10190 matches found
Denial of service with block gas limit.
Lines of code | Vulnerability details | Impact: An array of unknown size can lead to denial of service with block gas limit. Proof of Concept: When smart contracts are deployed or functions inside them are called, the execution of these actions always requires a certain amount of gas, based on how much...
High: Potential Redeem function cannot be executed because of revert
Lines of code | Vulnerability details | Impact: Inside the TribeRedeemer constructor, tokensReceived is initialized and can't be modified anywhere else. The previewRedeem function checks the balance of tokensReceived tokens held by the TribeRedeemer contract, and there is a require statement which guarantees that the...
reserve0CumulativeLast is incorrectly calculated
Lines of code | Vulnerability details | Impact: It was observed that both reserve0CumulativeLast and reserve1CumulativeLast are incorrectly calculated. Reference can be taken from the Uniswap contract, which calculates it correctly at Proof of Concept: 1. The reserve0CumulativeLast is currently calculated i...
TWAP LP price manipulation
Lines of code | Vulnerability details | Impact: The total value locked sum of the pair is used to price the LP. But the reserves of the underlying can be easily influenced by a flashloan, so the TVL can vary dramatically, just like what happened before here: Warp. Although getPriceLP uses TWAP to calcula...
[M04] Incorrect price calculation for non-stable pairs without CANTO token
Lines of code | Vulnerability details | Impact: A non-stable pair that doesn't have the CANTO token will always have an incorrect price calculated for it. Proof of Concept: The code assumes that all pairs are pairs with either the NOTE or the CANTO token: However, the createPair function doesn't require one of the...
USING THE SAME SYMBOL CAN GET A FAKED PRICE OF TOKEN
Lines of code | Vulnerability details | Impact: It compares the symbol to identify the token; this can be exploited to produce a fake price for the token. Proof of Concept: An attacker can create a token which is like a cToken and has the symbol of cNOTE. When somebody calls the comptroller's liquidateCalculateSeizeTokens, it will give...
Hardcoded prices are subject to abuse
Lines of code | Vulnerability details | Impact: Hardcoded prices are subject to abuse, which might result in the protocol being drained. Proof of Concept: There are 2 possible different issues in the Lending Protocol; 1. The attack surface/risk does not originate directly through the Canto protocol but...
Dividing before multiplying can cause data loss
Lines of code | Vulnerability details | Impact: Note: I'll use the notation decimals here to represent 10**token.decimals, just like the variable defined in the BaseV1Router.getPriceLP function. In the BaseV1Router.getPriceLP function, the token0 TVL is calculated in terms of NOTE, by multiplying the TV...
Possible division loss during LpPricesCumulative calculation
Lines of code | Vulnerability details | Impact: During the token0TVL calculation, it divides by decimals without multiplying by 1e18 first. So there might be division loss and the price might be calculated wrongly. Proof of Concept: When we calculate this part, it divides first without multiplying by 1e18...
Newton's iteration might not converge
Lines of code | Vulnerability details | Impact: In getAmountOut for a stable pair, Newton's method is used; however, there is no check for convergence of the solution. The numerical stability of Newton's method only applies to an initial value close enough to the real solution. If the iteration fails to...
Checked range.low.market and range.high.market can deliver a wrong return
Lines of code | Vulnerability details | Impact: A deactivated check can deliver a wrong return. Proof of Concept: When the auctioneer was live, range.low.market and range.high.market were checked: is it back above the cushion, and if the price is below the wall the only way was used && since if the case was the...
Operator role can update a policy without going through the governance / kernel update execution mechanism
Lines of code | Vulnerability details | Impact: A privileged role can make contract updates that should go through governance. Proof of Concept: In OlympusDao, updates to policies and modules are made by the kernel and are only callable by the governanceExecutors, which only execute updates voted by the...
Possibility of unfair voting
Lines of code | Vulnerability details | Impact: The proposal could never reach the THRESHOLD. Proof of Concept: On VoterRegistration.sol: 1. The voteradmin could mint (issueVotesTo) unlimited tokens to address(0) or any address. On Governance.sol: 2. This will affect the totalSupply so no one can execute...
_getPriceDecimals() can return wrong decimals
Lines of code | Vulnerability details | Impact: The decimals returned from function _getPriceDecimals are used in function activate to create a bond market. If the decimals are not accurate, the price for the bond can be wrong, which could result in: too low a price: abnormal arbitrage opportunity and fund loss to the...
In Governance.sol, it might be impossible to ever activate a new proposal after failing to execute the previous active proposal.
Lines of code | Vulnerability details | Impact: Currently, if users vote for the active proposal, the VOTES are transferred to the contract so that users can't vote for or endorse other proposals while the voted proposal is active. And the active proposal can be replaced only when the proposal is executed...
Swap at the lower cushion is impossible due to non-approved withdrawal. Wrong implementation can cause free swaps.
Lines of code | Vulnerability details | Impact: Currently it is not clear how the swap user is approved for withdrawing from the treasury. Depending on the implementation, a user could swap without spending any tokens, due to the approval mechanism in the TRSRY module. Description: In the swap function it should be...
Timelock can be set by anyone except admin since it was not initialized
Lines of code | Vulnerability details | Impact: Timelock can be manipulated by anyone. Proof of Concept: The Timelock NounsDAOExecutor can be set by anyone, since the timelock was not set (acceptAdmin) on initialize, so it can be manipulated. Tools Used: Manual Review. Recommended Mitigation Steps: Adding...
Malicious attacker can manipulate another delegator's vote
Lines of code | Vulnerability details | Impact: The function ERC721Checkpointable.delegate is used to change and delegate to another account, and it calls an internal function _delegate which will change the delegator of the msg.sender, and it will also call another internal function _moveDelegates which...
Incorrect Withdraw Pattern
Lines of code | Vulnerability details | Context: NounsDAOLogicV2.sol#L783-L792. Description: 1. When we transfer ether with call, we have to check with require whether the bool value is successful. This part is missing in the code of the contract. Proof Of Concept: 2. Since the bool value is not...
Unchecked call return value in _refundGas: the call can fail and the contract will not revert
Lines of code | Vulnerability details: Because payable.call is a low-level call, it will not cause a revert on failure. (bool refundSent, ) = msg.sender.call{value: refundAmount}(""); This means the function will go through as if the gas refund was processed, when it may not have been. This can specifically...
Pair still operational during pause
Lines of code | Vulnerability details: Pair still operational during pause. Severity: High. Context: FraxlendPairCore.sol#L660, FraxlendPairCore.sol#L676, FraxlendPairCore.sol#L786, FraxlendPairCore.sol#L828 https://github.com/code-423n4/2022-08-frax/blob/c4189a3a98b38c8c962c5ea72f1a322fb...
Interest rate can be gamed
Lines of code | Vulnerability details | Impact: A lender may borrow to increase the interest rate, and as such game the bank. Proof of Concept: Suppose a lender borrows half of the amount he has lent. If by doing so he increases the utilization such that the interest rate more than doubles, which may be...
The vault account amount can be the result of an overflow
Lines of code | Vulnerability details | Impact: The downcast uint128(amountToTransfer) can result in an overflow, which would impact the totalAsset.amount local variable, resulting in an incorrect amount for the totalAsset.amount state variable. function withdrawFees(uint128 shares, address recipient...
Using large liquidation fees to steal funds
Lines of code | Vulnerability details: The liquidation fees can be higher than the liquidation buffer, i.e., cleanLiquidationFee > LTV_PRECISION - maxLTV. Lenders are not fully repaid during liquidation when this is true. In a malicious scenario, an attacker may deploy a pool with very large liquidation...
Math operations and condition checks with two different data types (uint256 with uint128 and so on).
Lines of code | Vulnerability details | Impact: It may lead to unexpected results during math operations and condition checks. Proof of Concept: It is obvious that the following lines of code are written with two different data types. uint256 deltaTime = block.timestamp - currentRateInfo.lastTimestamp;...
Not calling approve(0) before setting a new approval might cause reverts when used with Tether (USDT)
Lines of code | Vulnerability details | Impact: Some tokens do not implement the ERC20 standard properly but are still accepted by most code that accepts ERC20 tokens. For example, Tether USDT's approve function will revert if the current approval is not zero, to protect against front-running changes o...
Chainlink's latestRoundData() might return stale or incorrect data
Lines of code | Vulnerability details | Impact: The only value being checked from the return of latestRoundData is answer. Chainlink returns more fields that can be checked to ensure the data is not stale/incorrect. Proof of Concept: Lack of checks inside the function updateExchangeRate might cause...
Anyone can deploy a pair with a potentially malicious token
Lines of code | Vulnerability details: By allowing anyone to create a pair with any two tokens, there is a risk that an unsavory token will get included either as collateral or as an asset. It could range from a bad actor intentionally inserting a malicious token to a well-intentioned team that...
Wrong values are passed to _checkpoint, messing up accounting
Lines of code | Vulnerability details | Impact: The increaseUnlockTime function sends a wrong unlock time to the _checkpoint function in the oldLocked variable: the locked variable, which is the new LockedBalance, is copied into the oldLocked variable, which is supposed to be the previous LockedBalance,...
Checkpoint end time is not correct.
Lines of code | Vulnerability details: Checkpoint end time is not correct. Impact: The user's voting power can be significantly decreased. Proof of Concept: At L513 of VotingEscrow.sol, when we increase the unlock time, oldLocked.end should be oldUnlockTime instead of unlocktime. We can double-check it fr...
FETH.sol is susceptible to the ERC20 approve front-running exploit
Lines of code | Vulnerability details | Proof of concept: The problem is perfectly described here. The tl;dr is that if you approved a person to spend 100 tokens and then you want to decrease his allowance to 50, if he spends his 100-token allowance before you set his allowance to 50, he will be able t...
VotingEscrow: Unsupported fee-on-transfer tokens
Lines of code | Vulnerability details | Impact: In the VotingEscrow contract, if the token is a fee-on-transfer token, the number of tokens received by the contract in the createLock and increaseAmount functions will be less than value. This makes the locked balance recorded by the contract incorrect,...
User can have full voting power with virtually no lockup using multiple locks and delegation
Lines of code | Vulnerability details | Impact: User receives the voting power of a max lock but only locks for a minimal amount of time. Proof of Concept: In VotingEscrow.sol _checkpoint, the duration of the delegatee and the total delegated tokens are used to determine the amount of voting power that a lock...
If a MIMOProxy owner destroys their proxy, they cannot deploy another from the same address
Lines of code | Vulnerability details: When deploying a new MIMOProxy, the MIMOProxyRegistry first checks whether a proxy exists with the same owner for the given address. If an existing proxy is found, the deployment reverts: MIMOProxyRegistry.deployFor: function deployFor(address owner) public overrid...
MIMOProxy: The execute function needs to verify that _initialized > 0
Lines of code | Vulnerability details | Impact: In order to avoid changing the owner during the delegatecall, the execute function of the MIMOProxy contract checks the owner before and after the delegatecall. But if _initialized is changed to 0 during the delegatecall, the MIMOProxy contrac...
Add members to a not-yet-created community
Lines of code | Vulnerability details | Impact: There is an addMember function in the Community. The function accepts data that should be signed by the community.owner and newMemberAddr. // Compute hash from bytes bytes32 hash = keccak256(data); // Decode params from data uint256 communityID, address...
Contract name will point to old implementation
Lines of code | Vulnerability details | Impact: The owner can update the implementation of contract Name. However, it was observed that the update is not done correctly and the contract fails to update the contractAddress[contractName] variable, which means the contract name will still point to the old implementation. Proof ...
Builder can pay only half of the agreed-upon interest on his debt by exploiting daily interest accrual
Lines of code | Vulnerability details | Impact: Project builder can get away with paying the community owner only half of the agreed-upon interest on his debt. Theoretically, the community owner can defend himself from this exploit if he's aware of this bug, but chances are that he won't be aware. Pro...
Approval from non-zero to non-zero amount can lead to DoS
Lines of code | Vulnerability details | Impact: Some tokens like USDT do not work when changing the allowance from an existing non-zero allowance value. They must first be approved to zero, and then the actual allowance must be approved. Proof of Concept: The following function uses an unsafe approval...
Anyone can steal the ether or the ReceiverImplementation tokens
Lines of code | Vulnerability details | Impact: Anyone can steal the ether or the ReceiverImplementation tokens. Proof of Concept: As you can see in the receiveAndSendNative method: function receiveAndSendNative(address payable refundAddress, string calldata destinationChain, string calldata...
Use safeTransfer/safeTransferFrom consistently instead of transfer/transferFrom
Lines of code | Vulnerability details | Impact: It is good to add a require statement to check the return value of the token transfer, or to use safeTransfer or safeTransferFrom from OpenZeppelin, to ensure the token reverts on transfer failure. Failure to do so will cause silent failures of transfers and affec...
Potential scenario where an attacker can steal a user's gas refund
Lines of code | Vulnerability details | Impact: Anybody is allowed to add gas for a specific tx. I was trying to figure out whether the following scenarios are possible: 1. Alice sends a public tx where she deposits some gas and calls the gateway contract after. 2. Bob, the attacker, catches that...
Anyone can self-destruct this contract.
Lines of code | Vulnerability details | Impact: High. Unprotected call to a function executing selfdestruct/suicide. Proof of Concept: DepositHandler.destroy(address) (contracts/DepositHandler.sol#28-30) allows anyone to destruct the contract. Once the contract is unlocked through the noReenter modifier,...
removeDelegation acts on wrong token
Lines of code | Vulnerability details | Impact: The function removeDelegation(tokenId) currently tries to remove tokenId from the list of tokens delegated to itself. The correct behavior would be to get which token tokenId is delegated to, and remove tokenId from the delegations to that token. Since...
Impossible to add ve in RewardDistributor
Lines of code | Vulnerability details | Impact: Starting from ve == 0, we call addVoteEscrow. function addVoteEscrow(address voteEscrow) external onlyOwner { if (address(ve) == address(0)) { ve = VE(pendingVoteEscrow); } else { voteEscrowEnableDate = block.timestamp + 1 days; pendingVoteEscrow = voteEscrow; } } The functio...
An NFT can be delegated to many NFTs
Lines of code | Vulnerability details: In VoteEscrowDelegation.sol, in the function delegate, there is no check on whether the tokenId NFT has already been delegated. Thus it is possible to delegate voting power multiple times. It's even possible to self-delegate tokenId = toTokenId multiple times. By...
Able to delegate multiple times with the same tokenId
Lines of code | Vulnerability details: The delegate function in VoteEscrowDelegation.sol is used to delegate voting power from one tokenId to another. The tokenId is added to the toTokenId's delegatedTokenIds array, which contains all tokenIds that have delegated to the toTokenId. The amount of votes...
Upgraded Q -> M from 268 [1659038665057]
Judge has assessed an item in Issue 268 as Medium risk. The relevant finding follows: The protocol does not support fee-on-transfer and other weird tokens, e.g.: IERC20(rewardToken).safeTransferFrom(msg.sender, address(this), amount); rewardTokenInfo[rewardToken].queuedRewards += amount; --- The text was...
TEST
Lines of code | Vulnerability details | Impact: Detailed description of the impact of this finding. Proof of Concept: Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used | Recommended...
CALL() should be used instead of TRANSFER() on an address payable
Lines of code | Vulnerability details | Impact: The use of the deprecated transfer function for an address will inevitably make the transaction fail when: 1. The claimer smart contract does not implement a payable function. 2. The claimer smart contract does implement a payable fallback which uses more...