sherlock-audit / 2024-09-orderly-network-solana-contract-judging
Abundant Walnut Rooster - Ignored CPI Result in SetDelegate Function Prevents Error Propagation
#176
sherlock-admin2
closed
4 days ago
0
Abundant Walnut Rooster - Unchecked CPI Result in OApp Registration
#175
sherlock-admin2
closed
4 days ago
0
Jovial Lilac Sloth - Dead code and TODO not implemented
#174
sherlock-admin2
closed
4 days ago
0
Broad Pecan Pheasant - Hardcoded Values
#173
sherlock-admin2
closed
4 days ago
0
Immense Rouge Goose - Wrong Log Message When ResetVault is Called
#172
sherlock-admin2
closed
4 days ago
0
Brisk Felt Lark - The reinit_oapp did not update the delegate when setting a new admin.
#171
sherlock-admin2
closed
4 days ago
0
Nice Hemp Raccoon - When a PDA (Program Derived Address) is required to perform signing operations but invoke_signed is not used, the transaction will fail
#170
sherlock-admin2
opened
4 days ago
0
Rural Frost Skunk - SolConnector.sol address passed to lzSend() will cause fees refunded to be stuck
#169
sherlock-admin2
opened
4 days ago
0
Bent Eggshell Sidewinder - The UUPS proxy standard is implemented incorrectly, making the protocol not upgradeable
#168
sherlock-admin2
opened
4 days ago
0
Original Emerald Millipede - Missing Conditional Registration for New LayerZero Endpoint on OApp Reinitialization May Cause Call Failures
#167
sherlock-admin2
opened
4 days ago
0
Original Emerald Millipede - [High] Missing `deposit_token` Validation in Orderly Vaults deposit Instruction Allows Unauthorized Cross-Chain Transfers
#166
sherlock-admin2
opened
4 days ago
0
Clumsy Powder Rook - The lack of payable modifier makes the withdraw function unusable
#165
sherlock-admin2
opened
4 days ago
0
Dandy Lavender Terrier - token accounts are not verified against token_hash
#164
sherlock-admin2
opened
4 days ago
0
Orbiting Tweed Shell - Zero-amount deposits will cause an underflow on withdrawal
#163
sherlock-admin2
opened
4 days ago
0
Bouncy Butter Cat - USDC could get stuck if address is blacklisted or block bridge.
#162
sherlock-admin2
opened
4 days ago
0
Magic Ash Kookaburra - Can't re-initialize `vault_authority` once initialized
#161
sherlock-admin2
opened
4 days ago
0
Dandy Lavender Terrier - reset instructions will not work
#160
sherlock-admin2
opened
4 days ago
0
Bouncy Butter Cat - Gas could get stuck in the contract
#159
sherlock-admin2
opened
4 days ago
0
Dandy Lavender Terrier - lz_receive can be called with any user account to steal from users
#158
sherlock-admin3
opened
4 days ago
0
Magnificent Cerulean Tardigrade - User will be able to use any deposit_token to bridge usdc
#157
sherlock-admin2
opened
4 days ago
0
Magnificent Cerulean Tardigrade - Actor can frontrun lz_receive and steal users’ withdrawal
#156
sherlock-admin3
opened
4 days ago
0
Magic Ash Kookaburra - Protocol unable to reinitialize `oapp_config`
#155
sherlock-admin2
opened
4 days ago
0
Raspy Seaweed Bear - Tokens Permanently Locked in Vault Due to Absence of Revert or Retry Mechanism
#154
sherlock-admin3
opened
4 days ago
0
Abundant Walnut Rooster - Missing Fee Validation in Token Withdrawal
#153
sherlock-admin3
opened
4 days ago
0
Radiant Punch Dalmatian - Attacker can steal funds by withdrawing a token different from the request withdrawal token
#152
sherlock-admin2
opened
4 days ago
0
Fit Canvas Pangolin - Due to missing checks on minimum gas and fee passed through LayerZero, executions can fail on the destination chain
#151
sherlock-admin2
opened
4 days ago
0
Fit Canvas Pangolin - During the deposit process, there is no instruction for the user to transfer the gas fee, nor is there a setting for the gas fee refund address.
#150
sherlock-admin2
opened
4 days ago
0
Fit Canvas Pangolin - The OAppLzReceive contract lacks underflow checks, which could allow an attacker to exploit this vulnerability to steal funds.
#149
sherlock-admin2
opened
4 days ago
0
Bouncy Butter Cat - Fees refund sent to wrong address
#148
sherlock-admin4
opened
4 days ago
0
Tangy Peanut Lizard - Incorrect Use of init Constraint in ReinitOApp Instruction
#147
sherlock-admin4
opened
4 days ago
0
Plain Corduroy Goblin - Missing LayerZero Ordered Execution Option For Orderly Chain Messages
#146
sherlock-admin4
opened
4 days ago
0
Raspy Seaweed Bear - Missing Constraint for payer Account in oapp_lz_receive.rs
#145
sherlock-admin2
opened
4 days ago
0
Droll Cider Armadillo - sequential messaging in oapp_lz_receive can be easily attacked
#144
sherlock-admin3
opened
4 days ago
0
Droll Cider Armadillo - rate_limiter is not used
#143
sherlock-admin3
opened
4 days ago
0
Dizzy Green Mantis - Missing access control on `oapp_lz_receive::apply`
#142
sherlock-admin3
opened
4 days ago
0
Orbiting Tweed Shell - Native fee cannot be paid because the `withdraw` function is not payable
#141
sherlock-admin4
opened
4 days ago
0
Petite Pecan Starfish - malicious user can bypass allowed broker hash
#140
sherlock-admin2
opened
4 days ago
0
Energetic Midnight Boar - Missing Authorization Check for Peer Modification.
#139
sherlock-admin2
opened
4 days ago
0
Energetic Midnight Boar - Malicious Users can Disable Rate limiting Leading to DoS and Unauthorized Access.
#138
sherlock-admin2
opened
4 days ago
0
Petite Pecan Starfish - utils.validateAccountId function always returns false
#137
sherlock-admin3
opened
4 days ago
0
Brisk Felt Lark - When the VaultAuthority is reset, malicious actors can seize control of the VaultAuthority permissions.
#136
sherlock-admin4
opened
4 days ago
0
Jovial Lilac Sloth - The `nonce` parameter setting in `SetOrderDelivery` may fail
#135
sherlock-admin4
opened
4 days ago
0
Jovial Lilac Sloth - Part of the implementation of `OAppLzReceiveTypes` is incorrect and inconsistent with the comment structure
#134
sherlock-admin4
opened
4 days ago
0
Tangy Mocha Fox - Ledger never calls SolConnector's `withdraw()`
#133
sherlock-admin4
opened
4 days ago
0
Tangy Mocha Fox - SolConnector is not allowed to call `accountDeposit()` on the Ledger
#132
sherlock-admin3
opened
4 days ago
0
Jovial Lilac Sloth - When receiving cross-chain messages, it may be necessary to update the data in the peer account
#131
sherlock-admin3
opened
4 days ago
0
Tangy Mocha Fox - Withdrawn USDC from `SolanaVault` can be replaced with any token
#130
sherlock-admin3
opened
4 days ago
0
Fit Canvas Pangolin - The deposit() function lacks a check to ensure deposit_params.token_amount > 0, which may cause an error during execution on the EVM side, potentially blocking the entire message.
#129
sherlock-admin3
opened
4 days ago
0
Jovial Lilac Sloth - The account is not verified, which may lead to self-transfers and cause vault assets to inflate
#128
sherlock-admin2
opened
4 days ago
0
Fit Canvas Pangolin - The account OAppLzReceive::user_deposit_wallet may not be initialized, leading to withdraw failure on the Solana side.
#127
sherlock-admin2
opened
4 days ago
0