    Solidity

    Security

    Custom ERC20 implementation exposes _transfer() as public
    Likelihood: HIGH
    Confidence: LOW
    CWE:
    - CWE-284: Improper Access Control

    Function sweepToken is allowed to be called by anyone
    Likelihood: LOW
    Confidence: MEDIUM
    CWE:
    - CWE-284: Improper Access Control

    msg.sender is not being used when calling erc20.transferFrom. Example - Alice approves this contract to spend her ERC20 tokens. Bob can call function ‘a’ and specify Alice’s address as the from parameter in transferFrom, allowing him to transfer Alice’s tokens to himself.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-285: Improper Authorization
    OWASP:
    - A01:2021 - Broken Access Control

    The code must not contain any of Unicode Direction Control Characters
    Likelihood: LOW
    Confidence: HIGH
    CWE:
    - CWE-837: Improper Enforcement of a Single, Unique Action

    ERC721 onERC721Received() reentrancy
    Likelihood: LOW
    Confidence: HIGH
    CWE:
    - CWE-841: Improper Enforcement of Behavioral Workflow

    Anyone can burn tokens of other accounts
    Likelihood: HIGH
    Confidence: LOW
    CWE:
    - CWE-284: Improper Access Control

    Oracle update is not restricted in $F()
    Likelihood: HIGH
    Confidence: MEDIUM
    CWE:
    - CWE-284: Improper Access Control

    ERC777 tokensReceived() reentrancy
    Likelihood: LOW
    Confidence: HIGH
    CWE:
    - CWE-841: Improper Enforcement of Behavioral Workflow

    Unrestricted transferOwnership
    Likelihood: HIGH
    Confidence: LOW
    CWE:
    - CWE-284: Improper Access Control

    $POOL.get_virtual_price() call on a Curve pool is not protected from the read-only reentrancy.
    Likelihood: MEDIUM
    Confidence: HIGH
    CWE:
    - CWE-841: Improper Enforcement of Behavioral Workflow

    transferFrom() can steal allowance of other accounts
    Likelihood: HIGH
    Confidence: HIGH
    CWE:
    - CWE-688: Function Call With Incorrect Variable or Reference as Argument

    Proxy declares a state var that may override a storage slot of the implementation
    Likelihood: MEDIUM
    Confidence: HIGH
    CWE:
    - CWE-787: Out-of-bounds Write

    blockhash(block.number) and blockhash(block.number + N) always return 0.
    Likelihood: LOW
    Confidence: HIGH
    CWE:
    - CWE-341: Predictable from Observable State

    Custom ERC721 implementation lacks access control checks in _transfer()
    Likelihood: HIGH
    Confidence: MEDIUM
    CWE:
    - CWE-284: Improper Access Control

    Function borrowFresh() in Compound performs state update after doTransferOut()
    Likelihood: LOW
    Confidence: HIGH
    CWE:
    - CWE-841: Improper Enforcement of Behavioral Workflow

    No slippage check in a Uniswap v2/v3 trade
    Likelihood: HIGH
    Confidence: MEDIUM
    CWE:
    - CWE-682: Incorrect Calculation

    setMultipleAllowances() is missing onlyOwner modifier
    Likelihood: HIGH
    Confidence: HIGH
    CWE:
    - CWE-284: Improper Access Control

    Contract can be destructed by anyone in $FUNC
    Likelihood: HIGH
    Confidence: LOW
    CWE:
    - CWE-284: Improper Access Control

    UniswapV3 adapter implemented incorrect extraction of path parameters
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-1285: Improper Validation of Specified Index, Position, or Offset in Input

    Price oracle can be manipulated via flashloan
    Likelihood: MEDIUM
    Confidence: LOW
    CWE:
    - CWE-682: Incorrect Calculation

    Possible arithmetic underflow
    Likelihood: MEDIUM
    Confidence: LOW
    CWE:
    - CWE-191: Integer Underflow (Wrap or Wraparound)

    An attacker may perform delegatecall() to an arbitrary address.
    Likelihood: HIGH
    Confidence: LOW
    CWE:
    - CWE-20: Improper Input Validation

    Keep3rV2.current() call has high data freshness but low security: an exploiter only needs to manipulate 2 data points to impact the feed.
    Likelihood: LOW
    Confidence: HIGH
    CWE:
    - CWE-682: Incorrect Calculation

    An attacker may perform call() to an arbitrary address with controlled calldata
    Likelihood: HIGH
    Confidence: LOW
    CWE:
    - CWE-20: Improper Input Validation

    $VAULT.getPoolTokens() call on a Balancer pool is not protected from the read-only reentrancy.
    Likelihood: MEDIUM
    Confidence: HIGH
    CWE:
    - CWE-841: Improper Enforcement of Behavioral Workflow

    Parameter “from” is checked at incorrect position in “_allowances” mapping
    Likelihood: HIGH
    Confidence: MEDIUM
    CWE:
    - CWE-688: Function Call With Incorrect Variable or Reference as Argument

    Potential signature malleability in $F
    Likelihood: MEDIUM
    Confidence: LOW
    CWE:
    - CWE-347: Improper Verification of Cryptographic Signature

    $VAR.getRate() call on a Balancer pool is not protected from the read-only reentrancy.
    Likelihood: MEDIUM
    Confidence: HIGH
    CWE:
    - CWE-841: Improper Enforcement of Behavioral Workflow

    Uniswap callback is not protected
    Likelihood: MEDIUM
    Confidence: LOW
    CWE:
    - CWE-284: Improper Access Control

    ERC677 callAfterTransfer() reentrancy
    Likelihood: MEDIUM
    Confidence: HIGH
    CWE:
    - CWE-841: Improper Enforcement of Behavioral Workflow

    $F with constant msg.value can be called multiple times
    Likelihood: MEDIUM
    Confidence: LOW
    CWE:
    - CWE-837: Improper Enforcement of a Single, Unique Action

    abi.encodePacked hash collision with variable length arguments in $F()
    Likelihood: MEDIUM
    Confidence: HIGH
    CWE:
    - CWE-20: Improper Input Validation

    A specially crafted calldata may be used to impersonate other accounts
    Likelihood: HIGH
    Confidence: HIGH
    CWE:
    - CWE-20: Improper Input Validation

    Oracle price data can be submitted by anyone
    Likelihood: HIGH
    Confidence: LOW
    CWE:
    - CWE-284: Improper Access Control
