Lucene search

21 matches found

OSV
added 2026/03/07 2:39 a.m., 3 views

GHSA-PM4J-7R4Q-CCG8 Soroban: Muxed address<->ScVal conversions may break after a conversion failure

Summary: The Soroban host ensures that MuxedAddress objects can't be used as storage keys, in order to proactively prevent contract logic bugs. However, due to a bug in the Soroban host implementation, a failure in Val-ScVal conversion during storage key computation will have the flag indicating th...

6.3 CVSS, 5.7 AI score
Exploits 0, References 2

Code423n4
added 2023/12/08 12:00 a.m., 8 views

Unwrapping function emits event with incorrect values.

Lines of code. Vulnerability details. Impact: The etherUnwrap function in the smart contract does not correctly emit the EtherUnwrap event. The issue arises when calculating and emitting the fee and transfer amounts. The current implementation deducts the fee, transfers the calculated amount, and...

7 AI score
Exploits 0

Code423n4
added 2023/12/08 12:00 a.m., 6 views

Event Emission

Lines of code. Vulnerability details. Impact: Events such as Swap, Deposit, and Withdraw are emitted with the primitive address as the user parameter, which might not be the actual user (msg.sender) initiating the transaction. Proof of Concept: Provide direct links to all referenced code in GitHub. Add...

7.2 AI score
Exploits 0
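The two findings above (an EtherUnwrap event whose amounts do not match what was transferred, and Swap/Deposit/Withdraw events that record an address other than the initiator) are both about the same thing: the log is the only record most indexers, accounting dashboards and monitoring rules ever see, so it has to carry the values the transaction actually moved. The example below is added here and is not code from either audited project; the contract names, the 0.30 % fee and the function names are assumptions. It puts a vault whose event logs the gross amount next to one whose event logs the caller, the recipient and every value moved.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical wrapped-ether vault written for this example. Contract, event and
// function names are assumed; nothing here is taken from the audited code base.
abstract contract UnwrapperBase {
    mapping(address => uint256) public balanceOf;
    uint256 public constant FEE_BPS = 30;          // 0.30 % fee, assumed for illustration
    address public immutable feeRecipient;

    constructor(address feeRecipient_) { feeRecipient = feeRecipient_; }

    receive() external payable { balanceOf[msg.sender] += msg.value; }

    // Debit the caller and split the amount into the part paid out and the fee kept.
    function _debitAndSplit(uint256 amount) internal returns (uint256 net, uint256 fee) {
        balanceOf[msg.sender] -= amount;           // reverts on underflow (checked math)
        fee = (amount * FEE_BPS) / 10_000;
        net = amount - fee;
        balanceOf[feeRecipient] += fee;
    }
}

contract EtherUnwrapperVulnerable is UnwrapperBase {
    // An indexer reading this log cannot tell that `amount` is the gross figure
    // while `to` received `amount - fee`, nor who actually triggered the unwrap.
    event EtherUnwrap(address indexed to, uint256 amount, uint256 fee);

    constructor(address feeRecipient_) UnwrapperBase(feeRecipient_) {}

    function etherUnwrap(address to, uint256 amount) external {
        (uint256 net, uint256 fee) = _debitAndSplit(amount);
        (bool ok, ) = payable(to).call{value: net}("");
        require(ok, "transfer failed");
        emit EtherUnwrap(to, amount, fee); // BUG: logs the gross amount, transfers the net amount
    }
}

contract EtherUnwrapperFixed is UnwrapperBase {
    // Log the initiator (msg.sender) separately from the recipient, and log the
    // exact values moved, so that amountOut + fee == amountIn always holds.
    event EtherUnwrap(
        address indexed caller,
        address indexed to,
        uint256 amountIn,
        uint256 amountOut,
        uint256 fee
    );

    constructor(address feeRecipient_) UnwrapperBase(feeRecipient_) {}

    function etherUnwrap(address to, uint256 amount) external {
        (uint256 net, uint256 fee) = _debitAndSplit(amount);
        // Emit once the state change is committed; if the send below reverts,
        // the log is reverted with it, so it never records a transfer that did not happen.
        emit EtherUnwrap(msg.sender, to, amount, net, fee);
        (bool ok, ) = payable(to).call{value: net}("");
        require(ok, "transfer failed");
    }
}
```

An off-chain consumer of the fixed event can re-check the invariant `amountOut + fee == amountIn` on every log and alert on any mismatch; with the vulnerable event there is nothing to check against, and per-user balances reconstructed from the logs drift by one fee per unwrap.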

Code423n4
added 2023/10/11 12:00 a.m., 6 views

No check proxy contract is deployed

Lines of code. Vulnerability details: The deployProxyDelegatorIfNeeded function in ERC20MultiDelegate.sol does not verify that a proxy contract has been successfully deployed before emitting an event indicating its creation. Impact: Both createProxyDelegatorAndTransfer and processDelegation function...

6.9 AI score
Exploits 0

Code423n4
added 2023/10/06 12:00 a.m., 11 views

Event not emitted after sensitive action of setting new concentrated and ambient rewards.

Lines of code. Vulnerability details. Impact: 'setConcRewards' and 'setAmbRewards' do not emit an event to signify the new concentrated and ambient rewards to all parties involved. Proof of Concept: A user not aware of the new reward price might suppose they have been swindled upon realizing that...

7.2 AI score
Exploits 0

Code423n4
added 2023/08/28 12:00 a.m., 15 views

Lack of events in EvolvingProteus contract

Lines of code. Vulnerability details. Impact: No event is emitted anywhere in the contract, even after executing sensitive actions like swaps between assets or in the constructor. That is bad because many automatic tools that monitor deployed contracts rely on them. For example, see the swap...

6.8 AI score
Exploits 0

Code423n4
added 2023/08/10 12:00 a.m., 9 views

Critical functions should emit an event when they are called

Lines of code. Vulnerability details. Impact: Some critical functions should emit an event when they are called, because they contain important information and an event should be emitted; some functions in this contest did not emit an event, and this may lead to unwanted behavior in future functions like cla...

6.8 AI score
Exploits 0

Code423n4
added 2023/06/09 12:00 a.m., 9 views

The claim() function has a reentrancy vulnerability

Lines of code. Vulnerability details. Impact: The claim function has a reentrancy vulnerability. In the function, the UtilLib.sendValue function is called before emitting the Claimed event. This violates the "checks-effects-interactions" model, which is a best practice for secure smart contract...

7 AI score
Exploits 0

Code423n4
added 2023/06/09 12:00 a.m., 9 views

EVENT EMITTED WITHOUT ACTION

Lines of code. Vulnerability details. Impact: A malicious validator can remain in the system after exceeding its exit penalty threshold. This poses a risk to users and a possible reputation risk to the protocol. Proof of Concept: In the updateTotalPenaltyAmount... function, when the validators...

6.8 AI score
Exploits 0

Code423n4
added 2023/03/10 12:00 a.m., 4 views

Everything wrong with deposit method

Lines of code. Vulnerability details. Impact: No accounting, wrong data in event emission in the case of fee-on-transfer tokens, and limited use case. Proof of Concept: File: DAO.sol, function deposit(address token, uint256 amount, string calldata reference) external payable override { if (amount == 0) revert...

7 AI score
Exploits 0

Code423n4
added 2022/12/05 12:00 a.m., 7 views

CrossChainRelayerArbitrum.processCalls() can be invoked multiple times.

Lines of code. Vulnerability details. Impact: In the CrossChainRelayerArbitrum contract, once a Call has been relayed using the relayCalls function, processCalls can be invoked multiple times by anyone for the respective Call. Due to this, redundant IInbox.createRetryableTicket calls are triggered and...

6.9 AI score
Exploits 0

Code423n4
added 2022/10/30 12:00 a.m., 3 views

Operator role is handled in a way that can damage the protocol

Lines of code. Vulnerability details: The operator role is handled in a way that can damage the protocol. Impact: The same logic is being deployed several times; for maintainability it is highly recommended not to copy-paste the same logic many times but to inherit it. Also there is an issue in BorrowController with...

6.9 AI score
Exploits 0

Code423n4
added 2022/10/30 12:00 a.m., 10 views

A single point of failure is not acceptable for this project

Lines of code. Vulnerability details. Impact: The pause function on WardenPledge.sol has a single point of failure, and onlyOwner can stop the whole project. The owner is not behind a multisig and changes are not behind a timelock. This information is not in the documents. Even if protocol admins/developers are n...

6.7 AI score
Exploits 0

Code423n4
added 2022/10/25 12:00 a.m., 15 views

LayerZeroModule miscalculates gas, risking loss of assets

Lines of code. Vulnerability details. Description: Holograph gets its cross-chain messaging primitives through LayerZero. To get a pricing estimate, it uses the DstConfig price struct exposed in LZ's RelayerV2. The issue is that the important baseGas and gasPerByte configuration parameters, which are...

6.8 AI score
Exploits 0

Code423n4
added 2022/08/27 12:00 a.m., 10 views

Check the return of .call when sending Ether

Lines of code. Vulnerability details. Impact: It's considered a best practice to always check the return value when sending Ether with .call, since a tx failure is possible due to external factors outside the contract's control. Currently, the contract emits an event with the result...

6.7 AI score
Exploits 0
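The claim() reentrancy finding and the unchecked .call finding above both come from the same shape of code: an ETH send whose outcome is recorded in an event rather than enforced, placed before the state that should have protected it. The example below is added here; it is not code from either audited project, and the contract, event and function names are assumptions. It shows the vulnerable ordering, a recipient contract that re-enters it, and the hardened version that updates state first, emits, then sends and requires success. One caveat a reader should keep in mind: the position of the emit by itself does not open reentrancy, since an event writes no state; what is exploitable is a balance write that lands after the external call.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical reward pool written for this example; names are assumed and do not
// come from the audited code base.
contract RewardClaimVulnerable {
    mapping(address => uint256) public claimable;

    event Claimed(address indexed user, uint256 amount, bool success);

    function fund(address user) external payable { claimable[user] += msg.value; }

    function claim() external {
        uint256 amount = claimable[msg.sender];
        require(amount > 0, "nothing to claim");
        // Interaction before effect: while this call runs, claimable[msg.sender]
        // is still non-zero, so a contract recipient can re-enter claim().
        (bool success, ) = payable(msg.sender).call{value: amount}("");
        claimable[msg.sender] = 0;
        // The send result is only recorded, never enforced: a failed send still
        // zeroes the balance and the user's funds are stuck.
        emit Claimed(msg.sender, amount, success);
    }
}

// Recipient contract that re-enters claim() from its receive() hook.
contract Reenter {
    RewardClaimVulnerable public immutable target;

    constructor(RewardClaimVulnerable target_) { target = target_; }

    receive() external payable {
        // Keep re-entering while the pool can still pay another full claim.
        if (address(target).balance >= target.claimable(address(this))) {
            target.claim();
        }
    }

    function attack() external { target.claim(); }
}

contract RewardClaimFixed {
    mapping(address => uint256) public claimable;
    uint256 private _entered = 1;

    event Claimed(address indexed user, uint256 amount);

    modifier nonReentrant() {
        require(_entered == 1, "reentrant call");
        _entered = 2;
        _;
        _entered = 1;
    }

    function fund(address user) external payable { claimable[user] += msg.value; }

    function claim() external nonReentrant {
        uint256 amount = claimable[msg.sender];          // check
        require(amount > 0, "nothing to claim");
        claimable[msg.sender] = 0;                       // effect, before any external call
        emit Claimed(msg.sender, amount);                // log the committed state
        (bool ok, ) = payable(msg.sender).call{value: amount}(""); // interaction last
        require(ok, "ETH send failed");                  // enforce the result instead of logging it
    }
}
```

Against RewardClaimVulnerable funded for several users, a single Reenter.attack() drains every full `amount` the pool can pay and leaves one Claimed log per nested call. Against RewardClaimFixed the nested call hits the guard and reverts, which also reverts the outer send, so the balance stays intact and no Claimed log is written for a transfer that did not complete.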

Code423n4
added 2022/06/06 12:00 a.m., 9 views

Upgraded Q -> M from 294 [1654474576938]

The judge has assessed an item in Issue 294 as Medium risk. The relevant finding follows: Owner can frontrun exercise to increase fees. A malicious owner account can observe and frontrun calls to exercise and extract 100% of the strike price as a protocol fee. Scenario: A malicious owner observes a ca...

6.9 AI score
Exploits 0

Code423n4
added 2022/05/30 12:00 a.m., 8 views

Missing events/timelock for function updateChannel only functions that change critical parameters

Lines of code. Vulnerability details. Impact: Functions that change critical parameters should emit events and have timelocks. Events allow capturing the changed parameters so interfaces can register changes; with a timelock, this allows users to evaluate them and consider whether they would like to engage or exit...

7 AI score
Exploits 0

Code423n4
added 2022/05/05 12:00 a.m., 10 views

Total loss of funds on owner account compromise

Lines of code. Vulnerability details. Issue: The vault address may be arbitrarily updated by the owner using setVaultAddress. The owner can also call withdrawAll to move all funds to the vault. Consequence: A malicious owner or owner account compromise can siphon the entire contract's funds to an...

6.9 AI score
Exploits 0

Code423n4
added 2021/10/06 12:00 a.m., 5 views

Missing event & timelock for critical onlyAdmin functions

Handle: 0xRajeev. Vulnerability details. Impact: onlyAdmin functions that change critical contract parameters/addresses/state should emit events and consider adding timelocks, so that users and other privileged roles can detect upcoming changes by off-chain monitoring of events and have the time to rea...

7 AI score
Exploits 0

Code423n4
added 2021/06/30 12:00 a.m., 14 views

Missing events for critical parameter changing operations by owner

Handle: 0xRajeev. Vulnerability details. Impact: The owner of the TracerPerpetualSwaps contract, who is potentially untrusted as per the specification, can change market-critical parameters such as the addresses of the Liquidation/Pricing/Insurance/GasOracle/FeeReceiver and also critical values such as...

7 AI score
Exploits 0
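The missing-event and missing-timelock findings above (setConcRewards/setAmbRewards, EvolvingProteus, updateChannel, the onlyAdmin and TracerPerpetualSwaps reports), together with the owner-frontruns-exercise finding, the single-point-of-failure pause finding and the setVaultAddress/withdrawAll finding, all ask for the same control: a privileged parameter change should be announced in an event, take effect only after a delay, and be bounded by a hard cap the role cannot exceed. The example below is added here and is not code from any of the listed projects; the contract, event and function names, the 2-day delay and the 10 % fee cap are assumptions. It goes slightly beyond any single finding by showing propose, execute and cancel as three logged steps plus a caller-side bound.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical fee configuration for an options-style contract, written for this
// example. Contract, event and function names, the 2-day delay and the 10 % cap
// are assumptions, not values from any of the audited projects.
contract FeeConfig {
    uint256 public constant DELAY = 2 days;
    uint256 public constant MAX_FEE_BPS = 1_000;   // hard upper bound the owner cannot exceed

    address public owner;                          // intended to be a multisig, not an EOA
    uint256 public feeBps;
    address public feeReceiver;

    struct Pending {
        uint256 feeBps;
        address feeReceiver;
        uint64 eta;                                // earliest timestamp at which it can be applied
    }
    Pending public pending;

    // Every step of a critical-parameter change is logged so off-chain monitors
    // can alert on the proposal, not just discover the change after the fact.
    event FeeChangeProposed(
        uint256 oldFeeBps, uint256 newFeeBps,
        address oldReceiver, address indexed newReceiver,
        uint64 eta
    );
    event FeeChangeExecuted(uint256 feeBps, address indexed feeReceiver);
    event FeeChangeCancelled(uint256 feeBps, address indexed feeReceiver);
    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(uint256 feeBps_, address feeReceiver_) {
        require(feeBps_ <= MAX_FEE_BPS, "fee cap");
        owner = msg.sender;
        feeBps = feeBps_;
        feeReceiver = feeReceiver_;
        emit OwnershipTransferred(address(0), msg.sender);
    }

    // Step 1: announce. State is unchanged; watchers see the new values and the eta.
    function proposeFeeChange(uint256 newFeeBps, address newReceiver) external onlyOwner {
        require(newFeeBps <= MAX_FEE_BPS, "fee cap");
        require(newReceiver != address(0), "zero receiver");
        uint64 eta = uint64(block.timestamp + DELAY);
        pending = Pending(newFeeBps, newReceiver, eta);
        emit FeeChangeProposed(feeBps, newFeeBps, feeReceiver, newReceiver, eta);
    }

    // Step 2: apply, only after the delay has elapsed. The new fee has been public
    // for DELAY, so it cannot be raised in the same block as a user's exercise.
    function executeFeeChange() external onlyOwner {
        Pending memory p = pending;
        require(p.eta != 0, "nothing pending");
        require(block.timestamp >= p.eta, "timelock active");
        delete pending;
        feeBps = p.feeBps;
        feeReceiver = p.feeReceiver;
        emit FeeChangeExecuted(p.feeBps, p.feeReceiver);
    }

    function cancelFeeChange() external onlyOwner {
        Pending memory p = pending;
        require(p.eta != 0, "nothing pending");
        delete pending;
        emit FeeChangeCancelled(p.feeBps, p.feeReceiver);
    }

    function transferOwnership(address newOwner) external onlyOwner {
        require(newOwner != address(0), "zero owner");
        emit OwnershipTransferred(owner, newOwner);
        owner = newOwner;
    }

    // User side: the caller states the worst fee it accepts, so a change that
    // slipped through anyway makes the call revert instead of overcharging.
    function quoteFee(uint256 strike, uint256 maxFeeBps) external view returns (uint256) {
        require(feeBps <= maxFeeBps, "fee changed");
        return (strike * feeBps) / 10_000;
    }
}
```

The three pieces address the three findings separately: the events give off-chain monitors something to subscribe to (the indexed receiver lets a watcher filter on a suspicious destination), the DELAY removes the same-block frontrun because the new fee is visible for two days before it can apply, and MAX_FEE_BPS bounds the damage even if the owner key is compromised. Putting the owner behind a multisig is an operational step this code cannot enforce, but the OwnershipTransferred event at least makes a key rotation visible.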