Lucene search
K

19 matches found

Code423n4
Code423n4
•added 2023/09/07 12:0 a.m.•11 views

UniswapV3 trading fees are always locked in treasury instead of going back to the protocol users through GeVault

Lines of code Vulnerability details TokenisableRange was redesigned to redirect collected fees to a pre-defined GeVault, where the protocol stakers can benefit from the added value. However, the use of an incorrect variable makes this distribution of the fees impossible to happen, and the fees wi...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2023/08/28 12:0 a.m.•11 views

Swapping lacks deadline check

Lines of code Vulnerability details Impact There is no deadline when swapping tokens using EvolvingProteus. Swaps that are done through low gas transactions may be stuck in the mempool for a long time, resulting in unfavourable swap. Proof of Concept Evolving prometeus seems like an upgrade to...

6.7AI score
Exploits0
Code423n4
Code423n4
•added 2023/08/07 12:0 a.m.•4 views

getTickAtSqrtRatio used in TokenisableRange.sol to calculate lower and upper ticks is used without letting for overflow behavior, which is required

Lines of code Vulnerability details Impact The function getTickAtSqrtRatio is used multiple times in the TokenisableRange.sol, but the library TickMath.sol is compiled with pragma solidity ^0.8.4 as you can see here which doesn't allow for overflows, and since the function is not unchecked,...

7.1AI score
Exploits0
Code423n4
Code423n4
•added 2023/08/07 12:0 a.m.•18 views

swapExactTokensForTokens and swapTokensForExactTokens in OptionsPositionManager.sol uses UniswapV2Router01 which doesn't exist on Arbitrum

Lines of code Vulnerability details Impact The functions swapExactTokensForTokens and swapTokensForExactTokens are using UniswapV2Router01 to make swaps in different functions like closeDebt, withdrawOptionAssets or swapTokens, but that would not be possible and those function would revert. Proof...

6.9AI score
Exploits0
Code423n4
Code423n4
•added 2023/08/07 12:0 a.m.•162 views

Use of slot0 to get sqrtPriceLimitX96 can lead to price manipulation

Lines of code Vulnerability details Impact The contracts functions have used UniswapV3.slot0 to get the value of sqrtPriceX96 which it use to perform the swap, however the sqrtPriceX96 gotten from Uniswap.slot0 is the most recent data point and can be manipulated easily via MEV bots & Flashloans...

6.9AI score
Exploits0
Code423n4
Code423n4
•added 2023/07/05 12:0 a.m.•12 views

Not using slippage parameter in swap() while swapping causes loss of funds

Lines of code Vulnerability details Impact While making a swap on UniswapV3 the caller should use the slippage parameter amountOutMinimum parameter to avoid losing funds. In swapToEqualAmounts does not use the slippage parameter amountOutMinimum. File: /src/talos/libraries/PoolActions.solL46-L52...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2023/07/05 12:0 a.m.•39 views

Use of slot0 to get sqrtPriceLimitX96 can lead to price manipulation.

Lines of code Vulnerability details Impact In the RootBrigdeAgent.sol the function's gasSwapOut and gasSwapIn uses UniswapV3.slot0 to get the value of sqrtPriceX96 which it use to perform the swap, however the sqrtPriceX96 gotten from Uniswap.slot0 is the most recent data point and can be...

6.9AI score
Exploits0
Code423n4
Code423n4
•added 2023/05/22 12:0 a.m.•12 views

Swap leftovers are locked in the JBXBuybackDelegate

Lines of code Vulnerability details Vulnerability details In case that the project JBToken address is bigger than WETH address, projectTokenIsZero is set to false. The test cases of buyback delegate only cover the situation, where the JBToken is lower than WETH. constructor IERC20 projectToken,...

6.6AI score
Exploits0
Code423n4
Code423n4
•added 2023/03/30 12:0 a.m.•11 views

Reth flashloan attack

Lines of code Vulnerability details Impact Using a flashloan to manipulate rETH/ETH price a hacker can receive more SafEth shares for the same amount of ether, thus draining all three derivative contracts rETH, SfrxEth and WstEth. Proof of Concept Reth.poolPrice depends on UniswapV3 pool.slot0...

6.6AI score
Exploits0
Code423n4
Code423n4
•added 2023/03/30 12:0 a.m.•15 views

[H-01] RETH oracle manipulation allows attacker to steal funds

Lines of code Vulnerability details Impact The Asymmetry SafEth protocol aims to help diversify and decentralize liquid staking derivatives, exchanging ether staked in the protocol for staked ether derivative tokens based on some relative weighting. A function exposed by these derivative wrapper...

6.7AI score
Exploits0
Code423n4
Code423n4
•added 2023/03/30 12:0 a.m.•11 views

Spot UniswapV3 pricing for rETH when staking in SafEth can lead to loss of user funds

Lines of code Vulnerability details Impact An attacker can craft a set of transactions so that when they are depositing funds in the SafEth contract, using the stake function, they can understate the value of existing deposits preDepositPrice value, while overstating the value of their deposit...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2023/02/01 12:0 a.m.•16 views

Unsafe cast on uniswapV3SwapCallback can get all assets in the contract

Lines of code Vulnerability details Unsafe cast on uniswapV3SwapCallback can get all assets in the contract Summary Type cast with overflows doesn't throw an error / revert therefore, value can be transferred out just by calling the method. Contracts that inherit from SwapHelper:...

7.2AI score
Exploits0
Code423n4
Code423n4
•added 2022/12/12 12:0 a.m.•18 views

depositAndTrade function is incomplete & does not use returnValue of UniswapV3 router

Lines of code Vulnerability details Impact depositAndTrade function seems to be incomplete - the tokenOutput from swapRouter is currently owned by DepositTradeHelper account and needs to be transferred back to msg.sender who initiated this transaction. Since this contract doesn't seem to be part ...

7.1AI score
Exploits0
Code423n4
Code423n4
•added 2022/12/09 12:0 a.m.•14 views

Discrepency in the Uniswap V3 position price calculation because of decimals

Lines of code Vulnerability details Impact When the squared root of the Uniswap V3 position is calculated from the getOracleData function, the price may return a very high number in the case that the token1 decimals are strictly superior to the token0 decimals. See: The reason is that at the...

6.7AI score
Exploits0
Code423n4
Code423n4
•added 2022/12/09 12:0 a.m.•9 views

UniswapV3 tokens of certain pairs will be wrongly valued, leading to liquidations.

Lines of code Vulnerability details Description UniswapV3OracleWrapper is responsible for price feed of UniswapV3 NFT tokens. Its getTokenPrice is used by the health check calculation in GenericLogic. getTokenPrice gets price from the oracle and then uses it to calculate value of its liquidity...

6.6AI score
Exploits0
OSV
OSV
•added 2022/10/25 8:2 a.m.•10 views

MAL-2022-692 Malicious code in @uniswapv3/mempool (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware e0c3c5ea5c5513da02d2b9b8c4f1c036dca30e072e0354a89bf36a1327e43495 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

7AI score
Exploits0References1
Code423n4
Code423n4
•added 2022/06/24 12:0 a.m.•10 views

TWAV can be attacked by flash loan

Lines of code Vulnerability details Impact updateTWAV can be flash loaned. Hacker may pay the flash loan fee for 4 blocks then execute the attack after that. Proof of Concept function updateTWAVuint256 valuation, uint32 blockTimestamp internal uint32 timeElapsed; unchecked timeElapsed =...

7.1AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/08 12:0 a.m.•15 views

UniswapV3's path issue for swapExactOutput

Handle cmichel Vulnerability details UniswapV3 expects a path object like tokenA, feeAB, tokenB, feeBC, tokenC. The UniV3Trader.swapExactOutput code tries to reverse this path to get to tokenC, feeBC, tokenB, feeAB, tokenA but that's not what the reverseBytes function does. Note that it reverts t...

6.9AI score
Exploits0
Code423n4
Code423n4
•added 2021/09/29 12:0 a.m.•8 views

LendingPair.withdrawUniPosition should accrue debt first

Handle cmichel Vulnerability details The LendingPair.withdrawUniPosition function allows the user to withdraw their UniswapV3 pool position NFT again. As the Uniswap position acts as collateral in the protocol, a health check is performed afterwards. However, it does not check the current debt of...

6.8AI score
Exploits0
Rows per page
Query Builder