Lucene search
K

11 matches found

Code423n4
Code423n4
added 2023/02/15 12:0 a.m.10 views

recreateMinipool may not be called

Lines of code Vulnerability details Impact recreateMinipool may not be called Proof of Concept To resolve M-09, the fix is that: function recordStakingEndThenMaybeCycle address nodeID, uint256 endTime, uint256 avaxTotalRewardAmt external payable whenNotPaused int256 minipoolIndex =...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2023/02/09 12:0 a.m.11 views

Upgraded Q -> 2 from #214 [1675930440482]

Judge has assessed an item in Issue 214 as 2 risk. The relevant finding follows: cenario 2 - Use node of node operator In this scenario the NodeOp registers for a duration longer then 14 days. The hacker will hijack the minipool after 14 days and earn rewards on behalf of the node operators node...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2023/02/03 12:0 a.m.7 views

Upgraded Q -> 2 from #653 [1675442664703]

Judge has assessed an item in Issue 653 as 2 risk. The relevant finding follows: 1. Funds are locked if Rialto use function finishFailedMinipoolByMultisig Detail Function finishFailedMinipoolByMultisig did not transfer any funds or doing any data change, only updating state of minipool to Finishe...

6.7AI score
Exploits0
Code423n4
Code423n4
added 2023/02/03 12:0 a.m.7 views

Upgraded Q -> 2 from #338 [1675444014859]

Judge has assessed an item in Issue 338 as 2 risk. The relevant finding follows: L-07 It should be possible to assign Minipool to a new Multisig MinipoolManager.sol 1 --- The text was updated successfully, but these errors were encountered: All reactions...

6.8AI score
Exploits0
Code423n4
Code423n4
added 2023/02/03 12:0 a.m.9 views

Upgraded Q -> 2 from #260 [1675460942583]

Judge has assessed an item in Issue 260 as 2 risk. The relevant finding follows: L2 Withdrawable minipool can be finished before funds are withdrawn --- The text was updated successfully, but these errors were encountered: All reactions...

7AI score
Exploits0
Code423n4
Code423n4
added 2023/02/02 12:0 a.m.10 views

Upgraded Q -> H from #694 [1675343512989]

Judge has assessed an item in Issue 694 as H risk. The relevant finding follows: there is no check that duration of the Minipool is less than 365 days and if user by mistake set very high value for duration and fails to run node properly user would lose very large number of his GGP collaterals...

6.8AI score
Exploits0
Code423n4
Code423n4
added 2023/01/03 12:0 a.m.16 views

The owner minipool count is not decreased in the case of a staking error

Lines of code Vulnerability details Impact When a node operator creates a new pool or the recreateMinipool function is called the minipool count of the owner is increased by 1 and when the staking ends the multisig calls the recordStakingEnd function which will decrease the owner minipool count b...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2023/01/03 12:0 a.m.14 views

Possible to block withdrawal of staked funds after recordStakingEnd or stakingError

Lines of code Vulnerability details Impact Node operators can lose their staked AVAX after stakingEnd or stakingError. Funds will be locked in the Staking contract, but impossible to withdraw. A bad actor does need to supply 1000 AVAX which he gets back and has not have real incentive to do it, b...

6.7AI score
Exploits0
Code423n4
Code423n4
added 2023/01/03 12:0 a.m.10 views

Funds of Node Operators can be nullified by any attacker

Lines of code Vulnerability details Impact The MinipoolManager.createMinipool function do not validate the caller's address due to which any address can invoke the createMinipool function with any nodeID existing or new as input. For any existing nodeID the function can be invoked as long as the...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2023/01/03 12:0 a.m.9 views

Malicious user can use previously used nodeID to prevent user(s) from withdrawing minipool funds

Lines of code Vulnerability details In createMinipool, an event is emitted with details of a newly created minipool. This includes relevant information that a subsequent user can utilise to create another minipool.The only condition that prevents a minipool from being created again with the same...

6.4AI score
Exploits0
Code423n4
Code423n4
added 2023/01/03 12:0 a.m.7 views

MinipoolManager.sol : createMinipool does not check the owner of node when overwriting

Lines of code Vulnerability details Impact owner will be deprived from picking the node id which they already used. when natspec says // If nodeID exists, only allow overwriting if node is finished or canceled The pool that are marked as Withdrawable and Error are also used to overwrite the node ...

6.8AI score
Exploits0
Rows per page
Query Builder