21 matches found
CVE-2026-11465
A security flaw has been discovered in songquanpeng one-api up to 0.6.11-preview.7. Affected by this issue is the function Redeem of the file model/redemption.go of the component Redemption Code Top-Up Endpoint. The manipulation results in business logic errors. The attack may be launched remotel...
PT-2026-47196
A security flaw has been discovered in songquanpeng one-api up to 0.6.11-preview.7. Affected by this issue is the function Redeem of the file model/redemption.go of the component Redemption Code Top-Up Endpoint. The manipulation results in business logic errors. The attack may be launched remotel...
Users will retain possession of their USDe after redeeming collateral
Lines of code Vulnerability details Impact Users will retain possession of their USDe after redeeming their collateral; this can lead to theft/loss of funds. Proof of Concept See below for the coded POC. The benefactor and the beneficiary in the Order struct containing order details and confirmatio...
StakedUSDe.totalSupply() may decrease below MIN_SHARES by StakedUSDe.redistributeLockedAmount.
Lines of code Vulnerability details Impact StakedUSDe runs checkMinShares in deposit and withdraw to keep the totalSupply more than MIN_SHARES, 1e18. It is to prevent an ERC4626 inflation attack. However, StakedUSDe.redistributeLockedAmount(user, address(0)) burns all the user's shares and decreases t...
Upgraded Q -> 2 from #2142 [1698131545015]
Judge has assessed an item in Issue 2142 as 2 risk. The relevant finding follows: LOW1: No whenNotPaused in redeem Technical Details Almost all state changing functions have whenNotPaused in the core contract but it is not the case for redeem. The NFT it interacts with has a pause/unpause...
Potential Over-redemption Vulnerability in redeem Function
Lines of code Vulnerability details Impact In the redeem function, when a third party is using their allowance to redeem shares on behalf of an owner, there exists a potential scenario where the third party could redeem more than originally intended by the owner. Proof of Concept This is how the...
The perpetualVaultLP.sol is vulnerable to flashloan attack
Lines of code Vulnerability details impact The perpVaultLp contract is susceptible to a flash loan attack. An attacker can exploit the vulnerability by executing flash loan transactions using both the deposit and redeem functions. This allows the attacker to acquire extra rdpx tokens and increase...
Attacker can Steal all eths of WETHRouter.sol through redeem function
Lines of code Vulnerability details Impact An attacker can Steal eths through redeem function in WETHRouter.sol as you know the contract does the redeem process and redeem user mTokens to ETHs, and as you know we have the function of mint which is the opposite of this and users deposit ETH in ord...
Possible Unauthorized Redemption of Collateral ERC20 Tokens due to Lack of Proper Check in redeem() Function
Lines of code Vulnerability details Impact An attacker who is not authorized by the smart contract could potentially redeem more tokens than they are entitled to. This could cause a loss of funds for the smart contract and its users, as well as potentially destabilizing the overall ecosystem...
Can easily bypass the require by modifying parameter
Lines of code Vulnerability details Impact User can easily bypass the require code inside redeem function inside SimpleFeiDaiPSM.sol file by modifying the parameter. the require(amountFeiOut >= minAmountOut, ...) and require(amountOut >= minAmountOut, ...) statement can be bypassed easily since the two...
redeem() doesn't support inflationary or deflationary erc20 tokens
Lines of code Vulnerability details Impact A transfer-on-fee token or a deflationary/rebasing token causes the received amount to be less than the accounted amount. For instance, a deflationary token might charge a certain fee for every transfer or transferFrom. TribeRedeemer.sol supports the u...
TribeRedeemer.redeem function can possibly revert when block gas limit is reached
Lines of code Vulnerability details Impact As the following constructor shows, when constructing the TribeRedeemer contract, the number of tokens in tokensReceived that is used to set tokensReceived is not capped. When the redeem function below is called, tokensReceived, which is essentially toke...
High Potential Redeem function can not be executed because of revert
Lines of code Vulnerability details Impact Inside TribeRedeemer constructor tokensReceived is initialized, and can't be modified anywhere else. previewRedeem function will check balance of tokensReceived tokens of TribeRedeemer contract, and there is a require statement which guarantees that the...
FEI Minter can drain SimpleFeiDaiPSM contract DAI balance
Lines of code Vulnerability details Impact The FEI token contract contains a mint function which allows the MINTER to mint a given amount of FEI tokens to any account including his own address. So the Minter can mint to his own account an amount of FEI tokens equivalent to the SimpleFeiDaiPSM...
No way to burn or withdraw redeemedToken from TribeRedeemer
Lines of code Vulnerability details Impact There is no way to burn or withdraw redeemedToken sent to this contract. Recommended Mitigation Steps Burn tokens in redeem or add a function to withdraw those tokens.
Funds may be stuck when redeeming for Illuminate
Lines of code Vulnerability details Impact Funds may be stuck when redeeming for Illuminate. Proof of Concept Assuming the goal of calling redeem for Illuminate here is to redeem the Illuminate principal held by the lender or the redeemer, then there is an issue because the wrong balance is...
Loss of underlying tokens due to ERC4626 non-compliance in redeem function in wfCashERC4626.sol
Lines of code Vulnerability details Impact Similar to the report I sent earlier on the issue of The withdraw function in wfCashERC4626.sol, the redeem function is missing the code that transfers the underlying tokens to the receiver. According to the EIP-4626 standard, redeem function Burns share...
Improper implementation of slippage check
Handle WatchPug Vulnerability details function redeem(IERC20 token, uint amount, uint poolId, int128 idx, uint minOut) external defend blockLocked whenNotPaused returns (uint out) ibbtc.safeTransferFrom(msg.sender, address(this), amount); Pool memory pool = pools[poolId]; if poolId = minOut, "Slippage Check...
Zap contract's redeem() function doesn't check which token the user wants to receive
Handle Ruhum Vulnerability details Impact In the redeem function, the user can pass a token address. That's the token they receive in return for the ibbtc they give back. Because of missing address checks the user can provide any possible ERC20 token here without the function reverting. Although...