sherlock-audit / 2022-10-mover-judging
issues
ak1 - Implementation of own signing and verifying mechanism is more dangerous.
#136
sherlock-admin
closed
2 years ago
1
vlad - Invalid logic of checkApprove when input data is not long enough
#135
sherlock-admin
closed
2 years ago
1
vlad - Reuse of the same input parameters in CardTopupMPTProof
#134
sherlock-admin
closed
2 years ago
1
vlad - Reuse of the signature for CardTopupTrusted
#133
sherlock-admin
closed
2 years ago
0
vlad - Unprotected initialize function of the implementation contract
#132
sherlock-admin
closed
2 years ago
0
ak1 - No clarity on the amount of fee set by admin. Could lead to loss of fund to protocol user. Lack of decentralisation
#131
sherlock-admin
closed
2 years ago
0
Chom - setYieldDistributor doesn't reset allowance for old yield distributor
#130
sherlock-admin
closed
2 years ago
1
ignacio - Miners can influence the value of block.timestamp to perform Maximal Extractable Value (MEV) attacks.
#129
sherlock-admin
closed
2 years ago
0
ak1 - checkAllowance could not work as intended when the token decimal value is not 18
#128
sherlock-admin
closed
2 years ago
1
ignacio - <ARRAY>.LENGTH SHOULD NOT BE LOOKED UP IN EVERY LOOP OF A FOR-LOOP and Increments can be unchecked
#127
sherlock-admin
closed
2 years ago
0
ignacio - ABI.ENCODEPACKED() SHOULD NOT BE USED WITH DYNAMIC TYPES WHEN PASSING THE RESULT TO A HASH FUNCTION SUCH AS KECCAK256()
#126
sherlock-admin
closed
2 years ago
0
ak1 - _processTopup will not work when SYNAPSE bridge is paused. All other process could not function.
#125
sherlock-admin
closed
2 years ago
1
WATCHPUG - Slippage tolerance for Synapse should not be specified as constant values of `0.95`, `0.91`
#124
sherlock-admin
closed
2 years ago
1
WATCHPUG - Lack of sanity checks in the setter functions can result in malfunctions
#123
sherlock-admin
closed
2 years ago
1
WATCHPUG - `_expectedMinimumReceived` should consider `topupFee`
#122
sherlock-admin
closed
2 years ago
1
8olidity - Malicious tokens can safeTransferFrom() results
#121
sherlock-admin
closed
2 years ago
1
WATCHPUG - `exchangeFee` can be escaped
#120
sherlock-admin
opened
2 years ago
3
ignacio - LACK OF REENTRANCY GUARDS ON EXTERNAL FUNCTIONS
#119
sherlock-admin
closed
2 years ago
1
WATCHPUG - The value of `to` parameter in `_bridgeTxData` can be malicious
#118
sherlock-admin
closed
2 years ago
2
ak1 - Lack of sanity check while setting the exchangeProxyContract, trustedRegistryContract could cause the protocol to misbehave.
#117
sherlock-admin
closed
2 years ago
1
hansfriese - Users might steal the remaining fees inside the `ExchangeProxy` contract after `cardTopupToken` is changed.
#116
sherlock-admin
closed
2 years ago
3
hansfriese - Users can exchange tokens to ETH or other ERC777 tokens without paying `exchangeFee`.
#115
sherlock-admin
closed
2 years ago
5
WATCHPUG - Attacker can forge `CardTopup` events
#114
sherlock-admin
closed
2 years ago
2
hansfriese - Inconsistent modification of `_bridgeTxData` in `HardenedTopupProxy._processTopup()`.
#113
sherlock-admin
closed
2 years ago
1
WATCHPUG - Attacker can steal the accumulated topup fees in the `topupproxy` contract's balance
#112
sherlock-admin
opened
2 years ago
6
hansfriese - `topupFee` and `exchangeFee` should have upper limits.
#111
sherlock-admin
closed
2 years ago
0
hansfriese - Possible lost `msg.value` in `ExchangeProxy.executeSwapDirect()`.
#110
sherlock-admin
closed
2 years ago
0
ak1 - Inadequate sanity check for min and max top up amounts
#109
sherlock-admin
closed
2 years ago
0
ak1 - The Protocol calculates fee based on 18 decimal precision value. This can not be applied for all tokens
#108
sherlock-admin
closed
2 years ago
1
Chom - Nonce should be used to prevent signature and MPT proof reuse
#107
sherlock-admin
closed
2 years ago
0
ctf_sec - When _bridgeType is equal to 1, the "Across bridge" transaction may fail and result in user fund lock because of the insufficient input validation in _bridgeAssetDirect
#106
sherlock-admin
closed
2 years ago
1
GalloDaSballo - Lack of explicit Slippage Check is vulnerable to front-running
#105
sherlock-admin
closed
2 years ago
0
GalloDaSballo - Dangerous lack of fee check can lead to unexpected costs
#104
sherlock-admin
closed
2 years ago
0
GalloDaSballo - M-04 Hardcoded Slippage allows front-running for Synapse Bridge
#103
sherlock-admin
closed
2 years ago
1
GalloDaSballo - M-07 Infinite Allowance will not work for some tokens - Too big approval
#102
sherlock-admin
closed
2 years ago
1
GalloDaSballo - M-06 Non-Zero to Non-zero allowance change will break for specific tokens
#101
sherlock-admin
closed
2 years ago
0
GalloDaSballo - M-05 Signature can be reused more than once
#100
sherlock-admin
closed
2 years ago
0
Miguel - yieldDistributorAddress could be the same as admin
#99
sherlock-admin
closed
2 years ago
0
sorrynotsorry - ecrecover might fail silently
#98
sherlock-admin
closed
2 years ago
0
Jeiwan - Lack of validation of Synapse bridge calldata allows stealing of funds
#97
sherlock-admin
closed
2 years ago
0
cccz - Excess ETH not refunded
#96
sherlock-admin
closed
2 years ago
0
ctf_sec - There is no limit on the amount of fee (including exchange fee and top-up fee) users have to pay
#95
sherlock-admin
closed
2 years ago
0
cccz - Manipulation of setTopupFee
#94
sherlock-admin
closed
2 years ago
0
sorrynotsorry - Card Partner address lacks sanity checks and not done in 2 steps
#93
sherlock-admin
closed
2 years ago
0
ctf_sec - Nonce is missing in signature schema in HardenedTopupProxy#constructMsg so signature can be reused to execute transaction.
#92
sherlock-admin
closed
2 years ago
0
sorrynotsorry - No validation of _exchangeProxyContract parameter when setting the address
#91
sherlock-admin
closed
2 years ago
1
ctf_sec - Cross-chain replay attacks are possible with TRUSTED_EXETUTOR_ROLE address in CardTopupTrusted function
#90
sherlock-admin
closed
2 years ago
0
cccz - _processTopup: slippage control may not work
#89
sherlock-admin
closed
2 years ago
1
cryptphi - Users can use less priced token to buy higher priced cardTopupToken for same amount.
#88
sherlock-admin
closed
2 years ago
0
sorrynotsorry - No validation in fee boundaries
#87
sherlock-admin
closed
2 years ago
0