10190 matches found
Use of wrong Library file directory
Lines of code Vulnerability details Impact Importing the wrong library file path in the Vault Factory contract can pose several risks: Functionality Issues: If you import the wrong library, the functions and features you expect to use may not be available or may behave differently. This can lead ...
_execBuyNftFromMarket() Need to determine if NFT can't already be in the contract
Lines of code Vulnerability details Impact Use other Lien's NFTs for repayment Proof of Concept execBuyNftFromMarket Whether the NFT is in the current contract after buy, to represent the successful buy of NFT function execBuyNftFromMarket address collection, uint256 tokenId, uint256 amount,...
Borrower cannot stop loss when fungibility breaks
Lines of code Vulnerability details Impact When the borrower cannot repay with NFT he will be forced to forsake his entire credit. This situation can be deliberately instigated by the lender. Proof of Concept A borrower can only leave his position by returning an NFT buyNftFromMarket or...
accept() can be delayed or gas-griefed by burning a governance NFT
Lines of code Vulnerability details Impact Rage quitting or burning a token will set the lastBurnTimestamp to the current block's timestamp. This disables accept for the rest of the transactions in the block. This bug can be abused to either gas-grief or delay acceptance of proposals long enough...
SignatureValidator.recoverAddrImpl for mode Multisig checks only the last value is different to zero address
Lines of code Vulnerability details Description Current implementation when mode == SignatureMode.Multisig only checks that the last time signer is calculated is different from zero address. The variable signer is overwritten with a new value, based on the previous value and the current signature...
WETH transfer may fail silently in 'uniswapV3SwapCallback' function and execution may stop without any reverts or notification.
Lines of code Vulnerability details Impact WETH transfer may fail silently in 'uniswapV3SwapCallback' function and execution may stop without any reverts or notification. Proof of Concept In the 'uniswapV3SwapCallback' function There are no checks if the WETH transfer has failed or not. If the...
ETH CAN GET LOCKED IN THE CONTRACT DURING THE EXECUTION OF _swap() FUNCTION
Lines of code Vulnerability details Impact In the JBXBuybackDelegate delegate contract, if the swap option is selected after comparing the quote, the JBXBuybackDelegate.swap function will swap the data.amount.value amount of ETH in the following pool.swap call. try pool.swap recipient: addressthi...
the blocksPerYear for the WhitePaperInterestRateModel is set incorrectly
Lines of code Vulnerability details Impact the blocksPerYear is set to 2102400 in the WhitePaperInterestRateModel this should be equal to number of blocks per year that is assumed by the interest rate model, but the number of block is set incorrectly and it's not equal to block per year. Proof of...
Comptroller.sol#liquidateCalculateSeizeTokens assumes the same precision for vTokenBorrowed and vTokenCollateral
Lines of code Vulnerability details Impact File: Comptroller.sol 1099 uint256 exchangeRateMantissa = VTokenvTokenCollateral.exchangeRateStored; // Note: reverts on error 1100 uint256 seizeTokens; 1101 Exp memory numerator; 1102 Exp memory denominator; 1103 Exp memory ratio; 1104 1105 numerator =...
_updateBucketExchangeRates could possibly revert
Lines of code Vulnerability details Impact updateBucketExchangeRates will not work correctly and would revert in case totalBurnedLatest totalBurnedAtBlock causing DOS for the users when they try to claimRewards, moveStakedLiquidity, stake or unstake. Proof of Concept When the curBurnEpoch doesn't...
Failure to Check for Existence Before Removal
Lines of code Vulnerability details Impact The moveLiquidity function as described. If the positionIndex.removeparams.fromIndex function call returns false, it means that the specified index was not present in the positionIndex set, and the RemovePositionFailed error is not actually applicable in...
_deployPod() is using hardcoded salt value which can cause issues
Lines of code Vulnerability details Impact deployPod is deploying pod but there is a hardcoded salt value of 0 which can cause issue Proof of Concept There is a risk of address collisions if two different users call the deployPod function with the same input parameters at the same time. This coul...
Upgraded Q -> 2 from #198 [1683053533286]
Judge has assessed an item in Issue 198 as 2 risk. The relevant finding follows: L2 - Royalty payment is unfair
Vulnerability in Keccak Function Used for Equality Check in equals() Function.
Lines of code Vulnerability details Impact The BytesUtils library is using Keccak function to check for equality in the equals function. This is a security concern since the Keccak function is vulnerable to hash collisions, which could allow a malicious user to create an input that matches a...
Position.sol: usage of an incorrect version of Ownable library can potentially malfunction all onlyOwner functions
Lines of code Vulnerability details Impact // From https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/access/Ownable.sol The current implementation is using a non-upgradeable version of the Ownable library instead of the upgradeable version:...
User minting FPS can get grieved by equity loss event
Lines of code Vulnerability details minting in onTokenTransfer handles the case equity = MINIMUMEQUITY, "insuf equity"; // ensures that the initial deposit is at least 1000 ZCHF 245: 246: // Assign 1000 FPS for the initial deposit, calculate the amount otherwise 247: uint256 shares = equity =...
InitialETHCrowdfund + ReraiseETHCrowdfund: Gatekeeper checks wrong address
Lines of code Vulnerability details Impact This vulnerability exists in both the InitialETHCrowdfund and ReraiseETHCrowdfund contracts in exactly the same way. I will continue this report by explaining the issue in only one contract. The mitigation section however contains the fix for both...
The first stake is possible after endTime
Lines of code Vulnerability details Impact Users can stake after endTime due to the wrong check. Proof of Concept When a user stakes LP tokens using MuteAmplifier.stake, stake is not allowed after endTime which is set in initializeDeposit by an admin. requireblock.timestamp endTime,...
There is a race condition between MuteBond#setEpochDuration() and MuteBond#deposit()
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. There is a race condition between MuteBond#setEpochDuration and MuteBond#deposit. The issue is that when a new EpochDuration is set, it will take effect immediately, which will affect the bond price. As a...
Reth slippage and fee stealing
Lines of code Vulnerability details Impact The Reth derivative contract calculates the maximum slippage for buying rETH from the Uniswap V3 pool by using the current price in the pool at runtime, without considering the price at which the user submitted the transaction to the mempool: uint...
[H-01] RETH oracle manipulation allows attacker to steal funds
Lines of code Vulnerability details Impact The Asymmetry SafEth protocol aims to help diversify and decentralize liquid staking derivatives, exchanging ether staked in the protocol for staked ether derivative tokens based on some relative weighting. A function exposed by these derivative wrapper...
Zero value used for sqrtPriceLimitX96
Lines of code Vulnerability details Impact In swapExactInputSingleHop in Reth.sol the sqrtPriceLimitX96 parameter is set to 0 which is useful for testing but can lead to price manipulation attacks. From the uniswap docs: In production, this value can be used to set the limit for the price the swa...
poolPrice in Reth.sol can overflow and revert
Lines of code Vulnerability details Impact To determine the value of sqrtPriceX96 that will cause an overflow, we need to analyze the calculation in the function: sqrtPriceX96 uintsqrtPriceX96 1e18 96 2 The maximum value for a uint256 is 2^256 - 1. An overflow occurs when the result of the...
The "totalRequiredBalance()" function in the TransactionHelper.sol library can compute address(uint160(_transaction.paymaster) as zero address even when _transaction.paymaster is non-zero
Lines of code Vulnerability details Impact A user may provide a non-zero entry for the "transaction.paymaster" field for a transaction to ensure they do not have to pay the gas fees. However, certain values of "transaction.paymaster" = 2^160 can result in addressuint160transaction.paymaster to be...
Default accounts cannot pay transaction fees due to DefaultAccount not calling MsgValueSimulator
Lines of code Vulnerability details Impact Default accounts cannot pay the transaction fees to the bootloader. It's not clear whether the attempts to do so will silently succeed or revert because the behaviour of the CALL opcode in the zkSync Era virtual machine isn't explained in the description...
Adding Multiple Blocks with the Same Timestamp Can Create Ambiguity in the Order of Blocks in the Blockchain Network
Lines of code Vulnerability details Impact Multiple blocks at the same timestamp creates ambiguity about the order in which these blocks should be added to the chain. This can cause inconsistencies in the state of the network and make it vulnerable to attacks such as double-spending. Proof of...
Unvalidated input in setManagerRight function
Lines of code Vulnerability details Impact The setManagerRight function takes managedRight and managerRight as inputs without validating them. This could potentially lead to unexpected results if the input values are not what the function expects. Tools Used Recommended Mitigation Steps Provide...
Rewards for the Staking.sol contract may be stolen via the first staker
Lines of code Vulnerability details Impact The return amount of the function rewardPerToken may be inflated for the first in the Staking.sol contract. Proof of Concept The Staking.sol contract is designed for the LOT token holders to be able to stake their native tokens. Thus, the token holders...
Wrong calculation in calculateNewProfit
Lines of code Vulnerability details Impact There is a wrong calculation of the cumulative net profit of the lottery, which affects the calculation of the excess pot and rewards per winning ticket including the jackpot in each draw. This vulnerability also leads to a Denial of Service of the Lotte...
Validator/miner can set Block timestamp to a draw scheduled date and buy winning ticket if drawCoolDownPeriod is set to zero
Lines of code Vulnerability details Impact Validators/Miners would always be able to get the Jackpot prize, compromising the protocol. Proof of Concept The following foundry test illustrates this behaviour. Essentially, if the cooldown period time before a draw during which it is not possible to...
Index of removed Trove is not updated
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. In the function removeTroveOwner in the TroveManager contract the Trovesborrowercollateral.arrayIndex is still equal to its previous index even though it has been removed from TroveOwners and therefore...
Integer Overflow & Underflow
Lines of code Vulnerability details Impact In the setYieldDistributionParams function, there is a danger of underflow or overflow of functionality. Owner calls the function and sets the values to be passed as uint256 for treasurySplit, SPSplit & stakingSplit. There is no check in place to ensure...
[NAZ-M2] ReaperVaultERC4626.sol doesn't fully conform to EIP4626 implementation
Lines of code Vulnerability details Impact Specifically the two function maxDeposit && maxMint don't fully conform to EIP4626 implementation. Proof of Concept Looking at the following from EIP4626: This assumes that the user has infinite assets, i.e. MUST NOT rely on balanceOf of asset. This goes...
Max approve will not work for tokens that do not support it
Lines of code Vulnerability details Impact Max approve does not work for all tokens types Proof of Concept Inside the ReaperBaseStrategyv4 contract initializers, the contract is doing a max approve for the vault over the underlying asset, however this will not work for all tokens types Tools Used...
KIBToken._transfer() did not correctly handle the case where from is the same as to
Lines of code Vulnerability details Impact Hackers can obtain any number of KIB tokens out of thin air. Using the stolen KIB tokens, the hacker could steal all the bonds in the KUMASwap by calling KUMASwap.buyBond, or steal all the deprecationStableCoin in the KUMASwap by calling...
Manipulation of livePrice to receive defaultIncentive in 2 consecutive blocks
Lines of code Vulnerability details Impact In StabilizerNode, the default behaviour when twap is below the lower peg threshold all transfers to the amm pool are blocked. However when usePrimedWindow = true, it will only block transfers for primedWindow = 10 blocks. After 10 blocks, the block...
Mitigation of M-03: Issue not fully mitigated
Lines of code Vulnerability details Original issue: M-03: Baited by redemption during undercollateralization no issuance, just transfer Explanation This is basically a dupe of M-04 as commented by the judge, I elaborated on this on the M-04 mitigation. TL;DR - using a boolean parameter to agree t...
Upgraded Q -> 2 from #533 [1676218902616]
Judge has assessed an item in Issue 533 as 2 risk. The relevant finding follows: Upgradeable contract is missing a gap50 storage variable to allow for new storage variables in later versions
FIRST ERC4626 DEPOSIT CAN BE EXPLOITED ON SHARE CALCULATION
Lines of code Vulnerability details Impact As also encountered by Uniswap V2 and other protocols, the first depositor of an ERC4626 vault can maliciously manipulate the share price by depositing as low as 1 wei of liquidity prior to deliberately inflating ERC4626.totalAssets to as high as 1:1e18...
Re-entrancy in MultiRewardStaking.claimRewards
Lines of code Vulnerability details Impact If an ERC-777 token is used as reward token for any Staking contract in the system, that reward token can be completely drained from the Staking contract. Proof of Concept Re-entrancy can be done in the MultiRewardStaking.claimRewards function because of...
Upgraded Q -> 2 from #621 [1675724705438]
Judge has assessed an item in Issue 621 as 2 risk. The relevant finding follows: L2 - mintReceipt function lacks a check to verify if the quest has already ended mintReceipt function missing check for ended quest. This could result in a scenario where a receipt is minted after the quest has ended...
Lack of double step transfer in admin modification in a upgradeable contract is dangerous
Lines of code Vulnerability details Lack of double step transfer in admin modification in a upgradeable contract is dangerous Summary Double step transfer of admin / ownership should be a must in upgradeable contracts Vulnerability Detail Admin is changed with changeAdmin that calls changeAdmin,...
Unprotected payable functions in Payment.sol
Lines of code Vulnerability details Impact In Payment.sol contract unwrapWETH and sweepToken functions are without any access control. They are public and don't validate that it's being called by any permissioned account. The result is that anyone can steal tokens. Proof of Concept 25:...
Modifier onlyMinter() implementation is faulty
Lines of code Vulnerability details The current implementation of the modifier onlyMinter will not revert because the "require" part is missing, therefore any user will be able to access the minting functions in RabbitHoleTickets.sol and RabbitHoleReceipt.sol. Impact Any user than the allowed...
withdrawFee() can be called multiple times by any user when quest has ended making it possible to drain contract and leave users unable to claim rewards
Lines of code Vulnerability details Impact The withdrawFee function in the Erc20Quest contract can be called multiple times. The modifier onlyAdminWithdrawAfterEnd is applied to the function which only makes it possible to call it after the end time of a quest. It should be noted that any user is...
Immutable variables should be checked against their default values
Lines of code Vulnerability details Impact It is very important to check whether the immutable variables are not equal to the default values because if Quest is created and when we pass a default value to a variable then it can't be changed and it can lead to a problem. Proof of Concept Suppose...
Mitigation of M-05: Issue not mitigated
Lines of code Vulnerability details The sponsor disputes the issue, but never follows up after judge's comments, so the same issue remains in the new code.
Integer Overflow Vulnerability in _addSplittable Function.
Lines of code Vulnerability details Impact splitsStorage.splitsStatesuserId.balancesassetId.splittable += amt; This vulnerability, if exploited, would allow an attacker to add a large amount of funds to a user's splittable balance, causing it to exceed the maximum value that the uint128 type can...
Only one GroupBuy can ever use USDT or similar tokens with front-running approval protections
Lines of code Vulnerability details The issue that is described in code-423n4/2022-12-tessera-findings37 was not mitigated and still applies like it is described there.
Enormous tokens can be minted by malicious user via reentrancy
Lines of code Vulnerability details Impact The function safeMInt that is used to mint new tokens, makes an external call to ERC721.sol's safeMint which contains a callback to the "to" address argument. checkOnERC721Receivedaddress0, to, tokenId, data safeMint lacks a reentrancy guard, a malicious...