8 matches found
LiquidityPool inflation attack
Lines of code Vulnerability details Bug Description The LiquidityPool uses an algorithm that converts prices to shares through a linear relationship. For instance, if there are 10,000 assets and 100 shares, then holding 100 assets should yield 1 share. However, a situation arises when investor...
Frontrunning the initialize function can drain the LP initial deposit
Lines of code Vulnerability details Impact An attacker can frontrun the initialize function in AlgebraPool.sol to set an unexpected price and can cause loss of funds for the initial LP deposit. Proof of Concept function initializeuint160 initialPrice external override requireglobalState.price == ...
Frontrun attack to steal first depositor money
Lines of code Vulnerability details Impact Frontrun attack to steal first depositor money Proof of Concept The flow is as following: 1. The first depositor wants to deposit X. 2. We detect it and frontrun 2 operations: 1. We deposit 1 of the underlying to the system. In exchange we receive 1 shar...
Possible frontrun on deposits on LiquidityPool
Lines of code Vulnerability details Impact Rewards are given to a user for depositing either ERC20 tokens or their native token into the LiquidityPool. This reward is used to incentivize users to deposit funds into the liquidity pool when the pool is not in an equilibrium state. For regular users...
Wrapped JLP can be stolen
Handle cmichel Vulnerability details The WJLP.wrap function accepts a from parameter and a to parameter. The tokens are transferred from the from account to the to account: function wrapuint amount, address from, address to, address rewardOwner external override // @audit can frontrun and steal =...
LockeERC20.sol: Frontrun attack on approve()
Handle itsmeSTYJ Vulnerability details Impact It is possible to frontrun the standard ERC20 token approve function. Proof of Concept Read this for more info. Recommended Mitigation Steps Either require that allowance is 0 before approve can be called or use increase / decrease allowance e.g...
LockeERC20 is vulnerable to frontrun attack
Handle egjlmn1 Vulnerability details Impact a user can steal another user's tokens if he frontrun before he changes the allowance. The approve function receives an amount to change to. Lets say user A approved user B to take N tokens, and now he wants to change from N to M, if he calls approveM t...
User deposits can be turned into sponsors and then be stolen
Handle cmichel Vulnerability details Vulnerability Details When a user deposits to the treasury they first approve the contract and then call its deposit action which performs an ERC20.transferFrom. It's possible for an attacker to frontrun the final deposit transaction after the user approval an...