Lucene search
K

34 matches found

Code423n4
Code423n4
added 2023/10/25 12:0 a.m.4 views

H-01 Unmitigated

Lines of code Vulnerability details Mitigation of H-01: Mitigation Error, see comments Link to Issue: code-423n4/2023-09-asymmetry-findings62 Comments The sponsor has provided a detailed response in the following comment: code-423n4/2023-09-asymmetry-findings62 comment In summary their analysis i...

6.8AI score
Exploits0
Code423n4
Code423n4
added 2023/10/25 12:0 a.m.7 views

[H-02] Mitigation error: Null Votium withdrawal requests are queued last

Lines of code Vulnerability details Description When a request to withdraw is placed such that VotiumStrategy.requestWithdraw0 is called, this queues it to the end of all previous withdrawal requests as if an infinitesimal amount is to be withdrawn, incurring an artificially prolonged withdrawal...

7AI score
Exploits0
Code423n4
Code423n4
added 2023/10/25 12:0 a.m.12 views

[ADRIRO-NEW-H-03] Invalid operation in withdrawStuckTokens() will break CVX balance tracking in VotiumStrategy

Lines of code Vulnerability details Summary The updated code for withdrawStuckTokens contains an update to the trackedCvxBalance variable that will break CVX accounting in the VotiumStrategy contract, leading to multiple severe consequences. Impact To mitigate a potential withdrawal of CVX tokens...

7.2AI score
Exploits0
Code423n4
Code423n4
added 2023/10/25 12:0 a.m.9 views

M-07 Unmitigated

Lines of code Vulnerability details Mitigation of M-07: Issue NOT fully mitigated with ERROR Mitigated issue M-07: Lack of access control and value validation in the reward flow exposes functions to public access The issue was that anyone can deposit rewards to AfEth, and that if AfEth or...

7AI score
Exploits0
Code423n4
Code423n4
added 2023/10/25 12:0 a.m.6 views

M-07 Unmitigated

Lines of code Vulnerability details Mitigation of M-07: Mitigation Error, see comments Link to Issue: code-423n4/2023-09-asymmetry-findings38 Comments The changes related to this issue are: Access control has been added to AfEth::depositRewards using the onlyVotiumOrRewarder modifier. This functi...

7AI score
Exploits0
Code423n4
Code423n4
added 2023/10/25 12:0 a.m.8 views

M-05 Unmitigated

Lines of code Vulnerability details Mitigation of M-05: Issue NOT mitigated Mitigated issue M-05: Reward sandwiching in VotiumStrategy The issue was that exposure to the benefits of the VotiumStrategy might be unfairly time-weighted. There were two aspects mentioned: voting power and rewards. I d...

6.8AI score
Exploits0
Code423n4
Code423n4
added 2023/10/25 12:0 a.m.8 views

M-08 Unmitigated

Lines of code Vulnerability details Lines of code Vulnerability details Mitigation of M-08: Issue mitigated with ERROR Mitigated issue M-08: Inflation attack in VotiumStrategy The issue was that the price of afEth and of vAfEth could be inflated by donating underlying assets. Mitigation review Al...

7AI score
Exploits0
Code423n4
Code423n4
added 2023/10/25 12:0 a.m.6 views

Price inflation by locking CVX on behalf of VotiumStrategy

Lines of code Vulnerability details Impact The price of vAfEth can be inflated with severe rounding errors as a result. Proof of Concept In VotiumStrategy the price of vAfEth is calculated by function cvxInSystem public view returns uint256 uint256 total = ILockedCvxVLCVXADDRESS.lockedBalanceOf...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2023/10/25 12:0 a.m.9 views

Null VotiumStrategy deposits revert

Lines of code Vulnerability details Impact Deposits which attempt to deposit 0 in VotiumStrategy revert. Proof of concept The issue is similar to H-02: Zero amount withdrawals of SafEth or Votium will brick the withdraw process. Depositing in AfEth might call VotiumStrategy.deposit1 if the ratio ...

7AI score
Exploits0
Code423n4
Code423n4
added 2023/10/25 12:0 a.m.10 views

Introduce minEpoch to prevent withdrawal requests being front-runned

Lines of code Vulnerability details Original Issue M-04: VotiumStrategy withdrawal queue fails to consider available unlocked tokens causing different issues in the withdraw process Issue Details The issue raised above occured whenever there was an unlocked balance which could be used to fulfill...

7AI score
Exploits0
Code423n4
Code423n4
added 2023/10/25 12:0 a.m.6 views

[ADRIRO-NEW-M-05] Rewarder should not be allowed to apply rewards on CVX tokens

Lines of code Vulnerability details Summary The rewarder role should not be allowed to modify the balance of CVX tokens when applying rewards, otherwise the internal CVX balance tracking could get out of sync with major consequences for the protocol. Impact The introduction of internal CVX balanc...

7AI score
Exploits0
Code423n4
Code423n4
added 2023/10/25 12:0 a.m.13 views

[ADRIRO-NEW-M-02] AfEth withdrawals are delayed even if the vAfEth withdrawal amount is zero

Lines of code Vulnerability details Summary While zero amount withdrawals of SafEth have been prevented, the updated codebase still executes the withdrawal process for zero amount withdrawals of vAfEth, creating an unnecessary delay in AfEth withdrawals. Impact In AfEth, the withdrawal process is...

7AI score
Exploits0
Code423n4
Code423n4
added 2023/10/25 12:0 a.m.8 views

[ADRIRO-NEW-M-01] Manager authorization in VotiumStrategy still leaves room for unprotected access

Lines of code Vulnerability details Summary Access control has been added to the VotiumStrategy contract with the intention of restricting functionality only to AfEth. However, an error in the implementation still leaves the contract publicly accessible. Impact In the updated codebase, the sponso...

7.2AI score
Exploits0
Code423n4
Code423n4
added 2023/10/25 12:0 a.m.7 views

M-06 Unmitigated

Lines of code Vulnerability details Mitigation of M-06: Issue NOT mitigated Mitigated issue M-06: Missing deadline check for AfEth actions The issue was missing deadline checks for deposits and withdrawals. Mitigation review - missing deadline for rewards Deadline parameters have been added to...

7.2AI score
Exploits0
Code423n4
Code423n4
added 2023/10/25 12:0 a.m.9 views

M-05 Unmitigated

Lines of code Vulnerability details Mitigation of M-05: Mitigation Error, see comments Link to Issue: code-423n4/2023-09-asymmetry-findings45 Comments To mitigate M-05, the sponsor has added a delay of one epoch when the available CVX balance is enough to cover the withdrawal: 81: uint256...

7AI score
Exploits0
Code423n4
Code423n4
added 2023/09/27 12:0 a.m.8 views

Withdrawals will be permanently DOSed if VLCVX's owner decides to shutdown the contract

Lines of code Vulnerability details Bug Description In VotiumStrategy.sol, the relock function is used to withdraw all unlockable CVX and then lock an appropriate amount of CVX again. It does so by calling lock of the VLCVX contract: VotiumStrategy.solL145-L148 if cvxAmountToRelock 0...

7AI score
Exploits0
Code423n4
Code423n4
added 2023/09/27 12:0 a.m.6 views

Reward sandwiching in VotiumStrategy

Lines of code Vulnerability details Summary The reward system in VotiumStrategy can be potentially gamed by users to enter just before rewards are deposited and request an exit after that. Depending on the withdrawal queue, users may exit as early as the next epoch and avoid waiting the normal 16...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2023/09/27 12:0 a.m.6 views

VotiumStrategy.price() does not validate Chainlink response

Lines of code Vulnerability details Impact AfEth.deposit may mint an incorrect amount of afEth. VotiumStrategy.price may return an incorrect price of vAfEth. AfEth.price may return an incorrect price of afEth. Proof of Concept VotiumStrategy.price function price external view override returns...

7AI score
Exploits0
Code423n4
Code423n4
added 2023/09/27 12:0 a.m.6 views

VotiumStrategy.requestWithdraw() does not account for immediately possible withdrawals

Lines of code Vulnerability details Impact A user might be given an unnecessarily late withdrawal epoch. VotiumStrategy.requestWithdraw might revert altogether. Proof of Concept VotiumStrategy.requestWithdraw finds the epoch at which withdrawal is possible by the following logic: , uint256...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2023/09/27 12:0 a.m.6 views

Incorrect AfEth.price() calculation

Lines of code Vulnerability details Impact AfEth.price may be calculated as too low. Proof of Concept AfEth.requestWithdraw does not burn the afEth but only transfers it to itself. Hence the withdrawRatio is calculated using only the free supply of afEth: AfEth.solL180-L185 // ratio of afEth bein...

7AI score
Exploits0
Rows per page
Query Builder