7 matches found
Upgraded Q -> 3 from #460 [1677510923458]
Judge has assessed an item in Issue 460 as 3 risk. The relevant finding follows: Lines of code Vulnerability details Impact The safeTransferFrom function on the ClearingHouse is normally used when an OpenSea auction successfully ends and the required ERC20/WETH have been transferred to the...
LinearDistributor.declareReward can revert due to dependency of balance
Lines of code Vulnerability details Impact LinearDistributor.declareReward will revert and it can cause permanent DOS. Proof of Concept In LinearDistributor.declareReward, if the balance is greater than the bufferRequirement, the rest will be forfeited. if balance bufferRequirement // We have mor...
Reentrancy in safeTransferFrom() in ClearingHouse.sol allows the attacker to withdraw the collateral, while still owning the borrowed assets.
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Calling the function safeTransferFrom and passing in a custom, attacker controlled payment token allows the malicious actor to perform reentrancy. the following function clears the attacker of all debt,...
Anyone can deploy a pair with a potentially malicious token
Lines of code Vulnerability details By allowing anyone to create a pair with any two tokens there is a risk that an unsavory token will get included either as collateral or as an asset. It could range from a bad actor intentionally inserting a malicious token to a well-intentioned team that...
[WP-H7] CollateralToken.sol's COLLATERAL_BURNER_ROLE and COLLATERAL_MINTER_ROLE can rug users
Lines of code Vulnerability details In the current design/implementation, CollateralToken is minted and burned by COLLATERALMINTERROLE and COLLATERALBURNERROLE. Such roles can be granted by the owner of QuantConfig, which is the deployer of the QuantConfig. Once the attacker managed to acquire on...
[WP-H6] Admin of the upgradeable proxy contract of Controller.sol can rug users
Lines of code Vulnerability details Use of Upgradeable Proxy Contract Structure allows the logic of the contract to be arbitrarily changed. This allows the proxy admin to perform malicious actions e.g., taking funds from users' wallets up to the allowance limit. This action can be performed by th...
Ether can be locked in the PoolFactory contract without a way to retrieve it
Handle broccolirob Vulnerability details If a borrower calls the createPool function with a non-zero value, but also includes an ERC20 token address for collateralToken, then the Ether value sent will be locked in the PoolFactory contract forever. createPool L260-317 In the createPool function, a...