code-423n4/2023-09-delegate-findings
issues
Condition will not revert when block.timestamp is == to the compared variable
#287
c4-submissions
closed
1 year ago
3
Broken ERC1155 functions in DelegateTokenTransferHelper library
#286
c4-submissions
closed
1 year ago
4
withdraw() function is vulnerable to permanently bricking tokens if it fails after setting the registry hash to the "used" flag.
#285
c4-submissions
closed
1 year ago
1
Analysis
#284
c4-submissions
closed
1 year ago
2
The `DelegateToken.approve` function will directly overwrite the old user's approval, resulting in a loss of user rights
#283
c4-submissions
closed
1 year ago
1
Delegate Token Holder can inappropriately withdraw for him if expiry date passes.
#282
c4-submissions
closed
1 year ago
7
Gas Optimizations
#281
c4-submissions
closed
1 year ago
2
CreateOfferer is not SIP-compliant, which can cause integration issues with third parties
#280
c4-submissions
opened
1 year ago
9
flashloan function revert when is called by approved operator
#279
c4-submissions
closed
1 year ago
7
Delegate Token owner can be griefed during extend()
#278
c4-submissions
closed
1 year ago
5
QA Report
#277
c4-submissions
closed
1 year ago
3
Decrementing the balance before transferring could lead to incorrect state if the transfer fails.
#276
c4-submissions
closed
1 year ago
1
updating the registry hash after making state changes can lead to inconsistent state if the registry update fails
#275
c4-submissions
closed
1 year ago
1
A token that was deposited to CreateOfferer by Seaport may be stolen by malicious attacker.
#274
c4-submissions
closed
1 year ago
4
Gas Optimizations
#273
c4-submissions
closed
1 year ago
2
If the new owner tries to approve an operator right after receiving the NFT, it will fail since the approved address was reset to 0
#272
c4-submissions
closed
1 year ago
1
QA Report
#271
c4-submissions
closed
1 year ago
2
The DelegateToken contract is vulnerable to draining assets via repeated flashloans of the same assets
#270
c4-submissions
closed
1 year ago
1
Principal token can be permanently locked
#269
c4-submissions
opened
1 year ago
3
QA Report
#268
c4-submissions
closed
1 year ago
2
ETH can be permanently locked during a flashloan
#267
c4-submissions
opened
1 year ago
11
In transferFrom() address "from" can be put of contract address and bypass Errors.FromNotCreateOfferer(from)
#266
c4-submissions
closed
1 year ago
2
Incorrect delegate token URI in MarketMetadata.sol.
#265
c4-submissions
closed
1 year ago
3
Rebasing tokens remain permanently locked inside DelegateToken
#264
c4-submissions
opened
1 year ago
2
In ratifyOrder there is no need for array
#263
c4-submissions
closed
1 year ago
4
Emitting the Transfer event before updating the registry can enable reentrancy attacks.
#262
c4-submissions
closed
1 year ago
1
Analysis
#261
c4-submissions
opened
1 year ago
3
DelegateToken is not EIP-721 compliant
#260
c4-submissions
opened
1 year ago
12
Seaport orders will not work with USDT
#259
c4-submissions
opened
1 year ago
13
The payable modifier on the multicall function does allow it to receive and hold ether, which can be locked in the contract forever
#258
c4-submissions
closed
1 year ago
2
Rebasing tokens may be stolen or stuck in the contract
#257
c4-submissions
closed
1 year ago
8
`flashloan()` allows both owner and approver to call
#256
c4-submissions
closed
1 year ago
5
DelegateRegistry.checkDelegateForERC20() and checkDelegateForERC1155() will return the maximum amount delegated even if there are multiple matching delegations with different amounts
#255
c4-submissions
closed
1 year ago
1
The rights strings are compared directly which can lead to unintended rights being granted.
#254
c4-submissions
closed
1 year ago
1
QA Report
#253
c4-submissions
closed
1 year ago
2
Gas Optimizations
#252
c4-submissions
closed
1 year ago
2
Analysis
#251
c4-submissions
closed
1 year ago
2
The assembly optimization at the end of the contract does skip Solidity's safety checks and could potentially hide error conditions.
#250
c4-submissions
closed
1 year ago
1
Protocol is incapable of supporting fee-on-transfer tokens
#249
c4-submissions
closed
1 year ago
2
Dirty boolean value other than 0/1 could be manipulated by an attacker when returned from _validateFrom.
#248
c4-submissions
closed
1 year ago
1
Incorrect Handling of Empty rights Parameter in delegateAll Function
#247
c4-submissions
closed
1 year ago
1
An attacker could create fake delegations that wrongly appear valid to _validateFrom().
#246
c4-submissions
closed
1 year ago
1
Gas Optimizations
#245
c4-submissions
closed
1 year ago
1
DelegateCall used here in unsafe manner [ FILE NAME : DelegateRegistry.sol ]
#244
c4-submissions
closed
1 year ago
3
Malicious user can steal innocent user's stake token reward by flashloan NFT
#243
c4-submissions
closed
1 year ago
6
CreateOffererLib#createOrderHash function can be front-run by attacker and cause user create order failed
#242
c4-submissions
closed
1 year ago
3
The _invalidFrom() function as written only checks for the specific address values of 0x00 and 0xff, which represent an empty or revoked delegation in storage
#241
c4-submissions
closed
1 year ago
1
QA Report
#240
c4-submissions
closed
1 year ago
2
Improper deletion [ FILE NAME : DelegateToken.sol ]
#239
c4-submissions
closed
1 year ago
2
DelegateToken's onERC721Received not work
#238
c4-submissions
closed
1 year ago
2