Wormhole is a generic message passing protocol that connects to multiple chains including Ethereum, Solana, Terra, Binance Smart Chain, Polygon, Avalanche and Oasis.
Reentrancy in ERC1967Upgrade._upgradeToAndCallSecure(address,bytes,bool) (#496-524):
External calls:
- Address.functionDelegateCall(newImplementation,data) (#506)
- Address.functionDelegateCall(newImplementation,abi.encodeWithSignature(upgradeTo(address),oldImplementation)) (#514-517)
Event emitted after the call(s):
- Upgraded(newImplementation) (#472)
- _upgradeTo(newImplementation) (#522)
Apply the check-effects-interactions pattern.
Different versions of Solidity is used:
- Version used: ['^0.8.0', '^0.8.2']
- ^0.8.0 (#6)
- ^0.8.0 (#93)
- ^0.8.0 (#313)
- ^0.8.0 (#402)
- ^0.8.2 (#421)
- ^0.8.0 (#617)
- ^0.8.0 (#681)
Use one Solidity version.
StorageSlot.getAddressSlot(bytes32) (#54-58) uses assembly
- INLINE ASM (#55-57)
StorageSlot.getBooleanSlot(bytes32) (#63-67) uses assembly
- INLINE ASM (#64-66)
StorageSlot.getBytes32Slot(bytes32) (#72-76) uses assembly
- INLINE ASM (#73-75)
StorageSlot.getUint256Slot(bytes32) (#81-85) uses assembly
- INLINE ASM (#82-84)
Address.isContract(address) (#116-126) uses assembly
- INLINE ASM (#122-124)
Address.verifyCallResult(bool,bytes,string) (#285-305) uses assembly
- INLINE ASM (#297-300)
Proxy._delegate(address) (#331-354) uses assembly
- INLINE ASM (#332-353)
Do not use EVM assembly.
ERC1967Upgrade._upgradeToAndCall(address,bytes,bool) (#480-489) ignores return value by Address.functionDelegateCall(newImplementation,data) (#487)
ERC1967Upgrade._upgradeToAndCallSecure(address,bytes,bool) (#496-524) ignores return value by Address.functionDelegateCall(newImplementation,data) (#506)
ERC1967Upgrade._upgradeToAndCallSecure(address,bytes,bool) (#496-524) ignores return value by Address.functionDelegateCall(newImplementation,abi.encodeWithSignature(upgradeTo(address),oldImplementation)) (#514-517)
ERC1967Upgrade._upgradeBeaconToAndCall(address,bytes,bool) (#599-609) ignores return value by Address.functionDelegateCall(IBeacon(newBeacon).implementation(),data) (#607)
Ensure that all the return values of the function calls are used.
Address.functionCall(address,bytes) (#169-171) is never used and should be removed
Address.functionCall(address,bytes,string) (#179-185) is never used and should be removed
Address.functionCallWithValue(address,bytes,uint256) (#198-204) is never used and should be removed
Address.functionCallWithValue(address,bytes,uint256,string) (#212-223) is never used and should be removed
Address.functionStaticCall(address,bytes) (#231-233) is never used and should be removed
Address.functionStaticCall(address,bytes,string) (#241-250) is never used and should be removed
Address.sendValue(address,uint256) (#144-149) is never used and should be removed
BeaconProxy._beacon() (#650-652) is never used and should be removed
BeaconProxy._setBeacon(address,bytes) (#671-673) is never used and should be removed
ERC1967Upgrade._changeAdmin(address) (#558-561) is never used and should be removed
ERC1967Upgrade._getAdmin() (#541-543) is never used and should be removed
ERC1967Upgrade._getImplementation() (#453-455) is never used and should be removed
ERC1967Upgrade._setAdmin(address) (#548-551) is never used and should be removed
ERC1967Upgrade._setImplementation(address) (#460-463) is never used and should be removed
ERC1967Upgrade._upgradeTo(address) (#470-473) is never used and should be removed
ERC1967Upgrade._upgradeToAndCall(address,bytes,bool) (#480-489) is never used and should be removed
ERC1967Upgrade._upgradeToAndCallSecure(address,bytes,bool) (#496-524) is never used and should be removed
Proxy._implementation() (#360) is never used and should be removed
StorageSlot.getBooleanSlot(bytes32) (#63-67) is never used and should be removed
StorageSlot.getBytes32Slot(bytes32) (#72-76) is never used and should be removed
StorageSlot.getUint256Slot(bytes32) (#81-85) is never used and should be removed
Remove unused functions.
Pragma version^0.8.0 (#6) allows old versions
Pragma version^0.8.0 (#93) allows old versions
Pragma version^0.8.0 (#313) allows old versions
Pragma version^0.8.0 (#402) allows old versions
Pragma version^0.8.2 (#421) allows old versions
Pragma version^0.8.0 (#617) allows old versions
Pragma version^0.8.0 (#681) allows old versions
Deploy with any of the following Solidity versions: 0.5.16 - 0.5.17, 0.6.11 - 0.6.12, 0.7.5 - 0.7.6. Use a simple pragma version that allows any of these versions. Consider using the latest version of Solidity for testing.
Low level call in Address.sendValue(address,uint256) (#144-149):
- (success) = recipient.call{value: amount}() (#147)
Low level call in Address.functionCallWithValue(address,bytes,uint256,string) (#212-223):
- (success,returndata) = target.call{value: value}(data) (#221)
Low level call in Address.functionStaticCall(address,bytes,string) (#241-250):
- (success,returndata) = target.staticcall(data) (#248)
Low level call in Address.functionDelegateCall(address,bytes,string) (#268-277):
- (success,returndata) = target.delegatecall(data) (#275)
Avoid low-level calls. Check the call success. If the call is meant for a contract, check for code existence.
Unable to find audit link on the website
Unable to find whitepaper link on the website
Unable to find YouTube account