Incorrect use of AddressAliasHelper.applyL1ToL2Alias() in _isAuthorized()

Lines of code Vulnerability details Summary In the isAuthorized function, the require statement checks if the msg.sender is equal to the result of calling AddressAliasHelper.applyL1ToL2Alias with relayer as the argument. However, this is incorrect, as AddressAliasHelper.applyL1ToL2Alias is intend...

Chainlink's latestRoundData might return stale or incorrect results

Lines of code Vulnerability details Impact latestRoundData is used to fetch the asset price from a Chainlink aggregator, but it's missing additional validations to ensure that the round is complete. If there is a problem with Chainlink starting a new round and finding consensus on the new value f...

UniswapV2PriceOracle.sol currentCumulativePrices() will revert when priceCumulative addition overflow

Lines of code Vulnerability details uint price0Cumulative, uint price1Cumulative, uint32 blockTimestamp = addresspair.currentCumulativePrices; Because the Solidity version used by the current implementation of UniswapV2OracleLibrary.sol is =0.8.7, and there are some breaking changes in Solidity...

Swap Input Validation

Lines of code Vulnerability details Input Validation: - The swap function assumes that fpos and spos are valid positions within the heap. - Ensure that you are providing valid positions, and consider adding checks to verify that fpos and spos are within the bounds of your heap. requirefpos size &...

Providing LP outside of active range is prone to DoS

Lines of code Vulnerability details Impact When LP provide uniswap V3 position using ParticlePositionManager that have range outside of active price, it can be DoSed by opening position of all the provided liquidity. Proof of Concept When LPs provide a Uniswap V3 position that is currently outsid...

Cross contract reentrancy attack through changing the xDomainMsgSender

Lines of code Vulnerability details Impact The use of the guaranteed safe CrossDomainMessenger for withdrawals can result in permanent blockages when the recipient address interacts with external addresses, which is an important feature for interoperability and is expected to be widely utilized...

Frontrunning the initialize function can drain the LP initial deposit

Lines of code Vulnerability details Impact An attacker can frontrun the initialize function in AlgebraPool.sol to set an unexpected price and can cause loss of funds for the initial LP deposit. Proof of Concept function initializeuint160 initialPrice external override requireglobalState.price == ...

Inconsistent implementation of delegate and delegateBySig leads to inconsistent checkpoints and numCheckpoints modification.

Lines of code Vulnerability details Impact User can delegate to delegatee by calling delegeate and if the parameter delegatee is address0, it will be replaced with the msg.sender. function delegateaddress delegatee public if delegatee == address0 delegatee = msg.sender; return delegatemsg.sender,...

redeemFresh does not work

Lines of code Vulnerability details Impact The CNote contract uses the CToken contract's redeemFresh function to perform redeem operations. However, since the CNote contract does not hold note tokens, the getCashPrior returns 0 and is less than the redeemAmount, causing the redeemFresh function t...

Safe.approve may not work for USDT

Lines of code Vulnerability details Impact Some tokens like USDT do not work when changing the allowance from an existing non-zero allowance value. They must first be approved by zero and then the actual allowance must be approved. Proof of concept: The following function may fail and make USDT...

ERC20 tokens with before/afterTokenTransfer hooks can be manipulated to cause submitBatch to fail

Lines of code Vulnerability details Impact Currently submitBatch processes a batch of Cosmos to Ethereum transactions. As part of this method ERC20 tokens are transferred to the desired destination from the Gravity bridge, as approved by the current validator set. For ERC20 tokens without a...

[WP-H8] Admin of the upgradeable proxy contract (the diamond contract) can rug users

Lines of code Vulnerability details Use of Upgradeable Proxy Contract Structure The Diamond Structure allows the logic of the contract to be arbitrarily changed. This allows the proxy admin to perform malicious actions e.g., taking funds from users' wallets up to the allowance limit. This action...

transferAndCall sends tokens twice

Handle cccz Vulnerability details Impact The Flan contract is inherited from the ERC677 contract. In the transferAndCall function of the ERC677 contract, the super.transfer and transfer functions will be called, which will cause the token to be sent twice. function transferAndCall address to,...

Permanent DOS in liquidity_lockbox for under $10

Lines of code Vulnerability details Impact The liquiditylockbox contract in the lockbox-solana project is vulnerable to permanent DOS due to its storage limitations. The contract uses a Program Derived Address PDA as a data account, which is created with a maximum size limit of 10 KB. Every time...

The same console addresses on other chains can be captured by compromised or malicious owner

Lines of code Vulnerability details Impact The same order of owners addresses lets generate the same console address on all chains. But any owner from the list can deploy console accounts on other chains with threshold parameter equals 1 and then change owners in these accounts, i.e. capture thes...

Gas that was sent by LayerZero can get stuck in the contract in some cases

Lines of code Vulnerability details If a tx on the destination chain calls back the chain from where the transaction was initiated by the user, the first transaction on the source chain needs to "airdrop" gas to the destination chain so it is able to call back the source chain. The problem is tha...

Using memory instead of storage in 'redeemPositions' will result in incorrect LP Balance

Lines of code Vulnerability details Impact This bug could lead to a situation where a user can 'redeem' their positions without the associated liquidity positions LPs being properly reset. This could result in the user being able to artificially inflate their LP balance, which could lead to...

SubprotocolRegistry is vulnerable to malicious names

Lines of code Vulnerability details Impact A malicious subprotocol can register a name that looks the same as any other protocol. Users may use the malicious subprotocol because they can't distinguish the names, and be cheated out of subprotocolFee. Proof of Concept Any subprotocol can be...

Cached EIP-712 domain separator may lead to replay attacks

Lines of code Vulnerability details Impact The usage of a cached DOMAINSEPARATOR present in the initializer of the GraphTokenUpgradeable contract may lead to replay attacks in the case of an eventual fork of the chain, since the cached domain separator is constructed with an initial chainId that...

Fee-on transfer tokens not supported

Handle pmerkleplant Vulnerability details Impact There exist ERC20 tokens that charge a fee for every transfer. This kind of token does not work correctly with the PoolTemplate::deposit function. Proof of Concept The PoolTemplate::deposit function mints an amount of iTokens based on the function'...

Incorrect checking of signature length

Handle JMukesh Vulnerability details Impact signature which have SignatureMode.EthSign/SignatureMode.EIP712 have length 65 , so all signature coming through both mode will be reverted Proof of Concept Tools Used manual review Recommended Mitigation Steps update the correct signature length --- Th...

Excess funds sent via msg.value not refunded

Lines of code 201 Vulnerability details The code below allows the caller to provide Ether, but does not refund the amount in excess of what's required, leaving funds stranded in the contract. The condition should be changed to check for equality, or the code should refund the excess. File:...

A malicious deployer can set auctionTargetTime close to auctionDuration to make it hard or impossible for anyone to win a reward.

Lines of code Vulnerability details Impact A malicious deployer could set auctionTargetTime very close to auctionDuration, making it hard/impossible for anyone to win a reward leading to losses Proof of Concept In the constructor, auctionTargetTime is not validated to be less than auctionDuration...

Avoid the use of hard coded slippage

Lines of code Vulnerability details Impact In OptionsPositionManager.sol, swapExactTokensForTokens has used the hardcoded slippage of 1% which is used in withdrawOptionAssets and swapTokens functions. function swapExactTokensForTokensIUniswapV2Router01 ammRouter, IPriceOracle oracle, uint amount,...

rngComplete() function is vulnerable to an array out of bounds error

Lines of code Vulnerability details Impact A malicious actor can manipulate the AuctionResult passed to RewardLib.rewards to make it return a short rewards array Proof of Concept The issue is that there is no check that i stays within the bounds of rewards. If rewards is shorter than expected, th...

Unintended or Malicious Use of Prize Winners' Hooks

Lines of code Vulnerability details Impact The setHooks function in Vault.sol allows users to set arbitrary hooks, potentially enabling them to make external calls with unintended consequences. This vulnerability could lead to various unexpected behaviors, such as unauthorized side transactions...

AMO2 doesn't add the lp balance of the CVXStaker to the withdrawable token amount

Lines of code Vulnerability details Impact The lp tokens held by CVXStaker can't be able to used or withdrew by AMO2. Although the jam is not permanent and the owner of the CVXStaker can use recoverToken function to withdraw them, it will cause the functions about removing liquidity break down in...

[Medium - 1] Ecrecover precompile doesn't behave the same as the one from Ethereum

Lines of code Vulnerability details Impact According to the Ethereum yellow paper and in the specifications of the ecrecover precompile, it is stated that if the ecrecover doesn't return anything denoted by ∅, then the return should be 0 as well. If we take a look at the current ecrecover...

The Risk of Adding an Incorrect Previous Block Hash Value in a Blockchain Network

Lines of code Vulnerability details Impact There is a risk of adding an incorrect previous block hash value to a block, either intentionally or unintentionally. If the previous block hash value is incorrect, it means that the data in the previous block has been tampered with, and the current bloc...

Attacker can fake an ERC20 token as the paymentToken and call ClearingHouse.safeTransferFrom() to prematurely settle the auction, preventing the actual auction from completing

Lines of code Vulnerability details Impact ClearingHouses are deployed for each new loan and settle payments between Seaport auctions and Astaria Vaults if a liquidation occurs. However, due to the lack of proper data validation in the current implementation, anyone can fake a token and transfer ...

Compounding is vulnerable to sandwich attack

Lines of code Vulnerability details Impact Function compound is called in every deposit/withdraw in AutoPxGmx contract. It claim rewards in form of gmxBaseReward and swap them to gmx token. They used amountOutMinimum from input params gmxAmountOut = SWAPROUTER.exactInputSingle...

LBRouter's swapAVAXForExactTokens is unavailable when any extra AVAX funds supplied

swapAVAXForExactTokens logic includes transferring out the excess amount of the native funds supplied by a caller. However, amountsIn0 - msg.value amount that swapAVAXForExactTokens calculates for transfer out is negative. The reason is the inverted amount calculation, i.e. according to the logic...

xERC4626.sol#beforeWithdraw will fail under certain conditions

Lines of code Vulnerability details Impact Valid withdrawals will fail in certain edge cases Proof of Concept function totalAssets public view override returns uint256 // cache global vars uint256 storedTotalAssets = storedTotalAssets; uint192 lastRewardAmount = lastRewardAmount; uint32...

Unchecked Transfer

Lines of code Vulnerability details High Severity - Unchecked Transfer Line 167 of Vault.sol has an unchecked Transfer. Reference and recommendation from slither. Tools Used: Slither --- The text was updated successfully, but these errors were encountered: All reactions...

Rounding error for low decimal token

Lines of code Vulnerability details Impact Some token has low decimal USDC has only 6, as a result, the rounding may introduce substantial error in stable pair calculation, causing wrong getAmountOut quote, at the end lead to fund loss in swap function. Malicious user can abuse the wrong quote to...

Chainlink oracle lacks proper validation

Lines of code Vulnerability details Impact Calls to the Chainlink price oracle via latestRoundData in FraxlendPairCore.sol use the correct function latestRoundData per Chainlink's documentation, but lack the recommended validations to ensure that the round is complete and does not return stale...

WETH.allowance() returns wrong result.

Lines of code Vulnerability details Impact WETH.allowance returns wrong result. I can't find other contracts that use this function but WETH.sol is a base contract and it should be fixed properly. Proof of Concept In this function, the "return" keyword is missing and it will always output 0 in th...

ETH funds accidentally sent to InfinityStaker cannot be retrieved

Lines of code Vulnerability details rescueETH function that aims to retrieve mistakenly sent funds cannot reach contract balance, only sending over the Ether value attached to the current call instead. Setting the severity to medium as the case is a violation of system's auxiliary logic. Also, an...

rescueETH function doesn't works as expected

Lines of code Vulnerability details Impact The rescueETH function is implemented to collect any unexpected ETH transferred to the infinityExchange.sol contract, But this function will not work as expected. The function is supposed to return the eth from the contract to the specified destination...

no slippage check

Lines of code Vulnerability details in the function swapAndAddLiquidity it makes a call swapExactTokensForTokens with slippage hard coded to 1 this could lead to the user receiving much less tokens than expected due to being frontrun / sandwiched which will result in a loss of funds recommend...

Arbitrary Logic Enables ERC20 Theft

Handle ElliotFriedman Vulnerability details Severe Issue: ERC20 Token Theft Using Arbitrary Logic There are 2 ways that this bug can be used to drain funds from the bridge. Both are catastrophic and result in total loss of funds. The 1st method is horrible, the second method is diabolical as it c...

CamelotRelayer uses wrong interface for CamelotPair

Lines of code Vulnerability details Impact The CamelotRelayer uses the OracleLibrary as an interface for accessing oracle data from the CamelotPair contract which is the Camelot DEX's equivalent of a pool using the OracleLibrary from UniSwapV3Pool's periphery contracts but because the CamelotPair...

Unprotected initialize functions can front-run by MEV or by an Attacker

Lines of code Vulnerability details Vulnerability Detail It should be avoided that the implementation of proxy contracts can be initialized by third parties. This can be the case if the initialize function is unprotected. Since the implementation contract is not meant to be used directly without ...

the check for the roundId == answeredInRound should be set to >= in the ChainlinkCompositeOracle.sol#getPriceAndDecimals

Lines of code Vulnerability details Impact the function getPriceAndDecimals have check that it check if the round id is equal to the answer in round ID. this check should be change to = because some roundID may get the data/answers in the round that is more than the roundId and this case is...

Reentrancy Vulnerability in MErc20Delegate.sol

Lines of code Vulnerability details Impact The fallback function delegates calls to the implementation contract using delegatecall. This allows the implementation contract to call back into MErc20Delegate before the original delegatecall completes. An attacker could exploit this vulnerability to...

Validator can revert block at no cost.

Lines of code Vulnerability details Impact Validator can revert block at no cost. Proof of Concept the validator should only call this function on Executor.sol to revert the unexecuted blocks if the block is not really not executable. /// @notice Reverts unexecuted blocks /// @param newLastBlock...

LBPair swap() can be front-runned, a malicious attacker can call swap with higher gas than a user, getting the user swap amount transferred to the attacker address

Lines of code Vulnerability details Impact In the LBPair.sol contract, when a user calls swap after transferring tokens to the Pair, a malicious attacker can front-run that tx then call swap on the same pair with the parameter to changed to an malicious address of his choice, paying a higher gass...

Attackers can prevent the creation of pools

Lines of code Vulnerability details Impact A malicious attacker can permanently prevent users from creating pools of certain token pairs. Proof of Concept The deploy function in AlgebraPoolDeployer.sol uses a salt while deploying a new AlgebraPool: 44: function deploy 45: address dataStorage, 46:...

Unsafe downcast

Lines of code Vulnerability details Impact It's possible to generate silent overflows when downcasting. E.g. if the value if bigger than the type being cast, it will overflow starting from zero. Proof of concept For the Price.sol constructor, if observationFrequency is a small value and...

Deprecated CHAINLINK API usage

Lines of code Vulnerability details Impact Usage of deprecated chainlink function to get collateral price. Proof of Concept The Chainlink API latestAnswer used in the FungibleAssetVaultForDAO contract is deprecated: This method returns the last value but that value cannot be fully updated. New V3...