10190 matches found
Allowance manipulation in UserEscrow struct leads to unauthorized token transfers due to overreliance on maximum allowance check
Lines of code Vulnerability details Summary The UserEscrow smart contract contains a vulnerability that can possibly allow unauthorized users to transfer tokens out of the contract. Specifically, an attacker can exploit this flaw by manipulating the allowances, thus enabling them to bypass the...
The maxMint check should be cumulatively applied to ensure it's effectiveness
Lines of code Vulnerability details Impact Circumvention of the maximum minting restriction, since all a receiver need to do is not specify the whole amount of tokens in one attempt and then claim more than the maximum amount Proof of Concept Take a look at LiquidityPool.solL145-L157 /// @notice...
lack of an ownership transfer mechanism
Lines of code Vulnerability details Issue: The code does not have a mechanism to transfer ownership of the contract. In the current implementation, once deployed, the contract owner's address cannot be changed. This can be problematic for contract maintenance and security, as it restricts the...
Unchecked return value of low level
Lines of code Vulnerability details In the code you provided earlier, there is a potential "Unchecked return value of low-level call" vulnerability in the following line: addressstrategy.delegatecallabi.encodeWithSignature"harvest"; This line of code uses the delegatecall function to invoke the...
getActiveTickIndex returns wrong index
Lines of code Vulnerability details To find a tick that's above price ie its only underlying is the base token, getActiveTickIndex should not if baseTokenIsToken0 && amt0 == 0 || !baseTokenIsToken0 && amt0 == 0 return tickIndex; it should if baseTokenIsToken0 && amt1 == 0 || !baseTokenIsToken0 &&...
yryryserywretsh
Lines of code L1 Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used Recommended Mitigation Steps Assess...
Protocol will fail for ERC1155 tokens
Lines of code Vulnerability details Issue DelegateTokenTransferHelpers::checkERC1155BeforePull and DelegateTokenTransferHelpers::pullERC1155AfterCheck perform "set and check" operations on erc1155Pulled.flag which will always revert. In the first function, the value of erc1155Pulled.flag is set t...
User funds may be blocked if tokens with a transfer fee are used as the underlyingToken
Lines of code Vulnerability details Impact The user can create rights token pair pulling underlying token. To do this, it calls the create function . During the execution of the function, the user sends tokens to the contract address . If an ERC20 token is used as a tokenContract, then the...
The roerouter hard-coded address error causes all fee funds to be sent to the treasury instead of the vault
Lines of code Vulnerability details Impact The roerouter hard-coded address error causes all fee funds to be sent to the treasury instead of the vault. This will reduce the capital utilization rate, because the fee should be added to the LP to earn interest, but now because the vault address cann...
Cross-chain smart contract call can revert and burned tokens in source chain can't be recovered
Lines of code Vulnerability details Summary AXELARGATEWAY.callContract doesn't revert on failure in destination chain , execute function can revert for varies reasons such as not passing require statements, or low gas so tokens remained burned in source chain and can't be recovered . Impact Loss ...
Precision Error in getPrice due to Omission of Last Day's Interest
Lines of code Vulnerability details The code attempts to calculate the price based on the interest from the previous day by using range.end - 1. However, if the last day represented by range.end has fully passed, the interest for this day is never taken into account. Over time, these slight...
Potential Out-of-Bounds Error When Modifying Ranges
Lines of code Vulnerability details The method allows for the modification of a range based on an index. However, there's no explicit check to ensure that the provided indexToModify is within the bounds of the ranges array. If an out-of-bounds index is provided, the method will throw a generic...
UniswapV3 trading fees are always locked in treasury instead of going back to the protocol users through GeVault
Lines of code Vulnerability details TokenisableRange was redesigned to redirect collected fees to a pre-defined GeVault, where the protocol stakers can benefit from the added value. However, the use of an incorrect variable makes this distribution of the fees impossible to happen, and the fees wi...
Risk of Token Get Stuck in burnAndCallAxelar Function due to Use of Same Chain ID
Lines of code Vulnerability details Impact The burnAndCallAxelar function within the contract presents a potential risk where tokens can become stuck if the same chain ID is used for both the source and destination chains. In this scenario, tokens are burned from the user's account, and a...
missing in calculation parameter issue in Earnings Pool
Lines of code Vulnerability details Impact here is the vulnerable part in code : function getLastTranscoderRewardsEarningsPooladdress transcoder, uint256 round internal view returns uint256 rewardRound, EarningsPool.Data memory pool BondingCheckpoint storage bond = getBondingCheckpointAttranscode...
Slashing transcoders on violation should not effect the delegators who staked into such transcoders, delegators should continue to earn rewards
Lines of code Vulnerability details Impact Due to violation of norms, when a transcoder is slashed and force to resign, the delegators who provided stake into such transcoder should not be effected. They delegators should be able to continue earning the rewards as they delegated their tokens to...
LastRewardRound is sometimes not checkpointed for Delegators
Lines of code Vulnerability details Impact lastRewardRound is not updated/checkpointed for delegators when transcoder changes state. This results in incorrect rewards and votes. It also violates this checkpointing condition specified by the technical specification: Quote: "In practical terms, it...
Attacker can DOS the sync function of RdpxV2Core which will brick critical functionality
Lines of code Vulnerability details Impact The sync function of the RdpxV2Core contract is critical for ensuring that the cached balances of the tokens in the contract are up to date. For example, all of the AMO logic involves sending tokens directly to the RdpxV2Core contract, meaning there's no...
Improperly tracking asset reserve for WETH
Lines of code Vulnerability details Impact Function RdpxV2Corewithdraw lets delegate owners withdraw their unused WETH. However, withdrawn amount is not deducted from totalWethDelegated, which causes WETH asset reserve tracked improperly. The impacts could be: 1. Function sync gets reverted when...
Malicious user can prevent the creation of a proposal
Lines of code Vulnerability details Vulnerability Detail The LivepeerGovernor inherits OpenZeppelin's GovernorUpgradeable contract. The GovernorUpgradeable utilizes the hashProposal function to generate a unique hash when creating a new proposal. The hash depends solely on input parameters:...
Incorrect price precision in RdpxV2Core
Lines of code Vulnerability details Impact The core contract expects the price oracle to return 1e8 precision, but its actually 1e18. This will cause heavily incorrect results from all usages of the price. Proof of Concept The RdpxV2Core.getRdpxPrice function is meant to return 1e8 precision:...
Missed approving to UniswapV2Router
Lines of code Vulnerability details Impact The contract should have already granted an allowance of at least minamountOfWeth for the input token. This step is missing during the UniswapV2Router call within the lowerDepeg function. // @audit msg.sender should have already given the router an...
DOS the system by frontrunning the initialize function
Lines of code Vulnerability details Impact LivepeerGovernor and Treasury are vulnerable to DOS. Proof of Concept The initialize function present in these two contracts is not called just after their construction. Which is confirmed in the contract LivepeerGovernorUpgradeMock.sol while initializin...
Potential Over-redemption Vulnerability in redeem Function
Lines of code Vulnerability details Impact In the redeem function, when a third party is using their allowance to redeem shares on behalf of an owner, there exists a potential scenario where the third party could redeem more than originally intended by the owner. Proof of Concept This is how the...
[H-01] GovernorCountingOverridable.castVoteBySig()/castVoteWithReasonAndParamsBySig(): Possible signature replay attacks to influence proposal execution
Lines of code Vulnerability details Impact In the GovernorCountingOverridable.sol inherited by LivePeerGovernor.sol, users can provide a signature to allow someone else to vote on their behalf using the castVoteBySig/castVoteWithReasonAndParamsBySig function since this functions are not overriden...
DOS in governance when voting after delegate
Lines of code Vulnerability details Impact The GovernorCountingOverridable::handleVoteOverrides function substracts the delegator vote weight from the total votes when the delegatee has already submited a vote. However, if the delegator's vote is greater than the current total vote the substracti...
PerpetualAtlanticVaultLP incentives can be stolen via flash loan
Lines of code Vulnerability details Impact The liquidity pooled from the PerpetualAtlanticVaultLP is used by the core contract. This liquidity is provided by anyone, and after each epoch 1 week an incentive is paid after to further incentivise liquidity provision. However, the funds can be stolen...
Initialization Issue in EarningsPoolL
Lines of code Vulnerability details Impact the vulnerable part in code : uint256 prevCumulativeRewardFactor = prevEarningsPool.cumulativeRewardFactor != 0 ? prevEarningsPool.cumulativeRewardFactor : PreciseMathUtils.percPoints1, 1; earningsPool.cumulativeRewardFactor =...
Condition will not revert when block.timestamp is == to the compared variable
Lines of code Vulnerability details Medium Issues | | Issue | Instances ---|---|--- M-1 | Condition will not revert when block.timestamp is == to the compared variable | 1 M-1 Condition will not revert when block.timestamp is == to the compared variable The condition does not revert when...
Loss of precision due to division occurring before multiplication across multiple statements leads to lesser number of receiving tokens
Lines of code Vulnerability details Impact Swaps and Deposits work with two tokens X and Y. The computed amount of tokens on the receiving end decrease due to this multi-statement loss of precision occurring due to division before multiplication. Note: This finding is different from the L-06 bot...
Accounting for Fixed_Fee and Base_Fee twice leading to less amount or token recieved
Lines of code Vulnerability details Impact There are multiple instances where fees is deducted twice. I will explain this with one function similar logic follows in other functions as well.So whenever the swapGivenInputAmount function is called by the user with inputAmount provided by the user th...
Using incorrect parameter for checking the reserve
Lines of code Vulnerability details Impact At line 549 within the swap function's code, the internal call to the function checkBalances checks the reserve for token x is carried out using xi + specifiedAmount instead of xi + roundedSpecifiedAmount. When using roundedSpecifiedAmount passes the che...
overflow vulnerability in the _lpTokenSpecified() function when calculating computedAmount
Lines of code Vulnerability details Impact uf will be incorrect, which will lead to incorrect final price points xf, yf and ultimately an incorrect computedAmount. It also allows an attacker to manipulate the pool in their favor by depositing or withdrawing more assets than they should be able to...
Loss of precision in the YieldVault causes DoS when depositing from the Vault
Lines of code Vulnerability details Title Loss of precision in the YieldVault causes DoS when depositing from the Vault Original Issue M-22 - Loss of precision leads to undercollateralized Details The original demonstrates how the Vault could fall into undercollateralization mode if the YieldVaul...
H-08 MitigationConfirmed
Lines of code Vulnerability details Original Issue H-08 - Increasing reserves breaks PrizePool accounting Details The previous implementation to increase reserves in the PrizePool contract didn't take into account the injected reserves, which caused the accounted balance in the prize pool to not ...
H-09 Unmitigated
Lines of code Vulnerability details Issue not mitigated About the problem In the report i have described some vaults that will not work in the designed system. Example of such vault will be any vault that has withdraw limit. In this case yieldVault.maxWithdraw call will not return actual amount o...
H-05 Unmitigated
Lines of code Vulnerability details Issue not mitigated About the problem sponsor function allows caller to delegate his shares to the special address. In this case caller losses ability to win prizes. Previous version of code had sponsor function, which allowed to deposit funds on behalf of owne...
M-02 Unmitigated
Lines of code Vulnerability details Comments In the previous implementation a malicious user could set arbitrary vault hooks for afterClaimPrize and beforeClaimPrize that could be used to gas grief the claimer or cause other claims in the same call to fail by deliberately reverting Mitigation The...
getPastCirculatingSupply() returns the ARB token supply instead of circulating votes supply
Lines of code Vulnerability details Bug Description In ArbitrumGovernorVotesQuorumFractionUpgradeable, the getPastCirculatingSupply function is used when calculating quorum for proposals: ArbitrumGovernorVotesQuorumFractionUpgradeable.solL31-L35 /// @notice Get "circulating" votes supply; i.e.,...
Anyone can change the members of Security Council
Lines of code Vulnerability details Impact Anyone can change the members of security council by calling the function perform in the contract SecurityCouncilMemberSyncAction.sol as the function is open to all. Proof of Concept uint256 updateNonce = getUpdateNoncesecurityCouncil; if nonce =...
Anyone can call perform in SecurityCouncilMemberSyncAction to update members of security council multisig
Lines of code Vulnerability details Impact Anyone can update members of security council multisig Proof of Concept SecurityCouncilMemberSyncAction contract has a perform function which is used to update members of security council multisig. File: SecurityCouncilMemberSyncAction.sol /// @notice...
Consider Disabling Inherited _cancel Function In The Governor Contracts
Lines of code Vulnerability details Impact The currently used openzeppelin upgradeable contracts dependency @openzeppelin/contracts-upgradeable is v4.7.3 The security council management contracts are inheriting the openzeppelin GovernorUpgradeable contracts to manage proposals. This version of...
prev emergency security council still has cancellor role in SecurityCouncilMgmtActivationAction
Lines of code Vulnerability details Description In the GovernanceChainSCMgmtActivationAction.perform function. This function is responsible for activating the new emergency security council and revoking the roles of the previous emergency security council. The bug occurs in the following line of...
No need to stack lend pool to take lendlaunger rewards
Lines of code Vulnerability details Impact Lending lenger give reward tokens to users if they lend their tokens to selected pools. Lendingledger give rewards as weekly and it records user's balance until end of the weekespacially thursday because 1 jan 1970 was thursday. But protocol records can ...
_scheduleUpdate() should be called during initialize ing the SecurityCouncilManager
Lines of code Vulnerability details Impact Updates will not be scheduled through timelocks and target upgrade executors by the scheduleUpdate call. Initial set of cohort members will not be scheduled. Proof of Concept In SecurityCouncilManager whenever a new member is added, or removed or swapped...
LendingLedger Lack of method to rescue accidentally sent Canto
Lines of code Vulnerability details Impact There is no function to rescue Canto accidentally sent to LendingLedger so if governance fat-finger those Canto could be lost forever. Proof of Concept There is no function to transfer native token out of LendingLedger Tools Used Manual inspection...
Undelegation logic doesn't work as expected, duo to that an owner of a lock would be enforced to extend their lock time for another 5 years.
Lines of code Vulnerability details Impact Undelegation logic doesn't work as expected, duo to that an owner of a lock would be enforced to reset his lock time for another 5 years through the function increaseAmount in order to successfully undelegate. Proof of Concept There are few differences...
swapExactAmountOut() does not have deadline which allows pending transactions to be maliciously executed
Lines of code Vulnerability details Impact In LiquidationRouter.sol, swapExactAmountOut function has no deadline for the transaction when swapping. File: src/LiquidationRouter.sol function swapExactAmountOut LiquidationPair liquidationPair, address receiver, uint256 amountOut, uint256 amountInMax...
Unchecked Call Return Value
Lines of code Vulnerability details Impact The functions do not check the return value of low-level calls. This can lock Ether in the contract if the call fails or may compromise the contract if the ownership is being changed. The following calls were detected without return value validations -...
Some functions in TokenisableRange contracts does not allow user to deadline.
Lines of code Vulnerability details Impact Not allowing users to supply their own deadline could potentially expose them to sandwich attacks Proof of Concept Consider the following scenario: if fee0 100 bal0 && fee1 100 bal1 TOKEN0.token.safeIncreaseAllowanceaddressPOSMGR, fee0;...