10190 matches found
TEST
Lines of code Vulnerability details Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used Recommended...
CALL() should be used instead of TRANSFER() on an address payable
Lines of code Vulnerability details Impact The use of the deprecated transfer function for an address will inevitably make the transaction fail when: 1 The claimer smart contract does not implement a payable function. 2 The claimer smart contract does implement a payable fallback which uses more...
Reentrancy for function call before state update
Lines of code Vulnerability details Impact An external call "transfer" is made before updating state data through "setFuses" and "setFuses" does not depend on any data from "transfer". . Proof of Concept Reentrancy is not only an effect of Ether transfer but of any function call on another...
Multiple auction can run on same vault - Collateral loss
Lines of code Vulnerability details Impact Due to insufficient checks, it is possible to run 2 auctions at same time. This can lead to loss of collateral for this vault as collateral quantity placed for auction will double Proof of Concept 1. User starts auction on vault id 1 which transfer...
If baseJoin's available balance is greater than callers' amount no underlying will be transferred.
Lines of code Vulnerability details Impact If callers' amount is greater than baseJoin's available balance no underlying will be transferred but caller still gets liquidatorCut. This may also negatively impact the accounting since its updated under the assumption that the caller will transfer...
CHECK VALID ADDRESS for _auctionStarted
Lines of code%20internal%20virtual%20%7BL214 Vulnerability details Impact Should check for valid address before giving so it can revert if it isn't. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the...
There is no boundaries for starting an auction.
Lines of code Vulnerability details Impact The team has brought this contest to be fairer to their users in terms of liquidation mechanism. Looking through this perspective, it can be developed more on the process to be much fairer to the users in volatile market conditions. Proof of Concept The...
Liquidator cut is calculated incorrectly
Lines of code Vulnerability details Impact User can call payBase function to pay debt in return for collateral. But due to incorrect calculation User will obtain lesser collateral than what he should actually receive causing immediate permanent loss Proof of Concept 1. User calls payBase function...
Vault owners can grief auctioneers by cancelling auctions
Lines of code Vulnerability details Since auctioneers are only paid keeper incentives on successful bids, a malicious vault owner can grief auctioneers by creating a risky vault, luring an auctioneer to start an auction, and then immediately canceling it. This is a somewhat elaborate and risky...
Upgraded Q -> M from 358 [1657932899986]
Judge has assessed an item in Issue 358 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
Upgraded Q -> M from 279 [1657955636898]
Judge has assessed an item in Issue 279 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
Upgraded Q -> M from 253 [1657932404226]
Judge has assessed an item in Issue 253 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
ISwivel.authRedeem() doesn't have an implementation in Swivel.sol
Lines of code Vulnerability details Impact ZcToken.withdraw and ZcToken.redeem will always revert because Swivel.sol doesn't contain authRedeem function. Proof of Concept ZcToken.withdraw and ZcToken.redeem call MarketPlace.authRedeem and ISwivelswivel.authRedeem isn't implemented. I think...
MarketPlace - authRedeem does not work
Lines of code Vulnerability details Impact The redeem process looks broken, impacting one of the core functionality of the protocol. Proof of Concept The redeem process is the following: User calls redeem or withdraw in ZcToken, which forwards the call to MarketPlace, which calls...
Not safe transferFrom
Lines of code Vulnerability details Impact The Safe library says: @dev Caution! This library won't check that a token has code, responsibility is delegated to the caller. But this check is not made in Swivel contract, so the Safe library it's prone to phantom methods attacks. Supposedly it is a...
Cannot withdraw or redeem approved tokens
Lines of code Vulnerability details Title Cannot withdraw or redeem approved tokens Impact A contract/EOA which has been approved some ZcToken cannot redeem or withdraw the approved tokens since these functions always revert if msg.sender != holder. Proof of Concept In the withdraw function...
Incorrect check for signature malleability
Lines of code Vulnerability details Impact Sig.recover has an Incorrect check: c.v != 27 || c.v != 28. Thus, Sig.recover always reverts. Proof of Concept c.v != 27 || c.v != 28 is always true function recoverbytes32 h, Components calldata c internal pure returns address // EIP-2 and malleable...
Vault implementation can be selfdestructed due to lack of initialization
Lines of code Vulnerability details Impact HIGH - Assets can be lost directly Anybody can initialize the Vault's implementation contract. The worst case would be to selfdestruct and make all the already deployed and to be deployed Vault's proxies useless and assets in the deployed proxies will be...
Royalty percentage in FERC1155 can be set to a value greater than 100%
Lines of code Vulnerability details Impact Function setRoyalties does not check that the value of percentage is less or equal to 100. Function royaltyInfo in L247 could return a royaltyAmount greater than salePrice. Proof of Concept This simple test shows how the controller can set a value of...
Migration Module: After successful migration, ERC20 assets can be thrown away by anyone
Lines of code Vulnerability details Impact HIGH - Assets can be lost directly After proposal and proposed buyout is successful, anyone can transfer ERC20 asset in the vault to the zero address and the asset will be lost. Proof of Concept proof of concept: testAnyoneCanThrowERC20poc The proof of...
Oracle data feeds are insufficiently validated
Lines of code Vulnerability details Impact If the oracle price feeds are insufficiently validated, there will be pricing errors leading to the miss-pricing of assets Proof of Concept The JBSingleTokenPaymentTerminalStore and abstract JBPayoutRedemptionPaymentTerminal both rely on their respective...
Usage of insecure transfer/transferFrom
Lines of code Vulnerability details Proof of Concept This is a well known issue, the protocol uses at many parts the insecure transfer/safeTransfer for generic ERC20 tokens. Recommended Mitigation Steps Use OZ Safe Transfer --- The text was updated successfully, but these errors were encountered:...
Use of IERC20.transfer() instead of SafeERC20.safeTransfer()
Lines of code Vulnerability details Impact There are multiple external calls to IERC20.transfer and IERC20.transfer in contracts that suppose to transfer out tokens from/to the system. However, there are tokens like USDT that don't return any return value in their implementation of the transfer...
oldToken.transferOwnership() to contract may be irreversible
Lines of code Vulnerability details oldToken.transferOwnership to contract may be irreversible Proof of Concept JBTokenStore.sol 265-266: if newOwner != address0 && oldToken != IJBTokenaddress0 oldToken.transferOwnershipprojectId, newOwner; OpenZeppelin library Ownerable.sol: function...
In JBERC20PaymentTerminal.sol#_transferFrom(...) ignoring return value when IERC20(token).transferFrom(...)
Lines of code Vulnerability details In JBERC20PaymentTerminal.soltransferFrom... ignoring return value when IERC20token.transferFrom... Some of ERC20 token implementations return false upon unsuccess transfer like USDT token, this can lead to some unpredictable balances to rise up without actual...
Upgraded Q -> M from 95 [1657055392912]
Judge has assessed an item in Issue 95 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
Create a short call order with non empty floor makes the option impossible to exercise and withdraw
Lines of code Vulnerability details Impact HIGH - assets can be lost If a short call order is created with non empty floorTokens array, the taker cannot exercise. Also, the maker cannot withdraw after the expiration. The maker will still get premium when the order is filled. If the non empty...
Not-yet-exist ERC20 Could Be Used Within An Order
Lines of code Vulnerability details Vulnerability Details It was observed that the PuttyV2 contract uses solmate's SafeTransferLib for pulling ERC20 assets from the order maker or taker to the PuttyV2 contract. There is some difference between the implementation of solmate's SafeTransferLib and...
Fee is being deducted when Put is expired and not when it is exercised.
Lines of code Vulnerability details Impact Fee is being deducted when Put is expired and not when it is exercised in PuttyV2.sol. Comment section of the setFee function mentions "fee rate that is applied on exercise" which signifies that the fee amount is meant to be deducted from strike only whe...
fund steal by crating a lot of bad long positions and then transferring NFT token of long position to all users and trick them(or by mistake) to click on exercise()
Lines of code Vulnerability details Impact when fillOrder is called code mints two PuttyV2 NFT token, one for Long position and one for Short Position and It's possible to transfer this NFT tokens to others. exercising unwanted bad Long positions can cause users to lose funds and tokens, for...
Any one can mint penny NFT to take some advantage
Lines of code Vulnerability details Any one can mint penny NFT to take some advantage Impact Some users might be taken advantage of, for those who long call or short put the floortoken, and finnally lead to loss of these users. Proof of Concept There is no control over the floortoken platform,...
Underlying asset price oracle for CToken in BaseV1-periphery is inaccuarte
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Underlying asset price oracle for CToken in BaseV1-periphery is inaccuarte Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that...
Sending 1 wei of cNote to the treasury can malfunction sweepInterest()
Lines of code Vulnerability details function sweepInterest external override if msg.sender != admin revert SenderNotAdminmsg.sender; //Total balance of Treasury = Note + CNote Balance, Exp memory exRate = Expmantissa: cnote.exchangeRateStored; //used stored interest rates in determining amount to...
GovernorBravoDelegate.sol _initiate() can be called multiple times
Lines of code Vulnerability details Submitting as med risk because documentation inside functions shows that require is there for the purpose of preventing it being called again but is not working correctly, and since we do not have access to the timelock code I cannot fully assess the impact...
getBorrowRate must return rate per block but currently return rate per year
Lines of code Vulnerability details Impact getBorrowRate must return rate per block as defined in compound interest rate model but currently return rate per year. Defined here: Proof of Concept This is definition / @notice Calculates the current borrow interest rate per block @param cash The tota...
Failed transfer with low level call won't revert
Lines of code Vulnerability details In BaseV1-periphery.sol, the function safeTransferCANTO is as follows: function safeTransferCANTOaddress to, uint value internal bool success, = to.callvalue:valuenew bytes0; requiresuccess, "TransferHelper: ETHTRANSFERFAILED"; This function is utilized in a fe...
getSupplyRate returns rate per year instead of per block
Lines of code Vulnerability details Impact According to the documentation in InterestRateModel, getSupplyRate has to return the supply rate per block and the function supplyRatePerBlock in CToken directly returns the value of getSupplyRate. However, the rate per year is returned for NoteInterest...
BURNER_ROLE can burn any amount of ERC20MinterBurnerDecimals from an arbitrary address
Lines of code Vulnerability details Vulnerability details Proof of Concept Using the burnCoins function of ERC20MinterBurnerDecimals, an address with BURNERROLE can burn an arbitrary amount of tokens from any address. We believe this is unnecessary and poses a serious centralization risk. A...
Upgraded Q -> M from 207 [1656344422031]
Judge has assessed an item in Issue 207 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
Transfer the original underlying token back to the user but actually transfer from lender to redeemer
Lines of code Vulnerability details Impact Transfer the original underlying token back to the user but actually transfer from lender to redeemer. Underlying token may be locked forever and user may not receive their fund after redeeming. Proof of Concept // Transfer the original underlying token...
[M-03] Wrong minting on lend for Tempus
Lines of code Vulnerability details Impact Will result in either failure to lend or loss of funds for the lender Proof of Concept Not very clear what was the original intention, but I find it hard to believe that subtracting the whole balanceOf iPTs from the return result from Tempus, is what was...
Illuminate PT redeeming do not return underlying to a user
Lines of code Vulnerability details In the second step of two step redeeming process, the underlying funds should be located in the Redeemer contract as external system burned the shares the Redeemer obtained from the Lender contract and returned underlying to Redeemer. Then Redeemer's Illuminate...
[PNM-003] _totalStakedBefore_ and _totalStakedAfter_ are the always the same
Lines of code Vulnerability details Description It can be medium or high according to the off-chain logic which is not avaiable for the contest. Specifically, rebases can only be updated by function storeRebase and the only callsite of function storeRebase is in function rebase. While we have...
No check for set with address(0)
Lines of code Vulnerability details Impact can mint and get approve from address 0. Proof of Concept function setMarketPlaceaddress m external authorizedadmin returns bool if marketPlace != address0 revert ExistsmarketPlace; marketPlace = m; return true; Tools Used None Recommended Mitigation Ste...
Unable to redeem from Notional
Lines of code Redeemer.solL193 Vulnerability details Impact The maxRedeem function is a view function which only returns the balance of the Redeemer.sol contract. After this value is obtained, the PT is not redeemed from Notional. The user will be unable to redeem PT from Notional through...
[H-05] Not minting iPTs for lenders in several lend functions
Lines of code Vulnerability details Impact Using any of the lend function mentioned, will result in loss of funds to the lender - as the funds are transferred from them but no iPTs are sent back to them! Basically making lending via these external PTs unusable. Proof of Concept There is no mintin...
Improper Upper Bound Definition on the Fee
Lines of code Vulnerability details Impact The feenominator does not have any upper or lower bounds. Values that are too large will lead to reversions in several critical functions or the platform user will lost all funds when paying the fee. Proof of Concept 1. Navigate to the following contract...
Staking.setCurvePool() doesn't approve allowance when changes CURVE_POOL.
Lines of code Vulnerability details Impact Staking.setCurvePool doesn't approve allowance when changes CURVEPOOL. It will affect when users exchange asset through CURVEPOOL. Proof of Concept When initialize the contract, Staking contract approves CURVEPOOL here. But when admin updates CURVEPOOL...
[H-03] Attacker can mint unbound amount of iPTs (on APWine)
Lines of code Vulnerability details Note that I've reported a similar vulnerability, on a different 'Principals' and POC\attack vector is a bit different. I will leave it to the judge to decide if these should be grouped as 1 report or not - but I wanted to be specific at the POC instead of...
Principal token is not transferred
Lines of code Vulnerability details Impact When redeeming from APWine and Tempus here, the principal token is not transferred to the redeemer, so may be stuck on the lender contract. Proof of Concept Instead of Safe.transferFromIERC20u, lender, addressthis, amount; it should be...