Knowledge Base - Issues
Our knowledge-base provides a comprehensive collection of information on vulnerabilities related to cyber security.Arbitrary Jump with Function Type Variable is a vulnerability of category Smart Contract, which affects Solidity-based Smart Contracts (SWC). This vulnerability is defined by Common Weakness Enumeration (CWE-427) as "Uncontrolled Search Path Element". The OWASP Testing Guide describes the vulnerability as a "failure to properly validate the contents of function...
Assert Violation is a vulnerability that occurs in smart contracts and is categorized as CWE-613. It occurs when an assertion is made in a smart contract and is not enforced. OWASP defines this type of vulnerability as "failure to properly enforce an assertion that has been made". This leads to...
Authorization through tx.origin is an IT vulnerability in the category of Smart Contract, which occurs in the Solidity programming language (SWC). This vulnerability allows an attacker to bypass authorization checks as the tx.origin parameter appears to be trusted by the Smart Contract. According to the Common Weakness Enumeration (CWE) directory,...
Block values as a proxy for time (CWE-843) is a type of vulnerability that is present in Smart Contracts, particularly those generated in programming languages such as Solidity and Vyper. This vulnerability arises when the time value of a block is used as a proxy for an application's time value....
Delegatecall to Untrusted Callee is a vulnerability of category Smart Contract (CWE-817). It is related to insecure coding practices that can be seen in the Solidity programming language (SWC). Delegatecall to Untrusted Callee is a vulnerability that occurs when a contract calls an external contract that is not verified or...
DoS With Block Gas Limit is a vulnerability of the Smart Contract category, which has been identified in the Smart Contract Wallet (SWC). It is classified as CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion'), according to the CWE directory. According to the OWASP Testing Guide, this attack occurs when a smart...
DoS with Failed Call (CWE-400) is a type of Smart Contract vulnerability that occurs in SWC (Solidity). It is a type of attack where an attacker can cause an internal function of the contract to enter an infinite loop, which causes the contract to lock up and stop functioning. This...
Floating Pragma is a type of vulnerability found in smart contracts, specifically in the Solidity programming language. It occurs when a contract is written with a compiler version that is later than the one specified in the source code. This can lead to an unpredictable execution of the contract, causing...
Function Default Visibility is a Smart Contract vulnerability in SWC (Software Composition Analysis) which relates to the CWE-837: Improper Enforcement of a Single, Unique Action. This type of vulnerability occurs when a function is set to public visibility by default, allowing anyone to call it and execute code without any...
Hash Collisions With Multiple Variable Length Arguments is a vulnerability that occurs in Smart Contracts written in Solidity (SWC). According to the CWE directory, this vulnerability occurs when the same hash is assigned to multiple strings of different lengths, allowing for the execution of malicious code. This vulnerability can lead...
Incorrect Constructor Name is a vulnerability of the category Smart Contract. It occurs in Solidity and the Common Weakness Enumeration (CWE) directory refers to it as CWE-811. According to the OWASP Testing Guide, this vulnerability occurs when the constructor is named incorrectly, allowing malicious attackers to call the constructor multiple...
Incorrect Inheritance Order, a smart contract vulnerability identified in the Common Weakness Enumeration (CWE) directory, occurs when the order of inheritance is incorrect when a contract is written in Solidity (SWC). This can lead to security issues due to incorrect visibility rules for functions and state variables, and can be...
Insufficient Gas Griefing (CWE-843) is a type of vulnerability found in the Smart Contract code of a Software Composition Analysis (SCA) system. It is a type of security issue that can arise when a contract does not have enough gas to execute a set of instructions, leading to a denial...
Integer overflow/underflow is a type of software vulnerability in which an integer value is stored in memory but exceeds the maximum or minimum size of storage space, leading to unexpected and potentially dangerous outcomes. This vulnerability is classified as CWE-190 in the Common Weakness Enumeration (CWE) directory and is mentioned...
Lack of Proper Signature Verification is a vulnerability identified in the Common Weakness Enumeration (CWE) directory and is classified as a software security coding issue (CWE-347). It is a vulnerability that arises when a Smart Contract in Solidity (SWC) does not properly verify the digital signature of a transaction before...
Message call with hardcoded gas amount is a type of vulnerability found in Smart Contracts. This vulnerability occurs when a message call is made with a hardcoded gas amount that is not sufficient for the call to be executed. This can lead to further issues such as the smart contract...
Missing Protection Against Signature Replay Attacks is a vulnerability (CWE-345) in Smart Contracts which occurs when a contract system fails to provide protection against signature replay attacks. Signature replay attacks are a type of attack in which a malicious user obtains a valid signature from a legitimate user and then...
Outdated Compiler Version is a type of vulnerability classified under the Smart Contract category (CWE-827) of the Common Weakness Enumeration (CWE). It is a vulnerability that occurs when the source code of a smart contract is compiled with an out-of-date compiler version. This can result in the code not being...
Presence of unused variables, CWE-561, is a type of vulnerability that occurs when a software component contains variables that are not used anywhere within the codebase. This is commonly seen in Smart Contract development, where Solidity is the most commonly used language. This type of vulnerability can lead to a...
Reentrancy is a type of vulnerability that occurs in Smart Contracts, specifically in Solidity-based languages (SWC). It is a type of attack in which an attacker can repeatedly call a vulnerable function on a contract and access the internal state of the contract. The attacker can use this access to...
Requirement Violation is a vulnerability of the category Smart Contract, which occurs in SWC. It is defined in the CWE Directory as "The software does not conform to the specified requirements or violates an explicitly or implicitly stated contract or agreement between parties that is an input to the software"....
Right-To-Left-Override control character (U+202E) is a vulnerability in the software code (SWC) that can allow an attacker to manipulate data. This vulnerability is also referred to as a Unicode Character Encoding Vulnerability and is categorized in the Common Weakness Enumeration (CWE) directory as CWE-202. In a Right-To-Left-Override attack, the vulnerability...
Shadowing State Variables is an IT vulnerability that occurs in Smart Contracts that are written in Solidity (SWC). It is classified as CWE-827, which is a type of Improper Control of a Resource Through its Lifetime. This vulnerability occurs when a developer re-declares a state variable with the same name...
Signature malleability is a vulnerability in Smart Contracts (SWC) that allows an attacker to modify the signature of a transaction before broadcasting it to the blockchain network. It is classified as a type of Tampering vulnerability and is listed in the Common Weakness Enumeration (CWE) directory. According to OWASP, it...
State Variable Default Visibility is a type of vulnerability associated with Smart Contract applications. This vulnerability occurs when a state variable is declared but its visibility is not specified, thus allowing anyone to access the state variable and change its value. It is an example of a software vulnerability classified...
Transaction Order Dependence (TOD) is a type of vulnerability that occurs in certain types of smart contracts. Specifically, it describes a situation when smart contracts do not correctly handle re-ordered or concurrent transactions. The Common Weakness Enumeration (CWE) directory defines the vulnerability as “the software does not correctly handle reordered...
Typographical Error (CWE-20) is a type of vulnerability in Smart Contracts that occurs when the code fails to validate user input correctly. This vulnerability is often caused by typos made during coding, such as missing a character or mistyping a keyword. According to the OWASP Testing Guide, this type of...
Unchecked Call Return Value (CWE-252) is a vulnerability in Smart Contracts that occurs when the return value from a called function is not checked and it is assumed that the return value is valid. This can lead to serious security issues, as an attacker can manipulate the return values and...
Unencrypted Private Data On-Chain is a type of software weakness classified in the Common Weakness Enumeration (CWE) directory as CWE-310. It occurs when private data is stored on the blockchain in an unencrypted form, making it open to malicious actors who can access the data. This vulnerability is present in...
Unexpected Ether Balance is a type of vulnerability that occurs in Smart Contracts. It is defined by the Common Weakness Enumeration (CWE) directory as CWE-845: "Improper Restriction of Excessive Authentication Attempts". This vulnerability occurs when a Smart Contract allows users to transfer Ether without sufficient checks. This can lead to...
Uninitialized Storage Pointer (USP) is a type of smart contract vulnerability classified within the Common Weakness Enumeration (CWE) directory as CWE-845. It is a type of insecure coding practice that occurs when a program fails to check if a storage pointer has been initialized to a valid memory address or...
Unprotected Ether Withdrawal (UEW) is a type of smart contract vulnerability that can be exploited by malicious actors to steal cryptocurrencies from vulnerable contracts, such as Simple Wallet Contracts (SWC). UEW occurs when a smart contract allows ether to be withdrawn without any restrictions or checks for authorization. This type...
Unprotected SELFDESTRUCT Instruction is a vulnerability classified in CWE-813 (Improper Control of Generation of Code (‘Code Injection’)) and related to Smart Contracts. It occurs when a self-destruct instruction is called within a smart contract and it is not correctly protected, allowing anyone to call the instruction and delete the smart...
Use of Deprecated Solidity Functions is a vulnerability of category Smart Contract, and is classified as CWE-831: Inclusion of Functionality from Untrusted Control Sphere. This vulnerability occurs in SWC (Solidity Web Compiler) and has been identified by the Open Web Application Security Project (OWASP) Testing Guide. It occurs when developers...
Weak Sources of Randomness from Chain Attributes (CWE-330) is a vulnerability that affects Smart Contracts. This vulnerability occurs when a smart contract uses weak sources of randomness such as the block number, chain ID, or timestamp to generate random numbers or other chain attributes. The weakness of the randomness source...
Write to Arbitrary Storage Location (CWE-78) is a type of vulnerability in Smart Contract that allows an attacker to write data to an arbitrary memory location. This memory location could be outside of the smart contract’s allocated memory, making it vulnerable to malicious attacks. This vulnerability is commonly found in...
Showing entries 1 to 37 of 37 entries.