13 matches found
Pausing the GuardCM does not work because the governorCheckProposalId is never set
Lines of code Vulnerability details Impact Since the governorCheckProposalId of the proposal to check the activity of the governance is never set in GuardCM, the CM can never pause GuardCM, even if the governance is inactive. This will result in a stagnation of the protocol since no significant...
Funds cannot be withdrawn from EigenLayer
Lines of code Vulnerability details Impact NodeDelegator contracts handle depositing LSTs into EigenLayer to earn yield. However the contract lacks functions to withdraw those tokens afterwards, meaning they will become trapped in the EigenLayer protocol. This breaks the functionality of the...
Incorrect Addresses will be returned via retrieveProxyContractAddress() possibly bricking delegations.
Lines of code Vulnerability details The retrieveProxyContractAddress function is used to retrieve the address where it casts a bytes32 to an address type. function retrieveProxyContractAddress(ERC20Votes token, address delegate) private view returns (address) { bytes memory bytecode = abi.encodePacked...
PROPOSAL DEADLINE IS NOT CHECKED DURING VOTE CASTING IN _countVote FUNCTION
Lines of code Vulnerability details Impact The SecurityCouncilNomineeElectionGovernorCountingUpgradeable is an abstract contract which is inherited by the SecurityCouncilNomineeElectionGovernor contract. The SecurityCouncilNomineeElectionGovernorCountingUpgradeable.countVote function is responsib...
It is not possible to execute actions that require ETH (or other protocol token)
Lines of code Vulnerability details Details Actions can have value attached to them. That means when an action is being executed, a certain amount of ETH or other protocol token needs to be sent by the caller with the contract call. This is why LlamaCore.executeAction is a payable function...
THERE IS NO INPUT VALIDATION FOR CRITICAL STATE VARIABLES WHICH COULD BREAK THE CORE FUNCTIONALITY OF THE PROTOCOL
Lines of code Vulnerability details Impact In the LlamaAbsoluteStrategyBase.queuingPeriod variable denotes the minimum time in seconds between queueing and execution of action. The LlamaAbsoluteStrategyBase.minExecutionTime returns the block.timestamp + queuingPeriod timestamp. Here queuingPeriod...
Claiming of domains will likely be locked due to a bad check in _enableNode
Lines of code Vulnerability details Description DNS name claims all go through claim which calls enableNode, which calls enableNode. Nodes are enabled recursively, from the root downwards. The following check occurs in enableNode: node = keccak256(abi.encodePacked(parentNode, label)); address owner =...
Gas griefing is possible on unsafe external calls on execute
Lines of code Vulnerability details Impact A malicious or compromised actor that has EXECUTIONPERMISSIONID may cause a gas griefing attack by returning actionsi.data with a really high payload. Griefing attacks have no economic incentive for the attacker but could lead to other issues e.g. not...
Null pointer dereference
A NULL pointer dereference flaw was found in the Linux kernel’s Amateur Radio AX.25 protocol functionality in the way a user connects with the protocol. This flaw allows a local user to crash the system...
Upgraded Q -> M from 268 [1654474507101]
Judge has assessed an item in Issue 268 as Medium risk. The relevant finding follows: High feeRate can break core protocol function PROBLEM There is no maximum input value on setFee in Cally.sol. But if the owner sets it to a uint greater than 1e18, the users will not be able to call exercise as...
Oracle price does not compound
Lines of code Vulnerability details Impact The oracle does not correctly compound the monthly APRs - it resets on fulfill. Note that the oraclePrice storage variable is only set in updateCPIData as part of the oracle fulfill callback. It's set to the old price price from 1 month ago plus the...
It is possible to liquidate not existing account
Handle 0x0x0x Vulnerability details It is possible to liquidate an address for any product when collateral = maintenance = 0. So in other words, if a user has never used a product and deposited collateral, the user can get liquidated blacklisted from the product by anyone, since a liquidated...
Broken access control leads to protocol functionality freeze
Handle 0xRajeev Vulnerability details Impact The contracts use an access control pattern where the contract deployer is included in the onlyDAO modifier which is used for authorized access to critical functions. Such contracts also include a purgeDeployer function which renounces sets to...