Hermez

Findings · 22

1. 1 Lack of a contract existence check allows token thet High
2. 2 No incentive for bidders to vote earlier Medium
3. 3 L1 transaction spam Low
4. 4 Account creation spam Low
5. 5 Lack of access control separation is risky High
6. 6 Lack of two-step procedure for critical operations leaves them error-prone High
7. 7 Lack of a contract existence check in TimeLock leads to incorrect assumption of code execution Medium
8. 8 Insuficient Logging Low
9. 9 Lack of zero check on functions Informational
10. 10 Multiple contracts are missing inheritance Informational
11. 11 Using empty functions instead of interfaces leaves contract error-prone Informational
12. 12 Initialization functions can be front-run High
13. 13 Re-entrancy risks on TokenHez High
14. 14 ChainId usage can lead to collisions Medium
15. 15 Lack of overlow check on allocation ratio allows AuctionProtocol to be siphoned High
16. 16 Arithmetic rounding allows getMinBidBySlot to return the current bid value Low
17. 17 _checkSig allows signature re-use Medium
18. 18 changeDefaultSlotSetBid allows the closed minimum bid of an open slot to be updated Low
19. 19 cancelTransaction can be called on non-queued transaction Informational
20. 20 Contracts used as dependencies do not track upstream changes Low
21. 21 Expected behavior regarding authorization for adding tokens is unclear Informational
22. 22 Contract name duplication leaves codebase error-prone Informational

Findings extracted from the published report PDF. See the full report below for details and remediation.