defiHacks_via_Hardhat

1. Alchemix Access Control Bug

Any user could have called setWhitelist() to give an attacker the ability to call the harvest function or to call the flush function. While these two actions are relatively harmless, an attacker could also front-run the intended keeper addresses to block harvest() and flush() from being called, effectively causing a denial of service.

Reference - https://medium.com/immunefi/alchemix-access-control-bug-fix-debrief-a13d39b9f2e0

2. 88mph Function Initialization Bug

The init() function used to initialize the NFT contract on 88mph’s platform, was missing an onlyOwner modifier, and there was also no initializer modifier to prevent a re-initialization as well. This vulnerability would have allowed a malicious attacker to have access to any user’s NFTs and deposits via burn() and mint() functions.

Note: The blockNumber of the hardhat config is set a block where in one of the NFT was minted.

Reference - https://medium.com/immunefi/88mph-function-initialization-bug-fix-postmortem-c3a2282894d3

3. CoinstoreNFT Public Burn Bug

The burn() function present in the ERC721 standard which destroys the token and removes it from blockchain is missing proper access control. As a result, this function can be called by anyone.

Reference - https://twitter.com/BlockSecTeam/status/1543928537882714112

4. FlippazOne Missing Access Control

The ownerWithdrawAllTo() function is missing the onlyOwner modifier check. Additionally, the check of whether the auction is over is also missing. As a result, any user can call the function and drain all the funds. Be sure to check out the tweet linked below to understand more about what happend - when one of the user sent the transaction to the public mempool.

Reference - https://twitter.com/bertcmiller/status/1544496577338826752

Special Mentions

https://twitter.com/immunefi

https://twitter.com/AshiqAmien