55 matches found
stakers can withraw reward without waiting the vesting period
Lines of code Vulnerability details Impact stakers can frontrun a reward giving transaction by monitoring the mempool for the function transferInRewards, and stake before it, and then unstake after to get rewards, if the cooldown is off. Proof of Concept imagine a scenario where the cooldown peri...
LiquidityPool inflation attack
Lines of code Vulnerability details Bug Description The LiquidityPool uses an algorithm that converts prices to shares through a linear relationship. For instance, if there are 10,000 assets and 100 shares, then holding 100 assets should yield 1 share. However, a situation arises when investor...
DOS the system by frontrunning the initialize function
Lines of code Vulnerability details Impact LivepeerGovernor and Treasury are vulnerable to DOS. Proof of Concept The initialize function present in these two contracts is not called just after their construction. Which is confirmed in the contract LivepeerGovernorUpgradeMock.sol while initializin...
Swaps affect LP token mint/burn during liquidity addition/removal
Lines of code Vulnerability details Impact The LP token removal/addition forces a recalculation of the bonding curve, and the utility of the curve. The utility curve in proteus looks like the graph below, where the point A represents a certain composition of the pool. If we try to remove add/remo...
FlywheelAcummulatedRewards/FlywheelBribeRewards gains are instantaneous and can be frontrun
Lines of code Vulnerability details Impact FlywheelAcummulatedRewards/FlywheelBribeRewards gains are instantaneous and can be frontrun. The user only needs to frontrun the delegate before each incentive is distributed to get the incentive, and there is no way to prevent the user from undelegating...
GnosisTrade contract can be frontrunned in order to make it report violation and block broker
Lines of code Vulnerability details Impact GnosisTrade contract can be frontrunned in order to make it report violation and block broker. This will stop broker from creating another traders. Proof of Concept When BackingManager is rebalancing, then it can open trade, which can be gnosis trade...
Attacker can revert execution by frontrunning "createAction"
Lines of code Vulnerability details Impact Malicious user can frontrun "createAction" to make action execution revert due to the "assertNoActionCreationsAtCurrentTimestamp" check Proof of Concept function assertNoActionCreationsAtCurrentTimestamp internal view if llamaExecutor == address0 return;...
Attacker can frontrun user bid with wrong lotId and create the lot with that lotId, forcing the user to take a big loss
Lines of code Vulnerability details Impact User takes a huge loss by getting 1 SD token, but bidding an amount possibly much bigger. Attackers are incetivized to perform this if they are ETHx holders and want to increase the value of their tokens. Proof of Concept When a user adds a bid to the...
Challenges can be frontrun with de-leveraging to cause lossses for challengers
Lines of code Vulnerability details Impact Challenges, once created, cannot be closed. Thus once a challenge is created, the challenger has already transferred in a collateral amount and is thus open for losing their collateral to a bidding war which will most likely close below market price, sin...
No sanity check on drawCoolDownPeriod can lead to frontrun attacks on jackpot prize
Lines of code Vulnerability details Impact During the construction of the LotterySetup, there is no sanity check on drawCoolDownPeriod. If its set to zero, then there will be no cool down period, players can buy the lottery tickets at any time until the draw. Once lottery setup is complete with...
Ticket: Owner of winning ticket can frontrun secondary sales
Lines of code Vulnerability details The Wenwin docs note that tickets "can be traded on the secondary market before or after the draw," since they are standard ERC721 tokens. After a ticket draw, the owner of a winning ticket may call LotteryclaimWinningTickets, which transfers lottery winnings t...
Malicious user can frontrun the selling or transferring of a ticket to claim the rewards
Lines of code Vulnerability details A bad actor can trick a user into buying an unclaimed ticket and frontrun the selling or transfer of the NFT to claim the rewards associated with the ticket before the original transaction. Impact Given the described scenario, a bad actor can frontrun the...
Anyone can call the DripsHub.split function to frontrun the DripsHub.setSplits function call of the trusted user who owns the splittable funds
Lines of code Vulnerability details Impact As mentioned by the following DripsHub.split function's comment, the user, who owns the splittable funds, needs to be trusted by the receivers for such splittable funds. Yet, when this trusted user wants to call the DripsHub.setSplits function below to...
ERC4626Cloned deposit and mint logic differ on first deposit
Lines of code Vulnerability details The ERC4626Cloned contract is an implementation of the ERC4626 used for vaults. The standard contains a deposit function to deposit a specific amount of the underlying asset, and a mint function that will calculate the amount needed of the underlying token to...
Uniswap V3 swaps are vulnerable to a sandwich attack
Lines of code Vulnerability details Impact As the amountOutMinimum is always hardcoded with 1 in the AutoPxGmx, then the Uniswap V3 swap is vulnerable to a frontrun / sandwich attack. Proof of Concept Even though the amountOutMinimum may never be 0 because it is prevented against it: if...
SimpleERC20Escrow's initialize() can be frontrun
Lines of code Vulnerability details Impact The user's collateral is not held in the market contract but is instead held in individual escrows. Every user has a unique escrow for every market. And the escrow contracts are created via the Market contract's createEscrow function. And it's initialize...
Frontrunning the initialize function can drain the LP initial deposit
Lines of code Vulnerability details Impact An attacker can frontrun the initialize function in AlgebraPool.sol to set an unexpected price and can cause loss of funds for the initial LP deposit. Proof of Concept function initializeuint160 initialPrice external override requireglobalState.price == ...
Multiple Withdrawal Attack Vector in TRSRY.sol
Lines of code Vulnerability details Impact Multiple Withdrawal Attack Vector in TRSRY.sol Proof of Concept The TRSRY.sol has setApprovalFor method to set approval for specific withdrawer addresses. The function is as below; function setApprovalFor address withdrawer, ERC20 token, uint256 amount...
A delegatee can frontrun the delegator's call to increaseUnlockTime to prevent the delegator to withdraw or quitlock
Lines of code Vulnerability details Impact Charlie and Alice both create a lock, with Alice's lock being longer than Charlie's. Charlie then delegates to Alice. At this point, if Charlie wants to unlock his tokens he can call withdraw or quitLock, but not with a delegation in place see 1, 2, so h...
Griefing on claim()
Lines of code Vulnerability details Issue: griefing can happen if coolDownPeriod 0 due to the fact that you can stake for someone else. Whenever a stake happens, the expiry variable increases with coolDownPeriod. This can be done either by watching the mempool and frontrun a stake when someone...