5 matches found
BathToken with initial liquidity of 1 wei causes very expensive share price leading to precision errors and loss of funds
Vulnerability details. Impact: The creator of a new BathToken is able to maliciously manipulate the share price by providing the lowest possible amount, 1 wei, of liquidity (initialLiquidityNew) and then artificially blowing up the BathToken token balance. Following depositors will lose thei...
BathToken.sol#_deposit() attacker can mint more shares with re-entrancy from hookable tokens
Vulnerability details: BathToken.sol#_deposit() calculates the actual transferred amount by comparing the before and after balance; however, since there is no reentrancy guard on this function, there is a risk of re-entrancy attack to mint more shares. Some token standards, such as ERC77...
BathToken uninitialized rewardsVestingWallet leading to loss of funds
Vulnerability details. Impact: Contract BathToken.sol implements the distributeBonusTokenRewards function that allows distributing non-underlying bath token incentives to pool withdrawers. In case of rewardsVestingWallet being set, the implementation triggers release function of...
There is no way to set the rewardsVestingWallet (IBathBuddy) in BathToken contract
Vulnerability details: rewardsVestingWallet (IBathBuddy) helps in releasing or distributing vested bonus tokens during withdrawals. There is currently no function to set it in the BathToken contract. rewardsVestingWallet (IBathBuddy) remains as address(0) and is unusable. Impact: Admin can not...
BathPair.sol#rebalancePair() can be front run to steal the pending rebalancing amount
Vulnerability details: function underlyingBalance() public view returns (uint256) { uint256 pool = IERC20(underlyingToken).balanceOf(address(this)); return pool.add(outstandingAmount); } function removeFilledTradeAmount(uint256 amt) external onlyPair { outstandingAmount = outstandingAmount.sub(amt); emit...