Unwrap Fee Rounding Down: Revenue Loss, User Unfairness, and Reduced Confidence
Lines of code Vulnerability details Impact The issue with the unwrap fee rounding down can have several detrimental impacts on the Ocean protocol: 1. Revenue Loss: Due to rounding down, the contract loses out on potential unwrap fees, particularly for smaller unwrap amounts. This can significantl...
Fee-on-transfer/rebasing tokens will have problems when swapping
Lines of code 110 Vulnerability details Impact Uniswap v3 does not support rebasing or fee-on-transfer tokens so using these tokens with it will result in funds getting stuck. With fee-on-transfer tokens, if the balance isn't checked, the wrong amount may be transferred out. With rebasing tokens, th...
Proxy's logic contract relies on code in the constructor
Lines of code 122, 50, 25, 67, 98, 67, 22 Vulnerability details Impact Logic contracts cannot rely on code in their constructors, because proxy contracts do not re-execute the logic contract's constructor - only its initializer. Move all code in the constructor to the initializer function. File:...
D.O.S due to wrong scaling factor
Lines of code Vulnerability details Impact The cNote token which is a fork of the CToken contract has a scaling method used to handle the exchange rate between CToken and the underlying token. This method helps scale the exchange rate because solidity doesn't handle fixed-point decimals. The...
asD.sol::mint & asDFactory.sol::create allows an attacker to mint legitimate aSD with counterfeit underlying $NOTE
Lines of code Vulnerability details Impact When creating an aSD token using create from the asDFactory.sol, there's the cNote address reference to specify and set. A malicious user can deploy a counterfeit NOTE underlying token that isn't legit or backed by anything and set/reference it as...
DepositPool is susceptible to the inflation attack
Lines of code Vulnerability details Summary The DepositPool contract is susceptible to the Inflation Attack, in which the first depositor can be front-run by an attacker to steal their deposit. Impact The DepositPool pool contract acts mainly as a vault: accounts deposit LST assets and get bac...
Potential arbitrage opportunity
Lines of code Vulnerability details Impact According to the logic of the protocol, minted tokens can be swapped on AMMs. This is a serious problem as prices on AMMs follow a bonding curve that is independent from the Chainlink pricing feed. This will create arbitrage opportunities for hackers t...
Mint amount calculation in deposit is incorrect
Lines of code Vulnerability details Summary The calculation in the deposit function of the DepositPool contract is flawed as it factors the deposited amount into the RSETH price to calculate the amount to mint. Impact When a user deposits in the DepositPool contract, the amount of RSETH to mint i...
Unchecked constructor arguments can make a contract unworkable
Lines of code Vulnerability details Impact In the NextGenCore contract constructor, there is no check that a valid admin contract is set using NextGenAdmins::isAdminContract. If the contract address in the adminsContract constructor is set incorrectly, it is not possible to call admin functions i...
Multiple instances of reentrancy
Lines of code Vulnerability details Impact This can lead to massive loss of funds and assets in Nextgen. Proof of Concept There are multiple instances of reentrancy in NextGenCore.sol, MinterContract.sol and AuctionMemo.sol. These reentrancies are due to the use of ERC721 safeMint... for token transf...
PartyGovernanceNFT.burn is not updating the totalVotingPower
Lines of code Vulnerability details Proof of Concept The getSharedProposalStorage.governanceValues.totalVotingPower value defines the voting power cap that can be minted using mint in PartyGovernanceNFT. In a previous version of the protocol 2023-05-party this variable was...
All contributions can get locked in the Crowdfund contract, with no means to refund users or finalize.
Lines of code Vulnerability details Impact ETHCrowdfundBasefinalize assumes that all contributions are intact, but there is an emergencyExecute function that is capable of spending part of crowdfund eth. If as little as one wei gets spent, Users cannot get refunded, and the Crowdfund will not get...
decreaseVotingPower() can be front-ran by an attacker to claim an amount of assets from the TokenDistributor more than he should be able to claim or withdraw more assets than he should be able to claim through rageQuit()
Lines of code Vulnerability details Overview of the vulnerability / PoC The function decreaseVotingPower in PartyGovernanceNFT does not have a front-running protection against a user claiming his share of a distribution or a user ragequitting using a token which is going to get its voting power...
Upgraded Q -> 2 from #246 [1699029732469]
Judge has assessed an item in Issue 246 as 2 risk. The relevant finding follows: L-03 The tokenURI is not compatible with the ERC721 standard Description function tokenURIuint256 safeId public view override returns string memory uri uri = nftRenderer.rendersafeId; tokenURI will call nftRenderer...
Staking functionality temporary blocking due to lack of address zero check
Lines of code Vulnerability details Impact Though lack of zero check issue for the addToBlacklist function is already at the automated findings output, I suppose it is necessary to show the importance of this check here. In case of accidental or malicious the BLACKLISTMANAGERROLE behavior the...
Bad actor can block the operation of mint by creating a duplicate order by front-running the original order
Lines of code Vulnerability details Impact A bad actor can block the operation of mint by creating a duplicate order by front-running the original order. So basically the contracts are doing orders by users RFQ to system whether by API or front end. and make the mint process the problem is in the contract...
DoS of the staking functionality due to the check of minimum total supply
Lines of code Vulnerability details Impact The StakedUSDe contract can be accidentally blocked if all the shares are redeemed before the VESTINGPERIOD end. The checkMinShares function will then revert for any eligible deposits. The same result will be in case of asset transferring to the...
Permanent DoS on Market Creation Failure
Lines of code Vulnerability details Impact Permanent DoS of creating a market if anything fails in the market constructor. Within a create2 call, instead of failing when a revert occurs in the constructor being run, it just returns address0. If this occurs within a market that's being created the...
use of correct modifier
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used Recommended Mitigation Steps function...
On repaying and taking collateral, tokenCollateral[cType][account/source] is modified 2 times; this leads to a problem
Lines of code Vulnerability details Impact when you are repaying your tokenCollateralcTypeaccount is modified 2 times, which leads to incorrect data Proof of Concept On calling repayAllDebtAndFreeTokenCollateral or repayDebtAndFreeTokenCollateral first you are calling modifySAFECollateralization...
Scaling Issue in AccountingEngine.auctionSurplus Causing Token Drains
Lines of code Vulnerability details Impact The impact of this vulnerability is significant as it leads to a scaling problem in surplus auctions conducted by the AccountingEngine. The vulnerability arises from the way the amountToSell in surplusAuctionHouse.startAuction call and rad in...
Centralisation risk
Lines of code Vulnerability details Impact The protocol has an onlyGovernor role with privileged rights to perform administrator tasks that can affect users. Proof of Concept The governor has control over crucial functions that can be updated and changed according to the governor's discretion. functio...
M-05 Unmitigated
Lines of code Vulnerability details Original Issue M-05: Reward sandwiching in VotiumStrategy Details The issue outlined above is about making instant profit by depositing before the boost happens and withdrawing right after the boost occurs. Those who locked their positions for 16+ weeks get the...
Register Wallet unprotected
Lines of code Vulnerability details Impact In the code comments, it states that: @dev Can only be called by safe deployer or the wallet itself This requires a check for either the safe deployer or the wallet. However there is no check to verify this case, therefore any address can verify their se...
There is no checking whether the ExecutorPlugin module has been activated or not on the sub-account, this can cause malfunctions if the user wants to execute tx via ExecutorPlugin
Lines of code Vulnerability details There is no checking whether the ExecutorPlugin module has been activated or not on the sub-account, this can cause malfunctions if the user wants to execute tx via ExecutorPlugin Impact Can cause malfunctions if the user wants to execute tx via ExecutorPlugin ...
Console account cannot execute a transaction on a sub account unless it registers itself as an executor
Lines of code Vulnerability details The Executor is an account authorized to make module transactions on a subAccount via ExecutorPlugin. The executor is assigned/registered by the subaccount created by the console account. But the console account itself cannot execute the transaction & is...
Delegation transfer might become temporarily unavailable due to input format in _delegateMulti
Lines of code Vulnerability details Impact A user might mint a valid delegation token to a target delegate which cannot be transferred to another target delegate through processDelegation due to delegateMulti's extension of address type of data into the space of uint256. Proof of Concept As...
Same multiple delegate values result in wrong calculation of delegated votes
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. If by mistake same delegate value is given multiple times to targets array then delegation of votes is wrongly calculated. Proof of Concept Provide direct links to all referenced code in GitHub. Add...
Needs a secure modifier
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. The ERC20ProxyDelegator constructor appears to be used for delegating voting rights to a delegate by allowing them to call the delegate function of an ERC20Votes contract. To secure this function, you...
Possibility of losing users funds due to not checking for zero address (address 0x0)
Lines of code Vulnerability details Impact As there is no function for checking whether the addresses of the sources and targets are zero or not in the delegateMulti function it may cause issues for users Sending tokens to a zero address address 0x0 is generally not a recommended practice in...
RootBridgeAgent.retrieveSettlement doesn't check if settlement is in FAILED state
Lines of code Vulnerability details Impact The RootBridgeAgent.retrieveSettlement function is supposed to be used to retrieve a failed settlement to be able to redeem it but because the function doesn't actually check that the input settlement is in fact in FAILED state, the function can be used ...
ChainLink should be used as an Oracle for messaging instead of Google Cloud
Lines of code Vulnerability details Impact Each User Application contract e.g. BranchBridgeAgent built on LayerZero will work without configuration using defaults, but a UA will also be able to configure its own. Maia intends to use the default config. However, Google Cloud Oracle is the default a...
Validate poolIdx input to prevent storage corruption in critical functions.
Lines of code Vulnerability details Impact No validation on poolIdx input for key functions like claimConcentratedRewards. Could pass invalid poolId and corrupt storage. Proof of Concept The claimConcentratedRewards function. It takes in a poolIdx as one of the parameters: function...
payableCall in VirtualAccount isn’t protected by requiresApprovedCaller modifier
Lines of code Vulnerability details Impact Due to the lack of access control in the payableCall function in the VirtualAccount contract, anyone can call payableCall on a user's virtual account. An attacker can use this vulnerability to steal the user's funds after a failed settlement by the user. Proof of...
Event not emitted after sensitive action of setting new concentrated and ambient rewards.
Lines of code Vulnerability details Impact The 'setConcRewards' and 'setAmbRewards' functions don't emit an event to signify to all parties involved the new concentrated and ambient results. Proof of Concept A user not aware of the new reward price might suppose he/she has been swindled upon realizing that...
accrueConcentratedPositionTimeWeightedLiquidity may revert under special situations
Lines of code Vulnerability details Impact LiquidityMining.accrueConcentratedPositionTimeWeightedLiquidity may unintentionally revert and cause transactions not to succeed. Proof of Concept The LiquidityMining.accrueConcentratedPositionTimeWeightedLiquidity function calculates the concentrated...
Timestamp Manipulation
Lines of code Vulnerability details Impact There is a problem in that contract, especially when updating tickTrackingIndex within the loop: an attacker can manipulate the values of enterTimestamp and exitTimestamp to force tickActiveEnd to be significantly larger than tickActiveStart inflate the...
BLOCKS_PER_YEAR in Prime.sol should vary depending on leap and non-leap year
Lines of code Vulnerability details Impact Since BLOCKSPERYEAR is used for calculating the total income that's going to be distributed in a year to prime token holders in the function incomeDistributionYearly, an inadequate non-zero value for BLOCKSPERYEAR in terms of chain and/or leap/non-leap...
underflow possible with sufficiently large capital and sufficiently low alpha
Lines of code Vulnerability details Impact An underflow is possible when a sufficiently large capital is coupled with an adequately low alpha value. This scenario may trigger unanticipated behaviors, resulting in the unforeseen failure of transactions, undermining the integrity and reliability of...
Loss of interests due to loss of precision
Lines of code Vulnerability details Impact Users can lose accrued interest due to loss of precision during calculation. It is possible that the interestsvTokenuser.rewardIndex is changed and the interestsvTokenuser.accrued is never increased. Proof of Concept The interestsvTokenuser.rewardIndex a...
It might not be possible to applyRewards(), if an amount received is less than 0.05 eth
Lines of code Vulnerability details Vulnerability Details Upon claiming Votium rewards, applyRewards is intended to be invoked bi-weekly in order to exchange the tokens for eth and put the eth received back into the strategies. Based on the current ratio it either stakes the amount into safETH or...
Allowance manipulation in UserEscrow struct leads to unauthorized token transfers due to overreliance on maximum allowance check
Lines of code Vulnerability details Summary The UserEscrow smart contract contains a vulnerability that can possibly allow unauthorized users to transfer tokens out of the contract. Specifically, an attacker can exploit this flaw by manipulating the allowances, thus enabling them to bypass the...
The maxMint check should be cumulatively applied to ensure its effectiveness
Lines of code Vulnerability details Impact Circumvention of the maximum minting restriction, since all a receiver needs to do is not specify the whole amount of tokens in one attempt and then claim more than the maximum amount. Proof of Concept Take a look at LiquidityPool.solL145-L157 /// @notice...
requestDeposit and requestRedeem do not allow for any price guarantee, opening users to sandwich attacks and other losses
Lines of code Vulnerability details Impact Request functions take only the desired input amount as a parameter, giving no way for the caller to control the fulfilment price. The price is decided by the Centrifuge mainnet only. function requestDeposituint256 assets, address owner; function...
User funds may be blocked if tokens with a transfer fee are used as the underlyingToken
Lines of code Vulnerability details Impact The user can create a rights token pair pulling the underlying token. To do this, it calls the create function. During the execution of the function, the user sends tokens to the contract address. If an ERC20 token is used as a tokenContract, then the...
getActiveTickIndex returns wrong index
Lines of code Vulnerability details To find a tick that's above price ie its only underlying is the base token, getActiveTickIndex should not if baseTokenIsToken0 && amt0 == 0 || !baseTokenIsToken0 && amt0 == 0 return tickIndex; it should if baseTokenIsToken0 && amt1 == 0 || !baseTokenIsToken0 &&...
Attacker can extract value from pool by sandwiching herself at swapAll during close
Lines of code Vulnerability details Attacker can drain the lending pool by leveraging two facts: 1. swapAll allows 1% slippage 2. There is no Health Factor check after close. Alice and Bob are good friends, the steps are in one single tx: 1. Alice deposits 10000 USDT and borrows 7000$ worth of TR...
Protocol will fail for ERC1155 tokens
Lines of code Vulnerability details Issue DelegateTokenTransferHelpers::checkERC1155BeforePull and DelegateTokenTransferHelpers::pullERC1155AfterCheck perform "set and check" operations on erc1155Pulled.flag which will always revert. In the first function, the value of erc1155Pulled.flag is set t...
Unchecked return value of low level
Lines of code Vulnerability details In the code you provided earlier, there is a potential "Unchecked return value of low-level call" vulnerability in the following line: addressstrategy.delegatecallabi.encodeWithSignature"harvest"; This line of code uses the delegatecall function to invoke the...
The roerouter hard-coded address error causes all fee funds to be sent to the treasury instead of the vault
Lines of code Vulnerability details Impact The roerouter hard-coded address error causes all fee funds to be sent to the treasury instead of the vault. This will reduce the capital utilization rate, because the fee should be added to the LP to earn interest, but now because the vault address cann...