7 matches found
Strategist can break the whole protocol
Lines of code Vulnerability details Background There is known attack to ERC4626 vaults, called inflation attacks. It seems that the ReaperVault is not affected since the only depositor will be the ActivePool contract. But what actually the internal function deposituint256 amount, address receiver...
Integer Overflow
Lines of code Vulnerability details Impact The owner of the ActivePool contract can set yield distribution parameters that do not add to the expected 10000 BPS. This would cause the rebalance function to send the incorrect number of tokens when using the splits. Proof of Concept Calling...
ActivePool.sol – Re-entrancy risk on _rebalance function
Lines of code Vulnerability details The rebalance function is vulnerable to a reentrancy attack. Specifically, an external callee can take over the control flow of the function by calling back into the ActivePool contract via a method that triggers the rebalance function again before it completes...
Inexistent Slippage Evaluation
Lines of code Vulnerability details Impact The ecosystem of Ethos Reserve contains an EIP-4626 implementation of a vault meant to be integrated by its LUSD lending and borrowing system. As per the standard's Security Considerations itself, slippage checks need to be introduced at the integration...
Missing access restriction on StabilityPool's receiveCollateral
Handle kenzo Vulnerability details StabilityPool's receiveCollateral should only be called by ActivePool, but that check is missing. Anybody can call it and update StabilityPool's total collateral variable. Impact Wrong amounts of total collateral in StabilityPool totalColl. As far as I can see,...
ActivePool does not update rewards before unwrapping wrapped asset
Handle kenzo Vulnerability details When ActivePool sends collateral which is a wrapped asset, it first unwraps the asset, and only after that updates the rewards. This should be done in opposite order. As a comment in WJLP's unwrapFor rightfully mentions - "Prior to this being called, the user...
receiveCollateral() can be called by anyone
Handle jayjonah8 Vulnerability details Impact In StabilityPool.sol, the receiveCollateral function should be called by ActivePool per comments, but anyone can call it passing in tokens and amounts args to update stability pool balances. Proof of Concept Tools Used Manual code review Recommended...