10190 matches found
# [KB123-M-1]. return(timestamp / WEEK) * WEEK; is in seconds instead of weeks.
Lines of code Vulnerability details Medium Report KB123-M-1. return(timestamp / WEEK) * WEEK; is in seconds instead of weeks. Vulnerability details Impact return(timestamp / WEEK) * WEEK; is in seconds Rounded by seconds in 1 week instead of weeks Causing timestamp logic to be broken POC Epoch timestamp...
no interest calculation charging & lp provider reward in market contract
Lines of code Vulnerability details Impact there is no accrued interest charging for the borrower's debt, borrower at the same time cannot decrease their accrued interest (this bug's detail is present in my previous finding), and there is also no reward for those lp provider who deposit their token i...
rewardAmount and totalRewardAmount break 18 decimals logic by / UNIT
Lines of code Vulnerability details Impact This leads to wrong calculation in rewardAmount for users who will only receive their rewards 18 times less than the actual amount due to / UINT feeAmount are also affected which leads to loss for the protocol Proof of Concept Tools Used Manual Recommend...
setRoyalties can lead to royalties set to greater than 100%, breaking royalty functionality
Lines of code Vulnerability details enforcer/PA1D can be used by NFT smart contracts to provide royalty info. The owner can call setRoyalties to set the royalties for a specific token id, or the default royalty of the collection. Marketplaces implementing EIP-2981 can then use royaltyInfo to get...
Operator is not randomly selected
Lines of code Vulnerability details Impact Operator is not selected randomly, but entirely determined by the number of operators in pod. Proof of Concept The pod is selected by taking a number random modulo the number of pods Np. But then the operator is selected by taking the modulo of the same...
Recursive call attack of the fallback function of Holographer
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. The fallback function will forward all calls except those that appear in Holographer to the HolographerEnforcer which is obtained by calling address holographEnforcer = getHolographEnforcer; However, if...
it is possible to front run the deployHolographableContract and alter the configuration
Lines of code Vulnerability details deployHolographableContract uses abi.encodePacked to encode configuration data and make the hash . thats while when using abi.encodePacked instead of abi.encode with dynamic types may result in some issues...
Duplicated / Split H -> H from 625 [1666621826143]
Judge has assessed an item in Issue 625 as High risk. The relevant finding follows: Lines of code Vulnerability details storage used in VoteEscrow, modifying data it shouldn't, and vice versa In both the functions delegate and removeDelegation and removeElement, a storage var is used, causing to...
Selftransfer increases balance by sent amount.
Link to code Impact When a malicious user decides to send LBTokens to their own address they will increase their own balance by the sent amount. Vulnerable function transfer is reachable via the public functions safeBatchTransferFrom and safeTransferFrom. L187 effectively saves toBalance before...
Unchecked math in LBToken.sol may cause overflow
Lines of code Vulnerability details Impact Affected code: Currently the safeTransferFrom function in LBToken.sol calls transfer which performs unchecked math to deal with user balances. This is what happens: unchecked balancesidfrom = fromBalance - amount; balancesidto = toBalance + amount; While...
Attacker can steal entire reserves by abusing fee calculation
Lines of code Vulnerability details Description Similar to other LP pools, In Trader Joe users can call mint to provide liquidity and receive LP tokens, and burn to return their LP tokens in exchange for underlying assets. Users collect fees using collectFessaccount,binID. Fees are implemented...
Wrong calculation in function LBRouter._swapSupportingFeeOnTransferTokens make amountOut of swap less than expected
Lines of code Vulnerability details Vulnerable detail Function LBRouter.swapSupportingFeeOnTransferTokens is a helper function to swap exact tokens supporting for a fee on transfer tokens. This function will check the pair of token and tokenNext is JoePair or LBPair using binStep. If binStep == 0...
Volatility update bypassed with small transactions
Lines of code Vulnerability details Impact Volatility, and by extension the fee rate increase due to volatility can be circumvented by starting swaps with a token amount. The volatility is accumulated only at specific intervals, similar to the cumulative number of bins crossed. This is an issue...
Beneficiary credit balance can unwillingly be used to mint low tier NFT
Lines of code Vulnerability details Impact In the function processPayment, it will use provided JBDidPayData from JBPaymentTerminal to mint to the beneficiary. The value from JBDidPayData will be sum up with previous credits balance of beneficiary. There are 2 cases that beneficiary credit balanc...
Future tier can be removed
Lines of code Vulnerability details Impact A newly created tier can be marked as removed right after it was added if this tier's ID was mistakenly removed earlier. Proof of Concept The recordRemoveTierIds function doesn't check whether a tier ID exists or not JBTiered721DelegateStore.solL890:...
NFT not minted when contributed via a supported payment terminal
Lines of code Vulnerability details Impact A contributor won't get an NFT they're eligible for if the payment is made through a payment terminal that's supported by the project but not by the NFT delegate. Proof of Concept A Juicebox project can use multiple payment terminals to receive...
Redemption weight of tiered NFTs miscalculates, making users redeem incorrect amounts - Bug #1
Lines of code Vulnerability details Description Redemption weight is a concept used in Juicebox to determine investor's eligible percentage of the non-locked funds. In redeemParams, JB721Delegate calculates user's share using: uint256 redemptionWeight = redemptionWeightOfdecodedTokenIds; uint256...
NFT Owner can keep adding new tiers to increase the NFT supply with no upper limit to dilute the redemption power of the NFT from old tiers
Lines of code Vulnerability details Impact Owner can adjust tiers, adding tiers with no restriction. function adjustTiersJB721TierParams calldata tiersToAdd, uint256 calldata tierIdsToRemove // Add the tiers. if numberOfTiersToAdd != 0 // Record the added tiers in the store. uint256 memory...
Upgraded Q -> M from 266 [1666361934775]
Judge has assessed an item in Issue 266 as Medium risk. The relevant finding follows: Stop Using Transfer Use call instead of transfer, as per. This does not introduce any issues for re-entrancy as all calling functions are marked non-reentrant.
Upgraded Q -> M from 497 [1666363365064]
Judge has assessed an item in Issue 497 as Medium risk. The relevant finding follows:
Lack of a contract existence check may lead to undefined behavior
Lines of code Vulnerability details Impact Low-level calls call/delegatecall/staticcall return true even if the account called is non-existent per EVM design. Solidity documentation warns: “The low-level functions call, delegatecall and staticcall return true as their first return value if the...
Governor can rug all GRT by setting the gateway to her wallet (Governor may be hacked)
Lines of code Vulnerability details Impact Governor can rug all GRT by setting the gateway to her wallet Governor may be hacked. Proof of Concept First, the Governor set the gateway contract to her wallet function setGatewayaddress gw external onlyGovernor requiregw != address0, "INVALIDGATEWAY";...
execute does not work for ERC1155 tokens orders where amount > 1
Lines of code Vulnerability details Impact StandardPolicyERC1155 functions canMatchMakerBid and canMatchMakerBid always return amount == 1, regardless of the function arguments. This means that calling execute on an agreed order of ERC1155 token with an amount 1 will always transfer amount == 1 o...
Standard policy price matching is flawed
Lines of code Vulnerability details Impact Already placed orders may be highly unlikely able to be matched and executed. An order has to be created specifically for an already existing order with the intent to match and execute it. This severely impedes the functionality of the exchange, wastes...
The seller could steal the Creator Royalties
Lines of code Vulnerability details Impact the seller could set their address to get the Creator Royalties Proof of Concept execute == executeFundsTransfer == transferFees for uint8 i = 0; i fees.length; i++ uint256 fee = price feesi.rate / INVERSEBASISPOINT; transferTopaymentToken, from,...
USE OF SOLIDITY VERSION 0.8.14 WHICH HAS KNOWN ISSUES APPLICABLE TO Blur Exchange
Lines of code Vulnerability details Vulnerability details Vulnerability related to ‘Optimizer Bug Regarding Memory Side Effects of Inline Assembly’ ref : Blur Exchange inherits solidity contracts from openzeppelin and these uses inline assembly, and optimization is enabled while compiling...
Critical matching policy logic is unenforced
Lines of code Vulnerability details Impact Malicious order matching. Proof of Concept When being executed two orders are matched using custom matching policies. Certain checks are critical for every order matching. Currently these checks would have to be implemented in the matching policies...
Upgraded Q -> M from 657 [1664812795523]
Judge has assessed an item in Issue 657 as Medium risk. The relevant finding follows:
Type Error
Lines of code Vulnerability details Impact Type Error Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used Foundry - Forge Recommended Mitigation Steps Consider changing uint to int and ...
ArtGobblers contract wouldn't receive a random seed forever by a malicious user.
Lines of code Vulnerability details Impact ArtGobblers contract wouldn't receive a random seed forever by a malicious user. Currently it can't execute revealGobblers and upgradeRandProvider when gobblerRevealsData.waitingForSeed == true. So if the contract fails to receive the random seed after...
Dutch auction on-chain might work as expected
Lines of code Vulnerability details Impact Dutch auction on-chain for Page and Gobbler might work as expected. Bidders could spontaneously form some group to take advantage of the rule. The protocol will receive much less fund from auctions, effectively the auction funds being stolen. Proof of...
Lack of address check for contract ownership changes
Lines of code Vulnerability details Impact Not checking for zero address input can cause loss of ownership by accident. Proof of Concept Owner tries to change ownership to a zero address and it causes loss of funds. Tools Used Recommended Mitigation Steps Add a check that address is not zero...
Cannot Withdraw GOO Accrued In GobblerReserve Contracts
Lines of code Vulnerability details Impact The affected GobblerReserve contract does not implement any functionality to withdraw any accrued GOO. Considering that the community and team addresses in the ArtGobblers contract are going to be newly deployed GobblerReserve contracts, immutable and...
Some users may not be able to withdraw till the end of the rewardsCycle, due to possible underflow in the function beforeWithdraw()
Lines of code Vulnerability details Impact In xERC4626.sol If an underflow occur in the function beforeWithdraw, some users may not be able to withdraw till the end of the rewardsCycle. storedTotalAssets is a cached value of total assets, which will only include the unlockedRewards, when the whol...
Possible lost msg.value
Lines of code Vulnerability details In call submit can will send value and the asset can be an ERC20!= address0, if frxETHMinter.sol contract receive this call the funds will be lost. Recommended Mitigation Steps In frxETHMinter, submit function: Check if the msg.value is zero when the asset is...
Mint legendary gobbler for free
Lines of code Vulnerability details Impact Minting a legendary gobbler does not delete getApproved, thus an owner can approve himself before minting the legendary and later transfer back these ordinary gobblers. mintLegendaryGobbler performs an imitation of burning by setting an owner to address0...
Frontrunning by malicious validator
Lines of code Vulnerability details Impact Frontrunning by malicious validator changing withdrawal credentials Proof of Concept A malicious validator can frontrun depositEther transaction for its pubKey and deposit 1 ether for different withdrawal credential, thereby setting withdrawal credit...
Use safetransfer/safetransferFrom instead of transfer/transferFrom in ERC20
Lines of code Vulnerability details Impact It's good to check the return value of token transfer using safetransfer or safetransferFrom on Openzeppelin to ensure the token reverts on transfer failure. Failure to do so will cause silent failures of transfer and affect token accounting in contrac...
User will lose rewards
Lines of code Vulnerability details Impact User will lose their rewards even when vesting period has completed. Also the reward will get stuck in the contract with no one able to retrieve them Proof of Concept 1. Admin creates a new claim using createClaim function function createClaim address...
Overflow can make a claim impossible to revoke by the admin and fully withdraw by the recipient
Lines of code Vulnerability details Impact In contract VTVLVesting.sol, the multiplication in function baseVestedAmount can overflow for big enough values of truncatedCurrentVestingDurationSecs and linearVestAmount. This means the claim could be successfully created by the admin, but could NEVER ...
_releaseIntervalSecs is not validated
Lines of code Vulnerability details Impact VTVLVesting.sol has createClaimUnchecked function to create the claims internally while validating parameters with the users' allocations. However, releaseIntervalSecs is not validated comparing to user's linearVestAmount and startTimestamp endTimestamp...
VariableSupplyERC20Token cannot be deployed due to wrong access control
Lines of code Vulnerability details Impact VariableSupplyERC20Token contract cannot be deployed resulting in not functioning contract. Proof of Concept mint function is called in the constructor of VariableSupplyERC20Token contract. constructorstring memory name, string memory symbol, uint256...
beforeWithdraw() call syncRewards() results in incorrect nextRewards
Lines of code Vulnerability details Impact beforeWithdraw call syncRewards cause the number of "nextRewards" to be incorrect . if a large amount is withdraw at the end of the cycle, then the next cycle reward will incorrectly increase by the corresponding amount Proof of Concept when call...
Ambiguous situation exists for calling triggerDepeg and triggerEndEpoch functions when block.timestamp is set to epochEnd
Lines of code Vulnerability details Impact As shown by the following isDisaster modifier, which is used by the triggerDepeg function below, and the triggerEndEpoch function below, when block.timestamp is set to epochEnd, both of the triggerDepeg and triggerEndEpoch functions are allowed to be...
First depositor can break share minting
Lines of code Vulnerability details Impact Users will be unable to deposit their wished amount of tokens. Proof of Concept Similar to this ToB yearn audit, an attacker can mint a very small amount of shares and transfer a large amount of WETH to the contract, inflating the share price and making ...
[NAZ-M1] No Storage Gap for Upgradeable Contract Might Lead to Storage Slot Collision
Lines of code Vulnerability details Impact For upgradeable contracts, there must be storage gap to "allow developers to freely add new state variables in the future without compromising the storage compatibility with existing deployments" quote OpenZeppelin. Otherwise it may be very difficult to...
[NAZ-M3] Use safeTransfer()/safeTransferFrom() instead of transfer()/transferFrom()
Lines of code Vulnerability details Impact It is a good idea to add a require statement that checks the return value of ERC20 token transfers or to use something like OpenZeppelin’s safeTransfer/safeTransferFrom unless one is sure the given token reverts in case of a failure. Failure to do so wil...
Fee = 0 in case supply is less than 10
Lines of code Vulnerability details In case supply is less than 10 fee will be always = 0, which is almost impossible with ETH but it's not 100% excludible with an ERC20 token in case its value is very high and precision is low. A check that supply shall be more than 10 shall be set.
Vault does not verify that tokens were transferred successfully.
Lines of code Vulnerability details Impact If for some reason the ERC20 transfer is temporarily failing, the user could call deposit for free or if calling withdraw the user would totally lose his allocation and funds. All the state variables would already have been updated at this stage, so he...
Arbitrary contract call allows attacker to steal from user's wallet
Lines of code Vulnerability details Impact In function prepareGate , in the following line : bool s, bytes memory r = addressgateKeeper.callcreateGateCallData; A call to an arbitrary contractgateKeeper with custom calldata createGateCallData is made in prepareGate, which means the contract...