Lucene search
K

7 matches found

Code423n4
Code423n4
added 2024/01/26 12:0 a.m.18 views

nextEpoch is incorrect

Lines of code Vulnerability details Impact Rewards and voting weights are aligned on a weekly basis. However, nextEpoch is calculated incorrectly, which may break the invariant "The total rewards that are sent for one block should never be higher than the rewards that were configured for this...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2023/05/15 12:0 a.m.12 views

mint and burn can be attacked by sandwiches

Lines of code Vulnerability details Impact The rewards of mint and burn are calculated based on the ratio of uTokenincluding debt and vToken, so it can be sandwiched by attackers. Proof of Concept Tools Used manual Recommended Mitigation Steps It is recommended to add the minimum receiving quanti...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2023/05/11 12:0 a.m.6 views

Position NFT can be spammed with insignificant positions by anyone until rewards DoS

Lines of code Vulnerability details Impact The PositionManager.memorializePositionsparams method can be called by anyone per design, see 3rd party test cases and allows insignificantly small any value 0 positions to be attached to anyone else's positions NFT, see PoC. As a result, the...

6.7AI score
Exploits0
Code423n4
Code423n4
added 2023/05/11 12:0 a.m.18 views

_updateBucketExchangeRates could possibly revert

Lines of code Vulnerability details Impact updateBucketExchangeRates will not work correctly and would revert in case totalBurnedLatest totalBurnedAtBlock causing DOS for the users when they try to claimRewards, moveStakedLiquidity, stake or unstake. Proof of Concept When the curBurnEpoch doesn't...

7.3AI score
Exploits0
Code423n4
Code423n4
added 2022/11/28 12:0 a.m.11 views

Rewards calculation does not consider GMX reward rate fluctuation

Lines of code Vulnerability details Impact The current time based px rewards calculation system is not accurate, and not fair for users. Due to GMX protocol reward rate fluctuation, px users stake and claim at different time could get less or more rewards they deserve. Some users could abuse the...

6.7AI score
Exploits0
Code423n4
Code423n4
added 2022/09/23 12:0 a.m.9 views

Wrong accounting logic when syncRewards() is called within beforeWithdraw makes withdrawals impossible

Lines of code Vulnerability details Impact sfrxETH.beforeWithdraw first calls the beforeWithdraw of xERC4626, which decrements storedTotalAssets by the given amount. If the timestamp is greater than the rewardsCycleEnd, syncRewards is called. However, the problem is that the assets have not been...

6.6AI score
Exploits0
Code423n4
Code423n4
added 2022/02/09 12:0 a.m.12 views

[WP-H8] ConvexStakingWrapper.sol#_calcRewardIntegral Wrong implementation can disrupt rewards calculation and distribution

Lines of code Vulnerability details uint256 bal = IERC20reward.token.balanceOfaddressthis; uint256 dreward = bal - reward.remaining; // send 20 % of cvx / crv reward to treasury if reward.token == cvx || reward.token == crv IERC20reward.token.transfertreasury, dreward / 5; dreward = dreward 4 / 5...

6.7AI score
Exploits0
Rows per page
Query Builder