
10190 matches found

Code423n4 • added 2022/09/01 12:0 a.m. • 12 views

Possibility of unfair voting

Lines of code Vulnerability details Impact The proposal could never get the THRESHOLD Proof of Concept On VoterRegistration.sol: 1- the voteradmin could mint issueVotesTo unlimited tokens to address0 or any address On Governance.sol: 2- this will affect the totalSupply so no one can execute...

AI score: 7.1 • Exploits: 0

Code423n4 • added 2022/09/01 12:0 a.m. • 12 views

Swap at the lower cushion is impossible due to non approved withdrawal. Wrong implementation can cause free swaps.

Lines of code Vulnerability details Impact Currently it is not clear how the swap user is approved for withdrawing from treasury. Depending on implementation, user could swap without spending any tokens, due to approval mechanism in the TRSRY module. Description In the swap function it should be...

AI score: 6.8 • Exploits: 0

Code423n4 • added 2022/08/29 12:0 a.m. • 12 views

Upgraded Q -> M from 239 [1661780295145]

Judge has assessed an item in Issue 239 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...

AI score: 7 • Exploits: 0

Code423n4 • added 2022/08/27 12:0 a.m. • 12 views

Unchecked Call return value in _refundGas call can fail and contract will not revert

Lines of code Vulnerability details Because payable.call is a low-level call, it will not cause a revert on failure. (bool refundSent, ) = msg.sender.call{ value: refundAmount }(''); This means the function will go through, as if the gas-refund was processed, when it may have not. This can specifically...

AI score: 6.8 • Exploits: 0

Code423n4 • added 2022/08/27 12:0 a.m. • 12 views

Dynamic quorum votes parameters for a proposal (Proposal A) are changed according to another proposal (Proposal B) that proposes to update dynamic quorum votes parameters when Proposal B is executed after Proposal A is created in the same block

Lines of code Vulnerability details Impact The following writeQuorumParamsCheckpoint function is used to record dynamic quorum votes parameters at a block of interest. function writeQuorumParamsCheckpoint(DynamicQuorumParams memory params) internal { uint32 blockNumber = safe32(block.number, 'block...

AI score: 6.8 • Exploits: 0

Code423n4 • added 2022/08/17 12:0 a.m. • 12 views

The vault account amount can be the result of an overflow

Lines of code Vulnerability details Impact The downcast uint128(amountToTransfer) can result in an overflow, which would impact the totalAsset.amount local variable, resulting in an incorrect amount for the totalAsset.amount state variable. function withdrawFees(uint128 shares, address recipient...

AI score: 6.6 • Exploits: 0

Code423n4 • added 2022/08/17 12:0 a.m. • 12 views

repayAsset() but you will not receive your Collateral

Lines of code Vulnerability details Impact The user will just pay down the debt Proof of Concept By invoking repayAsset you will just pay the Asset Token, on the other hand, he does not send any amount of my Collateral Recommended Mitigation Steps Add a function to send the Collateral after...

AI score: 6.8 • Exploits: 0

Code423n4 • added 2022/08/17 12:0 a.m. • 12 views

LinearInterestRate mode has the risk of drastic fluctuation of interestRate by flash borrow attack, make borrower pay more interest

Lines of code Vulnerability details Impact In LinearInterestRate mode, the minInterest can be as low as MININT=0, and the maxInterest can be as high as MAXINT=146248508681. In getNewRate function, the newRate is determined by utilization. If utilization=1e5, the interestRate can be MAXINT. There...

AI score: 6.7 • Exploits: 0

Code423n4 • added 2022/08/17 12:0 a.m. • 12 views

Chainlink’s latestRoundData might return stale or incorrect results

Lines of code Vulnerability details Impact On ChainlinkPriceOracle.sol, we are using latestRoundData, but there is no check if the return value indicates stale data. Proof of Concept File: contracts/FraxlendPairCore.sol (, int256 answer, , , ) = AggregatorV3Interface(oracleMultiply).latestRoundData(); ,...

AI score: 6.8 • Exploits: 0

Code423n4 • added 2022/08/17 12:0 a.m. • 12 views

Anyone can deploy a pair with a potentially malicious token

Lines of code Vulnerability details By allowing anyone to create a pair with any two tokens there is a risk that an unsavory token will get included either as collateral or as an asset. It could range from a bad actor intentionally inserting a malicious token to a well-intentioned team that...

AI score: 6.6 • Exploits: 0

Code423n4 • added 2022/08/17 12:0 a.m. • 12 views

Interest rate can be gamed

Lines of code Vulnerability details Impact A lender may borrow to increase interest rate, and as such game the bank. Proof of Concept Suppose a lender borrows half of the amount he has lent. If by doing so he increases the utilization such that the interest rate more than doubles which may be...

AI score: 6.8 • Exploits: 0

Code423n4 • added 2022/08/15 12:0 a.m. • 12 views

Attackers can abuse the quitLock function to get a very large amount of votes

Lines of code Vulnerability details Impact An attacker can use a flashloan and the quitLock function to achieve a large amount of votes for one transaction. It can, depending on the implementation of the modules that will use this contract, be used to pass malicious proposals or exploit any feature...

AI score: 6.7 • Exploits: 0

Code423n4 • added 2022/08/15 12:0 a.m. • 12 views

Wrong values are passed to _checkpoint mess up accounting

Lines of code Vulnerability details Impact The increaseUnlockTime function sends a wrong unlock time to the checkpoint function in the oldLocked variable - the locked variable which is the new LockedBalance is copied into the oldLocked variable which is supposed to be the previous LockedBalance,...

AI score: 6.9 • Exploits: 0

Code423n4 • added 2022/08/13 12:0 a.m. • 12 views

Operator can use reentrancy within mintFromFixedPriceSale to bypass limitPerAccount.

Lines of code Vulnerability details Impact An operator can pass a contract as the buyReferrer parameter. When distributeFunds is called it sends ETH to the contracts' receive function. After transferring any NFTs the contract may have to another contract it calls mintFromFixedPriceSale passing a...

AI score: 6.8 • Exploits: 0

Code423n4 • added 2022/08/07 12:0 a.m. • 12 views

Any permission can be used to execute any code in MimoProxy

Lines of code Vulnerability details Impact If a permission is given in MimoProxy to any function, it can then be abused to whitelist any other msg.sender/function by modifying the permissions mapping. There is a check that the owner was not modified, but no check on permissions which makes sense...

AI score: 6.6 • Exploits: 0

Code423n4 • added 2022/08/07 12:0 a.m. • 12 views

Everyone can perform emptyVaultOperation. Everyone can steal leftover par after repaying the loan from any vault. This pattern also applied to other files.

Lines of code Vulnerability details Impact Everyone can perform emptyVaultOperation. Everyone can steal leftover par after repaying the loan from any vault. It is intended to only be able to call from executeOperation through MIMOProxy callback but in fact everyone can execute it. Proof of Concep...

AI score: 7 • Exploits: 0

Code423n4 • added 2022/08/07 12:0 a.m. • 12 views

Registry.sol works bad - it fails to deliver expected functionality

Lines of code Vulnerability details Impact The description of Registry.sol is following: /// Deploys new proxies via the factory and keeps a registry of owners to proxies. Owners can only /// have one proxy at a time. But it is not. There are multiple problems: 1. Proxy owner can change and will...

AI score: 6.9 • Exploits: 0

Code423n4 • added 2022/08/06 12:0 a.m. • 12 views

Divide before multiply may create unexpected values on interests

Lines of code Vulnerability details Divide before multiply may create unexpected values on interests Impact Solidity integer division might truncate. As a result, performing divide before multiply can sometimes create loss of precision. Details If for example we have an operation: 2/33 The expect...

AI score: 6.8 • Exploits: 0

Code423n4 • added 2022/08/06 12:0 a.m. • 12 views

Unexpected use of array indexes in HomeFi.sol

Lines of code Vulnerability details Unexpected use of array indexes in HomeFi.sol Impact Elements in array are expected to start from 0 when regular indexes are used, however, because of the order of operations in the HomeFi.createProject function, the element 0 will never be used as index in...

AI score: 6.8 • Exploits: 0

Code423n4 • added 2022/08/06 12:0 a.m. • 12 views

It should never be possible to change the status of a completed task

Lines of code Vulnerability details High Risk Finding Impact In Project.sol, once a task is set as completed by calling function setComplete, the contract pays the subcontractor. Once in this state, it should not be possible to change the task state back to ACTIVE/INACTIVE, because then the same...

AI score: 6.8 • Exploits: 0

Code423n4 • added 2022/08/06 12:0 a.m. • 12 views

Lent principal includes lender fee

Lines of code Vulnerability details Impact A community owner is able to lend funds to a project by calling the function Community.lendToProject. Lending requires the lender to pay a lenderFee, a percentage of the fee a lender has to pay to the HomeFi system. However, the current implementation...

AI score: 6.8 • Exploits: 0

Code423n4 • added 2022/08/06 12:0 a.m. • 12 views

Project.raiseDispute() doesn't use approvedHashes - meaning users who use contracts can't raise disputes

Lines of code Vulnerability details Impact In case users are using a contract like a multisig wallet to interact with a project, they can't raise a dispute. The sponsors have added the approveHash function to support users who wish to use contracts as builder/GC/SC. However, the...

AI score: 6.9 • Exploits: 0

Code423n4 • added 2022/08/06 12:0 a.m. • 12 views

block.timestamp used as time proxy

Lines of code Vulnerability details block.timestamp used as time proxy Summary: Risk of using block.timestamp for time should be considered. Details: block.timestamp is not an ideal proxy for time because of issues with synchronization, miner manipulation and changing block times. This can be...

AI score: 7 • Exploits: 0

Code423n4 • added 2022/08/06 12:0 a.m. • 12 views

Builder can pay only half of the agreed upon interest on his debt by exploiting daily interest accrual

Lines of code Vulnerability details Impact Project builder can get away with paying the community owner only half of the agreed upon interest on his debt. Theoretically, the community owner can defend himself from this exploit, if he's aware of this bug, but chances are that he won’t be aware. Pro...

AI score: 6.7 • Exploits: 0

Code423n4 • added 2022/08/06 12:0 a.m. • 12 views

In Community.sol, the interest calculation formula is not correct.

Lines of code Vulnerability details Impact Currently, it calculates interest using the number of days and builders would pay nearly half or less interest than they should. So lenders wouldn't get the interest as expected and it means builders can steal the interest from lenders. Proof of Concept ...

AI score: 6.7 • Exploits: 0

Code423n4 • added 2022/08/06 12:0 a.m. • 12 views

Community can lose interest because interest was calculated by days instead of seconds

Lines of code Vulnerability details Impact Community's owner loses an amount of interest from the project, up to half of the total interest Proof of concept When a builder repays any loan amount by function repayLender or the community calls function lendToProject, function claimInterest in contract Community will be...

AI score: 6.7 • Exploits: 0

Code423n4 • added 2022/08/06 12:0 a.m. • 12 views

No check if 'ecrecover()' fails

Lines of code Vulnerability details Impact addMember function makes a call to 'ecrecover' to grab the 'community owner' & 'new member'. The problem is that if 'ecrecover' fails it will return a 0 which is currently not guarded against. This was a problem in the famous Polygon Matic token bug. The...

AI score: 6.9 • Exploits: 0

Code423n4 • added 2022/08/03 12:0 a.m. • 12 views

Unable To Verify Signature If There Are Too Many Signers And Operators

Lines of code Vulnerability details It was observed that there is a nested for loop within the AxelarAuthWeighted.validateSignatures function. If there are a large number of signatures and operators, it will result in an "Out of Gas" error or a "Block Gas Limit" error and the command's signature...

AI score: 6.7 • Exploits: 0

Code423n4 • added 2022/08/03 12:0 a.m. • 12 views

Anyone can self-destruct this contract.

Lines of code Vulnerability details Impact High Unprotected call to a function executing selfdestruct/suicide. Proof of Concept DepositHandler.destroy(address) (contracts/DepositHandler.sol#28-30) allows anyone to destruct the contract. Once the contract is unlocked through the noReenter modifier,...

AI score: 6.8 • Exploits: 0

Code423n4 • added 2022/08/03 12:0 a.m. • 12 views

No storage gap for Upgradable contract might lead to storage slot collision

Lines of code Vulnerability details Impact For upgradeable contracts, there must be storage gap to "allow developers to freely add new state variables in the future without compromising the storage compatibility with existing deployments" quote OpenZeppelin. Otherwise it may be very difficult to...

AI score: 7 • Exploits: 0

Code423n4 • added 2022/08/03 12:0 a.m. • 12 views

Approve will fail

Lines of code Vulnerability details Impact Multiple ERC20 tokens require zero address approval before approving the required amount. The contract seems to be missing this. Proof of Concept 1. Observe the receiveAndSendNative function at ReceiverImplementation.sol...

AI score: 6.9 • Exploits: 0

Code423n4 • added 2022/08/03 12:0 a.m. • 12 views

Did Not Approve To Zero First

Lines of code Vulnerability details Some ERC20 tokens like USDT do not work when changing the allowance from an existing non-zero allowance value. For example Tether USDT's approve function will revert if the current approval is not zero, to protect against front-running changes of approvals. The...

AI score: 6.8 • Exploits: 0

Code423n4 • added 2022/08/03 12:0 a.m. • 12 views

Use safetransfer/safetransferFrom consistently instead of transfer/transferFrom

Lines of code Vulnerability details Impact It's good to add a require statement that checks the return value of a token transfer, or to use safeTransfer or safeTransferFrom from OpenZeppelin, to ensure the token reverts on transfer failure. Failure to do so will cause silent failures of transfer and affec...

AI score: 6.8 • Exploits: 0

Code423n4 • added 2022/08/01 12:0 a.m. • 12 views

Able to delegate multiple times with the same tokenId

Lines of code Vulnerability details The delegate function in VoteEscrowDelegation.sol is used to delegate voting power from one tokenId to another. The tokenId is added to the toTokenId's delegatedTokenIds array which contains all tokenIds that have delegated to the toTokenId. The amount of votes...

AI score: 6.8 • Exploits: 0

Code423n4 • added 2022/07/28 12:0 a.m. • 12 views

Upgraded Q -> M from 268 [1659038665057]

Judge has assessed an item in Issue 268 as Medium risk. The relevant finding follows: The protocol does not support fee on transfer and other weird tokens, e.g.: IERC20(rewardToken).safeTransferFrom(msg.sender, address(this), amount); rewardTokenInfo[rewardToken].queuedRewards += amount; --- The text was...

AI score: 7 • Exploits: 0

Code423n4 • added 2022/07/25 12:0 a.m. • 12 views

TEST

Lines of code Vulnerability details Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used Recommended...

AI score: 7.1 • Exploits: 0

Code423n4 • added 2022/07/19 12:0 a.m. • 12 views

Reentrancy for function call before state update

Lines of code Vulnerability details Impact An external call "transfer" is made before updating state data through "setFuses" and "setFuses" does not depend on any data from "transfer". Proof of Concept Reentrancy is not only an effect of Ether transfer but of any function call on another...

AI score: 6.9 • Exploits: 0

Code423n4 • added 2022/07/17 12:0 a.m. • 12 views

Auctioneer Cut calculated in different order of magnitude

Lines of code Vulnerability details Impact Auctioneer fee is calculated in different order of magnitude. Proof of Concept As you are defining auctioneerReward in 1e18 basis point being 1e18 100% you need to divide by 1e18 when calculating percentage. function setAuctioneerReward(uint128...

AI score: 6.8 • Exploits: 0

Code423n4 • added 2022/07/17 12:0 a.m. • 12 views

Possible casting overflow in _updateAccounting function

Lines of code Vulnerability details Impact In the updateAccounting function, the inkOut and artIn parameters are cast from type uint256 to uint128. However, since the explicit cast does not ensure the value fits the uint128 data type i.e., not ensuring value <= type(uint128).max, casting overflows a...

AI score: 7 • Exploits: 0

Code423n4 • added 2022/07/17 12:0 a.m. • 12 views

On the auction function start time is not set

Lines of code Vulnerability details Impact During the code review, it has been noticed that auction start time block.timestamp is not set. All pay functions are checking if the auction.start is more than zero. For that reason, auction start time should be set at auction function. Proof of Concep...

AI score: 7.1 • Exploits: 0

Code423n4 • added 2022/07/17 12:0 a.m. • 12 views

CHECK VALID ADDRESS for _auctionStarted

Lines of code Vulnerability details Impact Should check for valid address before giving so it can revert if it isn't. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the...

AI score: 7 • Exploits: 0

Code423n4 • added 2022/07/15 12:0 a.m. • 12 views

Not safe transferFrom

Lines of code Vulnerability details Impact The Safe library says: @dev Caution! This library won't check that a token has code, responsibility is delegated to the caller. But this check is not made in Swivel contract, so the Safe library is prone to phantom methods attacks. Supposedly it is a...

AI score: 6.7 • Exploits: 0

Code423n4 • added 2022/07/14 12:0 a.m. • 12 views

Vault implementation can be selfdestructed due to lack of initialization

Lines of code Vulnerability details Impact HIGH - Assets can be lost directly Anybody can initialize the Vault's implementation contract. The worst case would be to selfdestruct and make all the already deployed and to be deployed Vault's proxies useless and assets in the deployed proxies will be...

AI score: 6.9 • Exploits: 0

Code423n4 • added 2022/07/08 12:0 a.m. • 12 views

Issue with condition check handling

Lines of code Vulnerability details Impact It might cause data corruption, as most of the data handling is done in low level. Proof of Concept // Add up all the percents to make sure they cumulative are under 100%. uint256 percentTotal = 0; for uint256 i = 0; i typeuint56.max revert...

AI score: 6.5 • Exploits: 0

Code423n4 • added 2022/07/08 12:0 a.m. • 12 views

Reentrancy vulnerability due to _distributePayoutsOf

Lines of code Vulnerability details The function distributePayoutsOf has reentrancy vulnerability which is being called by the external function distributePayoutsOf There are external calls in this function along with calls sending ETH Impact The contract JBPayoutRedemptionPaymentTerminal inherit...

AI score: 6.9 • Exploits: 0

Code423n4 • added 2022/07/08 12:0 a.m. • 12 views

Reentrancy issues on function distributePayoutsOf

Lines of code Vulnerability details Impact In the contract JBPayoutRedemptionPaymentTerminal, the function distributePayoutsOf calls the internal function distributePayoutsOf and this internal function performs a loop where is using the function distributeToPayoutSplitsOf https://githu...

AI score: 6.8 • Exploits: 0

Code423n4 • added 2022/07/04 12:0 a.m. • 12 views

fee proportional to strike even for unexercised orders

Lines of code Vulnerability details Impact The protocol takes a fee proportional to the order's strike. This happens during a withdraw: // transfer strike to owner if put is expired or call is exercised if order.isCall && isExercised || !order.isCall && !isExercised // send the fee to the admin/D...

AI score: 6.7 • Exploits: 0

Code423n4 • added 2022/07/01 12:0 a.m. • 12 views

getBorrowRate must return rate per block but currently return rate per year

Lines of code Vulnerability details Impact getBorrowRate must return rate per block as defined in compound interest rate model but currently return rate per year. Defined here: Proof of Concept This is definition / @notice Calculates the current borrow interest rate per block @param cash The tota...

AI score: 6.8 • Exploits: 0

Code423n4 • added 2022/06/30 12:0 a.m. • 12 views

Failed transfer with low level call won't revert

Lines of code Vulnerability details In BaseV1-periphery.sol, the function safeTransferCANTO is as follows: function safeTransferCANTO(address to, uint value) internal { (bool success,) = to.call{value:value}(new bytes(0)); require(success, "TransferHelper: ETHTRANSFERFAILED"); } This function is utilized in a fe...

AI score: 6.6 • Exploits: 0

Code423n4 • added 2022/06/27 12:0 a.m. • 12 views

Upgraded Q -> M from 207 [1656344422031]

Judge has assessed an item in Issue 207 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...

AI score: 7 • Exploits: 0

Total number of security vulnerabilities: 5000