57 matches found
First-Spammed, First-Served: MEV Extraction on Fast-Finality Blockchains
This research analyzes the economics of spam-based arbitrage strategies on fast-finality blockchains. We begin by theoretically demonstrating that, splitting a profitable MEV opportunity into multiple small transactions is the optimal strategy for CEX-DEX arbitrageurs. We then empirically validat...
Invalid WETH inclusion for Curve's Tricrypto pools.
Lines of code Vulnerability details Impact For some of Curve's Tricrypto pools, CurveTricryptoAdapter will not be working. Proof of Concept address wethAddress = ICurveTricryptoprimitive.coins2; zToken = calculateOceanIdaddress0x4574686572, 0; // hexadecimalascii"Ether" indexOfzToken = 2;...
Calling withdraw on a delegated amount of WETH doesn't subtract from totalWethDelegated
Lines of code Vulnerability details Impact The contract's WETH amount gets permanently bricked. Proof of Concept A user can call addToDelegate and give WETH, that other people can use for bonding with their rDPX in exchange for a certain percentage appointed by the delegatee. Delegate memory...
getLpPriceInEth and getRdpxPriceInEth return prices in 1e18 decimals, but we use it as 1e8 decimals
Lines of code Vulnerability details Impact Wrong decimals/price if we use RdpxEthOracle.sol as the oracle. Proof of Concept rdpx/eth oracle is not in the scope of this audit, so we can assure they are correct and only check if we use the API right. According to...
Improperly tracking asset reserve for WETH
Lines of code Vulnerability details Impact Function RdpxV2Corewithdraw lets delegate owners withdraw their unused WETH. However, withdrawn amount is not deducted from totalWethDelegated, which causes WETH asset reserve tracked improperly. The impacts could be: 1. Function sync gets reverted when...
Bonding WETH discounts can drain WETH reserves of RdpxV2Core contract to zero
Lines of code Vulnerability details Impact Depending on the reserves of rDPX, bonding discounts are given both on the rDPX and WETH collateral requirements for minting dpxETH. The bonding discounts for both rDPX and WETH portions are provided as rDPX which is taken from the treasury. The issue wi...
Deposit will always revert when depositing ETH if one of the GeVault tokens is not WETH
Lines of code Vulnerability details Impact When a user deposits funds, the deposit function requires an argument namely, the address of the token with which to fund the transaction. If the GeVault has two tokens of for example: USDC/DAI. Line 251 expects the function argument to be the address of...
GeVault cannot deposit ETH
Lines of code Vulnerability details Impact The GeVault contract has two instances where the require statement for token validation can cause reverts. In the first instance, the contract allows only token0 and token1 addresses for withdrawal, making it impossible to withdraw ETH. In the second...
No slippage control while minting GLP
Lines of code Vulnerability details Impact glpRewardRouter.mintAndStakeGlpaddressweth, wethAmount, 0, 0; Here, minUSDG = 0 and minGlp = 0 means no slippage checks. This can be sandwitched in certain conditions in which delta between min and max glp price is higher due to following factors: delta...
borrowInternal() of BaseTOFTMarketModule.sol has phantom permit functions
Lines of code Vulnerability details Impact A malicious actor could steal funds from a User who has already done his first deposit. Proof of Concept Consider the case where attacker uses a token with phantom permit function as collateral, the most famous ones being WETH, BNB, HEX etc. Let’s consid...
Permit does not revert for tokens that do not implement it.
Lines of code Vulnerability details Impact Callers should not rely on permit to revert for arbitrary tokens especially if permit is used as a security check. Tokens which do not revert on permit either do not implement it or have a non-reverting fallback function. Most notable among them is WETH...
Funds added to reserves through sync are accidentally transferred out to users
Lines of code Vulnerability details Impact Wells have the ability to shift funds to other Wells as part of gas-efficient multi-pool swaps. This natspec explanation of this can be find here. The sync function is intended to synchronize the underlying token amounts with the token reserves of the...
Function _execBuyNftFromMarket() Fails to Check the Actual ETH Balance in the Contract After Executing the Trade
Lines of code Vulnerability details Impact In the function execBuyNftFromMarket, if the user chooses to use WETH, the function deposits ETH and approves the amount of WETH to the marketplace. After executing the trade at the marketplace, the function checks that the balance decrease is correct in...
WETH transfer may fail silently in 'uniswapV3SwapCallback' function and execution may stop without any reverts or notification.
Lines of code Vulnerability details Impact WETH transfer may fail silently in 'uniswapV3SwapCallback' function and execution may stop without any reverts or notification. Proof of Concept In the 'uniswapV3SwapCallback' function There's no checks if the WETH transfer have failed or not . If the...
Upgraded Q -> 2 from #463 [1682585731493]
Judge has assessed an item in Issue 463 as 2 risk. The relevant finding follows: L-08 Swapping in Reth.sol may be sub-optimal The Reth pool uses the Weth/Reth 0.05% fee pool to swap between weth and reth. I recommend using the balancer pool to swap instead as it has 80M liquidity compared to...
Upgraded Q -> 3 from #460 [1677510923458]
Judge has assessed an item in Issue 460 as 3 risk. The relevant finding follows: Lines of code Vulnerability details Impact The safeTransferFrom function on the ClearingHouse is normally used when an OpenSea auction successfully ends and the required ERC20/WETH have been transferred to the...
refundETH has no access control and be called repeatedly or Can be Front runned to steal WETH funds from Contract
Lines of code Vulnerability details Impact The function refundETH has no access control and called be called anyone resulting in a loss of WETH funds if address0 is entered as the recipient for removeLiquidity Proof of Concept Consider the scenario if bob calls removeliquidity which returns WETH...
Anyone can withdraw all the WETH sent to Payment contract
Lines of code Vulnerability details Impact Anyone can withdraw all the WETH sent to Payment contract Proof of Concept 1. Someone send WETH to Payment contract 2. Attacker will call unwrapWETH with amountMinimum = WETH balance of Payment contract and recipient = any attacker controlled address 3...
Exploring the Vulnerabilities of Seaport: A Technical Analysis of a Fake Signature Attack on Non-Fungible Tokens
Lines of code Vulnerability details Impact This finding aims to provide a comprehensive analysis of the sc4m trend, which emerged in August 2022, and has since been a prevalent issue in the WEB3 space. Despite efforts to combat this phenomenon, bad actors continue to engage in illicit activities,...
Lack of access control for sweepToken, refundETH, unwrapWETH9 in Router.sol
Lines of code Vulnerability details Impact Lack of access control for sweepToken, refundETH, unwrapWETH9 in Router.sol, any WETH token, ETH and ERC20 sent to Router.sol is lost and claimable to anyone. Proof of Concept the function unwrapWETH9 and sweepToken and refundETH has no access control an...