67 matches found
Upgraded Q -> M from 400 [1666366553858]
Judge has assessed an item in Issue 400 as Medium risk. The relevant finding follows: Use safeTransferFrom instead of transferFrom. transferFrom can be replaced with safeTransferFrom, as it makes sure that the receiver can handle ERC721 tokens and prevents it from being stuck in the contracts. Refer...
ArtGobblers.mintLegendaryGobbler() doesn't delete getApproved[id] for burned tokens.
Lines of code Vulnerability details Impact When a gobbler is burned for a legendary gobbler, both owner and getApproved should be deleted. But getApproved isn't deleted now so users can revive the gobbler again. Proof of Concept Users can set getApproved[id] for the owned NFTs. File:...
_claim function vulnerable to cross-chain-replay attacks
Lines of code Vulnerability details If there's a fork, since anyone can call claim, an attacker can monitor the blockchain for calls to claim, and then make the same call with the same arguments on the other chain. Proof of Concept There are no EIP-712 protections in the encoding: bytes32 leafHas...
Contract TribeRedeemer: function previewRedeem() might be unable to be called forever because of divide by 0
Lines of code Vulnerability details 2022-09-tribe Contract TribeRedeemer: function previewRedeem might be unable to be called forever because of divide by 0 tags: c4, 2022-09-tribe, medium Affected code Impact After redemptions, redeemBase can be 0. Then function previewRedeem always revert when be...
Invalid payout is accepted
Lines of code Vulnerability details Impact In callback function, getMarketInfoForPurchase also returns maxPayout as last argument. This is not compared against outputAmount which means if market asks for higher outputAmount then the contract will simply pay Similar instance Also check the...
the 1st creator can get a little amount or 0 creatorShares
Lines of code Vulnerability details Impact On line 513 the MarkerFees.getFees function if there is more than one creatorRecipients it will loop through them and set their payment after that it will subtract creatorRev - totalRoyaltiesDistributed and set it to the 1st creatorRecipients...
In Community.sol, the interest calculation formula is not correct.
Lines of code Vulnerability details Impact Currently, it calculates interest using the number of days and builders would pay nearly half or less interest than they should. So lenders wouldn't get the interest as expected and it means builders can steal the interest from lenders. Proof of Concept ...
pendingLockAtEpochOf will revert
Lines of code Vulnerability details Impact The line for (uint256 i = locks.length - 1; i + 1 != 0; i--) relies on uint256 underflow and overflow, which would revert in solidity ^0.8.0 Proof of Concept function pendingLockAtEpochOf(uint256 epoch, address user) external view returns (uint256 amount...
Steal user's first deposit
Lines of code Vulnerability details Impact Steal user's first deposit Proof of Concept The attack's flow is as follows: 1. The first depositor wants to deposit X in bathToken.sol. 2. We detect it and frontrun 2 operations: 1. We deposit 1 of the underlying to the system. In exchange we receive ...
At LidoVault.sol, _withdrawFromYieldPool() function, ETH transfer return value is not checked
Lines of code Vulnerability details Impact At _withdrawFromYieldPool ETH transfer return value is not checked as the return statement at line 141 breaks the return value checking. Proof of Concept function _withdrawFromYieldPool(address asset, uint256 amount, address to) internal override returns...
No cap on fee parameters
143 comment Warden: gzeon Consider adding caps to fee parameters to reduce rug risk
Forget to remove account out of _roleMembers[role]
Originally submitted by warden TrungOre in 89, duplicate of 164. Forget to remove account out of _roleMembers[role]
Division by zero
I'm upgrading the following issue from a QA report issue 48 to Medium risk: Division by zero calculateDeviationThresholdBasisPoints was important enough to be in a separate library rather than being just a normal function of another contract so it should be generic enough for other contracts to u...
Cast to uint192 is unsafe
Judge @GalloDaSballo has assessed the 3rd item in QA Report 197 as Medium risk. The relevant finding follows: Cast to uint192 is unsafe, user trying to deposit more than 2^192 would receive less deposits balance. deposits[pid][msg.sender].amount += uint192(amount);
[WP-M11] Wrong implementation of DexManagerFacet.sol#batchRemoveDex() will remove only the first item
Lines of code Vulnerability details function batchRemoveDex(address[] calldata dexs) external { LibDiamond.enforceIsContractOwner(); for (uint256 i; i < dexs.length; i++) { if (s.dexWhitelist[dexs[i]] == false) continue; s.dexWhitelist[dexs[i]] = false; for (uint256 j; j < s.dexs.length; j++) { if (s.dexs[j] == dexs[i]) removeDex(j);...
DDOS - robee
Duplicate of 119
The store method allows you to store the same token twice
This issue has been created to upgrade a QA report submission to a medium severity finding. From 0x1f8b: The store method allows you to store the same token twice in NestedRecords.sol#L130. To do this you must first call store(nftId,tokenA,0,reserve) and then store(nftId,tokenA,100000,reserve) because ...
TimeswapPair.sol#borrow() Improper implementation allows attacker to increase pool.state.z to a large value
Handle WatchPug Vulnerability details In the current implementation, borrow takes a user input value of zIncrease, while the actual collateral asset transferred in is calculated at L319, the state of pool.state.z still increased by the value of the user's input at L332. Even though a large number...
Reserve does not properly apply prices of VADER and USDV tokens
Handle TomFrenchBlockchain Vulnerability details Impact Reserve pays out vastly higher or lower IL protection than it should Proof of Concept Consider the lines 98 and 102 as shown on the link below: Here we multiply the IL experienced by the LP by a price for USDV or VADER as returned by the LBT...
NFTXVaultFactoryUpgradeable implementation can be replaced in production breaking the system
Handle hyh Vulnerability details Impact NFTXVaultFactory contract holds information regarding vaults, assets and permissions (vaults, vaultsForAsset and excludedFromFees mappings). As there are no mechanics present that transfer this information to another implementation, the switch of...