code-423n4/2023-09-maia-findings
[M-14] Reentrancy in the RootBridgeAgent contract
#856
c4-submissions
closed
1 year ago
5
BranchBridgeAgent is missing source chain checking.
#855
c4-submissions
opened
1 year ago
7
QA Report
#854
c4-submissions
opened
1 year ago
5
Gas Optimizations
#853
c4-submissions
opened
1 year ago
2
QA Report
#852
c4-submissions
closed
1 year ago
4
Fees not integrated with LayerZero functions
#851
c4-submissions
opened
1 year ago
7
if lzReceiveNonBlocking failed to execute, they don't send back, accumulated msg.value. malicious user drain that
#850
c4-submissions
closed
1 year ago
6
Analysis
#849
c4-submissions
closed
1 year ago
3
Analysis
#848
c4-submissions
opened
1 year ago
3
Tokens locking due to empty parameters to execute on the root chain router
#847
c4-submissions
closed
1 year ago
4
QA Report
#846
c4-submissions
opened
1 year ago
6
`RootBridgeAgent.retrieveSettlement` doesn't check if settlement is in FAILED state
#845
c4-submissions
closed
1 year ago
3
RootBridgeAgentExecutor.sol: executeWith* and executeSignedWith* should transfer msg.value to router if there is no router calldata
#844
c4-submissions
opened
1 year ago
4
Gas Optimizations
#843
c4-submissions
opened
1 year ago
3
Anyone can call replenishReserves(...) (token version) to repay borrowed reserves with reserves
#842
c4-submissions
closed
1 year ago
8
Gas Optimizations
#841
c4-submissions
opened
1 year ago
3
QA Report
#840
c4-submissions
opened
1 year ago
3
User can selectively turn on the fallback flag to take all ETH on the agent contract as layerzero fee refund
#839
c4-submissions
closed
1 year ago
5
Unnecessary usage of `payable` or failing to send back remaining/unused ether might result in stuck funds.
#838
c4-submissions
opened
1 year ago
10
The `rootChainId` was hardcoded and made Immutable this goes against the layerzero best practices, which states that "Do not hardcode LayerZero chain Ids. Use admin restricted setters instead".
#837
c4-submissions
opened
1 year ago
4
DUPLICATE `_bridgeAgent` ADDRESSES CAN BE ADDED TO `bridgeAgents` ARRAY IN THE `BranchPort` CONTRACT BY CALLING THE `BranchPort.toggleBridgeAgent` FUNCTION
#836
c4-submissions
opened
1 year ago
8
Gas Optimizations
#835
c4-submissions
opened
1 year ago
3
`settlementNonce` IN THE `RootBridgeAgent` IS DECLARED AS A `uint32` WHICH COULD GET CONSUMED VERY QUICKLY THUS BREAKING THE PROTOCOL, SINCE THE `RootBridgeAgent` IS COMMUNICATING WITH MULTIPLE BLOCKCHAINS AND THE NUMBER IS EXPECTED TO GROW
#834
c4-submissions
opened
1 year ago
8
Analysis
#833
c4-submissions
opened
1 year ago
3
Wrong arrangement for mapping types
#832
c4-submissions
opened
1 year ago
7
LACK OF INPUT VALIDATION ON THE `_recipient` ADDRESS IN THE `RootBridgeAgent.retrySettlement` FUNCTION CAN LEAD TO LOSS OF FUNDS TO THE USER
#831
c4-submissions
closed
1 year ago
4
FallBack Function might revert
#830
c4-submissions
closed
1 year ago
5
Cross-Chain Token Cap Disparity
#829
c4-submissions
closed
1 year ago
3
VirtualAccount.sol:payableCall() lack requiresApprovedCaller modifier
#828
c4-submissions
closed
1 year ago
3
Gas Optimizations
#827
c4-submissions
opened
1 year ago
3
addGlobalToken in CoreRootRouter will revert if destChainId is greater than 65535
#826
c4-submissions
opened
1 year ago
5
users funds will be stuck in the `BaseBranchRouter` when making deposit
#825
c4-submissions
closed
1 year ago
3
VirtualAccount::payableCall is missing access control
#824
c4-submissions
closed
1 year ago
3
QA Report
#823
c4-submissions
opened
1 year ago
2
`CoreRootRouter._setLocalToken` FUNCTION COULD OVERWRITE THE EXISTING VALUES OF THE `getLocalTokenFromGlobal` MAPPING VALUES DUE TO LACK OF CONDITIONAL CHECKS
#822
c4-submissions
closed
1 year ago
14
THE RETURN BOOLEAN VALUE OF THE `excessivelySafeCall` FUNCTION IS NOT CHECKED IN THE `BranchBridgeAgent.lzReceive` FUNCTION
#821
c4-submissions
closed
1 year ago
5
ARITHMETIC UNDERFLOW CAN REVERT THE TRANSACTION THUS `DoS` THE SUBSEQUENT LOGIC EXECUTION OF THE `BranchBridgeAgent._clearToken` FUNCTION, WHICH IS NOT THE INTENDED BEHAVIOUR OF THE FUNCTION
#820
c4-submissions
opened
1 year ago
13
Analysis
#819
c4-submissions
opened
1 year ago
3
payableCall in VirtualAccount isn’t protected by requiresApprovedCaller modifier
#818
c4-submissions
closed
1 year ago
3
`CoreRootRouter.executeDepositSingle` FUNCTION REVERTS FOR SINGLE ASSETS DEPOSITS THUS FAILING THE TRANSACTION
#817
c4-submissions
closed
1 year ago
5
callOut And Bridge feature always fail with core router
#816
c4-submissions
closed
1 year ago
3
``updatePortStrategy`` does not update the strategy limit for that day.
#815
c4-submissions
opened
1 year ago
10
QA Report
#814
c4-submissions
opened
1 year ago
3
`msg.value` IS PASSED INTO THE `IRouter.executeResponse` FUNCTION THUS LOCKING THE FUNDS IN THE `RootBridgeAgentExecutor` CONTRACT
#813
c4-submissions
opened
1 year ago
11
Analysis
#812
c4-submissions
closed
1 year ago
3
fund will struck
#811
c4-submissions
closed
1 year ago
4
USAGE OF `abi.encodePacked` TO ENCODE DATA COULD LEAD TO `payload` DATA COLLISION IN THE `RootBridgeAgent._createSettlementMultiple` FUNCTION
#810
c4-submissions
closed
1 year ago
7
some chain will not work with this protocol
#809
c4-submissions
opened
1 year ago
9
The allowance granted to RootBranchAgent exceeds the necessary amount.
#808
c4-submissions
opened
1 year ago
9
QA Report
#807
c4-submissions
opened
1 year ago
3