Lucene search
+L

31 matches found

github
github
added 2025/12/09 2:25 p.m.7 views

Babylon Incorrect FP inactive accounting in costaking creates “phantom stake” that earns rewards after BTC unbond

Summary A state consistency bug in x/costaking can leave a BTC delegator with non-zero ActiveSatoshis Phatom Stake even after they have fully unbonded their BTC delegation, if their Finality Provider FP drops out of the active set in the exact same babylon block height. This creates a “phantom...

6.9AI score
Exploits0References3Affected Software4
code423n4
code423n4
added 2023/12/21 12:0 a.m.15 views

repay(), liquidate() and liquidateWLp() receive shares as argument, which may revert if from approval to tx settled blocks have passed

Lines of code Vulnerability details Impact repay, liquidate and liquidateWLp transactions revert if users approve the exact repay amount they need in the frontend and only after some blocks have passed is the transaction settled. This happens because the interest accrual is by timestamp, so the...

6.9AI score
Exploits0
code423n4
code423n4
added 2023/12/20 12:0 a.m.11 views

Interest still accuring when repayment is paused, creating debt that cannot be repaid

Lines of code Vulnerability details Impact Interest still accuring when repayment is paused Proof of Concept When the admin pause the lending pool repayment, as timestamp elapses, interest still accuring /// @inheritdoc ILendingPool function accrueInterest public uint lastAccruedTime =...

7.1AI score
Exploits0
code423n4
code423n4
added 2023/12/19 12:0 a.m.10 views

InitiCore.liquidate uses stale toShares function

Lines of code Vulnerability details Proof of Concept When position is going to be liquidated, then liquidator provides poolToRepay and poolOut. He wants to repay some amount to poolToRepay and get shares from poolOut back according to repaid amount + bonus. ILendingPoolpoolOut.toShares function i...

7AI score
Exploits0
code423n4
code423n4
added 2023/11/06 12:0 a.m.11 views

interest is still accuring when the market is paused, force user to incur debts

Lines of code Vulnerability details Impact interest is still accuring when the market is paused, force user to incur debts Proof of Concept when the function accure is called the interest is accured after the interest rate is calculated uint256 interestRate = IIRMirm.getInterestRateaddressthis,...

7AI score
Exploits0
code423n4
code423n4
added 2023/11/02 12:0 a.m.12 views

accure interest function is likely failed to accure interest for token with low decimal

Lines of code Vulnerability details Impact loss of precision is too high when accuring interest Proof of Concept When intereste accures, we are calling uint256 interestAmount; uint256 interestRate = IIRMirm.getInterestRateaddressthis, trancheIndex, totalDeposit, totalBorrow; interestAmount =...

7AI score
Exploits0
code423n4
code423n4
added 2023/11/02 12:0 a.m.17 views

MEV bot can frontrun user's repayment to liquidate user first when the OmniPool is unpaused

Lines of code Vulnerability details Impact MEV bot can frontrun user's repayment to liquidate user first when the OmniPool is unpaused Proof of Concept this report tries to combine a few issue 1. when OmniPool is paused, interest is still accuring 2. when OmniPool is paused, user cannot repay 3...

7AI score
Exploits0
code423n4
code423n4
added 2023/10/26 12:0 a.m.4 views

New approved lender can receive other peoples accrued interest fees

Lines of code Vulnerability details A new approved Lender by the borrower, getting into the market at the right time can make huge profits in the market due to activity in the market of others, and accruing interest, which make the lender withdraw immediately, without being in the market for a lo...

7AI score
Exploits0
code423n4
code423n4
added 2023/10/06 12:0 a.m.6 views

Global and Position liquidity accrual can significantly impact the performance

Lines of code Vulnerability details Impact Global and Position liquidity accrual can significantly impact the performance Proof of Concept The calculation of currWeek and nextWeek as shown in the provided code snippet aims to determine two time points within a week, primarily for the purpose of...

7.2AI score
Exploits0
code423n4
code423n4
added 2023/10/04 12:0 a.m.9 views

accrueTokens() function could revert due to potential underflow

Lines of code Vulnerability details Impact Medium, as any underflow would cause the accrueTokens function to revert, preventing tokens from being accrued, which disrupts the rewards distribution mechanism. Proof of Concept The accrueTokens function is designed to update the distribution state by...

7.1AI score
Exploits0
code423n4
code423n4
added 2023/09/07 12:0 a.m.9 views

The USDT.sol contract does not accrue additional income in the form of rUSDY tokens

Lines of code Vulnerability details Impact rUSDY is the rebasing variant of USDY token, and is heavily based on other rebasing tokens such as stETH. Users are able to acquire rUSDY tokens by calling the wrapuint256 function on the contract. Where as the price of a single USDY token varies over...

6.7AI score
Exploits0
code423n4
code423n4
added 2023/08/04 12:0 a.m.10 views

Incorrect Interest Accrual Calculation in 'SGLCommon' Contract

Lines of code Vulnerability details Description The 'SGLCommon' contract contains a critical vulnerability in the interest accrual calculation, particularly in the computation of the 'extraAmount' used for accruing interest. The flaw arises from always dividing by 1e18, disregarding the number of...

6.7AI score
Exploits0
code423n4
code423n4
added 2023/07/21 12:0 a.m.9 views

M-06 Unmitigated

Lines of code Vulnerability details Original Issue code-423n4/2023-06-angle-findings13 Details This issue shows users may lose a portion of yield when protocolSafetyFee and vestingPeriod are changed. As mitigation, it recommends accruing interests before those parameters are changed. Mitigation P...

6.8AI score
Exploits0
code423n4
code423n4
added 2023/07/21 12:0 a.m.21 views

Collateralization ratio manipulation can cause a denial of service

Lines of code Vulnerability details Impact Stablecoin redeeming and profit accruing in the SavingsVest contract can be blocked when the collateralization ratio has overflown. Proof of Concept The mitigation recommended in 31 and implemented by the sponsor in this commit doesn't resolve the root...

7AI score
Exploits0
code423n4
code423n4
added 2023/07/07 12:0 a.m.11 views

Interest is not accrued before parameters are updated in SavingsVest

Lines of code Vulnerability details Impact Stablecoin holders can receive wrongly calculated yield in the SavingsVest contract. Also, wrong vesting profit can be slashed when the protocol is under-collateralized. Proof of Concept The SavingsVest contract lets users deposit their stablecoins and...

6.8AI score
Exploits0
code423n4
code423n4
added 2023/07/05 12:0 a.m.12 views

Contracts are vulnerable to rebasing accounting-related issues

Lines of code Vulnerability details Impact Rebasing tokens are tokens that have each holder's balanceof increase over time. Aave aTokens are an example of such tokens. If rebasing tokens are used, rewards accrue to the contract holding the tokens, and cannot be withdrawn by the original depositor...

6.8AI score
Exploits0
code423n4
code423n4
added 2023/06/20 12:0 a.m.11 views

M-05 Unmitigated

Lines of code Vulnerability details Mitigation of M-05: Issue NOT mitigated Mitigated issue M-05: Virgin stake can claim all drops Fix: code-423n4/2023-05-xeth@aebc324 The issue is that if dripping is enabled when totalSupply == 0 the entire amount dripped will immediately accrue to the first...

6.7AI score
Exploits0
code423n4
code423n4
added 2023/06/02 12:0 a.m.13 views

Changing _treasuryRate can cause lender to lose some interest that it is entitled to

Lines of code Vulnerability details Impact Calling the following ParticleExchange.buyNftFromMarket, ParticleExchange.repayWithNft, ParticleExchange.refinanceLoan, and ParticleExchange.auctionBuyNft functions accrue interestAccrued for the corresponding lender. When calling these functions, the...

6.7AI score
Exploits0
code423n4
code423n4
added 2023/02/07 12:0 a.m.14 views

Missed owner accrual in MultiRewardStaking _withdraw() leads to reward loss

Lines of code Vulnerability details Impact Function withdraw can be called from an approved caller to withdraw owner funds. The function accrues rewards for caller and receiver but misses the accrual for owner. If, for example, the owner didn't accrue any reward from the beginning of time and all...

6.8AI score
Exploits0
code423n4
code423n4
added 2022/12/21 12:0 a.m.8 views

Liquidations force users into bigger debts

Lines of code Vulnerability details Impact User's uncovered debt increases when auction starts on their collateral token. The increased debt may be too big for a user and they might not be able to repay it, which forces them to wait for the auctioned token to be sold and accrue more debt due to t...

6.7AI score
Exploits0
Rows per page
Query Builder