Overwriting rdpxAmount Without Checks

Lines of code Vulnerability details Impact The decreaseAmount function, specifically the line bondsbondId.rdpxAmount = amount;. This vulnerability allows overwriting the rdpxAmount without any checks or backups, which can result in irreversible data loss. function decreaseAmount uint256 bondId,...

.The _newPosPrev/_newPosNext hints do not fully prevent invalid ordering when decreasing a delegate's stake.

Lines of code Vulnerability details Impact The contract could incorrectly deactivate or reward transcoders based on the invalid pool order. Proof of Concept When decreasing a delegate's stake with decreaseTotalStake, the contract calls transcoderPool.updateKey to update the delegate's position in...

Bond Redemption is lower than intended

Lines of code Vulnerability details Impact Bonds redemption does not correspond to protocol intention leading to lesser ETH redeemed Proof of Concept Once the bond reaches maturity and the user initiates the redemption process by calling "redeem," it's possible for the user to receive a gain that...

Utility per LP token can decrease in some cases.

Lines of code Vulnerability details Impact Utility per LP token can decrease in some cases. Proof of Concept The documentation in contest repo states that Within a timeslice a single block, no set of transactions swaps, deposits, withdrawals should result in a decrease of the utility per LP token...

Division before multiplication incurs larger precision loss

Lines of code Vulnerability details Impact There are couple of instance of using result of a division for multiplication while can cause larger precision loss. Proof of Concept In contract EvolvingProteus.sol, value of int128 two at line 709 is calculated by using ABDKMath64x64.divu function. The...

Upgraded Q -> 3 from #264 [1691857350267]

Judge has assessed an item in Issue 264 as 3 risk. The relevant finding follows: Let's see how it can be exploited. You can add this test to Withdraw.t.sol and run with forge test -vv --match-contract VaultWithdrawTest --match-test testWithdrawAllAssetsForHalfShares: function...

GaugeController.remove_gauge() may indefinitely trap user voting power

Lines of code Vulnerability details Impact Users will permanently lose voting power equal to their power used to vote in the removed gauge unless the gauge is re-added and users re-vote to remove their voting power from the gauge. Proof of Concept GaugeController.sol does not have any function fo...

Governor relay() functions can be used to bypass voting an directly run critical SecurityCouncilManager functions

Lines of code https://github.com/ArbitrumFoundation/governance/blob/c18de53820c505fc459f766c1b224810eaeaabc5/src/security-council-mgmt/governors/SecurityCouncilNomineeElectionGovernor.sol...

LendingLedger.sol sends ETH instead of CANTO

Lines of code Vulnerability details Impact In the documentations for the contest it is clearly stated that LendingLedger contract is expected to send CANTO to the user when they call the claim function but in reality it transfers ETH. This could be problematic if the user is a contract that expec...

TEST EDITING

Lines of code L1 Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used Recommended Mitigation Steps Assess...

Insufficient input validation can lead to loss of funds

Lines of code Vulnerability details Impact The VaultBooster.sol contract allows someone to liquidate tokens for a vault and improve the vault's chance of winning. The prizePool.prizeToken is set in the constructor and liquidationPair set in the setBoost function. However, the external deposit...

Vulnerability: Donation Attacks can Cause Loss of Liquidity and/or Undesired Prices Rebalance / Contract: GeVault / Function: withdraw

Lines of code Vulnerability details Impact Donation attack can cause loss of users liquidity or undesired tick rebalance by price manipulation. Proof of Concept An attacker can cause constant rebalancing, instability, and along with the vulnerability of slot0 in the getTokenAmountsExcludingFees...

REENTRANCY

Lines of code Vulnerability details Impact In a Re-entrancy attack, a malicious contract calls back into the calling contract before the first invocation of the function is finished. This may cause the different invocations of the function to interact in undesirable ways, especially in cases wher...

Too many rewards are distributed when a draw is closed

Lines of code Vulnerability details Impact A relayer completes a prize pool draw by calling rngComplete in RngRelayAuction.sol. This method closes the prize pool draw with the relayed random number and distributes the rewards to the RNG auction recipient and the RNG relay auction recipient. These...

rounding error can lead to DISABLE the system

Lines of code Vulnerability details Impact In RNGAuction.sol, openSequenceId if the difference between currentTime and sequenceOffset is less than the sequencePeriod, it will round to zero leading to all functions depending on its value to return false like canStartNextSequence, or even revert in...

swapExactAmountOut() no deadline protection

Lines of code Vulnerability details Impact no deadline protection , users may suffer losses Proof of Concept LiquidationRouter.swapExactAmountOut use for swap tokens. However, currently only amountInMax slippage protection is provided, and not deadline protection like the common AMMS protection...

The RngRelayAuction::rngComplete() function can be called by anyone (malicious actor) causing that the draw will be closed using a malicious random number

Lines of code Vulnerability details Impact The rngComplete function is called by the RngAuctionRelayerDirect contract or the RngAuctionRelayerRemoteOwner contract. The rngComplete function receives the RNG results from the rng auction. The problem here is that the rngComplete function can be call...

UNCHECKED TRANSFER

Lines of code Vulnerability details Impact Some tokens do not revert the transaction when transferFrom fails and returns False. Hence we must check the return value after calling the transfer or transferFrom function. Proof of Concept Check the last answer here: In short: Using...

The USDOMarketModule contract's lend function allows for dangerous call delegation

Lines of code Vulnerability details Impact The USDOMarketModule contract is a module that is used by the BaseUSDO contract to facilitate functionality for market actions. The module functionality is invoked through the invocation of a delegatecall within the BaseUSDO contract's executeModule...

Attacker can Steal all eths of WETHRouter.sol through redeem function

Lines of code Vulnerability details Impact An attacker can Steal eths through redeem function in WETHRouter.sol as you know the contract does the redeem process and redeem user mTokens to ETHs, and as you know we have the function of mint which is the opposite of this and users deposit ETH in ord...

initialize() function can manipulated by attacker

Lines of code Vulnerability details Impact initialize function in the FollowNFT.sol contract is external and everyone can call this function. comment in the code says: "This is called right after deployment by the LensHub, so we can skip the onlyHub check." But in this scenario, attacker can call...

Inaccurate implementation of ECDSA creates signature malleability

Lines of code Vulnerability details Impact The ecrecover function is an inherent cryptographic function within Solidity which enables the retrieval of the signer's address messages which have been signed with their private key. Of course, this is very important when it comes to verifying the...

treasury approveSmallSpending / MediumSpend / LargeSpend and small / medium / large transfer can be blocked

Lines of code Vulnerability details Impact treasury approveSmallSpending, approveMediumSpend and approveLargeSpend can be frontrunned Proof of Concept the AracheTreasury, there are three spending relate function: approveSmallSpend, approveMediumSpend, approveLargeSpend both of these function call...

User can drain all locked tokens during withdrawal and still retain their voting power

Lines of code Vulnerability details Impact In the NFTBaseVault.sol contract, a user can decide to withdraw all locked tokens by calling the withdraw... function until all locked funds are drained and the still retain their voting power. Proof of Concept if a user malicious or not decides not to...

StandardizedToken can be setup multiple times by anyone. Causing unlimited mint by anyone.

Lines of code Vulnerability details Impact StandardizedToken can be setup multiple times by anyone. Causing unlimited mint by anyone. Proof of Concept function setupbytes calldata params external override onlyProxy address distributor; address tokenManager; string memory tokenName; tokenManager,...

Users can abuse multicall feature on InterchainTokenService to steal contract funds

Lines of code Vulnerability details Impact Users can steal balance in InterchainTokenService to pay gas fees for remote chain calls through multicall in InterchainTokenService.sol. Proof of Concept User can send multiple calls at the same time on InterchainTokenService contract with the help of...

isTimeSafe and isTimeRangeSafe not implemented in the functions getBalanceAt and getTwabBetween

Lines of code Vulnerability details Impact The Natspec of both getBalanceAt and getTwabBetween functions indicates that they should implement the functions isTimeSafe and isTimeRangeSafe respectively to ensure that the queried timestamps are safe, but both functions don't implement them which can...

CONFIGURING ALLOWANCE TO ZERO FOR THE _previousLiquidationPair CAN BE FRONT RUN

Lines of code Vulnerability details Impact The Vault.setLiquidationPair is used to change the liquidationPair address to a new address. In the process it sets the allowance of the previousLiquidationPair to zero as shown below: if previousLiquidationPair != address0...

_getNextObservationIndex() Random use of timestamp to determine the currentTime can be manipulated bacause of dangerous strict equalities

Lines of code Vulnerability details Impact The use of strict equalities can be easily manipulated by an attacker. Miners may attempt to manipulate the timestamp. Proof of Concept File: TwabLib.sol Code Link: Code: if newestObservation.timestamp == currentTime File: TwabLib.sol Code Link: Code: if...

No access control on mintYieldFee

Lines of code Vulnerability details Impact Lack of access-control allows anyone to mint the yield fee to himself. Proof of Concept Vault.mintYieldFee does not restrict the recipient yield fees: function mintYieldFeeuint256 shares, address recipient external requireVaultCollateralized; if shares...

Lack of Access Control in withdrawTokens Function Allows Unauthorized Token Withdrawal

Lines of code Vulnerability details Impact withdrawTokens function lacks proper access control, enabling an attacker to exploit it and withdraw tokens from the escrow to an arbitrary address, since no access control check ensures that only the DAO contract can invoke this function, and as a resul...

Well.shift could suffer from front-running attack

Lines of code Vulnerability details Impact The usage of Well.shift is described in the comment: 2. Using a router with shift: WETH.transfersender=0xUSER, recipient=Well1 1 Call the router, which performs: Well1.shifttokenOut=DAI, recipient=Well2 DAI.transfersender=Well1, recipient=Well2 2...

Potential token duplication validation bypass

Lines of code Vulnerability details Impact Potential token duplication validation bypass Proof of Concept The loop statement in init function will check if there is duplicated token for a Well. function initstring memory name, string memory symbol public initializer ERC20Permitinitname;...

Flash loan price manipulation in Well.sol

Lines of code Vulnerability details Impact Line 214 of Well.sol calculates the price of tokens to tokens in the pool based on the balances at a single point in time. Pool balances at a single point in time can be manipulated with flash loans, which can skew the numbers to the extreme. The single...

getMerkleRoot() might return an unconfirmed root.

Lines of code Vulnerability details Impact Users might claim rewards using an unconfirmed merkle root. Proof of Concept getMerkleRoot returns the merkle root to claim the rewards. function getMerkleRoot public view returns bytes32 if block.timestamp = endOfDisputePeriod return tree.merkleRoot; el...

Read-only reentrancy is possible

Lines of code Vulnerability details Impact The agToken might be minted wrongly as rewards due to the reentrancy attack. Proof of Concept There are redeem/swap logics in the transmuter contract and all functions don't have a nonReentrant modifier. So the typical reentrancy attack is possible durin...

Incorrect Use of Equality Operator in addPartner and addVault Functions

Lines of code Vulnerability details Impact The addPartner and addVault functions in the PartnerManagerFactory contract are intended to add new partner managers and vaults respectively. These functions also assign a unique ID to each new partner manager and vault by storing them in the partnerIds...

Incorrect usage of Comparison Operator(==) instead of Asignment Operator(=) in PartnerManagerFactory

Lines of code Vulnerability details Impact The incorrect usage of comparison operator instead of an assignment operator in addPartner and addVault functions could lead to undesirable behaviour. While the mapping partnerIds and vaultIds are supposed to keep track of the IDs, due to the error, thes...

Liquidity providers may lose funds when initialising a strategy

Lines of code Vulnerability details Summary Liquidity providers may lose funds when initialising a strategy Vulnerability Detail Liquidity providers may lose a portion of provided liquidity in either of the pair tokens when creating a new position. The init function on TalosBaseStrategy.sol does...

Potential Integer Underflow/Overflow: The code uses the SafeCastLib library for type conversions, but it does not handle potential underflow or overflow situations.

Lines of code Vulnerability details Impact The potential integer underflow/overflow vulnerability in the code can lead to incorrect calculations, unexpected behavior, and potential security issues. Proof of Concept In the provided code, there are a few areas where potential integer...

Interactions with Pool do not use valid deadlines for operations

Lines of code Vulnerability details Impact Miner can potentially hold the transaction which results in loss of funds for users. Proof of Concept File: TalosBaseStrategy.sol liquidityDifference, amount0, amount1 = nonfungiblePositionManager.increaseLiquidity...

Users with bad collateralization ratio from either rebase/nonrebasevault can bypassliquidation

Lines of code Vulnerability details Impact users with an unsafe collateralization ratio who are supposed to be liquidated can manipulate the rigidRedemption feature to bypass the liquidation. From the code above its noted that being a rigidRedemption provider one can can put their collateral amou...

[M] Mining rewards are not distributed to users

Lines of code Vulnerability details Impact Expected mining rewards in distributeRewards are not distributed due to a revert in purchaseOtherEarnings. Proof of Concept A missing mintVault implementation in transferFrom will inevitably cause a revert in purchaseOtherEarnings. This means expected...

proposals view function returns wrong voting results

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Even though, the votes are calculated correctly, the proposals view function returns wrong voting results returning forVotes results as againstVotes amount. This would negatively impact the users...

Incorrect poolTotalEUSDCirculation Calculation

Lines of code Vulnerability details Impact poolTotalEUSDCirculation calculated incorerctly so it can effect reward distribution Proof of Concept The following line of code deduces repaid amount from poolTotalEUSDCirculation while the fee that is part of repaid amount will be distribute as rewards...

Voting period hardcoded to 3 blocks

Lines of code Vulnerability details Impact Here in the Governance contract, the voting period is locked to 3 blocks. function votingPeriod public pure override returns uint256 return 3; function votingDelay public pure override returns uint256 return 1; This is a direct bug because if we take a...

Proposal remains open to votes for only 3 blocks instead of 7 days

Lines of code Vulnerability details Impact LybraGovernance contract only allows to vote during the first 3 blocks after the snapshot is taken. Assuming it takes roughly 12 seconds per 1 block on Ethereum, it is only 36 seconds to decide and vote for a proposal. This would be too fast for a regula...

Lack of input validation

Lines of code Vulnerability details Impact There is no input sanitizer implemented for the transfertypes.FungibleTokenPacketData data variable. Proof of Concept After "unmarshaling" the packet, which checks if there is an error, it is used right away without further checking the fields inside it,...

On OnRecvPacket, TradeInputForExactOutput is called with all the amount of the transferred coin as a maximum which is not safe.

Lines of code Vulnerability details Impact In OnRecvPacket IBC receive callback, coinswapKeeper.TradeInputForExactOutput is called to swap from transferredCoin to standardDenom i.e. canto. TradeInputForExactOutput func takes the input as max amount of the token to be paid. This is not safe for th...

Almost all of the github.com/cosmos/cosmos-sdk/types will be deprecated

Lines of code Vulnerability details Impact Codes in the scope won't work if the would be updated. Proof of Concept It is clearly seen that in the it is fixed version of v0.45.9. However, in next version of cosmos-sdk all of the Int methods will be deprecated. Almost all of the code in the scope i...