7 matches found
BLOCK_EPOCH and WEEK should not be mixed
Lines of code Vulnerability details Impact Rewards and voting weights are aligned on a weekly basis. In contract LendingLedger, reward is recorded for each epochblock.number. However, when calling gaugerelativeweightwrite, we should actually pass a timestamp, or the weight cannot be retrieved...
The LendingLedger.sync_ledger function is susceptible to a potential reentrancy attack
Lines of code Vulnerability details Impact The primary focus is on the functions deposit/withdraw situated within the LendingMarket smart contracts, as they trigger the invocation of the LendingLedger.syncledger function. These functions carry the potential risk of containing a reentrancy issue,...
User don't have to deposit for a week into the market to get his weekly reward from the LendingLedger
Lines of code Vulnerability details Impact In the LendingLedger contract, a user is rewarded with CANTO tokens depending on how long he has his deposit in the market. Rewards are distributed for each week during which the deposit was inside the market. However, the user can cheat this condition...
LendingLedger Lack of method to rescue accidentally sent Canto
Lines of code Vulnerability details Impact There is no function to rescue Canto accidentally sent to LendingLedger so if governance fat-finger those Canto could be lost forever. Proof of Concept There is no function to transfer native token out of LendingLedger Tools Used Manual inspection...
Vulnerability: Setting the userClaimedEpoch to a wrong Epoch / Contract: LendingLedger / Function: claim
Lines of code Vulnerability details Impact The userClaimedEpoch is setted to a different epoch week more than the actual epoch of the claim. Proof of Concept In the function to claim the canto for a market, the claiming can only be made for a prior epoch and the function does it in that way, but...
receive() in LendingLedger should be replaced by an appropriate function to prevent users from sending native by mistake
Lines of code Vulnerability details Impact Users lose funds by transferring them by mistake to LendingLedger. Proof of Concept Since the LendingLedger contract has a receive external payable function which receives native without any validation, which means that anyone can transfer native to it b...
TEST FINDING
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used Recommended Mitigation Steps Assessed...