31 matches found
An attacker can manipulate the preDepositvePrice to steal from other users.
Lines of code Vulnerability details Impact The first user that stakes can manipulate the total supply of sfTokens and by doing so create a rounding error for each subsequent user. In the worst case, an attacker can steal all the funds of the next user. Proof of Concept When the first user enters...
Null VotiumStrategy deposits revert
Lines of code Vulnerability details Impact Deposits which attempt to deposit 0 in VotiumStrategy revert. Proof of concept The issue is similar to H-02: Zero amount withdrawals of SafEth or Votium will brick the withdraw process. Depositing in AfEth might call VotiumStrategy.deposit1 if the ratio ...
H-02 Unmitigated
Lines of code Vulnerability details Mitigation of H-02: Issue mitigated with ERROR Mitigated issue H-02: Zero amount withdrawals of SafEth or Votium will brick the withdraw process The issue was that withdrawing afEth might imply a withdrawal of 0 safEth or vAfEth, which reverts. Mitigation revie...
[ADRIRO-NEW-H-02] Users loses their share of rewards while waiting for withdrawal
Lines of code Vulnerability details Summary Withdrawals in AfEth undergo a delay until the underlying CVX tokens can be withdrawn. Depositors need to request a withdrawal and wait until the required withdrawal epoch before making their withdrawal effective. During this period of time, they will...
Intrinsic arbitrage from price discrepancy
Lines of code Vulnerability details Impact The up to 2 % price discrepancy from Chainlink creates an intrinsic arbitrage. Especially, it makes withdrawals worth more than deposits in the sense that one can immediately withdraw more than just deposited. Proof of Concept When depositing ETH into...
Zero amount withdrawals of SafEth or Votium will brick the withdraw process
Lines of code Vulnerability details Summary Withdrawals of amount zero from both SafEth and VotiumStrategy have issues downstream that will cause the transaction to revert, potentially bricking withdrawals from being executed. Impact Withdrawals in AfEth undergo a process to account for any...
Unsafe use of balanceOf(address(this))
Lines of code Vulnerability details Impact AfEth.deposit can be bricked. Proof of Concept AfEth makes use of its own balance of afEth as a temporary store of afEth for withdrawal requests. On requestWithdraw afEth is transferred to the AfEth contract and these are then burned on withdraw. The...
sellCVX(0) reverts
Lines of code Vulnerability details Impact A withdrawal cannot be finalised if requested at a time when AfEth had only safEth, and that owed share of safEth is permanently lost. Proof of Concept It is possible that AfEth holds at most dust amounts of vAfEth if ratio = 100 %. The amounts of vAfEth...
Missing slippage control while depositing rewards in SafEth and VotiumStrategy
Lines of code Vulnerability details Summary Deposits to SafEth and VotiumStrategy coming from rewards lack slippage control, making them susceptible to sandwich attacks by MEV bots, which can result in a loss of funds for the protocol. Impact Rewards coming from the VotiumStrategy contract are...
AfEth withdrawing will not work when ratio will be 0
Lines of code Vulnerability details Impact AfEth withdrawing will not work when ratio will be 0. It will be not possible to withdraw. Proof of Concept Any ratio for the 2 tokens of afEth can be set by owner. AfEth.withdraw function will not work in case if ratio will be 0, which means that safEth...
Mitigation Confirmed for Mitigation of M-10: Issue mitigated
Mitigated issue M-10: Stuck ether when use function stake with empty derivativesderivativeCount = 0 The issue was that stake will accept payment but not issue safETH when derivativeCount == 0 or when all weightsi == 0. Mitigation review The proposed mitigation simply adds a requirederivativeCount...
Mitigation Confirmed for M-01
MITIGATION IS NOT CONFIRMED MITIGATION IS NOT CONFIRMED Mitigation of M-01: Issue not mitigated Link to Issue: code-423n4/2023-03-asymmetry-findings1078 Comments While the "division before multiplication" issues described in M-01 have been mitigated in the proposed changeset, there are other case...
Mitigation of M-12: mitigation error, see comments
MITIGATION IS NOT CONFIRMED MITIGATION IS NOT CONFIRMED Mitigation of M-12: mitigation error, see comments Link to Issue: code-423n4/2023-03-asymmetry-findings150 Comments While the proposed change correctly mitigates the issue, in the sense that it introduces a user controlled slippage for stake...
Upgraded Q -> 2 from #763 [1682682097179]
Judge has assessed an item in Issue 763 as 2 risk. The relevant finding follows: In line 87 there's a check for a pause setting. If staking is currently paused, the operation will fail. Similar to the edge case described above, line 88 verifies that msg.value != 0. The division in the weighted...
Upgraded Q -> 2 from #623 [1682589089611]
Judge has assessed an item in Issue 623 as 2 risk. The relevant finding follows: L‑05 Stuck dust in SafEth contract for division When stake in the contract SafEth some WEIs could be stuck in the contract because the equation uint256 ethAmount = msg.value weight / totalWeight;, in example: ethAmou...
Upgraded Q -> 2 from #830 [1682357430454]
Judge has assessed an item in Issue 830 as 2 risk. The relevant finding follows: unstake in safETH would be blocked if any derivative gets blocked during withdraw The system essentially comes to a halt if any of stETH/frxETH/rETH stops their withdrawal. function unstakeuint256 safEthAmount extern...
User should be able to set the slippage amount willing to pay
Lines of code Vulnerability details Impact The impact of this finding is that users may be required to pay higher transaction fees than necessary due to the absence of an adjustable slippage feature. This could discourage users from using the SafEth contract and negatively impact its adoption...
poolPrice() is vulnerable to price manipulation
Lines of code Vulnerability details Impact The output of poolPrice, which is used to determine the price of rETH, can be manipulated to become extremely small or large. An attacker abuse this to gain large amounts of SafETH during staking. Vulnerability Details In the Reth contract, poolPrice...
Upgradeability completely breaks decentralization
Lines of code Vulnerability details Impact Owner of SafEth can steal all staked funds. Proof of Concept SafEth is an upgradeable ERC20 contract that handles the conversion between ETH and whatever derivatives that are implemented. But it also has access to the staked funds through the derivatives...
REth token price can be manipulated
Lines of code Vulnerability details Impact Currently, all deposit operations split the received ETH between derivatives. One of them is rETH, trading on Pool 0xa4e0faA58465A2D369aa21B3e42d43374c6F9613 with around 1500 ETH in liquidity for each side. The price calculation for splitting deposits in...