10190 matches found
Aunction DOS
Lines of code Vulnerability details Impact All auction functions are under a potential DOS or exploitability vulnerability A 2 day duration is added to the current block.number when creating a lot. This introduces a critical flaw, Adding 2 86400correct value of 2 days / 27200wrong value used in...
Recipient address is not appropriately validated or sanitized in the BaseFeeVault contract (loss of funds)
Lines of code Vulnerability details Impact If the recipient address is not properly validated, an attacker could supply a malicious address as the recipient. This could result in the accumulated fees being sent to an unintended or unauthorized party. It could lead to financial loss or disruption ...
Pausing Optimism Portal only pauses withdrawals, can result in locked or lost funds
Lines of code Vulnerability details The comment over OptimismPortal.pause indicates pause should affect both deposits and withdrawls. Currently, only finalizeWithdrawalTransaction and proveWithdrawlTransaction implement the whenNotPaused modifier. Both depositTransaction and donateETH do not...
ParticleExchange.auctionBuyNft and ParticleExchange.withdrawEthWithInterest function calls can be DOS'ed
Lines of code Vulnerability details Impact When lien.borrower is a contract, its receive function can be coded to conditionally revert based on a state boolean variable controlled by lien.borrower's owner. As long as payback 0 is true, lien.borrower's receive function would be called when calling...
Unspent WETH is not considered in buyNftFromMarket()
Lines of code Vulnerability details Unspent WETH is not considered in buyNftFromMarket Impact In the buyNftFromMarket function, the borrower buys an NFT in order to repay and close their loan. The purchase is executed in the internal function named execBuyNftFromMarket. 395: function...
New treasury rate should not affect existing loan
Lines of code Vulnerability details Impact In the protocol, lenders have to pay a small treasury fee when they claim their interest. The contract owner can change this treasuryRate at any time using the function setTreasuryRate. // @audit treasury rate should not affect existing loan function...
Recovery transaction can be replayed after a cancellation
Lines of code Vulnerability details Recovery transaction can be replayed after a cancellation The recovery transaction can be replayed after a cancellation of the recovery procedure, reinstating the recovery mechanism. Impact The Ambire wallet provides a recovery mechanism in which a privilege ca...
arbitrary reservedRate value will result the next swap to be wrongly executed
Lines of code Vulnerability details Impact the function "payParams" will set the variable reservedRate without checking the effective value of that param,in fact if someone decides to call the "payParams" function passing as data.reservedRate a number 10k will result in the next swap that will...
M-01 Unmitigated
Lines of code L1 Vulnerability details Lines of code L1 Vulnerability details Confirmed --- The text was updated successfully, but these errors were encountered: All reactions...
Anyone can front-rundidPay calling payParams to grief swaps and mints
Lines of code Vulnerability details Impact The payParams function in the IJBPayDelegate contract does not currently have any form of access control implemented. This could allow a malicious user to manipulate the mintedAmount and reservedRate state variable, which can interfere with the correct...
mintedAmount and reservedRate mutex not working
Lines of code Vulnerability details Impact File: JBXBuybackDelegate.sol 101 / 102 @notice The amount of token created if minted is prefered 103 104 @dev This is a mutex 1-x-1 105 / 106 uint256 private mintedAmount = 1; 107 108 / 109 @notice The current reserved rate 110 111 @dev This is a mutex...
TEST-high risk
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used Recommended Mitigation Steps Assessed...
totalBorrows is not deducted properly when Comptroller#healAccount is called
Lines of code Vulnerability details Impact TotalBorrowed in VToken is not accounted properly when healAccount is called. Proof of Concept ComptrollerhealAccount intends to forgive the debt of the account if the debt goes far too underwater. When that happens, the collateral is seized, some of the...
Inconsistent check for LP balance in AMO
Lines of code Vulnerability details Inconsistent check for LP balance in AMO While pulling LP tokens from the CVXStaker contract, the AMO queries the current available balance using the staked balance, which is inconsistent with the implementation of the withdraw function. Impact Curve LP tokens...
CVXStaker.sol Unable to process newly add rewardTokens
Lines of code Vulnerability details Impact The lack of a mechanism to modify rewardTokens If convex adds new extraRewards CVXStaker.sol cannot transfer the added token Proof of Concept CVXStaker.sol will pass in rewardTokens in constructor and in getReward, loop this array to transfer rewardToken...
Shortfall.sol#initialize's waitForFirstBidder and nextBidderBlockLimit too short
Lines of code Vulnerability details Impact File: Shortfall.sol 147 waitForFirstBidder = 100; 148 nextBidderBlockLimit = 10; Binance Smart Chain has a block time of around 3 seconds. This could lead to an attacker blocking other bids to bid for the token at a low price. Proof of Concept Tools Used...
VToken mint -- Inflation attack
Lines of code Vulnerability details Impact The token could be impacted by an inflation attack. Proof of Concept At present, vToken is still susceptible to the well-known ERC4626 'Inflation Attack'. This vulnerability allows the total asset count to be inflated by making donations. This means that...
Missing transaction expiration check result in asset tokens selling at a lower price
Lines of code Vulnerability details Impact Selling of asset tokens misses the transaction expiration check, which may lead to reward tokens being sold at a price that's lower than the market price at the moment of a swap. Proof of Concept The swapAsset function, which is responsible for selling...
NOT CONFIRMED
Lines of code L1 Vulnerability details NOT CONFIRMED Assessed type Decimal --- The text was updated successfully, but these errors were encountered: All reactions...
Logic error in _transferAjnaRewards function
Lines of code Vulnerability details Context: ajna-core/src/RewardsManager.sol: 836 / 837: function transferAjnaRewardsuint256 rewardsEarned internal 838: // check that rewards earned isn't greater than remaining balance 839: // if remaining balance is greater, set to remaining balance 840: uint25...
Incorrect Calculation of Max Amount of Quote Tokens in moveLiquidity() Function in PositionManager.sol.
Lines of code Vulnerability details Impact The updateInterest function is called before retrieving the fromPosition value from positionsparams.tokenIdparams.fromIndex in the moveLiquidity function. This means that the bucketDeposit value may not reflect the current accrued interest, which can...
Upgraded Q -> 2 from #298 [1683710120837]
Judge has assessed an item in Issue 298 as 2 risk. The relevant finding follows: L-03 Redundant and dangerous len parameter in readKeyValue Links Impact If the len is not set to input.length minus the offset, there may be unpredictable results due how the algorithm works. Proof of Concept Let's...
Mitigation of M-08: Issue NOT mitigated
Mitigated issue M-08: Possible DoS on unstake The issue is that a potential time-lock in Rocket Pool may cause RocketTokenRETHInterfacerethAddress.burnamount to revert, which prevents frequent withdrawals and unstakes. Mitigation review Reth.withdraw still calls...
Mitigation of M-08: Issue not mitigated
MITIGATION IS NOT CONFIRMED MITIGATION IS NOT CONFIRMED Mitigation of M-08: Issue not mitigated Link to Issue: code-423n4/2023-03-asymmetry-findings685 Comments First, there is a clear error in the associated description of mitigation: "Use Chainlink to get rETH". Using Chainlink to obtain the...
Mitigation of M-07: Issue not mitigated
MITIGATION IS NOT CONFIRMED MITIGATION IS NOT CONFIRMED Mitigation of M-07: Issue not mitigated Link to Issue: code-423n4/2023-03-asymmetry-findings765 Comments While the principal issue for M-07 described a de-peg scenario, which eventually was interpreted as a "black swan" event, I do think the...
Vulnerability in Pause Function
Lines of code Vulnerability details Impact An attacker can exploit this vulnerability by setting any value as the new paused status code, which can allow the attacker to circumvent the pausing restrictions and carry out unauthorized actions on the contract. This can lead to significant consequenc...
BEACON CHAIN VALIDATOR COULD SELF RESCUE WHEN OPERATOR IS FROZEN
Lines of code Vulnerability details Impact The modifier onlyNotFrozen is intuitive such that the staker will be frozen when the delegated operator is frozen. However, not utilizing it in recordOvercommittedBeaconChainETH and undelegate could allow the Beacon Chain validator to undelegate from the...
Depositors risk losing funds through StrategyManager.depositIntoStrategyWithSignature()
Lines of code Vulnerability details Impact The StrategyManager contract has two functions for depositing funds into Strategy contracts, one of them is depositIntoStrategyWithSignature which allows the caller to make a deposit and the new shares are credited to a specified staker. If the staker...
The value of MAX_WITHDRAWAL_DELAY_BLOCKS is constant which shouldn't be
Lines of code Vulnerability details Impact The value of MAXWITHDRAWALDELAYBLOCKS is constant which shouldn't be. It is stated that at the moment MAXWITHDRAWALDELAYBLOCKS is 50400 and it is adjustable, but it isn't in this case as it is constant and once deployed it can't be change Proof of Concep...
Slashing can be frontrunned
Lines of code Vulnerability details Proof of Concept When attempting to withdraw funds, the user calls queueWithdrawal first. queueWithdrawal checks that the caller is not frozen, then marks the withdrawal as pending. function queueWithdrawal uint256 calldata strategyIndexes, IStrategy calldata...
Upgraded Q -> 3 from #284 [1683017290576]
Judge has assessed an item in Issue 284 as 3 risk. The relevant finding follows: NFT tokens sent to the EthRouter contract by mistake can be drained by pool contracts. When someone calls sell, deposit or change functions on EthRouter contract, the contract gives the particular pool full approval...
Unbounded Loop in DNS Name Encoder Library
Lines of code Vulnerability details Impact The unchecked keyword disables overflow and underflow checks for arithmetic operations, which can cause unexpected behavior if the loop is not properly bounded. In this specific case, the loop is not properly bounded, which can cause the loop to run...
SHA1 Hashing Algorithm vulnerable to Length Extension Attack
Lines of code Vulnerability details Impact The implementation of the SHA1 hashing algorithm in the code has a significant impact as it is vulnerable to the length extension attack. This attack enables us to create a new hash for an extended message without altering the existing hash, even though ...
Improper Implementation of Interface
Lines of code Vulnerability details Impact The improper implementation of interfaces can cause unexpected behavior in the contract and lead to an unwanted state of the contract. This can potentially affect several functions. Description The DNSSECImpl contract contains two internal functions,...
SHA-1 chosen prefix collision
Lines of code Vulnerability details Impact An attacker can claim DNS names signed with SHA-1 algorithms 5 and 7 which he does not own. Proof of Concept SHA-1 has been broken for chosen prefix collision. This means that an attacker can have his parent domain, if it signs with SHA-1, sign an RRset...
Lack of slippage in redeem can result in loss of shares for redeemer
Lines of code Vulnerability details FPS holders can redeem their shares against zchf using redeem File: Equity.sol 276: function redeemaddress target, uint256 shares public returns uint256 //@audit no slippage, calculateProceeds can return 0 277: requirecanRedeemmsg.sender; 278: uint256 proceeds ...
Reentrancy Attack Vulnerability in StablecoinBridge Contract
Lines of code Vulnerability details Impact The vulnerability can potentially drain the funds of the contract by allowing an attacker to repeatedly call the mint or burn functions and re-enter the mintInternal or burnInternal functions before they complete. Proof of Concept To deploy the...
Let Me Suggest For You
Lines of code Vulnerability details Impact Scope of vulnerabiliy - This vulnerability allows any user including users the do not own any share tokens to effectivly cast a veto on a minter suggetion. The only requirement to excecute the vulnerability is to have the minimun fee in the acccount. In...
if revertOnFailure is set to false, batchContributeFor doesn't refund properly
Lines of code Vulnerability details Proof of Concept Consider the code for batchContributeFor: function batchContributeFor BatchContributeForArgs calldata args external payable onlyDelegateCall returns uint96 memory votingPowers uint256 numContributions = args.recipients.length; votingPowers = ne...
An attacker can contribute to the ETH crowdfund using a flash loan and control the party as he likes.
Lines of code Vulnerability details Impact An attacker can have more than half of the total voting power using a flash loan and abuse other contributors. Proof of Concept The main flaw is that the party can distribute funds right after the crowdfund is finalized within the same block. So the...
Tokens with Fee on Transfer can break the PrivatePool invariant
Lines of code Vulnerability details Impact Some tokens take a transfer fee e.g. STA, PAXG, some do not currently charge a fee but may do so in the future e.g. USDT, USDC. Fees lead to the fact that the pool actually receives less funds than expected in the contract, and the reserve configuration ...
A hacker can front-run the owner of a PrivatePool to drain the pool
Lines of code Vulnerability details Impact A hacker can sandwitch calls to setVirtualReserves or setMerkleRoot in a private pool and make an instant profit at the expense of the owner. For example, the hacker sees that there is a setVirtualReserves transaction in the mempool that will make the NF...
ReraiseETHCrowdfund.sol: Multiple scenarios how pending votes might not be claimable which is a complete loss of funds for a user
Lines of code Vulnerability details Impact This issue is about how the ReraiseETHCrowdfund claim functionality can be broken. When the claim functionality is broken this means that a user cannot claim his voting power, resulting in a complete loss of funds. The claim functionality is not broken i...
ETHCrowdfundBase.sol: all funds are lost when fee recipient cannot receive ETH
Lines of code Vulnerability details Impact In the ETHCrowdfundBase contract a fundingSplitRecipient address is configured which receives a percentage of the funds in case the crowdfund is won. Neither the fundingSplitRecipient address nor the fundingSplitBps percentage can be changed. The issue i...
Params of Lien struct are not emitted when lien is created making it difficult to track
Lines of code Vulnerability details Impact Protocol does not store any information about Lien. When users want to interact, they have to send the whole Lien struct along with lienId, and the protocol will verify if this data is correct by hash. This approach reduces onchain storage and can save a...
Award is still distributed when there aren't any stakers, allowing users to get reward without staking
Lines of code Vulnerability details Proof of Concept Consider the update modifier for the amplifier. modifier update if mostRecentValueCalcTime == 0 mostRecentValueCalcTime = firstStakeTime; uint256 totalCurrentStake = totalStake; if totalCurrentStake 0 && mostRecentValueCalcTime endTime uint256...
A malicious frontrunner can make the Mutebond contract broken when the owner decreases maxPayout
Lines of code Vulnerability details Impact The Mutebond contract might stop working after the owner decreased maxPayout by a malicious frontrunner. Proof of Concept setMaxPayout can be used to reset maxPayout. function setMaxPayoutuint payout external requiremsg.sender == customTreasury.owner;...
An attacker can lower the price of another depositor() by frontrunning
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. The deposit function will bump bond price back by 5% after purchase based on current delta. However, this function can be executed unlimited number of times in the same block and as a result, one can...
MuteBond.sol: deposit function allows no control for payout and value which leads to unexpected purchases of bonds
Lines of code Vulnerability details Impact The MuteBond.deposit function allows the user to purchase a bond with LP tokens and receive MUTE tokens in return. The bondPrice increases linearly over time which I should mention means the bond gets cheaper; the naming is a bit confusing. There is...
poolPrice() is vulnerable to price manipulation
Lines of code Vulnerability details Impact The output of poolPrice, which is used to determine the price of rETH, can be manipulated to become extremely small or large. An attacker abuse this to gain large amounts of SafETH during staking. Vulnerability Details In the Reth contract, poolPrice...