355 matches found
TokenisableRange.sol does not have onERC721Received
Lines of code Vulnerability details Impact TokenisableRange.sol will be unable to mint Uniswap NFTs without a ERC721 Receiver. Proof of Concept TokenisableRange.sol intends to create liquidity NFTs using Uniswapv3 NonfungiblePositionManager. However, there is no callback to check onERC721Received...
Broker Address can be Claim by a MEV Bot
Lines of code Vulnerability details Impact If the broker address is a malicious user, he can mint as many OTAP as he wants. Proof of Concept Protocol deploy the OTAP contract A Bot wait until the contract is deployed Then call the "brokerClaim" straight away with his own address. He can then call...
Re-entrancy in flash minting USDO can bypass max checks
Lines of code Vulnerability details Impact function flashLoan IERC3156FlashBorrower receiver, address token, uint256 amount, bytes calldata data external override notPaused returns bool // @audit re-enter and mint requiretoken == addressthis, "USDO: token not valid"; requiremaxFlashLoantoken =...
No slippage control while minting GLP
Lines of code Vulnerability details Impact glpRewardRouter.mintAndStakeGlpaddressweth, wethAmount, 0, 0; Here, minUSDG = 0 and minGlp = 0 means no slippage checks. This can be sandwitched in certain conditions in which delta between min and max glp price is higher due to following factors: delta...
AirdropBroker.sol#L442 : _participatePhase3 - PHASE_3_AMOUNT_PER_USER should be multiplied by 1e18
Lines of code Vulnerability details Impact Incorrect eligibleAmount is minted to the user. Proof of Concept An eligible user can call the participatePhase3 function and mint the aToken to them. function participatePhase3 bytes calldata data internal returns uint256 oTAPTokenID uint256 tokenID =...
processBlock() function forcibly wrapping a follow NFT could lock it without the owner's consent
Lines of code Vulnerability details Impact It locks the NFT against the owner's wishes. Proof of Concept processBlock is called by the LensHub when a profile is blocked It first checks if the follow NFT is wrapped using isFollowTokenWrapped If not wrapped, it forces wrapping by minting to the own...
The _verifyClaim() does not check claimRoots mapping value, which can happen when token with certain tokenId is never minted.
Lines of code Vulnerability details Impact User could mint ReputationBadge for himself without being legitimate. Proof of Concept The verifyClaim does not check claimRoots mapping value, which can happen when token with certain tokenId is never minted. When: claimRootstokenId == bytes320 If...
The liquidate function lets the caller mint amountOut tokens without providing any
Lines of code Vulnerability details Impact Ther are a lot of check to ensure the parameters of the liquidate function are correct. However, it does not checki for amountIn to NOT be 0, thus it lets the caller proceed and mint amountOut tokens to account without providing any Proof of Concept...
The 'Nouns Fork' is considered unfair towards contributors, given they are not awarded any new tokens.
Lines of code Vulnerability details Impact The 'Nouns Fork' is considered unfair towards contributors, given they are not awarded any new tokens. Proof of Concept The Nouns Fork mechanism allows members of the minority in the Nouns DAO to exit to a new forked Nouns DAO, but the current approach m...
Read-only reentrancy is possible
Lines of code Vulnerability details Impact The agToken might be minted wrongly as rewards due to the reentrancy attack. Proof of Concept There are redeem/swap logics in the transmuter contract and all functions don't have a nonReentrant modifier. So the typical reentrancy attack is possible durin...
FlywheelAcummulatedRewards/FlywheelBribeRewards gains are instantaneous and can be frontrun
Lines of code Vulnerability details Impact FlywheelAcummulatedRewards/FlywheelBribeRewards gains are instantaneous and can be frontrun. The user only needs to frontrun the delegate before each incentive is distributed to get the incentive, and there is no way to prevent the user from undelegating...
the mint function in erc4626 will mint incorrect amount
Lines of code Vulnerability details Impact if you look at the ERC4626 contract the function mint minting the wrong amount at line 53 it should be minting the assets amount not the amount of the share and because the shares and assets are not 1:1 it will lead to unwanted results and different mint...
First user can drain funds from staking contract
Lines of code Vulnerability details Impact If the first user locks an extremely small amount of tokens 1 wei, he can manipulate the reward that is supposed to receive. After locking a small amount, he can unlock it before the second user interacts with the contract. See PoC for more details. Note...
StRSR.cancelUnstake doesn't call _payoutRewards before minting new shares
Lines of code Vulnerability details Impact StRSR.cancelUnstake doesn't call payoutRewards before minting new shares. As result this rewards will be distributed for new staker as well. Proof of Concept If user wants to cancel his withdraw, then he can call StRSR.cancelUnstake and mint new shares...
potential reentrancy attack in _mint and _burn function
Lines of code Vulnerability details Impact potential reentrancy because state changes after minting and burning, should change state first Proof of Concept Tools Used Manual Review Recommended Mitigation Steps follow check-effect-interaction pattern as following: function mintaddress policyholder...
No stale data check on data being read from POR feed
Lines of code Vulnerability details Impact Stale data of exchange rate data being used protocol, resulting in loss in terms of ETHX being minted at stale exchange rate which won't have accounted for new reward Recommended Mitigation Steps Check lastUpdatedAt timestamp and that it is within...
cancelUnstake() doesn't payout rewards first
Lines of code Vulnerability details The new cancelUnstake function allows users to cancel their unstaking, by taking the user's drafts and minting it again. However, since the payoutRewards isn't being called this means that the user would get rewards for the period between the last time...
didPay() front-running
Lines of code Vulnerability details Impact The minting flow of tokens in JBXBuybackDelegate is divided into separate external functions: payParams and didPay. The didPay function can only be called by jbxTerminal, while payParams can be called by anyone without restrictions. The payParams functio...
JBXBuybackDelegate swap pathway always reverts unless slippage is set to 100%
Lines of code Vulnerability details Impact The swap pathway will never work and it will revert due to a validation error unless the user specifies a slippage of 100%. This would be extremely harmful as it would let users be targeted by MEV bots. Proof of Concept This is the pathway to payParams:...
Improper configuration in JBXBuybackDelegate can cause swaps to fail everytime
Lines of code Vulnerability details Impact Improperly configured direction of swap in JBXBuybackDelegate can cause the calls to swap tokens in Uniswap V3 pool to fail everytime. So if the ideal path is token swap over minting, swaps will fail and new project token will be minted instead Proof of...