Real smart contract vulnerabilities — explained, categorized & sourced for Web3 learners & auditors (especially for me)

0xScratch/smart-contract-vulnerabilities

Smart Contract Vulnerabilities

This repository contains a curated list of known smart contract vulnerabilities categorized by their type. Each entry includes a brief description of the vulnerability, its severity, and a link to a detailed report or analysis.

I try to keep adding vulnerabilities as soon as I come across one through Solodit, or any other means. That said, it doesn't mean one will find every finding in here. Most of them seemed good so far.

The sole purpose of this repository is just to make white hats (especially me) understand these findings in the easiest way possible, with the help of AI. Usually, one needs to work around a bit more in order to understand why something is a vulnerability in the first place. So, this repository decodes it in simple form and will definitely prove to be useful for me, as far as I am concerned.

And most importantly, it will create a habit for me to keep reading other auditors' reports!!

How is each finding listed?

Here are the common steps I took in listing these findings:

  • First, an obvious step: I went through a vulnerability (let's say from Solodit, or any other means) and understood what's going on in it.
  • After that, the same finding is passed to AI (ChatGPT or Grok), and its help is taken to understand it even better.
  • Now that we know our AI assistant understands it well, all I need to do is pass the template, which contains the following sections:
    • Title: Self explanatory
    • Some extra meaningful details
      • Severity
      • Source
      • Affected Contract
      • Vulnerability Type
    • Some early added vulnerabilities might contain the original finding that auditors wrote
    • Summary: A straight written summary about the finding
    • A Better Explanation (With Simplified Example)
      • Intended Behavior: What should happen
      • What Actually Happens (Bug)
      • Why This Matters: Impact
      • Concrete Walkthrough: The simplified example, it helps sometimes
    • Vulnerable Code Reference
    • Recommended Mitigation
    • Pattern Recognition Notes: Really Important!!
    • Quick Recall (TL;DR): Only the latest added findings contain this section
  • Next, the finding generated by AI is usually checked and then added under the relevant category.
  • Each category contains a table for easier accessibility.

Vulnerability Categories

Access Control

| Protocol | Vulnerability | Severity | Source |
|---|---|---|---|
| Alchemix | Unauthorized Reward Token Injection via notifyRewardAmount in Alchemix Bribe Contract | Medium | Immunefi |
| BakerFi | Arbitrary originalAmount in Flash Loan Data Allows Logic Manipulation | Medium | Code4rena |
| Escher | Sale Finalization Failure Due to Deprecated selfdestruct Semantics in Escher FixedPrice & OpenEdition | Medium | Code4rena |
| Karak | Unslashable NativeVault via Unvalidated extraData and Unrestricted Manager Upgrade | High | Code4rena |
| MonoX | Unauthorized Pool Price Manipulation via Missing Access Control in Monoswap | High | Solodit (Halborn) |
| Stader | Loss of Admin via Self-Assignment in updateAdmin (Role Revocation Bug) | Medium | Code4rena |
| Stader | Permissionless Reward Drain Allows Unfair Operator Slashing in ValidatorWithdrawalVault | Medium | Code4rena |
| Virtuals Protocol | ContributionNft Mint Abuse via Unrestricted Proposer Control | Medium | Code4rena |

Business Logic Flaw

| Protocol | Vulnerability | Severity | Source |
|---|---|---|---|
| Abracadabra | Improper Handling of Rebasing Tokens in Lending/Borrowing Logic | Medium | Code4rena |
| Amphora | Reorg-Based Vault Address Hijacking via CREATE Deployment in Amphora | Medium | Code4rena |
| Arcade | Incorrect gscAllowance Accounting & ERC20 Allowance Overwrite Risk in ArcadeTreasury | Medium | Code4rena |
| Badger | Redemption Drains Healthy CDPs → System-Wide Under-Collateralization | Medium | Code4rena |
| Canto | Epoch Boundary Reward Inflation via Misaligned nextEpoch Calculation in update_market | High | Code4rena |
| Init Capital | ReturnNative Flag Ignored in Withdraw Flow of MoneyMarketHook | Medium | Code4rena |
| Licredity | Self-Liquidation via Unlock Abuse in Licredity | Critical | Cyfrin Audits |
| Licredity | Self-Triggered Back-Run Enables LP Fee Farming in Licredity | High | Cyfrin Audits |
| Licredity | Index Desynchronization via Swap-and-Pop in Position Fungibles | Critical | Cyfrin Audits |
| Notional Finance | Single-Sided Redemption Slippage Bypass via Miscomputed Min Amounts | High | Sherlock Audits |
| Opensea | Seaport Merkle Tree Intermediate Hash Bypass in Criteria Resolution | Medium | Code4rena |
| Particle | Ineffective Deadline Usage in Particle's LiquidityPosition Library | Medium | Code4rena |
| PoolTogether | Loss of Unclaimed Yield Fees Due to Partial Claim Reset in PrizeVault | High | Code4rena |
| Reserve | Revenue Loss via Mid-Flight Distribution Parameter Changes in Reserve Protocol Distributor | Medium | Code4rena |
| Revert | Incorrect Daily Lending/Borrowing Cap Due to Off-by-One Scaling in V3Vault | Medium | Code4rena |
| Sentiment Protocol | Reserve Leakage via Unrestricted Borrowing in LToken Vault | Medium | Sherlock Audits |
| Size | Incremental Compensation Blocked by Strict CR Check in compensate() | Medium | Code4rena |
| Tapioca | Incorrect Share-to-Fraction Calculation Due to Inconsistent Rounding in MagnetarHelper | Medium | Code4rena |
| Verwa | Extra Gauge Weight via Front-Running Governance Overrides in GaugeController | Medium | Code4rena |
| Verwa | Replay Attack in Gauge Voting via Delegation Abuse | High | Code4rena |

Denial of Service

| Protocol | Vulnerability | Severity | Source |
|---|---|---|---|
| Althea Liquid | Denial of Service via Empty Distribution Griefing | Medium | Code4rena |
| Asymmetry Finance | Denial of Service via Rounding Edge Case in WstEth.withdraw | Medium | Code4rena |
| Autonolas | Global Withdraw DoS via Zero-Liquidity Position in Liquidity Lockbox | High | Code4rena |
| Axelar | Denial-of-Service via Flow-Limit Exhaustion in Axelar TokenManager | Medium | Code4rena |
| Basin | Cheap DoS via Zero-Fee TWAP Manipulation in Basin | Medium | Code4rena |
| Delegate | Nonce Desynchronization Leading to Denial of Service in CreateOfferer.sol | Medium | Code4rena |
| EvmAuth | Incomplete Burn Handling in _burnGroupBalances (EVMAuthExpiringERC1155) | High | Trail of Bits |
| EvmAuth | Incorrect Account Assignment in Token Burning Logic in EVMAuthExpiringERC1155 | High | Trail of Bits |
| Frankencoin | Fragile Challenge Finalization Due to Unchecked Transfer Failures in end() Function | Medium | Code4rena |
| Gondi | Auction DoS via Minimal Increment Bids in Gondi | Medium | Code4rena |
| Jpegd | Global Withdraw DoS via Negative-Delta Accounting in yVaultLPFarming | High | Code4rena |
| Livepeer Protocol | Fully Slashed Transcoder Vote Override Denial of Service Vulnerability | Medium | Code4rena |
| Nudge.xyz | DoS on Reallocation Processing via Privileged Executor Role Revocation | Medium | Code4rena |
| Phi | Griefing via Forced Share Lock Extension in Phi Protocol | Medium | Code4rena |
| PoolTogether | Prize Tier Manipulation via Single Claim Controlling largestTierClaimed | Medium | Code4rena |
| Putty | Global Withdraw DoS via Fee Transfer Revert in PuttyV2 | Medium | Code4rena |
| ReNFT | Rental Stop DoS via Disabled onStop Hook in reNFT Guard Policy | Medium | Code4rena |
| Reserve | Dutch Auctions Can Fail to Settle Due to Silent Error Handling in BackingManager | Medium | Code4rena |
| Revolution Protocol | Auction Settlement DoS via Malicious Multi-Creator Setup in Revolution Protocol | Medium | Code4rena |
| Revolution Protocol | DoS via Gas-Intensive NFT Minting Failing AuctionHouse's Auction Creation | Medium | Code4rena |
| Taiko | Denial of Service via Permissioned Genesis Block | Medium | Code4rena |

Front Running/MEV

| Protocol | Vulnerability | Severity | Source |
|---|---|---|---|
| Abracadabra.money | Deterministic Pool Address Hijack via tx.origin on Blast (CREATE2 Collision Under Reorg) | Medium | Code4rena |
| Blueberry | Blueberry Protocol - Disabled Deadline Enables Stale Swaps & MEV Exploitation | High | Sherlock Audits |
| Derby Finance | On-Chain Slippage Manipulation via Uniswap Quoter in Derby Finance | High | Sherlock Audits |
| Ethereum Credit Guild | Auction manipulation by block stuffing and reverting on ERC-777 hooks | Medium | Code4rena |
| EYWA | Transaction DoS via permit() Front-Running in RouterV2 | Medium | MixBytes |
| HyperBloom | Sandwich-Driven Liquidity Mint Manipulation via Calm-Period Bypass in Passive Strategy Manager | Medium | Pashov Audit Group |
| InitCapital | Limit Price Manipulation via Front-Running Allows Theft in Margin Order Filling | High | Code4rena |
| Loop Vaults | Incorrect Vesting Interest Calculation Enables MEV Exploitation | High | Pashov Audit Group |
| Notional Finance | Approval Front-Running via Allowance Overwrite in NoteERC20 | Medium | OpenZeppelin Audit |
| Nuts Finance | Initial Mint Front-Run Inflation Attack — SelfPeggingAsset (Tapio / NUTS Finance) | Critical | Tapio Security Audit Report |
| Rhinestone | PermissionID Swap Attack via Unsigned Permission Identifier in Enable-Mode Digest | High | Solodit |
| Stealth Project | Front-Run Pool Initialization & Forced Mispriced Liquidity Deposit in getOrCreatePoolAndAddLiquidity | Medium | Solodit (Code4rena) |

Governance

| Protocol | Vulnerability | Severity | Source |
|---|---|---|---|
| Alchemix | Zero-Supply Proposal Spam in AlchemixGovernor (Griefing Attack) | Medium | Solodit (Immunefi) |
| Ethereum Credit Guild | Cheap Governance Manipulation via PSM Unlimited Minting | Medium | Code4rena |
| Salty | Vote Inflation via SALT Recycling in Proposals.sol | Medium | Code4rena |

Insecure Randomness

| Protocol | Vulnerability | Severity | Source |
|---|---|---|---|
| AI Arena | NFT Attribute Manipulation via onERC721Received Hook Revert | Medium | Code4rena |

Invalid Validation

| Protocol | Vulnerability | Severity | Source |
|---|---|---|---|
| Angle | Invalid Input Validation Leading to Slippage/Token Order Mismatch | Medium | Code4rena |
| Livepeer Protocol | Incorrect Vote Deduction in Livepeer Governance System | High | Code4rena |
| Maia | Cross-chain DepositNonce Poisoning — retrieveDeposit() allows arbitrary nonces to be marked executed | High | Code4rena |
| Nextgen | Double Royalty Payout Due to Faulty Split Logic in NextGen Minter Contract | Medium | Code4rena |
| Olympus | Oracle-Based Post-Exit Skim Nullifies User Slippage Protection in BLVaultLido | High | Sherlock Audit |
| Panoptic | Duplicate TokenId fingerprint collision → solvency bypass in PanopticPool.sol | Medium | Code4rena |
| Lindy Labs Sandlock | Flash-Loan Fee Ignorance Leading to Rebalance & Withdraw DoS in Sandclock Vaults | High | Solodit |
| Venus | Fragile Liquidation Check in Comptroller.sol — Zero Borrow Balance Requirement | Medium | Code4rena |

Math / Arithmetic Errors

| Protocol | Vulnerability | Severity | Source |
|---|---|---|---|
| Isomorph | Bad Debt Persistence via Truncation Mismatch in Isomorph Velo Vault | Medium | Sherlock Audits |
| Munchables | Asset Freezing via Flawed Reward Penalty Calculation in LandManager | High | Code4rena |
| Ostium | Wrong Collateral Refund in Liquidation (liqPrice == priceAfterImpact) | Medium | Pashov Audit Group |
| PrePO | Zero-Share Mint via Total Asset Inflation in Collateral.sol | High | Code4rena |
| Rigor | Rounding Error Interest Loss via Day-Truncation in Interest Calculation | High | OpenCoreCh's Report |
| Size | Liquidation Profit Underflow via Decimal Mismatch in Collateral-Debt Conversion | High | Code4rena |
| Terplayer | Withdrawal Underflow via Self-Delegation and Ceiling Division in BVT Reward Vault | Critical | Shieldify Audits |
| Traitforge | Age Underestimation Due to Early Integer Division in calculateAge() | Medium | Code4rena |
Traitforge Age Underestimation Due to Early Integer Division in calculateAge() Medium Code4rena

Reentrancy

| Protocol | Vulnerability | Severity | Source |
|---|---|---|---|
| Angle Protocol | Reentrancy-Based Reward Inflation via Collateral Ratio Manipulation in Angle Transmuter | Medium | Code4rena |
| Itos | Self-Transfer Settlement Bypass in reentrantSettle | High | Pashov Audit Group |
| Panoptic | Reentrancy in SemiFungiblePositionManager via ERC777 tokensToSend Hook | High | Code4rena |
| ReNFT | Reentrancy via safeTransferFrom Callback in PAY Rentals | Medium | Code4rena |
| ReNFT | reNFT — ERC1155 Hijack via Reentrancy / TOCTOU (rentedAssets) | High | Code4rena |

Timing

| Protocol | Vulnerability | Severity | Source |
|---|---|---|---|
| Basin | Immutable BLOCK_TIME Parameter Cause Oracle Flaws | Medium | Code4rena |
| Frankencoin | Inaccurate Holding Duration on Optimism Due to block.number Usage in Equity.sol | Medium | Code4rena |
| Karak | Unfair Withdrawal Slashing During Veto Window in Karak Vaults | Medium | Code4rena |
| Renzo | L1→L2 Price Update Reverts Due to Cross-Chain Timestamp Mismatch | Medium | Code4rena |
| Verwa | Permanent Lock via Expired-Lock Undelegation Restriction in VotingEscrow | High | Code4rena |

Others

| Protocol | Vulnerability | Type | Severity | Source |
|---|---|---|---|---|
| Arbitrum | Signature Replay in Split-Voting Governor Elections | Signature Replay / Missing Nonce / Authorization Bypass | High | Code4rena |
| Cap | Missing Slippage Protection in Liquidation Allows Unexpected Collateral Loss | Missing Slippage Protection / Value Mismatch in Liquidation | Medium | Sherlock |
| Goodentry | Unchecked Call Return Value in ETH Transfers | call/delegatecall - Unchecked Return Value | Medium | Code4rena |
| OpenSea | Partial Order Fulfillment Discount via Low-Decimal ERC20 in BasicOrderFulfiller | Precision Loss / Partial Payment Exploit | Medium | Code4rena |
| Optimism | Incorrect DISPUTED_L2_BLOCK_NUMBER Causes Cross-Game Context Collisions & Invalid VM Outcomes | Incorrect State Context / Fault Proof Misdirection / Cross-Game Inconsistency | High | Code4rena |
| Stader | Consensus Stall via Strict Equality in StaderOracle Submissions | Logic Error / Consensus Liveness Failure | Medium | Code4rena |
| Y2K Finance | EIP-4626 Interface Mismatch Causing Potential Integration Breakage in SemiFungibleVault | Standards Non-Compliance / Composability Risk / Integration Inconsistency | High | Code4rena |

Case Studies

| Protocol | Vulnerability | Type | Severity | Source |
|---|---|---|---|---|
| Curve | Curve LP Oracle Manipulation via Read-Only Reentrancy | Oracle Manipulation / Read-Only Reentrancy | High | ChainSecurity |
| Sushi (Miso) | ETH Double-Spend & Refund Exploit via BoringBatchable in MISO Auction | Value Reuse / Accounting Manipulation / Refund Exploit | Critical | Samczun's blog |
