Full Report
Immunefi has contests, similar to C4 and Sherlock. Uniquely, they publish all of their findings for people to see. I just found this and wanted to have a public record of it for my own sanity later.
Analysis Summary
The linked page acts as a central repository for multiple Immunefi "Audit Competitions" (time-bound security reviews) rather than a single vulnerability report, so the summary below indexes the aggregate of findings instead of one issue.
# Vulnerability: Multi-Protocol Security Flaws (Immunefi Audit Competitions Aggregate)
## CVE Details
- **CVE ID:** N/A (Most Web3/Smart Contract vulnerabilities are tracked by Audit IDs rather than CVEs)
- **CVSS Score:** Varies (Ranging from 4.0 to 10.0 depending on the specific competition)
- **CWE:** Commonly includes CWE-682 (Incorrect Calculation), CWE-863 (Incorrect Authorization), and CWE-667 (Improper Locking/Reentrancy).
## Affected Systems
- **Products:** Decentralized Finance (DeFi) protocols, Layer 1/Layer 2 Blockchains, and Smart Contract Libraries.
- **Versions:** Diverse; specific to codebases at the time of the "Boost" or "Attackathon."
- **Key Affected Projects:**
  - **Infrastructure:** Firedancer (Solana client), Fuel Network, Shardeum Core, Ethereum Protocol, Movement Labs.
  - **DeFi/Staking:** Alchemix V3, BadgerDAO (eBTC), Puffer Finance, Lido (Mellow Vault), Jito Restaking.
  - **Cross-Chain/Bridges:** Folks Finance (Wormhole NTT), Flare FAssets.
## Vulnerability Description
This repository contains a collection of disclosed vulnerabilities discovered during time-bound security contests. Technical flaws discovered across these audits typically involve:
1. **Logic Errors:** Flaws in accounting or state management allowing for unauthorized fund withdrawals.
2. **Oracle Manipulation:** Exploiting price feeds to borrow more assets than collateral allows.
3. **Access Control:** Missing modifiers (e.g., `onlyOwner`) allowing unprivileged users to call administrative functions.
4. **Economic Attacks:** Game-theory flaws where users can "grief" the protocol or profit at the expense of liquidity providers.
## Exploitation
- **Status:** PoC available (Most competition rewards require a functional Proof of Concept script, typically in Foundry or Hardhat).
- **Complexity:** Medium to High (Most findings require deep understanding of protocol state and EVM/SVM internals).
- **Attack Vector:** Network (External transactions to smart contracts).
## Impact
- **Confidentiality:** Low/None (Most blockchain data is public).
- **Integrity:** **High** (Direct potential for unauthorized modification of ledger balances).
- **Availability:** **High** (Potential for permanent freezing of funds or protocol bricking).
## Remediation
### Patches
- Fixes are implemented on a per-project basis. Users should refer to the individual report links (e.g., Alchemix V3, Shardeum Core) for specific commit hashes containing the fixes.
### Workarounds
- **Protocol Pausing:** Many affected protocols utilize "Circuit Breaker" or "Emergency Pause" functions to halt operations upon detection of an exploit.
- **Withdrawal Limits:** Temporary caps on outflows to mitigate damage from logic flaws.
## Detection
- **Indicators of Compromise:** Unusual spikes in "Slippage," unexpected `Transfer` events from treasury addresses, or sudden drops in Total Value Locked (TVL).
- **Detection Methods and Tools:**
  - Real-time monitoring (Forta, Tenderly).
  - Static analysis (Slither, Aderyn).
  - Formal verification of critical logic paths.
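As an added example that is not part of the original summary, a small Python detector for two of the on-chain indicators listed above: it flags `Transfer` events leaving a treasury address for a recipient outside an operator-maintained allowlist, and TVL samples that fall by more than a set percentage between consecutive observations. The event records, addresses and TVL figures are constructed, and the recipient allowlist is an assumption about how an operator would suppress expected outflows.

```python
from dataclasses import dataclass

# Constructed sample data: placeholder addresses, not real contracts.
TREASURY = "0xTREASURY_PLACEHOLDER"
PAYROLL = "0xPAYROLL_PLACEHOLDER"
UNKNOWN = "0xUNKNOWN_PLACEHOLDER"
USER = "0xUSER_PLACEHOLDER"

# Assumption: the operator keeps an allowlist of recipients that may legitimately
# receive treasury funds (payroll, vesting contracts, etc.).
ALLOWLISTED_RECIPIENTS = {PAYROLL}

@dataclass(frozen=True)
class Transfer:
    """A decoded ERC-20 Transfer event as a monitoring tool would expose it."""
    block: int
    sender: str
    recipient: str
    amount: int  # token base units

# Constructed event stream: a deposit, a scheduled payout, and an outflow to an
# address nobody expected (the indicator the summary calls out).
SAMPLE_EVENTS = [
    Transfer(100, USER, TREASURY, 5_000),
    Transfer(101, TREASURY, PAYROLL, 1_000),
    Transfer(102, TREASURY, UNKNOWN, 50_000),
]

# Constructed TVL observations (same units) sampled at the blocks above.
SAMPLE_TVL = {100: 1_000_000, 101: 999_000, 102: 700_000}

def unexpected_treasury_outflows(events, treasury, allowlist):
    """Return events where the treasury is the sender and the recipient is not allowlisted."""
    return [e for e in events if e.sender == treasury and e.recipient not in allowlist]

def tvl_drop_alerts(tvl_by_block, max_drop_pct):
    """Return (block, drop_pct) for each sample whose TVL fell more than max_drop_pct
    relative to the previous sample; a single large step is the 'sudden drop' indicator."""
    alerts = []
    blocks = sorted(tvl_by_block)
    for prev, cur in zip(blocks, blocks[1:]):
        before, after = tvl_by_block[prev], tvl_by_block[cur]
        if before > 0:
            drop = (before - after) / before * 100
            if drop > max_drop_pct:
                alerts.append((cur, round(drop, 2)))
    return alerts

if __name__ == "__main__":
    for e in unexpected_treasury_outflows(SAMPLE_EVENTS, TREASURY, ALLOWLISTED_RECIPIENTS):
        print(f"ALERT block {e.block}: treasury -> {e.recipient}, amount {e.amount}")
    for block, pct in tvl_drop_alerts(SAMPLE_TVL, max_drop_pct=10):
        print(f"ALERT block {block}: TVL fell {pct}% against the previous sample")
```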
## References
- **Report Repository:** hxxps://reports[.]immunefi[.]com/
- **Active Competitions:** hxxps://immunefi[.]com/boost/
- **Specific Project Reports:**
  - Alchemix: hxxps://reports[.]immunefi[.]com/alchemix
  - Firedancer: hxxps://reports[.]immunefi[.]com/firedancer-v0.1
  - Ethereum Attackathon: hxxps://reports[.]immunefi[.]com/ethereum-protocol-or-attackathon