10190 matches found
Anyone can complete the Rng relay auction
Lines of code Vulnerability details Impact There's no access restriction on rngComplete which allows anyone to execute this function and complete the auction. This can lead to unexpected behavior or potential DOS attack where a user completes the auction. Tools Used Manual Analysis Recommended...
Lack of check in LiquidationPair.sol#_computePeriod() can lead to DOS
Lines of code Vulnerability details Impact computePeriod will revert because lack of check input validation Proof of Concept In LiquidationPair.sol, computePeriod is used to computes the current auction period: see here. It is called in functions like getPeriodStart and checkUpdateAuction. 377:...
Potential Near-Zero Scenarios for purchasePrice in the Continuous Gradual Dutch Auction
Lines of code Vulnerability details Impact The Continuous Gradual Dutch Auction CGDA model has potential scenarios where the purchasePrice for an amount of tokens could approach near-zero values. This is influenced mainly by two factors: emissionRate and timeSinceLastAuctionStart. If either one o...
Owner of _liquidationPair can add malicious liquidation source and insufficient input parameter validations
Lines of code Vulnerability details Impact Malicious liquidationPair owner can deploy liquidationPair using malicious sourceliquidation source that the pair will use and other insufficient input validations that can put users' funds at risk. File: src/LiquidationPairFactory.sol function createPai...
LiquidationQueue brings centralization risk in the contract.
Lines of code Vulnerability details Impact the owner has too much unilateral control over liquidations and can manipulate te country in the following ways: The owner of LiquidationQueue sees a profitable liquidation opportunity Before anyone else can liquidate, they use LiquidationQueue to place ...
Lack of slippage checks on public withdraw fees function
Lines of code Vulnerability details Impact function withdrawAllMarketFees IMarket calldata markets, ISwapper calldata swappers, IPenrose.SwapData calldata swapData public notPaused require markets.length == swappers.length && swappers.length == swapData.length, "Penrose: length mismatch" ;...
No slippage control while minting GLP
Lines of code Vulnerability details Impact glpRewardRouter.mintAndStakeGlpaddressweth, wethAmount, 0, 0; Here, minUSDG = 0 and minGlp = 0 means no slippage checks. This can be sandwitched in certain conditions in which delta between min and max glp price is higher due to following factors: delta...
Broker Address can be Claim by a MEV Bot
Lines of code Vulnerability details Impact If the broker address is a malicious user, he can mint as many OTAP as he wants. Proof of Concept Protocol deploy the OTAP contract A Bot wait until the contract is deployed Then call the "brokerClaim" straight away with his own address. He can then call...
Lack of protection when withdrawing Static Atoken
Lines of code Vulnerability details Impact The Aave plugin is associated with an ever-increasing exchange rate. The earlier a user wraps the AToken, the more Static Atoken will be minted and understandably no slippage protection is needed. However, since the rate is not linearly increasing,...
Missing check of how recent the price is can lead to stale price being used in the protocol
Lines of code Vulnerability details Impact In the ChainlinkOracle.sol file, in the function getChainlinkPriceAggregatorV3Interface feed, there is the check requireupdatedAt != 0, "Round is in incompleted state";. However, there is no check to see that the price is recent and acceptable. If there ...
Cannot unwrap token after recovering through wrapping
Lines of code Vulnerability details Impact Cannot unwrap token after recovering through wrapping. Proof of Concept FollowNFTunwrap checks if followerProfileId for the token is not 0: if followDataByFollowTokenIdfollowTokenId.followerProfileId == 0 revert NotFollowing; while after recovering token...
Overflow/underflow when creating the exchange rate Exp.
Lines of code Vulnerability details Impact Incorrect exchange rate values Proof of Concept the exchangeRateStoredInternal function is missing validation on the Exp mantissa size before creating the exchange rate Exp. This could lead to overflow. This would make the mantissa of exchangeRate equal ...
Current setUnderlyingPrice and setDirectPrice open to incorrect liquidation of users' positions and result in financial losses for users
Lines of code Vulnerability details Impact Price feeds can be affected by network congestion, causing transactions with outdated prices to be treated as current prices. As price feeds are crucial to the protocol's functioning, this situation can lead to incorrect liquidation of users' positions a...
Migration of Profiles can fail due to difference in handle validity in V1 and V2
Lines of code Vulnerability details Impact Profiles with certain type of handles in V1 cannot be migrated to V2. Proof of Concept In V1 and V2, the validity of handles is determined differently. Due to this it is possible that some profiles have handles that are valid according to V1 validation b...
missing check for the max/min price in the chainlinkOracle.sol contract
Lines of code Vulnerability details Impact the chainlinkOracle.sol contract specially the getChainlinkPrice function using the aggregator v2 and v3 to get/call the latestRoundData. the function should check for the min and max amount return to prevent some case happen, something like this: if cas...
function _queueProposal not checking if the required time is passed to allow proposal to set to the queue list
Lines of code Vulnerability details Impact in the queueProposal function there is no check for if the requested time is passed to allow queue the proposal. in this case any proposal after creating can be added to the queue list. Proof of Concept the TemporalGovernor.sol contract have a variable...
Front-Running Vulnerability in LensHub.sol's commentWithSig and quoteWithSig Functions
Lines of code Vulnerability details Impact A vulnerability has been discovered in LensHub.sol's commentWithSig and quoteWithSig functions. This vulnerability potentially enables an attacker to disrupt users' actions by front-running transactions, resulting in undesirable modifications of comments...
Incorrect implementation of binary search in _find() in History.sol can make BaseVotingVault.sol break and cannot return correct staleIndex
Lines of code Vulnerability details Impact The binary search implemented in find in History.sol is incorrect and in some cases cannot return a correct stale index, and as a result some functions in baseVotingVault.sol can not work properly like queryVotePower. Although History.sol is not in scope...
Collateralization ratio manipulation can cause a denial of service
Lines of code Vulnerability details Impact Stablecoin redeeming and profit accruing in the SavingsVest contract can be blocked when the collateralization ratio has overflown. Proof of Concept The mitigation recommended in 31 and implemented by the sponsor in this commit doesn't resolve the root...
InterchainProposalExecutor doesn't support actions with value
Lines of code Vulnerability details Impact An interchain call consists of the target address, calldata, and value. When InterchainProposalExecutor performs the call, it passes the value along function executeProposalInterchainCalls.Call memory calls internal for uint256 i = 0; i calls.length; i++...
The _currentExchangeRate of the Vault contract can't increase, and always be lower than or equal to _assetUnit
Lines of code Vulnerability details Impact The currentExchangeRate of the Vault contract can not increase, and always be lower than or equal to assetUnit. Therefore, when the vault is undercollateralized currentExchangeRate assetUnit, it can't be further collateralized. Proof of concept function...
The output amount validation in Vault.liquidate() is not correct.
Lines of code Vulnerability details Impact The output amount validation is not correct in Vault.liquidate, so the method might accept invalid output amount and refuse valid output amount. Proof of Concept In Vault.liquidate, there is a validation about the output share amount should be less than ...
Anyone can mint to themselves type(uint96).max if _isVaultCollateralized() returns true
Lines of code Vulnerability details Impact There is no check that ensures the caller to mint is a trusted one. Moreover, there is a flaw which lets anyone to mint typeuint96.max number of shares Proof of Concept First, the mint function does not implement any check for the caller to be someone wi...
Missing access control in mintYieldFee allowing everybody to mint the available YieldFee to himself
Lines of code Vulnerability details Impact Everybody can call the mintYieldFee function in the Vault, when there is yieldFeeTotalSupply available and mint shares to himself for free, which latter results in stealing funds form the Vault. if this is a desired behavior, which it shouldn't based on...
Possible centralization issue in PrizePool.closeDraw
Lines of code Vulnerability details The winning random number is chosen by DrawManager, which will lead to centralization risk. Despite haventt really deep dive in codebase of this issue, but if DrawManager ,can somehow calculate which random number can make their controlled address is winner wit...
Pending owner can be the wrong recipient of ownership
Lines of code Vulnerability details Impact An attacker can call the acceptOwnership function with their address as the pending owner before the legitimate pending owner has a chance to call the function Proof of Concept The transferOwnership function allows the current owner to set a pending owne...
Missing External Transfer Function In Vault
Lines of code Vulnerability details Impact Balances of TwabController for a vault can not be transferred. Proof of Concept The Vault implements an internal transfer function meant to be used to transfer balances within the TwabController: function transferaddress from, address to, uint256 shares...
Users with DEPLOY permission can grief each other through CREATE2
Lines of code Vulnerability details Bug Description In ERC725XCore.sol, the deployCreate2 function uses Openzeppelin's Create2.deploy to deploy new contracts: ERC725XCore.solL253-L267 function deployCreate2 uint256 value, bytes memory creationCode internal virtual returns bytes memory newContract...
dynamicQuorumVotes calculation has accuracy error resulting in the less required quorum
Lines of code Vulnerability details Impact dynamicQuorumVotes is divided by totalSupply, multiplied by quorumCoefficient, divided by 1e6 and then multiplied by totalSupply. There are precision errors in division before multiply. For quorumAdjustmentBPS, the division precision error is 1 and...
Same proposer can make duplicate proposals
Lines of code Vulnerability details Impact A proposer can continuously create new proposals, even if they are redundant or unnecessary. This can overload the system and make it difficult for other participants to navigate through legitimate proposals. Proof of Concept In the propose function, the...
Arbitrary Pending _setPendingVetoer Address Assignment.
Lines of code Vulnerability details Impact If an attacker successfully impersonates the vetoer, they can set any address as the pending vetoer. This can compromise the integrity of the vetoer role and enable unauthorized access or control over certain functions or actions within the contract. Pro...
Storage collision risk in NounsDAOProxy contracts
Lines of code Vulnerability details Impact NounsDAOProxy contract may lose tracking its implementation address Proof of Concept One of the main vulnerabilities of upgradeable contracts is storing the implementation address in the beginning slots. This address is later used by proxy for delegateca...
The 'Nouns Fork' is considered unfair towards contributors, given they are not awarded any new tokens.
Lines of code Vulnerability details Impact The 'Nouns Fork' is considered unfair towards contributors, given they are not awarded any new tokens. Proof of Concept The Nouns Fork mechanism allows members of the minority in the Nouns DAO to exit to a new forked Nouns DAO, but the current approach m...
The fork mechanism of Nouns DAO may be completely ineffective or abused, because there is no reasonable limit to the maximum or minimum value of the fork threshold.
Lines of code Vulnerability details Impact Nouns Fork is a Last-Resort Minority Protection Mechanism, created to protect the minority from the tyranny of the majority. As described in this article: . In the initial case, if a quorum of 20% of tokens signals to exit, the fork will succeed, but sin...
ABI encodePacked Collision
Lines of code Vulnerability details Impact Collision occurs Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used Recommended Mitigation Steps Do not use more than one dynamic type in...
Potential for Permanent Lock of Funds in NounsDAOExecutorV2 Contract
Lines of code Vulnerability details Impact The NounsDAOExecutorV2 contract has a potential vulnerability where Ether or ERC20 tokens could become permanently locked in the contract. This could occur if funds are sent to the contract by someone other than the admin, or if the admin loses access to...
Upgraded Q -> 2 from #727 [1689056893075]
Judge has assessed an item in Issue 727 as 2 risk. The relevant finding follows: ERC20 check success issue --- The text was updated successfully, but these errors were encountered: All reactions...
Well.sol#removeLiquidityImbalanced - Handling Excess Reserves in removeLiquidityImbalanced Function to Prevent Unnecessary Reverts
Lines of code Vulnerability details Impact The removeLiquidityImbalanced function in the Well.sol contract is vulnerable to a potential underflow. This could disrupt the contract's functionality and prevent users from removing liquidity in an imbalanced manner. Furthermore, the function does not...
The MultiFlowPump.sol/update() function will neither update nor revert any call made to it by any Well Implementation, hence will fail in storing the correct reserve values.
Lines of code Vulnerability details Impact The MultiFlowPump will not be able to update the lastReserves, emaReserves, cumulativeReserves. This will let any attacker to manipulate the value of reserves to any number. Proof of Concept As provided the code of update function, the getDeltaTimestamp...
Code Execution on the ERC725Account in ILSP6KeyManager.sol
Lines of code Vulnerability details Impact The ILSP6KeyManager interface has a few potential security vulnerabilities. These vulnerabilities allow an attacker to execute malicious code on the ERC725Account, bypass nonce checking, and bypass timestamp checking. These vulnerabilities could be...
Stealing excess tokens from other users by either front-running skim function or calling it before legitimate user
Lines of code Vulnerability details Impact File /src/interfaces/IWell.sol comment's defines what the skim function is being responsible for: / @notice Sends excess tokens held by the Well to the recipient. @param recipient The address to send the tokens @return skimAmounts The amount of each toke...
Unsafe cast in getCollateralRatio()
Lines of code Vulnerability details Impact LibGetters.getCollateralRatio might return the incorrect ratio due to the unsafe cast. Proof of Concept getCollateralRatio outputs the collateral ratio using the total collaterals and issued agTokens. // The stablecoinsIssued value need to be rounded up...
uint128 changeAmount might overflow
Lines of code Vulnerability details Impact This issue is an edge case, that uint128 changeAmount could overflow, making the protocol fail for certain amount of swap. Proof of Concept Let's break down the changeAmount: 1. amountOut/amountIn 2. BASE27 3. normalizer File:...
Not using slippage parameter in swap() while swapping causes loss of funds
Lines of code Vulnerability details Impact While making a swap on UniswapV3 the caller should use the slippage parameter amountOutMinimum parameter to avoid losing funds. In swapToEqualAmounts does not use the slippage parameter amountOutMinimum. File: /src/talos/libraries/PoolActions.solL46-L52...
Calculation during rebalancing can overflow
Lines of code Vulnerability details Proof of Concept Rebalancing logic in TalosBaseStrategy will start by the strategy manager calling TalosBaseStrategy.rebalance to swap imbalanced tokens. This function will call TalosStrategySimple.doRebalance Next, PoolActions.swapEqualAmounts will be called...
Potential Loss of Funds Due to Zero Slippage Hardcoding in TalosBaseStrategy#deposit
Lines of code Vulnerability details Impact In the deposit function within the TalosBaseStrategy contract, both slippage for two tokens amount0Min and amount1Min are hardcoded to zero. This can have severe implications as users may unintentionally accept a minimum of zero output tokens from a swap...
The code uses arithmetic operations without explicitly checking for possible overflows or underflows
Lines of code Vulnerability details Impact The impact of the Integer Overflow/Underflow vulnerability can be summarized as follows: Data Inaccuracy: The vulnerability can lead to incorrect calculations and inaccurate data, potentially compromising the integrity of voting processes and other...
Functions don't update after being called
Lines of code Vulnerability details Impact Without updating the reserve or vault value of tokens after calling different functions, the contract may be prone to inconsistent state, security issues, financial implications, and bad user experience. It is important to review and update the reserve...
Not using slippage parameter when interacting with AMMs
Lines of code Vulnerability details Impact The slippage parameters are hardcoded to 0, meaning the minimum amount can be 0. The absence of slippage protection causes transactions to be vulnerable to front running. This can result in users potentially losing their funds. Proof of Concept...
Reentrancy Vulnerability: The contract inherits from the ReentrancyGuard contract, which smay be vulnerable to reentrancy attacks if not properly handled in the contract's logic.
Lines of code Vulnerability details Impact The impact of the reentrancy vulnerability in the incrementGaugeWeight function can be summarized as follows: Loss of Funds: Attackers can drain funds from the contract or manipulate balances. Unexpected State Changes: Manipulation of variables can lead ...