21 matches found
A Quantitative Notion of Economic Security for Smart Contract Compositions
Decentralized applications are often composed of multiple interconnected smart contracts. This is especially evident in DeFi, where protocols are heavily intertwined and rely on a variety of basic building blocks such as tokens, decentralized exchanges and lending protocols. A crucial security...
Calls to get_virtual_price() are vulnerable to read-only reentrancy
Lines of code 117 Vulnerability details getvirtualprice was originally considered to be a manipulation-resistant price - suitable as a price oracle, but it was later found to be vulnerable to a read-only reentrancy attack, where the Curve contract could be put into a partially-modified state, and...
Calls to get_virtual_price() are vulnerable to read-only reentrancy
Lines of code 117 Vulnerability details getvirtualprice was originally considered to be a manipulation-resistant price - suitable as a price oracle, but it was later found to be vulnerable to a read-only reentrancy attack, where the Curve contract could be put into a partially-modified state, and...
Calls to get_virtual_price() are vulnerable to read-only reentrancy
Lines of code 117 Vulnerability details getvirtualprice was originally considered to be a manipulation-resistant price - suitable as a price oracle, but it was later found to be vulnerable to a read-only reentrancy attack, where the Curve contract could be put into a partially-modified state, and...
Calls to get_virtual_price() are vulnerable to read-only reentrancy
Lines of code 117 Vulnerability details getvirtualprice was originally considered to be a manipulation-resistant price - suitable as a price oracle, but it was later found to be vulnerable to a read-only reentrancy attack, where the Curve contract could be put into a partially-modified state, and...
Calls to get_virtual_price() are vulnerable to read-only reentrancy
Lines of code 117 Vulnerability details getvirtualprice was originally considered to be a manipulation-resistant price - suitable as a price oracle, but it was later found to be vulnerable to a read-only reentrancy attack, where the Curve contract could be put into a partially-modified state, and...
Calls to get_virtual_price() are vulnerable to read-only reentrancy
Lines of code 117 Vulnerability details getvirtualprice was originally considered to be a manipulation-resistant price - suitable as a price oracle, but it was later found to be vulnerable to a read-only reentrancy attack, where the Curve contract could be put into a partially-modified state, and...
Calls to get_virtual_price() are vulnerable to read-only reentrancy
Lines of code 117 Vulnerability details getvirtualprice was originally considered to be a manipulation-resistant price - suitable as a price oracle, but it was later found to be vulnerable to a read-only reentrancy attack, where the Curve contract could be put into a partially-modified state, and...
Calls to get_virtual_price() are vulnerable to read-only reentrancy
Lines of code 117 Vulnerability details Impact getvirtualprice was originally considered to be a manipulation-resistant price - suitable as a price oracle, but it was later found to be vulnerable to a read-only reentrancy attack, where the Curve contract could be put into a partially-modified...
H-09 Unmitigated
Lines of code Vulnerability details Issue not mitigated About the problem In the report i have described some vaults that will not work in the designed system. Example of such vault will be any vault that has withdraw limit. In this case yieldVault.maxWithdraw call will not return actual amount o...
The _currentExchangeRate of the Vault contract can't increase, and always be lower than or equal to _assetUnit
Lines of code Vulnerability details Impact The currentExchangeRate of the Vault contract can not increase, and always be lower than or equal to assetUnit. Therefore, when the vault is undercollateralized currentExchangeRate assetUnit, it can't be further collateralized. Proof of concept function...
Challenger incentives can be inflated with external transfers
Lines of code Vulnerability details Impact The function notifyChallengeSucceeded calculates the volume of ZCHF to be repaid, which is then used to calculate the reward for the challenger. The challenger can however artificially inflate this value. A challenger can start a challenge on an...
dETH are branded as slash proof, but ETH2 slashing could make 32 deposit drop much below 24 (down to 0), making dETH undercollateralized
Lines of code Vulnerability details Description dETH is advertised as fault proof , slash proof ETH However, ETH2 staked deposit can be slashed from 32 down to 0, not just to 24 as would be expected24 dETH printed. This means dETH is undercollateralized, and indeeds bears the risk of being "paper...
There is no boundaries for starting an auction.
Lines of code Vulnerability details Impact The team has brought this contest to be fairer to their users in terms of liquidation mechanism. Looking through this perspective, it can be developed more on the process to be much fairer to the users in volatile market conditions. Proof of Concept The...
MATIC/AVAX and AVAX/MATIC pools
Handle 0x0x0x Vulnerability details The MATIC/AVAX and AVAX/MATIC pools are close to being undercollateralized. Don't fall for the high APR Psyops, always check the collateralization before lending into a pool, otherwise borrowers will default and you will loose your asset --- The text was update...
Miscalculation of _supplyCreditUni allows undercollateralized loan
Handle WatchPug Vulnerability details In supplyCreditUni, the calculation of the collateral value of tokenB supply is using priceB instead of priceA, which can lead to undercollateralized loans. function supplyCreditUni address account, address returnToken, uint priceA, uint priceB, uint...
Liquidation can be escaped by depositing a Uni v3 position with 0 liquidity
Handle WatchPug Vulnerability details When the liquidator is trying to liquidate a undercolldarezed loan by calling liquidateAccount, it calls unwrapUniPosition - uniV3Helper.removeLiquidity - positionManager.decreaseLiquidity. However, when the Uni v3 position has 0 liquidity,...
Undercollateralized vaults' owner can be overwritten
Handle cmichel Vulnerability details The witch can Witch.grab vaults and the vaultOwnersvaultId field is set to the original owner. However, when the auction time is over and the debt has not been fully paid back, the original owner is not restored, and the witch can grab the same vault again,...
UniswapConfig getters return wrong token config if token config does not exist
Handle @cmichelio Vulnerability details Vulnerability Details The UniswapConfig.getTokenConfigBySymbolHash function does not work as getSymbolHashIndex returns 0 if there is no config token for that symbol uninitialized map value, but the outer function implements the non-existence check with -1...
Users Can Drain Funds From MarginSwap By Making Undercollateralized Borrows If The Price Of A Token Has Moved More Than 10% Since The Last MarginSwap Borrow/Liquidation Involving Accounts Holding That Token.
Handle jvaqa Vulnerability details Users Can Drain Funds From MarginSwap By Making Undercollateralized Borrows If The Price Of A Token Has Moved More Than 10% Since The Last MarginSwap Borrow/Liquidation Involving Accounts Holding That Token. Impact MarginSwap's internal price oracle is only...