The Perpetual Vault Protocol does not check for address poisoning risks, such as zero-token transfers, which could be used in rug pulls.
The PerpetualVault contract does not implement checks for address poisoning, where an attacker could send a small amount of tokens to a user's address to manipulate transaction data. This could be used in conjunction with other attacks to facilitate a rug pull.
Address poisoning could be used to manipulate transaction data, potentially leading to rug pulls or other malicious activities that result in financial losses for users.
Manual code review
Implement checks to detect and prevent address poisoning, such as monitoring for small, unexpected token transfers. Educate users about the risks of address poisoning and encourage them to verify transaction details before approving.
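One way to do the monitoring recommended above, as an added example that is not part of the submission or the PerpetualVault code: an off-chain check over decoded token `Transfer` events that flags zero-value or dust transfers linking a wallet to an address outside its known counterparties. The dust threshold, the first-and-last-four-character lookalike heuristic, and all names and addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass

DUST_THRESHOLD = 10**12  # assumed cutoff in token base units; tune per token

@dataclass(frozen=True)
class Transfer:          # one decoded token Transfer event
    sender: str
    recipient: str
    value: int           # token base units

def norm(addr):
    """Lower-case a 20-byte hex address and strip '0x'; reject anything else."""
    a = addr.lower()
    if len(a) != 42 or a[:2] != "0x" or set(a[2:]) - set("0123456789abcdef"):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return a[2:]

def lookalike_of(addr, known, edge=4):
    """Return the known address that addr imitates (same first and last
    `edge` hex characters, different middle), or None."""
    a = norm(addr)
    for k in known:
        kn = norm(k)
        if kn != a and kn[:edge] == a[:edge] and kn[-edge:] == a[-edge:]:
            return k
    return None

def flag_poisoning(transfers, wallet, known):
    """Flag zero-value or dust transfers that link `wallet` to an address
    outside its known counterparties, in either direction."""
    w, known_set, findings = norm(wallet), {norm(k) for k in known}, []
    for t in transfers:
        s, r = norm(t.sender), norm(t.recipient)
        if w not in (s, r) or t.value > DUST_THRESHOLD:
            continue  # unrelated to this wallet, or a normal-sized transfer
        other = r if s == w else s
        if other in known_set or other == w:
            continue  # known counterparty or self-transfer
        reason = "zero-value" if t.value == 0 else "dust"
        findings.append((t, reason, lookalike_of("0x" + other, known)))
    return findings

# Constructed sample data (not real addresses or transactions).
WALLET = "0x" + "11" * 20
KNOWN = "0xabcd" + "0" * 32 + "1234"
LOOKALIKE = "0xABCD" + "f" * 32 + "1234"
SAMPLE = [Transfer(WALLET, KNOWN, 5 * 10**18), Transfer(WALLET, LOOKALIKE, 0),
          Transfer(LOOKALIKE, WALLET, 1), Transfer("0x" + "22" * 20, WALLET, 10**18),
          Transfer(KNOWN, WALLET, 0)]
```

Calling `flag_poisoning(SAMPLE, WALLET, [KNOWN])` flags the second and third events and reports `KNOWN` as the address each one imitates.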
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.