Thrum Detector Reference

This page enumerates detector IDs and their descriptions. Every detector on our list supports direct fragment navigation, e.g., #D007. When you run a Thrum scan, you are getting access to every single one of these detectors. We've also built a proprietary model to selectively run detectors based on your unique repo so that you can get your scan back with speed, accuracy, completeness, and relevance.

Category legend

Abbrev.	Category
`AC`	access control
`UPG`	upgrades/proxies
`MATH`	numeric/precision
`CALL`	external calls/callbacks
`ORCL`	oracles/MEV
`TOK`	token standards
`DEFI`	DeFi math/economics
`XCH`	cross-chain
`AA`	account abstraction
`EVM`	new EVM/compiler surfaces
`UNI4`	Uniswap v4 hooks
`GEN`	general logic/DoS
`L2`	L2/rollup-specific surfaces
`WLT`	wallet standards/delegation
`STORE`	storage namespace/layout
`REST`	restaking/LST/validator ops
`ZK`	zero-knowledge/verifier
`MRK`	Merkle/claim trees

Detectors

Query by thrum.sh/docs/detectors#XXXX, where XXXX is the UID.

D001

Category: AC
Description: Missing or incorrect access control on privileged functions (owner/role checks).

D002

Category: AC
Description: Role-admin misuse (DEFAULT ADMIN ROLE can grant/revoke itself without delay).

D003

Category: AC
Description: Privilege escalation via role renouncement or role reconfiguration.

D004

Category: AC
Description: Unprotected initialization/initializer front-run (initialize() callable by anyone).

D005

Category: AC
Description: Reinitialization vulnerability (reinitializer callable multiple times).

D006

Category: AC
Description: Two-step ownership transfer missing (no acceptOwnership pattern).

D007

Category: AC
Description: Authorization via tx.origin (phishing/contract-call bypass).

D008

Category: AC
Description: EOA-only checks via EXTCODESIZE==0 (bypassable; breaks with delegation).

D009

Category: AC
Description: Incomplete access control on emergency functions (pause/unpause/rescue/skim).

D010

Category: AC
Description: Unbounded admin power without timelock/delay window (risk posture flag).

D011

Category: AC
Description: Inconsistent access control across overloaded functions (e.g., setX vs setX(uint)).

D012

Category: AC
Description: Modifier order bug (auth after state change/external call).

D013

Category: AC
Description: Delegatecall-based auth bypass (msg.sender semantics confusion).

D014

Category: AC
Description: Signature-based auth replay (missing nonce/domain separation).

D015

Category: AC
Description: EIP-1271 signature validation misuse (accepts invalid contract signature).

D016

Category: AC
Description: Permit misuse (EIP-2612/permit2 allowance escalation).

D017

Category: AC
Description: Misconfigured multisig threshold/owners set (single-owner disguised multisig).

D018

Category: AC
Description: Critical parameter setters lack bounds (fee, LTV, oracle staleness, limits).

D019

Category: AC
Description: Governance action can reduce timelock delay below safe minimum.

D020

Category: AC
Description: Upgrade admin and protocol admin conflation (same key controls logic and funds).

D021

Category: UPG
Description: Transparent/UUPS proxy pattern mis-detection (false immutability).

D022

Category: UPG
Description: Proxy admin slot collision/incorrect EIP-1967 slot usage.

D023

Category: UPG
Description: UUPS upgradeTo/upgradeToAndCall missing onlyProxy/proxiableUUID checks.

D024

Category: UPG
Description: Upgradeable implementation exposes initialize() after deployment (uninitialized impl).

D025

Category: UPG
Description: Initializer does not call parent initializers (partial init -> privilege bugs).

D026

Category: UPG
Description: Storage layout collision across upgrades (struct packing/inherited state reorder).

D027

Category: UPG
Description: Storage gap mismanagement (incorrect gap sizing).

D028

Category: UPG
Description: Delegatecall to untrusted implementation (implementation pointer mutable by attacker).

D029

Category: UPG
Description: Beacon proxy: beacon upgrade auth missing/beacon address changeable.

D030

Category: UPG
Description: Diamond selector collision across facets (EIP-2535).

D031

Category: UPG
Description: Diamond function shadowing/selector overwrite introduced by diamondCut plan.

D032

Category: UPG
Description: DiamondCut access control weakness (diamondCut callable by non-admin).

D033

Category: UPG
Description: Diamond init delegatecall hazard (init can be swapped/re-run/reenter).

D034

Category: UPG
Description: Diamond loupe inconsistency (facet mapping incomplete -> monitoring blind spots).

D035

Category: UPG
Description: Metamorphic CREATE2 upgrade trick reliance (incompatible with post-6780 semantics).

D036

Category: UPG
Description: Upgrade introduces new external call edge (call graph diff risk).

D037

Category: UPG
Description: Upgrade introduces new privileged function (ABI surface diff risk).

D038

Category: UPG
Description: Upgrade removes safety check/invariant (semantic regression).

D039

Category: UPG
Description: Upgradeable ERC-20/4626: decimals/asset changes across upgrade (economic break).

D040

Category: UPG
Description: Storage type-change across upgrades (e.g., uint->address) even if slot preserved.

D041

Category: UPG
Description: Proxy selfdestruct/kill-switch reachable (fund lock/bricking risk).

D042

Category: UPG
Description: Admin key can bypass pause or circuit breaker (guardrail bypass risk).

D043

Category: UPG
Description: Initialization parameter injection via upgradeToAndCall (unsafe init calldata parsing).

D044

Category: UPG
Description: Differential upgrade regression (diff fuzz) between old/new implementations.

D045

Category: UPG
Description: Hidden proxy detection in unverified bytecode (proxy collision/shadow proxy).

D046

Category: MATH
Description: Integer overflow/underflow in unchecked blocks (semantic bug).

D047

Category: MATH
Description: Signed/unsigned cast truncation (int256->uint256) leading to negative bypass.

D048

Category: MATH
Description: Downcast truncation (uint256->uint128/uint64) losing high bits.

D049

Category: MATH
Description: Precision loss in division before multiplication (a/bc) vs (a*c/b).

D050

Category: MATH
Description: Rounding direction bug (ceil vs floor) in share/asset conversions.

D051

Category: MATH
Description: Unchecked return of SafeCast/custom cast helpers (silent wrap).

D052

Category: MATH
Description: Fixed-point scaling mismatch (1e18 vs 1e27 vs token decimals).

D053

Category: MATH
Description: Fee computation overflow (feeRate * amount) before division.

D054

Category: MATH
Description: Interest accrual overflow/exponentiation blowup.

D055

Category: MATH
Description: TWAP accumulator overflow/uint32 timestamp wrap misuse.

D056

Category: MATH
Description: Double-counting in cumulative indices (integral updated twice per block).

D057

Category: MATH
Description: Division by zero on supply/totalAssets/totalSupply edge cases.

D058

Category: MATH
Description: Slippage checks missing or inverted (minOut/maxIn misuse).

D059

Category: MATH
Description: Precision mismatch in sqrt/exp/log approximations (AMM math).

D060

Category: MATH
Description: Overflow/underflow in bitwise packing/unpacking of state (e.g., ticks).

D061

Category: CALL
Description: Reentrancy: state update after external call (classic checks-effects-interactions violation).

D062

Category: CALL
Description: Cross-function reentrancy (reenter via different entrypoint).

D063

Category: CALL
Description: Read-only reentrancy (view reentrancy affecting price/oracle/limits).

D064

Category: CALL
Description: Reentrancy via ERC-777/token hooks (tokensReceived).

D065

Category: CALL
Description: Reentrancy via ERC-721 receiver hooks (onERC721Received).

D066

Category: CALL
Description: Reentrancy via fallback/receive function on ETH transfer.

D067

Category: CALL
Description: Reentrancy via delegatecall into attacker-controlled code.

D068

Category: CALL
Description: Missing reentrancy guard on multicall/batch execution entrypoint.

D069

Category: CALL
Description: Reentrancy guard incorrectly scoped (nonReentrant on internal, bypass via external).

D070

Category: CALL
Description: Reentrancy guard cleared too early (before function end).

D071

Category: CALL
Description: Unchecked low-level call success (call/delegatecall/staticcall).

D072

Category: CALL
Description: Unchecked external call return value for ERC-20 transfers (non-standard tokens).

D073

Category: CALL
Description: External call in loop (n untrusted callees -> gas griefing/reentrancy).

D074

Category: CALL
Description: Callback origin not validated (hook/callback callable by anyone).

D075

Category: CALL
Description: Cross-contract invariants broken by external call between reads/writes.

D076

Category: ORCL
Description: Price oracle manipulation (spot price used; no TWAP).

D077

Category: ORCL
Description: Oracle source centralization (single feed; admin updatable without delay).

D078

Category: ORCL
Description: Oracle stale price usage (heartbeat/updatedAt not checked).

D079

Category: ORCL
Description: Oracle decimal mismatch (feed decimals vs token decimals).

D080

Category: ORCL
Description: Chainlink-like aggregator answeredInRound misuse (stale round).

D081

Category: ORCL
Description: Uniswap v2/v3 TWAP misuse (observation cardinality/period too short).

D082

Category: ORCL
Description: AMM price used during same block as swap (sandwichable).

D083

Category: ORCL
Description: Front-running vulnerability in commit-less auctions/order submissions.

D084

Category: ORCL
Description: Sandwich attack susceptibility due to missing slippage bounds.

D085

Category: ORCL
Description: Block timestamp dependence in price selection (timestamp manipulation).

D086

Category: ORCL
Description: Miner/validator extractable liquidation path (liquidation bonus exploit).

D087

Category: ORCL
Description: Flash-loan aided oracle manipulation (single-tx pump and dump).

D088

Category: ORCL
Description: Cross-chain oracle message finality not validated (optimistic relay abuse).

D089

Category: ORCL
Description: Price circuit breaker missing (oracle jump not bounded).

D090

Category: ORCL
Description: Min-out computed from stale oracle but executed against AMM (mismatch exploit).

D091

Category: TOK
Description: ERC-20 transfer/transferFrom return value not checked (non-standard tokens).

D092

Category: TOK
Description: ERC-20 approve race condition (IERC20 approve front-running).

D093

Category: TOK
Description: Permit (EIP-2612) domain separator misuse (chainId replay/forks).

D094

Category: TOK
Description: Permit nonce reuse (replay)/missing deadline checks.

D095

Category: TOK
Description: Permit2 integration misconfiguration (unbounded allowance/expiration).

D096

Category: TOK
Description: ERC-777 hooks incompatibility (reentrancy/denial via hook revert).

D097

Category: TOK
Description: Fee-on-transfer/deflationary token incompatibility (amount received != amount sent).

D098

Category: TOK
Description: Rebasing token incompatibility (balance changes break accounting).

D099

Category: TOK
Description: ERC-4626 share inflation/donation attack surface (totalAssets manipulation).

D100

Category: TOK
Description: ERC-4626 rounding edge cases (preview vs actual mismatch).

D101

Category: TOK
Description: ERC-4626 totalAssets reported incorrectly (includes/excludes fees).

D102

Category: TOK
Description: ERC-3156 flash loan callback origin not validated.

D103

Category: TOK
Description: ERC-721 safeMint/transferToReceiver reentrancy via onERC721Received.

D104

Category: TOK
Description: ERC-721 approval logic error (operator approvals overly broad).

D105

Category: TOK
Description: ERC-1155 batch transfer receiver hook misuse and reentrancy.

D106

Category: TOK
Description: EIP-712 typed data hash mismatch (struct encoding bug).

D107

Category: TOK
Description: EIP-1271 signature validation accepts arbitrary magic value.

D108

Category: TOK
Description: EIP-3009 transferWithAuthorization replay (nonce/validAfter/validBefore).

D109

Category: TOK
Description: ERC-20 decimals assumption hardcoded (must not assume 18).

D110

Category: TOK
Description: Unsafe token rescue function can drain user funds (sweep transfers all).

D111

Category: DEFI
Description: AMM invariant violation: k not preserved due to rounding or fee bug.

D112

Category: DEFI
Description: AMM fee accounting mismatch (fees not applied consistently).

D113

Category: DEFI
Description: AMM lp share minting uses wrong reserve snapshot (front-runnable).

D114

Category: DEFI
Description: AMM sync()/skim() misuse enabling reserve manipulation.

D115

Category: DEFI
Description: Tick math overflow/underflow in concentrated liquidity (sqrtPriceX96).

D116

Category: DEFI
Description: Liquidity position accounting double-count/missing update in burn/mint.

D117

Category: DEFI
Description: Lending market collateral factor/LTV setter lacks bounds.

D118

Category: DEFI
Description: Lending: liquidation calculation uses stale index (over/under-liquidation).

D119

Category: DEFI
Description: Lending: repay can underflow debt due to rounding.

D120

Category: DEFI
Description: Lending: interest accrual not called on state-changing paths (stale debt).

D121

Category: DEFI
Description: Lending: borrow allowed when market paused (pause bypass).

D122

Category: DEFI
Description: Vault: deposit/withdraw uses incorrect asset decimals scaling.

D123

Category: DEFI
Description: Vault: donation/inflation attack (pre-mint shares then donate assets).

D124

Category: DEFI
Description: Vault: totalAssets includes pending rewards incorrectly (double count).

D125

Category: DEFI
Description: Vault: share price manipulation via flash loan + donation.

D126

Category: DEFI
Description: Staking rewards: per-user integral update order bug (steal rewards).

D127

Category: DEFI
Description: Staking rewards: missing checkpoint on transfer (reward theft).

D128

Category: DEFI
Description: Fee module: fee recipient can be set to zero or attacker.

D129

Category: DEFI
Description: Fee module: fee-on-fee compounding bug (fee charged on already-fee’d value).

D130

Category: DEFI
Description: Options/derivatives: settlement uses manipulable oracle at expiry.

D131

Category: DEFI
Description: Options: exercise/withdraw ordering bug (withdraw before settle).

D132

Category: DEFI
Description: Perp funding: funding rate sign bug (pays wrong side).

D133

Category: DEFI
Description: Stablecoin peg: redemption rounding bug drains collateral.

D134

Category: DEFI
Description: Aggregator routers: arbitrary external call/swap data injection risk.

D135

Category: DEFI
Description: Fee distribution: division remainder accumulates to attacker address.

D136

Category: XCH
Description: Bridge message replay (nonce/domain not enforced).

D137

Category: XCH
Description: Bridge message origin not authenticated (anyone can call receiveMessage).

D138

Category: XCH
Description: Bridge finality assumption wrong (accepts optimistic message without challenge window).

D139

Category: XCH
Description: Bridge multisig signer-set update insecure (threshold lowered/signer added).

D140

Category: XCH
Description: Bridge rate limits missing (infinite mint per time window).

D141

Category: XCH
Description: Bridge guardian pause bypass (pause not checked on receive).

D142

Category: XCH
Description: Cross-chain token decimals mismatch (mint wrong amount).

D143

Category: XCH
Description: Cross-chain fee calculation mismatch leading to underpayment/DoS.

D144

Category: XCH
Description: Cross-domain reentrancy via message callback into protocol.

D145

Category: XCH
Description: Bridge refund logic exploitable (double refund/refund to attacker).

D146

Category: AA
Description: ERC-4337 validateUserOp missing signature check (auth bypass).

D147

Category: AA
Description: ERC-4337 nonce management bug (replay across bundles).

D148

Category: AA
Description: ERC-4337 paymaster validation allows free gas (sponsor drain).

D149

Category: AA
Description: ERC-4337 paymaster postOp accounting mismatch (sponsor loss).

D150

Category: AA
Description: ERC-4337 UserOperation packing/hashing bug (different ops same hash).

D151

Category: AA
Description: ERC-7562 validation-scope rule violations (bundler DoS/mempool rejection).

D152

Category: AA
Description: AA validation reads mutable state not permitted (state-dependent validation).

D153

Category: AA
Description: ERC-6900 module install authorization weak (anyone can install validation module).

D154

Category: AA
Description: ERC-6900 module uninstall leaves account without validation (fail-open).

D155

Category: AA
Description: ERC-6900 hook ordering conflict (pre/post hooks can bypass checks).

D156

Category: AA
Description: ERC-6900 shared storage collisions among modules (corrupt module state).

D157

Category: AA
Description: ERC-7579 module type confusion (validator vs executor vs hook mis-registered).

D158

Category: AA
Description: ERC-7579 fallback handler authorization bypass.

D159

Category: AA
Description: EOA delegation (EIP-7702): whitelist/EOA-only gating bypass risk.

D160

Category: AA
Description: Session key/spending limit module bypass (limit checked after call).

D161

Category: EVM
Description: Transient storage used as long-lived state (assumes persists beyond tx).

D162

Category: EVM
Description: Transient storage not cleared on revert path (cleanup missing on error).

D163

Category: EVM
Description: Transient storage keying collision (same slot reused across independent flows).

D164

Category: EVM
Description: Transient storage used for access control without end-of-call clear.

D165

Category: EVM
Description: Transient storage read-before-write (uninitialized transient slot assumption).

D166

Category: EVM
Description: SELFDESTRUCT used as access control (kill-switch) but semantics changed (EIP-6780).

D167

Category: EVM
Description: Compiler-version vulnerable range detector (known solc bugs; ABIEncoderV2, etc.).

D168

Category: EVM
Description: abi.encodePacked collision in hashing/signatures.

D169

Category: EVM
Description: Uncheckedassembly return(...)skipping invariants/access control.

D170

Category: EVM
Description: ecrecover malleability/s-value not enforced.

D171

Category: UNI4
Description: Uniswap v4 hook not PoolKey-bound (hook callable from arbitrary pool).

D172

Category: UNI4
Description: Hook initialization lacks token-pair validation (fake token pools exploit).

D173

Category: UNI4
Description: Hook callback origin not validated (external direct calls to callbacks).

D174

Category: UNI4
Description: Hook reentrancy: external calls inside before/afterSwap without guard.

D175

Category: UNI4
Description: Hook DoS: hook can revert and brick swaps/liquidity operations.

D176

Category: UNI4
Description: Hook fee manipulation bug (dynamic fee logic exploitable).

D177

Category: UNI4
Description: Hook custom accounting mismatch (credits without deposits).

D178

Category: UNI4
Description: Hook donation/claim mechanism allows unbacked mint (callback spoofing).

D179

Category: UNI4
Description: Hook statefulness across pools leaks accounting (shared state cross-pool).

D180

Category: UNI4
Description: Hook uses transient storage without strict cleanup (tx-composability bug).

D181

Category: GEN
Description: Denial of service via unbounded iteration over dynamic arrays/mappings.

D182

Category: GEN
Description: Denial of service via unexpected revert in external dependency (no fallback path).

D183

Category: GEN
Description: Gas griefing via storage writes in loop (attacker-controlled length).

D184

Category: GEN
Description: Block gas limit assumption (function becomes uncallable as state grows).

D185

Category: GEN
Description: DoS via forced Ether (selfdestruct/coinbase payment) affecting invariants.

D186

Category: GEN
Description: DoS via revert-on-receive ETH (pull vs push payments).

D187

Category: GEN
Description: Unchecked arithmetic in loop index leading to infinite loop.

D188

Category: GEN
Description: Timestamp dependence for critical logic (auction end, vesting) without tolerance.

D189

Category: GEN
Description: Block.number dependence for time (L2 reorg/variable block times).

D190

Category: GEN
Description: Front-running in commit-reveal missing (reveal can be copied).

D191

Category: GEN
Description: Improper error handling: assert used for user-controlled condition.

D192

Category: GEN
Description: Missing input validation: zero address, zero amount, same-token pairs.

D193

Category: GEN
Description: Unvalidated array length mismatch across parallel arrays.

D194

Category: GEN
Description: Type confusion via abi.decode with wrong tuple layout.

D195

Category: GEN
Description: Storage pointer aliasing bug (Solidity older patterns)/uninitialized storage ref.

D196

Category: GEN
Description: Unsafe cast from bytes to address (truncation) in parsing calldata.

D197

Category: GEN
Description: Signature replay across function selectors (missing function binding).

D198

Category: GEN
Description: Replay across chains (missing chainId in signed message).

D199

Category: GEN
Description: Fee recipient can be griefed (set to contract that reverts on receive).

D200

Category: GEN
Description: Emergency withdrawal bypasses accounting (steal funds/breaks invariants).

D201

Category: L2
Description: Missing L2 sequencer-uptime gating before using oracle data (downtime -> stale prices, unsafe liqui- dations).

D202

Category: L2
Description: Missing post-recovery grace period after sequencer resumes (operations immediately resume on “up”).

D203

Category: L2
Description: Sequencer check implemented but wrong condition (inverted “up/down”, wrong timestamp field, or wrong comparison).

D204

Category: L2
Description: Sequencer check exists but not applied to all sensitive paths (e.g., applied to swap, not to liqui- date/settle).

D205

Category: L2
Description: Cross-domain auth: contract trusts L1 sender but fails to enforcemsg.sender == CrossDomainMessenger (OP-style).

D206

Category: L2
Description: Cross-domain auth: contract readsmsg.senderinstead ofxDomainMessageSender()/ equivalent (sender spoof risk).

D207

Category: L2
Description: Rollup address-aliasing bug: uses rawmsg.senderfor L1-originated calls without un-aliasing (Arbitrum- style).

D208

Category: L2
Description: Bridge replay: missing “spent”/nonce consumption check on finalized messages (same withdrawal/message can be executed twice).

D209

Category: L2
Description: Finality/challenge-window not enforced for optimistic bridges (accepts messages/withdrawals before finalization).

D210

Category: L2
Description: L2 gas/refund-path reentrancy: refunds /call{value:...}("")to user assumed safe (breaks under delegated-code EOAs).

D211

Category: WLT
Description: ERC-6492 counterfactual signature not supported (auth DoS/incompatible with modern wallet flows).

D212

Category: WLT
Description: ERC-6492 validation executes attacker-controlled deployment calldata or calls (reentrancy/arbitrary side effects during “isValidSignature”).

D213

Category: WLT
Description: ERC-6492 accepted without factory/deployer allowlist (counterfactual “wallet” can be spoofed).

D214

Category: WLT
Description: EIP-7702: “EOA-only” gating viatx.origin==msg.sender(or variants) used for security (bypass- able).

D215

Category: WLT
Description: EIP-7702:tx.origin-based “anti-reentrancy” is relied upon (now broken; reentrancy feasible with delegated code).

D216

Category: WLT
Description: EIP-7702: refund-to-EOA/ETH-send assumed non-reentrant; delegated fallback enables reentry into protocol.

D217

Category: WLT
Description: Missing nested EIP-712 binding (ERC-7739-style) for signatures used across multiple consumers (cross-app/relayer replay).

D218

Category: WLT
Description: Signature digest useskeccak256(abi.encodePacked(...))with multiple dynamic types (collision -> forged authorization).

D219

Category: STORE
Description: ERC-7201 namespace slot computed incorrectly (not following the spec formula/masking; silent state corruption).

D220

Category: STORE
Description: Duplicate ERC-7201 namespace IDs across inheritance/libs (distinct modules share storage; cor- ruption/collision risk).

D221

Category: REST
Description: Withdrawal-credentials capture: first-deposit/registration sets withdrawal creds without strict ownership/auth checks (front-runnable).

D222

Category: REST
Description: Withdrawal-credential validation incomplete (accepts malformed prefixes/lengths; wrong credential type accepted).

D223

Category: REST
Description: Slashing not reflected in exchange rate/share accounting (derivative token becomes undercollat- eralized).

D224

Category: REST
Description: Reward index monotonicity trap: index only increases + precision/rounding -> eventual claim DoS/unclaimable rewards.

D225

Category: REST
Description: Withdrawal queue accounting bug: shares not burned/locked before assets transfer (double-withdraw window).

D226

Category: REST
Description: Delegation switch not checkpointed: user can claim rewards from old+new operator (double count- ing).

D227

Category: REST
Description: Rebase mismatch: uses LSTbalanceOfwhere “shares” should be used (extractable via rebase timing).

D228

Category: REST
Description: msg.value(or deposit amount) reused inside loops for multiple validator ops (over/under-deposit; replayed value bug).

D229

Category: REST
Description: Deterministic vault/address derivation bug (CREATE2 inputs wrong -> funds stuck or credited to wrong vault).

D230

Category: REST
Description: Fee-recipient/distributor callback reentrancy in reward distribution paths (repeat-claim/withdraw).

D231

Category: ZK
Description: Missing public-input field/range checks (inputs not reduced mod field; invalid inputs pass or break soundness assumptions).

D232

Category: ZK
Description: Missing “point on curve/subgroup” checks for elliptic-curve points supplied as public inputs or proof elements.

D233

Category: ZK
Description: Proof verification return value ignored (verify called but not required for state transition).

D234

Category: ZK
Description: Proof verifies, but contract fails to bind critical public inputs to execution context (e.g., recipi- ent/amount not checked vsmsg.sender).

D235

Category: ZK
Description: Nullifier replay: contract lacks “seen nullifier” storage/bitmap (reused proof spends twice).

D236

Category: ZK
Description: Root replay: accepts arbitrary/old Merkle roots (no valid-root set or epoch restriction).

D237

Category: ZK
Description: Cross-chain/domain replay: proof not bound to chainId/contract domain (same proof valid elsewhere).

D238

Category: ZK
Description: Known-vulnerable verifier template fingerprint (gnark/circom versions with documented issues; byte- pattern detection).

D239

Category: ZK
Description: Precompile call failure not checked (pairing/EC ops viastaticcallwithout verifying success -> false positives).

D240

Category: ZK
Description: Verifier uses unsafe assembly with missing calldata-length validation (reads garbage/malleability surface).

D241

Category: MRK
Description: Leaf-vs-node collision: pre-hash leaf is 64 bytes and uses same hash as internal nodes (internal node can be “proven” as leaf).

D242

Category: MRK
Description: Leaf hashing usesabi.encodePackedwith multiple dynamic args (hash collisions -> forged leaf).

D243

Category: MRK
Description: Bitmap/index bug in claim tracking (wrong word/bit math -> double-claim or permanent lockout).

D244

Category: MRK
Description: Multiproof misuse: proofFlags/leaves mismatch not validated (crafted multiproof accepted or claims bricked).

D245

Category: MRK
Description: Leaf constructed fromlivemutable state (e.g., current token balance) instead of static entitlement (breaks claims/manipulable).

D246

Category: MRK
Description: Missing domain separation in leaf (no “airdrop id”/contract binding) enabling cross-distribution proof reuse.

D247

Category: MRK
Description: Merkle root update allowed after claims start without timelock/epoch rules (silent rug/clawback vector).

D248

Category: MRK
Description: Claim verifies signature over one payload but Merkle leaf derived from another payload (inconsistent auth -> bypass/DoS).

D249

Category: MRK
Description: Sorted-vs-unsorted Merkle mismatch (on-chain assumes sorted pairs; off-chain tree not) causing systemic claim failure.

D250

Category: MRK
Description: Leaf includes variable-length strings/bytes viaabi.encodePacked.