Audit-365 🚀


🤔 What is Audit-365?

Audit-365 is a personal challenge in which I post educational content on smart contract auditing and web3 security every day of the year, starting on 1st January, 2023 and running through 31st December, 2023. It will be actual content, without any filler.

⛔ Discontinuation of Challenge:

Unfortunately, I had to discontinue the challenge due to health issues and other priorities. I successfully continued for around 60 days, but had to stop due to other commitments at that point in time. I hope to return soon with even more awesome ideas.


Daily Swig:

| Day | Finding | Severity | Category | Thread Link |
|-----|---------|----------|----------|-------------|
| 01 | User's Orders can be canceled by anyone and their ETH can be stolen | High | Audit Findings | Link |
| 02 | Double transfer in the transferAndCall function | High | Audit Findings | Link |
| 03 | Unchecked Return Value from "ecrecover" | Critical | BugFix Reports | Link |
| 04 | EIP-712 signatures can be re-used | Medium | Audit Findings | Link |
| 05 | Use safeCast for changing types | Medium | Audit Findings | Link |
| 06 | BLOCK_PERIOD IS INCORRECT | Medium | Audit Findings | Link |
| 07 | Insufficient validation of Chainlink Oracle data feed | Medium | Audit Findings | Link |
| 08 | 88mph Function Initialization Bug (Reward $42,069) | Critical | BugFix Reports | Link |
| 09 | 700+ Smart contract Bugs, $1 Million Bug Payout, Trust's Interview, and more | - | Weekly Newsletter | Link |
| 10 | Sandwich attack due to hardcoded slippage | High | Audit Findings | Link |
| 11 | Initialize function can be invoked multiple times | Medium | Audit Findings | Link |
| 12 | A Typo leading to locking of Funds | High | Audit Findings | Link |
| 13 | Centralisation Risk: Owner Of RoyaltyVault Can Take All Funds | High | Audit Findings | Link |
| 14 | Call Return is executed before 'require' check | High | Audit Findings | Link |
| 15 | Reentrancy Vulnerability due to violation of the CEI Pattern | Critical | Real-life Exploits | Link |
| 16 | Zero-Knowledge: A-Z, Web3 Security Tools Lists, Bug Bounty, Defcon CTF, etc | - | Weekly Newsletter | Link |
| 17 | Lack of access control in the parameterize function of proposal contracts | Medium | Audit Findings | Link |
| 18 | Reentrancy Guard Lacking in mint function | Medium | Audit Findings | Link |
| 19 | Lender can change NFT valuation oracle without borrower permission | High | Audit Findings | Link |
| 20 | Incorrect airdrop calculation | Critical | Real-life Exploits | Link |
| 21 | Tokens with more than 18 decimal points will cause issues | Medium | Audit Findings | Link |
| 22 | Cannot unpause exchange | Medium | Audit Findings | Link |
| 23 | Zcash Hash Collision, Reversing The EVM, Ice Phishing Attacks and many more | - | Weekly Newsletter | Link |
| 24 | Usage of deprecated ChainLink API | Medium | Audit Findings | Link |
| 25 | Lack of Access control over burn function | Critical | Real-life Exploits | Link |
| 26 | Bad Source of Randomness | Critical | Real-life Exploits | Link |
| 27 | Arbitrary Token Burn | High | Audit Findings | Link |
| 28 | Users can get unlimited Votes | High | Audit Findings | Link |
| 29 | Incorrect number of seconds in ONE_YEAR variable | Medium | Audit Findings | Link |
| 30 | Unnecessary precision loss in _recipientBalance() | Medium | Audit Findings | Link |
| 31 | Reward Manager of the Convex Base Reward Pool Can DoS processYield() | Medium | Audit Findings | Link |
| 32 | Low-level transfer via call() can fail silently | Medium | Audit Findings | Link |
| 33 | ERC20 bridging functions do not revert on non-zero msg.value | Medium | Audit Findings | Link |
| 34 | User can escape from paying fees | Medium | Audit Findings | Link |
| 35 | The noContract modifier does not work as expected | Medium | Audit Findings | Link |
| 36 | Sandwich attacks are possible as there is no slippage control | Medium | Audit Findings | Link |
| 37 | No checked success for Oracle | High | Audit Findings | Link |
| 38 | HolyPaladinToken.sol uses ERC20 token with a highly unsafe pattern | Medium | Audit Findings | Link |
| 39 | Initialize function can be front-run | Medium | Audit Findings | Link |
| 40 | No upper limit for selling fees (Exit Scam) | High | Real-life Exploits | Link |
| 41 | Division before multiplication | Medium | Audit Findings | Link |
| 42 | User specified slippage allows frontrunning | Medium | Audit Findings | Link |
| 43 | Protocol pays swap fees instead of users | Medium | Audit Findings | Link |
| 44 | call() should be used instead of transfer() on an address payable | Medium | Audit Findings | Link |
| 45 | Dust amounts can cause payments to fail, leading to default | Medium | Audit Findings | Link |
| 46 | Votes can be amplified due to insufficient checks | Medium | Audit Findings | Link |
| 47 | Anyone can spend on behalf of roller periphery | High | Audit Findings | Link |
| 48 | Lack of Access control on Minting tokens | Critical | Exploit Findings | Link |
| 49 | Bad Source of Randomness leading to a broken contract | High | Exploit Findings | Link |
| 50 | Incorrect Validation leading to a DoS attack | Medium | Audit Findings | Link |
| 51 | Pool Manager can front-run fees to 100% | Medium | Audit Findings | Link |
| 52 | Precision loss due to division before multiplication | Medium | Audit Findings | Link |
| 53 | NFT to be frozen in a contract that does not support ERC721 | Medium | Audit Findings | Link |
| 54 | Lack of sanity check for stoptime | Medium | Audit Findings | Link |
| 55 | approve can fail for some tokens | Medium | Audit Findings | Link |
| 56 | User specified input allows frontrunning | High | Audit Findings | Link |
| 57 | Lack of Access Control | Critical | Audit Findings | Link |
| 58 | Incorrect Validation in transferLPs leads to a DoS attack | Medium | Audit Findings | Link |
| 59 | Wrong deduction of fees | High | Audit Findings | Link |
| 60 | Arbitrary transactions possible due to insufficient | High | Audit Findings | Link |

Connect with me

Sm4rty-1