7 matches found
nextEpoch is incorrect
Lines of code Vulnerability details Impact Rewards and voting weights are aligned on a weekly basis. However, nextEpoch is calculated incorrectly, which may break the invariant "The total rewards that are sent for one block should never be higher than the rewards that were configured for this...
mint and burn can be attacked by sandwiches
Lines of code Vulnerability details Impact The rewards of mint and burn are calculated based on the ratio of uTokenincluding debt and vToken, so it can be sandwiched by attackers. Proof of Concept Tools Used manual Recommended Mitigation Steps It is recommended to add the minimum receiving quanti...
Position NFT can be spammed with insignificant positions by anyone until rewards DoS
Lines of code Vulnerability details Impact The PositionManager.memorializePositionsparams method can be called by anyone per design, see 3rd party test cases and allows insignificantly small any value 0 positions to be attached to anyone else's positions NFT, see PoC. As a result, the...
_updateBucketExchangeRates could possibly revert
Lines of code Vulnerability details Impact updateBucketExchangeRates will not work correctly and would revert in case totalBurnedLatest totalBurnedAtBlock causing DOS for the users when they try to claimRewards, moveStakedLiquidity, stake or unstake. Proof of Concept When the curBurnEpoch doesn't...
Rewards calculation does not consider GMX reward rate fluctuation
Lines of code Vulnerability details Impact The current time based px rewards calculation system is not accurate, and not fair for users. Due to GMX protocol reward rate fluctuation, px users stake and claim at different time could get less or more rewards they deserve. Some users could abuse the...
Wrong accounting logic when syncRewards() is called within beforeWithdraw makes withdrawals impossible
Lines of code Vulnerability details Impact sfrxETH.beforeWithdraw first calls the beforeWithdraw of xERC4626, which decrements storedTotalAssets by the given amount. If the timestamp is greater than the rewardsCycleEnd, syncRewards is called. However, the problem is that the assets have not been...
[WP-H8] ConvexStakingWrapper.sol#_calcRewardIntegral Wrong implementation can disrupt rewards calculation and distribution
Lines of code Vulnerability details uint256 bal = IERC20reward.token.balanceOfaddressthis; uint256 dreward = bal - reward.remaining; // send 20 % of cvx / crv reward to treasury if reward.token == cvx || reward.token == crv IERC20reward.token.transfertreasury, dreward / 5; dreward = dreward 4 / 5...