
27 matches found

Code423n4
added 2021/12/25 12:0 a.m., 8 views

USDV.sol Mint and Burn Amounts Are Incorrect

Handle leastwood Vulnerability details Impact The USDV.mint function queries the price of Vader from the LiquidityBasedTwap contract. The calculation to determine uAmount in mint is actually performed incorrectly. uAmount = vPrice vAmount / 1e18; will return the USD amount for the provided Vader ...

AI score: 7
Exploits: 0
Code423n4
added 2021/11/19 12:0 a.m., 9 views

OverlayToken.burn function could burn tokens of any user

Handle xYrYuYx Vulnerability details Impact The burner could burn any amount of tokens of any user. This is not a good solution of burn. Tools Used Manual Recommended Mitigation Steps Update burn function for only owner can burn his tokens. Now, ovl.burn function is used in OverlayV1OVLCollateral.so...

AI score: 6.9
Exploits: 0
Code423n4
added 2021/10/06 12:0 a.m., 11 views

ConcentratedLiquidityPosition.sol#collect() Users may get double the amount of yield when they call collect() before burn()

Handle WatchPug Vulnerability details When a user calls ConcentratedLiquidityPosition.sol#collect to collect their yield, it calculates the yield based on position.pool.rangeFeeGrowth and position.feeGrowthInside0, position.feeGrowthInside1: When there are enough tokens in bento.balanceOf, it will...

AI score: 6.8
Exploits: 0
Code423n4
added 2021/10/06 12:0 a.m., 14 views

ConcentratedLiquidityPool: secondsPerLiquidity should be modified whenever pool liquidity changes

Handle hickuphh3 Vulnerability details Impact secondsPerLiquidity is updated as such: secondsPerLiquidity += uint160diff 128 / liquidity; where diff = timestamp - uint256lastObservation. Hence, whenever liquidity changes, secondsPerLiquidity should be updated prior to the change. In particular,...

AI score: 6.9
Exploits: 0
Code423n4
added 2021/10/06 12:0 a.m., 10 views

Incorrect usage of typecasting in burn lets an attacker corrupt the pool state

Handle broccoli Vulnerability details Impact In the burn function of ConcentratedLiquidityPool, when calling updatePosition, the amount of liquidity to burn is explicitly converted from uint128 to int128, which could result in a positive integer if amount is larger than 1 127 and less than 1 128...

AI score: 6.7
Exploits: 0
Code423n4
added 2021/09/22 12:0 a.m., 6 views

burn and mintTo in Basket.sol vulnerable to reentrancy

Handle 0xalpharush Vulnerability details Impact The functions mintTo and burn make external calls prior to updating the state. If a basket contains an ERC777 token, attackers can mint free basket tokens. Proof of Concept An attacker could reenter the mintTo function when the contract pulls an...

AI score: 6.8
Exploits: 0
Code423n4
added 2021/05/26 12:0 a.m., 9 views

_calculateDeltaOfFSD fails when called with negative _reserveDelta

Handle cmichel Vulnerability details Vulnerability Details When reserveDelta is negative in ABC.calculateDeltaOfFSD the following branch is executed: if reserveDelta 0 uint256 capitalPostWithdrawal = capitalPool.subuint256reserveDelta; The type cast to uint256 is purely a reinterpretation of the...

AI score: 6.8
Exploits: 0