Arbitrary call order to handle mutual consent can lead to unrecoverable native ETH

Lines of code Vulnerability details Creating new credits and increasing the credit deposit requires both parties, the lender and the borrower, to agree. This is implemented by having both call the same function with the same call data. However, as it's possible to use native ETH as a credit token...

Authorization Bypass

OpenZeppelin Contracts is vulnerable to authentication bypass. The vulnerability exists because initializer modifier is not properly handled which allows an attacker to cause reentrancy by executing an external call to an untrusted address...

[PNM-001] finalize with malicious input may allow multiple calls leading to fund draining

Lines of code Vulnerability details Description The finalize function of the contract SizeSealed is used to finalize an auction, allowing the auctioner or seller to be paid quote tokens and also eventually allowing successful bidders to withdraw base tokens. Once the finalize function is called,...

No access control for function deployDeletateFor

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. There is no access control for the deployDelegateFor function, so anyone can call this function and initialize all the parameters for a project. Moreover, the caller can also transfer the owner to a...

After proposed 0.8.0 upgrade kicks in, L2 finalizeInboundTransfer might not work.

Lines of code Vulnerability details Description L2GraphTokenGateway uses the onlyL1Counterpart modifier to make sure finalizeInboundTransfer is only called from L1GraphTokenGateway. Its implementation is: modifier onlyL1Counterpart require msg.sender ==...

Risk of ETH funds Rug Pull in the moveWithheldETH and recoverEther functions

Lines of code Vulnerability details Impact In the frxETHMinter contract both the owner and governance timelock have the power to call the functions moveWithheldETH and recoverEther, those functions allow the transfer of the ETH from frxETHMinter to the owner or a given account, this means that th...

Unending and Eventually Futile TRIBE Redemption

Lines of code Vulnerability details Impact TRIBE holders can redeem for pro rata share of remaining DAO controlled assets according to TIP-121 proposal. In the light of this, users would rush into redeeming their TRIBE before the balances of each tokensReceived held on this contract run out...

Reentrancy in repayLoan

Lines of code Vulnerability details Reentrancy in repayLoan Impact token.safeTransferFrom is called and after that state with the value is calcualted, if token can be a wrong or compromised contract this would lead to a clasic reentrancy attack that would transfer more from the balance than...

User can get loan without dept

Lines of code Vulnerability details Impact User can get loan without permission and dept Proof of Concept TRSRY.withdrawReserves does same validation with TRSRY.getLoan and TRSRY.withdrawReserves does not have permissioned modifier, so anyone can get loan from Treasury without any permission and...

Treasury module is vulnerable to cross-contract reentrancy

Lines of code Vulnerability details Impact An attacker can pay back their loan to the treasury module with protocol-owned tokens. This will cause their loan to decrease despite the protocol won't be given funds for it. Proof of Concept The code first measures the number of tokens in the treasury,...

MIMOAutoRebalance#rebalance can be used to drain vault due to reentrancy

Lines of code Vulnerability details Impact Vault is drained instead of rebalanced Proof of Concept The caller of rebalance is allowed to supply arbitrary swapData when calling rebalance. The can be used to swap into a malicious ERC20 token that transfers control to the attacker. This opens the...

Mathematical impossibility in Modifier

Lines of code Vulnerability details Impact In the resolvable modifier, there is a mathematical check for disputeID disputeCount, and unless this is true, the modifier will revert. The default value of the variable disputeCount, which must be mathematically large, is 0 and its value is never...

Vault rebalancing can be exploited if two vaults rebalance into the same vault

Lines of code Vulnerability details Impact User funds stolen Proof of Concept Swap data is completely arbitrary and can be used to swap though malicious ERC20 tokens allowing control transfer. This control transfer would allow the attacker to call rebalance on a second vault and exploit both as...

Attacker can steal all the wrapped tokens, ether or native currency contained in the ReceiverImplementation contract

Lines of code Vulnerability details Impact since all the functions in the ReceiverImplemention are all designed to be called by DepositBase and AxelarDepositService, why not create a simple modifer to check if msg.sender equals either of the two when a delegatecall or call occurs, like so modifie...

ETHRegistrarController._setRecords can register invalid domains and to some degree, its possible to register any domain name

Lines of code Vulnerability details Impact 1. Register invalid domains at Registrar. 2. It's possible to register any domain name. Proof of Concept ETHRegistrarController.setRecords call function at address resolveruser input with call data bytes calldata datauser input. So it can bypass any meth...

unpaused(p) modifier missing in authRedeem function

Lines of code Vulnerability details Impact Due to missing modifier, User will be able to redeem zcTokens and withdraw underlying even in paused Market. This happens due to missing unpausedp modifier Proof of Concept 1. Lets see function definition for authRedeem function function authRedeemuint8 ...

Increase balance for project without paying

Lines of code Vulnerability details Impact It seems that project owners can directly call recordAddedBalanceFor function at JBSingleTokenPaymentTerminalStore.solL696 to increase their project balance without paying anything Proof of Concept 1. Observe the recordAddedBalanceFor function 2. There i...

Reentrancy vulnerability due to _distributePayoutsOf

Lines of code Vulnerability details The function distributePayoutsOf has reentrancy vulnerability which is being called by the external function distributePayoutsOf There are external calls in this function along with calls sending ETH Impact The contract JBPayoutRedemptionPaymentTerminal inherit...

Unused deadline checker modifier may result in user fund loss due to unexpect transaction ordering (MEV)

Lines of code Vulne...

QA Report

ensure modifier - require statement is commented out The ensureuint deadline modifier is used in multiple functions such as addLiquidity and removeLiquidity but the require statement is commented out, the modifier is essentially usesless. modifier ensureuint deadline //requiredeadline =...