Lucene search

67 matches found

Code423n4
added 2024/01/08 12:00 a.m., 20 views

Wrong invocation of Whirlpool's updateFeesAndRewards will cause it to always revert

Lines of code Vulnerability details Impact Deposits will be unwithdrawable from the lockbox Proof of Concept If the entire liquidity of a position has been removed, the withdraw function calls the updateFeesAndRewards function on the Orca pool before attempting to close the position. function...

AI score: 7
Exploits: 0
Code423n4
added 2023/12/19 12:00 a.m., 11 views

Lack of input validation for ClosePositionParams.amountSwap results in theft of funds (premium + protocol fee)

Lines of code Vulnerability details Impact Lack of input validation for ClosePositionParams.amountSwap results in theft of funds Proof of Concept ParticlePositionManager.sol holds two parts of funds: 1. the contract holds the premium added by the borrower; 2. the contract holds the protocol fee before the protocol...

AI score: 7.4
Exploits: 0
Code423n4
added 2023/11/27 12:00 a.m., 8 views

Upgraded Q -> 2 from #491 [1701115520323]

Judge has assessed an item in Issue 491 as 2 risk. The relevant finding follows: L-03 While StakedUSDeV2.cooldownDuration is changed from non-zero to zero, stakers should be able to call StakedUSDeV2.unstake to withdraw assets regardless of userCooldown.cooldownEnd File: While...

AI score: 7
Exploits: 0
Code423n4
added 2023/10/26 12:00 a.m., 14 views

The approve function can be frontrun

Lines of code Vulnerability details Impact Bob steals tokens from Alice. Proof of Concept In the file WildcatMarketToken.sol there is an approve function: function approve(address spender, uint256 amount) external virtual nonReentrant returns (bool) { _approve(msg.sender, spender, amount); return true; } th...

AI score: 7.1
Exploits: 0
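An added example (not Wildcat's code) that replays the race described in the finding above and shows the two usual mitigations. The contract, its balances and the approveExpected helper are constructed for illustration; only the unconditional-overwrite shape of approve comes from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal allowance bookkeeping to show the approve() race and two
// mitigations. Added illustration, not the audited market token; the
// contract name, initial balance and approveExpected() are assumptions.
contract AllowanceRaceDemo {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    error InsufficientAllowance(uint256 have, uint256 want);
    error AllowanceChanged(uint256 expected, uint256 actual);

    constructor() { balanceOf[msg.sender] = 1_000e18; }   // constructed starting balance

    function _approve(address owner, address spender, uint256 amount) internal {
        allowance[owner][spender] = amount;
    }

    // Vulnerable shape from the finding: an unconditional overwrite.
    // Race: Alice approve(Bob, 100); later Alice sends approve(Bob, 50).
    // Bob sees it pending, front-runs with transferFrom(Alice, Bob, 100),
    // then after Alice's tx lands spends 50 more: 150 moved, not 50.
    function approve(address spender, uint256 amount) external returns (bool) {
        _approve(msg.sender, spender, amount);
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        uint256 allowed = allowance[from][msg.sender];
        if (allowed < amount) revert InsufficientAllowance(allowed, amount);
        allowance[from][msg.sender] = allowed - amount;
        balanceOf[from] -= amount;   // checked arithmetic reverts on underflow
        balanceOf[to] += amount;
        return true;
    }

    // Mitigation 1: relative changes. The new allowance is computed from
    // whatever is left at execution time, so ordering gives the spender nothing.
    function increaseAllowance(address spender, uint256 added) external returns (bool) {
        _approve(msg.sender, spender, allowance[msg.sender][spender] + added);
        return true;
    }

    function decreaseAllowance(address spender, uint256 subtracted) external returns (bool) {
        uint256 current = allowance[msg.sender][spender];
        if (current < subtracted) revert InsufficientAllowance(current, subtracted);
        _approve(msg.sender, spender, current - subtracted);
        return true;
    }

    // Mitigation 2: compare-and-set. The owner states the allowance they
    // believe is current; a front-run that consumed it makes this revert
    // instead of silently granting a fresh allowance on top.
    function approveExpected(address spender, uint256 expectedCurrent, uint256 amount)
        external returns (bool)
    {
        uint256 current = allowance[msg.sender][spender];
        if (current != expectedCurrent) revert AllowanceChanged(expectedCurrent, current);
        _approve(msg.sender, spender, amount);
        return true;
    }
}
```

The approve-to-zero-then-approve-N convention sometimes recommended to users does not close the race on its own: the spender can still front-run the approve(0). Only the relative or compare-and-set forms remove the window.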
Code423n4
added 2023/10/06 12:00 a.m., 4 views

The while loop used in all the accrueXXXPositionTimeWeightedLiquidity functions could make a call reach the block gas limit

Lines of code Vulnerability details Proof of Concept If a user neither modifies his position nor claims rewards for a very long time, it might become impossible for him to do any action involving the internal functions accrueAmbientPositionTimeWeightedLiquidity or...

AI score: 6.8
Exploits: 0
Code423n4
added 2023/09/06 12:00 a.m., 10 views

Missing calculation parameter issue in Earnings Pool

Lines of code Vulnerability details Impact Here is the vulnerable part of the code: function getLastTranscoderRewardsEarningsPool(address transcoder, uint256 round) internal view returns (uint256 rewardRound, EarningsPool.Data memory pool) { BondingCheckpoint storage bond = getBondingCheckpointAt(transcode...

AI score: 7
Exploits: 0
Code423n4
added 2023/08/28 12:00 a.m., 9 views

Condition will not revert when block.timestamp is == to the compared variable

Lines of code Vulnerability details Medium Issues

| | Issue | Instances |
|---|---|---|
| M-1 | Condition will not revert when block.timestamp is == to the compared variable | 1 |

M-1 Condition will not revert when block.timestamp is == to the compared variable The condition does not revert when...

AI score: 6.8
Exploits: 0
Code423n4
added 2023/07/21 12:00 a.m., 9 views

Collateralization ratio manipulation can cause a denial of service

Lines of code Vulnerability details Impact Stablecoin redeeming and profit accruing in the SavingsVest contract can be blocked when the collateralization ratio has overflowed. Proof of Concept The mitigation recommended in 31 and implemented by the sponsor in this commit doesn't resolve the root...

AI score: 7
Exploits: 0
Code423n4
added 2023/07/21 12:00 a.m., 8 views

M-02 Unmitigated

Lines of code Vulnerability details Original Issue code-423n4/2023-06-angle-findings31 Details It shows LibGetters.getCollateralRatio might return the incorrect ratio due to the unsafe cast. Mitigation PR: AngleProtocol/angle-transmuter@6f2ffcb During the mitigation, it uses the safeCast library...

AI score: 6.9
Exploits: 0
Code423n4
added 2023/07/10 12:00 a.m., 10 views

A malicious user can steal a reserved token by using the shift() function of Well.sol if liquidity was added to the well unsafely with a zero amount of one of the tokens.

Lines of code Vulnerability details Impact A malicious user can steal a reserved token by using the shift function of Well.sol if liquidity was added to the well unsafely with a zero amount of one of the tokens. Proof of Concept Let's assume a well with WETH and USDC tokens. Currently totalSupply is zer...

AI score: 6.6
Exploits: 0
Code423n4
added 2023/07/10 12:00 a.m., 12 views

Well.shift could suffer from front-running attack

Lines of code Vulnerability details Impact The usage of Well.shift is described in the comment: 2. Using a router with shift: WETH.transfer(sender=0xUSER, recipient=Well1) 1. Call the router, which performs: Well1.shift(tokenOut=DAI, recipient=Well2) DAI.transfer(sender=Well1, recipient=Well2) 2...

AI score: 6.6
Exploits: 0
Code423n4
added 2023/07/03 12:00 a.m., 9 views

executeFlashloan() doesn't pass/authenticate the initiator address

Lines of code Vulnerability details Impact In PeUSDMainnetStableVision.sol executeFlashloan. File: contracts/lybra/token/PeUSDMainnetStableVision.sol, line 129: function executeFlashloan(FlashBorrower receiver, uint256 eusdAmount, bytes calldata data) public payable { line 130: uint256 shareAmount =...

AI score: 7
Exploits: 0
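An added example (not Lybra's code) of what the finding above is about: a lender that calls the receiver back without saying who started the loan, beside the ERC-3156 shape where msg.sender is forwarded as the initiator and the receiver checks it. The lender here doubles as the token with an internal ledger to stay self-contained; the fee, the Strategy contract and its callback logic are constructed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of the executeFlashloan() initiator problem, not the
// audited contract. Ledger, FEE_BPS, Strategy and all names are assumptions.

interface IFlashBorrowerNoInitiator {
    function onFlashLoan(uint256 amount, bytes calldata data) external;
}

interface IFlashBorrowerERC3156 {
    function onFlashLoan(address initiator, address token, uint256 amount, uint256 fee, bytes calldata data)
        external returns (bytes32);
}

// The lender is also the token: balances live in this ledger (constructed).
abstract contract Ledger {
    mapping(address => uint256) public balanceOf;
    uint256 public constant FEE_BPS = 10;   // 0.1 %, assumed

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }  // test faucet

    function transfer(address to, uint256 amount) external {
        balanceOf[msg.sender] -= amount;    // checked arithmetic reverts on underflow
        balanceOf[to] += amount;
    }

    function _lend(address receiver, uint256 amount) internal { balanceOf[receiver] += amount; }

    function _settle(address receiver, uint256 amount) internal {
        balanceOf[receiver] -= amount + amount * FEE_BPS / 10_000;   // reverts if unpaid
    }
}

// Vulnerable shape: the receiver learns neither who started the loan nor what
// it was for, so anyone can drive any receiver's callback with chosen data
// and leave the receiver paying the fee.
contract LenderNoInitiator is Ledger {
    function executeFlashloan(IFlashBorrowerNoInitiator receiver, uint256 amount, bytes calldata data) external {
        _lend(address(receiver), amount);
        receiver.onFlashLoan(amount, data);
        _settle(address(receiver), amount);
    }
}

// Hardened shape: msg.sender is forwarded as the initiator and the receiver
// must acknowledge with the ERC-3156 magic value.
contract LenderWithInitiator is Ledger {
    bytes32 public constant CALLBACK_SUCCESS = keccak256("ERC3156FlashBorrower.onFlashLoan");
    error BadCallback();

    function executeFlashloan(IFlashBorrowerERC3156 receiver, uint256 amount, bytes calldata data) external {
        uint256 fee = amount * FEE_BPS / 10_000;
        _lend(address(receiver), amount);
        if (receiver.onFlashLoan(msg.sender, address(this), amount, fee, data) != CALLBACK_SUCCESS) {
            revert BadCallback();
        }
        _settle(address(receiver), amount);
    }
}

// A receiver whose callback moves its own funds according to `data`.
// Against LenderNoInitiator, an attacker calls
//   executeFlashloan(strategy, 1, abi.encode(attacker, strategy's balance))
// and the strategy pays the attacker and the fee. Against LenderWithInitiator
// the same call reverts with NotInitiatedByMe.
contract Strategy is IFlashBorrowerNoInitiator, IFlashBorrowerERC3156 {
    Ledger public immutable lender;
    address public immutable owner;
    error NotLender();
    error NotInitiatedByMe(address initiator);

    constructor(Ledger _lender) { lender = _lender; owner = msg.sender; }

    function _act(bytes calldata data) internal {
        (address to, uint256 amount) = abi.decode(data, (address, uint256));
        lender.transfer(to, amount);
    }

    // Only msg.sender can be checked here, and that says nothing about who started the loan.
    function onFlashLoan(uint256, bytes calldata data) external override {
        if (msg.sender != address(lender)) revert NotLender();
        _act(data);
    }

    function onFlashLoan(address initiator, address, uint256, uint256, bytes calldata data)
        external override returns (bytes32)
    {
        if (msg.sender != address(lender)) revert NotLender();
        if (initiator != address(this)) revert NotInitiatedByMe(initiator);   // the missing check
        _act(data);
        return keccak256("ERC3156FlashBorrower.onFlashLoan");
    }

    // The only legitimate way to start a loan on this receiver's behalf.
    function startLoan(uint256 amount, bytes calldata data) external {
        require(msg.sender == owner, "not owner");
        LenderWithInitiator(address(lender)).executeFlashloan(this, amount, data);
    }
}
```

Checking msg.sender == lender is necessary but not sufficient: it proves the callback came from the lender, not that the receiver asked for the loan. The initiator parameter is what lets the receiver tell the two apart.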
Code423n4
added 2023/06/02 12:00 a.m., 6 views

newLien.lender can steal NFT that should belong to oldLien.lender after refinancing

Lines of code Vulnerability details Impact After calling the following ParticleExchange.refinanceLoan function, the collections are the same and the tokenId becomes newLien.tokenId for both the old and new liens. function refinanceLoan(Lien calldata oldLien, uint256 oldLienId, Lien calldata newLien, uint25...

AI score: 6.7
Exploits: 0
Code423n4
added 2023/05/15 12:00 a.m., 6 views

First 1 wei deposit can produce loss of user xETH funds in wxETH

Lines of code Vulnerability details Description The present implementation of the wxETH::stake function permits the sending of tokens to the contract, even if the quantity of wxETH is zero. This can result in users losing funds, particularly when the initial deposit is only 1 wei, and the extent...

AI score: 6.6
Exploits: 0
Code423n4
added 2023/05/15 12:00 a.m., 8 views

Virgin stake can claim all drops

Lines of code Vulnerability details Impact If wxETH drips when nothing is staked, then the first staker can claim every drop. Proof of Concept Suppose drip is enabled when totalSupply == 0. At least one block passes and the first staker stakes, just 1 xETH is enough. This mints her 1 wxETH. This...

AI score: 6.6
Exploits: 0
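An added example covering both wxETH findings above (the 1 wei first deposit and drips accruing while nothing is staked). It is not wxETH's code: xETH is modelled as a number and only the share accounting is kept, so the two sequences can be replayed in Remix. The contract name, the drip model, the OFFSET value and the numbers in the comments are constructed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the audited wrapper. Share accounting only; xETH
// is a number, so donate() stands in for a direct token transfer.
contract WxEthShareMath {
    uint256 public totalSupply;      // wxETH shares
    uint256 public totalAssets;      // xETH credited to the wrapper
    uint256 public immutable dripPerBlock;
    uint256 public lastDripBlock;
    mapping(address => uint256) public balanceOf;

    // Virtual shares (the ERC-4626 "decimals offset" idea). They bound the rounding
    // loss a donor can impose and make inflating the share price cost more than it
    // can capture. Assumed tuning value.
    uint256 private constant OFFSET = 1e6;

    constructor(uint256 _dripPerBlock) {
        dripPerBlock = _dripPerBlock;
        lastDripBlock = block.number;
    }

    // xETH sent straight to the contract: raises totalAssets, mints nothing.
    function donate(uint256 amount) external { totalAssets += amount; }

    function _drip() internal {
        totalAssets += dripPerBlock * (block.number - lastDripBlock);
        lastDripBlock = block.number;
    }

    // Naive pricing as in the findings.
    //  - Virgin stake: totalSupply == 0 ignores whatever already dripped in,
    //    so the first 1 wei buys every drop.
    //  - 1 wei deposit: stake 1 wei (1 share), donate 1e18, and the next 1e18
    //    stake rounds to 1e18 * 1 / (1e18 + 1) == 0 shares; the victim's xETH
    //    accrues to the attacker's single share.
    function naiveSharesFor(uint256 amount) public view returns (uint256) {
        if (totalSupply == 0) return amount;
        return amount * totalSupply / totalAssets;
    }

    // Hardened pricing. Replaying the attack: attacker stakes 1 wei -> 1e6 shares;
    // donates 1e18; victim stakes 1e18 -> 1,999,999 shares. On redemption the
    // victim gets back ~1e18 and the attacker's shares are worth ~0.5e18, so the
    // donation is lost rather than captured.
    function safeSharesFor(uint256 amount) public view returns (uint256) {
        return amount * (totalSupply + OFFSET) / (totalAssets + 1);
    }

    function safeAssetsFor(uint256 shares) public view returns (uint256) {
        return shares * (totalAssets + 1) / (totalSupply + OFFSET);
    }

    function stakeNaive(uint256 amount) external returns (uint256 shares) {
        _drip();
        shares = naiveSharesFor(amount);
        _mint(msg.sender, shares, amount);
    }

    function stakeSafe(uint256 amount) external returns (uint256 shares) {
        if (totalSupply == 0) lastDripBlock = block.number;  // no stakers, no accrual
        _drip();
        shares = safeSharesFor(amount);
        require(shares != 0, "stake rounds to zero shares");
        _mint(msg.sender, shares, amount);
    }

    function _mint(address to, uint256 shares, uint256 amount) internal {
        totalSupply += shares;
        totalAssets += amount;
        balanceOf[to] += shares;
    }
}
```

The require on a non-zero share count is the cheap guard against the victim's side of the inflation; the offset is what removes the attacker's profit, and dropping drips while totalSupply == 0 is what closes the virgin-stake case.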
Code423n4
added 2023/05/10 12:00 a.m., 7 views

Upgraded Q -> 2 from #49 [1683711080406]

Judge has assessed an item in Issue 49 as 2 risk. The relevant finding follows: QA10. readKeyValue fails to enforce the constraint offset+len <= input.length Mitigation: make sure offset+len <= input.length (revert outOfBoundAccess otherwise); uint256 separator = input.find(offset, len, "="); if (separator == type(uint256).max) retu...

AI score: 6.7
Exploits: 0
Code423n4
added 2023/05/04 12:00 a.m., 9 views

Staker can bypass the debt accrued via beaconChainETHSharesToDecrementOnWithdrawal by transferring shares to another address

Lines of code Vulnerability details Description When a staker is verified to have over-committed and the over-committed amount is greater than their outstanding shares, they accrue a debt that is captured by beaconChainETHSharesToDecrementOnWithdrawal. This debt eventually gets settled when the...

AI score: 6.8
Exploits: 0
Code423n4
added 2023/05/02 12:00 a.m., 9 views

Upgraded Q -> 2 from #240 [1683052133668]

Judge has assessed an item in Issue 240 as 2 risk. The relevant finding follows: LOW-11 tokenURI does not follow EIP-721 The EIP states that tokenURI "Throws if tokenId is not a valid NFT", which the code below does not do. If the NFT has not yet been minted, tokenURI should revert Proof Of Conce...

AI score: 7
Exploits: 0
Code423n4
added 2023/04/28 12:00 a.m., 7 views

TEST FINDING

Lines of code Vulnerability details ISSUE FOR TESTING PURPOSES Assessed type Uniswap...

AI score: 7
Exploits: 0
Code423n4
added 2023/04/19 12:00 a.m., 5 views

Results of transferFrom and transfer are not checked.

Lines of code Vulnerability details M-01 Results of transferFrom and transfer are not checked. It may lead to assets being lost if the transfer somehow fails. Below are some examples: contracts/Position.sol line 138: collateral.transferFrom(msg.sender, address(this), newCollateral - colbal); line 228:...

AI score: 6.9
Exploits: 0
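An added example (not the audited project's code) showing why the dropped return value in the finding above matters and how a safe-transfer wrapper handles the three token behaviours in the wild: returning true, returning false, and returning nothing. FalseReturningToken, the SafeTransfer library and the two Position contracts are constructed; only the unchecked transferFrom line mirrors the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of the unchecked-transfer finding; not Position.sol.
// Every contract and name below is an assumption.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Signals failure with `false` instead of reverting, as some deployed tokens do.
contract FalseReturningToken is IERC20 {
    mapping(address => uint256) public balanceOf;

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }  // test faucet

    function transfer(address to, uint256 amount) external returns (bool) {
        return _move(msg.sender, to, amount);
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        return _move(from, to, amount);   // allowance omitted to keep the example short
    }

    function _move(address from, address to, uint256 amount) internal returns (bool) {
        if (balanceOf[from] < amount) return false;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

library SafeTransfer {
    error TransferFailed(address token);

    function safeTransferFrom(IERC20 token, address from, address to, uint256 amount) internal {
        _check(token, abi.encodeCall(IERC20.transferFrom, (from, to, amount)));
    }

    function safeTransfer(IERC20 token, address to, uint256 amount) internal {
        _check(token, abi.encodeCall(IERC20.transfer, (to, amount)));
    }

    // Accepts a `true` return and an empty return (tokens that declare no return
    // value); rejects `false`, a revert, and an address with no code, which a
    // plain low-level call would otherwise report as success.
    function _check(IERC20 token, bytes memory callData) private {
        if (address(token).code.length == 0) revert TransferFailed(address(token));
        (bool ok, bytes memory ret) = address(token).call(callData);
        if (!ok || (ret.length != 0 && !abi.decode(ret, (bool)))) revert TransferFailed(address(token));
    }
}

// The pattern from the finding: the bool is dropped, so a false return still
// credits the caller with collateral that never arrived.
contract PositionUnchecked {
    IERC20 public immutable collateral;
    uint256 public colbal;

    constructor(IERC20 c) { collateral = c; }

    function setCollateral(uint256 newCollateral) external {
        collateral.transferFrom(msg.sender, address(this), newCollateral - colbal);
        colbal = newCollateral;            // reached even when the transfer returned false
    }
}

contract PositionChecked {
    using SafeTransfer for IERC20;
    IERC20 public immutable collateral;
    uint256 public colbal;

    constructor(IERC20 c) { collateral = c; }

    function setCollateral(uint256 newCollateral) external {
        collateral.safeTransferFrom(msg.sender, address(this), newCollateral - colbal);
        colbal = newCollateral;            // only reached when the tokens actually moved
    }
}
```

To reproduce: deploy FalseReturningToken, deploy PositionUnchecked with it, and call setCollateral(1e18) from an account holding no tokens; colbal becomes 1e18 with nothing transferred. The same call on PositionChecked reverts with TransferFailed.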