ABDKMath64 performs multiplication on results of division
Lines of code Vulnerability details Impact Solidity truncates the result of integer division; performing multiplication before division prevents this rounding/truncation in Solidity math. POC: EvolvingProteus is using the ABDKMath64x64 library and is performing multiplication on the results of division, which can roundi...
Missing balance checks in _reserveTokenSpecified()
Lines of code Vulnerability details Impact By calling depositGivenInputAmount and withdrawGivenOutputAmount which both call 'reserveTokenSpecified', users may potentially create scenarios where the balance ratio allowed for the EvolvedProtocol.sol deployment is violated. POC depositGivenInputAmou...
Lack of events in EvolvingProteus contract
Lines of code Vulnerability details Impact There is no event emitted in the whole contract, even after executing sensitive actions like swaps between assets or in the constructor. That is bad because many automated tools that monitor deployed contracts rely on them. For example, see the swap...
Signatures can be replayed in castVoteWithReasonAndParamsBySig() to use up more votes than a user intended
Lines of code Vulnerability details Bug Description In the SecurityCouncilNomineeElectionGovernor and SecurityCouncilMemberElectionGovernor contracts, users can provide a signature to allow someone else to vote on their behalf using the castVoteWithReasonAndParamsBySig function, which is in...
VaultBooster liquidations can revert due to discrepancy in liquidatable balance value
Lines of code Vulnerability details Impact When a user/bot wants to perform a liquidation for a liquidation pair, they can call view methods like maxAmountOut to see what balance of the output token they are able to liquidate at the current time. This makes an underlying call to...
Integer underflow/overflow is possible in some of the timestamp calculations if sequenceOffset or auctionDuration are set maliciously
Lines of code Vulnerability details Impact An attacker could exploit this to make auctionElapsedTime return a low value when it should be high, thereby manipulating the reward calculation. Proof of Concept The vulnerability comes from the subtraction currentTime - sequenceOffset which could...
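The pattern behind this finding, as an added example that is not the audited project's code: an elapsed-time function that subtracts an admin-set offset from the block timestamp. The first contract wraps on underflow; the second validates the setters and keeps checked arithmetic. The names (sequenceOffset, auctionDuration, sequencePeriod, auctionElapsedTime) and the 1-day period are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added example, not project code. Unchecked subtraction: if sequenceOffset is
/// ever set above block.timestamp, the difference wraps to ~2^256 and the modulo
/// yields an arbitrary "elapsed" time that the reward math then trusts.
contract AuctionTimingUnsafe {
    uint64 public sequenceOffset;          // no bounds on the setter
    uint64 public auctionDuration;         // no bounds on the setter
    uint64 public constant SEQUENCE_PERIOD = 1 days; // assumed period

    function setSequenceOffset(uint64 offset) external { sequenceOffset = offset; }
    function setAuctionDuration(uint64 duration) external { auctionDuration = duration; }

    function auctionElapsedTime() public view returns (uint64) {
        unchecked {
            // wraps instead of reverting when sequenceOffset > block.timestamp
            return uint64((block.timestamp - sequenceOffset) % SEQUENCE_PERIOD);
        }
    }

    function isAuctionOpen() external view returns (bool) {
        return auctionElapsedTime() < auctionDuration;
    }
}

/// Hardened version: reject an offset in the future and a duration longer than
/// the period at set time, and keep default checked arithmetic so that a broken
/// invariant reverts loudly instead of producing a wrong (small) elapsed time.
contract AuctionTimingSafe {
    uint64 public sequenceOffset;
    uint64 public auctionDuration;
    uint64 public constant SEQUENCE_PERIOD = 1 days; // assumed period

    error OffsetInFuture(uint64 offset, uint256 current);
    error BadDuration(uint64 duration, uint64 period);

    function setSequenceOffset(uint64 offset) external {
        if (offset > block.timestamp) revert OffsetInFuture(offset, block.timestamp);
        sequenceOffset = offset;
    }

    function setAuctionDuration(uint64 duration) external {
        if (duration == 0 || duration > SEQUENCE_PERIOD) revert BadDuration(duration, SEQUENCE_PERIOD);
        auctionDuration = duration;
    }

    function auctionElapsedTime() public view returns (uint64) {
        // checked: reverts on underflow rather than wrapping
        uint256 sinceOffset = block.timestamp - sequenceOffset;
        return uint64(sinceOffset % SEQUENCE_PERIOD);
    }

    function isAuctionOpen() external view returns (bool) {
        return auctionElapsedTime() < auctionDuration;
    }
}
```

Both setters would normally also be access-controlled; the point here is that access control alone does not protect against a mis-set or malicious value, so the invariant (offset not in the future, duration within the period) is enforced where the value enters the contract.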
Not Checking For Stale Price
Lines of code Vulnerability details Impact The oracle data feed is insufficiently validated: there is no check for a stale price or for round completeness. The price can be stale, which leads to a wrong price return value. Proof of Concept /// @notice Get the price for the latest available round of a feed ///...
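The checks this finding asks for, as an added example (not the audited project's code): a reader around a Chainlink-style AggregatorV3 feed that validates the answer sign, round completeness and freshness before returning the price. The interface below is the standard AggregatorV3Interface; the PriceReader contract, its error names and the maxStaleness parameter are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Standard Chainlink AggregatorV3 read interface (declared inline so the example is self-contained).
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// Added example, not project code.
contract PriceReader {
    AggregatorV3Interface public immutable feed;
    /// Maximum accepted age of an answer; set per feed to its heartbeat plus a grace period (assumption).
    uint256 public immutable maxStaleness;

    error InvalidPrice(int256 answer);
    error IncompleteRound(uint80 roundId, uint80 answeredInRound, uint256 updatedAt);
    error StalePrice(uint256 updatedAt, uint256 current, uint256 maxStaleness);

    constructor(address feed_, uint256 maxStaleness_) {
        require(maxStaleness_ > 0, "zero staleness window");
        feed = AggregatorV3Interface(feed_);
        maxStaleness = maxStaleness_;
    }

    /// The unvalidated pattern: whatever the aggregator last stored is returned,
    /// even if the round never completed or the last update was hours ago.
    function priceUnchecked() external view returns (uint256) {
        (, int256 answer,,,) = feed.latestRoundData();
        return uint256(answer);
    }

    /// Validated read: every field of latestRoundData is checked before the price is used.
    function priceChecked() external view returns (uint256 price, uint8 priceDecimals) {
        (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound) =
            feed.latestRoundData();

        // 1. sign: a zero or negative answer is never a usable price
        if (answer <= 0) revert InvalidPrice(answer);
        // 2. completeness: a round that has not finished reports updatedAt == 0,
        //    and an answer carried over from an older round has answeredInRound < roundId
        if (updatedAt == 0 || startedAt == 0 || answeredInRound < roundId) {
            revert IncompleteRound(roundId, answeredInRound, updatedAt);
        }
        // 3. freshness: reject answers older than the configured window
        if (block.timestamp - updatedAt > maxStaleness) {
            revert StalePrice(updatedAt, block.timestamp, maxStaleness);
        }

        price = uint256(answer);
        priceDecimals = feed.decimals();
    }
}
```

Two caveats for practitioners: the window must be chosen per feed (heartbeats differ by pair and chain), and the answeredInRound comparison is a legacy check that newer aggregators may not populate meaningfully, so the updatedAt freshness bound is the check that must never be dropped.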
ConvexStakingWrapper.sol: after shutdown, rewards can be stolen
Lines of code Vulnerability details Impact After shutdown, checkpoints are stopped, leading to possible theft of rewards. Proof of Concept ConvexStakingWrapper: no more checkpoints after shutdown, i.e. no more updates to reward.reward_integral_for[user]. function _beforeTokenTransfer(address from, address to,...
CurveVolatileCollateral._underlyingRefPerTok() Possible manipulation
Lines of code Vulnerability details Impact curvePool.get_virtual_price may be manipulated to cause a malicious entry into DISABLED. Proof of Concept CurveVolatileCollateral._underlyingRefPerTok returns curvePool.get_virtual_price function _underlyingRefPerTok internal view virtual override returns uint192 @...
Race condition in approve function can lead to more funds than intended being transferred
Lines of code Vulnerability details Impact The approve function in MToken.sol contains a front-running vulnerability that allows a spender to spend more tokens than they should. Proof of Concept Let's take the following scenario: 1. Alice calls approve(Eve, 10). This permits Eve to spend 10 tokens from...
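The race described above, played out end to end as an added example that is not the audited project's code. MinimalToken is a stripped-down allowance token written for this illustration (it is not MToken.sol); the Foundry test replays the Alice/Eve sequence against plain approve, then shows that decreaseAllowance cannot be exploited the same way. The 100-token starting balance and the "reduce to 5" intent are constructed inputs.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import {Test} from "forge-std/Test.sol";

/// Added example, not project code: the smallest token that exhibits the approve race.
contract MinimalToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    constructor(address holder, uint256 amount) { balanceOf[holder] = amount; }

    /// Overwrites the allowance. Between the old and new value being set,
    /// a spender can consume the old value and then the new one.
    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    /// Relative adjustments: a front-run spend changes the base the delta is applied to,
    /// so the spender can never obtain more than the holder ever granted in total.
    function increaseAllowance(address spender, uint256 added) external returns (bool) {
        allowance[msg.sender][spender] += added;
        return true;
    }

    function decreaseAllowance(address spender, uint256 subtracted) external returns (bool) {
        uint256 current = allowance[msg.sender][spender];
        require(current >= subtracted, "allowance below zero");
        allowance[msg.sender][spender] = current - subtracted;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        uint256 allowed = allowance[from][msg.sender];
        require(allowed >= amount, "insufficient allowance");
        require(balanceOf[from] >= amount, "insufficient balance");
        allowance[from][msg.sender] = allowed - amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

contract ApproveRaceTest is Test {
    address alice = makeAddr("alice");
    address eve = makeAddr("eve");
    MinimalToken token;

    function setUp() public {
        token = new MinimalToken(alice, 100); // constructed starting balance
    }

    /// Alice grants 10, later decides Eve should only have 5. Eve sees the pending
    /// approve(eve, 5) in the mempool and spends the 10 first, then the 5.
    function test_ApproveCanBeFrontRun() public {
        vm.prank(alice); token.approve(eve, 10);
        vm.prank(eve);   token.transferFrom(alice, eve, 10); // front-runs Alice's change
        vm.prank(alice); token.approve(eve, 5);              // Alice's "reduction" lands
        vm.prank(eve);   token.transferFrom(alice, eve, 5);
        assertEq(token.balanceOf(eve), 15); // Alice never intended more than 10
    }

    /// Same intent expressed as a relative change: after Eve spends the 10,
    /// the decrease reverts instead of silently re-granting 5.
    function test_DecreaseAllowanceIsRaceSafe() public {
        vm.prank(alice); token.approve(eve, 10);
        vm.prank(eve);   token.transferFrom(alice, eve, 10);
        vm.prank(alice);
        vm.expectRevert(bytes("allowance below zero"));
        token.decreaseAllowance(eve, 5);
        assertEq(token.balanceOf(eve), 10);
    }
}
```

The usual alternatives are to require holders to approve to zero before setting a new non-zero value, or to expose only the relative increase/decrease functions; either way the holder's intent ("at most N more") is what the contract enforces rather than an absolute value that can be spent twice.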
liquidateBorrow(): mTokens that have not entered the market can still be liquidated as collateral
Lines of code Vulnerability details Impact A borrower's mTokens that have not entered the market can still be seized as collateral in a liquidation. Proof of Concept If a user wants to use an mToken as collateral, the user needs to enter the market with the enterMarkets function. / @notice Add assets to be included in account...
Any user can claim rewards infinitely from the market without respecting the accrued rewards time
Lines of code Vulnerability details Impact calculateSupplyRewardsForUser updates the user's accrued rewards based on the user's balance of mTokens and on the difference between the global and user indices, which is the time difference between the last reward claim and the current time. Comptroller contract: one of the...
TemporalGovernor.sol can be unpaused when it should still be in the paused mode
Lines of code Vulnerability details Impact TemporalGovernor is implemented in a way that if the guardians pause the system, the system will be paused for a period of time and will remove the guardians' approval until the system re-approves them again and goes to the unpaused mode; the...
Malicious users can abuse the delegate function in NFTBoostVault.sol
Lines of code Vulnerability details Impact The contract NFTBoostVault.sol lets users register their tokens and an optional NFT in exchange for voting power. In this contract it is mandatory for users to be registered in order to lock their tokens and claim voting power, as mentioned in the code...
Bypass flow limit by transferring tokens at an epoch's border
Lines of code Vulnerability details Impact Token flow can reach 2 * flowLimit in a very short time. Proof of Concept We store the flow-out and flow-in token amounts for every epoch: / @dev Returns the slot which is used to get the flow out amount for a specific epoch @param epoch The epoch to get t...
_amountOut is representing assets and shares at the same time in the liquidate function
Lines of code Vulnerability details Impact In the liquidate function of the Vault contract, the input argument _amountOut is used as if it represented an asset amount and a share amount at the same time, which is impossible as there is a conversion rate between them; this error will make...
The owner of a LSP0ERC725Account can become the owner again after renouncing ownership
Lines of code Vulnerability details Bug Description The renounceOwnership function allows the owner of a LSP0ERC725Account to renounce ownership through a two-step process. When renounceOwnership is first called, renounceOwnershipStartedAt is set to block.number to indicate that the process has...
Anyone can call Well.sol skim method and transfer excessive tokens to its address.
Lines of code Vulnerability details Impact Any excess token balance of Well.sol above what getReserves returns can be transferred by anyone to their own account. Proof of Concept After getting hold of the token instances from the Well.sol contract's tokens, we can check the contract's balance of each token...
Possible Front Running on the Permit function
Lines of code Vulnerability details Impact It could cause damage to third parties who use the permit method for transferring tokens. Proof of Concept The Well contract extends ERC20Permit.sol, which contains a permit function that allows users to transfer assets with signatures. / @dev...
swapFrom() accepts fee-on-transfer tokens and _setReserves doesn't revert
Lines of code Vulnerability details Impact The protocol supports fee-on-transfer tokens through a dedicated function, and intends the normal swapFrom function to reject them and revert, as stated in the comments of swapFrom: @dev MUST revert i...
The merkle tree might be revoked again after being used to claim rewards.
Lines of code Vulnerability details Impact The merkle tree might be revoked again after being used to claim rewards. Proof of Concept The governor can revoke the merkle tree using revokeTree. function revokeTree() external onlyGovernorOrGuardian { if (disputer != address(0)) revert UnresolvedDispute();...
doRebalance in Talos is vulnerable to flash loan attacks, resulting in loss of funds
Lines of code Vulnerability details Impact Loss of funds due to MEV sandwich attacks. Proof of Concept Rebalancing is done using the doRebalance method in TalosStrategySimple. File: TalosStrategySimple.sol function doRebalance() internal override returns (uint256 amount0, uint256 amount1) int24...
Behaviour of Distributor when user appears in multiple merkle trees
Lines of code Vulnerability details Impact To avoid that a user can claim the same amount multiple times, the following code is used: uint256 toSend = amount - claimedusertoken.amount; However, the Distributor contract supports updating the merkle tree via updateTree. But because the claimed...
Missing require statements in onlyRole/checkRole modifiers
Lines of code Vulnerability details In LybraConfigurator.sol, there are two modifiers, checkOnlyRole and checkRole from GovernanceTimelock, designed to verify whether the msg.sender is authorized. However, these modifiers lack "require" statements to enforce the condition that the returned boolea...
The Swap action will always fail if the value of the deposited IBC asset is less than the value of autoSwapThreshold Canto
Lines of code Vulnerability details Impact The Swap action will always fail if the value of the deposited IBC asset is less than the value of autoSwapThreshold Canto. This is not a bug, but it is very inconvenient for users and makes the goal of the onboarding module fail. Let's assume that: 1 Canto = 0.1 USD...
Default coin spend limit was set wrong for ETH
Lines of code Vulnerability details Impact It is stated in the README that spend limits are configured for the swaps. This is a security precaution to avoid spending too many tokens for the default 4 CANTO tokens used to onboard users whose balance is less than 4 tokens. As a...
Doesn't handle the case where the returned reservePool is nil
Lines of code Vulnerability details Impact inputReserve and outputReserve are obtained from the reservePool return value. However, reservePool could be nil, and since this is not handled or checked it results in inaccurate inputReserve and outputReserve values. Proof of Concept inputReserve and outputReserve are obtained usin...
Using transferFrom on ERC721 tokens transfer
Lines of code Vulnerability details Impact The transferFrom method is used instead of safeTransferFrom which is not recommended. It can result in loss of NFT if the address is not able to handle the received NFT. OpenZeppelin’s documentation discourages the use of transferFrom, use safeTransferFr...
Lack of reentrancy protection in L1ERC721Bridge.sol
Lines of code Vulnerability details Summary Calling IERC721.transferFrom in L1ERC721Bridge.initiateBridgeERC721 after writing the deposit makes a reentrancy attack possible if there is a callback before the transfer in the localToken contract (we will name such a contract ERC721Callback)...
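The re-entry path this finding describes, as an added example that is not the Optimism bridge code: a simplified bridge that records a deposit and then calls transferFrom on an untrusted localToken, a token contract (named ERC721Callback as in the finding) whose transferFrom calls straight back into the bridge, and a guarded variant that closes the path with a reentrancy lock. The bridge contracts, the nesting counter used to make the re-entry observable, and the remoteToken/tokenId values are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import {Test} from "forge-std/Test.sol";

interface IERC721Minimal {
    function transferFrom(address from, address to, uint256 tokenId) external;
}

interface IBridgeLike {
    function initiateBridgeERC721(address localToken, address remoteToken, address to, uint256 tokenId) external;
}

/// Added example, not L1ERC721Bridge.sol. The deposit is recorded (effect) and then
/// the NFT is pulled with transferFrom (interaction); localToken is caller-supplied
/// and therefore untrusted, so control passes to arbitrary code while this call is live.
contract BridgeUnguarded {
    mapping(address => mapping(address => mapping(uint256 => bool))) public deposits;
    uint256 public activeCalls; // live initiateBridgeERC721 frames (instrumentation for the example)
    uint256 public maxNesting;  // deepest nesting observed

    function initiateBridgeERC721(address localToken, address remoteToken, address to, uint256 tokenId)
        external
        virtual
    {
        _bridge(localToken, remoteToken, to, tokenId);
    }

    function _bridge(address localToken, address remoteToken, address to, uint256 tokenId) internal {
        require(to != address(0), "bad recipient");
        require(!deposits[localToken][remoteToken][tokenId], "already bridged");
        deposits[localToken][remoteToken][tokenId] = true;
        activeCalls++;
        if (activeCalls > maxNesting) maxNesting = activeCalls;
        // untrusted external call: a malicious token can call back into this contract here
        IERC721Minimal(localToken).transferFrom(msg.sender, address(this), tokenId);
        activeCalls--;
    }
}

/// Same logic behind a reentrancy lock: the nested call reverts before touching state.
contract BridgeGuarded is BridgeUnguarded {
    uint256 private _lock = 1;

    modifier nonReentrant() {
        require(_lock == 1, "reentrant call");
        _lock = 2;
        _;
        _lock = 1;
    }

    function initiateBridgeERC721(address localToken, address remoteToken, address to, uint256 tokenId)
        external
        override
        nonReentrant
    {
        _bridge(localToken, remoteToken, to, tokenId);
    }
}

/// A "token" whose transferFrom re-enters the bridge once, for a second tokenId,
/// while the first deposit is still in flight.
contract ERC721Callback {
    IBridgeLike public immutable bridge;
    bool private reentered;

    constructor(IBridgeLike bridge_) { bridge = bridge_; }

    function transferFrom(address, address, uint256 tokenId) external {
        if (!reentered) {
            reentered = true;
            bridge.initiateBridgeERC721(address(this), address(0xBEEF), address(this), tokenId + 1);
        }
    }
}

contract BridgeReentrancyTest is Test {
    function test_UnguardedBridgeAdmitsNestedCall() public {
        BridgeUnguarded bridge = new BridgeUnguarded();
        ERC721Callback token = new ERC721Callback(IBridgeLike(address(bridge)));
        bridge.initiateBridgeERC721(address(token), address(0xBEEF), address(this), 1);
        assertEq(bridge.maxNesting(), 2); // a second frame ran inside the first
        assertTrue(bridge.deposits(address(token), address(0xBEEF), 2));
    }

    function test_GuardedBridgeRejectsNestedCall() public {
        BridgeGuarded bridge = new BridgeGuarded();
        ERC721Callback token = new ERC721Callback(IBridgeLike(address(bridge)));
        vm.expectRevert(bytes("reentrant call")); // inner revert bubbles up through transferFrom
        bridge.initiateBridgeERC721(address(token), address(0xBEEF), address(this), 1);
    }
}
```

The lock is the cheap, general fix; the other half of the defence is treating a caller-supplied token address as untrusted throughout, so that nothing after the external call (here, only the counter) depends on assumptions the callee could have broken.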
LES (Light Ethereum Subprotocol) doesn't forward the transaction to the sequencer
Lines of code Vulnerability details Impact LES (Light Ethereum Subprotocol) doesn't forward the transaction to the sequencer when receiving it over RPC. Proof of Concept When a user submits a transaction to an op-geth node in validator/verifier mode, the node sends the transaction to the sequencer; if no...
selfdestruct(self) does not clear balance
Lines of code Vulnerability details Impact The balance is stored in the OVMETH contract: function opSuicide increments it, then Suicide does not change it, and at the end of the function it is decremented, which means it is never changed. Proof of Concept // SPDX-License-Identifier: GPL-3.0 pragma solidit...
NodeOperator will steal other NodeOperators' validators through frontrunning
Lines of code Vulnerability details Impact People who want to earn staking rewards but do not have the resources to run validators will see Stader as an avenue where they can easily steal and use others' validators, and they will actually earn operator rewards from Stader. This could lead to two...
Rage quitting availability cannot be reliably guaranteed
Lines of code Vulnerability details Impact The host can block specific rage quits, invalidating some of the security offered by the rage quit functionality. Proof of Concept Rage quitting is only allowed before rageQuitTimestamp or if permanently enabled: // Check if ragequit is allowed. uint40...
Incorrect setting of sqrtPriceLimitX96 in protocol
Lines of code Vulnerability details Impact The pool.swap call in swap attempts to execute a swap. As in the code below, sqrtPriceLimitX96 is set based on the value of projectTokenIsZero. If projectTokenIsZero is true, sqrtPriceLimitX96 is set to TickMath.MAX_SQRT_RATIO - 1; otherwise, it i...
Upgraded Q -> 2 from #404 [1684435083624]
Judge has assessed an item in Issue 404 as 2 risk. The relevant finding follows: Global Budget Constraint is said to be 2% in Docs But It Is 3% in The code Description: In the docs it is mentioned that Global Budget Constraint should be 2% but in the code here it is hardcoded to 3%. --- The text...
USDC blacklisted accounts can DOS the bidding system in Shortfall
Lines of code Vulnerability details Impact The Shortfall contract is used to clear off any pool bad debt via auction. If the debt reaches its minimum value, anybody can start the auction and place a bid. An attacker can bid with tokens, e.g. USDC or USDT, that have a contract-level admin-controlled...
Users may lose rewards
Lines of code Vulnerability details Impact In RewardsManager.sol we have the claimRewards function: function claimRewards(uint256 tokenId, uint256 epochToClaim) external override { StakeInfo storage stakeInfo = stakes[tokenId]; if (msg.sender != stakeInfo.owner) revert...
Division by zero vulnerability in the _calculateNewRewards function
Lines of code Vulnerability details Impact The _calculateNewRewards function performs a division by totalInterestEarnedInPeriod, which could be zero, resulting in a division-by-zero error that causes the smart contract to behave...
It is not possible to create or execute new extraordinary proposals after 10 funded Extraordinary Proposals
Lines of code Vulnerability details Impact With each executed proposal the value of getMinimumThresholdPercentage increases, so that when trying to create a new proposal or execute an existing one, getMinimumThresholdPercentage exceeds 1e18 and we hit an underflow error via...
Integer Overflow in executeExtraordinary Function.
Lines of code Vulnerability details Impact The executeExtraordinary function casts a uint128 value to a uint256 value, which could lead to an integer overflow vulnerability. An attacker can provide a large uint128 value that exceeds the maximum value for uint256, causing the value to overflow and...
PositionManager's moveLiquidity can freeze funds by removing destination index even when the move was partial
Lines of code Vulnerability details positionIndex.remove(params.fromIndex) removes the PositionManager entry even when the IPool(params.pool).moveQuoteToken(...) call results in only a partial removal. I.e. it is correct to do fromPosition.lps -= vars.lpbAmountFrom, but the resulting amount might no...
Use of block.timestamp
Lines of code Vulnerability details Impact Block timestamps have a purpose for a variety of applications, such as entropy for random numbers see the Entropy Illusion for further details, locking funds for periods of time, and various state-changing conditional statements that are time-dependent...
Gas stipend of 2300 in staticcall function causes contract failure
Lines of code Vulnerability details Impact The Merkle library's staticcall function contains a vulnerability that could lead to the failure of the entire operation if the invoked external contract exceeds the provided 2300 gas stipend. An attacker could leverage this vulnerability to launch a...
Insecure Ownership Management in DNSSECImpl.sol
Lines of code Vulnerability details Impact This finding highlights a potential security risk related to the lack of safeguards when changing ownership in the DNSSECImpl.sol contract. As it stands, the current implementation allows the owner to be set to address(0), which could result in the los...
Positions can be created to mint unlimited tokens and still run off with the provided collateral.
Lines of code Vulnerability details Impact Brief Introduction A compromised position can be used to mint tokens up to the limit. The attacker can also withdraw this collateral. Hence, the attacker can mint tokens against his collateral and withdraw his collateral at the same time. Explanation...
Oracle could possibly flag stolen NFT after the NFT already was sold to the pool which leads to non-trivial impact
Lines of code Vulnerability details Impact Stolen NFT oracle is used to check if an NFT is stolen. It depends on ReservoirOracle. Check However, a stolen NFT could still be sold to the pool if it was flagged too late for whatever reason. The issue is that the pool allows buying stolen NFTs. This ...
NonceHolder.setValueUnderNonce does not check if the nonce has been used before
Lines of code Vulnerability details Impact Already used nonces or the nonces less than the specified minimal nonce can be used by the NonceHolder.setValueUnderNonce function. It can lead to some unique conflicts and even replay attacks on some of dapps which are based on the values under nonces...
Multiplier must be capped to prevent expected payout exceeding ticket price
Lines of code Vulnerability details Impact The expected payout may be greater than the ticket price, bankrupting the lottery. Proof of Concept ticketsSold determines the multiplier used when calculating non-jackpot rewards. LotteryMath.sol L84: bonusMulti += excessPot * EXCESS_BONUS_ALLOCATION /...
A Malicious Borrower can drain ActivePool
Lines of code Vulnerability details Impact Any borrower can take any amount of collateral and the pool gets drained; in this case the system's TCR will go far below the CCR, putting the whole system at risk of a dangerous recovery mode and possibly causing a total crash of the system. Proof of...
Upgraded Q -> 3 from #268 [1677186221526]
Judge has assessed an item in Issue 268 as 3 risk. The relevant finding follows: code423n4 commented on Jan 17 Lines of code Vulnerability details Impact As there is no callback in Seaport 1.1. When listing on OpenSea, Astaria adds an additional item to be received along with payment token. It is...