572 matches found
Unbounded fee
Handle gzeon Vulnerability details Impact There is no check on the value of fee in OverlayV1Mothership.sol despite MINFEE and MAXFEE has been defined in L10. This issue is considered to be higher risk than the other because this enable the possibility for governance to "rug" users' fund by settin...
OverlayV1Mothership.sol Incomplete implementation
Handle WatchPug Vulnerability details Based on the context, FEE and MARGINMAINTENANCE rates should be bounded. However, the current implementation does not enforce these bounds. uint16 public constant MINFEE = 1; // 0.01% uint16 public constant MAXFEE = 100; // 1.00% uint16 public constant...
Improper Upper Bound Definition on the Fee
Handle defsec Vulnerability details Impact In the adjustGlobalParams function on line 1603of "", adjustGlobalParams function does not have any upper or lower bounds. Values that are too large will lead to reversions in several critical functions. Proof of Concept The setFee function that begins o...
Unbounded feeBurnRate and marginBurnRate
Handle gzeon Vulnerability details Impact There are no checks when setting feeBurnRate and marginBurnRate in OverlayV1Mothership constructor and adjustGlobalParams, if one of the 2 variable is set to any value FixedPoint.ONE i.e. 1e18 it would lead to underflow at OverlayV1OVLCollateral:L147 and...
Fee boundaries are not validated
Handle pauliax Vulnerability details Impact OverlayV1Mothership has declared variables named MINFEE and MAXFEE, or MINMARGINMAINTENANCE and MAXMARGINMAINTENANCE, however, none of these variables are used anywhere, e.g. I expected to see a fee validated with these min/max boundaries, but now...
Fee double counting for underwater positions
Handle hyh Vulnerability details Impact Actual available fees are less than recorded. That's because a part of them corresponds to underwater positions, and will not have the correct amount stored with the contract: when calculation happens the fee is recorded first, then there is a check for...
NestedFactory.sol#_submitInOrders() Wrong implementation cause users to be overcharged
Handle WatchPug Vulnerability details When executing orders, the actual amountSpent + feesAmount can be lower than inputTokenAmount, the unspent amount should be returned to the user. However, in the current implementation, the unspent amount will be taken as part of the fee. function...
XVader.sol : loss of user funds during 'leave' function
Handle shri4net Vulnerability details Impact Unintended Fee is charged to user while using 'leave' function in XVader.sol as part of the voting/governance. Proof of Concept Ref contracts/x-vader/XVader.sol, function leave Ref contracts/tokens/Vader.sol, function transfer Example, User locks 100...
Inconsistent balance when supplying transfer-on-fee or deflationary tokens
Handle Reigada Vulnerability details Impact In the contract StakingRewards, the stake function assume that the amount of stakingToken is transferred to the smart contract after calling the safeTransferFrom function and thus it updates the balances mapping. However, this may not be true if the...
Wrong assumption when updating token balance
Handle rfa Vulnerability details Impact When there is a movement of token in the swap and addliquidity function, the balances reserve , is updated based on the difference between the before and after the user transfer the token, however if there is a user that accidently send a token to this...
Trades where toToken is feeOnTransferToken might send user less tokens than finalAmountMin
Handle kenzo Vulnerability details Slingshot's executeTrades checks that the trade result amount to be sent to the user is bigger than finalAmountMin, and after that sends the user the amount. But if the token charges fee on transfer, the final transfer to the user will decrease the amount the us...
Fee on transfer tokens do not work within the protocol
Handle tensors Vulnerability details Fee on transfer tokens transfer less tokens in than what would be expect. This means that the protocol request incorrect amounts when dealing with these tokens. The protocol should use stored token balances instead of transfer for calculating amounts. --- The...
fee possibly send in the wrong way in exitVaultFillingVaultInitiate
Handle gpersoon Vulnerability details Impact The functions exitZcTokenFillingZcTokenInitiate and exitVaultFillingVaultInitiate are kind of similar, however the processing of the fee is different. exitZcTokenFillingZcTokenInitiate send the fee from o.maker exitVaultFillingVaultInitiate sends the f...
Swivel: implementation for initiateZcTokenFillingZcTokenExit is incorrect
Handle itsmeSTYJ Vulnerability details Impact In initiateZcTokenFillingZcTokenExit , this comment // transfer underlying tokens - the premium paid + fee in underlying to swivel from sender is incorrect because you are actually transferring the underlying tokens - premium paid to the maker from...
User can get more/less interest than required
Handle csanuragjain Vulnerability details Impact It seems that owner must not get interest for transfer fee which is collected using transferNotionalFee No interest is calculated on owner side before reducing the owner notional amount But this can simply be bypassed if owner adds new notional whi...
ConstantProductPool & HybridPool: Adding and removing unbalanced liquidity yields slightly more tokens than swap
Handle GreyArt Vulnerability details Impact A mint fee is applied whenever unbalanced liquidity is added, because it is akin to swapping the excess token amount for the other token. However, the current implementation distributes the minted fee to the minter as well when he should be excluded. It...
HybridPool's flashSwap sends entire fee to barFeeTo
Handle cmichel Vulnerability details The HybridPool.flashSwap function sends the entire trade fees fee to the barFeeTo. It should only send barFee fee to the barFeeTo address. Impact LPs are not getting paid at all when this function is used. There is no incentive to provide liquidity. Recommende...
hybrid pool uses wrong non_optimal_mint_fee
Handle broccoli Vulnerability details Impact When an lp provider deposits an imbalance amount of token, a swap fee is applied. HybridPool uses the same nonOptimalMintFee as constantProductPool; however, since two pools use different AMM curve, the ideal balance is not the same. ref:...
HybridPool's flashSwap gives the total fee to barFeeTo
Handle 0xsanson Vulnerability details Impact In HybridPool's flashSwap function there's a transfer to barFeeTo transfertokenIn, fee, barFeeTo, false; Here fee = amountIn swapFee / MAXFEE is the total swap fee. However it should transfer out only a fraction of it barFee/MAXFEE otherwise liquidity...
Fee calculation is potentially incorrect
Handle itsmeSTYJ Vulnerability details Impact More fees are actually charged than intended Mitigation Steps Basket.sol line 118 Assume that license fee is 10% i.e. 1e17 and time diff = half a year. When you calculate feePct, you expect to get 5e16 since that's 5% and the actual amount of fee to b...