17 matches found

Code423n4
added 2023/12/19 12:00 a.m., 11 views

Lack of input validation for ClosePositionParams.amountSwap results in theft of funds (premium + protocol fee)

Impact: Lack of input validation for ClosePositionParams.amountSwap results in theft of funds. Proof of Concept: ParticlePositionManager.sol holds two kinds of funds: 1. the contract holds the premium added by the borrower; 2. the contract holds the protocol fee before the protocol...

AI score: 7.4
Exploits: 0

Code423n4
added 2023/10/26 12:00 a.m., 10 views

Borrower escapes delinquency penalty if no intermittent action happens

Impact: Once the market goes below required reserves, it is marked as delinquent only if an updateState action happens. Actions like market.updateState, executeWithdrawal, deposit, etc. have to happen, or else the protocol remains unaware of the market's delinquency...

AI score: 7.1
Exploits: 0

Code423n4
added 2023/02/06 12:00 a.m., 11 views

Upgraded Q -> 3 from #619 [1675724566035]

Judge has assessed an item in Issue 619 as 3 risk. The relevant finding follows: The function withdrawRemainingTokens can be changed in a safer way to handle the withdrawal by the owner and the protocol fee as well. This prevents risks associated with the protocol fees. By the docs this function is...

AI score: 6.7
Exploits: 0

Code423n4
added 2023/02/06 12:00 a.m., 12 views

Upgraded Q -> 3 from #664 [1675726078144]

Judge has assessed an item in Issue 664 as 3 risk. The relevant finding follows: L-1 ERC20 Quest: withdrawFee function should only be callable once instead of multiple times. Issue: The withdrawFee function can be called multiple times by the admin after a quest ends, resulting in more than t...

AI score: 6.9
Exploits: 0

Code423n4
added 2023/01/30 12:00 a.m., 6 views

Malicious user can send the quest reward tokens to the protocol fee contract, preventing users from claiming their rewards.

Impact: A malicious user can take advantage of the function withdrawFee after the quest end time and successfully send the quest reward tokens to the protocol fee contract, preventing users from claiming their rewards. Proof of Concept: Every receipt minted should...

AI score: 6.7
Exploits: 0

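The three quest entries above (#619, #664 and the reward-token sweep) describe the same shape of bug: a fee withdrawal that anyone, or the admin repeatedly, can trigger after the quest ends, and a sweep that does not account for rewards still owed to receipt holders. The contract below is an added illustration written for this page, not the audited project's code; QuestFeeEscrow, its receipt and claim functions, and the fee parameters are all hypothetical. It shows a fee that is derived from the receipts actually minted, paid out at most once, and a sweep that can only move what is neither reserved for claims nor still owed as fee.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal ERC20 surface used below (assumed, inlined so the example has no dependencies).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical quest escrow (not the audited project's contract) demonstrating the fix:
// one-shot fee withdrawal, fee sized from minted receipts, and a sweep that respects
// the rewards still reserved for claimants.
contract QuestFeeEscrow {
    IERC20 public immutable rewardToken;
    address public immutable owner;
    address public immutable protocolFeeRecipient;
    uint256 public immutable endTime;           // quest is over once block.timestamp >= endTime
    uint256 public immutable rewardPerReceipt;
    uint256 public immutable feeBps;            // protocol fee in basis points, e.g. 2000 = 20% (assumed)

    uint256 public receiptsMinted;              // receipts that will become claimable
    uint256 public receiptsClaimed;
    mapping(address => uint256) public receiptsOf;
    bool public feeWithdrawn;                   // one-shot guard for withdrawFee

    error NotOwner();
    error QuestNotEnded();
    error QuestEnded();
    error FeeAlreadyWithdrawn();
    error NothingToClaim();
    error RewardsStillOutstanding();

    constructor(IERC20 token, address feeRecipient, uint256 end, uint256 reward, uint256 bps) {
        rewardToken = token;
        owner = msg.sender;
        protocolFeeRecipient = feeRecipient;
        endTime = end;
        rewardPerReceipt = reward;
        feeBps = bps;
    }

    // Simplified receipt issuance: in a real quest this is gated by proof of completion.
    function mintReceipt(address to) external {
        if (msg.sender != owner) revert NotOwner();
        if (block.timestamp >= endTime) revert QuestEnded();
        receiptsMinted += 1;
        receiptsOf[to] += 1;
    }

    // Tokens that must stay in the contract for receipt holders who have not claimed yet.
    function reservedForClaims() public view returns (uint256) {
        return (receiptsMinted - receiptsClaimed) * rewardPerReceipt;
    }

    // Fee owed to the protocol, derived from receipts actually minted rather than from the
    // live token balance, so its value does not grow with repeated calls or stray deposits.
    function protocolFee() public view returns (uint256) {
        return receiptsMinted * rewardPerReceipt * feeBps / 10_000;
    }

    function claim() external {
        uint256 n = receiptsOf[msg.sender];
        if (n == 0) revert NothingToClaim();
        receiptsOf[msg.sender] = 0;             // effects before interaction
        receiptsClaimed += n;
        rewardToken.transfer(msg.sender, n * rewardPerReceipt);
    }

    // Vulnerable shape (constructed for contrast): no caller check and no one-shot flag,
    // so every call after endTime moves another protocolFee() out of the claimants' pool.
    //   function withdrawFee() external {
    //       require(block.timestamp >= endTime);
    //       rewardToken.transfer(protocolFeeRecipient, protocolFee());
    //   }

    function withdrawFee() external {
        if (msg.sender != owner) revert NotOwner();
        if (block.timestamp < endTime) revert QuestNotEnded();
        if (feeWithdrawn) revert FeeAlreadyWithdrawn();
        feeWithdrawn = true;                    // set before the external call
        rewardToken.transfer(protocolFeeRecipient, protocolFee());
    }

    // Owner sweeps only what is neither reserved for claims nor (still) owed as fee.
    function withdrawRemainingTokens(address to) external {
        if (msg.sender != owner) revert NotOwner();
        if (block.timestamp < endTime) revert QuestNotEnded();
        uint256 balance = rewardToken.balanceOf(address(this));
        uint256 locked = reservedForClaims() + (feeWithdrawn ? 0 : protocolFee());
        if (balance < locked) revert RewardsStillOutstanding();
        rewardToken.transfer(to, balance - locked);
    }
}
```

The point of routing every outflow through reservedForClaims() and protocolFee() is that the two pools never compete: a fee withdrawal cannot reduce what claimants are owed, and a second call reverts instead of silently paying the fee again.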
Code423n4
added 2022/12/12 12:00 a.m., 14 views

Pool with any fee tier can be created

Impact: Pool with any fee tier can be created. Proof of Concept: There is a section in this Medium post, under Fee Structure: Maverick AMM supports initializing pools with arbitrary fee rates, but it is expected that LPs will choose from one of the following "standard" fe...

AI score: 7
Exploits: 0

Code423n4
added 2022/12/12 12:00 a.m., 7 views

Pool._amountToBin() returns a wrong value when protocolFeeRatio = 100%.

Impact: Pool._amountToBin() returns a larger value than it should when protocolFeeRatio = 100%. As a result, bin balances might be calculated wrongly. Proof of Concept: delta.deltaInBinInternal is used to update the bin balances like this: if (tokenAIn) binBalanceA +=...

AI score: 6.8
Exploits: 0

Code423n4
added 2022/12/12 12:00 a.m., 4 views

Admin can call claim fee multiple times with no restriction

Impact: Admin can call claim fee multiple times to drain the funds in the pool. Proof of Concept: Admin can perform certain actions in Pool.sol: function adminAction(uint256 action, uint16 val, address recipient) external checkReentrancy(true, true) { // reentrancy...

AI score: 7
Exploits: 0

Code423n4
added 2022/08/01 12:00 a.m., 5 views

Miscalculated payout to NFT sellers completing ERC1155 bids

Impact: The payout to a user fulfilling bid orders by selling their NFTs on ERC1155 will be incorrectly calculated. This will lead to ETH getting stuck in the contract, and users not getting their advertised payout. Proof of Concept: This whole bug takes place in...

AI score: 6.9
Exploits: 0

Code423n4
added 2022/08/01 12:00 a.m., 9 views

Wrong arithmetic operation upon filling a bid order leads to loss of ether from user funds

Vulnerability details: The functions fillBid(...) and fillCriteriaBid(...) in GolomTrader.sol are used to fill a signed Golom order (order.orderType = 1 or = 2) by the buyer after he has approved the GolomTrader contract for some wETH. However, in case the signed order is of type ERC1155 where...

AI score: 6.7
Exploits: 0

Code423n4
added 2022/06/26 12:00 a.m., 12 views

Potential interest is not distributed fairly among the zcToken holders, nor taken as a protocol fee, but will be frozen in the redeemer contract

Vulnerability details: function authRedeem(address u, uint256 m, address f, address t, uint256 a) public authorized(IMarketPlace(marketPlace).markets(u, m, 0)) returns (bool) { // Get the principal token for the given market IERC5095 pt = IERC5095(IMarketPlace(marketPlace).markets(u, m, 0)); // Make...

AI score: 6.7
Exploits: 0

Code423n4
added 2022/06/19 12:00 a.m., 11 views

Protocol fee rate can be arbitrarily modified by the owner and the new rate will apply to all existing orders

Vulnerability details: function matchOneToOneOrders(OrderTypes.MakerOrder[] calldata makerOrders1, OrderTypes.MakerOrder[] calldata makerOrders2) external { uint256 startGas = gasleft(); uint256 numMakerOrders = makerOrders1.length; require(msg.sender == MATCH_EXECUTOR, 'OME');...

AI score: 6.7
Exploits: 0

Code423n4
added 2022/06/19 12:00 a.m., 10 views

NO TIMELOCK ON setProtocolFee() CAN LEAD TO SELLERS LOSING THEIR NFTs

Vulnerability details: NO TIMELOCK ON setProtocolFee() CAN LEAD TO SELLERS LOSING THEIR NFTs. In InfinityExchange.sol, there is no timelock on setProtocolFee(). This is the fee that is applied to orders, and it determines how much the Exchange receives in fees vs. how much the seller receives...

AI score: 6.6
Exploits: 0

Code423n4
added 2022/06/19 12:00 a.m., 12 views

Admin can set arbitrarily high exchange fees

Impact: Admins can attack users by front-running them. PoC: In the function setProtocolFee in InfinityExchange.sol: function setProtocolFee(uint16 protocolFeeBps) external onlyOwner { PROTOCOL_FEE_BPS = protocolFeeBps; // @audit medium emit NewProtocolFee(protocolFeeBps); } Admins ca...

AI score: 6.9
Exploits: 0

Code423n4
added 2022/06/19 12:00 a.m., 12 views

InfinityExchange owner can steal users' tokens via front-running

Impact: The contract InfinityExchange.sol charges a protocol fee through PROTOCOL_FEE_BPS. The issue is that the owner of the contract is able to change the protocol fee at any time without any restriction, which puts him in a very privileged position and allows him to steal...

AI score: 6.7
Exploits: 0

Code423n4
added 2022/06/19 12:00 a.m., 9 views

Maker order buyer is forced to reimburse the gas cost at any tx.gasprice

Vulnerability details: uint256 gasCost = (startGasPerOrder - gasleft() + wethTransferGasUnits) * tx.gasprice; // if the execution currency is weth, we can send the protocol fee and gas cost in one transfer to save gas // else we need to send the protocol fee separately in the execution...

AI score: 7.2
Exploits: 0

Code423n4
added 2022/06/06 12:00 a.m., 9 views

Upgraded Q -> M from 294 [1654474576938]

Judge has assessed an item in Issue 294 as Medium risk. The relevant finding follows: Owner can front-run exercise to increase fees. A malicious owner account can observe and front-run calls to exercise and extract 100% of the strike price as a protocol fee. Scenario: A malicious owner observes a ca...

AI score: 6.9
Exploits: 0

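The four InfinityExchange entries (no timelock, no upper bound, fee applied to existing orders, owner front-running) and the "owner can front-run exercise" finding directly above all reduce to one privileged setter that takes effect immediately. The contract below is an added example written for this page, not InfinityExchange's or any audited project's code; FeeGovernedExchange, the cap of 10%, the two-day delay and the per-order maxFeeBps field are assumptions. It keeps the PROTOCOL_FEE_BPS and NewProtocolFee names quoted in the findings so the hardened setter can be compared with the quoted one, and adds the three controls a reviewer would ask for: a hard cap, a scheduled change that cannot land inside a pending fill, and a maker-signed fee ceiling so a fee raised after signing reverts the fill rather than shrinking the seller's proceeds.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical exchange skeleton (not InfinityExchange's code) showing how to govern a
// protocol fee setter: capped, delayed, and bounded per order.
contract FeeGovernedExchange {
    uint16 public constant MAX_PROTOCOL_FEE_BPS = 1_000;   // 10%, assumed policy limit
    uint256 public constant FEE_CHANGE_DELAY = 2 days;     // assumed notice period for makers

    address public owner;
    uint16 public PROTOCOL_FEE_BPS = 250;                  // 2.5% starting fee (assumed)

    uint16 public pendingFeeBps;
    uint256 public pendingFeeEffectiveAt;                  // 0 when nothing is scheduled

    event NewProtocolFee(uint16 protocolFeeBps);
    event ProtocolFeeScheduled(uint16 protocolFeeBps, uint256 effectiveAt);

    error NotOwner();
    error FeeAboveCap(uint16 requested, uint16 cap);
    error NothingScheduled();
    error DelayNotElapsed(uint256 effectiveAt, uint256 current);
    error FeeExceedsOrderMax(uint16 current, uint16 orderMax);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Vulnerable shape as quoted in the findings: immediate, uncapped, owner-only.
    //   function setProtocolFee(uint16 protocolFeeBps) external onlyOwner {
    //       PROTOCOL_FEE_BPS = protocolFeeBps;
    //       emit NewProtocolFee(protocolFeeBps);
    //   }

    // Step 1: schedule. The cap is enforced here, so an out-of-policy value can never be queued.
    function scheduleProtocolFee(uint16 protocolFeeBps) external onlyOwner {
        if (protocolFeeBps > MAX_PROTOCOL_FEE_BPS) {
            revert FeeAboveCap(protocolFeeBps, MAX_PROTOCOL_FEE_BPS);
        }
        pendingFeeBps = protocolFeeBps;
        pendingFeeEffectiveAt = block.timestamp + FEE_CHANGE_DELAY;
        emit ProtocolFeeScheduled(protocolFeeBps, pendingFeeEffectiveAt);
    }

    // Step 2: apply, callable by anyone once the delay has passed. The owner cannot
    // front-run a fill with this, because the change was public for FEE_CHANGE_DELAY and
    // makers who disagree with it have had that long to cancel their orders.
    function applyProtocolFee() external {
        if (pendingFeeEffectiveAt == 0) revert NothingScheduled();
        if (block.timestamp < pendingFeeEffectiveAt) {
            revert DelayNotElapsed(pendingFeeEffectiveAt, block.timestamp);
        }
        PROTOCOL_FEE_BPS = pendingFeeBps;
        pendingFeeEffectiveAt = 0;
        emit NewProtocolFee(PROTOCOL_FEE_BPS);
    }

    // Settlement split with a per-order ceiling. maxFeeBps is assumed to be a field of the
    // maker's signed order; if the live fee exceeds what the maker agreed to, the fill
    // reverts instead of silently paying the seller less than advertised.
    function splitProceeds(uint256 price, uint16 maxFeeBps)
        public
        view
        returns (uint256 toSeller, uint256 toProtocol)
    {
        if (PROTOCOL_FEE_BPS > maxFeeBps) revert FeeExceedsOrderMax(PROTOCOL_FEE_BPS, maxFeeBps);
        toProtocol = price * PROTOCOL_FEE_BPS / 10_000;
        toSeller = price - toProtocol;
    }
}
```

The per-order ceiling is the control that protects orders signed before a change: the timelock alone gives makers a window to cancel, but a maker who does not act still ends up filled at the new rate, whereas an order that carries its own maxFeeBps fails closed.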