
133 matches found

Code423n4
added 2022/09/12 12:00 a.m., 10 views

Loss of precision will lock portions of tokens

Lines of code Vulnerability details Impact When the initial balance of a redemption reward token is smaller than the base, small amounts of the token will be rounded down to zero, meaning small-amount users will get nothing for redeeming tokens. Broken accounting means high severity Proof of...

AI score: 6.7
Exploits: 0

Code423n4
added 2022/09/08 12:00 a.m., 8 views

Price can be manipulated by flashloan

Lines of code Vulnerability details Impact The last observation of the TWAP can be manipulated by a flashloan, which thus manipulates the price. Proof of Concept The price calculated in getPriceLP is based on the last 8 observations. As the last observation may be in the current block it is...

AI score: 6.8
Exploits: 0

Code423n4
added 2022/08/01 12:00 a.m., 5 views

Users can cause other users' delegations to be undone

Lines of code Vulnerability details Impact Users can be blocked by other users from being able to delegate Proof of Concept The writeCheckpoint function looks up the existing checkpoint and attempts to update its delegation array if one exists, line 104: File:...

AI score: 6.7
Exploits: 0

Code423n4
added 2022/07/08 12:00 a.m., 11 views

Oracle data feeds are insufficiently validated

Lines of code Vulnerability details Impact If the oracle price feeds are insufficiently validated, there will be pricing errors leading to the mispricing of assets Proof of Concept The JBSingleTokenPaymentTerminalStore and abstract JBPayoutRedemptionPaymentTerminal both rely on their respective...

AI score: 7
Exploits: 0

Code423n4
added 2022/06/18 12:00 a.m., 5 views

Vaults are vulnerable to sandwich attacks due to missing slippage checks

Lines of code Vulnerability details Impact Swaps in the new Beefy Vault can have almost all funds taken via MEV sandwich attacks because there is no slippage control Proof of Concept The last argument to addliquidity is the minimum amount to mint, which is zero here: File:...

AI score: 7
Exploits: 0

Code423n4
added 2022/06/18 12:00 a.m., 8 views

_harvest() vulnerable to sandwich attacks due to missing slippage checks

Lines of code Vulnerability details Impact All funds that should have been harvested can be taken via MEV sandwich attacks because there is no slippage control. Proof of Concept The two swap calls pass zero as the third argument: File: contracts/MyStrategy.sol 1 249 uint256 balEthBptEarned =...

AI score: 6.9
Exploits: 0

Code423n4
added 2022/06/03 12:00 a.m., 11 views

Vote locking should block wrapper contracts

Lines of code Vulnerability details The reason that users are given boosted rewards for locking their governance tokens is that by making them illiquid for a set amount of time, the supply available to be sold is restricted, and users buying the token are more able to push the price up. Impact By...

AI score: 6.8
Exploits: 0

Code423n4
added 2022/05/30 12:00 a.m., 4 views

The VotingEscrow steals depositor's rebasing tokens' rewards

Lines of code Vulnerability details Rebasing tokens are tokens that have each holder's balanceOf increase over time. This ability of users' balances to grow is a way that some tokens provide rewards to the current holders. Aave aTokens are an example of such tokens. Impact Because the VotingEscro...

AI score: 6.6
Exploits: 0

Code423n4
added 2022/05/23 12:00 a.m., 9 views

Users can grief reward distribution

Lines of code Vulnerability details Impact Users can grief reward distributions by spending dust Proof of Concept If a reward is targeted for an epoch in the past, a user can front-run the txn in the mempool and call addRewardToEpoch with a dust amount at an epoch after the one in question. This...

AI score: 6.7
Exploits: 0

Code423n4
added 2022/05/23 12:00 a.m., 10 views

Users may lose rewards to other users if rewards are given as fee-on-transfer tokens

Lines of code Vulnerability details Impact If rewards are given in fee-on-transfer tokens, users may get no rewards, breaking functionality Med: Assets not at direct risk, but the function of the protocol or its availability could be impacted, or leak value with a hypothetical attack path with...

AI score: 6.8
Exploits: 0

Code423n4
added 2022/05/23 12:00 a.m., 8 views

Users can get rewards even if not locking for the full lock duration

Lines of code Vulnerability details Impact Users can get rewards that should only have gone to users that locked for the full duration, effectively stealing from those other users Proof of Concept This is the relevant logic from lock that determines the time at which the funds are unlocked: File:...

AI score: 6.8
Exploits: 0

Code423n4
added 2022/05/15 12:00 a.m., 8 views

processYield() and distributeYield() may run out of gas and revert due to long list of extra rewards/yields

Lines of code Vulnerability details Impact Yields will not be able to be distributed to lenders because attempts to do so will revert Proof of Concept The processYield function loops over all of the extra rewards and transfers them File: smart-contracts/ConvexCurveLPVault.sol 1 105 uint256...

AI score: 6.7
Exploits: 0

Code423n4
added 2022/05/09 12:00 a.m., 12 views

Attackers can prevent the transfer of the highest-value Cosmos to Ethereum transactions

Lines of code Vulnerability details In order to ensure that profitable batches are eventually created we must avoid locking up the high fee 'good transactions' into obviously bad batches. To add to the difficulty we don't actually know what any token in this process is worth or what ETH gas costs...

AI score: 6.5
Exploits: 0

Code423n4
added 2022/05/09 12:00 a.m., 11 views

Administrators can rug users

Lines of code Vulnerability details The Cudos Network is a special-purpose blockchain designed to provide high-performance, trustless, and permissionless cloud computing for all. To be considered trustless, both the incentives and the code must be aligned to prevent the possibility of...

AI score: 7
Exploits: 0

Code423n4
added 2022/05/08 12:00 a.m., 7 views

Missing a storage slot

Lines of code Vulnerability details Impact By using a pre-increment in our instantiations, we are potentially missing out on using the first (0th) slot. Tools Used Manual Inspection Recommended Mitigation Steps Use post-increment...

AI score: 6.9
Exploits: 0

Code423n4
added 2022/04/21 12:00 a.m., 4 views

Inactive skipped assets can be drained from the index

Lines of code Vulnerability details Impact If an index has any inactive assets with the role SKIPPEDASSETROLE, a user can repeatedly deposit and withdraw assets, always getting the skipped asset without having to deposit any Proof of Concept During minting, any asset that has the 'skipped' role i...

AI score: 6.8
Exploits: 0

Code423n4
added 2022/04/20 12:00 a.m., 5 views

deposit()ing when there is no discount results in zero xCitadel bought

Lines of code Vulnerability details The amount of citadel bought when there is no discount is always zero. If the user doesn't specify, or specifies zero as the minCitadelOut, then the user will get no xCitadel and will still have to pay the full price. Proof of Concept If funding.discount is equ...

AI score: 6.9
Exploits: 0

Code423n4
added 2022/04/07 12:00 a.m., 11 views

Loan buyouts can stick users with huge surprise bills

Lines of code Vulnerability details Impact If a small loan is bought out with a new loanAmount in the millions, so much interest can be charged that the borrower is unable to pay back the loan, essentially guaranteeing whales will be able to Seize NFTs. Proof of Concept The only requirement as it...

AI score: 6.8
Exploits: 0

Code423n4
added 2022/04/02 12:00 a.m., 15 views

Delegations incorrectly tracked when multiple delegate() calls occur in the same block

Lines of code Vulnerability details The README.md states: If the user has a Lock, and delegates to someone, then the bonus voting power is not counted. Impact Accounts are still able to claim bonus voting power even if they delegate to someone else, and any operations that rely on the public...

AI score: 6.9
Exploits: 0

Code423n4
added 2022/03/19 12:00 a.m., 14 views

Block delays can be bypassed with two flash loans instead of one

Lines of code Vulnerability details The README.md states: Withdrawals must be requested in a prior block via initiateWithdrawal(uint256 amount). The number of blocks until a request expires is settable by the vault owner. This is mainly for mitigating the feasibility of a flash loan attack. Impac...

AI score: 6.7
Exploits: 0