19 matches found
Fee-on-transfer/rebasing tokens will have problems when swapping
Lines of code 110 Vulnerability details Uniswap v3 does not support rebasing or fee-on-transfer tokens so using these tokens with it will result funds getting stuck. With fee-on-transfer tokens, if the balance isn't checked, the wrong amount may be transferred out. With rebasing tokens, the...
Fee-on-transfer/rebasing tokens will have problems when swapping
Lines of code 110 Vulnerability details Uniswap v3 does not support rebasing or fee-on-transfer tokens so using these tokens with it will result funds getting stuck. With fee-on-transfer tokens, if the balance isn't checked, the wrong amount may be transferred out. With rebasing tokens, the...
Deriving the price with balanceOf() is dangerous
Lines of code Vulnerability details Impact Deriving the price with balanceOf is dangerous as it can easily be manipulated by direct transfers. Proof of Concept In the getAssetDistributionData function, the asset lying in the LRTDepositPool is retrieved using balanceOfaddressthis:...
RDPX price manipulation benefit for attacker via a Flashloan attack
Lines of code Vulnerability details Impact As the RdpxV2Core contract burns RDPX tokens, a malicious attacker can benefit from a price manipulation attack using a flashloan attack Proof of Concept The function bond in the RdpxV2Core contract is a primary function to enter the protocol and bond...
Lack of minAmount when adding liquidity into Uniswap V2 can lead to the LP getting MEVd
Lines of code Vulnerability details Impact The amount being LPd into Uniswap can get stolen trough MEV. Proof of Concept The reLP contract re-LPs a certain amount of the tokens, that enter after a bond gets bought. The issue arises due to there not being proper minimum liquidity amounts passed wh...
Function stabilize() might always revert because of overflow since Malt contract use solidity 0.8
Lines of code Vulnerability details Impact MaltDataLab fetched priceCumulative directly from Uniswap V2 pool to calculate price of Malt token. However, it is noticed that Uniswap V2 pool use Solidity 0.5.16, which does not revert when overflow happen. In addition, it is actually commented in...
FIRST ERC4626 DEPOSIT CAN BE EXPLOITED ON SHARE CALCULATION
Lines of code Vulnerability details Impact As also encountered by Uniswap V2 and other protocols, the first depositor of an ERC4626 vault can maliciously manipulate the share price by depositing as low as 1 wei of liquidity prior to deliberately inflating ERC4626.totalAssets to as high as 1:1e18...
First depositor can break minting of shares
Lines of code Vulnerability details Vulnerability details The calculation of exchange rate for shares in Popcorn Vault is done by dividing the total supply of shares by the totalAssets of the vault. The first depositor can mint a very small number of shares, then donate to the vault to manipulate...
Lack of slippage protection when swapping on Uniswap v2/v3
Lines of code Vulnerability details Impact Lack of slippage protection when swapping on Uniswap v2/v3. It'll create the potential to be sandwiched by MEV bots and result in user loss. Proof of Concept In the LendgineRouter.mint function, the contract would swap all the token0 to token1 in...
sellQuote might lead to unexpected reverts when returning zero
Lines of code Vulnerability details Impact the implementation of sellQuote follows the logic of getAmountOut from Uniswap V2 Library. However it doesn't add +1 as the original implementation, this could make the function return zero and lead to reverts. Proof of Concept Tools Used Manual review...
Rounding down leads to breakage of the xy curve calculation
Lines of code Vulnerability details Impact When needing to calculate the inputAmount required to receive a certain amount of fractional tokens called outputAmount, we are deriving from the xy = k curve used on the Uniswap V2 protocol. Proof of Concept Some maths: The so-called curve equation is: ...
Pair.sol can be manipulated to affect small liquidity providers.
Lines of code Vulnerability details Impact The first minter can manipulate the supply of LP tokens and baseToken-fractional ratio, hindering small liquidity providers from interacting with the pair. A malicious actor can mint 1wei of LP token from a new pair, then proceed to transfer baseToken to...
Surplus token after adding liquidity is not refunded to liquidity providers. LP might suffer front-running attack and lose funds.
Lines of code Vulnerability details Impact Function Pair.add receives base token and fractional token from liquidity providers and mint equivalent amount of LP token for them. The amount of LP token be minted is calculate in function addQuote function addQuoteuint256 baseTokenAmount, uint256...
MAL-2022-6784 Malicious code in uniswap-v2-adapter (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 36809731348bb0b16418c6c21f3074d63d258f4cd3e03ebab01a693c2f77c204 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in uniswap-v2-adapter (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 36809731348bb0b16418c6c21f3074d63d258f4cd3e03ebab01a693c2f77c204 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
New YVault depositors can be attacked by depressing share decimals
Lines of code Vulnerability details Impact An attacker can become the first depositor for a recently created YVault contract, providing a tiny amount of token by calling deposit1 raw values here, 1 is 1 wei, 1e18 is 1 token if it is 18 decimals. Then the attacker can directly transfer, for exampl...
Two pairs can have same tokens
Handle sirhashalot Vulnerability details Impact The createLPoolPair function in ControllerV1.sol tries to prevent a pair from being create if it already exists. It does this with the statement requirelpoolPairstoken0token1.lpool0 == address0 || lpoolPairstoken1token0.lpool0 == address0, 'pool pai...
first liquidity provider can drain others
Handle danb Vulnerability details Impact first liquidity provider can drain others Proof of Concept consider the following scenario: a malicious user creates the usdc-usdt pool, they provided 1 basic unit of usdt and 1 basic unit of usdc 1/106 each the amount of liquidity token that will be minte...
PostAuctionLauncher's liquidity provision can be exploited
Handle cmichel Vulnerability details The PostAuctionLauncher.finalize function takes the raised payment token amounts and uses previously provided auction token amounts to provide liquidity to a Sushiswap pool after an auction has successfully been finalized. It provides this liquidity at a...