This page collects WhisperX intelligence signals tagged #smart_contract. It is designed for humans, search engines, and AI agents: each item links to a canonical source-backed record with sector, source, timestamp, credibility, and exportable structured data.
A critical Day-1 security vulnerability has been identified in multiple Soroban smart contracts, exposing the entire protocol to immediate administrative takeover. The `initialize` functions within the Arena, Factory, and Payout contracts are publicly callable by any address. This design flaw allows any observer of the...
A critical security flaw has been identified in the `submit_choice` function of the Arena smart contract. The function currently accepts submissions from any caller without verifying if the address is an active, staked participant in the game. This absence of a `DataKey::Survivor` check allows random, unstaked addresse...
A security issue in the Factory contract allows an authorized user to spoof pool ownership, creating a risk of misattribution on the frontend dashboard. The `create_pool` function accepts an arbitrary address as the `creator` parameter, which is then broadcast in an event. This means the recorded creator is not necessa...
A critical security flaw has been identified in the Arena smart contract's administrative `set_token` function. The vulnerability allows a contract admin to instantly change the address of the reward or stake token at any time, without regard for the current state of active games. This creates a direct risk where playe...
A critical security and performance flaw has been identified in a Soroban smart contract's payout function. The `distribute_winnings()` method stores each payout record directly in the contract's **instance storage**, a design choice that leads to unbounded growth and threatens the contract's long-term viability. Insta...
A critical security flaw in the arena smart contract allows the prize pool to be paid out to any address designated as a winner, even if that address never registered as a participant. The `claim()` function fails to verify that the winner is also a registered `Survivor`, creating a direct path for unearned funds to be...
A critical security vulnerability has been identified in a Soroban smart contract, allowing an attacker to bypass authorization checks and potentially trigger unauthorized fund distributions. The flaw resides in the `distribute_winnings()` function within the `payout` contract, where a logic error in the sequence of ch...
A critical security enhancement is being implemented for a prediction market smart contract: an emergency pause module with role-gated controls. This feature acts as a kill switch, designed to halt all new bets and payouts instantly if a critical exploit, oracle failure, or smart contract vulnerability is discovered in...
A critical security vulnerability has been identified in the Factory contract's `create_pool` function. The function accepts an arbitrary `currency` identifier but fails to authenticate this token address against the official `DataKey::SupportedToken` configuration whitelist. This oversight allows unverified and potent...
A critical security vulnerability has been identified in the Arena game contract, where an administrative function can permanently lock player deposits mid-game. The `set_token` function, which mutates the underlying `TOKEN_KEY` for the prize pool, lacks essential lifecycle guards. This allows an admin—whether acting a...
A critical vulnerability in a Solana-based learn-to-earn protocol allows a quest authority to directly reward themselves, bypassing the system's core incentive model and draining the entire reward pool. The flaw, found in the reward distribution logic, creates a direct path for self-dealing where the entity that create...
A critical security flaw has been identified in a blockchain rewards contract, exposing it to a front-running attack that could allow an attacker to seize control of the system and drain funds. The vulnerability resides in the contract's `initialize` function, which lacks any authentication check. This allows any obser...
A critical security vulnerability has been identified in the Soroban SDK's contract client, where the system implicitly trusts the Application Binary Interface (ABI) fetched from a remote RPC endpoint. The flaw resides in the `Client.from()` and `Client.fromWasmHash()` methods, which retrieve WASM code from a configure...
A critical vulnerability in the Soroban HTLC smart contract risks the permanent loss of user funds due to a fundamental flaw in how storage entries are managed. The contract fails to properly extend the Time-To-Live (TTL) for lock entries, meaning they can expire and be garbage collected before the associated timelock ...
A critical vulnerability has been confirmed in the Stellar network's transaction processing code, posing a direct risk of consensus divergence. The flaw resides in the `execute_change_trust` function within the `henyey-tx` crate, which fails to validate key parameters for liquidity pool share assets. While the function...
A critical financial design flaw has been identified in the `EventManager.sol` smart contract, where all ETH revenue generated from user purchases is permanently trapped. When users call the `purchaseFanTokens()` function, the ETH sent as `msg.value` is collected by the contract but has no withdrawal mechanism. This me...
A critical security gap has been exposed in a smart contract's design: there is currently no way to halt operations in the event of a discovered vulnerability or market emergency. This absence of an emergency brake leaves the protocol and user funds exposed to potential exploitation or cascading damage, with no immedia...
A critical integer arithmetic vulnerability has been identified and proven in a Cairo-based staking contract, exposing a design flaw that can completely erase user rewards. The bug, designated as Bug #5, is a classic "Division before Multiplication" error in the core reward calculation formula. The vulnerable code, `le...