[adriro-NEW-M-01]: Forced failure of transactions that use tryCatchLimit

Lines of code Vulnerability details adriro-NEW-M-01: Forced failure of transactions that use tryCatchLimit The same attack described in M-02 can also be exploited with transactions that use tryCatchLimit. Impact Similar to tryCatch, the tryCatchLimit function can be used to execute a transaction...

M-02 Unmitigated

Lines of code Vulnerability details Description The mitigation recommendation is not right. To understand the issue I strongly recommend the lecture of this article. In particular, sections "Insufficient Gas Griefing Attack" and "Workaround Against “Insuficient Gas Griefing attack”". The issue...

Upgraded Q -> 2 from #327 [1686724891862]

Judge has assessed an item in Issue 327 as 2 risk. The relevant finding follows: L-04 addBid does not increment the endBlock of the auction when it is close to the end, preventing the protocol from capturing extra value When an Auction is created, it sets a lotItem.endBlock. This value remains...

UNJUSTIFIED ZERO INDEX VALIDATION HINDERS INDEX VALUE OF 0

Lines of code Vulnerability details Impact SocializingPool.verifyProof currently incorporates a zero index check which blocks the entry of an index value of 0. While this check is designed to prevent the use of invalid index values, it inadvertently prohibits the valid index value of 0. This may...

Challenger can change the output root or delete output root arbitrarily to authorize invalid withdrawal or block withdrawal infinitely

Lines of code Vulnerability details Impact Challenger can change the output root or delete output root arbitrarily Proof of Concept In the OptimismPortal.sol, when prove and finalize the transaction the output root needs to be verificated // Grab the OutputProposal from the L2OutputOracle, will...

The admin address used in initialize function, can behave maliciously

Lines of code Vulnerability details N.B : This bug is different that the other one titled "Risk of losing admin access if updateAdmin set with same current admin address". Both issues are related to access control, but the impact, root cause and bug fix are different, so DO NOT mark it as dupliat...

No way out of the loop if operator not active

Lines of code Vulnerability details Impact There is no way out of the loop if operator not active. do if !operatorStructByIdi.active continue; uint256 remainingCapacity = validatorPerOperatorGreaterThanZero ? remainingOperatorCapacityi : getOperatorQueuedValidatorCounti; uint256 newSelectedCapaci...

VaultProxy implementation can be initialized by anyone and self-destructed

Lines of code Vulnerability details Impact When the VaultFactory contract is deployed and initialized, the initialise method on the newly created VaultProxy implementation contract is never called. As such, anyone can call that method and pass in whatever values they want as arguments. One...

Individual nodes can manipluate sdPriceInETH to be any value inside StaderOracle#submitSDPrice

Lines of code Vulnerability details Trusted nodes can submit their attested ethereum price by calling StaderOraclesubmitSDPrice. Once a 66% majority of nodes submit a price for a specific block number, the new sdPriceData will be set to the median of the submitted prices. function...

addCredit() DOS Attack

Lines of code Vulnerability details Impact DOS Attack Proof of Concept addCredit can be called by anyone, and the msg.value is as small as 1 wei. Users can modify Lien at a small cost, causing the value stored in lienslienId=keccak256abi.encodelien to change By front-run, the normal user's...

_initiateBridgeERC20() does not check if _remoteToken is valid. When the message send to L2, it will cause user lossing funds in L1

Lines of code Vulnerability details Impact initiateBridgeERC20 does not check if remoteToken is valid. When the message send to L2, it will cause user lossing funds in L1 Proof of Concept As we can see, theinitiateBridgeERC20 just check isOptimismMintableERC20localToken,if valid ,it will call...

Users can bypass distributions fees by ragequitting instead of using a formal distribution

Lines of code Vulnerability details Impact Distribution fees can be bypassed by ragequitting instead of distributing Proof of Concept address payable feeRecipient = feeRecipient; uint16 feeBps = feeBps; if tokenType == ITokenDistributor.TokenType.Native return distributor.createNativeDistribution...

deployAndExecute() function in Factory should be payable

Lines of code Vulnerability details deployAndExecute function in Factory should be payable The deployAndExecute function fails to consider ETH payments that may need to be forwarded to the wallet's execute function. Impact The deployAndExecute function present in the AmbireAccountFactory can be...

Delegate should check that terminal is operating with ETH as the terminal token

Lines of code Vulnerability details Delegate should check that terminal is operating with ETH as the terminal token The JBXBuybackDelegate implementation is only prepared to operate with ETH as the terminal token. The implementation should check that the JuiceBox terminal matches this case. Impac...

transfer() method can lead to re-entrancy attack

Lines of code Vulnerability details Impact The contract in scope has a withdraw function namely ‘uniswapV3SwapCallback’ which sends funds to the calling address. The calling address can be a malicious contract. Currently transfer sends more gas than 2300 creating a potential attack vector for...

New finding

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used Recommended Mitigation Steps Assessed...

Comptroller.exitMarket() does not get an updated exchange rate causing inacurate exit validations

Lines of code Vulnerability details Impact The user can use the exitMarket function to remove an asset from the account liquidity calculation; disabling them as collateral. The problem is that the user can call exitMarket before the vToken updates their accrue interests via accrueInterest functio...

Inflation attack by drip

Lines of code Vulnerability details Impact The drip might inflate the exchange rate on an initial stake such that that subsequent stakers get minted zero wxETH. Their stake can then be unstaked by the first staker, together with their own first stake and inflation investment. Effectively, the fir...

It is possible to override pool params in PoolRegistry.sol since the creator field is never set for a venus pool

Lines of code Vulnerability details Proof of Concept PoolRegistry.createPoolRegistry will call PoolRegistry.registerPool which will make a check on the creator field for a pool. VenusPool memory venusPool = poolByComptrollercomptroller; requirevenusPool.creator == address0, "PoolRegistry: Pool...

Deflation bricking

Lines of code Vulnerability details Impact First staker can block staking by making exchangeRate == 0. Proof of Concept As can be seen function exchangeRate public view returns uint256 /// @dev if there are no tokens minted, return the initial exchange rate uint256 totalSupply = totalSupply; if...

PositionManager's moveLiquidity can set wrong deposit time and permanently freeze LP funds moved

Lines of code Vulnerability details moveLiquidity set new destination index LP entry deposit time to be equal to the source index deposit time, while destination bucket might have defaulted after that time. This is generally not correct as source bucket bankruptcy is controlled i.e. LP shares tha...

Missing Proposal Validations in Funding Contract.

Lines of code Vulnerability details Impact The Funding.sol contract's validateCallDatas function validates the targets, values, and calldatas parameters for a proposal but does not check if the proposal is valid based on the current state of the contract. For example, it does not check if the...

Mitigation of M-04: Mitigation error

MITIGATION IS NOT CONFIRMED MITIGATION IS NOT CONFIRMED Mitigation of M-04: Mitigation error Link to Issue: code-423n4/2023-03-asymmetry-findings932 Comments Even though the original issue is mitigated, as the exchange through Uniswap V3 has been completely removed in favor of using...

Mitigation Confirmed for NEW

H-02, H-05, H-06, H-08 mitigation error: No sanity check on Chainlink price feed Description and recommendation The mitigation of issues H-02, H-05, H06 and H-08 have introduced a Chainlink price feed. In all of those instances there are no sanity checks on the Chainlink return data, especially...

Mitigation Confirmed for H-06

Fix looks good. Root issue was assume 1:1 peg for stETH. This has been fixed by getting true price of stETH from chainlink oracle. --- The text was updated successfully, but these errors were encountered: All reactions...

A Malicious validator can frontrun 32ETH deposit

Lines of code Vulnerability details Impact Frontrunning by malicious validator actor to change the withdrawal credentials and gain the withdrawal ETH value. Proof of Concept A malicious validator can frontrun stake transaction with the same pubkey and deposit 1 ether for different withdrawal...

Upgraded Q -> 2 from #878 [1683053128185]

Judge has assessed an item in Issue 878 as 2 risk. The relevant finding follows: L-3 Potential loss of funds when paying royalties - --- The text was updated successfully, but these errors were encountered: All reactions...

Upgraded Q -> 2 from #882 [1683052816154]

Judge has assessed an item in Issue 882 as 2 risk. The relevant finding follows: If royaltyFee 0 and recipient == address0 users will be overcharged --- The text was updated successfully, but these errors were encountered: All reactions...

Invalid addresses will be accepted as resolvers, possibly bricking assets

Lines of code Vulnerability details Description The hexToAddress utility parses a string into an address type. function hexToAddress bytes memory str, uint256 idx, uint256 lastIdx internal pure returns address, bool if lastIdx - idx 40 return address0x0, false; bytes32 r, bool valid =...

BytesUtils.keccak does not revert when offset is out of bounds

Lines of code Vulnerability details Impact The BytesUtils.keccak function accepts out of bound offset value and returns a valid response without reverting. function keccak bytes memory self, uint256 offset, uint256 len internal pure returns bytes32 ret requireoffset + len = self.length; assembly...

Upgraded Q -> 2 from #706 [1682589361421]

Judge has assessed an item in Issue 706 as 2 risk. The relevant finding follows: 02 USERS CANNOT SET OWN SLIPPAGE WHEN STAKING AND UNSTAKING Only the owner of the SafEth contract can call the following SafEth.setMaxSlippage function to set maxSlippage that is used in the corresponding derivative...

Unvalidated External Library Usage in RSASHA256Algorithm

Lines of code Vulnerability details Impact A hacker could exploit this vulnerability to inject malicious code into the contract, potentially allowing them to steal user funds or take control of the contract. Proof of Concept To demonstrate the attack vector, lets deploy a malicious version of the...

Lack of validation in opening positions parameters can lead to critical vulnerabilities at protocol level

Lines of code Vulnerability details Suspicious positions may be denied by voters if they don't seem legit, but over time it is very possible that one of them lands in the protocol, which can involve serious risks. Some attributes may not seem harmful with certain values at first sight, and can le...

A MINTER CAN STOP A QUALIFIED POOL SHARE HOLDER FROM DENYING THE MINTER DURING THE APPLICATION PERIOD BY FRONT-RUNNING THE TRANSACTION

Lines of code Vulnerability details Impact A minter can stop a Qualified pool share holder from denying the minter during the application period by front-running the transaction Consider the following scenario: 1 . Assume minter is User A and Qualified pool share holder is User B. 2 . User A call...

Burn logic issue due to lack of checking parameter 0 in burnWithReserve function

Lines of code Vulnerability details Impact The token quantity is sent to 0 and then the token is internally burned, causing a logic problem. Proof of Concept 1. burnWithReserve - reservePPM = 0 2. calculateFreedAmount call - The result is scaled by the ratio of currentReserve and minterReserve...

Resizing tokenIds is wrong in CollectionBatchBuyOperator.execute()

Lines of code Vulnerability details Impact The implementation of resizing an array is wrong in assembly, so the length of the array tokenIds will be wrong. Proof of Concept In CollectionBatchBuyOperator.execute, tokenIds should be resized to tokensBought, and the implementation is as follows:...

No check for minPrice and maxPrice in the deposit() function

Lines of code Vulnerability details Impact No check for minPrice and maxPrice in the deposit function could lead to unexpected consequences Proof of Concept In the function deposit function deposit address payable privatePool, address nft, uint256 calldata tokenIds, uint256 minPrice, uint256...

Dangerous use of setVirtualReserves(), withdraw(), and execute() leads to incorrect configuration of PrivatePool

Lines of code Vulnerability details Impact The function setVirtualReserves allows arbitrary changes to the values of virtualBaseTokenReserves and virtualNftReserves, which determine the price of the NFT trade in the pool. However, the real balance of tokens or ether in the pool is not checked, so...

Routing griefing via ERC-777 operator

Lines of code Vulnerability details Impact Currently, there is no router implemented for private pools in which NFTs are traded against ERC-20 tokens or it is not available in the repository. However, in the future, it is possible that some algorithm on the frontend will look for the optimal path...

ReraiseETHCrowdfund.sol: party card transfer can be front-run by claiming pending voting power which results in a loss of the voting power

Lines of code Vulnerability details Impact In this report I show how an attacker can abuse the fact that anyone can call ReraiseETHCrowdfund.claim for any user and add voting power to an existing party card. The result can be a griefing attack whereby the victim loses voting power. In some cases...

Logic for RescueTokens is incorrect for muteTokens

Lines of code Vulnerability details Proof of Concept The logic for RescueTokens doesn't take into account the reward remainders. I wanted to write a POC but I'm in a bit of a time crunch. So, imagine the following situation: totalRewards = 100, and staker A, B the only stakers staked for the firs...

Division before multiplication truncate minOut and incurs heavy precision loss and result in insufficient slippage protection

Lines of code Vulnerability details Impact When Calcuting the minOut before doing trade, Division before multiplication truncate minOut and incurs heavy precision loss, then very sub-optimal amount of the trade output can result in loss of fund from user because of the insufficient slippage...

SfrxEth slippage and fee stealing

Lines of code Vulnerability details Impact The SfrxEth derivative contract calculates the maximum slippage for buying SfrxEth from curve pool by using the current price in the pool at runtime, without considering the price at which the user submitted the transaction to the mempool: uint256 minOut...

dMute.sol: Attacker can push lock items to victim's array such that redemptions are forever blocked

Lines of code Vulnerability details Impact This report deals with how an attacker can abuse the fact that he can lock MUTE tokens for any other user and thereby push items to the array of UserLockInfo structs of the user. There are two functions in the dMute contract that iterate over all items i...

sybil attack vulnerability (via Shitcoin)

Lines of code Vulnerability details Impact Attacker can create worthless shitcoin/NFT to mint PFP and as much as possible. Thereby acquiring outrageous and undeserved amount of PFP . Hence attacker is well positioned for further sybil attack/ farming. This is unhealthy to the contract and its...

KangarooVault.removeCollateral updates storage without actually removing collateral, resulting in lost collateral

Lines of code Vulnerability details The admin can call KangarooVault.addCollateral to add additional collateral to a Power Perp position. File: src/KangarooVault.sol 424: function addCollateraluint256 additionalCollateral external requiresAuth nonReentrant 425: SUSD.safeApproveaddressEXCHANGE,...

Mint Bio NFT with mismatched SVG

Lines of code Vulnerability details Impact The tokenURI function of a given NFT contract must represent truth about the given tokenid. The Bio contract allows for minting of NFTs using a bio string. The tokenURI of a minted Bio NFT in turn generates a JSON response. This JSON payload includes the...

Anyone can steal funds in the Contract Deployer

Lines of code Vulnerability details Impact If ContractDeployer.sol ever holds funds, it could potentially be drained via the chained creation of new contracts. Proof of Concept When creating a contract the create/create2 functions will be called inside the contract deployer here: , which after...

bootloader doesn't add tighter gas limit to the IAccount.validateTransaction call

Lines of code Vulnerability details Impact As mentioned in the competition details: Important, while the bootloader is out of scope, we may reward an additional bounty for valid bugs found in it by our judgement! As mentioned in the dev document, , there are some limitations of the verification a...

NonceHolder.setValueUnderNonce lack of validation

Lines of code Vulnerability details Impact NonceHolder.setValueUnderNonce can set the nonce value for key has already being used. Proof of Concept Quoting to the document NonceHolder part: It provides a function validateNonceUsage which the bootloader uses to check whether the nonce has been used...