251 matches found
Inflation attack by drip
Lines of code Vulnerability details Impact The drip might inflate the exchange rate on an initial stake such that that subsequent stakers get minted zero wxETH. Their stake can then be unstaked by the first staker, together with their own first stake and inflation investment. Effectively, the fir...
Virgin stake can claim all drops
Lines of code Vulnerability details Impact If wxETH drips when nothing is staked, then the first staker can claim every drop. Proof of Concept Suppose drip is enabled when totalSupply == 0. At least one block passes and the first staker stakes, just 1 xETH is enough. This mints her 1 wxETH. This...
stake() function: The provided stake function lacks checks to prevent a lender from staking multiple NFTs in the same Ajna pool. The function allows any owned position NFT to be staked without considering whether the lender has already staked in the pool. This potentially opens up the system to an abuse where a lender stakes multiple NFTs for the same liquidity position.
Lines of code Vulnerability details Impact The current stake function lacks checks to prevent a lender from staking multiple NFTs in the same Ajna pool. This could lead to an abuse of the system where a lender stakes multiple NFTs for the same liquidity position, potentially earning more rewards...
unstake() function: The unstake function permits the unstaking of multiple position NFTs from the same liquidity pool (LP) by the same lender. This opens the possibility for a lender to claim more Ajna token rewards than they are entitled to by staking and unstaking multiple NFTs associated with the same LP.
Lines of code Vulnerability details Impact The absence of a mechanism to prevent a lender from unstaking multiple NFTs for the same liquidity pool LP could potentially lead to the exploitation of the Ajna token reward system. A lender can mint, stake, and unstake multiple NFTs for the same LP fro...
Mitigation Confirmed for Mitigation of M-10: Issue mitigated
Mitigated issue M-10: Stuck ether when use function stake with empty derivativesderivativeCount = 0 The issue was that stake will accept payment but not issue safETH when derivativeCount == 0 or when all weightsi == 0. Mitigation review The proposed mitigation simply adds a requirederivativeCount...
Mitigation of M-12: mitigation error, see comments
MITIGATION IS NOT CONFIRMED MITIGATION IS NOT CONFIRMED Mitigation of M-12: mitigation error, see comments Link to Issue: code-423n4/2023-03-asymmetry-findings150 Comments While the proposed change correctly mitigates the issue, in the sense that it introduces a user controlled slippage for stake...
Rounding loss in and with approxPrice()
Rounding loss in and with approxPrice Description SafEth.approxPrice contains a rounding loss of the form a/k + b/k = ac/b. We would...
Mitigation of M-12: Issue NOT mitigated
Mitigated issue M-12: No slippage protection on stake in SafEth.sol There were issues with either a lack of slippage protection or a hard set slippage. Slippage protection was missing in deposit for Reth.deposit only if depositing in the Rocket Pool and in Reth.withdraw, as well as in stake becau...
Mitigation Confirmed for Mitigation of M-05: See comments
Mitigated issue M-05: Missing derivative limit and deposit availability checks will revert the whole stake function The issue was that stake calls deposit on each derivative without considering certain conditions under which some deposit might revert. There is an overlap between this issue and...
Mitigation of M-11: Issue NOT mitigated
Mitigated issue M-11: Residual ETH unreachable and unuitilized in SafEth.sol The issue was that the rounding losses from partitioning msg.value in stake and rebalanceToWeights was left irretrievably in the contract. Mitigation review Previously rebalanceToWeights withdrew all staked funds and...
Chainlink price feed responses are not validated
NEW ISSUE - MITIGATION IS NOT CONFIRMED NEW ISSUE - MITIGATION IS NOT CONFIRMED adriro-NEW-H-02 Chainlink price feed responses are not validated Link to changesets: Impact The protocol team introduced Chainlink price feeds for the Reth and WstEth derivatives in order to mitigate price manipulatio...
Mitigation of M-11: Issue not mitigated, mitigation error
MITIGATION IS NOT CONFIRMED MITIGATION IS NOT CONFIRMED Mitigation of M-11: Issue not mitigated, mitigation error Link to Issue: code-423n4/2023-03-asymmetry-findings152 Comments Even though the sponsor followed the warden's recommendation in issue M-11, I don't think the proposed change properly...
Upgraded Q -> 3 from #883 [1682591277339]
Judge has assessed an item in Issue 883 as 3 risk. The relevant finding follows: As such, if deposit or withdraw reverts for any derivative, stake and unstake will fail. This could cause stake and unstake to permanently revert for an prolonged period of time, as it is possible for deposit and...
Upgraded Q -> 2 from #883 [1682591284215]
Judge has assessed an item in Issue 883 as 2 risk. The relevant finding follows: This could cause stake and unstake to permanently revert for an prolonged period of time, as it is possible for deposit and withdraw to revert due to unchecked external conditions: Reth The rocket pool DAO can disabl...
Upgraded Q -> 2 from #17 [1680620718364]
Judge has assessed an item in Issue 17 as 2 risk. The relevant finding follows: L-05 Check that staking cannot occur when endTime is reached The MuteAmplifier.stake function should require that the current timestamp is smaller than endTime even when the call to stake is the first that ever...
The first stake is possible after endTime
Lines of code Vulnerability details Impact Users can stake after endTime due to the wrong check. Proof of Concept When a user stakes LP tokens using MuteAmplifier.stake, stake is not allowed after endTime which is set in initializeDeposit by an admin. requireblock.timestamp endTime,...
In stake() function shares increase exponentially for the same amount of deposit as the totalSupply() increases, causing the loss for the initial stakers relative to later ones.
Lines of code Vulnerability details Impact Stake function don not allocate the safEth according to the totalShares, instead as more user deposit, later depositers get higher share of the value as compared to ealy depositers. Proof of Concept Consider Alice, Bob and Jenny want to stake their eth...
the depositor can get sanwich attack when call stake in SafEth and deposit in RETH
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. users who stake eth from call function stake in will get sandwich attack, which users will lose money Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or an...
Reth griefing
Lines of code Vulnerability details Impact The maximum slippage when buying rETH from the Uniswap V3 pool is calculated in Reth derivative contract by taking the current price in the Uniswap V3 pool at runtime, without taking into account the price at which the user sent the transaction to the...
Missing critical check of amount minted tokens in stake() -> deposit()
Lines of code Vulnerability details Impact No require to ensure that SfrxEth or WstEth is minted when calling in SafEth.sol stake - IDerivative.deposit function Proof of Concept In the deposit function in Reth.sol has a require statement to ensure that the token was actually minted. But there is ...