10190 matches found
If lzReceiveNonBlocking failed to execute, they don't send back accumulated msg.value. Malicious user can drain that
Lines of code Vulnerability details Impact PerformFallBack is gonna fail and msg.value will be accumulated in that BranchBridgeAgent and malicious user can take over them Proof of Concept User deposited and when it's not executed, user wants to retrieve and callRetrieveSettlement, send message to...
ClaimConcentratedRewards and claimAmbientRewards don't update liquidity, enabling double rewards claims. Update liquidity after claims.
Lines of code Vulnerability details Impact The claimConcentratedRewards and claimAmbientRewards functions do not update the liquidity amount after withdrawing rewards. This could allow a user to withdraw rewards multiple times for the same liquidity. Proof of Concept The liquidity amount is not...
Event not emitted after sensitive action of setting new concentrated and ambient rewards.
Lines of code Vulnerability details Impact The 'setConcRewards' and 'setAmbRewards' don't emit an event to signify to all parties involved the new concentrated and ambient results. Proof of Concept A user not aware of new reward price might suppose he/she has been swindled upon realizing that...
Rewards cannot be transferred when calling protocol command
Lines of code Vulnerability details Summary Rewards are set up using protocol commands, but its entrypoint is not payable. Impact Rewards can be set up by protocol authorities using the functions setConcRewards and setAmbRewards present in the LiquidityMiningPath contracts. These two are part of...
Users may be unable to claim their rewards and add/remove liquidity due to exceeding gas limit
Lines of code Vulnerability details Impact If a user provides liquidity on ticks which are entered and exited a large number of times, the gas required to call the accrueConcentratedPositionTimeWeightedLiquidity can exceed the block gas limit. Proof of Concept The...
Loss of interests due to loss of precision
Lines of code Vulnerability details Impact Users can lose accrued interest due to loss of precision during calculation. It is possible that the interestsvTokenuser.rewardIndex is changed and the interestsvTokenuser.accrued is never increased. Proof of Concept The interestsvTokenuser.rewardIndex a...
function 'accrueInterest(address vToken)' allows too many rewards to be allocated
Lines of code Vulnerability details Impact Malicious users can increase the number of rewards they receive within a block. Proof of Concept In the Prime contract, marketsvToken.rewardIndex is used to determine how many rewards are allocated to Prime token holders, and its value can only be change...
Prime.sol : Incorrect decimal scaling
Lines of code Vulnerability details Impact Incorrect computation of the capital variable due to an incorrect decimal scaling. This directly impacts the computation of user's score. PoC The function calculateScore calculates the score for a given user and a given market. One of the core variables ...
Inflation attack in VotiumStrategy
Lines of code Vulnerability details Summary The VotiumStrategy contract is susceptible to the Inflation Attack, in which the first depositor can be front-run by an attacker to steal their deposit. Impact Both AfEth and VotiumStrategy act as vaults: accounts deposit some tokens and get back...
It might not be possible to applyRewards(), if an amount received is less than 0.05 eth
Lines of code Vulnerability details Vulnerability Details Upon claiming Votium rewards, applyRewards is intended to be invoked bi-weekly in order to exchange the tokens for eth and put the eth received back into the strategies. Based on the current ratio it either stakes the amount into safETH or...
Transactions could be frontrun to deposit assets and collect shares between the deposit request and collection
Lines of code Vulnerability details Impact Attacker can spoof deposit to get free shares. Proof of Concept requestDeposit - Requests a deposit, locks up the assets. collectDeposit - Collects the shares after deposit execution. The vulnerability arises because: requestDeposit locks up the assets,...
Malicious RestrictionManager can be used to verify Tranche Members
Lines of code Vulnerability details The ability to file a new RestrictionManager after deployment can actually be utilized by a rogue ward and deploy a malicious version of the RestrictionManager that implements almost the same thing as the originals, but just tweaked to return the SUCCESSMESSAGE...
Attacker can extract value from pool by sandwiching herself at swapAll during close
Lines of code Vulnerability details Attacker can drain the lending pool by leveraging two facts: 1. swapAll allows 1% slippage 2. There is no Health Factor check after close. Alice and Bob are good friends, the steps are in one single tx: 1. Alice deposits 10000 USDT and borrows 7000$ worth of TR...
H-01 Unmitigated
Lines of code Vulnerability details test test
Potential Price Slippage Due to Gaps in Consecutive Ranges
Lines of code Vulnerability details The method allows appending new Range instances without restrictions on the gap between the end of the last range and the start of the new one. Significant gaps between these ranges can result in considerable price slippages, introducing volatility in price...
Wrong calculation of elapsed days
Lines of code Vulnerability details Impact For a certain period of time, the dailyIr is compounded every day. However, when calculating prevClosePrice, the last day's addition is missed. The formula for calculating the current price is as follows: Range.dailyInterestRate Days Elapsed + 1...
Funds will be lost in case the block reorg occurs on the chain of sending bridge
Lines of code Vulnerability details Impact Funds will be lost in case the block reorg occurs on the chain of sending bridge Proof of Concept consider the following scenario on sending chain: In block 1: Alice sends the 1000 tokens to the destination bridge and the nonce for it is set to 10 In blo...
getLpPriceInEth and getRdpxPriceInEth return prices in 1e18 decimals, but we use it as 1e8 decimals
Lines of code Vulnerability details Impact Wrong decimals/price if we use RdpxEthOracle.sol as the oracle. Proof of Concept rdpx/eth oracle is not in the scope of this audit, so we can assure they are correct and only check if we use the API right. According to...
wrong sets of weth/dpxEth balance leads to incorrect calculation
Lines of code Vulnerability details impact In the curveSwap function, there is a crucial condition check to determine the values of a and b. If coin0 is equal to weth, the values should be set as 0, 1 or a, b. If not, they should be set as b, a. However, there is a discrepancy in the way these...
BondManager.updateTranscoderWithFees wrong decimal multiplication. Function always reverts due to underflow
Lines of code Vulnerability details BondingManager.sol has 2 mathUtils libraries, MathUtils uses 1e6 as precision while PreciseMathUtils uses 1e27 as precision. Some variables use MathUtils while others use PreciseMathUtils which might cause confusion. It happens with treasuryRewardCutRate variable...
A malicious delegator could artificially inflate the deductions for a transcoder, potentially leading to incorrect vote counting.
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept In the handleVoteOverrides function, the deductions are added to the transcoder's voter state without any validation: A malicious delegator could call countVote multiple times, each tim...
If funding duration is updated after a few epochs, it will completely brick the perPetualAtlanticVault.sol
Lines of code Vulnerability details Impact perpetualAtlanticVault.sol functionality is dependent upon the funding duration which can be changed by the admin and can lead to bricking the whole calculations in the perpetualAtlanticVault.sol Proof of Concept Initially funding duration is set to seve...
The bond manager contract does not properly zero out the transcoder's cumulative rewards/fees between rounds.
Lines of code Vulnerability details Impact transcoder's cumulative rewards and fees can continue accumulating from previous rounds, instead of resetting each round. This means a transcoder could claim portion of rewards/fees that it should not be entitled to. Proof of Concept This only resets the...
swapGivenInputAmount checks the wrong result out
Lines of code Vulnerability details Impact Wrong check amount results in unusable function. Proof of Concept swapGivenInputAmount calculates the value of result after calling swap. The check then requires that result 0. However, the comment states that amount cannot be less than 0...
withdrawGivenInputAmount() calls _lpTokenSpecified with the wrong value of feeDirection
Lines of code Vulnerability details Impact withdrawGivenInputAmount calls _lpTokenSpecified with the wrong value of feeDirection: function withdrawGivenInputAmount uint256 xBalance, uint256 yBalance, uint256 totalSupply, uint256 burnedAmount, SpecifiedToken...
MIN_PRICE_VALUE is incorrect
Lines of code Vulnerability details Impact The MIN_PRICE_VALUE variable is being calculated based on 10^10 instead of the intended 10^12. As a result, the MIN_PRICE_VALUE will be lower than expected with 2 decimal places precision, potentially allowing pxinit and pxfinal to be set lower than the...
Swaps affect LP token mint/burn during liquidity addition/removal
Lines of code Vulnerability details Impact The LP token removal/addition forces a recalculation of the bonding curve, and the utility of the curve. The utility curve in proteus looks like the graph below, where the point A represents a certain composition of the pool. If we try to remove add/remo...
Lack of slippage parameter in swap can cause losses for users
Lines of code Vulnerability details Impact Users can incur losses due to lack of slippage control. Detailed description of the impact of this finding. Slippage control helps to safeguard user funds against price falling below a certain threshold. This can be caused by frontrunning attack. Proof of...
RESERVE BALANCE BOUNDARY CHECKS IN _checkBalances FUNCTION ARE ERRONEOUS DUE TO WRONG INPUT PARAMETERS PASSED IN
Lines of code Vulnerability details Impact The EvolvingProteus.swap function is used to swap one token Specified token to another non-specified token using the liquidity pool. The protocol charges the fee on the swap transactions by calling the applyFeeByRounding function as shown below:...
Upgraded Q -> 2 from #273 [1692910023114]
Judge has assessed an item in Issue 273 as 2 risk. The relevant finding follows: L-01
Reusing other user's votes for both nominee and member elections
Lines of code Vulnerability details Impact The two elections nominee and member are sharing the same proposal id. This gives an attack opportunity to a malicious user to reuse signature of other users who cast vote by signature in nominee election for casting vote in member election. In other...
Stealing or reusing votes
Lines of code Vulnerability details Impact It is possible to reuse/steal user's votes if they are supposed to cast vote by signature. Proof of Concept Casting votes during nominee election and member election is possible by calling the functions: castVoteWithReasonAndParams...
otherCohort() is not returning different value when the Election has ended.
Lines of code Vulnerability details Impact In SecurityCouncilNomineeElectionGovernor.sol when the otherCohort function is called, it should return the otherCohort. But it is not the case because it returns the cohort at electionIndexToCohort at electionCount - 2 which is only updated when another...
Absence of zero address checks for roles passed to the initialize function.
Lines of code Vulnerability details Impact The initialize function accepts various roles as part of the roles parameter SecurityCouncilManagerRoles. However, it doesn't validate whether any of these role addresses are set to the zero address address(0). This omission might result in inadvertently...
Proposals will not be submitted in SecurityCouncilMemberElectionGovernor.sol and SecurityCouncilNomineeElectionGovernor.sol
Lines of code Vulnerability details Impact SecurityCouncilNomineeElectionGovernor::execute and SecurityCouncilNomineeElectionGovernor::createElection will always revert, since the form of description at the proposal is not compliant to the format required at GovernorUpgradable of OpenZeppelin...
Anyone can become owner of GnosisSafe(securityCouncil) contracts
Lines of code Vulnerability details Impact Member roles in SecurityCouncilManager contract can change owners of GnosisSafe(securityCouncil) contracts by scheduling a perform call to ArbitrumTimelock contract. However the contract that handles updating owners (security council members) with perform...
Missing access control in RngRelayAuction::rngComplete()
Lines of code Vulnerability details For a draw auction to complete, a bot must relay a completed RNG result to the Prize Pool. This is done by calling rngComplete and the data must originate from the relayer. However the rngComplete function is missing a check that the msg.sender is the relayer s...
call() should be used instead of transfer() on an address payable
Lines of code Vulnerability details Impact The use of the transfer function for sending ETH to an address will inevitably make the transaction fail when: The claimer smart contract does not implement a payable function. The claimer smart contract does implement a payable fallback which uses more...
cleanup() does not properly handle debt repayment
Lines of code Vulnerability details Impact The cleanup... function in the PositionManager.sol contract is used to deposit remaining user's assets back to ROE, repaying debt if any. However the user's debt will not be repaid if the user has debt leading to loss of funds for the lenders and the proje...
INCORRECT ACCESS CONTROL
Lines of code https...
CONTROLLED LOW-LEVEL CALL
Lines of code Vulnerability details Impact The contract was using call which was accepting address controlled by a user. This can have devastating effects on the contract as a delegate call allows the contract to execute code belonging to other contracts but using its own storage. This can very...
DEPRECATED POOLS CAN BE USED IN THE CRITICAL TRANSACTION EXECUTIONS OF THE OptionsPositionManager CONTRACT
Lines of code Vulnerability details Impact The PositionManager.getPoolAddresses function is used to get the important address details of the RoePool to be used in the critical function executions of the OptionsPositionManager contract such as executeBuyOptions, executeLiquidation,...
Missing check for equal length arrays in executeOperation().
Lines of code Vulnerability details Impact The executeOperation function in the OptionsPositionManager contract doesn't check if the lengths of the arrays submitted are equal. This can lead to unexpected operations. Proof of Concept In the OptionsPositionManager contract, the executeOperation...
removeFromAllTicks() withdraws all tick assets before deposit and withdraw re-deposit them creates reentrancy attacks.
Lines of code Vulnerability details Impact reentrancy attacks can result in stolen funds Proof of Concept The key issue is that removeFromAllTicks calls removeFromTickindex in a loop, which calls lendingPool.withdraw and tr.withdraw. These external calls could trigger a reentrant call back into t...
An attacker could manipulate the _rngAuctionResult to unfairly distribute more rewards to themselves
Lines of code Vulnerability details Impact When the rewards are calculated using computeRewards, the attacker's inflated rewardFraction will be used, giving them a bigger share Proof of Concept The _rngAuctionResult passed to rngComplete is stored directly into the auctionResults array without any...
Wrong Implementation of Continuous Gradual Dutch Auction
Lines of code Vulnerability details Impact Breaks the core functionality of the Liquidation Pair contract. Usage of wrong formula for calculation of Continuous Gradual Dutch Auction results in wrong calculation of purchase price which is basically used to find the swapAmountIn during liquidations...
Missing flash loan initiator check allows attacker to open trades, close trades and steal funds
Lines of code Vulnerability details Impact The attacker can close trades, partially close trades and even steal funds. Proof of Concept The OptionsPositionManager.executeOperation function is called when a flash loan is made and it can only be called by the lendingPool. The wrong assumption by th...
slot0 is easily manipulatable
Lines of code Vulnerability details Impact The deposit amount of a user can be manipulated. Proof of Concept slot0 is extremely easy to manipulate as it is the most recent data point. The issue arises due to there not being any protection against sqrtPriceX96 manipulation. // @audit no check...
The treasury address can be updated by the contract owner to point to a malicious address after deployment
Lines of code Vulnerability details Impact Any fees or funds sent to the treasury could potentially be stolen or manipulated Proof of Concept The treasury address can be updated by the contract owner to point to a malicious address after deployment. This presents a risk as the treasury receives a...
Reentrancy vulnerability in BigBang.execute
Lines of code Vulnerability details Impact This vulnerability could allow an attacker to withdraw funds from the BigBang contract. This could result in a loss of funds for the user. Proof of Concept The BigBang.execute function has external calls inside a loop. This could potentially lead to...