Integer Overflow

@openzeppelin/confidential-contracts is vulnerable to Integer Overflow. The vulnerability is due to a silent overflow failure in the internal mint function that is not checked by wrapper functions, which allows an attacker to cause minting to fail silently while still transferring underlying...

Mismatch of decimals for some underlying tokens across chains could cause a huge loss of funds

Lines of code Vulnerability details Impact The issue is, some ERC20 underlying tokens could have different decimals on other chains. For example, USDC in BNB chain has 18 decimals where it has 6 decimals in other chains such as Ethereum, Polygon ...etc. The root chain doesn't account for decimals...

Missing sanityCheckUnderlying Call in Certain Functions of OptionsPositionManager Contract

Lines of code Vulnerability details Bug Description In the OptionsPositionManager contract, there is a missing call to the sanityCheckUnderlying function at the beginning of the sellOptions and close functions. These functions involve interactions with option assets and underlying tokens. However...

Lendgine#mint gifts the borrower liquidity and both underlying token as well which bricks contract functionality

Lines of code Vulnerability details Impact Borrower of liquidity can just keep borrowing liquidity as he will also get token0 and token1, draining the protocol funds. Proof of Concept Lendginemint calls Pairburn before calling mint to mint the number of ERC20 power tokens. totalLiquidityBorrowed ...

Incorrect check in ZcToken.withdraw and ZcToken.redeem leads to underlying tokens not being able to be transferred

Lines of code Vulnerability details Incorrect check in ZcToken.withdraw and ZcToken.redeem leads to underlying tokens not being able to be transferred In both ZcToken.withdraw and ZcToken.redeem, in the case where holder != msg.sender, a check of the msg.sender's ZcToken allowance is performed. B...

amount requires to be updated to contract balance increase (3)

Lines of code Vulnerability details Impact Every time transferFrom or transfer function in ERC20 standard is called there is a possibility that underlying smart contract did not transfer the exact amount entered. It is required to find out contract balance increase/decrease after the transfer. Th...

[WP-H27] IndexTemplate.sol#compensate() will most certainly fail

Handle WatchPug Vulnerability details Root Cause Precision loss while converting between the amount of shares and the amount of underlying tokens back and forth is not handled properly. uint256 shortage; if totalLiquidity amount //Insolvency case shortage = amount - value; uint256 cds =...

No slippage protection on _swapUstToUnderlying can lead to lost funds

Handle harleythedog Vulnerability details Impact The function swapUstToUnderlying exists to swap Ust to underlying tokens. The last argument to exchangeunderlying is mindy, which specifies the minimum number of underlying to be returned from the swap. Currently, this value is set to 0, so the...

_transferAndCheckUnderlying doesn't work with fee-on-transfer tokens

Handle harleythedog Vulnerability details Impact There are several ERC20 tokens that take a small fee on transfers/transferFroms known as "fee-on-transfer" tokens. Most notably, USDT is an ERC20 token that has togglable transfer fees, but for now the fee is set to 0 see the contract here: . In th...

Creator of pie can mint any amount of _initialSupply, and drain underlying tokens via exitPool

Handle hubble Vulnerability details Impact The Creator of pie or msg.sender of bakePie in PieFactoryContract, can set any high value of initialSupply and get the ERC20 tokens minted. There is no relation to the intialSupply and the amount of underlying Tokens added to the Pie during the bakePie...

Improper design/implementation of SingleTokenJoinV2#joinTokenSingle() make it prone to fail

Handle WatchPug Vulnerability details for uint256 i; i bs.tokens.length; i++ IERC20 token = bs.tokensi; uint256 tokenAmount = balanceaddresstoken.mulamount.addfeeAmount.div totalSupply ; requiretokenAmount != 0, "AMOUNTTOOSMALL"; token.safeTransferFrommsg.sender, addressthis, tokenAmount; // If...