10190 matches found
The roerouter hard-coded address error causes all fee funds to be sent to the treasury instead of the vault
Lines of code Vulnerability details Impact The roerouter hard-coded address error causes all fee funds to be sent to the treasury instead of the vault. This will reduce the capital utilization rate, because the fee should be added to the LP to earn interest, but now because the vault address cann...
UniswapV3 trading fees are always locked in treasury instead of going back to the protocol users through GeVault
Lines of code Vulnerability details TokenisableRange was redesigned to redirect collected fees to a pre-defined GeVault, where the protocol stakers can benefit from the added value. However, the use of an incorrect variable makes this distribution of the fees impossible to happen, and the fees wi...
Potential Price Slippage Due to Gaps in Consecutive Ranges
Lines of code Vulnerability details The method allows appending new Range instances without restrictions on the gap between the end of the last range and the start of the new one. Significant gaps between these ranges can result in considerable price slippages, introducing volatility in price...
Risk of Token Get Stuck in burnAndCallAxelar Function due to Use of Same Chain ID
Lines of code Vulnerability details Impact The burnAndCallAxelar function within the contract presents a potential risk where tokens can become stuck if the same chain ID is used for both the source and destination chains. In this scenario, tokens are burned from the user's account, and a...
.The _newPosPrev/_newPosNext hints do not fully prevent invalid ordering when decreasing a delegate's stake.
Lines of code Vulnerability details Impact The contract could incorrectly deactivate or reward transcoders based on the invalid pool order. Proof of Concept When decreasing a delegate's stake with decreaseTotalStake, the contract calls transcoderPool.updateKey to update the delegate's position in...
Incorrect price precision in RdpxV2Core
Lines of code Vulnerability details Impact The core contract expects the price oracle to return 1e8 precision, but its actually 1e18. This will cause heavily incorrect results from all usages of the price. Proof of Concept The RdpxV2Core.getRdpxPrice function is meant to return 1e8 precision:...
Missed approving to UniswapV2Router
Lines of code Vulnerability details Impact The contract should have already granted an allowance of at least minamountOfWeth for the input token. This step is missing during the UniswapV2Router call within the lowerDepeg function. // @audit msg.sender should have already given the router an...
PerpetualAtlanticVaultLP incentives can be stolen via flash loan
Lines of code Vulnerability details Impact The liquidity pooled from the PerpetualAtlanticVaultLP is used by the core contract. This liquidity is provided by anyone, and after each epoch 1 week an incentive is paid after to further incentivise liquidity provision. However, the funds can be stolen...
Improperly tracking asset reserve for WETH
Lines of code Vulnerability details Impact Function RdpxV2Corewithdraw lets delegate owners withdraw their unused WETH. However, withdrawn amount is not deducted from totalWethDelegated, which causes WETH asset reserve tracked improperly. The impacts could be: 1. Function sync gets reverted when...
Malicious user can prevent the creation of a proposal
Lines of code Vulnerability details Vulnerability Detail The LivepeerGovernor inherits OpenZeppelin's GovernorUpgradeable contract. The GovernorUpgradeable utilizes the hashProposal function to generate a unique hash when creating a new proposal. The hash depends solely on input parameters:...
DOS in governance when voting after delegate
Lines of code Vulnerability details Impact The GovernorCountingOverridable::handleVoteOverrides function substracts the delegator vote weight from the total votes when the delegatee has already submited a vote. However, if the delegator's vote is greater than the current total vote the substracti...
Initialization Issue in EarningsPoolL
Lines of code Vulnerability details Impact the vulnerable part in code : uint256 prevCumulativeRewardFactor = prevEarningsPool.cumulativeRewardFactor != 0 ? prevEarningsPool.cumulativeRewardFactor : PreciseMathUtils.percPoints1, 1; earningsPool.cumulativeRewardFactor =...
withdrawGivenInputAmount() calls _lpTokenSpecified with the wrong value of feeDirection
Lines of code Vulnerability details Impact withdrawGivenInputAmount calls lpTokenSpecified with the wrong value of feeDirection: function withdrawGivenInputAmount uint256 xBalance, uint256 yBalance, uint256 totalSupply, uint256 burnedAmount, SpecifiedToken...
overflow vulnerability in the _lpTokenSpecified() function when calculating computedAmount
Lines of code Vulnerability details Impact uf will be incorrect, which will lead to incorrect final price points xf, yf and ultimately an incorrect computedAmount. It also allows an attacker to manipulate the pool in their favor by depositing or withdrawing more assets than they should be able to...
Accounting for Fixed_Fee and Base_Fee twice leading to less amount or token recieved
Lines of code Vulnerability details Impact There are multiple instances where fees is deducted twice. I will explain this with one function similar logic follows in other functions as well.So whenever the swapGivenInputAmount function is called by the user with inputAmount provided by the user th...
Division before multiplication incurs larger precision loss
Lines of code Vulnerability details Impact There are couple of instance of using result of a division for multiplication while can cause larger precision loss. Proof of Concept In contract EvolvingProteus.sol, value of int128 two at line 709 is calculated by using ABDKMath64x64.divu function. The...
Using incorrect parameter for checking the reserve
Lines of code Vulnerability details Impact At line 549 within the swap function's code, the internal call to the function checkBalances checks the reserve for token x is carried out using xi + specifiedAmount instead of xi + roundedSpecifiedAmount. When using roundedSpecifiedAmount passes the che...
MIN_PRICE_VALUE is incorrect
Lines of code Vulnerability details Impact The MINPRICEVALUE variable is being calculated based on 10^10 instead of the intended 10^12. As a result, the MINPRICEVALUE will be lower than expected with 2 decimal places precision, potentially allowing pxinit and pxfinal to be set lower than the...
Swaps affect LP token mint/burn during liquidity addition/removal
Lines of code Vulnerability details Impact The LP token removal/addition forces a recalculation of the bonding curve, and the utility of the curve. The utility curve in proteus looks like the graph below, where the point A represents a certain composition of the pool. If we try to remove add/remo...
H-08 MitigationConfirmed
Lines of code Vulnerability details Original Issue H-08 - Increasing reserves breaks PrizePool accounting Details The previous implementation to increase reserves in the PrizePool contract didn't take into account the injected reserves, which caused the accounted balance in the prize pool to not ...
H-09 Unmitigated
Lines of code Vulnerability details Issue not mitigated About the problem In the report i have described some vaults that will not work in the designed system. Example of such vault will be any vault that has withdraw limit. In this case yieldVault.maxWithdraw call will not return actual amount o...
Upgraded Q -> 3 from #264 [1691857350267]
Judge has assessed an item in Issue 264 as 3 risk. The relevant finding follows: Let's see how it can be exploited. You can add this test to Withdraw.t.sol and run with forge test -vv --match-contract VaultWithdrawTest --match-test testWithdrawAllAssetsForHalfShares: function...
prev emergency security council still has cancellor role in SecurityCouncilMgmtActivationAction
Lines of code Vulnerability details Description In the GovernanceChainSCMgmtActivationAction.perform function. This function is responsible for activating the new emergency security council and revoking the roles of the previous emergency security council. The bug occurs in the following line of...
getPastCirculatingSupply() returns the ARB token supply instead of circulating votes supply
Lines of code Vulnerability details Bug Description In ArbitrumGovernorVotesQuorumFractionUpgradeable, the getPastCirculatingSupply function is used when calculating quorum for proposals: ArbitrumGovernorVotesQuorumFractionUpgradeable.solL31-L35 /// @notice Get "circulating" votes supply; i.e.,...
No need to stack lend pool to take lendlaunger rewards
Lines of code Vulnerability details Impact Lending lenger give reward tokens to users if they lend their tokens to selected pools. Lendingledger give rewards as weekly and it records user's balance until end of the weekespacially thursday because 1 jan 1970 was thursday. But protocol records can ...
Consider Disabling Inherited _cancel Function In The Governor Contracts
Lines of code Vulnerability details Impact The currently used openzeppelin upgradeable contracts dependency @openzeppelin/contracts-upgradeable is v4.7.3 The security council management contracts are inheriting the openzeppelin GovernorUpgradeable contracts to manage proposals. This version of...
Anyone can change the members of Security Council
Lines of code Vulnerability details Impact Anyone can change the members of security council by calling the function perform in the contract SecurityCouncilMemberSyncAction.sol as the function is open to all. Proof of Concept uint256 updateNonce = getUpdateNoncesecurityCouncil; if nonce =...
Anyone can call perform in SecurityCouncilMemberSyncAction to update members of security council multisig
Lines of code Vulnerability details Impact Anyone can update members of security council multisig Proof of Concept SecurityCouncilMemberSyncAction contract has a perform function which is used to update members of security council multisig. File: SecurityCouncilMemberSyncAction.sol /// @notice...
Stealing or reusing votes
Lines of code Vulnerability details Impact It is possible to reuse/steal user's votes if they are supposed to cast vote by signature. Proof of Concept Casting votes during nominee election and member election is possible by calling the functions: castVoteWithReasonAndParams...
Potential Near-Zero Scenarios for purchasePrice in the Continuous Gradual Dutch Auction
Lines of code Vulnerability details Impact The Continuous Gradual Dutch Auction CGDA model has potential scenarios where the purchasePrice for an amount of tokens could approach near-zero values. This is influenced mainly by two factors: emissionRate and timeSinceLastAuctionStart. If either one o...
Unchecked Call Return Value
Lines of code Vulnerability details Impact The functions do not check the return value of low-level calls. This can lock Ether in the contract if the call fails or may compromise the contract if the ownership is being changed. The following calls were detected without return value validations -...
Some functions in TokenisableRange contracts does not allow user to deadline.
Lines of code Vulnerability details Impact Not allowing users to supply their own deadline could potentially expose them to sandwich attacks Proof of Concept Consider the following scenario: if fee0 100 bal0 && fee1 100 bal1 TOKEN0.token.safeIncreaseAllowanceaddressPOSMGR, fee0;...
Lack of check in LiquidationPair.sol#_computePeriod() can lead to DOS
Lines of code Vulnerability details Impact computePeriod will revert because lack of check input validation Proof of Concept In LiquidationPair.sol, computePeriod is used to computes the current auction period: see here. It is called in functions like getPeriodStart and checkUpdateAuction. 377:...
The treasury address can be updated by the contract owner to point to a malicious address after deployment
Lines of code Vulnerability details Impact Any fees or funds sent to the treasury could potentially be stolen or manipulated Proof of Concept The treasury address can be updated by the contract owner to point to a malicious address after deployment. This presents a risk as the treasury receives a...
call() should be used instead of transfer() on an address payable
Lines of code Vulnerability details Impact The use of the transfer function for sending ETH to an address will inevitably make the transaction fail when: The claimer smart contract does not implement a payable function. The claimer smart contract does implement a payable fallback which uses more...
swapExactAmountOut() does not have deadline which allows pending transactions to be maliciously executed
Lines of code Vulnerability details Impact In LiquidationRouter.sol, swapExactAmountOut function has no deadline for the transaction when swapping. File: src/LiquidationRouter.sol function swapExactAmountOut LiquidationPair liquidationPair, address receiver, uint256 amountOut, uint256 amountInMax...
Anyone can complete the Rng relay auction
Lines of code Vulnerability details Impact There's no access restriction on rngComplete which allows anyone to execute this function and complete the auction. This can lead to unexpected behavior or potential DOS attack where a user completes the auction. Tools Used Manual Analysis Recommended...
Wrong Implementation of Continuous Gradual Dutch Auction
Lines of code Vulnerability details Impact Breaks the core functionality of the Liquidation Pair contract. Usage of wrong formula for calculation of Continuous Gradual Dutch Auction results in wrong calculation of purchase price which is basically used to find the swapAmountIn during liquidations...
Broker Address can be Claim by a MEV Bot
Lines of code Vulnerability details Impact If the broker address is a malicious user, he can mint as many OTAP as he wants. Proof of Concept Protocol deploy the OTAP contract A Bot wait until the contract is deployed Then call the "brokerClaim" straight away with his own address. He can then call...
Lack of slippage checks on public withdraw fees function
Lines of code Vulnerability details Impact function withdrawAllMarketFees IMarket calldata markets, ISwapper calldata swappers, IPenrose.SwapData calldata swapData public notPaused require markets.length == swappers.length && swappers.length == swapData.length, "Penrose: length mismatch" ;...
Potential Loss of Rewards During Token Transfers in StaticATokenLM.sol
Lines of code Vulnerability details Impact This issue could lead to a permanent loss of rewards for the transferer of the token. During the token transfer process, the beforeTokenTransfer function updates rewards for both the sender and the receiver. However, due to the specific call order and th...
Missing check of how recent the price is can lead to stale price being used in the protocol
Lines of code Vulnerability details Impact In the ChainlinkOracle.sol file, in the function getChainlinkPriceAggregatorV3Interface feed, there is the check requireupdatedAt != 0, "Round is in incompleted state";. However, there is no check to see that the price is recent and acceptable. If there ...
function _queueProposal not checking if the required time is passed to allow proposal to set to the queue list
Lines of code Vulnerability details Impact in the queueProposal function there is no check for if the requested time is passed to allow queue the proposal. in this case any proposal after creating can be added to the queue list. Proof of Concept the TemporalGovernor.sol contract have a variable...
Current setUnderlyingPrice and setDirectPrice open to incorrect liquidation of users' positions and result in financial losses for users
Lines of code Vulnerability details Impact Price feeds can be affected by network congestion, causing transactions with outdated prices to be treated as current prices. As price feeds are crucial to the protocol's functioning, this situation can lead to incorrect liquidation of users' positions a...
Overflow/underflow when creating the exchange rate Exp.
Lines of code Vulnerability details Impact Incorrect exchange rate values Proof of Concept the exchangeRateStoredInternal function is missing validation on the Exp mantissa size before creating the exchange rate Exp. This could lead to overflow. This would make the mantissa of exchangeRate equal ...
Cannot unwrap token after recovering through wrapping
Lines of code Vulnerability details Impact Cannot unwrap token after recovering through wrapping. Proof of Concept FollowNFTunwrap checks if followerProfileId for the token is not 0: if followDataByFollowTokenIdfollowTokenId.followerProfileId == 0 revert NotFollowing; while after recovering token...
Incorrect implementation of binary search in _find() in History.sol can make BaseVotingVault.sol break and cannot return correct staleIndex
Lines of code Vulnerability details Impact The binary search implemented in find in History.sol is incorrect and in some cases cannot return a correct stale index, and as a result some functions in baseVotingVault.sol can not work properly like queryVotePower. Although History.sol is not in scope...
Unsafe downcast can lead to silent Overflow that causes accounting issues which can be exploited.
Lines of code Vulnerability details Impact In the ARCDVestingVault.sol, there are instances of Unsafe downcasting where if the amount is greater than uint128 the amount will Overflow but silently where the transaction won't revert causing the stored amount to be smaller than the actual amount tha...
User can drain all locked tokens during withdrawal and still retain their voting power
Lines of code Vulnerability details Impact In the NFTBaseVault.sol contract, a user can decide to withdraw all locked tokens by calling the withdraw... function until all locked funds are drained and the still retain their voting power. Proof of Concept if a user malicious or not decides not to...
Possible centralization issue in PrizePool.closeDraw
Lines of code Vulnerability details The winning random number is chosen by DrawManager, which will lead to centralization risk. Despite haventt really deep dive in codebase of this issue, but if DrawManager ,can somehow calculate which random number can make their controlled address is winner wit...