[DD] Smart Contracts

Severity

Example Vulnerabilities

🔴 Critical

• Direct theft of funds or NFTs

• Permanent freezing of funds or NFTs

Severity

Example Vulnerabilities

🟠 High

• Temporary freezing of funds or NFTs

• Theft of unclaimed funds (e.g., yield, royalties)

• Permanent freezing of unclaimed funds

• Oracle Manipulation (High): Influencing on-chain price feeds or data sources.

🟡 Medium

• Theft of gas (unbounded loops, expensive operations exploitable by attackers)

• Gas limit / Out-of-Gas vulnerabilities - Poor gas handling leading to transaction failure, loss of funds, or halted functionality

• Denial of Service (DoS) - Gas exhaustion, block stuffing, or malicious state manipulation that disrupts contract availability

• No-profit attacks (Griefing) - Attacks that damage the protocol or users without financial gain for the attacker

🟢 Low

• Failure to deliver promised returns (e.g., staking pool advertises fixed APY but underperforms due to bugs or flawed logic)

• Uninitialized Storage Variables: Can lead to privilege escalation but often low-risk.

🔵 Info

• Theoretical vulnerabilities: Issues that simply point out missing checks or lack of adherence to best practices (e.g., CEI pattern) without a concrete exploit scenario are out of scope.

• Privileged roles acting maliciously: Issues that assume admin, owner, or other privileged roles will behave incorrectly or maliciously are out of scope, unless a realistic reason or scenario is provided to justify this behavior.

• Oracle manipulation or failures: Submissions involving oracles (e.g., missing timestamp checks) are not accepted unless the report demonstrates a clear and practical attack scenario showing how oracle misbehavior leads to an exploit.

• Weird Tokens: unless the protocol clearly specifies that it accepts weird tokens (low decimals, erc777) all issues regarding them are out of scope