10190 matches found
ReturndataPointer Out of Bounds: A Recipe for Disaster
Lines of code Vulnerability details Impact This vulnerability allows an attacker to read or write to arbitrary memory locations by passing an out-of-bounds 'ReturndataPointer' value to the functions in the 'ReturndataReaders' and 'MemoryReaders' libraries. This can potentially lead to sensitive...
_verifyTime function does not handle startTime > endTime
Lines of code Vulnerability details Impact A possible scenario where the _verifyTime function could cause unexpected behavior is if the input parameters startTime and endTime are not correctly set by the user or another contract. If startTime is greater than endTime, the function would return vali...
_verifySignature function does not handle invalid signature
Lines of code Vulnerability details Impact The verifySignature function checks if the provided signature is valid by calling the internal function assertValidSignature. However, if the signature is not valid, the function does not handle the case and continues with the execution, this could lead ...
The getMaxTreeBrackets function does not handle the case when the suffixes array cannot be created due to memory constraints.
Lines of code Vulnerability details Impact if MaxTreeHeight is set to a very large value, such as 10^9, and twoSubstringLength is also set to a large value, such as 100, then the suffixes array would require 10^9 100 bytes of memory to be created. If the contract does not have that much memory...
_CONDUIT_CONTROLLER variable is immutable, meaning it cannot be reassigned to a different contract after the contract is deployed.
Lines of code Vulnerability details Impact _CONDUIT_CONTROLLER variable is immutable, meaning it cannot be reassigned to a different contract after the contract is deployed. This may be an issue if the original contract is no longer being maintained or if a different contract is needed for some...
No check for overflow or underflow of the uint256 values, which could allow for malicious actors to perform token or ether theft.
Lines of code Vulnerability details Impact A hacker contract is created that calls the "transferFrom" function in the ERC20Interface with a very large value for the "amount" parameter. Since the contract does not have proper overflow/underflow checks in place, it will process the transaction and...
Falsification of conduit keys
Lines of code Vulnerability details Impact In function createConduit, users can falsify their keys by providing their address in the first 20bytes of the conduitkey. Being able to create as many conduits as someone wants. Proof of Concept Given the check that opensea is making: if...
The _verifySignature function skips signature verification if the offerer is the caller.
Lines of code Vulnerability details Impact it could have a significant impact on the security of the smart contract. The function is intended to verify the signature of an order, but if the offerer is the caller, the function skips the signature verification. This could allow someone other than t...
Lack of input validation: The contract does not perform any checks on the inputs passed to the functions, which could allow an attacker to pass malicious data and trigger wrong behavior or errors.
Lines of code Vulnerability details Impact function readInt208 ReturndataPointer rdPtr internal pure returns int208 value assembly returndatacopy0, rdPtr, 0x20 value := mload0 This function reads the int208 at rdPtr in returndata. However, it does not perform any checks on the input rdPtr to ensu...
Upgraded Q -> M from #50 [1674461707004]
Judge has assessed an item in Issue 50 as M risk. The relevant finding follows: QA10. The deposit function only works for tokens that have no more than 18 decimals. This needs to be documented.
Reentrancy attacks : if the functions in the interfaces are called in a malicious contract that calls back into the calling contract before the first call completes.
Lines of code Vulnerability details Impact Reentrancy attacks could be possible if the functions in the interfaces are called in a malicious contract that calls back into the calling contract before the first call completes. Proof of Concept A malicious contract is created that calls the...
_locateCurrentAmount function, there is an assembly operation that is dividing by duration without a zero check
Lines of code Vulnerability details Impact In the _locateCurrentAmount function, there is an assembly operation that is dividing by duration without a zero check, which could cause a division by zero error. Proof of Concept // Check for division by zero require(duration != 0, "Division by zero...
Lack of Input Validation: Unchecked Inputs Allowing for Malicious Data and Unexpected Behavior
Lines of code Vulnerability details Impact The contract does not perform any checks on the inputs passed to the functions, which could allow an attacker to pass malicious data and trigger unexpected behavior or errors. function readInt208 ReturndataPointer rdPtr internal pure returns int208 value...
The _verifyTime function only reverts if revertOnInvalid is true and the order is not active.
Lines of code Vulnerability details Impact The _verifyTime function only reverts if revertOnInvalid is true and the order is not active. This means that if revertOnInvalid is not passed or is false, the function will not revert even if the order is not active. It could have a significant impact on...
Managing Incomplete Transactions in the _assertConsiderationLengthIsNotLessThanOriginalConsiderationLength Function
Lines of code Vulnerability details Impact In the assertConsiderationLengthIsNotLessThanOriginalConsiderationLength function, the revertMissingOriginalConsiderationItems function is called if the supplied consideration item total is less than the original consideration item total. However, there ...
No check to ensure that the orderParameters consideration array is not empty
Lines of code Vulnerability details Impact In the assertConsiderationLengthAndGetOrderHash function, there is no check to ensure that the orderParameters consideration array is not empty. This could result in an out of bounds array access error when trying to retrieve the length of the...
_locateCurrentAmount function, there is an unchecked block which skips underflow checks as startTime <= block.timestamp < endTime
Lines of code Vulnerability details Impact In the _locateCurrentAmount function, there is an unchecked block which skips underflow checks as startTime <= block.timestamp < endTime, but if the condition is not upheld, the duration, elapsed, and remaining variables will underflow and can cause unexpect...
Threat: Replay attack vulnerability
Lines of code Vulnerability details Impact The code does not check for the possibility of a replay attack on the contract, if the same order hash is being used multiple times Proof of Concept A replay attack is a type of attack where an attacker intercepts a valid transaction and resends it...
Yul 'staticcall' return value not checked
Lines of code Vulnerability details Impact Unexpected behavior if call fail.
Upgraded Q -> M from #113 [1674422768939]
Judge has assessed an item in Issue 113 as M risk. The relevant finding follows: During handling the open fees, the tigAsset is distributed to gov. But, it is not approved before to be consumed by gov. So, the first user's transaction to initiate a market order, will fail. During handling the clo...
Upgraded Q -> M from #97 [1674422838137]
Judge has assessed an item in Issue 97 as M risk. The relevant finding follows: DOS StableVault deposit and withdraws if ERC20 with more than 18 decimals used. Description withdraw and deposit functions in StableVault will revert if ERC20 token with more than 18 decimals is used. This is due to a...
Incorrect Encoding of Order Hashes
Lines of code Vulnerability details Impact The order hashes are incorrectly encoded during the encodeOrderHashes mechanism, causing functions such as encodeRatifyOrder and encodeValidateOrder to misbehave. Proof of Concept The order hashes encoding mechanism appears to be incorrect as the...
Upgraded Q -> M from #100 [1674425909347]
Judge has assessed an item in Issue 100 as M risk. The relevant finding follows: Lines of code Vulnerability details Impact The wrong amount of LP tokens will be minted and the wrong amount of A/B tokens will be deposited. Proof of Concept According to the PDF document provided, the number of LP...
Upgraded Q -> M from #351 [1674418158719]
Judge has assessed an item in Issue 351 as M risk. The relevant finding follows: Stable Vault cannot accept tokens with more than 18 decimals because of these lines: Consider using different conversion formula. For example: amount 1e18 / 10token.decimals for deposit and amount 10token.decimals /...
Upgraded Q -> M from #658 [1674423084300]
Judge has assessed an item in Issue 658 as M risk. The relevant finding follows: L-04 USDT IS NOT SUPPORTED FOR CALLING Trading.handleDeposit FUNCTION ON ETHEREUM MAINNET As shown by , USDT on the Ethereum mainnet does not allow approving a new amount when the existing approved amount is not zero...
Optimizer Bug Regarding Memory Side Effects of Inline Assembly
Lines of code Vulnerability details Impact This bug only occurs under very specific conditions: the legacy optimizer must be enabled rather than the IR pipeline true for the current project configuration, and the affected assembly blocks must not refer to any local Solidity variables Proof of...
Upgraded Q -> M from #164 [1674419095024]
Judge has assessed an item in Issue 164 as M risk. The relevant finding follows: LOW‑1 The Contract Should approve0 First Some tokens like USDT L199 do not work when changing the allowance from an existing non-zero allowance value. They must first be approved by zero and then the actual allowance...
_validateOrderAndUpdateStatus() fails to check the condition that the numerator and denominator are both equal to 1
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. _validateOrderAndUpdateStatus fails to check the condition that the numerator and denominator are both equal to 1 Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots,...
Exploring the Vulnerabilities of Seaport: A Technical Analysis of a Fake Signature Attack on Non-Fungible Tokens
Lines of code Vulnerability details Impact This finding aims to provide a comprehensive analysis of the sc4m trend, which emerged in August 2022, and has since been a prevalent issue in the WEB3 space. Despite efforts to combat this phenomenon, bad actors continue to engage in illicit activities,...
transferOwnership() fails to detect that the new potential owner is not already set.
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. transferOwnership fails to detect that the new potential owner is not already set. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant...
Lack of Input Validation in the Conduit Contract
Lines of code Vulnerability details Bug Description: The Conduit contract is a smart contract that serves as an originator for proxied transfers of ERC20, ERC721, and ERC1155 tokens. The contract's execute function takes an input of type ConduitTransfer calldata transfers which is an array of...
Upgraded Q -> M from #268 [1674418407759]
Judge has assessed an item in Issue 268 as M risk. The relevant finding follows: L-02 Front running attacks by the owner Project has one possible attack vectors by the onlyOwner: dao.Fees , burnsFees , referralFees , botFees variable; It determines the fees rate The default deposit fees equal zer...
Upgraded Q -> M from #254 [1674418824740]
Judge has assessed an item in Issue 254 as M risk. The relevant finding follows: 03: Lock.claimGovFees will revert with tokens that have approve race condition protection Some tokens only allow you to approve a new value if the current allowance is set to zero, e.g. USDT. This is not an issue rig...
Incorrect use of msg.sender in isApprovedForAll function causes issues
Lines of code Vulnerability details Impact the function isApprovedForAlladdress owner, address operator is using msg.sender as the address of the user instead of the address that is passed as the owner parameter, this might cause some issues on the code.
Upgraded Q -> M from #658 [1674423108320]
Judge has assessed an item in Issue 658 as M risk. The relevant finding follows: L-05 MARGIN ASSET TOKENS WITH MORE THAN 18 DECIMALS ARE NOT SUPPORTED As shown below, arithmetic operations of the StableVault.deposit, StableVault.withdraw, Trading.handleDeposit, and Trading.handleWithdraw function...
Upgraded Q -> M from #445 [1674423223201]
Judge has assessed an item in Issue 445 as M risk. The relevant finding follows: 5 Function crossChain in GovNFT should have limit for maximum tokens allowed to be transferred, because of gas limit in the dest chain. if a user transferred a lot of tokens because there was two loop inside each oth...
SWC-109 Uninitialized Storage Pointer
Lines of code Vulnerability details Impact Uninitialized local storage variables can point to unexpected storage locations in the contract, which can lead to intentional or unintentional vulnerabilities. Proof of Concept Exploit Vulnerability OrderStatus storage orderStatus; Tools Used github...
Potential Manipulation Vulnerability in _validateOrdersAndPrepareToFulfill Function
Lines of code Vulnerability details Impact The smart contract may not be properly validated, which could lead to fraudulent or malicious orders being fulfilled. This could result in loss of assets or other financial damage to users of the contract. Additionally, if the validation process is not...
ConduitController: Smart Contract Initial Owner Vulnerability
Lines of code Vulnerability details Bug Description The createConduit function in the ConduitController smart contract is responsible for deploying new conduits, or contracts that allow registered callers or open "channels" to transfer approved ERC20/721/1155 tokens on their behalf. The function...
Unchecked Loops and Use of selfbalance() Function Vulnerability in Smart Contract.
Lines of code Vulnerability details Impact Use of unchecked in-for loops. unchecked bytes32 orderHash; // Iterate over each order. for uint256 i = 32; i terminalMemoryOffset; i += 32 assembly orderHash := mloadaddorderHashes, i // Do not emit an event if no order hash is present. if orderHash ==...
SWC-109 Uninitialized Storage Pointer
Lines of code Vulnerability details Impact Uninitialized local storage variables can point to unexpected storage locations in the contract, which can lead to intentional or unintentional vulnerabilities. Proof of Concept OrderStatus storage orderStatus; Tools Used github Recommended Mitigation...
SWC-109 Uninitialized Storage Pointer
Lines of code Vulnerability details Impact Uninitialized storage variables can point to unexpected storage locations. Proof of Concept // Exploitable Vulnerability MemoryPointer callData; Tools Used github Recommended Mitigation Steps // Initialize variable "callData" or set the storage attribute...
Lack of proper input validation in fulfillAvailableAdvancedOrders function
Lines of code Vulnerability details Impact fulfillAvailableAdvancedOrders function is designed to fulfill orders on the marketplace, an attacker could pass an AdvancedOrder struct with a much higher value than the intended order, allowing them to gain an unfair advantage, or they could pass a...
Out-of-Memory Exception in _performERC1155BatchTransfers Function Leading to Loss of Tokens.
Lines of code Vulnerability details Impact When the safeBatchTransferFrom function reverts, the code copies the revert data to memory in order to revert the transaction. However, the code does not properly handle memory allocation for this data, which could lead to an out-of-memory exception. If ...
Unhandled Revert in _performERC721Transfer Function Resulting in Loss of Tokens.
Lines of code Vulnerability details Impact transferFrom function is used to transfer ownership of ERC721 tokens from one address to another. If this function reverts, it means that the transfer failed, and the ownership of the tokens should not be changed. However, the code in the...
Reentrancy
Lines of code Vulnerability details Impact An attacker can be the owner of conduitcontroller contract Proof of Concept function acceptOwnership has re-entrancy vulnerability Look at this : function acceptOwnership Executes twice to make the caller as owner. Look at this = emit OwnershipTransferre...
Reentrancy Vulnerability in _performFinalChecksAndExecuteOrders function
Lines of code Vulnerability details Impact bytes memory accumulator = new bytesAccumulatorDisarmed; and transferitem, execution.offerer, execution.conduitKey, accumulator; The code uses an "accumulator" variable that is used in the transfer function. The accumulator is created using the line byte...
Unhandled Revert in _performERC721Transfer Function Resulting in Loss of Tokens
Lines of code Vulnerability details Impact The performERC1155BatchTransfers function could lead to a loss of tokens if the safeBatchTransferFrom function reverts and the code does not properly handle the revert. This can be exploited by an attacker who can call the performERC1155BatchTransfers...
High Severity Reentrancy Vulnerability in stateTransition Modifier
Lines of code Vulnerability details Impact Lack of reentrancy protection in the stateTransition modifier occurs in the following line of code. modifier stateTransitionTradeStatus begin, TradeStatus end requirestatus == begin, "Invalid trade state"; status = TradeStatus.PENDING; ; assertstatus ==...
Possible Unauthorized Redemption of Collateral ERC20 Tokens due to Lack of Proper Check in redeem() Function
Lines of code Vulnerability details Impact An attacker who is not authorized by the smart contract could potentially redeem more tokens than they are entitled to. This could cause a loss of funds for the smart contract and its users, as well as potentially destabilizing the overall ecosystem...