Applied Tactics
sam bacha edited this page Jun 25, 2024 · 1 revision
| ID | T1001 |
|---|---|
| Title | Don't let the user deploy contracts [high-gas-cost] |
| Condition | createPair, deploy-contract by user |
| Description | Allowing users to deploy contracts with high gas costs can lead to inefficient gas usage and potential denial of service. |
| Mitigation | Implement restrictions on user-deployed contracts to manage gas costs effectively. |
| Reference | GitHub Issue |
| ID | T1002 |
|---|---|
| Title | Let users set the value limit |
| Condition | tx.gasprice, non-limit, gasleft() |
| Description | Allowing users to set their own gas limits can result in unpredictable behavior and inefficient gas usage. |
| Mitigation | Implement controls to manage user-set gas limits effectively. |
| Reference | GitHub Issue |
| ID | T1003 |
|---|---|
| Title | Improper tokenGasPrice design for small-decimal ERC20 |
| Condition | gasleft, gasFee |
| Description | Inadequate design of token gas prices for small-decimal ERC20 tokens can lead to inaccurate gas fee calculations. |
| Mitigation | Adjust the token gas price design to account for small-decimal ERC20 tokens. |
| Reference | GitHub Issue |
| ID | T1004 |
|---|---|
| Title | Fixed gas amount can be insufficient |
| Condition | `to.call{value: msg.value, gas: FIX_AMOUNT}` |
| Description | Using a fixed gas amount for external calls can be insufficient, leading to failed transactions. |
| Mitigation | Implement dynamic gas management to ensure sufficient gas for transactions. |
| Reference | GitHub Issue |
| ID | T1005 |
|---|---|
| Title | Wrong gas charge calculation |
| Condition | gasleft(), user pays gas |
| Description | Incorrect gas charge calculations can lead to users paying more gas than required. |
| Mitigation | Ensure accurate gas charge calculations to prevent overcharging users. |
| Reference | GitHub Issue |
| ID | T1006 |
|---|---|
| Title | Gas-wasting design |
| Condition | call loop and SSTORE |
| Description | Inefficient gas usage due to poor contract design, such as unnecessary loops and storage operations. |
| Mitigation | Optimize contract design to reduce gas waste. |
| Reference | GitHub Issue |
| ID | T2001 |
|---|---|
| Title | Dex withdraw handling: removeLiq > withdraw |
| Condition | withdraw, removeLiquidity |
| Description | Insufficient handling of withdrawal processes in decentralized exchanges can lead to vulnerabilities. |
| Mitigation | Implement thorough checks and processes for withdrawals to prevent vulnerabilities. |
| Reference | GitHub Issue |
| ID | T2002 |
|---|---|
| Title | Can't update a value that depends on another pending update |
| Condition | update, block.timestamp > nextXXX |
| Description | Failure to update values based on their dependencies can lead to inconsistencies and vulnerabilities. |
| Mitigation | Ensure all dependent values are updated consistently. |
| Reference | GitHub Issue |
| ID | T2003 |
|---|---|
| Title | Insufficient mapping to approve multiple tokens |
| Condition | mapping |
| Description | Inadequate mapping for multi-token approval can lead to security risks. |
| Mitigation | Implement comprehensive mapping strategies for multi-token approvals. |
| Reference | GitHub Issue |
| ID | T2004 |
|---|---|
| Title | User can't get the reward if a certain method is executed |
| Condition | shelter, MasterChef |
| Description | Users may be unable to receive rewards if certain methods are executed incorrectly. |
| Mitigation | Ensure all reward distribution methods are executed correctly and rewards are distributed appropriately. |
| Reference | GitHub Issue |
| ID | T2005 |
|---|---|
| Title | Tokens should be transferred before transferring to another contract |
| Condition | transfer → CA_1 → CA_2, buy, sell |
| Description | Tokens should be transferred to intermediate contracts before the final transfer to ensure security. |
| Mitigation | Implement secure token transfer processes involving intermediate contracts. |
| Reference | GitHub Issue |
| ID | T3001 |
|---|---|
| Title | Insufficient error handling |
| Condition | external func, try-catch |
| Description | Inadequate error handling in external functions can lead to vulnerabilities and potential loss of funds. |
| Mitigation | Implement comprehensive error handling strategies for external functions. |
| Reference | GitHub Issue |
| ID | T3002 |
|---|---|
| Title | Insufficient error handling leads to funds loss |
| Condition | if an error happens, change the variable |
| Description | Failure to handle errors properly can result in the loss of funds and contract vulnerabilities. |
| Mitigation | Ensure robust error handling mechanisms are in place to protect against fund loss. |
| Reference | GitHub Issue |
| ID | T3003 |
|---|---|
| Title | Missing revert keyword for Error |
| Condition | Error.XXX, non-revert |
| Description | Omitting the revert keyword in error handling can cause unexpected behavior and vulnerabilities. |
| Mitigation | Always include the revert keyword in error handling statements. |
| Reference | GitHub Issue |
| ID | T4001 |
|---|---|
| Title | Admin Eve can remove all admins, leading to bad governance |
| Condition | remove auth by one admin |
| Description | Allowing a single admin to remove all other admins can lead to poor governance and potential abuse of power. |
| Mitigation | Implement checks and balances to prevent any single admin from having too much control. |
| Reference | GitHub Issue |
| ID | T4002 |
|---|---|
| Title | An attacker can extend the period by setting lastTimestamp |
| Condition | lastTimestamp, access control, change rate handling |
| Description | Attackers can manipulate contract periods by changing the lastTimestamp, leading to potential abuse. |
| Mitigation | Implement strict access control and validation for period-setting operations. |
| Reference | GitHub Issue |
| ID | T4003 |
|---|---|
| Title | Anyone can |