5 matches found
[ADRIRO-NEW-H-03] Invalid operation in withdrawStuckTokens() will break CVX balance tracking in VotiumStrategy
Lines of code Vulnerability details Summary The updated code for withdrawStuckTokens contains an update to the trackedCvxBalance variable that will break CVX accounting in the VotiumStrategy contract, leading to multiple severe consequences. Impact To mitigate a potential withdrawal of CVX tokens...
[ADRIRO-NEW-M-02] AfEth withdrawals are delayed even if the vAfEth withdrawal amount is zero
Lines of code Vulnerability details Summary While zero amount withdrawals of SafEth have been prevented, the updated codebase still executes the withdrawal process for zero amount withdrawals of vAfEth, creating an unnecessary delay in AfEth withdrawals. Impact In AfEth, the withdrawal process is...
Intrinsic arbitrage from price discrepancy
Lines of code Vulnerability details Impact The up to 2 % price discrepancy from Chainlink creates an intrinsic arbitrage. Especially, it makes withdrawals worth more than deposits in the sense that one can immediately withdraw more than just deposited. Proof of Concept When depositing ETH into...
VotiumStrategy.price() does not validate Chainlink response
Lines of code Vulnerability details Impact AfEth.deposit may mint an incorrect amount of afEth. VotiumStrategy.price may return an incorrect price of vAfEth. AfEth.price may return an incorrect price of afEth. Proof of Concept VotiumStrategy.price function price external view override returns...
Unsafe use of balanceOf(address(this))
Lines of code Vulnerability details Impact AfEth.deposit can be bricked. Proof of Concept AfEth makes use of its own balance of afEth as a temporary store of afEth for withdrawal requests. On requestWithdraw afEth is transferred to the AfEth contract and these are then burned on withdraw. The...