10190 matches found
collectLiquidity() Lack of can specify recipient leads to inability to retrieve token1 after entering the blacklist of token0
Lines of code Vulnerability details Vulnerability details LP has only one way to retrieve token, first decreaseLiquidity, then retrieve through the collectLiquidity method. collectLiquidity only has one parameter, tokenId. function collectLiquidity uint256 tokenId external override nonReentrant...
TRST-M-1 finding from previous audit still exists
Lines of code Vulnerability details Proof of Concept Issue TRST-M-1 from previous audit still exist. In order to calculate collateral amount getCollateralCreditCurrente36 function is used. uint tokenValuee36 = ILendingPoolpoolsi.toAmtCurrentsharesi tokenPricee36; tokenValuee36 is usd value of...
Contracts are vulnerable to fee-on-transfer accounting-related issues
Lines of code 359, 448, 509, 530, 42, 797, 162 Vulnerability details The functions below transfer funds from the caller to the receiver via transferFrom, but do not ensure that the actual number of tokens received is the same as the input amount to the transfer. If the token is a fee-on-transfer...
Contracts are vulnerable to fee-on-transfer accounting-related issues
Lines of code 359, 448, 509, 530, 42, 797, 162 Vulnerability details The functions below transfer funds from the caller to the receiver via transferFrom, but do not ensure that the actual number of tokens received is the same as the input amount to the transfer. If the token is a fee-on-transfer...
addRewardToken() does note remove old entries before adding new ones
Lines of code 455, 280, 378, 411 Vulnerability details Each time addRewardToken is called, new entries are added to the array, but doing so does not remove any old entries. By calling the function multiple times, an attacker can can increase their voting power indefinitely, without having to...
Some tokens may revert when zero value transfers are made
Lines of code 356, 371, 145, 272, 252, 116, 445, 374, 506, 488https://github.com/Tapioca-DAO/tap-token-audit/blob/59749be5bc2286f0bdbf59d7ddc258ddafd49a9f/contracts/options/TapiocaOptionBroker...
Calls to get_virtual_price() are vulnerable to read-only reentrancy
Lines of code 117 Vulnerability details getvirtualprice was originally considered to be a manipulation-resistant price - suitable as a price oracle, but it was later found to be vulnerable to a read-only reentrancy attack, where the Curve contract could be put into a partially-modified state, and...
Only ensure the Lp is repaid when close the position invites MEV bot
Lines of code Vulnerability details Impact Only ensure the Lp is repaid when close the position invites MEV bot Proof of Concept in the function closePosition function closePosition DataStruct.ClosePositionParams calldata params, DataCache.ClosePositionCache memory cache, Lien.Info memory lien,...
addRewardToken() does note remove old entries before adding new ones
Lines of code 455, 280, 378, 411 Vulnerability details Each time addRewardToken is called, new entries are added to the array, but doing so does not remove any old entries. By calling the function multiple times, an attacker can can increase their voting power indefinitely, without having to...
Unsafe usage of msg.value in a loop
Lines of code 140 Vulnerability details The value of msg.value in a transaction's call never gets updated, even if the called contract ends up sending some or all of the Eth to another contract. This means that using msg.value in a for- or while-loop, without extra accounting logic, will either...
Unsafe use of transfer()/transferFrom() with IERC20
Lines of code 377, 509, 491, 530, 42, 50 Vulnerability details Some tokens do not implement the ERC20 standard properly but are still accepted by most code that accepts ERC20 tokens. For example Tether USDT's transfer and transferFrom functions on L1 do not return booleans as the specification...
The owner is a single point of failure and a centralization risk
Lines of code 56, 109, 127, 172, 219, 250, 115, 131, 154, 116, 131https://github.com/Tapioca-DAO/tapiocaz-audit/blob/bcf61f79464cfdc0484aa272f9f6e28d...
Division by Zero and Precision Loss in computeOutputAmount Function
Lines of code Vulnerability details Impact The vulnerability can cause a runtime exception due to division by zero, leading to contract execution reverting. Additionally, precision loss may occur in calculations due to truncation of remainders, Proof of Concept When unwrapFeeDivisor unexpectedly...
owner can brick unwrapping by setting unwrap devisor = 0
Lines of code Vulnerability details Impact The protocol does not handle when Ocean.changeUnwrapFee sets unwrapFeeDivisor = 0 gracefully. When setting unwrapFeeDevisor = 0, the function Ocean.calculateUnwrapFee will revert due to a division by 0. This function is used in the callstacks related to:...
Usage of _safeMint in NextGenCore@_mintProcessing allows an attacker to reenter when onERC721Received is called
Lines of code Vulnerability details Impact An attacker can : Exceed the per address allowance in Fixed Price Sale, Exponential Descending Sale and Linear Descending Sale modes. Cause a loss for another user in Burn-to-Mint mode by accepting an offer when onERC721Received is triggered. Proof of...
Fee-on-transfer/rebasing tokens will have problems when swapping
Lines of code 110 Vulnerability details Impact Uniswap v3 does not support rebasing or fee-on-transfer tokens so using these tokens with it will result funds getting stuck. With fee-on-transfer tokens, if the balance isn't checked, the wrong amount may be transferred out. With rebasing tokens, th...
Title of issue/finding
Lines of code , Vulnerability details Impact description for the issue found Content includes @Audit stack and code example of the issue Content includes @Audit stack and code example of the issue Assessed type other --- The text was updated successfully, but these errors were encountered: All...
Unchecked cToken mint in mint() risks imbalance, breaking 1:1 peg reserve backing.
Lines of code Vulnerability details Impact mint does not check return code from cToken.mint. If minting fails, contract could have imbalance between cTokens and minted asD tokens. Attacker mints asD but underlying cToken mint fails. Result is loss of 1:1 peg backing. Proof of Concept In the mint...
Max withdrawable calculation is incorrect in asD contract
Lines of code Vulnerability details Summary The implementation of the max withdrawable amount is incorrect as it divides the calculation by the wrong denominator, leading to an incorrect result and a potential denial of service due to an overflow. Impact In the Application Specific Dollar protoco...
The withdrawCarry() function always reverts because of an incorrect assumption.
Lines of code Vulnerability details Impact The Compound protocol's CTokens have 8 decimal places, but the team mistakenly believed that cNote also had only 8 decimal places. However, it was discovered that cNote actually has 18 decimal places. This discrepancy caused the withdrawCarry function to...
asD TOKEN CREATOR CAN PROFIT UNFAIRLY FROM THE cNote TOKENS DIRECLTY TRANSFERRED TO THE asD.sol CONTRACT
Lines of code Vulnerability details Impact The asD.withdrawCarry function is used to withdraw the interest that accrued in the asD contract in the form of NOTE tokens. Only the owner of the asD token is able to withdraw the interest accrued since the withdrawCarry is controlled by the onlyOwner...
Lost fees
Lines of code Vulnerability details Impact Buyers do not get any split of the fees. It is instead to be distributed to holders. But holder splits on successive buys are partially lost to the contract and cannot be recovered. Proof of concept The buyer's rewardsLastClaimedValueidmsg.sender is...
asD creator's would not be able to claim interest accrued due to wrong calculations of the maximumWithdrawable
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. The asD contract implement's withdrawCarry method, which calculates the accrued interest on the users NOTE deposit. The variable maximumWithdrawable gets interest accrued by the deposit by the...
Changing rsETH address breaks contract
Lines of code Vulnerability details Impact manipulating rsETH price Proof of Concept admin can change rsETH token address, while total supply of rsETH is used to calculate its price changing rsETH address changes its price. Tools Used Manual Review Recommended Mitigation Steps prevent changing...
First depositor will get twice more minted token for the same amount deposited
Lines of code Vulnerability details Impact The initial depositor stands to gain an unfair amount of RSETH tokens compared to later depositors, as a result of the fixed exchange rate of 1 ether when no RSETH supply exists i.e., no minted tokens are available. Consequently, the first deposit will...
Potential arbitrage opportunity
Lines of code Vulnerability details Impact According to the logic of the protocol , minted tokens can be swapped on AMMs. This is a serious problem as prices on AMMs follow a bonding curve that are independent from the Chainlink pricing feed. This will create arbitrage opportunities for hackers t...
claimAuction can be reverted by any bidder, locking all funds and the prize.
Lines of code Vulnerability details Description claimAuction is used to redeem the auction's ERC-721 and refund all bidders that didn't win the auction. In this process, callbacks are sent to every single bidder via low-level calls that triggers fallbacks/receives and ERC721.safeTransferFrom. So,...
decreaseVotingPower() can be front-ran by an attacker to claim an amount of assets from the TokenDistributor more than he should be able to claim or withdraw more assets than he should be able to claim through rageQuit()
Lines of code Vulnerability details Overview of the vulnerability / PoC The function decreaseVotingPower in PartyGovernanceNFT does not have a front-running protection against a user claiming his share of a distribution or a user ragequitting using a token which is going to get it's voting power...
Arthimetic operation result in loss of voting power
Lines of code Vulnerability details Impact Carrying out calculation of voting power in function finalize based on division with value 1e4, then subtracting it with totalContributions and after that multiplying and dividing again will be a resultant that cause large precision error or even loss of...
anyone can burn the governance NFT
Lines of code Vulnerability details Impact Impact The impact of this finding centers on the PartyGovernanceNFT.sol smart contract, specifically within the context of the burnuint256 tokenId function. This critical function operates without any access control mechanisms in place. Consequently, it...
A malicious contributor can increase voting power maliciously and eventually steal funds!
Lines of code Vulnerability details Impact Unlimited voting power for attacker and stealing of funds ! Proof of Concept All of the contribute functions uses msg.value to calculate the votingpower . For example , contribute function looks like this : function contribute uint256 tokenId, address...
Reentrancy on batchRefund making external call
Lines of code Vulnerability details Impact Reentrancy can occur when the refund function being called inside the batchRefund function allows external contract calls that can trigger the batchRefund function again before the previous execution is completed. Proof of Concept The batchRefund functio...
Upgraded Q -> 2 from #320 [1699029580772]
Judge has assessed an item in Issue 320 as 2 risk. The relevant finding follows: 2. The governor setting not reliable The initial setting for the voting period in ODGovernor is 15 block, which can be too tight for the governance. Based on Arbitrum block time, which is about 0.26 seconds, which ca...
Upgraded Q -> 2 from #246 [1699029732469]
Judge has assessed an item in Issue 246 as 2 risk. The relevant finding follows: L-03 The tokenURI is not compatible with the ERC721 standard Description function tokenURIuint256 safeId public view override returns string memory uri uri = nftRenderer.rendersafeId; tokenURI will call nftRenderer...
StakedUSDe.totalSupply() may decrease below MIN_SHARES by StakedUSDe.redistributeLockedAmount.
Lines of code Vulnerability details Impact StakedUSDe runs checkMinShares in deposit and withdraw to keep the totalSupply more than MINSHARES, 1e18. It is to prevent an ERC4626 inflation attack. However, StakedUSDe.redistributeLockedAmountuser, address0 burns all the user's shares and decreases t...
DoS of the staking functionality due to the check of minimum total supply
Lines of code Vulnerability details Impact The StakedUSDe contract can be accidentally blocked if the all shares will be redeemed before the VESTINGPERIOD end. The checkMinShares function will then revert for any eligible deposits. The same result will be in case of asset transferring to the...
Taking deposits hostage
Lines of code Vulnerability details Impact An initial attacker can gain the power to hold subsequent deposits into StakedUSDeV2 hostage, and release them at will e.g. for a ransom. Proof of concept The checkMinShares requirement called after any withdrawal and deposit function checkMinShares...
Uninitialized State Variables
Lines of code Vulnerability details Impact in The resetTmpMarketParameters function is an internal function, which means it can only be called from within the WildcatMarketController contract itself. If a child contract inherits from WildcatMarketController and calls resetTmpMarketParameters befo...
ODProxy contract can't grant safeRights (can't change the state of the called contracts) which will disable generating debts functionality
Lines of code Vulnerability details Impact The protocol implements a proxy mechanism to enable only the Vault721 contract from transferring SAFEs, as each SAFE is represented by a NFV non fungible vault. This contract has only one function execute that makes delegatecalls to other contracts, so...
Updating safeManager reference in Vault721 will brick transfer of safes
Lines of code Vulnerability details Impact Updating safeManager reference in Vault721 will brick safe transfers since the state of the new ODSafeManager instance won't have corresponding data. In addition, it is not clear how it would be possible to achieve seamless migration as particular...
[ADRIRO-NEW-M-02] AfEth withdrawals are delayed even if the vAfEth withdrawal amount is zero
Lines of code Vulnerability details Summary While zero amount withdrawals of SafEth have been prevented, the updated codebase still executes the withdrawal process for zero amount withdrawals of vAfEth, creating an unnecessary delay in AfEth withdrawals. Impact In AfEth, the withdrawal process is...
Centralisation risk
Lines of code Vulnerability details Impact The protocol has a onlyGovernor role with privileged rights to perform administrator tasks that can affect users. Proof of Concept The governorhave control over crucial function that can be updated and change according to the governor discretion. functio...
Delegating the call from ODProxy will make the changes in the context of ODProxy's storage layer which breaks the invariant.
Lines of code Vulnerability details Impact Making the delegate call to ODSafeManager will affect the storage of ODProxy leaving behind the inconsistent state in ODSafeManager, moreover this issue will also breaks the invariant 'Users must exclusively use the ODProxy to interact with their safes.'...
TransactionValidator does not validate gas token address and gas price parameter when validating the transaction
Lines of code Vulnerability details Impact TransactionValidator does not validate gas token address and gas price parameter when validating the transaction Proof of Concept the safe transaction struct is listed below: struct SafeTransactionParams Enum.Operation operation; address from; address to...
Deploying a Console to the Same Address Across Different Supported Chains Could Become Impossible
Lines of code Vulnerability details Impact In Brahma, Users can interact with SafeDeployer::deployConsoleAccount to deploy console accounts/wallets. To deploy the wallet to the same address across all supported chains, the user needs to interact with the deployConsoleAccount function on all chain...
RootBridgeAgent.retrieveSettlement doesn't check if settlement is in FAILED state
Lines of code Vulnerability details Impact The RootBridgeAgent.retrieveSettlement function is supposed to be used to retrieve a failed settlement to be able to redeem it but because the function doesn't actually check that the input settlement is in fact in FAILED state, the function can be used ...
Validate poolIdx input to prevent storage corruption in critical functions.
Lines of code Vulnerability details Impact No validation on poolIdx input for key functions like claimConcentratedRewards. Could pass invalid poolId and corrupt storage. Proof of Concept The claimConcentratedRewards function. It takes in a poolIdx as one of the parameters: function...
USAGE OF abi.encodePacked TO ENCODE DATA COULD LEAD TO payload DATA COLLISION IN THE RootBridgeAgent._createSettlementMultiple FUNCTION
Lines of code Vulnerability details Impact The RootBridgeAgent.callOutAndBridgeMultiple function is used to settle multiple assets and perform a remote call to a branch chain. callOutAndBridgeMultiple function calls the RootBridgeAgent.createSettlementMultiple internal function to compute the...
accrueConcentratedPositionTimeWeightedLiquidity may revert under special situations
Lines of code Vulnerability details Impact LiquidityMining.accrueConcentratedPositionTimeWeightedLiquidity may unintentionally reverts and make transactions does not succeed Proof of Concept The LiquidityMining.accrueConcentratedPositionTimeWeightedLiquidity function calculates the concentrated...
if lzReceiveNonBlocking failed to execute , they don't send back ,accumulated msg.value . malicious user drain that
Lines of code Vulnerability details Impact PerformFallBack is gonna fail and msg.value will be accumulated in that BranchBridgeAgent and malicious user can take over them Proof of Concept User deposited and When it's not executed ,user want to retrieve and callRetrieveSettlement ,send message to...