Error of computation break the LpTokens supply, causes users to lose funds and make functions using _getUtilityFinalLp() broken.

Lines of code Vulnerability details Impact withdrawGivenOutputAmount and withdrawGivenInputAmount functions doesn't revert when balance of tokenX/tokenY = 0 and create an offset between reserve tokens and LP total supply. This lead to unwanted behaviors for the next operations on the protocol...

swapGivenInputAmount checks the wrong result out

Lines of code Vulnerability details Impact Wrong check amount results in unusable function. Proof of Concept swapGivenInputAmount calcaultes the value of result after calling swap. The check then requires that result 0. However, the comment states that amount cannot be less than 0...

Lack of balance checks in the withdrawGivenOutputAmount function

Lines of code Vulnerability details Impact Lack of balance checks in the withdrawGivenOutputAmount function can lead to various unpredictable consequences due to the breach of requirements "The pool's balances of the x reserve and y reserve tokens must be greater than the MINBALANCE" and "The...

Loss of precision due to division occurring before multiplication across multiple statements leads to lesser number of receiving tokens

Lines of code Vulnerability details Impact Swaps and Deposits work with two tokens X and Y. The computed amount of tokens on the receiving end decrease due to this multi-statement loss of precision occurring due to division before multiplication. Note: This finding is different from the L-06 bot...

Swapping lacks deadline check

Lines of code Vulnerability details Impact There is no deadline when swapping tokens using EvolvingProteus. Swaps that are done through low gas transactions may be stuck in the mempool for a long time, resulting in unfavourable swap. Proof of Concept Evolving prometeus seems like an upgrade to...

Upgraded Q -> 2 from #273 [1692910023114]

Judge has assessed an item in Issue 273 as 2 risk. The relevant finding follows: L-01 --- The text was updated successfully, but these errors were encountered: All reactions...

H-05 Unmitigated

Lines of code Vulnerability details Issue not mitigated About the problem sponsor function allows caller to delegate his shares to the special address. In this case caller losses ability to win prizes. Previous version of code had sponsor function, which allowed to deposit funds on behalf of owne...

M-02 Unmitigated

Lines of code Vulnerability details Comments In the previous implementation a malicious user could set arbitrary vault hooks for afterClaimPrize and beforeClaimPrize that could be used to gas grief the claimer or cause other claims in the same call to fail by deliberately reverting Mitigation The...

TEST PR 1093 - edited

Lines of code L1 Vulnerability details edited Assessed type call/delegatecall --- The text was updated successfully, but these errors were encountered: All reactions...

Undelegation logic doesn't work as expected, duo to that an owner of a lock would be enforced to extend their lock time for another 5 years.

Lines of code Vulnerability details Impact Undelegation logic doesn't work as expected, duo to that an owner of a lock would be enforced to reset his lock time for another 5 years through the function increaseAmount in order to successfully undelegate. Proof of Concept There are few differences...

No security council member can be proposed for removal using the propose function because it will always return MemberNotFound

Lines of code L134-L139 Vulnerability details Impact No security council member can be proposed for removal. Proof of Concept Going by the Arbitrum DAO constitution, a security council member cannot belong to first and second cohort at the same time. A security council member can either be in the...

Proposals will not be submitted in SecurityCouncilMemberElectionGovernor.sol and SecurityCouncilNomineeElectionGovernor.sol

Lines of code Vulnerability details Impact SecurityCouncilNomineeElectionGovernor::execute and SecurityCouncilNomineeElectionGovernor::createElection will always revert, since the form of description at the proposal is not compliant to the format required at GovernorUpgradable of Openzeppelin...

Timelock canceller role is removed from council and transferred to upgrade executor

Lines of code Vulnerability details Impact In L1SCMgmtActivationAction the TIMELOCKCANCELLORROLE is removed from the previous EmergencySecurityCouncil and not transferred to the new EmergencySecurityCouncil but rather to the L1 UpgradeExecutor. In SecurityCouncilNomineeElectionGovernor the...

_scheduleUpdate() should be called during initialize ing the SecurityCouncilManager

Lines of code Vulnerability details Impact Updates will not be scheduled through timelocks and target upgrade executors by the scheduleUpdate call. Initial set of cohort members will not be scheduled. Proof of Concept In SecurityCouncilManager whenever a new member is added, or removed or swapped...

electionToTimestamp() might return incorrect timestamps depending on the day of the first election

Lines of code Vulnerability details Bug Description For nominee elections, election dates are determined using the the electionToTimestamp function in the SecurityCouncilNomineeElectionGovernorTiming module. When SecurityCouncilNomineeElectionGovernor is initialized after deployment, the first...

Reusing other user's votes for both nominee and member elections

Lines of code Vulnerability details Impact The two elections nominee and member are sharing the same proposal id. This give an attack opportunity to a malicious user to reuse signature of other users who casted vote by signature in nominee election for casting vote in member election. In other...

SecurityCouncilMemberSyncAction.perform is not exclusively can be scheduled from SecurityCouncilManager's operations

Lines of code Vulnerability details Impact SecurityCouncilMemberSyncAction.perform is a crucial function that will be triggered by upgrade executor via delegate call after the whole election process or after current members do some update add/remove/replace/rotate to update security council...

GaugeController._get_sum() returns wrong value, breaking vote accounting

Lines of code Vulnerability details Impact The function to account for past historic total gauge weights getsum is supposed to return the sum for the future week. Instead it returns the sum for the oldest updated week. The returned value is used in voteforgaugeweights to compute the sum after the...

Security council election are vulnerable to signature replay attack

Lines of code Vulnerability details Impact SecurityCouncilNomineeElectionGovernor and SecurityCouncilMemberElectionGovernor contracts both inherit castVoteWithReasonAndParamsBySig function from the base GovernorUpgradeable contract, but implement custom countVote function respectively. The...

If user has delegated someone when locktime expires his tokens will be stuck forever.

Lines of code Vulnerability details Impact tokens will be stuck forever if user's locktime expired when his delegatee someone differant than him. Because he cannot withdraw his money also he cannot delegate himself too because his lock expired.Also he cannot use increaseamount for lockexpired and...

Delegated Votes Blocking Delegator Undelegation

Lines of code Vulnerability details Impact Once a delegator has delegated their votes to a delegatee, and the delegatee employs those votes in an ongoing proposal, the delegator loses the ability to undelegate their votes. VotingEscrow::delegate is used to delegate user A's votes to User B. Once...

_computeAvailable() the calculations are wrong

Lines of code Vulnerability details Impact computeAvailable incorrect calculations that result in a return value greater than the current balance, causing methods such as liquidate to fail Proof of Concept VaultBooster.computeAvailable used to count the number of tokens currently available There...

Lack of authentication in rngComplete

Lines of code Vulnerability details Impact In RngRelayAuction.sol the rngComplete function is meant to be called only by the rngAuctionRelayer contract, however, it can currently be called by any user. Consequently any random number can be used to close a prize pool draw, benefiting the malicious...

The absence of proper Access Control in RngRelayAuction::rngComplete() enables anyone to prematurely conclude the Auction Process.

Lines of code Vulnerability details Explanation For the DrawAuction to be successfully completed, a specific sequence of actions must be followed, and each step holds significance. This demands a carefully designed execution flow that considers both the procedure's requirements and the authorized...

Owner of _liquidationPair can add malicious liquidation source and insufficient input parameter validations

Lines of code Vulnerability details Impact Malicious liquidationPair owner can deploy liquidationPair using malicious sourceliquidation source that the pair will use and other insufficient input validations that can put users' funds at risk. File: src/LiquidationPairFactory.sol function createPai...

Inflation attacks with virtual shares and assets on GeVault

Lines of code Vulnerability details Impact An inflation attacks can be done on the first deposit into the GeVault contract. Making the first real depositor losing his deposit. Proof of Concept Inflation attack steps : First, Alice the attacker need to craft a deposit that put valueX8 = 1 = Thus...

CurveStableMetapoolCollateral.tryPrice returns a huge but valid high price when the price oracle of pairedToken is timeout

Lines of code Vulnerability details The CurveStableMetapoolCollateral is intended for 2-fiattoken stable metapools. The metapoolToken coin0 is pairedToken and the coin1 is lpToken, e.g. 3CRV. And the config.chainlinkFeed should be set for paired token. Impact The CurveStableMetapoolCollateral.pri...

No slippage control while minting GLP

Lines of code Vulnerability details Impact glpRewardRouter.mintAndStakeGlpaddressweth, wethAmount, 0, 0; Here, minUSDG = 0 and minGlp = 0 means no slippage checks. This can be sandwitched in certain conditions in which delta between min and max glp price is higher due to following factors: delta...

LiquidationQueue brings centralization risk in the contract.

Lines of code Vulnerability details Impact the owner has too much unilateral control over liquidations and can manipulate te country in the following ways: The owner of LiquidationQueue sees a profitable liquidation opportunity Before anyone else can liquidate, they use LiquidationQueue to place ...

Lack of protection when caling CusdcV3Wrapper._withdraw

Lines of code Vulnerability details Impact When unwrapping the wComet to its rebasing comet, users with an equivalent amount of wComet invoking CusdcV3Wrapper.withdraw at around the same time could end up having different percentage gains because comet is not linearly rebasing. Moreover, the...

Lack of protection when withdrawing Static Atoken

Lines of code Vulnerability details Impact The Aave plugin is associated with an ever-increasing exchange rate. The earlier a user wraps the AToken, the more Static Atoken will be minted and understandably no slippage protection is needed. However, since the rate is not linearly increasing,...

Users cannot unfollow if they do not own the FollowNFT of the followTokenId used for their profile

Lines of code Vulnerability details Bug Description If the followTokenId of a profile is wrapped, users will only be able to unfollow if they are either: 1. The owner of the follow NFT. 2. An approved operator of the follow NFT's owner. This can be seen in the unfollow function of FollowNFT.sol:...

Users repay more than the approved amount.

Lines of code Vulnerability details Impact More tokens can be repaid than were approved leading to loss of funds Proof of Concept The repayBorrowFresh function does the following: 1. Checks if repay is allowed by calling comptroller.repayBorrowAllowed with the input repayAmount. 2. Fetches the...

External visibility modifier on function that should be callable from address(this). Doesnt seem right.

Lines of code Vulnerability details Impact External visibility modifier on function that should be callable from addressthis. Doesnt seem right. Proof of Concept /// @notice grant the guardians the pause ability function grantGuardiansPause external require msg.sender == addressthis, /// @audit i...

Migration of Profiles can fail due to difference in handle validity in V1 and V2

Lines of code Vulnerability details Impact Profiles with certain type of handles in V1 cannot be migrated to V2. Proof of Concept In V1 and V2, the validity of handles is determined differently. Due to this it is possible that some profiles have handles that are valid according to V1 validation b...

The profileId is incremented using ++_profileCounter inside the createProfile function without any overflow checks in createProfile function

Lines of code Vulnerability details Impact If this issue exists, profileCounter reaches the maximum value, it will wrap around and reset to its minimum value, which is 0 for unsigned integers in Solidity. This unintended behavior can have several negative impacts on the functioning of the contrac...

approve() can be front-run

Lines of code Vulnerability details Impact In MToken.sol we have approve function: function approveaddress spender, uint256 amount override external returns bool address src = msg.sender; transferAllowancessrcspender = amount; emit Approvalsrc, spender, amount; ...

missing check for the max/min price in the chainlinkOracle.sol contract

Lines of code Vulnerability details Impact the chainlinkOracle.sol contract specially the getChainlinkPrice function using the aggregator v2 and v3 to get/call the latestRoundData. the function should check for the min and max amount return to prevent some case happen, something like this: if cas...

Any extra reward tokens that accumulate in the contract remain locked there permanently.

Lines of code Vulnerability details Impact Funds get locked in contract resulting to Loss of asset control, funds and increased costs to recover fund Proof of Concept Reviewing the list of external and public functions, there is no withdraw or reclaim function: 2. Scanning the contract code, ther...

Front-Running Vulnerability in LensHub.sol's commentWithSig and quoteWithSig Functions

Lines of code Vulnerability details Impact A vulnerability has been discovered in LensHub.sol's commentWithSig and quoteWithSig functions. This vulnerability potentially enables an attacker to disrupt users' actions by front-running transactions, resulting in undesirable modifications of comments...

Users with 0 votes can vote .

Lines of code Vulnerability details Impact Users with 0 votes can vote , which can lead to unwanted scenarios . Proof of Concept The function vote in CoreVoting.sol looks like this : function vote address memory votingVaults, bytes memory extraVaultData, uint256 proposalId, Ballot ballot public...

a user can not change there vote and will cause to revert when trying due to uninitialized enum

Lines of code Vulnerability details Impact in CoreVoting.vote if you are voting again or changing direction firstly it will subtract the previous vote amount of votes but when doing that it is using uninitialized enum castBallot which by default return 0 yes enum to subtract from if...

A grant cannot be removed if the user has already claimed/withdrawn all his tokens beforehand

Lines of code Vulnerability details The revokeGrant is used to removes a grant. Any available vested tokens will be sent to the grant recipient. Any remaining unvested tokens will be sent to the vesting manager. But in the case when the user has already claimed all his tokens, the revokeGrant wil...

InterchainProposalExecutor doesn't support actions with value

Lines of code Vulnerability details Impact An interchain call consists of the target address, calldata, and value. When InterchainProposalExecutor performs the call, it passes the value along function executeProposalInterchainCalls.Call memory calls internal for uint256 i = 0; i calls.length; i++...

MID-Risk Vulnerabilities in the Axelar Smart Contracts

Lines of code s://github.com/code-423n4/2023-07-axelar/tree/main/contracts/cgp/governance/AxelarServiceGovernance.solL73 Vulnerability details Impact The vulnerabilities that I have identified could have a significant impact on the Axelar network. These vulnerabilities could be exploited by an...

Users with DEPLOY permission can grief each other through CREATE2

Lines of code Vulnerability details Bug Description In ERC725XCore.sol, the deployCreate2 function uses Openzeppelin's Create2.deploy to deploy new contracts: ERC725XCore.solL253-L267 function deployCreate2 uint256 value, bytes memory creationCode internal virtual returns bytes memory newContract...

The _currentExchangeRate of the Vault contract can't increase, and always be lower than or equal to _assetUnit

Lines of code Vulnerability details Impact The currentExchangeRate of the Vault contract can not increase, and always be lower than or equal to assetUnit. Therefore, when the vault is undercollateralized currentExchangeRate assetUnit, it can't be further collateralized. Proof of concept function...

balanceOf method can be manipulate to liquidated vault

Lines of code Vulnerability details Impact Deriving price from balanceOf can be manipulated to liquidate vault see example Attacker can provide ERC20 token to the vaultAsset and mint vault shares. The deposited tokens will then be withdrawn with having same shares in the vault. The shares then wi...

Vault.mintYieldFee FUNCTION CAN BE CALLED BY ANYONE TO MINT Vault Shares TO ANY RECIPIENT ADDRESS

Lines of code Vulnerability details Impact The Vault.mintYieldFee external function is used to mint Vault shares to the yield fee recipient. The function is an external function and can be called by anyone since there is no access control. The function will revert only under following two...

Missing Input Validation

Lines of code Vulnerability details Impact The below situations do not have checks on their inputs: When bytes12inputDataKey == LSP6KEYADDRESSPERMISSIONSPERMISSIONSPREFIX: // AddressPermissions:Permissions: if bytes12inputDataKey == LSP6KEYADDRESSPERMISSIONSPERMISSIONSPREFIX // controller already...