Lucene search
K

25 matches found

Code423n4
Code423n4
•added 2022/07/14 12:0 a.m.•11 views

Buyout griefing can block almost all functionalities

Lines of code Vulnerability details Impact Everyone can start a Buyout for a vault by paying only 1 wei. For the next 4 days no other Buyout can start. If someone is fast enough, they can start another griefing buyout as soon as one finishes, meaning that it's possible to block the functionality ...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2022/07/14 12:0 a.m.•9 views

percsion error that causes buyoutprice to be very low causing the fractionPrice very low or very high

Lines of code Vulnerability details percsion error that causes buyoutprice to be very low causing the fractionPrice very low detials how does buyout become realy low? because of this percison error in the code if you supply msg.value=1 depsitAmount=1 totalSupply=5 1. also there is a possiblity th...

6.7AI score
Exploits0
Code423n4
Code423n4
•added 2022/07/14 12:0 a.m.•10 views

User can block migration actions by starting buyout process

Lines of code Vulnerability details Impact All migration actions such as propose, join, leave, and commit require that the pool's buyout state is INACTIVE. At any point, a user can call buyout.Start to start the buyout process which will change the buyout state to LIVE. Proof of Concept...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2022/07/14 12:0 a.m.•15 views

Committed Unsuccessful Migration can be settled later on

Lines of code Vulnerability details Impact When committing a migration proposal, it's status is changed to isCommited = true and the buyout starts. After 4 days, the buyout ends. Considering the case it was rejected, its status goes to INACTIVE. Nothing happens to the proposal in the Migration...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2022/07/14 12:0 a.m.•9 views

Migration Module: Re-enter commit using custom token

Lines of code Vulnerability details Impact HIGH - Assets can be compromised directly. One can drain eth out from migration module to buyout module using custom made FERC1155 token. Proof of Concept proof of concept: testCommitReenterpoc custom made FERC1155 for the attack The proof of concept sho...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2022/07/14 12:0 a.m.•10 views

Buyout Module: ethBalance is not properly updated

Lines of code Vulnerability details Impact HIGH - Assets can be stolen directly. An attacker can steal eth from buyout module Proof of Concept proof of concept1: testCashSharepoc proof of concept2: testCashRepeatpoc The proof of concept1 shows that the same amount of fractions will result in...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2022/07/14 12:0 a.m.•12 views

Migration Module: After successful migration, ERC20 assets can be thrown away by anyone

Lines of code Vulnerability details Impact HIGH - Assets can be lost directly After proposal and proposed buyout is successful, anyone can transfer ERC20 asset in the vault to the zero address and the asset will be lost. Proof of Concept proof of concept: testAnyoneCanThrowERC20poc The proof of...

6.7AI score
Exploits0
Code423n4
Code423n4
•added 2022/07/14 12:0 a.m.•10 views

Proposal commitment takes all fractional balance in Migration contract

Lines of code Vulnerability details Impact The Migration contract holds all fractional token balance of all proposals. Let's suppose a single vault has multiple proposals going on, and one gets committed. If the target price is satisfied, then a buyout starts // Checks if the current price is...

6.9AI score
Exploits0
Code423n4
Code423n4
•added 2022/07/14 12:0 a.m.•10 views

fractionPrice precision can be lost if fractional tokens supply is high enough

Lines of code Vulnerability details Buyout's start now determine fractional token price by dividing native tokens amount by total supply number. Whenever the supply is high enough the precision can be lost, leading to severe losses to buyout proposer as his staked fractional tokens can be valued ...

6.7AI score
Exploits0
Code423n4
Code423n4
•added 2022/07/14 12:0 a.m.•8 views

Not check fractionPrice > 0 may allow users to buy or sell fractions with zero ETH

Lines of code Vulnerability details Impact In Buyout.start function, fractionPrice is calculated from msg.value and depositAmount, both can be changed by sender. And there is no check if fractionPrice is bigger than 0. So in case fractionPrice = 0, users may sell and buy fractions with zero ETH...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2022/07/14 12:0 a.m.•7 views

Migration can be impacted, by frontrunning the commit function call

Lines of code Vulnerability details As part of the migration of a vault, the commit function is called to kickoff the buyout process for the migration. Its possible that any EOA address can initiate a start function on the Buyout module with a very low amount of msg.value and prevent the above...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2022/07/14 12:0 a.m.•9 views

Buyout Module: redeeming before the update of totalSupply will make buyout's current state success

Lines of code Vulnerability details Impact MED - a hypothetical attack path with stated assumptions, but external requirements. Attacker can create a vault with successful buyout status and non zero supply. The attacker can sell the fractions and then simply withdraw the assets. Proof of Concept...

6.7AI score
Exploits0
Code423n4
Code423n4
•added 2022/07/14 12:0 a.m.•12 views

buyoutPrice precision is lost in Buyout's start and Migration's commit

Lines of code Vulnerability details Buyout's start now determine the price for buyout with the truncation to 1% of supply. When buyout initiator brings in the big enough amount of fractional tokens current formula can yield substantial mispricing of initiator's fractional tokens value, which will...

6.7AI score
Exploits0
Code423n4
Code423n4
•added 2022/07/14 12:0 a.m.•7 views

Migration's withdrawContribution ignores the exchange between fractional tokens and ETH happened during Buyout attempt

Lines of code Vulnerability details withdrawContribution aims to return the funds to Migration participants. However, it uses initial userProposalFractionsproposalIdmsg.sender and userProposalEthproposalIdmsg.sender records for withdrawal accounting. Real funds structure is different after Buyout...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2022/07/14 12:0 a.m.•15 views

Not update ethBalance after users cash out in Migration may cause loss of funds

Lines of code Vulnerability details Impact In Buyout.cash function, users will burn their fractions to cash out ETH. The ETH amount is proportionate the number of fractions they have. So when someone burn fractions, total amount of ETH ethBalance should be updated accordingly. But in cash functio...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2022/07/14 12:0 a.m.•6 views

cash share amount calculated incorrectly

Lines of code Vulnerability details Impact When a buyout is successful, token owners can cash out their fractional tokens for ETH. The amount of ETH cashed out buyoutShare is calculated like this L268: uint256 buyoutShare = tokenBalance ethBalance / totalSupply + tokenBalance; with tokenBalance t...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2022/06/24 12:0 a.m.•8 views

Discrepancies between document and code implementation

Lines of code Vulnerability details Impact This will tarnish the credibility of the system. Proof of Concept Document says buyout time as 3 days. But the code is implemented with 5 days as buyout time. Tools Used Manual verification Recommended Mitigation Steps Implement the code as per what...

7.1AI score
Exploits0
Code423n4
Code423n4
•added 2022/06/24 12:0 a.m.•10 views

NibblVault buyout duration longer than update timelock

Lines of code Vulnerability details Impact User can buy out NFT by initiating the process through initiateBuyout, then he has to wait BUYOUTDURATION which is 5 days and if the buyout will not get rejected he can claim the NFT. During that period bidder cannot cancel the process. The issue is that...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2022/06/24 12:0 a.m.•10 views

_getTwav is not correct. It is not considering all last 4 blocks.

Lines of code Vulnerability details Impact This will result in invalid deadline to decide the buyout end. Proof of Concept /// @notice returns the TWAV of the last 4 blocks /// @return twav TWAV of the last 4 blocks function getTwav internal view returnsuint256 twav if...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2022/06/24 12:0 a.m.•13 views

Buyer can initiateBuyout by sending less value than current valuation

Lines of code Vulnerability details Impact Intuitively, a buyer calling initiateBuyout should be sending a msg.value greater than or equal to current valuation. However, they can actually send less than this amount and still initiate the buyout. On line 404 we have requirebuyoutBid =...

7.2AI score
Exploits0
Rows per page
Query Builder