6 matches found
Bad debt bidders’ funds are locked forever when Shortfall address is changed during ongoing debt auction
Lines of code Vulnerability details Vulnerability Details When the protocol accrues bad debt, it can be auctioned off to anyone who is willing to pay. Each user wanting to participate in the auction has to lock their bid in Shortfall contract: function placeBidaddress comptroller, uint256 bidBps...
Division by zero error causes KangarooVault to be DoS with funds locked inside
Lines of code Vulnerability details KangarooVault can be DoS with funds locked in the contract due to a division by zero error in getTokenPrice as it does not handle the scenario where getTotalSupply is zero. Impact Funds will be locked within the KangarooVault as shown in the PoC below and it is...
Admin should be able to refund or redeem the sanctioned users
Lines of code Vulnerability details Impact Sanctioned user's funds are locked Proof of Concept It is understood that the sanctioned users can not mint nor redeem because the functions requestMint and requestRedemption are protected by the modifier checkKYC. And it is also understood that the...
Operator may be removed without checking whether are there fund locked in that operator.
Lines of code Vulnerability details Impact Operator may be removed without checking whether are there fund locked in that operator. Locked fund may not be able to withdraw unless operator is being added back. Proof of Concept /// @inheritdoc INestedFactory function removeOperatorbytes32 operator...
AuraClaimZap may transfer CVX tokens to itself which become locked in the contract
Lines of code Vulnerability details Impact During AuraClaimZap.claimExtras if the option LockCvx is set to false then the contract will transfer CVX tokens from the msg.sender to this contract without forwarding them on to the user. There is no way to retrieve these funds from the protocol and...
Owner of the PoolAddressesProviderRegistry Contract Can Update the Pool Address and Effectively Lock Deposited Funds by Preventing All Withdrawals
Lines of code Vulnerability details Impact The owner of the PoolAddressesProviderRegistry contract is able to register and unregister providers as they see fit. Because AaveV3YieldSource.sol dynamically queries the Aave pool through this contract, it is possible for the owner of this Aave contrac...