use of transfer() instead of call() to send eth

Lines of code Vulnerability details Impact Use of transfer might render ETH impossible to withdraw becuase after istanbul hardfork , there is increases in the gas cost of the SLOAD operation and therefore breaks some existing smart contracts.Those contracts will break because their fallback...

Owner can whitelist addresses for swaps and steal approved assets from users

Lines of code Vulnerability details Impact There is a common vulnerability with aggregator/bridge contracts where passing in arbitrary calldata can do unwanted actions such as steal tokens that were approved to that contract. While there is a whitelist system set up, there is no stopping a...

[WP-M9] sendNative with CBridge will always revert

Lines of code Vulnerability details function startBridgeCBridgeData memory cBridgeData internal Storage storage s = getStorage; address bridge = bridge; // Do CBridge stuff requires.cBridgeChainId != cBridgeData.dstChainId, "Cannot bridge to the same network."; if...

Spreads can be minted with a deactivated oracle

Lines of code Vulnerability details Impact When deactivateOracle is called for an oracle in OracleRegistry it is still available for option spreads minting. This way a user can continue to mint new options within spreads that rely on an oracle that was deactivated. As economic output of spreads i...

QTokens with the same symbol will lead to mistakes

Lines of code Vulnerability details The README.md states: Bob can then trade the QToken with Alice for a premium. The method for doing that is beyond the scope of the protocol but can be done via any smart contract trading platform e.g. 0x. It is therefore important that tokens be easily...

[WP-H0] Wrong implementation of EIP712MetaTransaction

Lines of code Vulnerability details 1. EIP712MetaTransaction is a utils contract that intended to be inherited by concrete actual contracts, therefore. it's initializer function should not use the initializer modifier, instead, it should use onlyInitializing modifier. See the implementation of...

Strategy Migration May Leave Tokens in the Old Strategy Impacting Share Calculations

Lines of code Vulnerability details Impact If a strategy does not have sufficient funds to withdraw for the full amount then it is possible that tokens will be left in this yield contract during migrate. It is common for withdrawal from a strategy to withdraw less than a user's balance. The reaso...

Fee-on-transfer/deflationary tokens cause problems

Lines of code Vulnerability details Some ERC20 tokens, such as USDT, allow for charging a fee any time transfer or transferFrom is called. If a contract does not allow for amounts to change after transfers, subsequent transfer operations based on the original amount will revert due to the contrac...

Too many amms - Dravee

Duplicate of 97 --- The text was updated successfully, but these errors were encountered: All reactions...

CL - throttle

Duplicate of 46 --- The text was updated successfully, but these errors were encountered: All reactions...

Oracle - csanuragjain

Duplicate of 46 --- The text was updated successfully, but these errors were encountered: All reactions...

DDOS - Omik

Duplicate of 119 --- The text was updated successfully, but these errors were encountered: All reactions...

Updating the hub’s token contract address may lead to incorrect undelegation amount

Lines of code Vulnerability details Updating the hub’s token contract address may lead to incorrect undelegation amounts Impact The hub contract allows config updates to the tokencontract config values in anchor-bAsset-contracts/contracts/anchorbassethub/src/config.rs Such updates can cause wrong...

Spend limit can be circumvented

Lines of code Vulnerability details Impact The spending limit is on a single message. One can circumvent it by splitting the transaction up into several messages. if config.spendlimit amount return ErrStdError::genericerr"Cannot spend more than spendlimit"; It does not seem like a useful spend...

Users Can Frontrun Token Distributions Using Flashloans

Lines of code Vulnerability details Impact The collector suite of contracts will actively send ANC token distributions to staked ANC token holders. However, because it is known beforehand that a distribution will be made to the governance contract, users can abuse this to frontrun distributions b...

Whitelisting is Disabled in CrossAnchorBridge.sol

Lines of code Vulnerability details Impact Upon deployment/initialisation, an array of collateral tokens are added to a whitelist, meaning that these tokens are the only tokens that should be deposited/redeemed. Any unsupported tokens should correctly revert so as to avoid instances where Terra...

Whitelist check commented out on the Cross Chain Stable tokens

Lines of code Vulnerability details Impact During the code review, It has been observed that the whitelisted token check is commented out. That will cause to user fund lost on the bridge. The related function only should allow white-listed tokens. Proof of Concept 1. Navigate to the the following...

Fee-on-transfer/deflationary tokens cause problems

Lines of code Vulnerability details Some ERC20 tokens, such as Tether USDT, allow for charging a fee any time transfer or transferFrom is called. If a contract does not allow for amounts to change after transfers, subsequent transfer operations based on the original amount will revert due to the...

The store method allows you to store the same token twice

This issue has been created to upgrade a QA report submission to a medium severity finding. From 0x1f8b: The store method allows you to store the same token twice in NestedRecords.solL130 To do this you must first call storenftId,tokenA,0,reserve and then storenftId,tokenA,100000,reserve because ...

If SChain is Removed Before kill() and getFunds() all Tokens are Locked in the Bridge

Lines of code Vulnerability details Impact If the SChain is removed before all the funds are withdrawn from the bridge they will be permanently locked in the bridge. When a SChain is removed in by the SKALE protocol via the function SchainsInternal.removeSchain the data including the owner will b...

An offer made after auction end can be stolen by an auction winner

Lines of code Vulnerability details Impact An Offer which is made for an NFT when auction has ended, but its winner hasn't received the NFT yet, can be stolen by this winner as transferFromEscrow being called by acceptOffer will transfer the NFT to the winner, finalising the auction, while no...

constructor function used with upgradeable contracts

Lines of code Vulnerability details Impact In FETH.sol it uses Open Zeppelin upgradeable contracts in the file while also including a constructor function. Upgradeable contracts should have an initialize function instead of a constructor in order not the clash with one another. Proof of Concept...

permitAndMulticall() May Be Used to Steal Funds Or as a Denial Of Service if _from Is Not The Message Sender

Lines of code Vulnerability details Impact When the from address is not the msg.sender multiCall will be made on behalf of the msg.sender. As a result each of the functions called by multiCall will be made on behalf of msg.sender and not from. If functions such as transfer or unstake are called...

revert can be bypassed by forcefully sending ETH using selfdestruct()

Lines of code Vulnerability details Impact In NFTMarket.sol there is a receive function that reverts if the msg.sender is not the feth address. This is an attempt to prevent other parties from sending ETH to the contract but this security check can easily be bypassed by an attacker forcefully...

ClearingHouse looping over dynamic array might result in a DOS because of the block gas limit

Lines of code Vulnerability details Impact Inside the ClearingHouse contract there are multiple instances where it loops over the dynamic amms array. There is no way looping over a subset of the array or continuing for you left off. Thus, if the array is large enough certain functions won't be...

Timelock for critical changes

Lines of code Vulnerability details Impact setDefaultFeePercentage, setCustomFeePercentageForCollateral and setCustomFeePercentageForSafe functions should have a timelock to give users time to react to the fee changes. ref: code-423n4/2021-11-overlay-findings120 Proof of Concept Tools Used Manual...

[WP-H7] InsuranceFund#syncDeps() may cause users' fund loss

Lines of code Vulnerability details function syncDepsIRegistry registry public onlyGovernance vusd = IERC20registry.vusd; marginAccount = registry.marginAccount; The Governance address can call InsuranceFund.solsyncDeps to change the contract address of vusd anytime. However, since the tx to set ...

Assets sent from MarginAccount to InsuranceFund will be locked forever

Lines of code Vulnerability details Impact Assets sent from MarginAccount to InsuranceFund will be locked forever Proof of Concept The insurance fund doesn't have a way to transfer non-vusd out of the contract. Assets transferred to the InsuranceFund will be locked forever. Mitigation Have a way...

permit() without updating nonce can result in replay attacks

Lines of code Vulnerability details Impact In PermitAndMulticall.sol the permit is called on the permitToken which allows you to sign the meta-transaction while someone else can submit it to the blockchain on your behalf. The problem is that a valid signature might be used several times in other...

ERC4626 mints more shares than it should

Lines of code Vulnerability details bug in the mint function of the ERC4626 contract The mint function recieves an amount of shares and an address to and mints the amount of shares to the to address. The sender must transfer an amount of token, so that the ratio will be saved - shares / totalShar...

TurboRouter: deposit(), mint(), createSafeAndDeposit() and createSafeAndDepositAndBoost() functions do not work

Lines of code Vulnerability details Impact The TurboRouter contract inherits from the ERC4626RouterBase contract. When the user calls the deposit, mint, createSafeAndDeposit and createSafeAndDepositAndBoost functions of the TurboRouter contract, the deposit and mint functions of the...

ERC4626 mints token amount, not number of shares

Lines of code Vulnerability details Impact If the number of assets is different from the number of shares, the user will get more or less shares than they expect. Users don't have to be sophisticated at all, just using the contract as intended can cause users to get more or less of the shares of ...

[WP-H2] Improper control over the versions of distributions' metadata may lead to repeated claims of rewards

Lines of code Vulnerability details function updateRewardsMetadataCommon.Distribution calldata distributions external onlyRoleDEFAULTADMINROLE requiredistributions.length 0, "Invalid distributions"; IRewardDistributordistributor.updateRewardsMetadatadistributions; In the current implementation,...

RewardDistributor._claim uses native token payable.transfer, which is usafe for smart contracts

Lines of code Vulnerability details Impact When reward.token is set to vault address and native token is used, it is sent out via payable.transfer call. This is unsafe as transfer has hard coded gas budget and can fail when the account is a smart contract. Such transactions will fail for smart...

Slurp misses boost cap checks

Lines of code Vulnerability details Impact Missing checks of canSafeBoostVault in onSafeSlurp function in TurboMaster.solL279. The current vault deposit could already be at BoostCap. Calling slurp on this vault would add interest on the getTotalFeiBoostedForVaultV which will now becomes BoostCap...

Fee amount too restrictive

Lines of code Vulnerability details Impact In the fee collect modules like FeeCollectModule, the initializePublicationCollectModule checks if the fee amount that each user needs to pay is at least = BPSMAX = 10000. For certain currencies with fewer decimals this is too restrictive. As an example,...

NestedFactory: User can utilise accidentally sent ETH funds via processOutputOrders() / processInputAndOutputOrders()

Lines of code Vulnerability details Impact Should a user accidentally send ETH to the NestedFactory, anyone can utilise it to their own benefit by calling processOutputOrders / processInputAndOutputOrders. This is possible because: 1. receive has no restriction on the sender 2. processOutputOrder...

NestedFactory: User can utilise accidentally sent ETH funds via processOutputOrders() / processInputAndOutputOrders()

Lines of code Vulnerability details Impact Should a user accidentally send ETH to the NestedFactory, anyone can utilise it to their own benefit by calling processOutputOrders / processInputAndOutputOrders. This is possible because: 1. receive has no restriction on the sender 2. processOutputOrder...

Reentrancy

Lines of code Vulnerability details Impact Potential Reentrancy Proof of Concept Reentrancy in ConcurRewardPool.claimRewardsaddress contracts/ConcurRewardPool.sol34-40: External calls: - IERC20tokensi.safeTransfermsg.sender,getting contracts/ConcurRewardPool.sol37 State variables written after th...

Shelter funds can be stolen

Lines of code Vulnerability details Impact Shelter has a function withdraw that lets whitelisted users withdraw a specified amount of some token. The function does not check if the user has already withdrew the tokens. Since, a user can withdraw allowed amount any number of times, stealing all th...

MasterChef.add must update pools first

Lines of code Vulnerability details The MasterChef.add function changes the total pool allocation but does not update other pools first. When other pools are finally updated at some point, then accConcurPerShare will be wrongly computed with their smaller allocPoint / newTotalAllocPoint share eve...

ConvexStakingWrapper deposits and withdraws will frequently be disabled if a token that doesn't allow zero value transfers will be added as a reward one

Lines of code Vulnerability details Impact If deposits and withdraws are done frequently enough, the reward update operation they invoke will deal mostly with the case when there is nothing to add yet, i.e. reward.remaining match the reward token balance. If reward token doesn't allow for zero...

Owner never calls finalize() = rug pull

Lines of code Vulnerability details Impact In order for users to claim their promised tokenOut tokens, the contract owner must call the finalize function. If the owner never calls the finalize function, no user can call the claim function to get their tokens. The owner can call the sweep function...

[WP-H3] saleRecipient can rug buyers

Lines of code Vulnerability details In TokenSaleUpgradeable.solbuy, tokenIn will be transferred from the buyer directly to the saleRecipient without requiring/locking/releasing the correspoining amount of tokenOut. This allows the saleRecipient to rug the users simply by not transferring tokenOut...

Double transfer in the transferAndCall function of ERC677

Handle shw Vulnerability details Impact The implementation of the transferAndCall function in ERC677 is incorrect. It transfers the value amount of tokens twice instead of once. Since the Flan contract inherits ERC667, anyone calling the transferAndCall function on Flan is affected by this...

Calling generateFLNQuote twice in every block prevents any migration

Handle camden Vulnerability details Impact and PoC In the Uniswap helper, generateFLNQuote is public, so any user can generate the latest quote. If you call this twice in any block, then the two latest flan quotes will have a blockProduced value of the current block's number. These quotes are use...

You can grief migrations by sending SCX to the UniswapHelper

Handle camden Vulnerability details Impact The attack here allows the attacker to prevent migrations. The attack here is recoverable because we can just call buyFlanAndBurn f it worked as expected with SCX as the input token to buy Flan with the extra SCX, then run the migration again. Proof of...

Improper Validation Of Chainlink's latestRoundData Function

Handle leastwood Vulnerability details Impact latestRoundData is missing additional validation to ensure that the round is complete and has returned a valid/expected price. This is documented here. Proof of Concept , int256 daiPrice, , , = DAI.latestRoundData; , int256 usdcPrice, , , =...

OpenLevV1Lib's and LPool's doTransferOut functions call native payable.transfer, which can be unusable for smart contract calls

Handle hyh Vulnerability details Impact When OpenLev operations use a wrapped native token, the whole user withdraw is being handled with a payable.transfer call. This is unsafe as transfer has hard coded gas budget and can fail when the user is a smart contract. This way any programmatical usage...

Failed transfer with low level call could be overlooked

Handle harleythedog Vulnerability details Impact In LaunchEvent.sol, the function safeTransferAVAX is as follows: function safeTransferAVAXaddress to, uint256 value internal bool success, = to.callvalue: valuenew bytes0; requiresuccess, "LaunchEvent: avax transfer failed"; This function is utiliz...