14 matches found
In the event of a fall in the price of USDY, the withdrawal of funds for the user may be blocked
Lines of code Vulnerability details Impact There is a wrap function called by users to wrap their USDY tokens . In the future, to withdraw tokens, the user calls the unwrap function . However, in the unwrap function, the user can have more funds in case the price of USDY falls. Based on the case...
Reentrancy vulnerability in Singularity.execute
Lines of code Vulnerability details Impact This vulnerability could allow an attacker to withdraw funds from the Singularity contract. This could result in a loss of funds for the user. Proof of Concept The Singularity.execute function has external calls inside a loop. This could potentially lead...
Reentrancy vulnerability in BigBang.execute
Lines of code Vulnerability details Impact This vulnerability could allow an attacker to withdraw funds from the BigBang contract. This could result in a loss of funds for the user. Proof of Concept The BigBang.execute function has external calls inside a loop. This could potentially lead to...
Priority queue min accounting breaks when nodes are split in two
Lines of code Vulnerability details The README states If two users place bids at the same price but with different quantities, the queue will pull from the bid with a higher quantity first, but the data-structure used for implementing this logic, is not used properly and essentially has its data...
No withdraw mechanism for eth sent to GraphProxy contract
Lines of code Vulnerability details Impact The GraphProxy contract implements receive and fallback functions to receive funds. However, there is no method associated with a user to withdraw his funds which might be sent accidentally to the proxy contract, thus leading to most of the eth locked in...
The user Can't swap their frxETH to ETH
Lines of code Vulnerability details Impact I’m so confused I didn't find any logic to withdrawing my funds ETH by transferring my frxETH Recommended Mitigation Steps Create logic for withdrawals swap --- The text was updated successfully, but these errors were encountered: All reactions...
Time rounding can cause users to not be able to withdraw all the funds they are eligible for
Lines of code Vulnerability details Impact The time that has passed from the start of the vest is rounded down to the closest multiplication of claim.releaseIntervalSecs. The user can claim the funds for an interval only at the end of it. That means that users can't withdraw the funds for a part ...
DDOS to withdraw funds
Lines of code Vulnerability details Impact DDOS to approval / withdraw mechanism Proof of Concept If someone who's not a policy is given the approval to withdraw funds by the custodian with the grantApproval function anyone can revoke his approval and prevent him from withdrawing funds from the...
Functions that send Ether to arbitrary destinations
Lines of code Vulnerability details M-1. Functions that send Ether to arbitrary destinations Description Unprotected call to a function that allow a user to refund to another address. Mitigation Ensure that an arbitrary user cannot withdraw unauthorized funds...
Buyout griefing can block almost all functionalities
Lines of code Vulnerability details Impact Everyone can start a Buyout for a vault by paying only 1 wei. For the next 4 days no other Buyout can start. If someone is fast enough, they can start another griefing buyout as soon as one finishes, meaning that it's possible to block the functionality ...
Timelock able to be bypassed because of wrong check in LibDiamond
Lines of code Vulnerability details Impact In the walkthrough video, it said that the upgrades of Diamond must go through a proposal window with a delay of 7 days. Upgrade should be done by first call proposeDiamondCut and then wait 7 days and call diamondCut. But this timelock can be bypassed...
The name of the function to setup a vesting in the interface IVesting.sol doesn’t match with the name of the function to setup a vesting in StakeCitadelVester.sol.
Lines of code Vulnerability details Impact Users will not be able to withdraw their funds . Proof of Concept When a user wants to withdraw his tokens from StakedCitadel.sol, vesting is supposed to be set and tokens are sent to the vesting contract where they are vested linearly for 21 days. This ...
Owner has a rugpull function
Handle tensors Vulnerability details Impact The owner of the contract has a rugpull function. This can be unsafe if the private key for the owner account falls into the wrong hands, allowing instant withdrawal of all the funds. In general, having a single point of failure like this is not...
PoolBase enables an easy withdrawal of funds
Handle walker Vulnerability details PoolBase enables an easy withdrawal of all funds severity: critical type: memory safety Description A memory safety bug in the pool base allows participants to trick the system into believing they're interacting with a pool's token. While in reality, they're...