Lucene search
K

13 matches found

Code423n4
Code423n4
added 2023/10/25 12:0 a.m.7 views

[ADRIRO-NEW-M-05] Rewarder should not be allowed to apply rewards on CVX tokens

Lines of code Vulnerability details Summary The rewarder role should not be allowed to modify the balance of CVX tokens when applying rewards, otherwise the internal CVX balance tracking could get out of sync with major consequences for the protocol. Impact The introduction of internal CVX balanc...

7AI score
Exploits0
Code423n4
Code423n4
added 2023/07/14 12:0 a.m.10 views

Depositors might lose funds due to the lack of zero share check

Lines of code Vulnerability details Impact Depositors might lose funds due to the lack of checking whether the shares to be minted is equal to zero. When this happens, the assets will be deposited into the vault, but the depositors will receive zero shares. This is independent from the initial...

6.7AI score
Exploits0
Code423n4
Code423n4
added 2023/07/07 12:0 a.m.11 views

Interest is not accrued before parameters are updated in SavingsVest

Lines of code Vulnerability details Impact Stablecoin holders can receive wrongly calculated yield in the SavingsVest contract. Also, wrong vesting profit can be slashed when the protocol is under-collateralized. Proof of Concept The SavingsVest contract lets users deposit their stablecoins and...

6.8AI score
Exploits0
Code423n4
Code423n4
added 2023/01/03 12:0 a.m.13 views

FIRST DEPOSIT CAN BREAK SHARE CALCULATIONS

Lines of code Vulnerability details Impact Future depositors are forced to pay a huge value of assets to deposit. It is not practically possible for all users. This could directly affect the attrition of users towards this system. Proof of Concept A well-known attack vector for almost all...

6.7AI score
Exploits0
Code423n4
Code423n4
added 2023/01/03 12:0 a.m.11 views

JIT(JUST-IN TIME) LIQUIDITY OPPORTUNITIES EXISTS FOR USERS

Lines of code Vulnerability details Impact The MEV opportunity created robs the honest users who deposit before the start of a reward cycle. Leading to loss of rewards for said users. Proof of Concept A user deposits AVAX into tokenggAVAX.sol and in return gets an lp token to represent their...

6.8AI score
Exploits0
Code423n4
Code423n4
added 2022/12/19 12:0 a.m.13 views

Upgraded Q -> M from #334 [1671456734920]

Judge has assessed an item in Issue 334 as M risk. The relevant finding follows: Collateral.withdraw allows the manager to withdraw an arbitrary amount of baseToken from Collateral. The only check is in the ManagerWithdrawHook.hook call, where it checks the withdrawal does not drop the amount of...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2022/05/15 12:0 a.m.9 views

Users Can Game Yield Distributions

Lines of code Vulnerability details Impact processYield restricts who can call this function to just the vault admin. Upon being processed, the treasury receives its fair share of the yield and the rest is transferred to the YieldManager.sol contract. To distribute yield, the manager calls...

6.8AI score
Exploits0
Code423n4
Code423n4
added 2022/04/20 12:0 a.m.7 views

StakedCitadel depositors can be attacked by the first depositor with depressing of vault token denomination

Lines of code Vulnerability details Impact An attacker can become the first depositor for a recently created StakedCitadel contract, providing a tiny amount of Citadel tokens by calling deposit1 raw values here, 1 is 1 wei, 1e18 is 1 Citadel as it has 18 decimals. Then the attacker can directly...

6.6AI score
Exploits0
Code423n4
Code423n4
added 2022/04/13 12:0 a.m.14 views

New YVault depositors can be attacked by depressing share decimals

Lines of code Vulnerability details Impact An attacker can become the first depositor for a recently created YVault contract, providing a tiny amount of token by calling deposit1 raw values here, 1 is 1 wei, 1e18 is 1 token if it is 18 decimals. Then the attacker can directly transfer, for exampl...

6.6AI score
Exploits0
Code423n4
Code423n4
added 2022/02/09 12:0 a.m.15 views

Owner can lock tokens in MasterChef

Lines of code Vulnerability details Impact Owner can remove a depositor. Since only depositors can deposit and withdraw, the owner may add a contract to the whitelist, let users deposit in the contarct and remove the depositor from the whitelist. Depositor's reward cannot be withdrawn then. And...

6.8AI score
Exploits0
Code423n4
Code423n4
added 2022/01/12 12:0 a.m.6 views

Depositors are at mercy of admins to get their funds back

Handle cmichel Vulnerability details When depositors want their funds back and there are not enough funds in the vault or the strategy, the aUST in the BaseStrategy needs to be redeemed. This redemption process is asynchronous due to the nature of EthAnchor and requires an admin to redeem the aUS...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2022/01/11 12:0 a.m.12 views

Both _mint and _safeMint are used to mint NFTs

Handle palina Vulnerability details Impact Both mint and safeMint functions are used to mint ERC721 NFTs in Claimers and Depositors, respectively. The usage of the mint is, however, discouraged by the used ERC721 implementation see PoC section, in favor of its safe counterpart. Proof of Concept...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2021/11/16 12:0 a.m.5 views

Users Can Reset Bond Depositor's Vesting Period

Handle leastwood Vulnerability details Impact The VaderBond.deposit function overwrites a depositors bond info on each call with the updated payout information. If any of the vesting is left unclaimed before a call to deposit is made, the vesting period is reset to terms.vestingTerm, resulting in...

7AI score
Exploits0
Rows per page
Query Builder