sherlock-audit / 2024-05-aleo-judging: issues
#36 dtheo - `bond_validator` and `bond_public` do not allow bonding even if unbonding window has passed or there are no credits unbonding (opened by github-actions[bot] 1 week ago, 5 comments)
#35 dtheo - `split` transaction's fixed fees undercharge block stuff DOS attacks (opened by github-actions[bot] 1 week ago, 7 comments)
#34 dtheo - Aleo prover/network DOS vector due to invalid `split` proofs being free to abuse (opened by sherlock-admin4 1 week ago, 1 comment)
#33 dtheo - Aleo's zero address checks should be in bonding functions and not `unbond_public` (closed by sherlock-admin3 5 days ago, 2 comments)
#32 dtheo - `unbond_public` does not handle 0 credit unbonding correctly (closed by sherlock-admin2 1 week ago, 1 comment)
#31 dtheo - `unbond_public` logic causes issues for some delegators preventing partial withdrawals (opened by sherlock-admin4 1 week ago, 10 comments)
#30 dtheo - `bond_public` delegator balance check needs reordering (closed by sherlock-admin3 5 days ago, 6 comments)
#29 morbsel - The `transfer_public_as_signer` function can be used by a malicious program/contract to steal users' credits (closed by sherlock-admin2 1 week ago, 0 comments)
#28 morbsel - Validators that are already in the committee can self bond while they are unbonding (closed by sherlock-admin3 5 days ago, 1 comment)
#27 morbsel - The `fee_private` function has public inputs that should be restricted to private (closed by sherlock-admin2 1 week ago, 3 comments)
#26 morbsel - Validators that are not in the committee can't unbond delegators that are pre bonded to them (closed by sherlock-admin4 1 week ago, 0 comments)
#25 sammy - `delegated[]` state is not removed after it reaches zero, potentially leading to higher computational costs and DoS (closed by sherlock-admin3 1 week ago, 3 comments)
#24 pwning_dev - Error Handling in `authorize` Function could lead to DoS attack (closed by sherlock-admin2 5 days ago, 1 comment)
#23 sammy - Validator can block existing delegators from increasing their delegations and new delegators to bond at no cost (opened by sherlock-admin4 1 week ago, 14 comments)
#22 haxatron - Coinbase reward calculation is incorrect due to incorrect `ANCHOR_HEIGHT` (closed by sherlock-admin3 1 week ago, 0 comments)
#21 sammy - `bond_validator` uses `self.signer` as validator's address, which will make `set_validator_state` uncallable if the validator uses account abstraction (closed by sherlock-admin2 5 days ago, 15 comments)
#20 sammy - A validator cannot remove a delegator before joining the committee, which can lead to a constant DoS attack (closed by sherlock-admin4 5 days ago, 16 comments)
#19 joicygiore - `credits.record::join` lacks `owner` validation, which may result in merging records with different owners (closed by sherlock-admin3 5 days ago, 1 comment)
#18 joicygiore - Fee related methods only update the fee payer's account information, and do not update the recipient's account information. (closed by sherlock-admin2 1 week ago, 6 comments)
#17 joicygiore - The user has no incentive to call `credits.aleo::split`, the expected `10_000u64` fee in that method will never be charged (closed by sherlock-admin4 5 days ago, 14 comments)
#16 knight110001 - The unbond function should distinguish between calls made by the Validator and the Delegator when removing a validator. (closed by sherlock-admin3 5 days ago, 1 comment)
#15 joicygiore - Using `self.signer` to verify identity may be used by attackers for "identity fraud" or "permission bypass" (closed by sherlock-admin2 5 days ago, 1 comment)
#14 wl - Validator can set fee to make profit by calling unbond_public and bond_validator in a loop (closed by sherlock-admin4 1 week ago, 0 comments)
#13 wl - Validator can maliciously set the commission percentage in bond_validator (closed by sherlock-admin3 1 week ago, 0 comments)
#12 coder-lb - The delegator can maliciously execute unbond_public (closed by sherlock-admin2 1 week ago, 0 comments)
#11 coder-lb - The unbond_public caller should support the delegator address (closed by sherlock-admin4 1 week ago, 0 comments)
#10 marco-storswift - Claim_unbond_public should be limited to caller's address (closed by sherlock-admin3 1 week ago, 0 comments)
#9 haxatron - A validator cannot unbond any of its delegators if it's not in the committee (closed by sherlock-admin2 1 week ago, 0 comments)
#8 marco-storswift - The statistics of staking_rewards have precision errors (closed by sherlock-admin4 1 week ago, 0 comments)
#7 haxatron - Bypass the `split` fee using `transfer_private` (closed by sherlock-admin3 1 week ago, 0 comments)
#6 haxatron - The `fee_public` can be used to delete all the Aleo credits from user (closed by sherlock-admin2 1 week ago, 0 comments)
#5 haxatron - Using `self.signer` in `bond_validator` can allow external malicious programs to drain the signer's microcredits (closed by sherlock-admin4 1 week ago, 0 comments)
#4 haxatron - Using `self.signer` in `transfer_public_as_signer` can allow external malicious programs to drain Aleo credits (closed by sherlock-admin3 1 week ago, 0 comments)
#3 snowtigersoft - Inadequate Requirements for Validator Activation Leading to Unfair Competition (closed by sherlock-admin2 1 week ago, 0 comments)
#2 snowtigersoft - Potential Exploit with unbond_public Allowing Commission Change without Notice (closed by sherlock-admin4 1 week ago, 0 comments)
#1 ghostant-1017 - The introduction of ARC-41 in the current implementation of AleoBFT will make the network less secure compared to before. (closed by sherlock-admin3 5 days ago, 1 comment)