Missing Signature Verification Leads To Critical Parameter Changes

Lines of code Vulnerability details Impact During the code review, It has been observed that, signature verification is commented out in the protocol. Without off-chain signature verification, an attacker is able to edit parameters in the protocol Proof of Concept 1. Navigate to the following...

buyFromPrivateSaleFor() Will Fail if The Buyer Has Insufficient Balance Due to an Open Offer on The Same NFT

Lines of code Vulnerability details Impact The buyFromPrivateSaleFor function allows sellers to make private sales to users. If insufficient ETH is provided to the function call, the protocol will attempt to withdraw the amount difference from the user's unlocked balance. However, if the same use...

NFT Creators Can Avoid Paying The Primary Foundation Fee

Lines of code Vulnerability details Impact The primary foundation fee is charged on the initial sale of newly minted NFTs. However, the isCreator && !nftContractToTokenIdToFirstSaleCompletednftContracttokenId check can easily be bypassed to avoid paying the primary foundation fee by selling the...

NFT Sellers Can Steal Funds if an Offer is Accepted on an Unfinalized Auction

Lines of code Vulnerability details Impact NFTs can be sold to users in a variety of ways. One main method is for a seller to auction their NFT by creating a reserve auction. Once the auction is active, it is guaranteed that the sale will go to the highest bidder. Once an auction has ended, anyon...

Incorrect implementation when accepting offer from unsettled auctions

Lines of code Vulnerability details Impact FNDNFTMarket allows market offer to be made on auctioned NFTs that have not been finalised by the auction winner. Auction winner can call acceptOffer to accept the offer and finalise the auction in a single call. However, the current implementation has a...

Review your security vulnerabilities in GitHub with code scanning alerts

Today, for GitHub repositories, our SAST analysis provides fast, precise security feedback directly inside your pull requests. You instantly know how many vulnerabilities are detected and, until now, you would systematically go to SonarCloud to start investigating. Not anymore. From this point...

Foundation Treasury initialize() function can be called by an attacker first

Lines of code Vulnerability details Impact In FoundationTreasury.sol the initialize function can only be called once setting the admin and operator roles which are used in other contracts. The problem is that this initialize function is not called in any deployment script which means an attacker...

VUSD.processWithdrawals() Can Be Filled With Empty Withdrawals

Lines of code Vulnerability details Impact The processWithdrawals function intends to allow for users to finalise their withdrawal in a canonical fashion. By enforcing the order of withdrawals, the protocol can ensure that users are paid out fairly. However, because the function only allows for...

batched delegate calls used can result in double spending bug

Lines of code Vulnerability details Impact In TWABDelegator.sol anyone can call the multicall function which then calls multicall in PermitAndMulticall.sol. When using batched delegatecalls the msg.sender and msg.value are not updated on every iteration and this can result in double spending bugs...

CONSTANT_SETTER_ROLE is never assigned in CommunityLocker.sol

Lines of code Vulnerability details Impact In CommunityLocker.sol only the caller with the CONSTANTSETTERROLE can call the setTimeLimitPerMessage function. The problem is that the CONSTANTSETTERROLE is never assigned in the contract. Only the DEFAULTADMINROLE is assigned in the initialize functio...

TokenManagerERC721.sol _exit() function uses transferFrom

Lines of code Vulnerability details Impact In TokenManagerERC721 the exit function makes use of transferFrom instead of safeTransferFrom. Tokens that don’t correctly implement the latest EIP20 spec will be unusable in the protocol as they revert the transaction because of the missing return value...

canSafeBoostVault() doesn't actually check the feiAmount passed in

Lines of code Vulnerability details Impact In TurboMaster.sol the onSafeBoost function calls canSafeBoostVault on the booster contract to check if the safe is allowed to boost the vault using the feiAmount which is passed in by the caller as an argument. The problem is that the feiAmount is never...

onSafeSlurp() can be called by anyone on TurboMaster.sol

Lines of code Vulnerability details Impact In TurboMaster.sol the onSafeSlurp function can be called directly by anyone while the logic implies that it should only be called by the slurp function on the TurboSafe.sol contract which performs the required calculations beforehand. When onSafeSlurp i...

authenticate modifier can be bypassed

Lines of code Vulnerability details Impact In TurboRouter.sol the authenticate modifier checks if the msg.sender is equal to the owner function of an arbitrary address provided by the caller. Anyone can simply make a contract of the same type with the owner function returning an address that equa...

Improper Upper Bound Definition On The OnlyOwner Function Variables

Lines of code Vulnerability details Impact During the documentation of the contest, It has been seen that the following comment added. Specific care should be put in: Economic exploits Rug Vectors However, onlyOwner function does not have upper bound definition on the related variables. Values th...

_validateOrder Does Not Allow Anyone To Be A Taker Of An Off-Chain Order

Handle leastwood Vulnerability details Impact The EIP1271Wallet contract intends to allow the treasury manager account to sign off-chain orders in 0x on behalf of the TreasuryManager contract, which holds harvested assets/COMP from Notional. While the EIP1271Wallet.validateOrder function mostly...

Owner can extend coolDownPeriod to indefinitely - Improper Upper Bound Definition on the coolDownPeriod

Handle defsec Vulnerability details Impact The setCoolDownTime function does not have any upper or lower bounds. Values that are too large will lead to reversions in several critical functions. User funds will be locked forever. Proof of Concept 1. Navigate to the following contract. function...

ConvexYieldWrapper Does Not Check If A Vault Is Undercollateralised In _getDepositedBalance

Handle leastwood Vulnerability details Impact The ConvexYieldWrapper.sol contract makes use of a user's total collateral held by all their vaults, however, there is no check to ensure the vault is sufficiently collateralised. Hence, it is possible for a user to claim protocol generated yield on a...

Malicious Users Can Transfer Vault Collateral To Other Accounts To Extract Additional Yield From The Protocol

Handle leastwood Vulnerability details Impact ConvexYieldWrapper.sol is a wrapper contract for staking convex tokens on the user's behalf, allowing them to earn rewards on their deposit. Users will interact with the Ladle.sol contract's batch function which: Approves Ladle to move the tokens...

Mageia: Security Advisory (MGASA-2014-0447)

The remote host is missing an update for the SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...