15 matches found
EUVD-2023-46895
Malicious code in bioql PyPI...
Interest still accrues while the market is paused, forcing users to incur debt
Lines of code · Vulnerability details · Impact: Interest still accrues while the market is paused, forcing users to incur debt. Proof of Concept: when the function accrue is called, the interest is accrued after the interest rate is calculated: uint256 interestRate = IIRM(irm).getInterestRate(address(this), ...
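The accrual pattern behind this finding, as an added illustration that is not code from the report or the audited market contract. It shows a vulnerable accrue that keeps counting interest over the paused window next to a fixed version that settles interest at pause() and resets the accrual clock at unpause(); the contract, state-variable and function names here are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example (not the audited codebase). `paused`, `lastAccrued`,
/// `interestRatePerSec`, `pause()` and `unpause()` are assumed names.
contract PauseAwareAccrual {
    uint256 public totalBorrows;        // principal plus accrued interest
    uint256 public interestRatePerSec;  // 1e18-scaled simple rate per second
    uint256 public lastAccrued;         // timestamp of the last accrual
    bool public paused;
    address public immutable admin;

    constructor(uint256 ratePerSec, uint256 initialBorrows) {
        admin = msg.sender;
        interestRatePerSec = ratePerSec;
        totalBorrows = initialBorrows;
        lastAccrued = block.timestamp;
    }

    /// Vulnerable pattern: interest grows for the whole paused window and is
    /// booked in one jump on the first call after unpause, although borrowers
    /// could not repay while the market was paused.
    function accrueVulnerable() external {
        uint256 elapsed = block.timestamp - lastAccrued;
        totalBorrows += totalBorrows * interestRatePerSec * elapsed / 1e18;
        lastAccrued = block.timestamp;
    }

    /// Fixed pattern: no interest is booked while paused.
    function accrue() public {
        if (paused) return;
        uint256 elapsed = block.timestamp - lastAccrued;
        if (elapsed == 0) return;
        totalBorrows += totalBorrows * interestRatePerSec * elapsed / 1e18;
        lastAccrued = block.timestamp;
    }

    function pause() external {
        require(msg.sender == admin, "not admin");
        accrue();          // settle interest earned up to the pause
        paused = true;
    }

    function unpause() external {
        require(msg.sender == admin, "not admin");
        paused = false;
        lastAccrued = block.timestamp;  // the paused window earns nothing
    }
}
```

The reset of lastAccrued in unpause() is the part that is easy to miss: simply skipping accrual while paused is not enough, because the next accrue() after unpause would otherwise compute elapsed time from before the pause and charge the whole gap.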
accrueTokens will revert if any rebase tokens are used
Lines of code · Vulnerability details · Impact: In PrimeLiquidityProvider.sol:accrueTokens we get the current balance of the passed token. If the token is any rebase token (AMPL, stETH, RMPL) and the current balance has become lower than tokenAmountAccrued[token], the function will revert. This will lead ...
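The revert described above, as an added example rather than the audited PrimeLiquidityProvider code. Under Solidity 0.8 checked arithmetic, `balance - tokenAmountAccrued[token]` reverts as soon as a negative rebase pushes the balance below the recorded accrued amount; the fixed variant treats that shortfall as "nothing new to accrue" instead of blocking every caller. The accrual model and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}

/// Added example (not the audited contract). `tokenAmountAccrued` and
/// `accrueTokens` are assumed names mirroring the pattern in the finding.
contract RebaseSafeAccrual {
    /// Amount of each token already credited to recipients but not yet paid out.
    mapping(address => uint256) public tokenAmountAccrued;

    /// Vulnerable: a negative rebase (AMPL, stETH, RMPL) that lowers balanceOf
    /// below tokenAmountAccrued[token] makes the subtraction revert under
    /// checked math, so accrual for that token is stuck until the balance recovers.
    function accrueTokensVulnerable(address token) external {
        uint256 balance = IERC20(token).balanceOf(address(this));
        uint256 newlyReceived = balance - tokenAmountAccrued[token];
        tokenAmountAccrued[token] += newlyReceived;
    }

    /// Fixed: a shortfall means there is nothing new to accrue; skip instead of
    /// reverting. Returns the newly accrued amount so callers can observe it.
    function accrueTokens(address token) external returns (uint256 newlyReceived) {
        uint256 balance = IERC20(token).balanceOf(address(this));
        uint256 accrued = tokenAmountAccrued[token];
        if (balance <= accrued) {
            return 0;  // negative rebase or rounding drift: do not brick accrual
        }
        newlyReceived = balance - accrued;
        tokenAmountAccrued[token] = balance;
    }
}
```

The fix only keeps accrual callable. After a negative rebase the contract may still hold less than it has promised, so the payout path needs its own handling (for example paying out pro rata or capping at the live balance); the point here is that a transient balance drop must not make accrueTokens revert for everyone.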
Pausing Optimism Portal only pauses withdrawals, can result in locked or lost funds
Lines of code · Vulnerability details: The comment over OptimismPortal.pause indicates pause should affect both deposits and withdrawals. Currently, only finalizeWithdrawalTransaction and proveWithdrawalTransaction implement the whenNotPaused modifier. Both depositTransaction and donateETH do not...
Contributors cannot claim their party cards from a ReraiseETHCrowdfund finalized by a malicious crowdfund creator.
Lines of code · Vulnerability details · Impact: With custom min/maxContributions settings, contributors cannot claim their party cards after the ReraiseETHCrowdfund is finalized. As a result, their funds will be locked inside the party forever because they can't claim from TokenDistributor witho...
Users that send funds at a price lower than the current low bid have their funds locked
Lines of code · Vulnerability details: If a user contributes funds after there is no more supply left, and they don't provide a price higher than the current minimum bid, they will be unable to withdraw their funds while the NFT remains unbought. Impact: Ether becomes stuck until and unless the NFT i...
Funds are locked if the reward can't be transferred to the recipient in withdraw
Lines of code · Vulnerability details · Impact: When the recipient is not able to receive the reward when calling withdraw, as per the natspec: "If contract is using proxy pattern, it's possible to register retroactively, however past fees will be lost." We do not handle that case to get the locked funds back. We should add...
Users cannot withdraw locked funds after the unlock time has passed if they delegated to someone else, resulting in a huge economic loss.
Lines of code · Vulnerability details · Impact: Users cannot withdraw locked funds at all after the unlock time has passed if they delegated to someone else. This results in a huge economic loss, as users can't get their delegated underlying tokens back. The documentation says that locks need to be undelegated firs...
Delegators would temporarily be unable to withdraw their locked_.amount
Lines of code · Vulnerability details · Impact: Delegators would temporarily be unable to withdraw their locked_.amount. Proof of Concept: From the contract, the delegatee has a lot of controlling power. As such, users cannot withdraw or even quitLock their locked funds, and this function is...
User Funds are Locked in the VotingEscrow Contract When Delegated User Withdraws
Lines of code · Vulnerability details · Description: There exists an issue when a delegated user attempts to withdraw the locked funds after the lock duration has expired; as a result, the funds of the original user who triggered the delegation are lost within the contract. Impact: This is an issue because...
Call to safeApprove without checking previous allowance in burnFees could result in locked funds
Lines of code · Vulnerability details · Impact: Using this deprecated function can lead to unintended reverts and potentially the locking of funds. A deeper discussion of the deprecation of this function is in OZ issue OpenZeppelin/openzeppelin-contracts#2219. Proof of Concept: Refer to the burnFee...
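The revert condition behind this finding, as an added example that is not the audited burnFees code. OpenZeppelin's deprecated SafeERC20.safeApprove only allows a non-zero approval when the current allowance is zero, so any leftover allowance (for instance when the spender pulled less than it was approved for) makes every later call revert and the fees stay stuck. The `FeeBurner` contract, `feeToken`, `burner` and the amounts are assumptions; `_safeApproveLike` reimplements only the guard, not the full library.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function approve(address spender, uint256 value) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
}

/// Added example (not the audited contract). `feeToken`, `burner` and the
/// burnFees flow are assumed; the guard mirrors OpenZeppelin's safeApprove.
contract FeeBurner {
    IERC20 public immutable feeToken;
    address public immutable burner;

    constructor(IERC20 token, address burner_) {
        feeToken = token;
        burner = burner_;
    }

    /// Same precondition OpenZeppelin's deprecated safeApprove enforces:
    /// a non-zero approval is only allowed from a zero allowance.
    function _safeApproveLike(IERC20 token, address spender, uint256 value) internal {
        require(
            value == 0 || token.allowance(address(this), spender) == 0,
            "SafeERC20: approve from non-zero to non-zero allowance"
        );
        require(token.approve(spender, value), "approve failed");
    }

    /// Vulnerable: once any allowance is left over, this reverts forever and
    /// the fee tokens held here can no longer be burned.
    function burnFeesVulnerable(uint256 amount) external {
        _safeApproveLike(feeToken, burner, amount);
        // ... burner pulls `amount` via transferFrom and burns it ...
    }

    /// Fixed: clear a stale allowance before setting the new one, so the
    /// non-zero-to-non-zero guard can never trigger. OpenZeppelin's newer
    /// forceApprove / safeIncreaseAllowance are the library equivalents.
    function burnFees(uint256 amount) external {
        if (feeToken.allowance(address(this), burner) != 0) {
            require(feeToken.approve(burner, 0), "reset failed");
        }
        require(feeToken.approve(burner, amount), "approve failed");
        // ... burner pulls `amount` via transferFrom and burns it ...
    }
}
```

Resetting to zero first also covers tokens such as USDT that themselves reject a direct non-zero-to-non-zero approve, which is the other reason the safeApprove guard existed.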
If A User Mistakenly Provides Too Much Ether To The passThruGate() Function, This Additional Amount Will Be Forever Locked Within The Contract
Lines of code · Vulnerability details · Impact: The passThruGate function acts as a proxy function to the beneficiary address by attaching Ether to the call. If an excess of Ether is provided to the call, only gate.ethCost will be sent to the beneficiary. Excess Ether will be locked forever in the...
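The overpayment path described above, as an added example rather than the audited contract. It shows the forwarding function that only passes gate.ethCost along and leaves the surplus with no withdrawal path, beside two fixes: require the exact price, or refund the difference. The `Gate` struct, `gates` mapping and `setGate` are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example (not the audited contract). `Gate`, `gates`, `setGate` and
/// the field names are assumed stand-ins for the finding's structures.
contract PassThruGate {
    struct Gate {
        address payable beneficiary;
        uint256 ethCost;
    }

    mapping(uint256 => Gate) public gates;

    function setGate(uint256 id, address payable beneficiary, uint256 ethCost) external {
        gates[id] = Gate(beneficiary, ethCost);
    }

    /// Vulnerable: only gate.ethCost is forwarded; msg.value - ethCost stays in
    /// this contract, which has no function that can ever send it out.
    function passThruGateVulnerable(uint256 id) external payable {
        Gate memory gate = gates[id];
        require(msg.value >= gate.ethCost, "insufficient ETH");
        (bool ok, ) = gate.beneficiary.call{value: gate.ethCost}("");
        require(ok, "forward failed");
    }

    /// Fix A: accept exactly the price, nothing else.
    function passThruGateExact(uint256 id) external payable {
        Gate memory gate = gates[id];
        require(msg.value == gate.ethCost, "send exactly ethCost");
        (bool ok, ) = gate.beneficiary.call{value: gate.ethCost}("");
        require(ok, "forward failed");
    }

    /// Fix B: forward the price and return the surplus to the caller.
    function passThruGate(uint256 id) external payable {
        Gate memory gate = gates[id];
        require(msg.value >= gate.ethCost, "insufficient ETH");
        (bool ok, ) = gate.beneficiary.call{value: gate.ethCost}("");
        require(ok, "forward failed");
        uint256 excess = msg.value - gate.ethCost;
        if (excess > 0) {
            (bool refunded, ) = payable(msg.sender).call{value: excess}("");
            require(refunded, "refund failed");
        }
    }
}
```

Fix A is the simpler and safer choice when the caller is always a wallet or a known contract: it adds no extra external call. Fix B is friendlier to callers that cannot compute the exact price in advance, at the cost of a second value transfer whose failure (for example a refund target that rejects Ether) reverts the whole purchase.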
Users Can Lock Funds by Backing Out of an Auction
Lines of code · Vulnerability details · Impact: The createReserveAuction function allows users to create duplicate auctions with the same NFT but different auctionIds. As a result, a user could back out of an active auction by creating and then cancelling a duplicate auction. This leads to locked user...
Vault may not have enough tokens for withdraw
Handle 0xRajeev · Vulnerability details · Impact: There is an assumption in LegacyController.vault that the vault will have enough tokens0 to cover the balance difference. If not, the user may receive less than the amount requested and the balance funds get lost/locked unless the vault withdraws from the...
Conviction score is not updated during tokenization if funds are locked
Handle 0xRajeev · Vulnerability details · Impact: The updateConvictionScore on Line 284 of tokenizeConviction is only called if the user specifies zero locked funds. This leads to loss of accounting of the user's conviction score for tokenization since the last update for the user if a non-zero amount of FSDs are...