LPFarming, yVault and yVaultLPFarming contract white listing can be surpassed

Lines of code Vulnerability details Impact LPFarming, yVault and yVaultLPFarming contracts' white list checks are performed with isContract and can be surpassed. isContract can only be used for positive confirmations, i.e. filtering out EOAs. Setting high severity as it is a direct access control...

Lender can stop others from offering higher rates.

Lines of code NFTLoandFacilitator.lend; L205 Vulnerability details Impact A lender using an upgradeable smart contract could stop other lenders from buying him out, essentially causing a DoS. Proof of Concept Lender uses an upgradeable smart contract that front runs competing lenders and upgrades...

Malicious owner can steal some funds from borrower

Lines of code Vulnerability details Impact Owner can make changes to the protocol with immediate effect. Malicious owner can watch for big lend in the mempool and front run it by maxing out originationFeeRate to 5%. The users, both lender and borrower, will still think that originationFeeRate is...

Use .call instead of .transfer for increased security

Lines of code Vulnerability details Impact The issue highlighted here will reduce gas costs and avoid hacks Proof of Concept The .transfer function at the following places can be replaced with .call as the former has a hard dependency on gas costs as it forwards a fixed amount of gas: 2300. For...

PaladinRewardReserve.sol may have potential bugs if it uses new tokens as rewards

Lines of code Vulnerability details Impact PaladinRewardReserve.sol may have potential bugs if it uses new tokens as rewards. Proof of Concept Currently, PaladinRewardReserve.sol has following behaviors: mappingaddress = bool public approvedSpenders does not store the info regarding which token i...

Emergency mode enable/disable issue

Lines of code Vulnerability details Impact Enabling emergency mode should be one way process that sets contracts in emergency mode. It should be not possible to revert that process, otherwise it puts owner of the contracts in very privileged position. Owner can trigger emergency mode, perform...

One co-creator with a small share can get 100% of the funds in the splitter

Lines of code Vulnerability details Impact One co-creator with a small share can get 100% of the funds by calling the incrementWindow function from an attacker contract that mimics RoyaltyVault. He can then create one or multiple fake windows and claim them to get the full balance of the splitter...

[WP-M9] sendNative with CBridge will always revert

Lines of code Vulnerability details function startBridgeCBridgeData memory cBridgeData internal Storage storage s = getStorage; address bridge = bridge; // Do CBridge stuff requires.cBridgeChainId != cBridgeData.dstChainId, "Cannot bridge to the same network."; if...

Owner can whitelist addresses for swaps and steal approved assets from users

Lines of code Vulnerability details Impact There is a common vulnerability with aggregator/bridge contracts where passing in arbitrary calldata can do unwanted actions such as steal tokens that were approved to that contract. While there is a whitelist system set up, there is no stopping a...

All swapping functions lack checks for returned tokens

Lines of code Vulnerability details Impact Every function that stems from the GenericSwapFacet lacks checks to ensure that some tokens have been returned via the swaps. In LibSwap.sol in the swap function, the swap call is sent to the target DEX. A return of success is required, otherwise the...

Lack of checks between _swapData and _lifiData could lead to loss of funds and reputation risk.

Lines of code LibSwap.swap swapTokensGeneric Vulnerability details Impact Users could input incongruent values for lifiData and swapData leading to a swap no being processed correctly and users not getting any of the expected lifiData.receivingAssetId. It can also damage reputation because LiFi...

Spreads can be minted with a deactivated oracle

Lines of code Vulnerability details Impact When deactivateOracle is called for an oracle in OracleRegistry it is still available for option spreads minting. This way a user can continue to mint new options within spreads that rely on an oracle that was deactivated. As economic output of spreads i...

[WP-H0] Wrong implementation of EIP712MetaTransaction

Lines of code Vulnerability details 1. EIP712MetaTransaction is a utils contract that intended to be inherited by concrete actual contracts, therefore. it's initializer function should not use the initializer modifier, instead, it should use onlyInitializing modifier. See the implementation of...

QTokens with the same symbol will lead to mistakes

Lines of code Vulnerability details The README.md states: Bob can then trade the QToken with Alice for a premium. The method for doing that is beyond the scope of the protocol but can be done via any smart contract trading platform e.g. 0x. It is therefore important that tokens be easily...

Incorrect implementation of Lender can result in lost tokens

Lines of code Vulnerability details Impact MapleLoanInternals.sendFee should check returnData.length == 32 before decoding, otherwise if it returns bytes data, the abi.decode will return 0x20, result in lost tokens. Proof of Concept This contract can test that when the function returns bytes data...

Chainlink pricer is using a deprecated API

Lines of code Vulnerability details Impact According to Chainlink's documentation, the latestAnswer function is deprecated. This function might suddenly stop working if Chainlink stop supporting deprecated APIs. And the old API can return stale data. Proof of Concept Tools Used None Recommended...

Fee-on-transfer/deflationary tokens cause problems

Lines of code Vulnerability details Some ERC20 tokens, such as USDT, allow for charging a fee any time transfer or transferFrom is called. If a contract does not allow for amounts to change after transfers, subsequent transfer operations based on the original amount will revert due to the contrac...

Oracle - csanuragjain

Duplicate of 46 --- The text was updated successfully, but these errors were encountered: All reactions...

CL - throttle

Duplicate of 46 --- The text was updated successfully, but these errors were encountered: All reactions...

DDOS - Omik

Duplicate of 119 --- The text was updated successfully, but these errors were encountered: All reactions...

Too many amms - Dravee

Duplicate of 97 --- The text was updated successfully, but these errors were encountered: All reactions...

Users Can Frontrun Token Distributions Using Flashloans

Lines of code Vulnerability details Impact The collector suite of contracts will actively send ANC token distributions to staked ANC token holders. However, because it is known beforehand that a distribution will be made to the governance contract, users can abuse this to frontrun distributions b...

Simple interest calculation is not exact

Lines of code Vulnerability details Impact The borrow rate uses a simple interest formula to compute the accrued debt, instead of a compounding formula. pub fn computeinterestraw state: &mut State, blockheight: u64, balance: Uint256, aterrasupply: Uint256, borrowrate: Decimal256, targetdepositrat...

[WP-H4] anchor_basset_reward pending yields can be stolen

Lines of code Vulnerability details For yield farming aggregators, if the pending yield on an underlying strategy can be harvested and cause a surge of rewards to all existing investors, especially if the harvest can be triggered permissionlessly. Then the attacker can amplify the attack using a...

Spend limit can be circumvented

Lines of code Vulnerability details Impact The spending limit is on a single message. One can circumvent it by splitting the transaction up into several messages. if config.spendlimit amount return ErrStdError::genericerr"Cannot spend more than spendlimit"; It does not seem like a useful spend...

Updating the hub’s token contract address may lead to incorrect undelegation amount

Lines of code Vulnerability details Updating the hub’s token contract address may lead to incorrect undelegation amounts Impact The hub contract allows config updates to the tokencontract config values in anchor-bAsset-contracts/contracts/anchorbassethub/src/config.rs Such updates can cause wrong...

Whitelist check commented out on the Cross Chain Stable tokens

Lines of code Vulnerability details Impact During the code review, It has been observed that the whitelisted token check is commented out. That will cause to user fund lost on the bridge. The related function only should allow white-listed tokens. Proof of Concept 1. Navigate to the the following...

Fee-on-transfer/deflationary tokens cause problems

Lines of code Vulnerability details Some ERC20 tokens, such as Tether USDT, allow for charging a fee any time transfer or transferFrom is called. If a contract does not allow for amounts to change after transfers, subsequent transfer operations based on the original amount will revert due to the...

The store method allows you to store the same token twice

This issue has been created to upgrade a QA report submission to a medium severity finding. From 0x1f8b: The store method allows you to store the same token twice in NestedRecords.solL130 To do this you must first call storenftId,tokenA,0,reserve and then storenftId,tokenA,100000,reserve because ...

If SChain is Removed Before kill() and getFunds() all Tokens are Locked in the Bridge

Lines of code Vulnerability details Impact If the SChain is removed before all the funds are withdrawn from the bridge they will be permanently locked in the bridge. When a SChain is removed in by the SKALE protocol via the function SchainsInternal.removeSchain the data including the owner will b...

An offer made after auction end can be stolen by an auction winner

Lines of code Vulnerability details Impact An Offer which is made for an NFT when auction has ended, but its winner hasn't received the NFT yet, can be stolen by this winner as transferFromEscrow being called by acceptOffer will transfer the NFT to the winner, finalising the auction, while no...

Fee-on-transfer/rebalancing tokens are not supported

Lines of code Vulnerability details Impact Some ERC20 tokens make modifications to their ERC20's transfer or balanceOf functions. One type of these tokens is deflationary tokens that charge a certain fee for every transfer or transferFrom. Others are rebasing tokens that increase in value over ti...

permitAndMulticall() May Be Used to Steal Funds Or as a Denial Of Service if _from Is Not The Message Sender

Lines of code Vulnerability details Impact When the from address is not the msg.sender multiCall will be made on behalf of the msg.sender. As a result each of the functions called by multiCall will be made on behalf of msg.sender and not from. If functions such as transfer or unstake are called...

revert can be bypassed by forcefully sending ETH using selfdestruct()

Lines of code Vulnerability details Impact In NFTMarket.sol there is a receive function that reverts if the msg.sender is not the feth address. This is an attempt to prevent other parties from sending ETH to the contract but this security check can easily be bypassed by an attacker forcefully...

[WP-M3] TurboRouter.sol#createSafeAndDeposit*() CreateSafeAndDeposit combo methods won't work as an allowance cannot be granted to a newly created Safe for deposit

Lines of code Vulnerability details The TurboRouter.soldeposit function can be used in a multicall together with approve and pullToken from PeripheryPayments to pull tokens from msg.sender and grant allowance for the ERC4626 Safe to call asset.safeTransferFrom with the msg.sender being the router...

TurboSafe - should override maxWithdraw and maxRedeem

Lines of code Vulnerability details Impact Considering the EIP , as withdraw must revert if it is not possible to withdraw assets , it is important to have an accurate maxWithdraw function. However, here, maxWithdraw does not account for the current max withdrawal in the cToken contract. Liquidit...

[WP-H7] InsuranceFund#syncDeps() may cause users' fund loss

Lines of code Vulnerability details function syncDepsIRegistry registry public onlyGovernance vusd = IERC20registry.vusd; marginAccount = registry.marginAccount; The Governance address can call InsuranceFund.solsyncDeps to change the contract address of vusd anytime. However, since the tx to set ...

Attacker can DOS VUSD withdrawal by spamming withdrawals of zero tokens

Lines of code Vulnerability details Impact By spamming withdrawal requests of 0, the user can clog the withdrawal queue. For anybody to withdraw their funds somebody has to first unclog it by running processWithdrawal. Depending on the number of spam withdrawals, potentially multiple times. Since...

Assets sent from MarginAccount to InsuranceFund will be locked forever

Lines of code Vulnerability details Impact Assets sent from MarginAccount to InsuranceFund will be locked forever Proof of Concept The insurance fund doesn't have a way to transfer non-vusd out of the contract. Assets transferred to the InsuranceFund will be locked forever. Mitigation Have a way...

Griefing attack at VUSD withdraw queue is possible

Lines of code Vulnerability details Impact A malicious user can make lots of withdrawal requests to fill up the queue, making VUSD withdrawals unreachable for all other users Proof of Concept There is no control of the size or number of the withdrawal requests, and VUSD will burn even 1 wei amoun...

canSafeBoostVault() doesn't actually check the feiAmount passed in

Lines of code Vulnerability details Impact In TurboMaster.sol the onSafeBoost function calls canSafeBoostVault on the booster contract to check if the safe is allowed to boost the vault using the feiAmount which is passed in by the caller as an argument. The problem is that the feiAmount is never...

[WP-H2] Improper control over the versions of distributions' metadata may lead to repeated claims of rewards

Lines of code Vulnerability details function updateRewardsMetadataCommon.Distribution calldata distributions external onlyRoleDEFAULTADMINROLE requiredistributions.length 0, "Invalid distributions"; IRewardDistributordistributor.updateRewardsMetadatadistributions; In the current implementation,...

[WP-H5] RewardDistributor.setBribeVault() can cause users who haven't claimed their native tokens yet can not claim the reward anymore

Lines of code Vulnerability details In the current implementation, RewardDistributor.claim is using if token != bribeVault token is from rewardsrewardIdentifier.token to detect whether it's a ERC20 token or native token ETH. However, this is not a trustworthy way to determine whether the reward i...

Fee amount too restrictive

Lines of code Vulnerability details Impact In the fee collect modules like FeeCollectModule, the initializePublicationCollectModule checks if the fee amount that each user needs to pay is at least = BPSMAX = 10000. For certain currencies with fewer decimals this is too restrictive. As an example,...

NestedFactory: User can utilise accidentally sent ETH funds via processOutputOrders() / processInputAndOutputOrders()

Lines of code Vulnerability details Impact Should a user accidentally send ETH to the NestedFactory, anyone can utilise it to their own benefit by calling processOutputOrders / processInputAndOutputOrders. This is possible because: 1. receive has no restriction on the sender 2. processOutputOrder...

NestedFactory: User can utilise accidentally sent ETH funds via processOutputOrders() / processInputAndOutputOrders()

Lines of code Vulnerability details Impact Should a user accidentally send ETH to the NestedFactory, anyone can utilise it to their own benefit by calling processOutputOrders / processInputAndOutputOrders. This is possible because: 1. receive has no restriction on the sender 2. processOutputOrder...

Shelter.claim does not check if already claimed

Lines of code Vulnerability details The Sheler.withdraw function sets the claimedtokenuser field but does not check if the user is allowed to claim by checking require!claimedtokenuser, "already claimed". function withdrawIERC20 token, address to external override requireactivatedtoken != 0 &&...

ConvexStakingWrapper deposits and withdraws will frequently be disabled if a token that doesn't allow zero value transfers will be added as a reward one

Lines of code Vulnerability details Impact If deposits and withdraws are done frequently enough, the reward update operation they invoke will deal mostly with the case when there is nothing to add yet, i.e. reward.remaining match the reward token balance. If reward token doesn't allow for zero...

Wrong reward token calculation in MasterChef contract

Lines of code Vulnerability details Impact When adding new token pool for staking in MasterChef contract function addaddress token, uint allocationPoints, uint16 depositFee, uint startBlock All other, already added, pools should be updated but currently they are not. Instead, only totalPoints is...

MasterChef.add must update pools first

Lines of code Vulnerability details The MasterChef.add function changes the total pool allocation but does not update other pools first. When other pools are finally updated at some point, then accConcurPerShare will be wrongly computed with their smaller allocPoint / newTotalAllocPoint share eve...