20Votes contract. To secure this function, you...

ENS (ERC20Votes) token transferred to the proxy contract will be lost forever.

Lines of code Vulnerability details Impact ENS ERC20Votes token transferred to the proxy contract will be lost forever. As delegation amount is out of sync with the ERC1155 balance if the ENS token is transferred to the proxy contract. Proof of Concept When the user delegates 100 tokens to A, the...

people can steal others voting power by creating mlicous proxy contracts

Lines of code Vulnerability details Impact bad actor can control over the other peoples voting power in delegate proxy contracts. lets start from delegateMulti when somebody calls it it leads to delegateMulti and it calls processDelegationsource, target, amount; in the process of loop. if you loo...

Owner role's URI setting power can be maliciously exploited.

Lines of code Vulnerability details Impact The owner role has a lot of power here. Setting URI could be used maliciously. Should consider limiting owner capabilities to only essential admin functions. Proof of Concept The issue occurs in the setUri function: function setUristring memory uri...

Unbounded approval in ERC20ProxyDelegator allows potential token theft; limit approvals.

Lines of code Vulnerability details Impact The proxy contract ERC20ProxyDelegator approves maximum possible tokens to the ERC20MultiDelegate contract. This could allow the ERC20MultiDelegate to steal all tokens from the proxy contracts. The approval amount should be limited to only what is...

Use of uint for addresses may result in fund loss for user .

Lines of code Vulnerability details Proof of Concept : The Multidelegate contract takes input of addresses as uint256 which is quite unique . Each target address is inputted as uint256 and casted down to uint160 . for uint transferIndex = 0; transferIndex Math.maxsourcesLength, targetsLength;...

Incorrect Addresses will be returned via retrieveProxyContractAddress() possibly bricking delegations.

Lines of code Vulnerability details The retrieveProxyContractAddress function is used to retrieve the address where it casts a bytes32 to an address type. function retrieveProxyContractAddress ERC20Votes token, address delegate private view returns address bytes memory bytecode = abi.encodePacked...

can not transfer voting tokens between ERC20ProxyDelegator contracts even if he supplied funds before

Lines of code Vulnerability details Description if a user wants to delegate voting power to a delegate he will call the function delegateMulti with targets array set to the address of the delegates he wants to delegate to, but the targets array is uint and not address type, so the user needs to...

No check proxy contract is deployed

Lines of code Vulnerability details The deployProxyDelegatorIfNeeded function in ERC20MultiDelegate.sol does not verify that a proxy contract has been successfully deployed before emitting an event indicating its creation. Impact Both createProxyDelegatorAndTransfer and processDelegation function...

use higher version of openzeppelin library instead of vulnerible ones.

Lines of code Vulnerability details Impact the Op lib has some dangerous vulnerabilities in lower versions especially when you work with ERC1155 Openzeppelin already says the lower versions are vulnerable. Affected versions = 4.2.0 Tools Used vs code Recommended Mitigation Steps upgrade versions ...

No address validation can lead to unexpected behaviour

Lines of code Vulnerability details Background With the implementation of the ERC20Multidelegate contract, it will be possible to delegate your voting power to multiple recipients in one transaction. A user can call ERC20MultiDelegate.delegateMulti to initiate this multi-delegation: source:...

Same multiple values in source result in wrong withdrawl

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. If by mistake same delegate value is given multiple times to sources array then withdrawal is affected Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or a...

Lack of array length validation in delegateMulti() can lead to errors.

Lines of code Vulnerability details Impact There is no validation that the sources, targets, and amounts arrays passed to delegateMulti are the same length. This could cause issues with iterating through the arrays. Proof of Concept In the delegateMulti function. function delegateMulti uint256...

Possibility of losing users funds due to not checking for zero address (address 0x0)

Lines of code Vulnerability details Impact As there is no function for checking whether the addresses of the sources and targets are zero or not in the delegateMulti function it may cause issues for users Sending tokens to a zero address address 0x0 is generally not a recommended practice in...

"deployProxyDelegatorIfNeeded" Can Be Exploited To Steal Funds Or Even Cause Denial Of Service

Lines of code Vulnerability details Impact In circumstances whereby transferIndex is greater than or equal to sources length but less than targets length, there are remaining target addresses to process. DelegateMulti Function calls createProxyDelegatorAndTransfer to handle any remaining target...

This code is not wroking amounts[:sourcesLength]

Lines of code Vulnerability details Impact it is not going to work the whole protocol Proof of Concept I tried that in Remix and it isn't compiling Tools Used manual Recommended Mitigation Steps remove the code and write to manual slice the amounts array Assessed type Other --- The text was updat...

no sufficient tokens check for transferFrom() in _reimburse() , createProxyDelegatorAndTransfer() and transferBetweenDelegators()

Lines of code Vulnerability details Impact there is no sufficient tokens check in reimburse , createProxyDelegatorAndTransfer and transferBetweenDelegators for transferFrom which can lead to unexpected results Proof of Concept from the OZ's ERC1155.sol: from must have a balance of tokens of type ...

_reimburse() bypasses 1155 accounting, allowing potential fund drainage.

Lines of code Vulnerability details Impact The reimburse function allows the caller to withdraw any remaining source delegate balance back to themselves. This bypasses the 1155 token balances and could let the caller drain funds. For example: The reimburse function allows the caller to withdraw a...