Position owners can steal others position's Wlp collaterals

Lines of code Vulnerability details Impact Position's owner can steal other users Wlp collateral, as long as it doesn't completely withdraw all the balance of tokenId LP. Proof of Concept When users call decollateralizeWLp function from InitCore, as long as Wlp is whitelisted and the mode's...

Liquidator has no incentives to execute a favorable trade to the borrower

Lines of code Vulnerability details Summary Swaps involved in liquidations may negatively impact the owner of the lien, since there is no incentive to execute a favorable trade as long as the received amount is enough to recover the liquidity. Impact When an existing position is closed, the...

Calls to get_virtual_price() are vulnerable to read-only reentrancy

Lines of code 117 Vulnerability details getvirtualprice was originally considered to be a manipulation-resistant price - suitable as a price oracle, but it was later found to be vulnerable to a read-only reentrancy attack, where the Curve contract could be put into a partially-modified state, and...

Some tokens may revert when zero value transfers are made

Lines of code 356, 371, 145, 272, 252, 116, 445, 374, 506, 488https://github.com/Tapioca-DAO/tap-token-audit/blob/59749be5bc2286f0bdbf59d7ddc258ddafd49a9f/contracts/options/TapiocaOptionBroker...

Contracts are vulnerable to fee-on-transfer accounting-related issues

Lines of code 359, 448, 509, 530, 42, 797, 162 Vulnerability details The functions below transfer funds from the caller to the receiver via transferFrom, but do not ensure that the actual number of tokens received is the same as the input amount to the transfer. If the token is a fee-on-transfer...

addRewardToken() does note remove old entries before adding new ones

Lines of code 455, 280, 378, 411 Vulnerability details Each time addRewardToken is called, new entries are added to the array, but doing so does not remove any old entries. By calling the function multiple times, an attacker can can increase their voting power indefinitely, without having to...

addRewardToken() does note remove old entries before adding new ones

Lines of code 455, 280, 378, 411 Vulnerability details Each time addRewardToken is called, new entries are added to the array, but doing so does not remove any old entries. By calling the function multiple times, an attacker can can increase their voting power indefinitely, without having to...

TRST-M-1 finding from previous audit still exists

Lines of code Vulnerability details Proof of Concept Issue TRST-M-1 from previous audit still exist. In order to calculate collateral amount getCollateralCreditCurrente36 function is used. uint tokenValuee36 = ILendingPoolpoolsi.toAmtCurrentsharesi tokenPricee36; tokenValuee36 is usd value of...

Using block.timestamp as the deadline/expiry invites MEV

Lines of code 307 Vulnerability details Passing block.timestamp as the expiry/deadline of an operation does not mean "require immediate execution" - it means "whatever block this transaction appears in, I'm comfortable with that block's timestamp". Providing this value means that a malicious mine...

addRewardToken() does note remove old entries before adding new ones

Lines of code 455, 280, 378, 411 Vulnerability details Each time addRewardToken is called, new entries are added to the array, but doing so does not remove any old entries. By calling the function multiple times, an attacker can can increase their voting power indefinitely, without having to...

Only ensure the Lp is repaid when close the position invites MEV bot

Lines of code Vulnerability details Impact Only ensure the Lp is repaid when close the position invites MEV bot Proof of Concept in the function closePosition function closePosition DataStruct.ClosePositionParams calldata params, DataCache.ClosePositionCache memory cache, Lien.Info memory lien,...

The owner is a single point of failure and a centralization risk

Lines of code 56, 109, 127, 172, 219, 250, 115, 131, 154, 116, 131https://github.com/Tapioca-DAO/tapiocaz-audit/blob/bcf61f79464cfdc0484aa272f9f6e28d...

Core function of Ocean contract like doInteraction | doMultipleInteractions | forwardedDoInteraction may revert under certain conditions

Lines of code Vulnerability details Impact Core functions like doInteraction, forwardedDoInteraction, doMultipleInteractions, forwardedDoMultipleInteractions etc, will always revert under certain conditions due to overflow in calculations. Proof of Concept Core external functions like doInteracti...

Title of issue/finding

Lines of code , Vulnerability details Impact description for the issue found Content includes @Audit stack and code example of the issue Content includes @Audit stack and code example of the issue Assessed type other --- The text was updated successfully, but these errors were encountered: All...

buggy reward calculation

Lines of code Vulnerability details Impact This is very similar to an inflation attack. Rewards increase whenever splitFees is being called which is anywhere buy/sell/mint/burn. The calculation is done like this: shareDataid.shareHolderRewardsPerTokenScaled += shareHolderFee 1e18 / tokenCount;...

asD::withdrawCarry assumes wrong number of decimals returned by exchangeRateCurrent which will cause owner to not be able to withdraw revenue

Lines of code Vulnerability details tl;dr asD::withdrawCarry assumes that the exchange rate returned by the cNote contract will be scaled by 1e28, but in reality it will be only scaled by 1e18. It will cause withdrawCarry to always revert with Integer Underflow, which means that owner won't ever ...

Potential Race Condition in Rewards Calculation

Lines of code Vulnerability details Impact If exploited, this race condition could allow an attacker to manipulate rewards in transactions involving the buy, sell, mintNFT, or burnNFT functions. The attacker may gain an advantage in claiming rewards before the rewards calculation is updated. Proo...

wrong implementation cause unfair distribution

Lines of code Vulnerability details Impact wrong implementation cause unfair fee distribution among sharesHolder Proof of Concept In sell and mintNFt ,tokensInCirculation and tokens owned by address is deducted only after split fee is happened .To be fair , user should not get fee from tokens tha...

LACK OF DEADLINE AND SLIPPAGE CHECKS COULD PROMPT THE USERS TO EXECUTE THE BUY AND SELL TRANSACTIONS AT UNFAVOURABLE PRICE POINTS

Lines of code Vulnerability details Impact The Market.sol contract implements four functions which depend on the linear bonding curve to calculate the price and fee amounts associated with their logic execution. These functions are Market.buy, Market.sell, Market.mintNFT and Market.burnNFT. The...

Changing rsETH address breaks contract

Lines of code Vulnerability details Impact manipulating rsETH price Proof of Concept admin can change rsETH token address, while total supply of rsETH is used to calculate its price changing rsETH address changes its price. Tools Used Manual Review Recommended Mitigation Steps prevent changing...

No function to distribute secondary sales royalties split.

Lines of code Vulnerability details Impact The minter contract currently does not have a way to reliably share the secondary sales revenue for the proposed addresses and splits. Proof of Concept Contract : NextGenMinterContract The minter contract uses collectionArtistSecondaryAddresses and...

Risk of Permanent ETH Loss for Bidders

Lines of code Vulnerability details Impact There's a risk of ETH becoming irretrievably locked in the contract if a bidder's address is a contract with either complex logic in its receive function or no receive function at all. In such cases, ETH transfers to these addresses could fail and result...

Cross-Contract Reentrancy can occur during burnToMint

Lines of code Vulnerability details Impact Cross Contract re-entrancy can occur due to not following CEI Proof of Concept 1. Attacker can call burnToMint, with any of the tokenId he owns! 2. This calls the burnToMint in GenCore, which mints the the new token from the to be minted collection...

Upgraded Q -> 2 from #385 [1699689442074]

Judge has assessed an item in Issue 385 as 2 risk. The relevant finding follows: L-04 ODSafeManager.allowSAFE function enables any allowed address to add/remove other allowed addresses Details The ODSafeManager.allowSAFE function is meant by design to allow/disallow any address to manage the safe...

Fund Drainage Due to Reentrancy Vulnerability in Crowdfunding

Lines of code Vulnerability details Impact in the refund function, there is a problem, this function is reads the isAuthority state variable from the PartyGovernanceNFT contract after making an external call to the burn function of the same contract. The burn function in the PartyGovernanceNFT...

Arthimetic operation result in loss of voting power

Lines of code Vulnerability details Impact Carrying out calculation of voting power in function finalize based on division with value 1e4, then subtracting it with totalContributions and after that multiplying and dividing again will be a resultant that cause large precision error or even loss of...

StakedUSDe contract allows attackers to steal staked USDe tokens of soft-restricted users

Lines of code Vulnerability details Description The modifier called checkMinShares that is used to ensure that there is always a small non-zero amount of shares in circulation. This is to prevent a donation attack, where an attacker donates a small amount of USDe tokens to the contract and then...

A user with SOFT_RESTRICTED_STAKER_ROLE can earn yield.

Lines of code Vulnerability details Impact Any user blacklisted with SOFTRESTRICTEDSTAKERROLE role can earn yield by buying stUSDe token from open market and unstake stUSDe for USDe token on the StakedUSDeV2.sol contract. Proof of Concept The unstake function calls the internal withdraw function...

Unrestricted access to critical admin functions in StakedUSDe due to extremely flawed implementation in SingleAdminAccessControl

Lines of code Vulnerability details Summary There is a critical vulnerability in the StakedUSDe CA, allowing an attacker to manipulate the state of the CA and/or drain assets without proper authorization. Vulnerability Detail The StakedUSDe inherits from the SingleAdminAccessControl CA, which...

EthenaMinting.sol#_setMaxRedeemPerBlock() - Function doesn't enforce any constraints

Lines of code Vulnerability details Explanation The EthenaMinting.solsetMaxMintPerBlock function is responsible for setting the maximum limit for minting USDe tokens in a single block. function setMaxMintPerBlockuint256 maxMintPerBlock external onlyRoleDEFAULTADMINROLE...

StakedUSDe.totalSupply() may decrease below MIN_SHARES by StakedUSDe.redistributeLockedAmount.

Lines of code Vulnerability details Impact StakedUSDe runs checkMinShares in deposit and withdraw to keep the totalSupply more than MINSHARES, 1e18. It is to prevent an ERC4626 inflation attack. However, StakedUSDe.redistributeLockedAmountuser, address0 burns all the user's shares and decreases t...

Taking deposits hostage

Lines of code Vulnerability details Impact An initial attacker can gain the power to hold subsequent deposits into StakedUSDeV2 hostage, and release them at will e.g. for a ransom. Proof of concept The checkMinShares requirement called after any withdrawal and deposit function checkMinShares...

Borrower escapes delinquency penalty if no intermittent action happens

Lines of code Vulnerability details Impact Once the market goes below required reserves, it is marked as delinquent only if an updateState action happens. Actions like market.updateState, executeWithdrawal, deposit, etc. have to happen else the protocol remains unaware of the market's delinquency...

Deploying a market with a non-ERC20 asset can cause incorrect interaction with asset

Lines of code Vulnerability details Impact The market contract may expect certain ERC20 functions to be present and behave in a specific way. If the asset contract does not adhere to the ERC20 standard, the market may behave unexpectedly, resulting in incorrect token balances, pricing, or other...

TRANSFERING FUNDS TO YOURSELF INCREASES YOUR BALANCE

Lines of code Vulnerability details Impact If transferred to yourself, it will cause your balance to increase, thus growing the token balance infinitely. Proof of Concept File: src/market/WildcatMarketToken.sol 54: transferfrom, to, amount; 74: accountsfrom = fromAccount; 78: accountsto =...

Interest accumulation linked to state updates may leak value

Lines of code Vulnerability details Impact The protocol compounds interest on every call that updates the state. This is an intentional design choice. However, this does mean that the total return for the lender, and, conversely, the cost of debt for the borrower, can be influenced by the frequen...

Upgraded Q -> 2 from #272 [1698254247989]

Judge has assessed an item in Issue 272 as 2 risk. The relevant finding follows: ERC1155 can be inflated if the token doesn’t revert on failed transfer --- The text was updated successfully, but these errors were encountered: All reactions...

[ADRIRO-NEW-H-02] Users loses their share of rewards while waiting for withdrawal

Lines of code Vulnerability details Summary Withdrawals in AfEth undergo a delay until the underlying CVX tokens can be withdrawn. Depositors need to request a withdrawal and wait until the required withdrawal epoch before making their withdrawal effective. During this period of time, they will...

ODProxy contract can't grant safeRights (can't change the state of the called contracts) which will disable generating debts functionality

Lines of code Vulnerability details Impact The protocol implements a proxy mechanism to enable only the Vault721 contract from transferring SAFEs, as each SAFE is represented by a NFV non fungible vault. This contract has only one function execute that makes delegatecalls to other contracts, so...

All functions in ODSafeManager.sol related to handlerAllowed modifier can never be called.

Lines of code Vulnerability details Impact All the functions with handlerAllowed modifier are unusable and can never be called. Proof of Concept Handler is deployed and assigned to the Safe/NFT when ODSafeManager.sol/openSAFE function is called. The SafeHandler.sol have only a constructor and not...

[ADRIRO-NEW-M-03] Safe approval could lead to a denial of service in VotiumStrategy

Lines of code Vulnerability details Summary The introduction of the SafeERC20 wrapper may lead to an accidental denial of service due to how the safeApprove function works internally. Impact The updated codebase uses the SafeERC20 wrapper provided by the OpenZeppelin contracts library to handle...

Delegating the call from ODProxy will make the changes in the context of ODProxy's storage layer which breaks the invariant.

Lines of code Vulnerability details Impact Making the delegate call to ODSafeManager will affect the storage of ODProxy leaving behind the inconsistent state in ODSafeManager, moreover this issue will also breaks the invariant 'Users must exclusively use the ODProxy to interact with their safes.'...

Upgraded Q -> 2 from #2037 [1698131784473]

Judge has assessed an item in Issue 2037 as 2 risk. The relevant finding follows: L‑01 Early users can modify the underlying assets’ unit share price Summary: ERC4626, an extension of ERC20, is a standard that is mostly used in yield-bearing tokens. The contract of an ERC4626 token itself is an...

the nonce value is not increasing everytime

Lines of code Vulnerability details Impact the nonce value is not increasing everytime The nonce value is used to create the TypeHashHelper.Transaction struct that's passed to the buildTransactionStructHash function. The actual value of executorNonceexecRequest.accountexecRequest.executor is...

DoS issue presented in Brahma's latest audit still has potential control flow paths that can lead to same vulnerability

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept Following the "ConsoleAccount execTransaction" flow outlined via Brahma's Architecture diagram, as we can see: calling execTransaction calls checkTransaction function on...

No proper validation of Singleton

Lines of code Vulnerability details Bug Description Operators, executors, or the Main Console account can execute transactions on behalf of a SubAccount. SubAccounts must have an enabled SafeModerator guard, which checks whether the guard and handler have not been disabled or updated, and whether...

Zero address Salt used in Creating delegate contract

Lines of code Vulnerability details Impact A zero-valued salt used, means an attacker can predict the contract address of a new delegate, this can lead an attacker to create the ERC20ProxyDelegator on behalf of the user, this is to allow for max access to the tokens to be transfered Proof of...

Loss of tokens because target address can be set to zero

Lines of code Vulnerability details Impact Due to the possibility of target addresses being zero, tokens transferred to zero address will be lost forever, leading to loss of funds for the users of the protocol and that tokens being out of circulation forever burned. Proof of Concept Users can...

Front-Running during Proxy Creation

Lines of code Vulnerability details Impact An ill-intentioned party might front run every proxy contracts creation and deploy one first causing the transaction for every user to revert. It is worth noting that for this attack to succeed, the attacker would need to get their transaction mined in t...

ERC20Votes tokens has maximum token supply capped at type(uint208).max approving type(uint256).max in ERC20ProxyDelegator will cause overflow

Lines of code Vulnerability details Impact Maximum token supply in OpenZeppelin ERC20Votes.sol. Defaults to typeuint208.max 2^208^ - 1. This maximum is enforced in update. It limits the total supply of the token, which is otherwise a uint256, so that checkpoints can be stored in the Trace208...