9 matches found
Compound charges are sent to GeVault, making them potentially vulnerable to theft
Lines of code Vulnerability details Impact In the previous version, the compound fee would be saved in the TokenisableRange before being deposited into LP, and would be deposited into LP after reaching 1%. After reconstruction, the fees are sent directly to GeVault for distribution through getTVL...
GeVault LP calculations do not use scaling and are vulnerable to deposit attacks
Lines of code Vulnerability details Impact Currently, getTVL counts all token balances in GeVault, and attackers can manipulate getTVL to implement deposit attacks. Secondly, since the calculation of LP does not use scaling, because there is a precision error in the division, the cost for the...
UniswapV3 trading fees are always locked in treasury instead of going back to the protocol users through GeVault
Lines of code Vulnerability details TokenisableRange was redesigned to redirect collected fees to a pre-defined GeVault, where the protocol stakers can benefit from the added value. However, the use of an incorrect variable makes this distribution of the fees impossible to happen, and the fees wi...
Wrong tick selected by GeVault.getActiveTickIndex()
Lines of code Vulnerability details During mitigation of M-03, the function getActiveTickIndex has been completely rewritten. The new logic uses the following statement to identify the active ticker that represents the Uniswap V3 liquidity pool actively traded: if baseTokenIsToken0 && amt0 == 0 |...
New from fees rework: fees can still be stolen with a flash-loan on GeVault
Lines of code Vulnerability details The TokenisableRange fees have been reworked to be sent to the corresponding GeVault instance This fixed the problems with fee accounting in TokenisableRange but created a new, similar one in GeVault, where the deposit function does not count the fees in the...
GeVault cannot deposit ETH
Lines of code Vulnerability details Impact The GeVault contract has two instances where the require statement for token validation can cause reverts. In the first instance, the contract allows only token0 and token1 addresses for withdrawal, making it impossible to withdraw ETH. In the second...
Inflation attacks with virtual shares and assets on GeVault
Lines of code Vulnerability details Impact An inflation attacks can be done on the first deposit into the GeVault contract. Making the first real depositor losing his deposit. Proof of Concept Inflation attack steps : First, Alice the attacker need to craft a deposit that put valueX8 = 1 = Thus...
Deposit will always revert when depositing ETH if one of the GeVault tokens is not WETH
Lines of code Vulnerability details Impact When a user deposits funds, the deposit function requires an argument namely, the address of the token with which to fund the transaction. If the GeVault has two tokens of for example: USDC/DAI. Line 251 expects the function argument to be the address of...
GeVault#poolMatchesOracle is extemely easy to manipulate due to how it calculates underlying token balances
Lines of code Vulnerability details Impact GeVaultpoolMatchesOracle uses the UniV3Pool.slot0 to determine the number of tokens it has in it's position. slot0 is the most recent data point and is therefore extremely easy to manipulate. Given that the protocol specializes in leverage, the effects o...