Author: nick
-
An unverified contract lost $4k
I think the root cause is an improper check of calldata in the “uniswapV2Call” function. It needs to check the first parameter, the sender address, but it didn’t. A hacker could call this callback function by calling the “swap” function.
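The missing sender check, shown in a hardened callback. This is an added example and not the affected contract's code, which is unverified; the contract name `FlashSwapReceiver`, the `start` function, the `owner` and `factory` fields and the repayment helper are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 { function transfer(address to, uint256 value) external returns (bool); }
interface IUniswapV2Factory { function getPair(address a, address b) external view returns (address); }
interface IUniswapV2Pair {
    function token0() external view returns (address);
    function token1() external view returns (address);
    function swap(uint256 out0, uint256 out1, address to, bytes calldata data) external;
}

// Hypothetical receiver contract, constructed for illustration.
contract FlashSwapReceiver {
    address public immutable factory; // assumed: the trusted Uniswap V2 factory
    address public immutable owner;

    constructor(address factory_) { factory = factory_; owner = msg.sender; }

    // Only the owner starts a flash swap; non-empty data makes the pair call back.
    function start(address pair, uint256 out0, uint256 out1) external {
        require(msg.sender == owner, "not owner");
        IUniswapV2Pair(pair).swap(out0, out1, address(this), hex"01");
    }

    // Called by a pair during swap() when the data argument is non-empty.
    function uniswapV2Call(address sender, uint256 amount0, uint256 amount1, bytes calldata) external {
        // Check 1: msg.sender must be the pair the trusted factory created for
        // its own token0/token1; any other contract fails this lookup.
        address token0 = IUniswapV2Pair(msg.sender).token0();
        address token1 = IUniswapV2Pair(msg.sender).token1();
        require(msg.sender == IUniswapV2Factory(factory).getPair(token0, token1), "not a factory pair");
        // Check 2: the first parameter is whoever called swap() on the pair. Anyone can
        // call swap() with `to` set to this contract, so it must be this contract itself.
        require(sender == address(this), "swap not initiated by this contract");
        // The borrowed tokens are usable here; repay each amount plus the 0.3% fee.
        _repay(token0, amount0);
        _repay(token1, amount1);
    }

    function _repay(address token, uint256 borrowed) private {
        if (borrowed == 0) return;
        uint256 owed = (borrowed * 1000) / 997 + 1; // fee included, rounded up
        require(IERC20(token).transfer(msg.sender, owed), "repayment failed");
    }
}
```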
-
SPythia lost 21 ETH
Anyone who holds SPythia tokens can call the “claimRewards” function without any locking period. A hacker could call the “claimRewards” function several times by moving tokens from one account to another. The reward amount should be calculated using the locked period.