Lucene search
K

12 matches found

Code423n4
Code423n4
added 2022/07/14 12:0 a.m.17 views

Loss of funds in an underlying protocol would cause catostrophic loss of funds for swivel

Lines of code Vulnerability details Impact Loss of all user funds Proof of Concept This exploit stems from a quirk in the way that exchange rate is tracked for matured positions. We first need to breakdown how interest is calculate for a matured position. In L124 the yield for a matured position ...

6.7AI score
Exploits0
Code423n4
Code423n4
added 2022/06/26 12:0 a.m.12 views

Unable to redeem from Notional

Lines of code Redeemer.solL193 Vulnerability details Impact The maxRedeem function is a view function which only returns the balance of the Redeemer.sol contract. After this value is obtained, the PT is not redeemed from Notional. The user will be unable to redeem PT from Notional through...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2022/06/26 12:0 a.m.10 views

Redeemer.sol#redeem() the principal token from Notional can not be redeemed

Lines of code Vulnerability details int256 amount = IERC20principal.balanceOflender; // Transfer the principal token from the lender contract to here Safe.transferFromIERC20principal, lender, addressthis, amount; if p == uint8MarketPlace.Principals.Swivel // Redeems zc tokens to the sender's...

6.7AI score
Exploits0
Code423n4
Code423n4
added 2022/06/26 12:0 a.m.11 views

In Notional case Redeemer's redeem() will not do the position redeeming

Lines of code Vulnerability details Currently no actual redeeeming is done in Notional case as maxRedeem is a balance view function that doesn't close the position. This way one more operation, the redeeming itself, is now committed and in Notional case Redeemer's redeem doesn't perform anything,...

6.7AI score
Exploits0
Code423n4
Code423n4
added 2022/06/14 12:0 a.m.11 views

Wrapped idiosyncratic (non-tradable) fCash can possibly not be unwrapped prior to maturity

Lines of code Vulnerability details What is idiosyncratic fCash? Markets may not always trade at the exact maturities of all fCash assets. fCash that does not fall on an exact maturity is called idiosyncratic fCash. To value these assets, Notional takes the linear interpolation of the rates of th...

6.7AI score
Exploits0
Code423n4
Code423n4
added 2022/02/02 12:0 a.m.5 views

_validateOrder Does Not Allow Anyone To Be A Taker Of An Off-Chain Order

Handle leastwood Vulnerability details Impact The EIP1271Wallet contract intends to allow the treasury manager account to sign off-chain orders in 0x on behalf of the TreasuryManager contract, which holds harvested assets/COMP from Notional. While the EIP1271Wallet.validateOrder function mostly...

7AI score
Exploits0
Code423n4
Code423n4
added 2022/02/02 12:0 a.m.10 views

getVotingPower Is Not Equipped To Handle On-Chain Voting

Handle leastwood Vulnerability details Impact As NOTE continues to be staked in the sNOTE contract, it is important that Notional's governance is able to correctly handle on-chain voting by calculating the relative power sNOTE has in terms of its equivalent NOTE amount. getVotingPower is a useful...

7AI score
Exploits0
Code423n4
Code423n4
added 2022/02/02 12:0 a.m.8 views

Users Can Deny The Treasury Manager Contract From Claiming COMP Incentives

Handle leastwood Vulnerability details Impact The treasury manager is appointed by the Notional DAO and is tasked with harvesting rewards both COMP incentives and assets from Notional and performing NOTE buybacks using WETH. The TreasuryManager.harvestCOMPFromNotional function is only callable by...

6.8AI score
Exploits0
Code423n4
Code423n4
added 2022/01/31 12:0 a.m.53 views

Use of deprecated Chainlink latestAnswer()

Handle sirhashalot Vulnerability details Impact Chainlink's documentation listed the latestAnswer function as deprecated. This function doesn't revert if no answer is available but returns 0, and the return value of latestanswer is not checked in the Notional code. In fact, Chainlink removed thei...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2021/09/08 12:0 a.m.7 views

Privilige escalation in ERC1155

Handle cmichel Vulnerability details Vulnerability Details The ERC1155.checkPostTransferEvent function allows the from address to specify trades that are executed by the to address if to approved msg.sender. Impact An approved account can execute arbitrary batch actions on behalf of the approver,...

7.5AI score
Exploits0
Code423n4
Code423n4
added 2021/09/04 12:0 a.m.10 views

Reentrancy Bug in TimelockController.sol

Handle leastwood Vulnerability details Impact Notional's governance framework utilises a fork of Compound's Governor Alpha and ERC20 token. These are denoted specifically as the GovernorAlpha.sol and NoteERC20.sol contracts. However, the GovernorAlpha.sol has a key difference when compared to...

6.9AI score
Exploits0
ThreatPost
ThreatPost
added 2021/08/13 8:8 p.m.231 views

SolarWinds 2.0 Could Ignite Financial Crisis – Podcast

Could a cyberattack spark the next financial crisis? Following the calamitous, widespread SolarWinds attacks in April, that’s exactly what the New York State Department of Financial Services DFS has suggested. “This incident confirms that the next great financial crisis could come from a...

7.1AI score
Exploits0References10
Rows per page
Query Builder