sherlock-audit 2024-05-andromeda-ado-judging issues

sherlock-audit / 2024-05-andromeda-ado-judging

1 stars 0 forks source link

issues

Newest

Newest Most commented Recently updated Oldest Least commented Least recently updated

g - Vested funds can be unavailable on claiming

#81 sherlock-admin2 closed 3 months ago
0
g - Outaded versions of ADO contracts are considered valid senders

#80 sherlock-admin4 closed 3 months ago
6
g - App Components can use older ADO versions

#79 sherlock-admin3 closed 3 months ago
6
forgebyola - Lack of fund validation allows a user to bloat the message queue with empty stake messages

#78 sherlock-admin2 closed 3 months ago
0
g - Module registration lacks validation and can DOS ADO contracts

#77 sherlock-admin4 closed 3 months ago
0
4b - `crates.io:andromeda-vesting::instantiate()` does not validate `msg`

#76 sherlock-admin3 closed 3 months ago
0
g - Merging Bank messages turns them into fire-and-forget

#75 sherlock-admin2 closed 3 months ago
1
4b - `amount_available` can underflow in `claim_batch`

#74 sherlock-admin4 closed 3 months ago
0
g - Payment transactions succeed even when recipient transfers fail

#73 sherlock-admin3 closed 3 months ago
3
4b - Result type not propagated and returned explicitly

#72 sherlock-admin2 closed 3 months ago
0
4b - In `withdraw.rs::remove_withdrawable_token` error is not propagated

#71 sherlock-admin4 closed 3 months ago
0
bin2chen - execute_withdraw_fund() Funds arrive at End-Block, so the time judgment should be > instead of >=

#70 sherlock-admin3 closed 2 months ago
5
bin2chen - set_permission() using string splicing may cause key conflicts

#69 sherlock-admin2 closed 2 months ago
6
0xR360 - Delegate, Redelegate, Undelegate and Withdraw rewards functionality might break in the vesting contract

#68 sherlock-admin4 closed 3 months ago
5
0xR360 - Claim functionality might break in validator-staking contract

#67 sherlock-admin3 closed 3 months ago
5
Yashar - Stakers Funds Will Be Permanently Locked Within the Contract if a Validator is Tombstoned

#66 sherlock-admin2 closed 3 months ago
0
Yashar - Lack of Denomination Validation in `execute_stake` Function Allows Stakers to Stake Arbitrary Coins and Undermines Reward Fairness

#65 sherlock-admin4 closed 3 months ago
8
g - Recipients are unable to claim their vested funds

#64 sherlock-admin3 closed 3 months ago
6
g - Invalid recipient can break claiming of vested funds

#63 sherlock-admin2 closed 3 months ago
0
g - Only the last message in the AMP packet is handled in ADO Contracts

#62 sherlock-admin4 closed 3 months ago
0
g - Minting and batch minting auth can be bypassed by anyone

#61 sherlock-admin3 closed 3 months ago
0
g - Permissioned actions can not be disabled

#60 sherlock-admin2 closed 3 months ago
6
J4X_ - Batch creation will break if vestings are opened to recipients

#59 sherlock-admin4 opened 3 months ago
2
J4X_ - Lockup of vestings or completion time can be bypassed due to missing check for staked tokens

#58 sherlock-admin3 opened 3 months ago
14
J4X_ - Staked tokens will get stuck after claim

#57 sherlock-admin2 opened 3 months ago
3
J4X_ - Slashing of Unbondings is not accounted for and can lead to DOS of withdrawals

#56 sherlock-admin4 closed 3 months ago
0
J4X_ - Slashing allows users to bypass the lockup period of vestings

#55 sherlock-admin3 closed 2 months ago
20
J4X_ - Changes of the `UnbondingTime` are not accounted for

#54 sherlock-admin2 opened 3 months ago
3
J4X_ - Staked tokens can never be retrieved due to old `cosmos-sdk` version on targeted chains

#53 sherlock-admin4 closed 3 months ago
7
J4X_ - Rewards will get stuck if `withdrawaddrenabled` is set to false on the target chain

#52 sherlock-admin3 closed 3 months ago
17
J4X_ - Un-bonding will lead to staked tokens getting stuck

#51 sherlock-admin2 closed 3 months ago
0
J4X_ - Attacker can freeze users first rewards

#50 sherlock-admin4 opened 3 months ago
14
bin2chen - execute_claim() possible loss of accuracy or even inability to retrieve funds

#49 sherlock-admin3 opened 3 months ago
2
bin2chen - claim_batch() last_claimed_release_time is set too large when the balance is not enough

#48 sherlock-admin2 closed 3 months ago
5
bin2chen - is_permissioned() It doesn't make sense to have permissions by default after Blacklisted expires.

#47 sherlock-admin4 opened 3 months ago
24
bin2chen - is_permissioned() may underflow

#46 sherlock-admin3 opened 3 months ago
2
bin2chen - verify_origin() previous_sender may be forged

#45 sherlock-admin2 opened 3 months ago
2
bin2chen - if Slash Validator occurs, UNSTAKING_QUEUE's unstake amount will not be accurate

#44 sherlock-admin4 opened 3 months ago
3
bin2chen - If WithdrawAddrEnabled = false, execute_claim() will fail

#43 sherlock-admin3 opened 3 months ago
8
bin2chen - execute_stake() without setting DistributionMsg::SetWithdrawAddress, partial reward may remain in the contract

#42 sherlock-admin2 closed 2 months ago
3
bin2chen - when a validator is kicked out of the bonded validator set ,unstake funds will remain in the contract

#41 sherlock-admin4 opened 3 months ago
4
jollytesimal.eth - The test_execute_withdraw_native function: Improper Error Handling in execute_withdraw Leads to Panic (Error Handling Vulnerability).

#40 sherlock-admin3 closed 3 months ago
0
jollytesimal.eth - Logic Error in execute_start_sale: Unhandled None start_time Causes Contract Failure (Panicking on None start_time with Some duration

#39 sherlock-admin2 closed 3 months ago
0
g - Auction ADO allows non-payment of taxes

#38 sherlock-admin4 closed 3 months ago
0
g - Calculating tax amount does not include taxes in `WasmMsg::Execute` messages

#37 sherlock-admin3 opened 3 months ago
7
skinneomeje - Lack of validation of recipient address could lead to lock of funds in andromeda-vesting contract

#36 sherlock-admin2 closed 3 months ago
0
g - Flat-rate fees can break `OnFundsTransfer` hooks

#35 sherlock-admin4 closed 3 months ago
7
g - Creating a batch with invalid release amount locks funds permanently in Vesting ADO

#34 sherlock-admin3 closed 3 months ago
0
g - Registering usernames can be used to hijack paths with app contracts

#33 sherlock-admin2 closed 3 months ago
9
g - Valid VFS paths with "~" can fail validation

#32 sherlock-admin4 closed 3 months ago
0