Contract Vulnerabilities #599

thelostone-mc · 2022-11-01T04:15:18Z

thelostone-mc
Nov 1, 2022

Etherscan has reported the following vulnerabilities on our contracts which are documented over at
https://github.com/gitcoinco/grants-round/blob/main/packages/contracts/docs/CHAINS.md

ProgramFactory
QuadraticFundingVotingStrategyFactory
RoundFactory

The compiled contract might be susceptible to AbiReencodingHeadOverflowWithStaticArrayCleanup (medium-severity), DirtyBytesArrayToStorage (low-severity), DataLocationChangeInInternalOverride (very low-severity), NestedCalldataArrayAbiReencodingSizeValidation (very low-severity), SignedImmutables (very low-severity), ABIDecodeTwoDimensionalArrayMemory (very low-severity), KeccakCaching (medium-severity) Solidity Compiler Bugs.

Sample: https://goerli.etherscan.io/address/0x548c775c4Bd61d873a445ee4E769cf1A18d60eA9#code

==========

ProgramImplementation
QFVotingStrategyImplementation
RoundImplementation
MerklePayoutContract

The compiled contract might be susceptible to AbiReencodingHeadOverflowWithStaticArrayCleanup (medium-severity), DirtyBytesArrayToStorage (low-severity), DataLocationChangeInInternalOverride (very low-severity), NestedCalldataArrayAbiReencodingSizeValidation (very low-severity), SignedImmutables (very low-severity) Solidity Compiler Bugs.

Sample: https://goerli.etherscan.io/address/0x8568133fF3Ef0BD108868278Cb2a516Eaa3B8ABf#code

Answered by bhargavaparoksham

Nov 1, 2022

@thelostone-mc It seems etherscan is showing the same vulnerabilities to all contracts.

Here's Aave V2 Lending pool contract on the mainnet. Etherscan is showing all the same vulnerabilities - https://etherscan.io/address/0x7d2768de32b0b80b7a3454c06bdac94a69ddc7a9#code

DAI ERC20 contract has similar vulnerabilities as per etherscan: https://etherscan.io/token/0x6b175474e89094c44da98b954eedeac495271d0f#code

Other example upgradeable contract on mainnet with similar vulnerabilities:
https://etherscan.io/address/0x0c30476f66034e11782938df8e4384970b6c9e8a#code

View full answer

bhargavaparoksham · 2022-11-01T14:24:43Z

bhargavaparoksham
Nov 1, 2022

@thelostone-mc It seems etherscan is showing the same vulnerabilities to all contracts.

Here's Aave V2 Lending pool contract on the mainnet. Etherscan is showing all the same vulnerabilities - https://etherscan.io/address/0x7d2768de32b0b80b7a3454c06bdac94a69ddc7a9#code

DAI ERC20 contract has similar vulnerabilities as per etherscan: https://etherscan.io/token/0x6b175474e89094c44da98b954eedeac495271d0f#code

Other example upgradeable contract on mainnet with similar vulnerabilities:
https://etherscan.io/address/0x0c30476f66034e11782938df8e4384970b6c9e8a#code

1 reply

thelostone-mc Nov 1, 2022
Author

Oh, that's reassuring! Let's bring this up on the call and see what the team thinks
Smart thinking on checking other contracts @bhargavaparoksham :D

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Contract Vulnerabilities #599

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Contract Vulnerabilities #599

Uh oh!

Uh oh!

thelostone-mc Nov 1, 2022

Replies: 1 comment · 1 reply

Uh oh!

bhargavaparoksham Nov 1, 2022

Uh oh!

thelostone-mc Nov 1, 2022 Author

thelostone-mc
Nov 1, 2022

Replies: 1 comment 1 reply

bhargavaparoksham
Nov 1, 2022

thelostone-mc Nov 1, 2022
Author