Code423n4: Most viewed

10190 matches found

Code423n4
added 2021/10/20 12:0 a.m. (19 views)

Rebalance will fail if a market has high utilization

Handle cmichel Vulnerability details The AssetManager.rebalance function iterates through the markets and withdraws all tokens in the moneyMarketsi.withdrawAll call. Note that in peer-to-peer lending protocols like Compound/Aave the borrower takes the tokens from the supplier and it might not be...

6.8 AI score
Exploits: 0
Code423n4
added 2021/09/05 12:0 a.m. (19 views)

.latestRoundData() does not update the oracle - ExchangeRate.sol

Handle tensors Vulnerability details Impact The method .latestRoundData on an oracle returns the latest updated price from the oracle, but this is not the current price of an asset. To get an accurate current price you need to query it by calling the oracle and waiting for a callback to fulfill t...

6.7 AI score
Exploits: 0
Code423n4
added 2021/07/24 12:0 a.m. (19 views)

PoolBase enables an easy withdrawal of funds

Handle walker Vulnerability details PoolBase enables an easy withdrawal of all funds severity: critical type: memory safety Description A memory safety bug in the pool base allows participants to trick the system into believing they're interacting with a pool's token. While in reality, they're...

7.3 AI score
Exploits: 0
Code423n4
added 2021/07/13 12:0 a.m. (19 views)

safeTransferFrom in TransferHelper is not safeTransferFrom

Handle jonah1005 Vulnerability details Impact A non standard erc20 token would always raise error when calling safeTransferFrom. If a user creates a USDT/DAI pool and deposits into the pool he would find out there's never a counterpart deposit. Proof of Concept TransferHelper does not use SafeERC...

6.9 AI score
Exploits: 0
Code423n4
added 2021/07/12 12:0 a.m. (19 views)

Gas griefing attack on the removeUserActiveBlocks function

Handle shw Vulnerability details Impact The consumed gas to remove a user's active block is proportional to the total number of array elements i.e., block numbers. However, the array size can be arbitrarily increased by an attacker with only paying gas fees, causing a gas griefing attack when the...

6.8 AI score
Exploits: 0
Code423n4
added 2024/01/26 12:0 a.m. (18 views)

nextEpoch is incorrect

Lines of code Vulnerability details Impact Rewards and voting weights are aligned on a weekly basis. However, nextEpoch is calculated incorrectly, which may break the invariant "The total rewards that are sent for one block should never be higher than the rewards that were configured for this...

6.9 AI score
Exploits: 0
Code423n4
added 2024/01/08 12:0 a.m. (18 views)

use of 0.8.20

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. This is because solidity 0.8.20 introduces the PUSH0 0x5f opcode which is only supported on the ETH mainnet and not on any other chains. That's why other chains can't find the PUSH0 0x5f opcode and thro...

7.3 AI score
Exploits: 0
Code423n4
added 2024/01/08 12:0 a.m. (18 views)

CM can exploit a pause in GuardCM to gain permanent unrestricted access

Lines of code Vulnerability details Impact The GuardCM contract is designed to restrict the Community Multisig CM actions within the protocol to only specific contracts and methods. Under specific circumstances, the protocol allows the guard to be paused, which temporarily pauses the guard and...

7.4 AI score
Exploits: 0
Code423n4
added 2024/01/08 12:0 a.m. (18 views)

changeRegistries() from the Tokenomics contract changes different registries at the same time.

Lines of code Vulnerability details Impact In a case where either one of the agent, component or service registry are deprecated, attempting to replace the compromised registry necessitates an overall replacement of all the other registries. This not only utilizes excess gas but can also bring...

7.2 AI score
Exploits: 0
Code423n4
added 2023/12/21 12:0 a.m. (18 views)

Slippage protection missing

Lines of code Vulnerability details The MaxHeap contract does not check for slippage when updating item values. This could enable the admin to manipulate asset prices. Recommendation: Implement slippage protection by adding min/max checks in updateValue: function updateValueuint256 itemId, uint25...

7 AI score
Exploits: 0
Code423n4
added 2023/12/08 12:0 a.m. (18 views)

OverInflation or OverDeflation of Value of ERC20 tokens with unequal Wrap and Unwrap Token Decimal

Lines of code Vulnerability details Impact Due to wrong parameter arrangement of convertDecimals... function call during the course of wrap and unwrap of erc20 token function call, OverInflation or OverDeflation of Value of ERC20 tokens with unequal Wrap and Unwrap Token Decimal which would cause...

7.1 AI score
Exploits: 0
Code423n4
added 2023/12/08 12:0 a.m. (18 views)

High risk in integrating Ocean with Curve TriCrypto pool on Arbitrum

Lines of code Vulnerability details Impact The Curve TriCrypto adapter contract enables swapping, adding liquidity, and removing liquidity for the USDT-WBTC-ETH pool on Arbitrum. However, this pool has been flagged for potential exploit risks. Curve Finance issued a warning: This pool might be at...

7.1 AI score
Exploits: 0
Code423n4
added 2023/12/01 12:0 a.m. (18 views)

Calls to get_virtual_price() are vulnerable to read-only reentrancy

Lines of code 117 Vulnerability details getvirtualprice was originally considered to be a manipulation-resistant price - suitable as a price oracle, but it was later found to be vulnerable to a read-only reentrancy attack, where the Curve contract could be put into a partially-modified state, and...

6.9 AI score
Exploits: 0
Code423n4
added 2023/10/30 12:0 a.m. (18 views)

vesting amount is overwritten when rewards are transferred consecutively before a user redeems thereby increasing/decreasing the totalAssets value than it actually should be

Lines of code Vulnerability details Impact In StakedUSDe there is a special rewarder role that can transfer additional usde as rewards for users who have staked usde tokens, now consider a scenario where a rewarder transfers 2 usde to the contract and the vesting period of 8 hours pass and the...

6.9 AI score
Exploits: 0
Code423n4
added 2023/10/26 12:0 a.m. (18 views)

potential DOS cause of rounding up at rayMul and rayDiv

Lines of code Vulnerability details Impact In rayMul and rayDiv , there is always rounding up ,cause of that , there will be potential DOS Proof of Concept function normalizeAmount MarketState memory state, uint256 amount internal pure returns uint256 return amount.rayMulstate.scaleFactor; functi...

7.1 AI score
Exploits: 0
Code423n4
added 2023/10/26 12:0 a.m. (18 views)

Sanction Bypass Through Depositing to Authorized Borrower's Market

Lines of code Vulnerability details Impact Wildcat protocol provides lending with lender backed collateral considered as reserves and the ratio must be upheld by the borrower. The protocol team has taken certain steps to prevent interaction with sanctioned users. However, sanction status is only...

7 AI score
Exploits: 0
Code423n4
added 2023/10/11 12:0 a.m. (18 views)

Possible hash collision in retrieveProxyContractAddress()

Lines of code Vulnerability details Impact implementation of keccak256abi.encodePackeda, b with both dynamic types or same type with dynamic nature leads to collision in hash. Proof of Concept From the sol docs:link. i.e If you use keccak256abi.encodePackeda, b and both a and b are dynamic types, i...

7 AI score
Exploits: 0
Code423n4
added 2023/10/06 12:0 a.m. (18 views)

User can selectively turn on the fallback flag to take all ETH on the agent contract as layerzero fee refund

Lines of code Vulnerability details Impact performFallbackCall can revert silently when refundee is not capable of taking ETH refund from layerzero side Proof of Concept In RootBridgeAgent.sol when the has fall back toggle flag is on, the smart contract aims to perform a fallback call to notify th...

7.2 AI score
Exploits: 0
Code423n4
added 2023/09/14 12:0 a.m. (18 views)

LiquidityPool.sol doesn't respect fully EIP 4626

Lines of code Vulnerability details Impact The EIP-4626 states that the function previewMint and previewWithdraw should be rounded up always, but that is not the case in the InvestmentManager.sol which makes it not fully compliant. Proof of Concept As can be seen by EIP-4626 the function...

6.8 AI score
Exploits: 0
Code423n4
added 2023/09/07 12:0 a.m. (18 views)

Price Manipulation Through Vulnerability in simulateRange Function

Lines of code Vulnerability details Impact The simulateRange function, although designed for simulation and testing purposes, could potentially be exploited in a sandwich attack scenario. A malicious actor could front-run a user's transaction by using a flash loan to manipulate the price,...

6.6 AI score
Exploits: 0
Code423n4
added 2023/08/04 12:0 a.m. (18 views)

StargateRewardableWrapper._claimAssetRewards should use stakingContract.withdraw(poolId, 0)

Lines of code Vulnerability details Impact StargateRewardableWrapper.claimAssetRewards leverage stakingContract.depositpoolId, 0; to claim rewards from Stargate. But it could fail to claim the reward in the edge case. Proof of Concept StargateRewardableWrapper.claimAssetRewards calls...

6.9 AI score
Exploits: 0
Code423n4
added 2023/07/21 12:0 a.m. (18 views)

MID-Risk Vulnerabilities in the Axelar Smart Contracts

Lines of code Vulnerability details Impact The vulnerabilities that I have identified could have a significant impact on the Axelar network. These vulnerabilities could be exploited by an attacker to: Gain control of the Axelar network by proposing and voting on malicious proposals. Mint or burn...

7.4 AI score
Exploits: 0
Code423n4
added 2023/07/14 12:0 a.m. (18 views)

Vault funds can be stolen by a malicious Yield Vault.

Lines of code Vulnerability details Impact When a vault is initialized, it sets Max Token Approval for the Yield Vault which allows the Yield Vault to ALWAYS have access to the funds in the vault. Since vaults can be created by anyone as long as they provide an ERC-4626 compliant yield source, an...

6.7 AI score
Exploits: 0
Code423n4
added 2023/07/14 12:0 a.m. (18 views)

Balance invariant between individual and total twabs can be broken

Lines of code Vulnerability details Impact An edge case in the TwabController.transferBalance can cause total balance for a vault account to decrease although it did not actually decrease. This will cause the sum of individual delegateBalances for a vault to be greater than the registered total f...

6.8 AI score
Exploits: 0
Code423n4
added 2023/07/14 12:0 a.m. (18 views)

Unsecure and predictable random number generation in closeDraw.winningRandomNumber_()

Lines of code Vulnerability details Impact Unsecure and predictable random number generation in closeDraw.winningRandomNumber can lead to external influence by malicious attackers. Leading to undermining of the fairness and security and unpredictability of the draw function. Both the timestamp an...

6.8 AI score
Exploits: 0
Code423n4
added 2023/07/13 12:0 a.m. (18 views)

Unauthorized Withdrawal of ETH by Admin in _withdraw.

Lines of code Vulnerability details Impact An attacker with admin privileges can maliciously execute the withdraw function, resulting in the unauthorized withdrawal of all the ETH in the contract. Proof of Concept withdrawNounsDAOStorageV3.StorageV3 storage ds external onlyAdminds returns uint256...

7.2 AI score
Exploits: 0
Code423n4
added 2023/07/13 12:0 a.m. (18 views)

Ex-token holders are still able to cast votes on proposals under certain circumstances

Lines of code Vulnerability details When casting a vote, an address is limited to a certain amount of votes derived from ds.nouns.getPriorVotes. However, due to the nature of ds.nouns.getPriorVotes, the amount of votes available to an address solely depends on the amount of tokens they held when ...

6.6 AI score
Exploits: 0
Code423n4
added 2023/07/10 12:0 a.m. (18 views)

Well.sol::addLiquidity() Unauthorized Liquidity Addition for Fee-on-Transfer Tokens

Lines of code Vulnerability details Description The addLiquidity in the Well.sol contract allows any address to add liquidity to tokens with a fee-on-transfer mechanism. Although there is a another function available to add liquidity for Fee-on-transfer token name addLiquidityFeeOnTransfer. Howev...

6.5 AI score
Exploits: 0
Code423n4
added 2023/07/10 12:0 a.m. (18 views)

Due to slot confusion, reserve amounts in the pump will be corrupted, resulting in wrong oracle values

Lines of code Vulnerability details Description The MultiFlowPump contract stores reserve counts on every update, using the libraries LibBytes16 and LibLastReserveBytes. Those libs pack bytes16 values efficiently with the storeBytes16 and storeLastReserves functions. In case of an odd number of...

7.1 AI score
Exploits: 0
Code423n4
added 2023/06/09 12:0 a.m. (18 views)

Insecure State settleFunds function, state update

Lines of code Vulnerability details Impact The impact of this finding is that an unauthorized party can manipulate the state of the vaultSettleStatus variable before executing critical operations related to penalty marking, fund distribution, and reward deposits. This can potentially disrupt the...

6.9 AI score
Exploits: 0
Code423n4
added 2023/05/30 12:0 a.m. (18 views)

Reentrancy guard in rageQuit() can be bypassed

Lines of code Vulnerability details Reentrancy guard in rageQuit can be bypassed The reentrancy guard present in the rageQuit function can be bypassed by host accounts, leading to reentrancy attack vectors and loss of funds. Impact The new rageQuit function can be used by party members to exit...

6.9 AI score
Exploits: 0
Code423n4
added 2023/05/04 12:0 a.m. (18 views)

Upgraded Q -> 3 from #344 [1683218670048]

Judge has assessed an item in Issue 344 as 3 risk. The relevant finding follows: To ensure that there is no overflow when converting uint256 to uint128,and the totalNetInputAmount can be extracted so that it does not need to be calculated again later virtualBaseTokenReserves +=...

7.1 AI score
Exploits: 0
Code423n4
added 2023/05/04 12:0 a.m. (18 views)

Strategy owner can steal staker funds.

Lines of code Vulnerability details Impact The functions StrategyManager.depositIntoStrategy and StrategyManager.depositIntoStrategyWithSignature doesn't check if the msg.sender != strategy. Hence, a strategy owner can deposit into his own strategy and specify the staker to his own EOA account, a...

6.8 AI score
Exploits: 0
Code423n4
added 2023/05/02 12:0 a.m. (18 views)

Upgraded Q -> 3 from #222 [1683017474019]

Judge has assessed an item in Issue 222 as 3 risk. The relevant finding follows: L-02 Downcasting uint or int may result in overflow Consider using OpenZeppelin's SafeCast library to prevent unexpected overflows. Instances: 2 File: src/PrivatePool.sol 231: virtualNftReserves -= uint128weightSum;...

7.2 AI score
Exploits: 0
Code423n4
added 2023/03/30 12:0 a.m. (18 views)

Ether Locked when Attempting to Call stake() during Setup

Lines of code Vulnerability details Impact During the period between the deployment of the SafEth contract and the addition of derivatives, there is a possibility for users to send Ether to the contract using the stake payable function. In this scenario, the funds will become locked and...

6.8 AI score
Exploits: 0
Code423n4
added 2023/03/30 12:0 a.m. (18 views)

Potential reentrancy in unstake function

Lines of code Vulnerability details Impact there is a potential reentrancy vulnerability in the unstake function. After the user's safETH tokens are burned, the function sends ETH to the user's address using the call method. If the receiving address is a contract and it has a fallback function th...

7.2 AI score
Exploits: 0
Code423n4
added 2023/03/20 12:0 a.m. (18 views)

(Pseudo) Random Number Generator can be gamed, allowing a user to target desirable NFT traits

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. The iteratePRNG function in the Utils.sol library is used in Tray.sol:drawing, which is used to determine the tile data that a user gets when they purchase an NFT in Tray.sol:buy. An attacker can exploi...

6.9 AI score
Exploits: 0
Code423n4
added 2023/03/19 12:0 a.m. (18 views)

Gas check inaccuracy

Lines of code Vulnerability details Impact Since the gas forwarded will be limited to 63/64 of the total gasleft, L1 transactions will be vulnerable to being reverted. To achieve 1:1 parity with the EVM, the ZKEVM should account for 1/64 rule. Please refer to the 1/64 rule here. The actual amoun...

7 AI score
Exploits: 0
Code423n4
added 2023/03/19 12:0 a.m. (18 views)

User may lose ETH

Lines of code Vulnerability details Impact User may lose ETH Proof of Concept If a non-existent function is called , the protocol may enter MsgValueSimulator.fallback.Inside the fallback function ,the protocol will transfer ETH from one address to another. If user calls a function that doesn't...

6.7 AI score
Exploits: 0
Code423n4
added 2023/03/15 12:0 a.m. (18 views)

NeoTokyoStaker.getPoolReward function can be frontrun, which can cause staker and DAO to lose reward shares that they are entitled to

Lines of code Vulnerability details Impact When calling the following NeoTokyoStaker.stakeBytes and NeoTokyoStaker.stakeLP functions, the higher the specified amount to be staked is, the higher the pool.totalPoints is increased by. function stakeBytes uint256 private uint256 amount; uint256...

6.8 AI score
Exploits: 0
Code423n4
added 2023/03/15 12:0 a.m. (18 views)

An malicious user can mint a huge amount of BYTES 2.0 tokens for himself

Lines of code Vulnerability details Impact An attacker can mint a huge amount of BYTES 2.0 tokens for himself. Additionally, the rewards system can be permanently damaged by making the pool.totalPoints a huge number, not reflecting the actual state of the system. Proof of Concept There are two co...

6.7 AI score
Exploits: 0
Code423n4
added 2023/03/07 12:0 a.m. (18 views)

Integer Overflow

Lines of code Vulnerability details Impact The owner of the ActivePool contract can set yield distribution parameters that do not add to the expected 10000 BPS. This would cause the rebalance function to send the incorrect number of tokens when using the splits. Proof of Concept Calling...

6.8 AI score
Exploits: 0
Code423n4
added 2023/02/12 12:0 a.m. (18 views)

Upgraded Q -> 2 from #308 [1676219092947]

Judge has assessed an item in Issue 308 as 2 risk. The relevant finding follows: 03 Upgradeable contract is missing a gap50 storage variable to allow for new storage variables in later versions --- The text was updated successfully, but these errors were encountered: All reactions...

6.9 AI score
Exploits: 0
Code423n4
added 2023/01/27 12:0 a.m. (18 views)

Incorrect totalSupply() function design

Lines of code Vulnerability details Impact In ERC1155Enumerable.solL36-L37 line, totalsuppyl of ERC1155 is calculated packages/v2-token/src/base/ERC1155Enumerable.sol: 34 35: /// @inheritdoc IERC1155Enumerable 36: function totalSupply public view override returns uint256 37: return...

7 AI score
Exploits: 0
Code423n4
added 2023/01/25 12:0 a.m. (18 views)

Missing Access Controls in Liquidity Position Library

Lines of code Vulnerability details Impact function feesEarnedOf LiquidityPosition memory liquidityPosition, uint256 long0FeeGrowth, uint256 long1FeeGrowth, uint256 shortFeeGrowth internal pure returns uint256 long0Fee, uint256 long1Fee, uint256 shortFee ... function updateLiquidityPosition stora...

7 AI score
Exploits: 0
Code423n4
added 2023/01/09 12:0 a.m. (18 views)

Wrong decoding of paymaster data makes validatePaymasterUserOp always fail, DoS

Lines of code Vulnerability details Impact DoS of validatePaymasterUserOp makes UserOperation's with paymaster not executable Proof of Concept . decodePaymasterData on line 102 in VerifyingSingletonPaymaster.validatePaymasterUserOp returns wrong data and makes function always fail due to the...

6.8 AI score
Exploits: 0
Code423n4
added 2022/12/21 12:0 a.m. (18 views)

When liquidation is not locked, anyone can liquidate another persons' collateral

Lines of code Vulnerability details Impact Petty users can liquidate other people's NFT immediately when the liquidation threshold is reached. Proof of Concept The owner controls the function setLiquidationsLocked and calls the function when a collateral needs to be liquidated function...

6.8 AI score
Exploits: 0
Code423n4
added 2022/12/12 12:0 a.m. (18 views)

depositAndTrade function is incomplete & does not use returnValue of UniswapV3 router

Lines of code Vulnerability details Impact depositAndTrade function seems to be incomplete - the tokenOutput from swapRouter is currently owned by DepositTradeHelper account and needs to be transferred back to msg.sender who initiated this transaction. Since this contract doesn't seem to be part ...

7.1 AI score
Exploits: 0
Code423n4
added 2022/11/28 12:0 a.m. (18 views)

Attackers can manipulate ERC4626 price per share to take an unfair share of future users

Lines of code Vulnerability details Impact The attacker can get funds from future users, and the future users will lose their funds. Proof of Concept A malicious early user can deposit with 1 wei of asset token and get 1 wei of shares. Then he/she can send 10000e18 - 1 of asset tokens and inflate...

6.8 AI score
Exploits: 0
Code423n4
added 2022/11/14 12:0 a.m. (18 views)

Exchange owner can consume all orders at arbitrary price

Lines of code Vulnerability details Impact The choice of policy to use for a transaction is determined by the listingTime. The listingTime can be supplied by the caller of execute/bulkExecute and can be arbitrary as along as it passes validation. And the policy of a given order is used to determi...

6.9 AI score
Exploits: 0
Total number of security vulnerabilities: 5000