Comments (2)
There are additional validation steps for the event, which also include transaction matching on L1 and ensuring all the balances are in place before the actual card topup occurs. Based on the description, though, if this event were the only source of truth for the topup, that would be a high severity.
from 2022-10-mover-judging.
From a pure Solidity perspective, it is not an attack vector if an event can be emitted with arbitrary calls. However, we like to take the business logic into account to a certain degree, but considering the protocol put the following text in their readme:
https://github.com/sherlock-audit/2022-10-mover/blob/main/cardtopup_contract/readme.md
The settlement process on L1 is off-chain and out of scope of the smart contracts. If the proper event would be generated for card top-up, it would be further processed by backend infrastructure.
We don't assign a medium or high severity to this issue.
from 2022-10-mover-judging.
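The off-chain matching that the first comment describes (the event is only a trigger; the backend still matches the L1 transaction and confirms the funds actually moved) is what makes "anyone can make the contract emit this event" a non-finding. The consumer below is an added example, not code from the Mover project or its backend: the contract addresses, event selectors, log layout and the three sample receipts are all constructed for illustration, and the topic values are placeholders standing in for the keccak256 event signatures so the example runs offline.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed placeholders, not the project's real deployments or selectors.
TRUSTED_TOPUP_CONTRACT = "0x1111111111111111111111111111111111111111"
SETTLEMENT_RECEIVER = "0x2222222222222222222222222222222222222222"
SETTLEMENT_TOKEN = "0x3333333333333333333333333333333333333333"
USER = "0x4444444444444444444444444444444444444444"
TOPUP_TOPIC = "0xtopup"        # stands in for keccak256 of the top-up event signature
TRANSFER_TOPIC = "0xtransfer"  # stands in for keccak256("Transfer(address,address,uint256)")
MIN_CONFIRMATIONS = 12


@dataclass
class Log:
    address: str       # emitting contract; set by the EVM, the caller cannot choose it
    topics: List[str]  # topics[0] is the event selector, indexed args follow (addresses kept unpadded here)
    data: int          # the single non-indexed uint256 of these simplified events


@dataclass
class Receipt:
    tx_hash: str
    status: int
    block_number: int
    logs: List[Log]


def validate_topup(receipt: Receipt, head_block: int, order: dict) -> Tuple[bool, str]:
    """Return (accepted, reason). `order` is the backend's own pending record
    (user, token, amount); the event is matched against it, never trusted on its own."""
    if receipt.status != 1:
        return False, "reverted transaction"
    if head_block - receipt.block_number < MIN_CONFIRMATIONS:
        return False, "not enough confirmations"
    # 1. Same-signature events from any other contract are ignored: log.address is
    #    assigned by the EVM, so an attacker's own contract cannot impersonate the trusted one.
    topups = [l for l in receipt.logs
              if l.address.lower() == TRUSTED_TOPUP_CONTRACT and l.topics[0] == TOPUP_TOPIC]
    if len(topups) != 1:
        return False, "expected exactly one top-up event from the trusted contract"
    ev = topups[0]
    if ev.topics[1].lower() != order["user"] or ev.data != order["amount"]:
        return False, "event does not match the pending order"
    # 2. Even an event genuinely emitted by the trusted contract (e.g. via an arbitrary-call
    #    path) proves nothing by itself: the same receipt must carry the ERC-20 Transfer
    #    that moved the funds to the settlement receiver.
    backed = any(l.address.lower() == order["token"]
                 and l.topics[0] == TRANSFER_TOPIC
                 and len(l.topics) == 3
                 and l.topics[2].lower() == SETTLEMENT_RECEIVER
                 and l.data == order["amount"]
                 for l in receipt.logs)
    if not backed:
        return False, "no matching token transfer to settlement receiver"
    return True, "ok"


ORDER = {"user": USER, "token": SETTLEMENT_TOKEN, "amount": 100_000_000}


def sample_receipts() -> Tuple[Receipt, Receipt, Receipt]:
    """Three constructed receipts: a real top-up, a look-alike event from an attacker's
    contract, and an event from the trusted contract that no transfer backs."""
    legit = Receipt("0xa1", 1, 100, [
        Log(SETTLEMENT_TOKEN, [TRANSFER_TOPIC, USER, SETTLEMENT_RECEIVER], 100_000_000),
        Log(TRUSTED_TOPUP_CONTRACT, [TOPUP_TOPIC, USER], 100_000_000),
    ])
    spoofed_emitter = Receipt("0xa2", 1, 100, [
        Log("0xdeaddeaddeaddeaddeaddeaddeaddeaddeaddead", [TOPUP_TOPIC, USER], 100_000_000),
    ])
    unbacked = Receipt("0xa3", 1, 100, [
        Log(TRUSTED_TOPUP_CONTRACT, [TOPUP_TOPIC, USER], 100_000_000),
    ])
    return legit, spoofed_emitter, unbacked


if __name__ == "__main__":
    for r in sample_receipts():
        print(r.tx_hash, validate_topup(r, head_block=200, order=ORDER))
```

The second check is the one that matters for the issue under discussion: if the contract can be made to emit the top-up event without the corresponding transfer, the receipt still lacks a matching Transfer to the settlement receiver and the backend never credits the card.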
Related Issues (20)
- ak1 - Lack for sanity check while setting the exchangeProxyContract, trustedRegistryContract could cause the protocol to misbehave.
- ignacio - LACK OF REENTRANCY GUARDS ON EXTERNAL FUNCTIONS
- WATCHPUG - `exchangeFee` can be escaped
- 8olidity - Malicious tokens can safeTransferFrom() results
- WATCHPUG - `_expectedMinimumReceived` should consider `topupFee`
- WATCHPUG - Lack of sanity checks in the setter functions can result in malfunctions
- WATCHPUG - Slippage tolerance for Synapse should not be specified as constant values of `0.95`, `0.91`
- ak1 - _processTopup will not work when SYNAPSE bridge is paused. All other process could not function.
- ignacio - ABI.ENCODEPACKED() SHOULD NOT BE USED WITH DYNAMIC TYPES WHEN PASSING THE RESULT TO A HASH FUNCTION SUCH AS KECCAK256()
- ignacio - <ARRAY>.LENGTH SHOULD NOT BE LOOKED UP IN EVERY LOOP OF A FOR-LOOP and Increments can be unchecked
- ak1 - checkAllowance could not work as intended when the token decimal value is not 18
- ignacio - Miners can influence the value of block.timestamp to perform Maximal Extractable Value (MEV) attacks.
- Chom - setYieldDistributor doesn't reset allowance for old yield distributor
- ak1 - No clarity on the amount of fee set by admin. Could lead to loss of fund to protocol user. Lack of decentralisation
- vlad - Unprotected initialize function of the implementation contract
- vlad - Reuse of the signature for CardTopupTrusted
- vlad - Reuse of the same input parameters in CardTopupMPTProof
- vlad - Invalid logic of checkApprove when input data is not long enough
- ak1 - Implementation of own signing and verifying mechanism is more dangerous.