10190 matches found
Unwrapping function emits event with incorrect values.
Lines of code Vulnerability details Impact The etherUnwrap function in the smart contract does not correctly emit the EtherUnwrap event. The issue arises when calculating and emitting the fee and transfer amounts. The current implementation deducts the fee, transfers the calculated amount, and...
Fee on transfer tokens are not accounted for in any way
Lines of code Vulnerability details Impact Fee on transfer or other unique tokens are not properly accounted for. This could lead to wrong accounting within The Ocean and eventual losses for the protocol. Proof of Concept The Ocean doesn't keep track of its balances when a user is wrapping a toke...
Upgraded Q -> 2 from #776 [1701285150754]
Judge has assessed an item in Issue 776 as 2 risk. The relevant finding follows: Low-01 No minimum AmountrsETH receive parameter absent in depositAsset Here we can see that User deposit asset via depositAsset which take asset address and asset depositAmount as parameter Then rsethAmountMinted...
LACK OF DEADLINE AND SLIPPAGE CHECKS COULD PROMPT THE USERS TO EXECUTE THE BUY AND SELL TRANSACTIONS AT UNFAVOURABLE PRICE POINTS
Lines of code Vulnerability details Impact The Market.sol contract implements four functions which depend on the linear bonding curve to calculate the price and fee amounts associated with their logic execution. These functions are Market.buy, Market.sell, Market.mintNFT and Market.burnNFT. The...
buggy reward calculation
Lines of code Vulnerability details Impact This is very similar to an inflation attack. Rewards increase whenever splitFees is being called which is anywhere buy/sell/mint/burn. The calculation is done like this: shareDataid.shareHolderRewardsPerTokenScaled += shareHolderFee 1e18 / tokenCount;...
Holder cannot claim fee
Lines of code Vulnerability details Impact Assume a user buys some shares and mints it to an NFT and sends the shares to a cold wallet for safety. The following happens: A user buys 10 shares using buy is called, the rewardsLastClaimedValue is updated to the latest holder rewards, the...
asD.sol::mint & asDFactory.sol::create allows an attacker to mint legitimate aSD with counterfeit underlying $NOTE
Lines of code Vulnerability details Impact When creating an aSD token using create from the asDFactory.sol, there's the cNote address reference to specify and set. A malicious user can deploy a counterfeit NOTE underlying token that isn't legit or backed by anything and set/reference it as...
Improper validation can cause fee error and loss of funds.
Lines of code Vulnerability details Impact If the amount is equal to zero the fee will be equal to zero, there is no check for amount should not be equal to zero the condition passes, it will fetch bondingCurve address then calcutes the price from LinearBondindCurve.sol,fee = priceForOne amount...
RandomizerNXT allows randomness re-rolling and also front-running.
Lines of code Vulnerability details Description When a collection uses RandomizerNXT as the randomizer, the process of minting and setting the token hash happens in the same transaction and block, which allows two attacks. First, a user can see the randomness outcome in mempool and front-run his...
Unchecked constructor arguments can make a contract unworkable
Lines of code Vulnerability details Impact In the NextGenCore contract constructor, there is no check that a valid admin contract is set using NextGenAdmins::isAdminContract. If the contract address in the adminsContract constructor is set incorrectly, it is not possible to call admin functions i...
Risk of Permanent ETH Loss for Bidders
Lines of code Vulnerability details Impact There's a risk of ETH becoming irretrievably locked in the contract if a bidder's address is a contract with either complex logic in its receive function or no receive function at all. In such cases, ETH transfers to these addresses could fail and result...
Cross-Contract Reentrancy can occur during burnToMint
Lines of code Vulnerability details Impact Cross Contract re-entrancy can occur due to not following CEI Proof of Concept 1. Attacker can call burnToMint, with any of the tokenId he owns! 2. This calls the burnToMint in GenCore, which mints the the new token from the to be minted collection...
Unbounded iteration over all index
Lines of code Vulnerability details Impact The transactions could fail if the array get too big and the transaction would consume more gas than the block limit. This will then result in a denial of service for the desired functionality and break core functionality. Proof of Concept Functions like...
PartyGovernanceNFT.burn is not updating the totalVotingPower
Lines of code Vulnerability details Proof of Concept The getSharedProposalStorage.governanceValues.totalVotingPower value defines the voting power cap that can be minted using mint in PartyGovernanceNFT. In a previous version of the protocol 2023-05-party this variable was...
accure interest function is likely failed to accure interest for token with low decimal
Lines of code Vulnerability details Impact loss of precision is too high when accuring interest Proof of Concept When intereste accures, we are calling uint256 interestAmount; uint256 interestRate = IIRMirm.getInterestRateaddressthis, trancheIndex, totalDeposit, totalBorrow; interestAmount =...
There is no check for collateral token in mint matches same in withdraw
Lines of code Vulnerability details Impact While we understand that usde is the base token here, we see that on minting used token you would need to transfer some tokens to the contract and get some used minted to you and on redemption get usde burnt to get a token sent back to you. The implicati...
Staking functionality temporary blocking due to lack of address zero check
Lines of code Vulnerability details Impact Though lack of zero check issue for the addToBlacklist function is already at the automated findings output, I suppose it is necessary to show the importance of this check here. In case of accidental or malicious the BLACKLISTMANAGERROLE behavior the...
Lender can cause unintended behavior for the borrower's transaction
Lines of code Vulnerability details This vulnerability comes in the form of when a borrower wants to remove a lender as a both deposit and withdraw and set them as a withdraw only, to avoid paying more interest on their funds in the market, this plan may not go as planned, based on the nature of...
Deploying a market with a non-ERC20 asset can cause incorrect interaction with asset
Lines of code Vulnerability details Impact The market contract may expect certain ERC20 functions to be present and behave in a specific way. If the asset contract does not adhere to the ERC20 standard, the market may behave unexpectedly, resulting in incorrect token balances, pricing, or other...
Invalid asset address can result to malicious Market Address and loss of fund
Lines of code Vulnerability details Impact The computeMarketAddress function is used to calculate the address where a market contract for a specific asset would be deployed. If an invalid asset address is passed, it could potentially lead to a collision with a valid market contract address, causi...
Permanent DoS on Market Creation Failure
Lines of code Vulnerability details Impact Permanent DoS of creating a market if anything fails in the market constructor. Within a create2 call, instead of failing when a revert occurs in the constructor being run, it just returns address0. If this occurs within a market that's being created the...
[ADRIRO-NEW-H-03] Invalid operation in withdrawStuckTokens() will break CVX balance tracking in VotiumStrategy
Lines of code Vulnerability details Summary The updated code for withdrawStuckTokens contains an update to the trackedCvxBalance variable that will break CVX accounting in the VotiumStrategy contract, leading to multiple severe consequences. Impact To mitigate a potential withdrawal of CVX tokens...
Scaling Issue in AccountingEngine.auctionSurplus Causing Token Drains
Lines of code Vulnerability details Impact The impact of this vulnerability is significant as it leads to a scaling problem in surplus auctions conducted by the AccountingEngine. The vulnerability arises from the way the amountToSell in surplusAuctionHouse.startAuction call and rad in...
Upgraded Q -> 2 from #272 [1698254247989]
Judge has assessed an item in Issue 272 as 2 risk. The relevant finding follows: ERC1155 can be inflated if the token doesn’t revert on failed transfer --- The text was updated successfully, but these errors were encountered: All reactions...
On repaying and taking collateral there is 2 times modifying tokenCollateral[cType][account/sourse]this lead to a problem
Lines of code Vulnerability details Impact when you are repaying your tokenCollateralcTypeaccount is modified 2 times, which leads to incorrect data Proof of Concept On calling repayAllDebtAndFreeTokenCollateral or repayDebtAndFreeTokenCollateral first you are calling modifySAFECollateralization...
use of correct modifier
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used Recommended Mitigation Steps function...
M-05 Unmitigated
Lines of code Vulnerability details Original Issue M-05: Reward sandwiching in VotiumStrategy Details The issue outlined above is about making instant profit by depositing before the boost happens and withdrawing right after the boost occurs. Those who locked their positions for 16+ weeks get the...
The GovernorSettings are set to incorrect values
Lines of code Vulnerability details When ODGovernor is deployed the GovernorSettings is initialized with the initialVotingDelay, initialVotingPeriod and initialProposalThreshold. The problem is that the initialVotingDelay and initialVotingPeriod are set to incorrect values which are really small...
[ADRIRO-NEW-H-02] Users loses their share of rewards while waiting for withdrawal
Lines of code Vulnerability details Summary Withdrawals in AfEth undergo a delay until the underlying CVX tokens can be withdrawn. Depositors need to request a withdrawal and wait until the required withdrawal epoch before making their withdrawal effective. During this period of time, they will...
ODProxy is flawed due to delegatecall to ODSafeManager which render system inoperable
Lines of code Vulnerability details Impact The vulnerability arises from the use of delegatecall to interact with the ODSafeManager contract, which is designed to store the context of the safe manager. However, the data inside ODSafeManager is never properly updated when ODProxy uses delegatecall...
Upgraded Q -> 2 from #2037 [1698131784473]
Judge has assessed an item in Issue 2037 as 2 risk. The relevant finding follows: L‑01 Early users can modify the underlying assets’ unit share price Summary: ERC4626, an extension of ERC20, is a standard that is mostly used in yield-bearing tokens. The contract of an ERC4626 token itself is an...
Register Wallet unprotected
Lines of code Vulnerability details Impact In the code comments, it states that: @dev Can only be called by safe deployer or the wallet itself This requires a check for either the safe deployer or the wallet. However there is no check to verify this case, therefore any address can verify their se...
Console account cannot execute a transaction on a sub account unless it registers itself as an executor
Lines of code Vulnerability details The Executor is an account authorized to make module transactions on a subAccount via ExecutorPlugin. The executor is assigned/registered by the subaccount created by the console account. But the console account itself cannot execute the transaction & is...
There is no checking whether the ExecutorPlugin module has been activated or not on the sub-account, this can cause malfunctions if the user wants to execute tx via ExecutorPlugin
Lines of code Vulnerability details There is no checking whether the ExecutorPlugin module has been activated or not on the sub-account, this can cause malfunctions if the user wants to execute tx via ExecutorPlugin Impact Can cause malfunctions if the user wants to execute tx via ExecutorPlugin ...
the nonce value is not increasing everytime
Lines of code Vulnerability details Impact the nonce value is not increasing everytime The nonce value is used to create the TypeHashHelper.Transaction struct that's passed to the buildTransactionStructHash function. The actual value of executorNonceexecRequest.accountexecRequest.executor is...
Needs a secure modifier
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. The ERC20ProxyDelegator constructor appears to be used for delegating voting rights to a delegate by allowing them to call the delegate function of an ERC20Votes contract. To secure this function, you...
Front-Running during Proxy Creation
Lines of code Vulnerability details Impact An ill-intentioned party might front run every proxy contracts creation and deploy one first causing the transaction for every user to revert. It is worth noting that for this attack to succeed, the attacker would need to get their transaction mined in t...
Zero address Salt used in Creating delegate contract
Lines of code Vulnerability details Impact A zero-valued salt used, means an attacker can predict the contract address of a new delegate, this can lead an attacker to create the ERC20ProxyDelegator on behalf of the user, this is to allow for max access to the tokens to be transfered Proof of...
Possibility of losing users funds due to not checking for zero address (address 0x0)
Lines of code Vulnerability details Impact As there is no function for checking whether the addresses of the sources and targets are zero or not in the delegateMulti function it may cause issues for users Sending tokens to a zero address address 0x0 is generally not a recommended practice in...
Delegation transfer might become temporarily unavailable due to input format in _delegateMulti
Lines of code Vulnerability details Impact A user might mint a valid delegation token to a target delegate which cannot be transferred to another target delegate through processDelegation due to delegateMulti's extension of address type of data into the space of uint256. Proof of Concept As...
token.transferFrom signaling failure by returning false may allow for funds to be stolen
Lines of code Vulnerability details Impact ERC20MultiDelegate is expected to work with any ERC20-compliant tokens as long as they provide the same functionality and interface as ERC20Votes from OpenZeppelin. This makes it possible for ERC20MultiDelegate to work with a token that signals...
payableCall in VirtualAccount isn’t protected by requiresApprovedCaller modifier
Lines of code Vulnerability details Impact due to the lack of access control in payableCall function in VirtualAccount contract, anyone can call payableCall on a user virtual account . An attacker can use this vulnerability to steal the users funds after a failed settlement by the user . Proof of...
Incorrect functionID will not trigger fallback
Lines of code Vulnerability details Impact When encoding a payload for settlement of multiple tokens, the fallback flag is not set when it should be. This will cause no fallback to be triggered even though the user has paid enough to cover the additional costs that are required. Proof of Concept ...
A Malicious user can create a rootBridgeAgent with a malicious endpoint and execute calls directly with the rootBridgeAgent.
Lines of code Vulnerability details Impact A Malicious user can create a rootBridgeAgent with a malicious endpoint and execute calls directly with the rootBridgeAgent. Since anyone can create a rootBridgeAgent with desired values for port, endpoint and router address in anychain. The Attacker can...
Timestamp Manipulation
Lines of code Vulnerability details Impact there is a problem in that contract especiall when updating tickTrackingIndex within the loop an attacker can manipulate the values of enterTimestamp and exitTimestamp to force tickActiveEnd to be significantly larger than tickActiveStart inflate the...
ChainLink should be used as an Oracle for messaging instead of Google Cloud
Lines of code Vulnerability details Impact Each User Application contract e.g. BranchBidgeAgent built on LayerZero will work without configuration using defaults, but a UA will also be able to configure its own. Maia intends to use the default config. However, Google Cloud Oracle is the default a...
BLOCKS_PER_YEAR in Prime.sol should vary depending on leap and non-leap year
Lines of code Vulnerability details Impact Since BLOCKSPERYEAR is used for calculating the total income that's going to be distributed in a year to prime token holders in the function incomeDistributionYearly, an inadequate non-zero value for BLOCKSPERYEAR in terms of chain and/or leap/non-leap...
underflow possible with sufficiently large capital and sufficiently low alpha
Lines of code Vulnerability details Impact An underflow is possible when a sufficiently large capital is coupled with an adequately low alpha value. This scenario may trigger unanticipated behaviors, resulting in the unforeseen failure of transactions, undermining the integrity and reliability of...
M-05 MitigationConfirmed
Lines of code Vulnerability details In the previous implementation when stakingContract.totalAllocPoint = 0 stakingContract.withdraw and stakingContract.deposit will div 0 , revert This results in StargateRewardableWrapper no longer being able to execute StargateRewardableWrapper.withdraw The...
requestDeposit and requestRedeem do not allow for any price guarantee, opening users to sandwich attacks and other losses
Lines of code Vulnerability details Impact Request functions take only the desired input amount as a parameter, giving no way for the caller to control the fulfilment price. The price is decided by the Centrifuge mainnet only. function requestDeposituint256 assets, address owner; function...