135 matches found
Battery discharge mechanism doesn't work correctly for first redemption
Lines of code Vulnerability details Impact The RTokenP1 contract implements a throttling mechanism using the RedemptionBatteryLib library. The library models a "battery" which "recharges" linearly block by block, over roughly 1 hour. RToken.sol function redeemuint256 amount external notFrozen //...
Redemptions during undercollateralization can be hot-swapped to steal all funds
Lines of code Vulnerability details Impact During recollateralization/a switch basket/when the protocol collateral isn't sound, a user can have almost their entire redemption transaction hot swapped for nothing. For example, trying to redeem 1M collateral for 1M rTokens could have the user end up...
Anyone can be refunded; no input validation
Lines of code Vulnerability details Impact The method for processing refunds has no input validation. If Bob burns 100 CASH and Alice burns 1 CASH, and the manager wants to refund Alice and pay out Bob, they are able to swap the refund parameters. This would result in Alice getting the entire...
Redeemers will receive less collateral than expected if function completeRedemptions() is called with empty refundees list
Lines of code Vulnerability details Impact Function completeRedemptions is used by admin account to distribute collateral to users and also to refund redemption requests if the redemption cannot be serviced. function completeRedemptions address calldata redeemers, address calldata refundees,...
Liquidation bots are needed to stabilize the system.
Lines of code Vulnerability details Impact Allowing liquidation bots to arbitrage would stabilize the system. The majority of liquidations are done by liquidation bots. For liquidation bots to be viable there has to exist a secondary market where the assets can be instantly sold. This is especial...
Wrong logic totalBurned is not updated after _processRefund() results in loss of funds for redeemers
Lines of code Vulnerability details Impact Function completeRedemptions is used by admin account to distribute collateral to users and also to refund redemption requests if the redemption cannot be serviced. function completeRedemptions address calldata redeemers, address calldata refundees,...
The Equifax Breach Settlement Offer is Real, For Now
Millions of people likely just received an email or snail mail notice saying theyre eligible to claim a class action payment in connection with the 2017 megabreach at consumer credit bureau Equifax. Given the high volume of reader inquiries about this, it seemed worth pointing out that while this...
Irrelevant error message from PrePOMarket.redeem() worries users
Lines of code Vulnerability details Impact Users may receive error messages fee = 0 whenever making a redemption from PrePOMarket contract if the redemption amout is not enough. The error message is irrelevant to users. It's related to the protocol processing the redemption. If a user receives...
PrePOMarket.redeem() business logic may raise users' concerns of their assets
Lines of code Vulnerability details Impact When a user tries to redeem assets, current business logic may fail and pop the error msg fee = 0 repeatedly. Users may not understand what's happening behind, thus raise concers about the safety of their assets since it looks like their assets are out o...
Slashing can prevent Protected Staking Pool depositors from redeeming their ETH
Lines of code Vulnerability details The documentation states that: The Protected Staking Pool is free from any slashing and leaking risk. While the penalties affect the node operator first, then the Fees and MEV Pool stakers, if the slashing amount is higher, it will also impact the Protected...
The tier reserved rate is not validated and can surpass JBConstants.MAX_RESERVED_RATE
Lines of code Vulnerability details If the reserved rate of a tier is set to a value JBConstants.MAXRESERVEDRATE, the JBTiered721DelegateStore.numberOfReservedTokensOutstandingFor function will return way more outstanding reserved tokens up to 6 times more than allowed - 2^16 - 1 due to the manua...
Outstanding reserved tokens are incorrectly counted in total redemption weight
Lines of code Vulnerability details Impact The amounts redeemed in overflow redemption can be calculated incorrectly due to incorrect accounting of the outstanding number of reserved tokens. Proof of Concept Project contributors are allowed to redeem their NFT tokens for a portion of the overflow...
NFT Owner can keep add new tiers to increase the NFT supply with no upper limit to dilute the redemption power of the NFT from old tiers
Lines of code Vulnerability details Impact Owern can adjust tiers, adding tiers with no restriction. function adjustTiersJB721TierParams calldata tiersToAdd, uint256 calldata tierIdsToRemove // Add the tiers. if numberOfTiersToAdd != 0 // Record the added tiers in the store. uint256 memory...
Owner can set contribution floor to 0 , meaning the user lose the fund / fee for 0 contribution power NFT and NFT have no redemption weight
Lines of code Vulnerability details Impact Owner can set contribution floor to 0, meaning the user lose the fund / fee for 0 contribution power NFT and NFT have no redemption weight. the normal payment flow for user is Payment Terminal - pay - didPay - processPayment - // Mint rewards if they wer...
Incorrect calculation of totalRedemptionWeight in JBTiered721DelegateStore.sol, we use weight + number of reserved token instead of weight + weight
Lines of code Vulnerability details Impact After NFT minted, the NFT has redemption weight based on the contribution floor price, the logic that calculate the total redemption weight is storedTier = storedTierOfnfti + 1; // Add the tier's contribution floor multiplied by the quantity minted. weig...
JBTiered721DelegateStore: Incorrect calculation of totalRedemptionWeight
Lines of code Vulnerability details Impact In the totalRedemptionWeight function of the JBTiered721DelegateStore contract, the calculation of the weight in the following code is incorrect, and the result of numberOfReservedTokensOutstandingFor should also be multiplied by...
Stripe: Promotion code can be used more than redemption limit.
A race condition vulnerability existed in the promotion code creation process, allowing users to use the same code more times than the specified redemption limit. This could result in unauthorized discounts or other unintended consequences...
burnFeiHeld() in SimpleFeiDaiPSM burns FEI balance of contract, which includes FEI received because of redeems and FEI transferred or minted for the contract address. contract should only burn FEI received in redeems. this functionality a backdoor to transfer and burn FEI tokens by this contract.
Lines of code Vulnerability details Impact it's possible to burn FEI tokens without receiving DAI tokens, one can transfer FEI tokens to SimpleFeiDaiPSM contract address and then call burnFeiHeld to burn FEI tokens. this is a backdoor to burn FEI tokens. the contract should only burn FEI tokens...
Loss of precision will lock portions of tokens
Lines of code Vulnerability details Impact When the initial balance of a redemption reward token is smaller than the base, small amounts of the token will be rounded down to zero, meaning small-amount users will get nothing for redeeming tokens. Broken accounting means high severity Proof of...
user fund loss in redeem() of RariMerkleRedeemer, because of division rounding error in previewRedeem() which is used in _redeem() and _multiRedeem()
Lines of code Vulnerability details Impact Because of the division rounding error in calculating baseToken amount, when users tries to redeem, they receive less baseToken for the amount of cToken they transferred to the RariMerkleRedeemer contract. This bug is more critical when cToken is a very...