burn() and borrow() in LendingPool are very likely to revert due to insufficient cash and could be triggered maliciously
Lines of code Vulnerability details Impact Users might not always be able to burn or borrow due to being front-run by other borrow or burn calls, potentially in a malicious manner so funds don't leave the LendingPool. Proof of Concept This attack could happen frequently because the health of a...
wLp tokens could be stolen
Lines of code Vulnerability details PosManagerremoveCollateralWLpTo function allows users to remove collateral wrapped in a wLp token that was previously supplied to the protocol: File: PosManager.sol 249: function removeCollateralWLpTouint posId, address wLp, uint tokenId, uint amt, address...
Using block.timestamp as the deadline/expiry invites MEV
Lines of code 307 Vulnerability details Passing block.timestamp as the expiry/deadline of an operation does not mean "require immediate execution" - it means "whatever block this transaction appears in, I'm comfortable with that block's timestamp". Providing this value means that a malicious mine...
Calls to get_virtual_price() are vulnerable to read-only reentrancy
Lines of code 117 Vulnerability details getvirtualprice was originally considered to be a manipulation-resistant price - suitable as a price oracle, but it was later found to be vulnerable to a read-only reentrancy attack, where the Curve contract could be put into a partially-modified state, and...
Upgraded Q -> 2 from #677 [1702060237936]
Judge has assessed an item in Issue 677 as 2 risk. The relevant finding follows: L-04 Deposited amounts in the EigenLayer strategy should be checked before updating the strategy for the asset Users deposit in this protocol and the protocol deposits these funds to EigenLayer strategy contracts...
Incorrect Condition for Validating Input and Output Tokens in CurveTricryptoAdapter::_determineComputeType Function
Lines of code Vulnerability details Impact The contract contains a bug in the determineComputeType function, where the condition for checking if the input and output tokens are valid for swapping is incorrect. This bug may lead to unexpected behavior and incorrect computation of the compute type...
Slippage Handling
Lines of code Vulnerability details Impact The primitiveOutputAmount function reverts the transaction if the output amount is less than the minimumOutputAmount, which is a strict slippage protection. This could lead to failed transactions due to normal price fluctuations in the Curve pool. Proof ...
Incorrect Decimals Conversion in Curve2PoolAdapter::primitiveOutputAmount Function
Lines of code Vulnerability details Impact The bug in the primitiveOutputAmount function can lead to incorrect decimal conversions when calculating the rawInputAmount. The rawInputAmount is calculated using the convertDecimals function, but the decimals parameter passed to convertDecimals is...
Withdraws will be bricked if the curve pool gets killed
Lines of code Vulnerability details Impact Liquidity will be locked forever since there is no interface to remove it. Proof of Concept Curve pools have a killed parameter that allows an admin to kill the pool, suspend all deposits, swaps, and single token withdrawals, and then only allow for taki...
Unchecked redeemUnderlying failure allows burning asD without redeeming NOTE, breaking peg.
Lines of code Vulnerability details Impact The burn function does not validate the return code from redeemUnderlying. This means if redeeming fails, asD tokens could be burned without redeeming the underlying NOTE, breaking 1:1 peg. Attacker burns asD tokens and receives NOTE, but contract fails ...
Reentrancy leads to minting/burning/buying without paying the correct amount of fees
Lines of code Vulnerability details Impact Fee calculations depends on shareDataid.tokenCount, which is updated AFTER doing the transfer of token. That means, if the token is an ERC777 compatible token, users can reenter the function paying, for example, less fees on a buy operation. Proof of...
rsETH can return incorrect price because of future EigenLayer strategies
Lines of code Vulnerability details Impact How currently rsETH price is calculated? totalEthLocked is divided by rsETH supply. How totalEthLocked is calculated? It sums 3 amounts per every asset: 1 balance of LRTDepositPool.sol, 2 balance of all node delegators, 3 already deposited amount of asse...
ChainLink's latestAnswer is deprecated
Lines of code Vulnerability details Impact Chainlink's documentation indicates that the latestAnswer function is deprecated. This function lacks reversion if no answer is obtained, instead returning 0. Additionally, the reported latestAnswer varies with 18 decimals for some token quotes and 8...
Too small deposits will result in no rsEth mint for the
Lines of code Vulnerability details Impact User will get nothing if the deposit amount is too small. Proof of Concept The getRsETHAmountToMint is for getting the conversion rate of asset to rsEth. /// @return rsethAmountToMint Amount of rseth to mint function getRsETHAmountToMint address asset,...
_blockAccount doesn’t transfer asset correctly getting portion of funds locked permanently
Lines of code Vulnerability details Description When blockAccount is called and the account that is getting blocked has balance in the market, escrow contract is created and balance of the user is transferred to this contract by updating accounts mapping. When the account is unsanctioned, the...
During Safe Transfer, the Receiving User Loses Control of the Safe, Resulting in the Safe Being Lost
Lines of code Vulnerability details Impact Assuming a user wants to transfer their safe NFT to another user, post transfer Vault721::afterTokenTransfer is triggered. This function in turn calls the IODSafeManager::transferSAFEOwnership function to complete the transfer. The problem here is, that...
correct use of safeAllowed modifier
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used Recommended Mitigation Steps function...
repayAllDebt joins system tokens to the proxy not to the Safe contract
Lines of code Vulnerability details Impact repayAllDebt now calls joinSystemCoins with dest = addressthis, which in case a proxy makes a delegated call to this function will cause the user's tokens to be transferred to its proxy, then in CoinJoin.join it will transfer internal coins from CoinJoin...
Inherit a wrong contract - Authorizable.sol.
Lines of code Vulnerability details Risk rating high Title Inherit a wrong contract - Authorizable.sol. Vulnerability Details Impact By an untrust account, the system could be invaliable. Proof of Concept The Authorizable.soladdAuthorization and Authorizable.solremobeAuthorization functions as...
Enabled modules after being activated cannot subsequently be disabled
Lines of code Vulnerability details Impact Modules are third party accounts and they have some level of access to the GnosisSafe depending on configuration by the account owner. Therefore, they are created and assigned by account owners and they can execute transactions independently but they...
ExecutorPlugin.executeTransaction() is prone to cross-chain replay attacks.
Lines of code Vulnerability details The function executeTransaction is used by executors to validate and execute transactions via a module transaction. the function takes in the input ExecutionRequest and does no validation of the msg.sender. therefore this creates an opening in which a malicious...
A malicious actor can Block stuff the chain until the validator signature expires.
Lines of code Vulnerability details Impact The signature of a validator is time bound of which after the expiration period the transaction becomes invalid, a malicious user might notice a time bound transaction made by the sub account and decide to block stuff the network until the validator...
Possibility of security vulnerabilities introduced by creating ERC20ProxyDelegator instances on the fly using static salt values
Lines of code Vulnerability details Impact Security risks associated with deploying proxy contracts via deterministic addresses that can be easily calculated. In deployProxyDelegatorIfNeeded, in the case that extcodesizeproxyAddress == 0, then a proxy contract is instantiated ad hoc via new...
Lack of array length validation in delegateMulti() can lead to errors.
Lines of code Vulnerability details Impact There is no validation that the sources, targets, and amounts arrays passed to delegateMulti are the same length. This could cause issues with iterating through the arrays. Proof of Concept In the delegateMulti function. function delegateMulti uint256...
Lack of validation in accrued index allows excess rewards claim.
Lines of code Vulnerability details Impact Mapping tickTrackingIndexAccruedUpTo tracks the index up to which rewards have been accrued for a position. However, there is no validation that this index is incremented properly and stays in sync with tickTracking. An attacker could manipulate the...
The current vlCVX balance is not frozen when withdrawal has been requested
Lines of code Vulnerability details Vulnerability Details After some deposits/withdrawals being made by users, the following edge case might occur: Let's say, n = totalLockedBalancePlusUnlockable, before iterating over the lockedBalances. t1 = lockedBalance0.unlockTime t2 =...
M-04 Unmitigated
Lines of code Vulnerability details Impact The previously identified vulnerability of potential rounding issues during reward calculations has not been fully mitigated. The current strategy to keep remainders and use them in subsequent claimAndSyncRewards calls does not adequately address the iss...
Last stakers may not receive funds back
Lines of code Vulnerability details Impact Last stakers may not receive funds back. Proof of Concept When user wants to withdraw, then he needs to initiate requestWithdraw. As some part of funds are locked as cvx token inside vlcvx that means that they should be withdrawn. When you lock cvx then...
Attacker can mint afEth with cheaper price
Lines of code Vulnerability details Impact Attacker can mint afEth with cheaper price and then withdraw. Proof of Concept When user would like to buy some amount of afEth tokens, then price is calculated. This price will be used to calculate amount of tokens to mint. function price public view...
Vulnerability: An Attacker can steal Tranche Tokens and Drain the Pool / Contract: InvestmentManager.
Lines of code Vulnerability details Impact An Attacker can mint Tranche Tokens for free and use them to Drain the Pool and steal the user's money. Proof of Concept Let's imagine that some users deposit money in the pool and mint tranches but they didn't redeem/withdraw their tokens, one of the...
An attacker can use the flashloan function with an invalid collateral asset
Lines of code Vulnerability details Impact Function flashloan - allows delegate token owner or approved operator to borrow their underlying tokens for the duration of a single atomic transaction. The function uses Structs.FlashInfo calldata info as an input parameter. Failure to call...
Compound charges are sent to GeVault, making them potentially vulnerable to theft
Lines of code Vulnerability details Impact In the previous version, the compound fee would be saved in the TokenisableRange before being deposited into LP, and would be deposited into LP after reaching 1%. After reconstruction, the fees are sent directly to GeVault for distribution through getTVL...
Non-standard ERC20 tokens are not supported
Lines of code Vulnerability details Impact The issue here is that some non-standard ERC20 tokens can have fee-on-transfer Proof of Concept The issue here is that some non-standard ERC20 tokens can have fee-on-transfer, so it could cause a problem that the protocol will lose tokens on each call...
Wrong input hash given to decodeType function in CreateOffererHelpers library
Lines of code Vulnerability details Impact The RegistryHashes.decodeType function is supposed to take a specific bytes32 hash as input with an encoded token type in the last bytes to know token type is used, but when this function is called in the CreateOffererHelpers library it is given a simple...
lack of address(0) check for oracle address
Lines of code Vulnerability details Impact no oracle no updated prices. Not sure what happens if try to call getPrice in this scenario, but IF it returns price of zero, then number of tokens from getRUSDYByShares will be zero for any amount of USDY shares... Proof of Concept Tools Used Recommende...
Tokens transferred with bridge can get lost if destination transaction can’t be executed
Lines of code Vulnerability details Impact User could lose his tokens if the tx on the destination chain fails/reverts. There is no option to recover the tokens on source chain. Revert could be caused by function attachThreshold. This function finds the correspondence between the amount and threshold...
M-08 Unmitigated
Lines of code Vulnerability details The original issue M-08: Return value of low level call not checked, in scope for the mitigation review, was not acted upon, most likely overlooked during the fixing phase. Assessed type call/delegatecall
Bond Redemption is lower than intended
Lines of code Vulnerability details Impact Bonds redemption does not correspond to protocol intention leading to lesser ETH redeemed Proof of Concept Once the bond reaches maturity and the user initiates the redemption process by calling "redeem," it's possible for the user to receive a gain that...
Zero Amount Check Missing in reLP function
Lines of code Vulnerability details Impact If amount is 0, the reLP function will still execute all its operations, including external contract calls, which consume gas. This could lead to unnecessary gas costs for the caller. In a worst-case scenario, if this function is called repeatedly with...
A difference in the rDPX price between the oracle and DEXs used for trading can cause more slippage than expected
Lines of code Vulnerability details Impact The protocol will experience much higher slippage than supposed to due to using the wrong price in calculating the amount after slippage. Proof of Concept The protocol executes swaps on Uniswap and Curve. The issue arises due to the protocol using its ow...
Overwriting rdpxAmount Without Checks
Lines of code Vulnerability details Impact The decreaseAmount function, specifically the line bondsbondId.rdpxAmount = amount;. This vulnerability allows overwriting the rdpxAmount without any checks or backups, which can result in irreversible data loss. function decreaseAmount uint256 bondId,...
RDPX price manipulation benefit for attacker via a Flashloan attack
Lines of code Vulnerability details Impact As the RdpxV2Core contract burns RDPX tokens, a malicious attacker can benefit from a price manipulation attack using a flashloan attack Proof of Concept The function bond in the RdpxV2Core contract is a primary function to enter the protocol and bond...
GaugeController.remove_gauge() may indefinitely trap user voting power
Lines of code Vulnerability details Impact Users will permanently lose voting power equal to their power used to vote in the removed gauge unless the gauge is re-added and users re-vote to remove their voting power from the gauge. Proof of Concept GaugeController.sol does not have any function fo...
replaceMember and rotateMember redundancy
Lines of code Vulnerability details Impact The replaceMember and rotateMember functions have identical functionality which may lead to redundancy and confusion. Proof of Concept Both the replaceMember and rotateMember functions essentially perform the same action: replacing a current member...
Hardcoded slippage of 95% may not be ideal if liquidity is low or during market volatility, may result in revert when depositing or withdrawing
Lines of code Vulnerability details Impact Larger Deposits and/or withdraw may not work with a 95% slippage parameter. If there are many swaps going on, the slippage should be less restrictive to allow for deposits/withdraws. Proof of Concept In TokenisableRange.sol, the slippage is hardcoded at...
Vulnerability: Donation Attacks can Cause Loss of Liquidity and/or Undesired Prices Rebalance / Contract: GeVault / Function: withdraw
Lines of code Vulnerability details Impact Donation attack can cause loss of users liquidity or undesired tick rebalance by price manipulation. Proof of Concept An attacker can cause constant rebalancing, instability, and along with the vulnerability of slot0 in the getTokenAmountsExcludingFees...
swapExactAmountOut() no deadline protection
Lines of code Vulnerability details Impact No deadline protection, users may suffer losses Proof of Concept LiquidationRouter.swapExactAmountOut is used to swap tokens. However, currently only amountInMax slippage protection is provided, and not deadline protection like the common AMMS protection...
REENTRANCY
Lines of code Vulnerability details Impact In a Re-entrancy attack, a malicious contract calls back into the calling contract before the first invocation of the function is finished. This may cause the different invocations of the function to interact in undesirable ways, especially in cases wher...
The RngRelayAuction::rngComplete() function can be called by anyone (malicious actor) causing that the draw will be closed using a malicious random number
Lines of code Vulnerability details Impact The rngComplete function is called by the RngAuctionRelayerDirect contract or the RngAuctionRelayerRemoteOwner contract. The rngComplete function receives the RNG results from the rng auction. The problem here is that the rngComplete function can be call...