Locked amount incorrectly updated in JPEGLock.sol
Lines of code Vulnerability details Impact The lockAmount gets overwritten each time the lockFor function is called in JPEGLock.sol. If the function is called multiple times, the parameter will be updated wrongly. Proof of Concept The lockAmount parameter gets assigned with the amount locked each...
yVaultLPFarming: No guarantee JPEG currentBalance > previousBalance
Lines of code Vulnerability details Details & Impact yVault users participating in the farm have to trust that: vault.balanceOfJPEG returns the correct claimable JPEG amount by its strategy / strategies the strategy / strategies will send all claimable JPEG to the farm Should either of these...
Not calling approve(0) before setting a new approval causes the call to revert when used with Tether (USDT)
Lines of code Vulnerability details Some tokens do not implement the ERC20 standard properly but are still accepted by most code that accepts ERC20 tokens. For example Tether USDT's approve function will revert if the current approval is not zero, to protect against front-running changes of...
Undercollateralized loans possible
Lines of code Vulnerability details Impact The setPoolCollateralFactors function does not check that the collateral factor is 100%. It's possible that it's set to 200% and then borrows more than the collateral is worth, stealing from the pool. Recommended Mitigation Steps Disable the possibility ...
Malicious users can frontrun borrowers trying to repay loans, causing DoS and possibly a loan default
Lines of code Vulnerability details Impact Attackers can listen for a borrower to call repayAndCloseLoan on a specific loanId, and frontrun their transaction with a call to lend, creating a new loan with an increased amount, causing the borrower's transaction to fail due to the new loanAmount bei...
Borrower can be their own lender and steal funds from buyout due to reentrancy
Lines of code Vulnerability details Impact If borrower lends their own loan, they can repay and close the loan before ownership of the lend ticket is transferred to the new lender. The borrower will keep the NFT + loan amount + accrued interest. Proof of Concept This exploit requires that the...
Code credits fee-on-transfer tokens for amount stated, not amount transferred
Lines of code Vulnerability details Some ERC20 tokens, such as Tether USDT, allow for charging a fee any time transfer or transferFrom is called. Impact The code miscalculates whether the loan has been fully paid or bought out because it relies on the value of amounts passed in rather than the...
Consistently check account balance before and after transfers for Fee-On-Transfer discrepancies
Lines of code Vulnerability details Impact Wrong amount calculated for facilitatorTake Proof of Concept Arbitrary ERC20 tokens can be passed as loanAssetContractAddress. With a transfer, the received amount should be calculated every time to take into consideration a possible fee-on-transfer or...
Loan buyouts can stick users with huge surprise bills
Lines of code Vulnerability details Impact If a small loan is bought out with a new loanAmount in the millions, so much interest can be charged that the borrower is unable to pay back the loan, essentially guaranteeing whales will be able to Seize NFTs. Proof of Concept The only requirement as it...
Unauthorized ERC20 changes
Lines of code Vulnerability details Impact It's possible for anyone to change the name and symbol of CToken. Proof of Concept The require was made in reverse condition, it checks that the sender must be different than admin in order to be able to change the name and symbol require(msg.sender !=...
Lack of Limit on amount Allows Borrowers To Be Extorted For Interest Payments
Lines of code Vulnerability details Impact There is no limit on the upper bounds on the amount a lender may send to a borrower. Borrowers will then be forced to pay interest and facilitators fee on the full amount loaned. The impact for a borrower is that they may be forced to repay significantly...
Staking cooldown can be avoided for a part of the funds
Lines of code Vulnerability details Impact Part of the stake can be withdrawn immediately at any time. Proof of Concept Ratio between COOLDOWNPERIOD and UNSTAKEPERIOD = 2 only and should be much higher ex 5 or 10 l.28 COOLDOWNPERIOD = 864000; // 10 days ... UNSTAKEPERIOD = 432000; // 5 days Vario...
Add a timelock to setPlatformFee()
Lines of code Vulnerability details Impact It is a good practice to give time for users to react and adjust to critical changes. A timelock provides more guarantees and reduces the level of trust required, thus decreasing risk for users. It also indicates that the project is legitimate. Here, no...
CoreCollection.setRoyaltyVault doesn't check royaltyVault.royaltyAsset against payableToken, resulting in potential permanent lock of payableTokens in royaltyVault
Lines of code Vulnerability details Impact Each CoreProxy is allowed to be associated with a RoyaltyVault, the latter which would be responsible for collecting minting fees and distributing to beneficiaries. Potential mismatch between token used in CoreProxy and RoyaltyVault might result in minti...
Non unique token ID might lead to collusion
Lines of code Vulnerability details Impact Token IDs are defined as concatenation of points, total supply + 1. The total supply can decrease when split process in progress. This means that the contract might try to mint a token with an ID which already exists. Proof of Concept 1. Navigate to the...
Not handling return value of transferFrom command can create inconsistency
Lines of code Vulnerability details The below transferFrom command is called at two places in the core contracts, followed by an emit event payableToken.transferFrom(msg.sender,recipient,amount) emit ......; The return value is not checked during the payableToken.transferFrom Impact In the event of...
Result of transfer not checked
Lines of code Vulnerability details Impact A call to transfer is done without checking the results. For certain ERC20 tokens, if insufficient tokens are present, no revert occurs but a result of "false" is returned. So it's important and also a best practice to check this. Note that, in almost al...
approve and safeApprove Should Approve the Zero Amount First
Lines of code Vulnerability details Impact The PooledCreditLine.sol and LenderPool.sol contracts approve the strategy contract on the collateral or borrow assets before depositing funds. This allows the strategy contracts to transfer on behalf of these contracts, pulling assets out from the pool...
Using payable.transfer functions in WithdrawFacet.sol and Libasset.sol is not usable for smart contract calls due to possible shortage of gas.
Lines of code Vulnerability details Impact Withdrawals and transferERC20 tokens are executed via transferERC20 and withdraw functions. Since these functions call with a fixed amount of gas, it's not yet guaranteed to reach the destination if the receiver is a smart contract. Proof of Concept...
Borrower funds can get stuck
Lines of code Vulnerability details Impact If request status is expired then full borrower collateral amount will get stuck as withdrawableCollateral will always be 0 even though borrower has repaid 90% of the amount Proof of Concept 1. User A deposit collateral against his request using...
Interest accrued could be zero for small decimal tokens
Lines of code Vulnerability details Details & Impact Interest is calculated as principal.mul(borrowRate).mul(timeElapsed).div(YEARINSECONDS).div(SCALINGFACTOR); It is possible for the calculated interest to be zero for principal tokens with small decimals, such as EURS (2 decimals). Accumulated interest ca...
Swap Functions Do Not Verify Final Token Matches The Swapped Token
Lines of code Vulnerability details Impact When calling Swapper.executeSwaps there are no checks to ensure the received token matches the final swapped token. If these are different it may result in user funds being locked in the contract. This issue is present in each of the following functions:...
Usage of deprecated Chainlink functions
Lines of code Vulnerability details Impact The Chainlink functions latestAnswer and getAnswer are deprecated. Instead, use the latestRoundData and getRoundData functions. Proof of Concept Go to and search for latestAnswer or getAnswer. You'll find the deprecation notice. Tools Used none Recommend...
[WP-M10] Wrong formula of getSharesForAmount() can potentially cause fund loss when being used to calculate the shares to be used in withdraw()
Lines of code Vulnerability details In Collateral, the getter functions getAmountForShares and getSharesForAmount are using totalAssets instead of strategyController.totalValue, so the results can be different than the actual shares amount needed to withdraw a certain amount of baseToken and t...
Can steal collateral deposit
Lines of code Vulnerability details Impact The Collateral.deposit function mints initial shares equal to the deposited amount. The deposit / withdraw functions also use the strategyController.totalValue, which includes the strategy contract balance, to compute the shares. It's possible to increas...
getSharesForAmount returns wrong value when totalAssets == 0
Lines of code Vulnerability details Impact The getSharesForAmount function returns 0 if totalAssets == 0. However, if totalSupply == 0, the actual shares that are minted in a deposit are amount even if totalAssets == 0. Contracts / frontends that use this function to estimate their deposit when...
Market Expiration is Not Enforced Onchain
Lines of code Vulnerability details Impact The expiryTime variable is stored in the PrePOMarket.sol contract but not enforced anywhere in the contract. As a result, if a public offering never comes to fruition, then finalLongPrice will never be set and hence users will be expected to redeem...
Strategy Migration May Leave Tokens in the Old Strategy Impacting Share Calculations
Lines of code Vulnerability details Impact If a strategy does not have sufficient funds to withdraw for the full amount then it is possible that tokens will be left in this yield contract during migrate. It is common for withdrawal from a strategy to withdraw less than a user's balance. The reaso...
Market expiry behaviour differs in implementation and documentation
Lines of code Vulnerability details Description The docs say that “If a market has not settled by its expiry date, it will automatically settle at the lower bound of its Valuation Range.” However, in the implementation, the expiry date is entirely ignored. The default settlement after expiry is a...
[WP-H17] Users will lose a majority or even all of the rewards when the amount of total shares is too large, due to precision loss
Lines of code Vulnerability details function getUpdatedAccTokenPerShare(address baseToken) public view returns (uint256) { uint256 accumulator = 0; uint256 lastUpdatedTime = poolInfo[baseToken].lastRewardTime; uint256 counter = block.timestamp; uint256 i = rewardRateLog[baseToken].length - 1; while (true) { if...
Whitelisting is Disabled in CrossAnchorBridge.sol
Lines of code Vulnerability details Impact Upon deployment/initialisation, an array of collateral tokens are added to a whitelist, meaning that these tokens are the only tokens that should be deposited/redeemed. Any unsupported tokens should correctly revert so as to avoid instances where Terra...
Governance Voting Dis-proportionally Favours Users Who Stake And Vote After A Poll Has Been Created And Had Its Snapshot Taken
Lines of code Vulnerability details Impact Polls are created by targeting the receivecw20 function which is queried whenever the contract receives tokens. By setting the hook message to Cw20HookMsg::CreatePoll, the sender is able to create a poll, assuming the amount sent satisfies the minimum...
Wrong implementation of OperatorResolver::areOperatorsImported
This issue has been created to upgrade a QA report submission to a medium severity finding. From kenzo: Wrong implementation of OperatorResolver::areOperatorsImported The function as implemented will return true if the operators have same implementation but different selector, or different...
_getCreatorPaymentInfo() is Not Equipped to Handle Reverts on an Unbounded _recipients Array
Lines of code Vulnerability details Impact The getCreatorPaymentInfo function is utilised by distributeFunds whenever an NFT sale is made. The function uses try and catch statements to handle bad API endpoints. As such, a revert in this function would lead to NFTs that are locked in the contract...
Rare scenario where seller can steal NFT after an auction by creating an offer for it through reentrancy
Lines of code Vulnerability details Impact It's a very specific scenario. The seller auctions off an NFT. If the buyer relists it directly while keeping the token in the escrow, the seller has the opportunity to steal it. They do it by creating an offer for it and accepting it. Proof of Concept...
Can drain ETHERBASE
Lines of code Vulnerability details Impact The postIncomingMessages function tops up the contract with the gas token in topUpBalance. Note that the amount of gas tokens to be topped up from the ETHERBASE contract depends on msg.sender.balance, the caller's gas token balance. Attackers with a zero...
constructor function used with upgradeable contracts
Lines of code Vulnerability details Impact In FETH.sol it uses Open Zeppelin upgradeable contracts in the file while also including a constructor function. Upgradeable contracts should have an initialize function instead of a constructor in order not to clash with one another. Proof of Concept...
Front-Runnable Initializer on pre-determined address
Lines of code Vulnerability details Impact Traditionally, the risk-level from a front-runnable initializer issue is low. However, in this case, it's different. It is mentioned that Delegator.sol is instantiated via CREATE2, which is deterministic. The only protection that can be seen here is...
Ownership of Swap.vy cannot be transferred
Lines of code Vulnerability details Impact Ownership transfer function of Swap.vy is commented out. Fund can be stuck if an AMM and governance change/upgrade is required. Proof of Concept
[WP-M2] Wrong implementation of TurboSafe.sol#less() may cause boosted record value in TurboMaster bigger than actual lead to BoostCapForVault and BoostCapForCollateral to be permanently occupied
Lines of code Vulnerability details // Get out current amount of Fei debt in the Turbo Fuse Pool. uint256 feiDebt = feiTurboCToken.borrowBalanceCurrent(address(this)); // If our debt balance decreased, repay the minimum. // The surplus Fei will accrue as fees and can be sweeped. if feiAmount feiDebt...
QA Report
Low and non-critical bugs wrong implementation of ERC4626RouterBase's withdraw function In the interface we can see the function description: / @notice withdraw amount from an ERC4626 vault. @param vault The ERC4626 vault to withdraw assets from. @param to The destination of assets. @param amount...
Timelock for critical changes
Lines of code Vulnerability details Impact setDefaultFeePercentage, setCustomFeePercentageForCollateral and setCustomFeePercentageForSafe functions should have a timelock to give users time to react to the fee changes. ref: code-423n4/2021-11-overlay-findings#120 Proof of Concept Tools Used Manual...
permit() without updating nonce can result in replay attacks
Lines of code Vulnerability details Impact In PermitAndMulticall.sol the permit is called on the permitToken which allows you to sign the meta-transaction while someone else can submit it to the blockchain on your behalf. The problem is that a valid signature might be used several times in other...
TurboRouter: deposit(), mint(), createSafeAndDeposit() and createSafeAndDepositAndBoost() functions do not work
Lines of code Vulnerability details Impact The TurboRouter contract inherits from the ERC4626RouterBase contract. When the user calls the deposit, mint, createSafeAndDeposit and createSafeAndDepositAndBoost functions of the TurboRouter contract, the deposit and mint functions of the...
ERC4626 mints token amount, not number of shares
Lines of code Vulnerability details Impact If the number of assets is different from the number of shares, the user will get more or less shares than they expect. Users don't have to be sophisticated at all, just using the contract as intended can cause users to get more or less of the shares of ...
RewardDistributor._claim uses native token payable.transfer, which is unsafe for smart contracts
Lines of code Vulnerability details Impact When reward.token is set to vault address and native token is used, it is sent out via payable.transfer call. This is unsafe as transfer has hard coded gas budget and can fail when the account is a smart contract. Such transactions will fail for smart...
Slurp misses boost cap checks
Lines of code Vulnerability details Impact Missing checks of canSafeBoostVault in onSafeSlurp function in TurboMaster.sol#L279. The current vault deposit could already be at BoostCap. Calling slurp on this vault would add interest on the getTotalFeiBoostedForVaultV which will now become BoostCap...
Name squatting
Lines of code Vulnerability details Impact Creating profiles through LensHub/PublishingLogic.createProfile does not cost anything and will therefore result in "name squatting". A whitelisted profile creator will create many handles that are in demand, even if they don't need them, just to flip th...
Reentrancy
Lines of code Vulnerability details Impact Potential Reentrancy Proof of Concept Reentrancy in ConcurRewardPool.claimRewardsaddress contracts/ConcurRewardPool.sol34-40: External calls: - IERC20tokensi.safeTransfermsg.sender,getting contracts/ConcurRewardPool.sol37 State variables written after th...
Shelter funds can be stolen
Lines of code Vulnerability details Impact Shelter has a function withdraw that lets whitelisted users withdraw a specified amount of some token. The function does not check if the user has already withdrawn the tokens. Since a user can withdraw allowed amount any number of times, stealing all th...