6 matches found
Upgraded Q -> 2 from #28 [1686212158430]
Judge has assessed an item in Issue 28 as 2 risk. The relevant finding follows: L-9 Griefer can DoS lender NFT withdrawals --- The text was updated successfully, but these errors were encountered: All reactions...
Updating a pool's total points doesn't affect existing stake positions for rewards calculation
Lines of code Vulnerability details Impact Staking rewards are calculated based on the user's share of total points in the corresponding asset pool, this is the sum of the points associated to the staker's positions divided by the total points from all positions in the pool. We can see this...
Pair creation can be denied
Handle cmichel Vulnerability details The LaunchEvent.createPair requires that no previous pool was created for the WAVAX token pair. function createPair external isStoppedfalse atPhasePhase.PhaseThree address wavaxAddress, address tokenAddress = addressWAVAX, addresstoken ; // @audit grief: anyon...
Launch event creation can be denied 2
Handle cmichel Vulnerability details The RocketJoeFactory.createRJLaunchEvent requires that no previous pool was created for the WAVAX token pair. function createRJLaunchEvent address issuer, uint256 phaseOneStartTime, address token, uint256 tokenAmount, uint256 tokenIncentivesPercent, uint256...
Marketplace Zap mints can be denied
Handle cmichel Vulnerability details The NFTXMarketPlaceZap.mint721 function verifies if the contract indeed received the expected amount of vault tokens of balance = count BASE - count INFTXVaultvault.mintFee by checking: function mint721 uint256 vaultId, uint256 memory ids internal returns...
Vests can be denied
Handle cmichel Vulnerability details The LinearVesting.vestFor function which is called by Converter reverts if there already exists a vest for the user: require vestuser.amount == 0, "LinearVesting::selfVest: Already a vester" ; There's an attack where a griefer frontruns the vestFor call and...