7 matches found
Upgraded Q -> 2 from #677 [1702060237936]
Judge has assessed an item in Issue 677 as 2 risk. The relevant finding follows: L-04 Deposited amounts in the EigenLayer strategy should be checked before updating the strategy for the asset Users deposit in this protocol and the protocol deposits these funds to EigenLayer strategy contracts...
Swap functionality to sell rewards is too permissive and could cause accidental or intentional loss of value
Lines of code Vulnerability details Summary While the intention is to use the 0x protocol to sell rewards, the implementation doesn't provide any basic guarantee this will correctly happen and grants the rewarder arbitrary control over the tokens held by the strategy. Impact Rewards earned in the...
auraBAL can be stuck into the Strategy contract
Lines of code Vulnerability details Impact The internal harvest function defined is responsible to claim auraBAL from the aura locker and within the function it swaps them to auraBAL - BAL/ETH BPT - WETH - AURA, finally it locks AURA to the locker to increase the position. For claiming auraBAL it...
All withdrawal functionality is paused when contract is paused
Lines of code Vulnerability details Impact When the strategy contract is paused, all withdrawal functionality will be paused. Based on the comments in MyStrategy.sol and baseStrategy.sol, withdrawToVault should not be affected by the pause functionality. This is not the case due to the...
approve and safeApprove Should Approve the Zero Amount First
Lines of code Vulnerability details Impact The PooledCreditLine.sol and LenderPool.sol contracts approve the strategy contract on the collateral or borrow assets before depositing funds. This allows the strategy contracts to transfer on behalf of these contracts, pulling assets out from the pool...
When a user performs a withdrawal operation, a rollback that is not considered by the program may be triggered.
Handle ACai Vulnerability details Impact When the Vault contract deposits all/most of the token into the strategy contract, so that the remaining tokens in the Vault contract are less than the user's deposit, the user's withdrawal operation will result in a rollback that is not considered by the...
Possibility to drain SavingsAccount contract assets
Handle kemmio Vulnerability details Impact A malicious actor can manipulate switchStrategy function in a way to withdraw tokens that are locked in SavingsAccount contract the risk severity should be reviewed Proof of Concept Firstly an attacker need to deploy a rogue strategy contract implementin...