sherlock-audit
/
2023-03-optimism-judging
issues
0xGoodess - `StandardBridge` does not ensure enough tokens are transferred in `_initiateBridgeERC20`
#62
sherlock-admin
closed
1 year ago
0
GalloDaSballo - `metered` in OptimismPortal ends up burning more gas than necessary
#61
sherlock-admin
closed
1 year ago
1
GalloDaSballo - OptimismPortal.Initialize is not emitting `Paused`
#60
sherlock-admin
closed
1 year ago
1
GalloDaSballo - Optimism Portal uses the same speed for Pause and Unpause
#59
sherlock-admin
closed
1 year ago
1
GalloDaSballo - Incorrect Gap Math for `CrossDomainMessenger`
#58
sherlock-admin
closed
1 year ago
2
0xGoodess - `proposeL2Output` does not push a block with timestamp equal to nextTimestamp() as described
#57
sherlock-admin
closed
1 year ago
1
ShadowForce - Function signature may have hash collision
#56
sherlock-admin
closed
1 year ago
2
0xGoodess - spec: Portal still accepts deposit even when paused.
#55
sherlock-admin
closed
1 year ago
0
ks__xxxxx - SafeCall.call() function is still being used even after having SafeCall.callWithMinGas() which follows the EIP-150 63/64th Rule for Gas
#54
sherlock-admin
closed
1 year ago
5
J4de - When L2 withdraws, if it is ERC20, it will return the ETH that the user may pay
#53
sherlock-admin
closed
1 year ago
2
KingNFT - The gas estimation for calldata overhead in `baseGas()` is not correct
#52
sherlock-admin
closed
1 year ago
6
HE1M - Double counting `RECEIVE_DEFAULT_GAS_LIMIT` when directly transferring ETH to the bridge
#51
sherlock-admin
closed
1 year ago
2
overflow427x - overflow427x – _sendMessage function doesn't check if the gas limit specified is sufficient
#50
sherlock-admin
closed
1 year ago
0
overflow427x - overflow427x – minimumBaseFee can cause an underflow when computing newBaseFee
#49
sherlock-admin
closed
1 year ago
0
overflow427x - overflow427x – gasUsedDelta and baseFeeDelta can cause overflow/underflow
#48
sherlock-admin
closed
1 year ago
2
overflow427x - overflow427x – Lack of input validation in getL1GasUsed()
#47
sherlock-admin
closed
1 year ago
0
overflow427x - overflow427x – Potential denial-of-service attack in initialize()
#46
sherlock-admin
closed
1 year ago
0
overflow427x - overflow427x – _remoteToken can be set to address(0)
#45
sherlock-admin
closed
1 year ago
0
overflow427x - overflow427x – Reentrancy in the finalizeBridgeERC721() function
#44
sherlock-admin
closed
1 year ago
0
rvierdiiev - Bug #175 from previous sherlock audit is not fixed
#43
sherlock-admin
closed
1 year ago
0
OCC - A vulnerability allowing ownership transfer to address 0, which could result in the contract becoming inaccessible and unusable
#42
sherlock-admin
closed
1 year ago
0
rvierdiiev - L1 depositors overpays gas fees because of `MIN_GAS_CALLDATA_OVERHEAD`
#41
sherlock-admin
closed
1 year ago
0
KingNFT - The formula used in `SafeCall.callWithMinGas()` is wrong
#40
sherlock-admin
opened
1 year ago
3
ks__xxxxx - MINIMUM_GAS_LIMIT constant is still being used even after migrating the minimum gas limit calculation to a different function.
#39
sherlock-admin
closed
1 year ago
0
ShadowForce - Reentrancy in CrossDomainMessenger#relayMessage
#38
sherlock-admin
closed
1 year ago
3
ShadowForce - Malicious user can finalize other’s withdrawal with precise amount of gas, leading to loss of funds even after the fix
#37
sherlock-admin
closed
1 year ago
9
0xChinedu - No Transfer of Ownership Pattern
#36
sherlock-admin
closed
1 year ago
0
0xChinedu - Funds Donated or Locked In Optimism Portal Can Never be Recovered or Withdrawn
#35
sherlock-admin
closed
1 year ago
0
Bauer - User will lose funds if s/he sends ETH directly to the L2ToL1MessagePasser contract
#34
sherlock-admin
closed
1 year ago
2
0xGoodess - spec: documentation on StandardBridge's signature does not match implementation
#33
sherlock-admin
closed
1 year ago
0
Bauer - If user uses an NFT that can be paused, the NFT may be frozen in the contract
#32
sherlock-admin
closed
1 year ago
2
0xGoodess - L2StandardBridge actually takes ERC20 token with blacklister - for example USDC
#31
sherlock-admin
closed
1 year ago
0
chaduke - proveWithdrawalTransaction() fails to detect that ``L2_ORACLE.getL2Output(provenWithdrawal.l2OutputIndex).outputRoot`` might return obsolete value.
#30
sherlock-admin
closed
1 year ago
1
0xChinedu - Use `safeTransferFrom()` Instead of `transferFrom()` for Outgoing ERC721 transfers
#29
sherlock-admin
closed
1 year ago
0
chaduke - L2ToL1MessagePasser#initiateWithdraw() lacks the alias translation for the ``from`` field.
#28
sherlock-admin
closed
1 year ago
2
HE1M - Usage of **revert** in case of low gas in `L1CrossDomainMessenger` can result in loss of fund
#27
sherlock-admin
opened
1 year ago
7
rvierdiiev - L2OutputOracle constructor checks `_submissionInterval > _l2BlockTime` which is incorrect as one is block amount and another is time range
#26
sherlock-admin
closed
1 year ago
2
chaduke - L2ToL1MessagePasser#receive() lacks the onlyEOA modifier, leading to possible loss of funds.
#25
sherlock-admin
closed
1 year ago
0
chaduke - Logical error in relayMessage() leads to no revert for Constants.ESTIMATION_ADDRESS when the call to SafeCall.callWithMinGas is successful.
#24
sherlock-admin
closed
1 year ago
2
chaduke - Logical error in finalizeWithdrawalTransaction() leads to NO REVERT during failure, and thus silent failure in most cases.
#23
sherlock-admin
closed
1 year ago
0
chaduke - proposalL2Outout() uses the wrong timestamp for the proposal
#22
sherlock-admin
closed
1 year ago
2
chaduke - finalizeBridgeETH() fails to make sure _to != OTHER_BRIDGE
#21
sherlock-admin
closed
1 year ago
2
chaduke - ProveWithdrawlTransaction() fails to check provenWithdrawal.l2OutputIndex == l2OutputIndex when provenWithdrawal.timestamp !=0
#20
sherlock-admin
closed
1 year ago
2
chaduke - proveWithdrawalTransaction() fails to check that _tx.target != Constants.DEFAULT_L2_SENDER.
#19
sherlock-admin
closed
1 year ago
2
chaduke - OptimismPortal#receive() fails to make sure msg.sender is not a contract
#18
sherlock-admin
closed
1 year ago
2
MaanVader - Potential overflow/underflow in the function `depositTransaction()` which may allow funds to be lost and transferred to a wrong address
#17
sherlock-admin
closed
1 year ago
3
chaduke - _isUnsafeTarget() fails to exclude OTHER_MESSENGER
#16
sherlock-admin
closed
1 year ago
2
MaanVader - Gas limit attack in the function `_initiateETHDeposit()`
#15
sherlock-admin
closed
1 year ago
0
Bauer - OptimismPortal.depositTransaction continues to function even when the protocol is paused
#14
sherlock-admin
closed
1 year ago
1
weeeh_ - Unhandled exception on l2geth node may result in panic then DoS
#13
sherlock-admin
closed
1 year ago
2