
Demo Report

8 findings · Demo

Overall risk: Critical
Score: 100/100
Critical · line 1 · PRIVATE_KEY = "0x1111111111111111111111111111111111111111111111111111111111111111
    1  const PRIVATE_KEY = "0x1111111111111111111111111111111111111111111111111111111111111111";
An environment-style private key assignment was detected directly in source.
Fix: Remove the key, rotate the wallet immediately, and load secrets from a vault or untracked .env file.

Critical · line 1 · 0x1111111111111111111111111111111111111111111111111111111111111111
    1  const PRIVATE_KEY = "0x1111111111111111111111111111111111111111111111111111111111111111";
A 64-character hex string was found. This may be a private key, or it may be a transaction/block hash.
Fix: Confirm what the value represents. If it is a key, remove it and rotate. If it is a hash, label it clearly.

Critical · line 5 · victimAddress
    5  async function claimAirdrop(victimAddress, token, attacker) {
This destination-related name appears near asset-moving logic and should be reviewed.
Fix: Verify the destination is user-controlled and the asset-moving call is intentional.

Critical · line 7 · victimAddress
    7    const allowance = await token.allowance(victimAddress, attacker);
This destination-related name appears near asset-moving logic and should be reviewed.
Fix: Verify the destination is user-controlled and the asset-moving call is intentional.

Critical · line 9 · victimAddress
    9    await token.transferFrom(victimAddress, DESTINATION_ADDRESS, allowance);
This destination-related name appears near asset-moving logic and should be reviewed.
Fix: Verify the destination is user-controlled and the asset-moving call is intentional.

Critical · line 9 · transferFrom(
    9    await token.transferFrom(victimAddress, DESTINATION_ADDRESS, allowance);
`transferFrom` can move tokens out of another wallet once approval exists.
Fix: Validate source, spender authorization, and amount.

Critical · line 15 · setApprovalForAll(
   15    await nft.setApprovalForAll(operator, true);
`setApprovalForAll` gives an operator control over every NFT in a collection.
Fix: Avoid collection-wide approvals; approve a single token id when possible.

Medium · line 3 · 0x2222222222222222222222222222222222222222
    3  const DESTINATION_ADDRESS = "0x2222222222222222222222222222222222222222";
A hardcoded EVM address was detected and may hide a fund destination.
Fix: Label addresses clearly; move configuration to environment variables.