token.transferFrom signaling failure by returning false may allow for funds to be stolen

Lines of code Vulnerability details Impact ERC20MultiDelegate is expected to work with any ERC20-compliant tokens as long as they provide the same functionality and interface as ERC20Votes from OpenZeppelin. This makes it possible for ERC20MultiDelegate to work with a token that signals...

Rounding error leading to no reward being sent

Lines of code Vulnerability details Impact Rounding errors could occur if the provided amount is too small, Proof of Concept rewardsToSend += inRangeLiquidityOfPosition concRewardPerWeekpoolIdxweek / overallInRangeLiquidity; uint256 rewardsForWeek = timeWeightedWeeklyPositionAmbLiquidity poolIdx...

Users may be unable to claim their rewards and add/remove liquidity due exceeding gas limit

Lines of code Vulnerability details Impact If a user provides liquidity on ticks which are entered and exited a large number of times, the gas required to call the accrueConcentratedPositionTimeWeightedLiquidity can exceed the block gas limit. Proof of Concept The...

Incorrect functionID will not trigger fallback

Lines of code Vulnerability details Impact When encoding a payload for settlement of multiple tokens, the fallback flag is not set when it should be. This will cause no fallback to be triggered even though the user has paid enough to cover the additional costs that are required. Proof of Concept ...

Anyone can call replenishReserves(...) (token version) to repay borrowed reserves with reserves

Lines of code Vulnerability details Impact The replenishReservestoken, ... can be called by anyone. Proof of Concept The NATSPEC comment in the IBranchPort states the replenishReservestoken, ... can only be called by the port strategy itself as shown below / @notice allow approved address to repa...

Time-weighted liquidity accounting assumes consecutive activity; double counting possible, needs validation.

Lines of code Vulnerability details Impact Time-weighted liquidity accounting in accrueConcentratedPositionTimeWeightedLiquidity and similar functions assumes ticks were active consecutively between entry/exit timestamps. However, a tick could exit and re-enter in the same week, leading to double...

A Malicious user can create a rootBridgeAgent with a malicious endpoint and execute calls directly with the rootBridgeAgent.

Lines of code Vulnerability details Impact A Malicious user can create a rootBridgeAgent with a malicious endpoint and execute calls directly with the rootBridgeAgent. Since anyone can create a rootBridgeAgent with desired values for port, endpoint and router address in anychain. The Attacker can...

All tokens can be stolen from VirtualAccount due to missing access modifier

Lines of code Vulnerability details Impact All non-native assets ERC20 tokens, NFTs, etc. can be stolen by anyone from a VirtualAccount using its payableCall... method, which lacks the necessary access control modifier requiresApprovedCaller. See also, the call... method which utilizes the...

USAGE OF abi.encodePacked TO ENCODE DATA COULD LEAD TO payload DATA COLLISION IN THE RootBridgeAgent._createSettlementMultiple FUNCTION

Lines of code Vulnerability details Impact The RootBridgeAgent.callOutAndBridgeMultiple function is used to settle multiple assets and perform a remote call to a branch chain. callOutAndBridgeMultiple function calls the RootBridgeAgent.createSettlementMultiple internal function to compute the...

Tokens locking due to empty parameters to execute on the root chain router

Lines of code Vulnerability details Vulnerability details Impact User's tokens will be locked at the router contract if the params encoded parameters of functions callOutAndBridge and callOutAndBridgeMultiple are empty. The executionStatesrcChainIddepositNonce storage variable will have value...

if lzReceiveNonBlocking failed to execute , they don't send back ,accumulated msg.value . malicious user drain that

Lines of code Vulnerability details Impact PerformFallBack is gonna fail and msg.value will be accumulated in that BranchBridgeAgent and malicious user can take over them Proof of Concept User deposited and When it's not executed ,user want to retrieve and callRetrieveSettlement ,send message to...

If dt is not updated accurately then timeWeightedWeeklyPositionInRangeConcLiquidity_ might be updated incorrectly.

Lines of code Vulnerability details Impact In the function accrueConcentratedPositionTimeWeightedLiquidity, inside the while block, dt is initialised as: uint32 dt = uint32 nextWeek If tickTracking.exitTimestamp != 0 then the following else block is executed on line 117: else // Tick is no longer...

Rewards cannot be transferred when calling protocol command

Lines of code Vulnerability details Summary Rewards are set up using protocol commands, but it's entrypoint is not payable. Impact Rewards can be set up by protocol authorities using the functions setConcRewards and setAmbRewards present in the LiquidityMiningPath contracts. These two are part of...

functions in FixedMath.sol directly converting uint256 arguments to int256 which may overflow

Lines of code Vulnerability details Impact functions in FixedMath.sol directly converting uint256 arguments to int256 which may overflow or return unexpected values Proof of Concept functions in FixedMath.sol like uintDiv , uintMul , toFixed directly converting its arguments from uint256 to int25...

updateScore() is vulnerable to flashloan manipulation

Lines of code Vulnerability details Impact vToken.balanceOfuser can be manipulated by dong some flash loan of vToken. Proof of Concept A flash loan attack is a type of exploit that takes advantage of the fact that flash loans are uncollateralized and do not require a credit check. In a flash loan...

Inefficient handling when the Prime contract is unfunded during interest claims

Lines of code Vulnerability details Impact Loss of funds. Transferring of wring user amount interests. This issue also might leave the PrimeLiquidityProvider with a depleted balance, making it unable to fulfill other potential interest payouts. Additionally, if the PrimeLiquidityProvider doesn't...

M-05 MitigationConfirmed

Lines of code Vulnerability details In the previous implementation when stakingContract.totalAllocPoint = 0 stakingContract.withdraw and stakingContract.deposit will div 0 , revert This results in StargateRewardableWrapper no longer being able to execute StargateRewardableWrapper.withdraw The...

Swap functionality to sell rewards is too permissive and could cause accidental or intentional loss of value

Lines of code Vulnerability details Summary While the intention is to use the 0x protocol to sell rewards, the implementation doesn't provide any basic guarantee this will correctly happen and grants the rewarder arbitrary control over the tokens held by the strategy. Impact Rewards earned in the...

Some Outgoing functions are not supported on the gateway

Lines of code Vulnerability details Impact The gateway serves both outgoing and incoming calls, All incoming calls should have corresponding outgoing calls and vice versa However, some incoming calls like addPool , allowPoolCurrency , addTranche have no corresponding calls via the gateway contrac...

Incorrent approval for escrow tokens, not allowing to burn on redeem

Lines of code Vulnerability details Impact Liquidity pool approval for burning escrow tokens is not correctly assigned when pool is deployed on PoolManager deployLiquidityPool lines: EscrowLikeescrow.approveliquidityPool, addressinvestmentManager, typeuint256.max; // Approve investment manager on...

There is no concept of a requestDeposit, requestRedeem receipt made on the source chain, resulting in no recovery proces escrowed funds in the event of bridge or Centrifuge fall.

Lines of code Vulnerability details Impact There is no kind of request receipt on the EVM chain at all. The InvenstmentManagerrequestDeposit simply puts users tokens in the escrow and then the request gets routed to the Gateway and later to the outgoingRouter. The flow goes as follows 1.Buyer cal...

Blocking assets/shares in escrow

Lines of code Vulnerability details Impact An investor can lose a part of assets or shares due to their blocking in escrow. Proof of Concept Suppose the user decided to invest an amount of assets which is more than typeuint128.max. This can be done by calling the requestDeposit function several...

transferIn() is susceptible to a front-running attack

Lines of code Vulnerability details Impact Another auth caller can exploit the vulnerability by executing front-running transactions using the source address that has just given allowance approval to the contract. This allows the attacker to acquire and increase the destination amount of the...

Access Control Dependency on msg.sender: The onlyGateway modifier relies solely on msg.sender for access control. If the address of the gateway contract is compromised or manipulated, it can lead to unauthorized access to critical functions within the contract.

Lines of code Vulnerability details Access Control Dependency on msg.sender Impact: The onlyGateway modifier relies solely on msg.sender for access control. If the address of the gateway contract is compromised or manipulated, it can lead to unauthorized access to critical functions within the...

The executeScheduledRely function in the code allows any external caller to execute it without proper access control checks. This means that anyone can make themselves a ward on a contract without authorization, which poses a security risk.

Lines of code Vulnerability details Issue: The executeScheduledRely function in the code allows any external caller to execute it without proper access control checks. This means that anyone can make themselves a ward on a contract without authorization, which poses a security risk. Proof of...

Contract lacks proper error handling. Without meaningful error messages, it becomes difficult to identify the exact reasons for failures or unexpected behavior. Often leading end user astray.

Lines of code Vulnerability details Contract lacks proper error handling. Without meaningful error messages, it becomes difficult to identify the exact reasons for failures or unexpected behavior. Often leading end user astray. The code lacks proper error handling mechanisms, which can make it...

approve function can be frontrun and funds will be stolen as a result

Lines of code Vulnerability details Impact The user that gives allowances will lose funds. Proof of Concept In the file ERC20.sol there is a function approve. This function is problematic as it is susceptible to frontrunning attacks. PoC: Consider the following scenario: Alice calls the function...

lack of an ownership transfer mechanism

Lines of code Vulnerability details Issue: The code does not have a mechanism to transfer ownership of the contract. In the current implementation, once deployed, the contract owner's address cannot be changed. This can be problematic for contract maintenance and security, as it restricts the...

In transferFrom() address "from" can be put of contract address and bypass Errors.FromNotCreateOfferer(from)

Lines of code Vulnerability details Impact In transferFrom address "from" can be put of contract address and bypass Errors.FromNotCreateOffererfrom Proof of Concept the code should be function transferFromaddress from, address targetTokenReceiver, uint256 createOrderHashAsTokenId external...

Expiry time is of no use

Lines of code Vulnerability details Impact DelegateToken holder can withdraw before expiry. Even if the principalToken holder extends the time it is of no use. And anyone can withdraw any delegateTokenId and send all the tokens to their address. Proof of Concept The withdraw function in the...

yryryserywretsh

Lines of code L1 Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used Recommended Mitigation Steps Assess...

Precision Error in getPrice due to Omission of Last Day's Interest

Lines of code Vulnerability details The code attempts to calculate the price based on the interest from the previous day by using range.end - 1. However, if the last day represented by range.end has fully passed, the interest for this day is never taken into account. Over time, these slight...

Discrepancy in Token Allowance After Rebase Events

Lines of code Vulnerability details The function returns the number of tokens that spender is allowed to spend on behalf of owner. However, in the context of tokens with rebase mechanisms, the owner's balance can dynamically change without explicit transactions. The described behavior might lead ...

_execute can be reorder a batch of commands while executing

Lines of code Vulnerability details Impact Lets see what is written in by Axelar: AxelarGatewayMultisig.execute takes a signed batch of commands. Each command has a corresponding commandID. This is guaranteed to be unique from the Axelar network. execute intentionally allows retrying a commandID ...

Zero Redemption Amount in RdpxDecayingBonds Contract

Lines of code Vulnerability details Impact The redeem function, as described, checks whether the assets to be redeemed assets are not zero. This check is in place to ensure that a user isn't redeeming a non-zero amount of rdpxAmount tokens in exchange for zero assets. Such a check is essential to...

Attacker can DOS the sync function of RdpxV2Core which will brick critical functionality

Lines of code Vulnerability details Impact The sync function of the RdpxV2Core contract is critical for ensuring that the cached balances of the tokens in the contract are up to date. For example, all of the AMO logic involves sending tokens directly to the RdpxV2Core contract, meaning there's no...

Fully slashed transcoder can vote with 0 weight messing up the voting calculations

Lines of code Vulnerability details Impact If a transcoder gets slashed fully he can still vote with 0 amount of weight making any other delegated user that wants to change his vote to subtract their weight amount from other delegators/transcoders. Proof of Concept In BondingManager.sol any...

Swap Slippage Check Missing Location: reLP function

Lines of code Vulnerability details Impact If the swap doesn't meet the slippage tolerance, the function will still continue executing. This could lead to the contract holding less tokenA than expected, which could affect the subsequent addLiquidity call and the final balances of the AMO and...

Attacker can steal funding yield from the PerpetualAtlanticVaultLP contract atomically

Lines of code Vulnerability details Impact An attacker is able to atomically steal large amounts of the funding yield from the PerpetualAtlanticVaultLP contract. This is due to the fact that the deposit function of the PerpetualAtlanticVaultLP contract will first issue the attacker shares based o...

The quorum calculation in the _quorumReached() function is inconsistent and could allow abstain votes to prevent a proposal from reaching quorum even if most participating voters are in favor

Lines of code Vulnerability details Impact This allows abstain voters to effectively veto a proposal, even if most participating voters approve it. Proof of Concept The quorum numerator and denominator are inconsistent. The quorum uses totalVotes for the denominator which includes abstains. But t...

missing in calculation parameter issue in Earnings Pool

Lines of code Vulnerability details Impact here is the vulnerable part in code : function getLastTranscoderRewardsEarningsPooladdress transcoder, uint256 round internal view returns uint256 rewardRound, EarningsPool.Data memory pool BondingCheckpoint storage bond = getBondingCheckpointAttranscode...

[H-01] GovernorCountingOverridable.castVoteBySig()/castVoteWithReasonAndParamsBySig(): Possible signature replay attacks to influence proposal execution

Lines of code Vulnerability details Impact In the GovernorCountingOverridable.sol inherited by LivePeerGovernor.sol, users can provide a signature to allow someone else to vote on their behalf using the castVoteBySig/castVoteWithReasonAndParamsBySig function since this functions are not overriden...

BondManager.updateTranscoderWithFees wrong decimal multiplication. Function always revert due to underflow

Lines of code Vulnerability details BondingManager.sol have 2 mathUtils libraries, MathUtils use 1e6 as precision while PreciseMathUtils use 1e27 as precision. Some variable use MathUtils while other use PreciseMathUtils which might cause confusion. It happen with treasuryRewardCutRate variable...

Users can withdraw token multiple times by calling `withdrawStake' thereby depleting the treasury

Lines of code Vulnerability details The withdrawStake function is used to withdraw tokens for an unbounding lock that has existed through an unbounding period. All it needs is the unbondingLockId to carry out the operation. The associated ID gets deleted & the amount that has been bounded is...

Potential Over-redemption Vulnerability in redeem Function

Lines of code Vulnerability details Impact In the redeem function, when a third party is using their allowance to redeem shares on behalf of an owner, there exists a potential scenario where the third party could redeem more than originally intended by the owner. Proof of Concept This is how the...

DOS the system by frontrunning the initialize function

Lines of code Vulnerability details Impact LivepeerGovernor and Treasury are vulnerable to DOS. Proof of Concept The initialize function present in these two contracts is not called just after their construction. Which is confirmed in the contract LivepeerGovernorUpgradeMock.sol while initializin...

Slashing transcoders on violation should not effect the delegators who staked into such transcoders, delegators should continue to earn rewards

Lines of code Vulnerability details Impact Due to violation of norms, when a transcoder is slashed and force to resign, the delegators who provided stake into such transcoder should not be effected. They delegators should be able to continue earning the rewards as they delegated their tokens to...

Incorrect slippage calculation in _curveswap function

Lines of code Vulnerability details Impact swaps will fail or execute with higher slippage than intended. Proof of Concept In curveSwap function of RdpxV2Core contract , getEthPrice should be used in place of getDpxEthPrice, and getDpxEthPrice should be used in place of getEthPrice. / @notice...

The bond manager contract does not properly zero out the transcoder's cumulative rewards/fees between rounds.

Lines of code Vulnerability details Impact transcoder's cumulative rewards and fees can continue accumulating from previous rounds, instead of resetting each round. This means a transcoder could claim portion of rewards/fees that it should not be entitled to. Proof of Concept This only resets the...

LastRewardRound is sometimes not checkpointed for Delegators

Lines of code Vulnerability details Impact lastRewardRound is not updated/checkpointed for delegators when transcoder changes state. This results in incorrect rewards and votes. It also violates this checkpointing condition specified by the technical specification: Quote: "In practical terms, it...