Issues: code-423n4/2024-07-karak-findings
Slashing NativeVault will lead to locked ETH for the users
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
edited-by-warden
H-01
primary issue
Highest quality submission among a set of duplicates
🤖_11_group
AI based duplicate group recommendation
satisfactory
satisfies C4 submission criteria; eligible for awards
selected for report
This submission will be included/highlighted in the audit report
sufficient quality report
This report is of sufficient quality
#102
opened Aug 20, 2024 by
howlbot-integration
bot
QA Report
3rd place
bug
Something isn't working
grade-a
Q-01
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
sufficient quality report
This report is of sufficient quality
#97
opened Aug 1, 2024 by
howlbot-integration
bot
QA Report
2nd place
bug
Something isn't working
edited-by-warden
grade-a
Q-02
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
sufficient quality report
This report is of sufficient quality
#96
opened Aug 1, 2024 by
howlbot-integration
bot
Operators can stake a vault more than once to a single DSS
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-61
grade-b
Q-03
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
🤖_20_group
AI based duplicate group recommendation
sufficient quality report
This report is of sufficient quality
#94
opened Aug 1, 2024 by
howlbot-integration
bot
Operator can bypass MIN_STAKE_UPDATE_DELAY by spamming requestUpdateVaultStakeInDSS()
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-61
grade-b
Q-04
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
🤖_20_group
AI based duplicate group recommendation
sufficient quality report
This report is of sufficient quality
#89
opened Aug 1, 2024 by
howlbot-integration
bot
Attacker can DOS a new user in Native Restaking
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-59
grade-b
Q-05
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
🤖_23_group
AI based duplicate group recommendation
sufficient quality report
This report is of sufficient quality
#74
opened Aug 1, 2024 by
howlbot-integration
bot
A DSS cannot stop staking of a vault that doesn't meet its conditions
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-21
grade-b
Q-06
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
🤖_20_group
AI based duplicate group recommendation
sufficient quality report
This report is of sufficient quality
#70
opened Aug 1, 2024 by
howlbot-integration
bot
Request update stake can be repeated for a vault to a DSS even when the vault is staked already
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
grade-b
primary issue
Highest quality submission among a set of duplicates
Q-07
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
🤖_20_group
AI based duplicate group recommendation
sufficient quality report
This report is of sufficient quality
#61
opened Aug 1, 2024 by
howlbot-integration
bot
New NodeOwners can be griefed by forcing them to provide proof for an empty snapshot without any shares increase/decrease on their node
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
edited-by-warden
grade-b
primary issue
Highest quality submission among a set of duplicates
Q-08
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
🤖_primary
AI based primary recommendation
🤖_23_group
AI based duplicate group recommendation
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
sufficient quality report
This report is of sufficient quality
#59
opened Aug 1, 2024 by
howlbot-integration
bot
The operator can create a NativeVault that can be silently unslashable.
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
H-02
primary issue
Highest quality submission among a set of duplicates
🤖_74_group
AI based duplicate group recommendation
satisfactory
satisfies C4 submission criteria; eligible for awards
selected for report
This submission will be included/highlighted in the audit report
sponsor disputed
Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
sufficient quality report
This report is of sufficient quality
#55
opened Aug 1, 2024 by
howlbot-integration
bot
Changing the slashingHandler for NativeVaults will DoS slashing
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
M-01
primary issue
Highest quality submission among a set of duplicates
🤖_primary
AI based primary recommendation
🤖_74_group
AI based duplicate group recommendation
satisfactory
satisfies C4 submission criteria; eligible for awards
selected for report
This submission will be included/highlighted in the audit report
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
sufficient quality report
This report is of sufficient quality
#49
opened Jul 30, 2024 by
c4-bot-1
QA Report
bug
Something isn't working
grade-a
insufficient quality report
This report is not of sufficient quality
Q-09
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
#45
opened Jul 30, 2024 by
c4-bot-9
The Core contract doesn't implement IDSS.cancelUpdateStakeHook().
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
grade-b
Q-10
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
🤖_primary
AI based primary recommendation
sufficient quality report
This report is of sufficient quality
#39
opened Jul 30, 2024 by
c4-bot-8
A DoS on snapshots due to a rounding error in calculations.
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
edited-by-warden
H-03
insufficient quality report
This report is not of sufficient quality
primary issue
Highest quality submission among a set of duplicates
🤖_primary
AI based primary recommendation
satisfactory
satisfies C4 submission criteria; eligible for awards
selected for report
This submission will be included/highlighted in the audit report
upgraded by judge
Original issue severity upgraded from QA/Gas by judge
#36
opened Jul 30, 2024 by
c4-bot-6
A snapshot may face a permanent DoS if both a slashing event occurs in the NativeVault and the staker's validator is penalized.
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
insufficient quality report
This report is not of sufficient quality
M-02
primary issue
Highest quality submission among a set of duplicates
🤖_primary
AI based primary recommendation
🤖_29_group
AI based duplicate group recommendation
satisfactory
satisfies C4 submission criteria; eligible for awards
selected for report
This submission will be included/highlighted in the audit report
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
#31
opened Jul 30, 2024 by
c4-bot-1
Malicious Operator can utilize a malicious DSS and an overleveraged vault to frontrun an honest DSS's slashing request to protect its funds
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
edited-by-warden
grade-b
insufficient quality report
This report is not of sufficient quality
Q-11
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
🤖_06_group
AI based duplicate group recommendation
#27
opened Jul 30, 2024 by
c4-bot-10
QA Report
1st place
bug
Something isn't working
grade-a
Q-12
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
selected for report
This submission will be included/highlighted in the audit report
#22
opened Jul 30, 2024 by
c4-bot-7
Operator can DOS DSS's unregistrationHook function by specifying arbitrary unregistrationHookData while not reverting its own Core.unregisterOperatorFromDSS function call
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
grade-a
primary issue
Highest quality submission among a set of duplicates
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
🤖_primary
AI based primary recommendation
🤖_64_group
AI based duplicate group recommendation
sponsor disputed
Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
sufficient quality report
This report is of sufficient quality
#21
opened Jul 30, 2024 by
c4-bot-5
Every operator is unexpectedly DOS'ed from staking to a DSS and possible leveraging for at least 9 days
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
grade-a
insufficient quality report
This report is not of sufficient quality
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
🤖_20_group
AI based duplicate group recommendation
#19
opened Jul 30, 2024 by
c4-bot-5
DSS can force operator to pay much more for gas than necessary when calling DSS's hooks
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
grade-a
primary issue
Highest quality submission among a set of duplicates
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
🤖_09_group
AI based duplicate group recommendation
sponsor disputed
Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
sufficient quality report
This report is of sufficient quality
#18
opened Jul 30, 2024 by
c4-bot-6
When malicious behavior occurs and DSS requests slashing against vault during 2 day period after SLASHING_WINDOW of 7 days is passed after staker initiates a withdrawal, token amount to be slashed is calculated to be higher than what it should be
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
M-03
primary issue
Highest quality submission among a set of duplicates
🤖_primary
AI based primary recommendation
🤖_13_group
AI based duplicate group recommendation
satisfactory
satisfies C4 submission criteria; eligible for awards
selected for report
This submission will be included/highlighted in the audit report
sponsor disputed
Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
sufficient quality report
This report is of sufficient quality
#17
opened Jul 30, 2024 by
c4-bot-2
Delayed Slashing Window and Lack of Transparency for Pending Slashes Could Lead to Loss of Funds
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
M-04
primary issue
Highest quality submission among a set of duplicates
🤖_28_group
AI based duplicate group recommendation
satisfactory
satisfies C4 submission criteria; eligible for awards
selected for report
This submission will be included/highlighted in the audit report
sponsor disputed
Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
sufficient quality report
This report is of sufficient quality
#15
opened Jul 30, 2024 by
c4-bot-8
QA Report
bug
Something isn't working
edited-by-warden
grade-a
insufficient quality report
This report is not of sufficient quality
Q-13
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
#14
opened Jul 30, 2024 by
c4-bot-3
Vault is vulnerable to Inflation Attack
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
grade-b
insufficient quality report
This report is not of sufficient quality
primary issue
Highest quality submission among a set of duplicates
Q-14
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
🤖_primary
AI based primary recommendation
🤖_24_group
AI based duplicate group recommendation
satisfactory
satisfies C4 submission criteria; eligible for awards
#10
opened Jul 26, 2024 by
c4-bot-6
Blocking of Default Vault Implementation in changeImplementationForVault Function
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
grade-a
insufficient quality report
This report is not of sufficient quality
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
🤖_primary
AI based primary recommendation
🤖_02_group
AI based duplicate group recommendation
#8
opened Jul 24, 2024 by
c4-bot-2