10190 matches found
ERC1155Enumerable._removeTokenEnumeration() checks the removal condition wrongly.
Lines of code Vulnerability details Impact ERC1155Enumerable.removeTokenEnumeration checks the removal condition wrongly. As a result, the tokens with 0 total supply won't be removed from allTokens array at all. Proof of Concept removeTokenEnumeration checks the removal condition like below when ...
Timeswap Options has no reentry check and is providing a set of flashloan with no fees
Lines of code Vulnerability details high-flashloan-provider @timeswap Impact In the file /package/v2-option/TimeswapV2Option.sol, There are a range of functions that has no Reentry check. As a consequence, when the contract call back msg.sender, an attacker can then reeentry in his own callee...
Lack of access control in certain functions within TimeswapV2LiquidityToken & TimeswapV2LiquidityToken contracts
Lines of code Vulnerability details Impact The TimeswapV2Token & TimeswapV2LiquidityToken contracts lack proper access control in sensitive functions such as mint, burn, collectFees, and updateFees. There is no modifier or "require" to check if the caller is allowed to call these functions. This...
Upgraded Q -> M from #598 [1674741102558]
Judge has assessed an item in Issue 598 as M risk. The relevant finding follows: 2.minDepositAmount When the asset is btc, the minDepositAmount is too large when asset == btc , minDepositAmount = 0.1 btc , equal 2000 usd suggest: function minDepositAmount public view virtual overrideERC4626Cloned...
The transferFeesFrom function does not check if the "from" address is the actual owner of the position before transferring the fees.
Lines of code Vulnerability details Impact The code Doesn't check if the from address is the owner of the position before transferring the fees. If the from address is not the owner of the position, an attacker could potentially transfer fees from another user's position without their permission...
Upgraded Q -> M from #404 [1674736594739]
Judge has assessed an item in Issue 404 as M risk. The relevant finding follows: Lβ04 latestAnswer is deprecated Use latestRoundData instead so that you can tell whether the answer is stale or not. The latestAnswer function returns zero if it is unable to fetch data, which may be the case if...
ReturndataPointer Out of Bounds: A Recipe for Disaster
Lines of code Vulnerability details Impact This vulnerability allows an attacker to read or write to arbitrary memory locations by passing an out-of-bounds 'ReturndataPointer' value to the functions in the 'ReturndataReaders' and 'MemoryReaders' libraries. This can potentially lead to sensitive...
_locateCurrentAmount function, there is an assembly operation that is dividing by duration without a zero check
Lines of code Vulnerability details Impact In the locateCurrentAmount function, there is an assembly operation that is dividing by duration without a zero check, which could cause a division by zero error. Proof of Concept // Check for division by zero requireduration != 0, "Division by zero...
Upgraded Q -> M from #113 [1674422768939]
Judge has assessed an item in Issue 113 as M risk. The relevant finding follows: During handling the open fees, the tigAsset is distributed to gov. But, it is not approved before to be consumed by gov. So, the first user's transaction to initiate a market order, will fail. During handling the clo...
Upgraded Q -> M from #658 [1674423084300]
Judge has assessed an item in Issue 658 as M risk. The relevant finding follows: L-04 USDT IS NOT SUPPORTED FOR CALLING Trading.handleDeposit FUNCTION ON ETHEREUM MAINNET As shown by , USDT on the Ethereum mainnet does not allow approving a new amount when the existing approved amount is not zero...
High Severity Reentrancy Vulnerability in stateTransition Modifier
Lines of code Vulnerability details Impact Lack of reentrancy protection in the stateTransition modifier occurs in the following line of code. modifier stateTransitionTradeStatus begin, TradeStatus end requirestatus == begin, "Invalid trade state"; status = TradeStatus.PENDING; ; assertstatus ==...
attacker can make stakeRate to be 1 in the StRSR contract and users depositing tokens can lose funds because of the big rounding error
Lines of code Vulnerability details Impact code calculates amount of stake token and rsr token based on stakeRate and if stakeRate was near 1e18 then division error is small but attacker can cause stakeRate to be 1 and that can cause users to loss up to 1e18 token during stake and unstake. Proof ...
Baited by redemption during undercollateralization (no issuance, just transfer)
Lines of code Vulnerability details Impact This is similar to the "high" vulnerability I submitted, but also shows a similar exploit can be done if a user isn't a whale, and isn't issuing anything. A user can send a redeem TX and an evil actor can make it so they get almost nothing back during...
createLien() The first LienToken does not check for liquidationInitialAsk and maxPotentialDebt
Lines of code Vulnerability details Impact Illegal liquidationInitialAsk and maxPotentialDebt may result in bids amount do not cover the debt Proof of Concept With the current implementation, the first LienToken does not check liquidationInitialAsk and maxPotentialDebt function appendStack...
LienToken: Lender and liquidator can collude to block auction and seize collateral
Lines of code Vulnerability details If a lender offers a loan denominated in an ERC20 token that blocks transfers to certain addresses for example, the USDT and USDC blocklist, they may collude with a liquidator or act as the liquidator themselves to prevent loan payments, block all bids in the...
commitToLien() can pass in an illegal payment token
Lines of code Vulnerability details Impact Stealing vault assets Proof of Concept There are currently two ways to create new Liens in the system 1. user call AstariaRouter.commitToLiens, the internal implementation of this is through VaultImplementation.commitToLien to create 2. user can call...
Potential DOS in utilizationRate() function
Lines of code Vulnerability details Potential DOS IN UTILIZATIONRATE utilizationrate = borrows / cash + borrows - reserves. if cash+ borrows = reserves this goes to infinity so that utilizationrate reverts. Also if cash + borrows Tools Used Vs code Recommended Mitigation Steps Define...
Rounding error "confiscastes" some collateral
Lines of code Vulnerability details Impact There are no adjustments for collateral that is not returned on redemptions due to rounding errors. It will stay in the assetSender however, it will look as if was fully paid out. The rounding error also depends on the burned quantity, so it may be...
Bypass depositFor Contract Check
Lines of code Vulnerability details Validation will pass for a contract in construction; an address where a contract will be created; an address where a contract lived, but was destroyed. --- The text was updated successfully, but these errors were encountered: All reactions...
Frontrunning of smart wallet deployment
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. An attacker could obtain information about the owner and 'index' parameters to front-run the deployment of a smart wallet. Proof of Concept Provide direct links to all referenced code in GitHub. Add...
SmartAccount implementation contract can be destroyed by anyone
Lines of code Vulnerability details SmartAccount implementation contract can be destroyed by anyone Impact Locking all user's funds forever due to DoS for all functions. Proof of Concept There are 2 main reasons for this vulnerability: 1. The expected behaviour of interacting with the...
Users can accidentally lock their stakes forever
Lines of code Vulnerability details Impact StakeManager accepts user deposits and stakes. When adding a new stake, it allows the arbitrary value of unstakeDelaySec supposedly it is higher than previous info.unstakeDelaySec: function addStakeuint32 unstakeDelaySec public payable DepositInfo storag...
getStakers() and getMinipools() could return wrong values (Access Control)
Lines of code Vulnerability details Impact Staking.sol and MinipoolManager.sol contracts use the eternal storage pattern. The contracts are a key-value store that all protocol contracts can write to and read. more info: Functions getStakers.staking and getMinipools.MinipoolManager are implemented...
Upgraded Q -> M from #4 [1671756144822]
Judge has assessed an item in Issue 4 as M risk. The relevant finding follows: GroupBuy: Insertion timestamp ignored The documentation states that "If the users have the same quantity as well, the bid that was placed later will have Raes removed.". However, with the current implementation, this i...
Liquidation logic is incorrect in some conditions
Lines of code Vulnerability details Impact Because purchaseLiquidationAuctionNFT function clears remaining debt of debtor if he has no more collateral, it's possible that when 2 auctions exists in same time, liquidation logic will not work properly and debt will be nullified before last auction i...
PaprController.onERC721Received() assigns collateral to operator's vault instead of the nft owner's one
Lines of code Vulnerability details Impact The collateral is assigned to the operator's vault because of a parameter mismatch. This impacts the ability of third parties to integrate the PaprController contract. You're not able to create an intermediary contract that adds collateral to a user's...
Borrowers may earn auction proceeds without filling the debt shortfall
Lines of code Vulnerability details Impact The proceeds from the collateral auctions will not be used to fill the debt shortfall, but be transferred directly to the borrower. Proof of Concept Assume N is an allowed NFT, B is a borrower, the vault V is vaultInfoBN: 1. B add two NFTsN-1 and N-2 as...
Invalid tokens can be added to the pair
Lines of code Vulnerability details Impact merkleRoot is a bytes32 and it is compared to bytes230 which makes it possible for a non-zero merkleRoot to be set in the constructor and yet still all tokens will be declared as valid Proof of Concept Tools Used Manual Audit Recommended Mitigation Steps...
Attacker can steal the amount collected so far in the GroupBuy for NFT purchase.
Lines of code Vulnerability details Description purchase in GroupBuy.sol executes the purchase call for the group. After safety checks, the NFT is bought with market's execute function. Supposedly it deploys a vault which owns the NFT. The code makes sure the vault is the new owner of the NFT and...
_transferFrom() in Pair contract doesn't update approval amounts when transferring user fractional tokens
Lines of code Vulnerability details Impact Contract Pair is and ERC20 token which represents user fractional token balance and it has all the features of the standard ERC20 tokens. function transferFrom has been written for transferring token but the logic isn't complete and it doesn't consider...
NOT refunding excess token while adding liquidity
Lines of code Vulnerability details Impact LP providers can lose fund Proof of Concept Tools Used Recommended Mitigation Steps incase of ether, return excess ether - incase of erc20, transfer only required amount - --- The text was updated successfully, but these errors were encountered: π 1 Shun...
Only one GroupBuy can ever use USDT or similar tokens with front-running approval protections
Lines of code Vulnerability details Calling approve without first calling approve0 if the current approval is non-zero will revert with some tokens, such as Tether USDT. While Tether is known to do this, it applies to other tokens as well, which are trying to protect against this attack vector...
## MALICIOUS OWNER CAN CLOSE AND WITHDRAW AS HE WANT
Lines of code Vulnerability details MALICIOUS OWNER CAN CLOSE AND WITHDRAW AS HE WANT These functions below are set some emergency scenarios. But caviar.Owner able to triggered these functions as he want. Need to set some require statement in order to actually check these scenarios before his...
Groupbuy: Construction of merkle tree allows some unintended IDs to be bought
Lines of code Vulnerability details Impact In GroupBuy.purchase, when no proof is provided, it is required that the provided token ID is equal to the stored merkleRoot: if purchaseProof.length == 0 // Hashes tokenId to verify merkle root if proof is empty if bytes32tokenId != merkleRoot revert...
Wrong position size calculation in TradingLibrary.pnl()
Lines of code Vulnerability details Impact Users will pay less closing fees than they should when they have a profitable short position. Also, they will pay more fees when they have a lost short position. Proof of Concept TradingLibrary.pnl calculates the new position size like below. function...
Weak PRNG
Lines of code Vulnerability details Impact Weak PRNG due to a modulo on block.timestamp, now or blockhash. These can be influenced by miners to some extent so they should be avoided. src/VRFNFTRandomDraw.sol if settings.recoverTimelock block.timestamp + MONTHINSECONDS 12 revert...
Unchecked setters
Lines of code Vulnerability details Impact Incorrect data: If the 'referred' or 'protocol' variables are set to incorrect values, it could result in incorrect or unexpected behavior in the contract. Manipulation: Malicious actors could potentially exploit this vulnerability to manipulate the syst...
Use of resignOwnership can lead to stuck NFT in contract
Lines of code Vulnerability details Impact Contract OwnableUpgradeable has a resignOwnership function that, if called, can potentially cause the loss of the NFT after a draw has been started. Proof of Concept These are the steps/conditions that make this issue happen: When the owner calls...
DoS after creating 100 raffles under one subscriptionID
Lines of code Vulnerability details Impact If a user adds new consumer, function VRFCoordinatorV2::addConsumer is called: function addConsumeruint64 subId, address consumer external override onlySubOwnersubId nonReentrant // Already maxed, cannot add any more consumers. if...
_priceData.price is not verified in _limitClose
Lines of code Vulnerability details Impact In the function limitClose from the TradingExtension contract the priceData.price is not verified with the getVerifiedPrice function instead its value is directly used, and because the the getVerifiedPrice internally calls the function...
Function fulfillRandomWords in VRFNFTRandomDraw contract must not revert
Lines of code Vulnerability details The VRFNFTRandomDraw contract implements the Chainlink VFR feature to pull random data to select the raffle winner. As per their security guidelines the implementation of the fulfillRandomWords function must not revert. Impact If the fulfillRandomWords function...
Distribute is open to rewards manipulation
Lines of code Vulnerability details Impact The distribute function is prone to manipulation by the first depositor if the totalShares is low, since the result of transferFrom in distribute is not checked. This can happen if a malicious user calls createLock whereby shares = 1 then calls distribut...
Router can perform swaps, add/remove liquidity to pools that do not belong to the protocol.
Lines of code Vulnerability details Impact Users can lose their funds PoC In UniswapV3 decodeFirstPool returns the tuple address tokenOut, address tokenIn, uint24 fee . From there it lookups the corresponding pool address with getPooltokenIn, tokenOut, fee which may not exist. See However, in you...
In WithdrawHook.hook(), withdraw limits can be bypassed.
Lines of code Vulnerability details Impact In WithdrawHook.hook, withdraw limits can be bypassed. As a result, users might withdraw more amount of the base token at a time than they should. Proof of Concept WithdrawHook.hook checks the withdraw limits like below. if lastGlobalPeriodReset +...
PrePOMarket.redeem() business logic may raise users' concerns of their assets
Lines of code Vulnerability details Impact When a user tries to redeem assets, current business logic may fail and pop the error msg fee = 0 repeatedly. Users may not understand what's happening behind, thus raise concers about the safety of their assets since it looks like their assets are out o...
Pool cannot recover from the emergency mode
Lines of code Vulnerability details Impact Pool cannot recover from the emergency mode. If the admin turn on the emergency mode, the user cannot swap or addLiqudity in the pool any more. Proof of Concept In the Pool Contract, the admin factory owner can set the status of the pool to ermergency:...
[NAZ-M2] Usage of send() Can Result In Revert
Lines of code Vulnerability details Impact Several functions are sendusing is used by the across several functions to transfer ETH/WETH. send uses a fixed amount of gas, which was used to prevent reentrancy. However this limit your protocol to interact with others contracts that need more than th...
The buy() function on Last Price Dutch Auction Sale doesn't check if auction ended, may lead to user loss asset
Lines of code Vulnerability details Impact The buy function on Last Price Dutch Auction Sale doesn't check if auction is ended, may lead to user loss asset if user call with amount 0 with msg.value 0 Proof of Concept Ideally if the max id finalId is reached, then the auction will end, so no user...
finalise() lacks authenticate calls to this method as anyone can access it.
Lines of code Vulnerability details Impact Unprotected call to a function sending Ether to an arbitrary address. This can be exploited by attackers . Proof of Concept function finalize public Sale memory temp = sale; requireblock.number = temp.endTime, "TOO SOON";...
Fallback oracle is unusable when primary oracle is not updated
Lines of code Vulnerability details Description Paraspace implemented their own Oracle wrapper in ParaSpaceOracle.sol. The important function getAssetPrice is used by many logic functions like health check. function getAssetPriceaddress asset public view override returns uint256 if asset ==...