15 matches found
PositionManager's moveLiquidity can freeze funds by removing destination index even when the move was partial
Lines of code Vulnerability details positionIndex.removeparams.fromIndexremoves the PositionManager entry even when it is only partial removal as a result of IPoolparams.pool.moveQuoteToken... call. I.e. it is correct to do fromPosition.lps -= vars.lpbAmountFrom, but the resulting amount might no...
Frontrunning deployCounterFactualWallet
Lines of code Vulnerability details entryPoint and handler are not included in the salt, so a front-running attack could be possible for the same owner and index same counterfactual address with malicious entryPoint and handler DoS/freeze funds only entryPoint can be updated, not handler. Add to...
Excessive owner privilege - can freeze pledge creator's funds after pledging period completed.
Lines of code Vulnerability details Description The retrievePledgeRewards function is used by pledge creator, only after pledge endTimestamp has passed. It will collect for the creator all unused reward tokens. Since it can only operate after endTimestamp, the pledge has for all intents and...
A malicious user could stuck crowdfund ETH
Lines of code Vulnerability details Impact A user could freeze funds accumulated in a crowdfund and execute a "fake sale" that would be the approval of the token. Proof of Concept A group of users create a crowdfund, they raise money to buy the most good looking Bored Ape. An attacker would buy i...
Malicious user can indefinitely freeze the funds of another user
Lines of code Vulnerability details Impact By design, a user's cooldown period is extended if they receive a transfer of hPal. The cooldown is extended based on the weight of the receiver's original balance and cooldown period compared to the sent amount and sender's cooldown period. Due to this...
[WP-H14] LiquidityProviders.sol The share price of the LP can be manipulated and making future liquidityProviders unable to removeLiquidity()
Lines of code Vulnerability details function removeLiquidityuint256 nftId, uint256 amount external nonReentrant onlyValidLpTokennftId, msgSender whenNotPaused address tokenAddress, uint256 nftSuppliedLiquidity, uint256 totalNFTShares = lpToken.tokenMetadatanftId;...
[WP-H3] S2S Transfer from the origin schain to another schain with automatic deploy disabled can cause funds to be frozen
Lines of code Vulnerability details When moving tokens that are native on the origin schain, to another schain, TokenManagerERC20.soltransferToSchainERC20 will be called, which calls exit - receiveERC20: if isMainChainToken data = receiveERC20 chainHash, addresscontractOnSchain, msg.sender, amoun...
updateYieldStrategy will freeze some funds with the old Strategy if yieldStrategy fails to withdraw all the funds because of liquidity issues
Handle hyh Vulnerability details Impact Part of the funds held with the strategy can be frozen if the current strategy has tight liquidity when updateYieldStrategy is run as this function makes an attempt to withdraw all the funds and then unconditionally removes the strategy. The Sherlock to...
[WP-H12] forceUnsponsor() may open a window for attackers to manipulate the _totalShares and freeze users' funds at a certain deposit amount
Handle WatchPug Vulnerability details if force && sponsorAmount totalUnderlying sponsorToTransfer = totalUnderlying; else if !force require sponsorToTransfer totalUnderlying, the contract will transfer totalUnderlying to sponsorToTransfer, even if there are other depositors and totalShares 0. Aft...
[WP-H10] A malicious early user/attacker can manipulate the pps to freeze users' funds at a certain deposit amount
Handle WatchPug Vulnerability details uint256 tokenId = depositors.mint msgSender, amount, claimerId, lockedUntil ; function safeMint address to, uint256 tokenId, bytes memory data internal virtual mintto, tokenId; require checkOnERC721Receivedaddress0, to, tokenId, data, "ERC721: transfer to non...
Malicious early user/attacker can malfunction the contract and even freeze users' funds in edge cases
Handle WatchPug Vulnerability details pointsPerUnit += newXDEFI pointsMultiplier / totalUnitsCached; In the current implementation, pointsPerUnit can be changed in updateDistribution which can be called by anyone. A malicious early user can lock with only 1 wei of XDEFI and makes pointsPerUnit to...
createPromotion() Lack of input validation for _epochDuration can potentially freeze promotion creator's funds
Handle WatchPug Vulnerability details function createPromotion address ticket, IERC20 token, uint216 tokensPerEpoch, uint32 startTimestamp, uint32 epochDuration, uint8 numberOfEpochs external override returns uint256 requireTicketticket; uint256 nextPromotionId = latestPromotionId + 1;...
Publisher can scam users by changing license fees and using auction to freeze user funds
Handle 0x0x0x Vulnerability details Publisher can call changeLicenseFee to change fees. There is no maximum cap for this parameter. At first glance, because there is a timelock period of 1 day, the users have enough time to react. But if the publisher can start an auction and bondForRebalance. Th...
Unbounded for loops allows an attacker to freeze users' funds
Handle WatchPug Vulnerability details function claim external whenNotPaused nonReentrant requirebenRevocablemsg.sender1 == false, 'Account must not already be revoked.'; uint256 amount = claimableAmountmsg.sender.subbenClaimedmsg.sender; requireamount 0, "Claimable amount must be positive";...
Basket.sol#auctionBurn() A failed auction will freeze part of the funds
Handle WatchPug Vulnerability details Given the auctionBurn function will burn the auction bond without updating the ibRatio. Once the bond of a failed auction is burned, the proportional underlying tokens won't be able to be withdrawn, in other words, being frozen in the contract. Proof of Conce...