Audit-365 is a challenge for me where I will be posting educational content related to Smart contract auditing and web3 security throughout the 365 days of the year starting from 1st January, 2023 to 31st December, 2023. It will be full of actual content without any fillers.
Unfortunately, I had to discontinue the challenge due to health issues and other priorities. I successfully continued for around 60 days, but had to stop due to other commitments at that point in time. I hope to return soon with even more awesome ideas.
Day | Findings | Severity | Category | Thread Links |
---|---|---|---|---|
01 | User's Orders can be canceled by anyone and their ETH can be stolen | High | Audit Findings | Link |
02 | Double transfer in the transferAndCall function. | High | Audit Findings | Link |
03 | Unchecked Return Value from "ecrecover" | Critical | BugFix Reports | Link |
04 | EIP-712 signatures can be re-used | Medium | Audit Findings | Link |
05 | Use safeCast for changing types | Medium | Audit Findings | Link |
06 | BLOCK_PERIOD IS INCORRECT | Medium | Audit Findings | Link |
07 | Insufficient validation of Chainlink Oracle data feed | Medium | Audit Findings | Link |
08 | 88mph Function Initialization Bug (Reward $42,069) | Critical | BugFix Report | Link |
09 | 700+ Smart contract Bugs, $1 Million Bug Payout, Trust’s Interview, and more | - | Weekly Newsletter | Link |
10 | Sandwich attack due to hardcoded slippage | High | Audit Findings | Link |
11 | Initialize function can be invoked multiple times. | Medium | Audit Findings | Link |
12 | A Typo leading to locking of Funds | High | Audit Findings | Link |
13 | Centralisation Risk: Owner Of RoyaltyVault Can Take All Funds | High | Audit Findings | Link |
14 | Call Return is executed before 'require' check. | High | Audit Findings | Link |
15 | Reentrancy Vulnerability due to violation of the CEI Pattern. | Critical | Real-life Exploits | Link |
16 | Zero-Knowledge: A-Z, Web3 Security Tools Lists, Bug Bounty, Defcon CTF, etc | - | Weekly Newsletter | Link |
17 | Lack of access control in the parameterize function of proposal contracts | Medium | Audit Findings | Link |
18 | Reentrancy Guard Lacking in mint function. | Medium | Audit Findings | Link |
19 | Lender can change NFT valuation oracle without borrower permission | High | Audit Findings | Link |
20 | Incorrect airdrop calculation | Critical | Real-life Exploits | Link |
21 | Tokens with more than 18 decimal points will cause issues | Medium | Audit Findings | Link |
22 | Cannot unpause exchange | Medium | Audit Findings | Link |
23 | Zcash Hash Collision, Reversing The EVM, Ice Phishing Attacks and many more. | - | Weekly Newsletter | Link |
24 | Usage of deprecated ChainLink API | Medium | Audit Findings | Link |
25 | Lack of Access control over burn function | Critical | Real-life Exploits | Link |
26 | Bad Source of Randomness | Critical | Real-life Exploits | Link |
27 | Arbitrary Token Burn | High | Audit Findings | Link |
28 | Users can get unlimited Votes | High | Audit Findings | Link |
29 | Incorrect number of seconds in ONE_YEAR variable | Medium | Audit Findings | Link |
30 | Unnecessary precision loss in _recipientBalance() | Medium | Audit Findings | Link |
31 | Reward Manager of the Convex Base Reward Pool Can DoS processYield() | Medium | Audit Findings | Link |
32 | Low-level transfer via call() can fail silently | Medium | Audit Findings | Link |
33 | ERC20 bridging functions do not revert on non-zero msg.value | Medium | Audit Findings | Link |
34 | User can escape from paying fees. | Medium | Audit Findings | Link |
35 | The noContract modifier does not work as expected. | Medium | Audit Findings | Link |
36 | Sandwich attacks are possible as there is no slippage control | Medium | Audit Findings | Link |
37 | No checked success for Oracle | High | Audit Findings | Link |
38 | HolyPaladinToken.sol uses ERC20 token with a highly unsafe pattern | Medium | Audit Findings | Link |
39 | Initialize function can be front-run | Medium | Audit Findings | Link |
40 | No upper limit for selling fees (Exit Scam) | High | Real-life Exploits | Link |
41 | Division before multiplication | Medium | Audit Findings | Link |
42 | User specified slippage allows frontrunning | Medium | Audit Findings | Link |
43 | Protocol pays swap fees instead of users. | Medium | Audit Findings | Link |
44 | call() should be used instead of transfer() on an address payable | Medium | Audit Findings | Link |
45 | Dust amounts can cause payments to fail, leading to default | Medium | Audit Findings | Link |
46 | Votes can be amplified due to insufficient checks | Medium | Audit Findings | Link |
47 | Anyone can spend on behalf of roller periphery | High | Audit Findings | Link |
48 | Lack of Access control on Minting tokens. | Critical | Exploit Findings | Link |
49 | Bad Source of Randomness leading to break contract | High | Exploit Findings | Link |
50 | Incorrect Validation leading to a DOS attack | Medium | Audit Findings | Link |
51 | Pool Manager can front-run fees to 100% | Medium | Audit Findings | Link |
52 | Precision loss due to division before multiplication | Medium | Audit Findings | Link |
53 | NFT to be frozen in a contract that does not support ERC721 | Medium | Audit Findings | Link |
54 | Lack of sanity check for stoptime | Medium | Audit Findings | Link |
55 | approve can fail for some tokens | Medium | Audit Findings | Link |
56 | User specified input allows frontrunning | High | Audit Findings | Link |
57 | Lack of Access Control | Critical | Audit Findings | Link |
58 | Incorrect Validation in transferLPs lead to a DOS attack | Medium | Audit Findings | Link |
59 | Wrong deduction of fees | High | Audit Findings | Link |
60 | Arbitrary transactions possible due to insufficient | High | Audit Findings | Link |