386 matches found
Upgraded Q -> 2 from #83 [1679850012658]
Judge has assessed an item in Issue 83 as 2 risk. The relevant finding follows: L-02 There is no way to disapprove a collateral
Short positions can be burned while holding collateral
Lines of code Vulnerability details Impact Users can permanently lose a portion of their collateral due to a malicious attacker or their own mistake. Vulnerability Details In the ShortToken contract, adjustPosition is used to handle changes to a short position's short or collateral amounts. The...
Exchange._liquidate function can cause liquidator to burn too much powerPerp tokens
Lines of code Vulnerability details Impact When calling the following Exchange.liquidate function, uint256 totalCollateralReturned = shortCollateral.liquidate(positionId, debtRepaying, msg.sender) is executed. function liquidate(uint256 positionId, uint256 debtRepaying) internal uint256...
KangarooVault.removeCollateral updates storage without actually removing collateral, resulting in lost collateral
Lines of code Vulnerability details The admin can call KangarooVault.addCollateral to add additional collateral to a Power Perp position. File: src/KangarooVault.sol 424: function addCollateral(uint256 additionalCollateral) external requiresAuth nonReentrant 425: SUSD.safeApprove(address(EXCHANGE),...
Users can receive less collateral than expected from liquidations
Lines of code Vulnerability details Impact Users might receive very little or no collateral when liquidating extremely unhealthy short positions. Vulnerability Details When users liquidate a short position, they expect to get a reasonable amount of collateral in return. The collateral amount sent...
A POSITION WILL BE FULLY LIQUIDATABLE AS SOON AS IT BECOMES LIQUIDATABLE
Lines of code Vulnerability details Impact A specific position can be liquidated if canLiquidate returns true. However, the function logic of maxLiquidatableDebt is going to make it fully liquidatable even if safetyRatio == 1e18. Proof of Concept Let's assume the following setup: collRatio = 1.5e...
KangarooVault.removeCollateral doesn't remove collateral from the EXCHANGE
Lines of code Vulnerability details Impact The owner of the KangarooVault can't receive collateral from EXCHANGE when he wants to remove collateral from the vault. Proof of Concept KangarooVault.removeCollateral doesn't remove collateral from the EXCHANGE. KangarooVault interacts with EXCHANGE, a...
Price manipulation attack
Lines of code Vulnerability details Impact The PriceFeed.sol was marked OOS but I believe this to be a valid issue. If the Chainlink feed fails, which it does from time to time, the Tellor price feed takes over no matter what the delta is compared to the Chainlink price. This is an issue because t...
First staker staking can lead to unfair profiting
Lines of code Vulnerability details Impact A caller is able to drain all of the fees from the pool if the caller stakes prior to totalLQTYStaked, in the LQTYStaking contract, being greater than 0. When the protocol is first deployed, FLUSD is zero. It is increased when troves are opened. If a...
STRATEGIST still can assign a higher percentage into the withdrawMaxLoss, which may lead to a much higher risk for users to lose the principal sent as a collateral
Lines of code Vulnerability details Impact Within the ReaperVaultV2.updateWithdrawMaxLoss above, the user who has a STRATEGIST role still can assign a higher percentage i.e. 99% = 9999 into the withdrawMaxLoss. This leads to a much higher risk for users to lose the principal sent as a collateral if...
The design defect of the ActivePool rehypothecation mechanism, ReaperVaultV2 administrators have too much authority and have the conditions and motives to do evil, so make users lack trust in the ETHOS system (crisis of trust)
Lines of code Vulnerability details Impact In the design logic of the current system, ActivePool holds all the collaterals of active troves and deposits part of them in ReaperVaultV2 for re-mortgaging. If the deposit and withdraw functions of ReaperVaultV2 revert, Core functions such as borrowing...
Last good price might be not good if both Tellor and Chainlink prices are unreliable
Lines of code Vulnerability details Impact Calling from Pricefeed.sol, fetchPrice returns the last good price seen by the protocol whenever both Chainlink and Tellor fail to be reliable. The protocol features multi-collateral support which eventually accepts assets that are volatile in nature, du...
Depositors might not be able to withdraw from StabilityPool if any collateral's price drops significantly
Lines of code Vulnerability details In the TroveManager contract, the closeTrove function contains a check to ensure there is more than one trove, as shown below. TroveManager.sol L1278-L1282: function closeTrove(address borrower, address collateral, Status closedStatus) internal assert(closedStatus ...
A Malicious Borrower can drain ActivePool
Lines of code Vulnerability details Impact Any Borrower can take any amount of collateral and the pool gets drained; in this case, the system's TCR will go way down the CCR, putting the whole system at risk of a dangerous recovery mode, and may even cause a total crash to the system. Proof of...
StabilizerNode.stabilize may use undistributed rewards in the overflowPool as collateral
Lines of code Vulnerability details Impact In StabilizerNode.stabilize, globalIC.collateralRatio is used to calculate SwingTraderEntryPrice and ActualPriceTarget, with collateralRatio indicating the ratio of the current global collateral to the malt supply. function collateralRatio() public view...
_distributeProfit will use the stale globalIC.swingTraderCollateralDeficit()/swingTraderCollateralRatio(), which will result in incorrect profit distribution
Lines of code Vulnerability details Impact The distributeProfit called by handleProfit will use globalIC.swingTraderCollateralDeficit/swingTraderCollateralRatio when distributing profits, and the latest globalIC.swingTraderCollateralDeficit/swingTraderCollateralRatio needs to be used to ensure th...
Incompatibility of BackingManager with some tokens.
Lines of code Vulnerability details Impact The BackingManager contains a grantRTokenAllowance function which is used to grant token allowances to the RToken contract. function grantRTokenAllowance(IERC20 erc20) external notFrozen require(assetRegistry.isRegistered(erc20), "erc20 unregistered"); // ==...
Fee on transfer tokens will not behave as expected
Lines of code Vulnerability details Impact In Numoen, it does not specifically restrict the type of ERC20 collateral used for borrowing. If fee on transfer tokens is/are entailed, it will specifically make mint revert in Lendgine.sol when checking if balanceAfter balanceBefore + collateral. Proof...
Lendgine contract can be drained through mint() function due to lack of Access Control
Lines of code Vulnerability details Impact Anybody can call the mint function on lendgine.sol and enter any amount of collateral. This allows them to mint any number of tokens to their address for free. Proof of Concept The mint function in lendgine.sol is external with no additional modifiers or...
Upgraded Q -> H from #296 [1674743769839]
Judge has assessed an item in Issue 296 as H risk. The relevant finding follows: Lines of code Vulnerability details A malicious liquidator could cause the NFT auction to fail and steal the collateral after end of auction. Impact Anyone can act as a liquidator and trigger the liquidation of the...