Lucene search
K

19 matches found

Code423n4
Code423n4
added 2022/01/13 12:0 a.m.13 views

[WP-M35] PoolTemplate#applyCover Unbounded for loops allows an attacker to malfunction applyCover(), making it impossible to change the marketStatus of the Pool to Payingout status

Handle WatchPug Vulnerability details function applyCover uint256 pending, uint256 payoutNumerator, uint256 payoutDenominator, uint256 incidentTimestamp, bytes32 merkleRoot, string calldata rawdata, string calldata memo external override onlyOwner requirepaused == false, "ERROR: UNABLETOAPPLY";...

6.8AI score
Exploits0
Code423n4
Code423n4
added 2021/09/29 12:0 a.m.11 views

IndexPool.sol#_pow() Wrong implementation

Handle WatchPug Vulnerability details function powuint256 a, uint256 n internal pure returns uint256 output output = n % 2 != 0 ? a : BASE; for n /= 2; n != 0; n /= 2 a = a a; if n % 2 != 0 output = output a; 1. a a without div by BASE will accumulate decimals unexpectedly and leads to overflow...

7.1AI score
Exploits0
Code423n4
Code423n4
added 2021/09/29 12:0 a.m.12 views

Incorrect multiplication in _computeSingleOutGivenPoolIn of IndexPool

Handle broccoli Vulnerability details Impact The computeSingleOutGivenPoolIn function of IndexPool uses the raw multiplication i.e., to calculate the zaz variable. However, since both BASE - normalizedWeight and swapFee are in WAD, the mul function should be used instead to calculate the correct...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2021/09/29 12:0 a.m.4 views

Incorrect usage of _pow in _computeSingleOutGivenPoolIn of IndexPool

Handle broccoli Vulnerability details Impact The computeSingleOutGivenPoolIn function of IndexPool uses the pow function to calculate tokenOutRatio with the exponent in WAD i.e., in 18 decimals of precision. However, the pow function assumes that the given exponent n is not in WAD. for example,...

7.1AI score
Exploits0
Code423n4
Code423n4
added 2021/09/29 12:0 a.m.7 views

IndexPool.mint The first liquidity provider is forced to supply assets in the same amount, which may cause a significant amount of fund loss

Handle WatchPug Vulnerability details When reserve == 0, amountIn for all the tokens will be set to the same amount: ratio, regardless of the weights, decimals and market prices of the assets. The first liquidity provider may not be aware of this so that it may create an arbitrage opportunity for...

7AI score
Exploits0
Code423n4
Code423n4
added 2021/09/29 12:0 a.m.7 views

IndexPool.mint The first liquidity provider is forced to supply assets in the same amount, which may cause a significant amount of fund loss

Handle WatchPug Vulnerability details When reserve == 0, amountIn for all the tokens will be set to the same amount: ratio, regardless of the weights, decimals and market prices of the assets. The first liquidity provider may not be aware of this so that it may create an arbitrage opportunity for...

7AI score
Exploits0
Code423n4
Code423n4
added 2021/09/29 12:0 a.m.15 views

Unsafe cast in IndexPool mint leads to attack

Handle cmichel Vulnerability details The IndexPool.mint function performs an unsafe cast of ratio to the uint120 type: uint120 ratio = uint120divtoMint, totalSupply; Note that toMint is chosen by the caller and when choosing toMint = 2120 totalSupply / BASE, the ratio variable will be 2120 and th...

6.8AI score
Exploits0
Code423n4
Code423n4
added 2021/09/29 12:0 a.m.9 views

IndexPool._pow wrong loop and does not normalize values

Handle cmichel Vulnerability details The IndexPool.compute function is indented as if the if n % 2 != 0 output = output a; is inside the loop but there are actually not braces around it. It must be in the loop for the exponentiation by repeated squaring algorithm to work: function powuint256 a,...

7.1AI score
Exploits0
Code423n4
Code423n4
added 2021/09/29 12:0 a.m.8 views

IndexPool initial LP supply computation is wrong

Handle cmichel Vulnerability details The IndexPool.constructor function already mints INITPOOLSUPPLY = 100 1e18 = 1e20 LP tokens to the zero address. When trying to use the pool, someone has to provide the actual initial reserve tokens in mint. On the first mint, the pool reserves are zero and th...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2021/09/29 12:0 a.m.8 views

IndexPool.INIT_POOL_SUPPLY is too large, which may cause a significant amount of fund loss to the first liquidity provider

Handle WatchPug Vulnerability details uint256 internal constant BASE = 1018; ... uint256 internal constant INITPOOLSUPPLY = BASE 100; /// @dev Mints LP tokens - should be called via the router after transferring bento tokens. /// The router must ensure that sufficient LP tokens are minted by usin...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2021/09/29 12:0 a.m.8 views

IndexPool's flashSwap does not transfer tokens before the callback

Handle cmichel Vulnerability details The IndexPool.flashSwap function calls ITridentCalleemsg.sender.tridentSwapCallbackcontext before transferring the tokens to the recipient via tranfer. Impact It's very important that the tokens are transferred to the caller before the callback. The use-case o...

6.8AI score
Exploits0
Code423n4
Code423n4
added 2021/09/29 12:0 a.m.13 views

TridentRouter.addLiquidity() Add liquidity to IndexPool through TridentRouter may casue loss of a small portion of users funds

Handle WatchPug Vulnerability details The mint function in IndexPool requires the liquidity provider to transfer in amounts no less than the amounts of tokens' reserve proportionally to the toMint amount. However, the TridentRouter won't calculate the toMint amount and amountsIn for the liquidity...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2021/09/29 12:0 a.m.7 views

_pow is mathematically wrong

Handle 0xsanson Vulnerability details Impact In IndexPool.sol, the function pow is called during the computation of the output amount when swapping. function powuint256 a, uint256 n internal pure returns uint256 output output = n % 2 != 0 ? a : BASE; for n /= 2; n != 0; n /= 2 a = a a; if n % 2 !...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2021/09/29 12:0 a.m.9 views

Overflow in the mint function of IndexPool causes LPs' funds to be stolen

Handle broccoli Vulnerability details Impact It is possible to overflow the addition in the balance check i.e., balancetokenIn = amountIn + reserve in the mint function by setting the amountIn to a large amount. As a result, the attacker could gain a large number of LP tokens by not even providin...

7.1AI score
Exploits0
Code423n4
Code423n4
added 2021/09/29 12:0 a.m.8 views

IndexPool performs several unsafe type casts

Handle cmichel Vulnerability details The IndexPool.burn/burnSingle/swap/flashSwap functions all perform unsafe type casts to uint120 without checking if the values actually fit into 120 bits. Impact Unlike mint, these functions have other require statements and checks that don't seem to directly...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2021/09/29 12:0 a.m.12 views

IndexPool does not apply barFee

Handle pauliax Vulnerability details Impact IndexPool does not mint fees barFee and barFeeTo. It initializes these variables but never uses them in a meaningful way. Recommended Mitigation Steps Consider handling the fees in this contract similarly to other pools. --- The text was updated...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2021/09/29 12:0 a.m.11 views

No bar fees for IndexPools?

Handle 0xsanson Vulnerability details Impact IndexPool doesn't collect fees for barFeeTo. Since this Pool contains also a method updateBarFee, probably this is an unintended behavior. Also without a fee, liquidity providers would probably ditch ConstantProductPool in favor of IndexPool using the...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2021/09/29 12:0 a.m.8 views

IndexPool.INIT_POOL_SUPPLY is too large, which may cause a significant amount of fund loos to the first liquidity provider

Handle WatchPug Vulnerability details uint256 internal constant BASE = 1018; ... uint256 internal constant INITPOOLSUPPLY = BASE 100; /// @dev Mints LP tokens - should be called via the router after transferring bento tokens. /// The router must ensure that sufficient LP tokens are minted by usin...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2021/09/29 12:0 a.m.8 views

IndexPool's flashswap trasfer before callback

Handle 0xsanson Vulnerability details Impact The flashswap function in IndexPool.sol doesn't fulfill its function. Indeed it should transfer tokens to the users before they need to pay back, but the transfer happens at the end: ... ITridentCalleemsg.sender.tridentSwapCallbackcontext; // @dev Chec...

6.9AI score
Exploits0
Rows per page
Query Builder