Protocol fee rate can be arbitrarily modified by the owner and the new rate will apply to all existing orders
Lines of code Vulnerability details function matchOneToOneOrders(OrderTypes.MakerOrder calldata makerOrders1, OrderTypes.MakerOrder calldata makerOrders2) external { uint256 startGas = gasleft(); uint256 numMakerOrders = makerOrders1.length; require(msg.sender == MATCHEXECUTOR, 'OME');...
_handleExecuteTransaction may not work correctly on fee-on-transfer tokens. Moreover, if it fails, funds may be locked forever.
Lines of code Vulnerability details Impact handleExecuteTransaction may not work correctly on fee-on-transfer tokens, as a duplicated fee is applied to a fee-on-transfer token when executing an arbitrary call message passing request. Moreover, the Executor contract increases allowance on that token...
Tokens with decimals larger than 18 are not supported
Lines of code Vulnerability details For tokens with decimals larger than 18, many functions across the codebase will revert due to underflow. function getPriceFromDex(address tokenAddress) public view returns (uint256) { PriceInfo storage priceInfo = priceRecords[tokenAddress]; if (priceInfo.active) { uint25...
Consistently check account balance before and after transfers for Fee-On-Transfer discrepancies
Lines of code Vulnerability details As arbitrary ERC20 tokens can be passed, the amount here should be calculated every time to take into consideration a possible fee-on-transfer or deflation. Also, it's a good practice for the future of the solution. Affected code:...
Timelock able to be bypassed because of wrong check in LibDiamond
Lines of code Vulnerability details Impact In the walkthrough video, it is said that upgrades of the Diamond must go through a proposal window with a delay of 7 days. An upgrade should be done by first calling proposeDiamondCut, then waiting 7 days and calling diamondCut. But this timelock can be bypassed...
Accumulated ETH fees of InfinityExchange cannot be retrieved
Lines of code Vulnerability details ETH fees accumulated from takeOrders and takeMultipleOneOrders operations are permanently frozen within the contract as there is only one way designed to retrieve them, a rescueETH function, and it will work as intended, not being able to access ETH balance of...
Bridging could be temporarily disrupted when setConnext is called without deactivating sponsorVault
Lines of code Vulnerability details When a sponsor wants to stop sponsoring bridge fees, it's possible that they call SponsorVault.setConnext to stop allowing Connext to reimburse fees, but forget to inform the Connext team. This will cause bridging executions to be temporarily disrupted. For fee...
Should it transfer underSpentAmount to _msgSender() instead of reserve?
Lines of code Vulnerability details Impact underSpentAmount is a dust amount; if it is transferred to reserve without any state modification, these tokens might be lost. Normally, a dust amount must be transferred back only to msgSender as a best practice. Proof of Concept unchecked uint256 underSpentAmoun...
An attacker can lock all the auraBAL rewards in the contract address forever and they won't be accessible
Lines of code Vulnerability details Impact The auraBAL token is in the protected tokens list, so it can't be transferred to bribeProcessor by using sweepRewardToken. The function harvest is supposed to call LOCKER.getReward and then swap the received auraBAL rewards and deposit them in LOCKER, but it can only do...
receive function is unrestricted
Lines of code Vulnerability details Impact The receive function has no restriction, which means that if any user accidentally sends any ETH to this contract then it is permanently frozen until the timelock decides to release it by creating and approving a new transaction on the timelock which...
TimelockControllerEmergency: The sent ether may be locked in the OwnerProxy contract
Lines of code Vulnerability details Impact The call function in the TimelockControllerEmergency contract will send ether to the OwnerProxy contract, and the OwnerProxy contract will delegatecall the script contract. The two existing script contracts will neither use ether nor withdraw ether, whic...
Malicious Owner can steal all user funds
Lines of code Vulnerability details Submitting as med risk because it would require a malicious multisig, but there should never be absolute trust in any party, especially when there's no reason fees would ever need to be that high anyway. Impact Owner steals all user funds Proof of Concept...
Reentrancy via _harvest() and _deposit() code in the middle of claimBribesFromHiddenHand()'s external calls to tokens changes the AURA token balances, so claimBribesFromHiddenHand() makes wrong transfers and funds would be lost
Lines of code Vulnerability details Impact Function claimBribesFromHiddenHand makes some external calls to a token list which is fetched from hiddenHandDistributor.rewards; if AURA was one of those tokens and one of those tokens was malicious or made some external call, then it's possible to reent...
All withdrawal functionality is paused when contract is paused
Lines of code Vulnerability details Impact When the strategy contract is paused, all withdrawal functionality will be paused. Based on the comments in MyStrategy.sol and baseStrategy.sol, withdrawToVault should not be affected by the pause functionality. This is not the case due to the...
wfCashERC4626.sol#redeem() Lack of slippage control for market sell
Lines of code Vulnerability details function redeem(uint256 shares, address receiver, address owner) public override returns (uint256) { // It is more accurate and gas efficient to check the balance of the // receiver here than rely on the previewRedeem method. uint256 balanceBefore =...
Users Might Not Be Able To Purchase Or Redeem SetToken
Lines of code Vulnerability details Proof-of-Concept Whenever a setToken is issued or redeemed, the moduleIssueHook and moduleRedeemHook will be triggered. These two hooks will in turn call the redeemMaturedPositions function to ensure that no matured fCash positions remain in the Set by redeemin...
Causes users' transactions to revert right after deployment so they can't lend or borrow
Lines of code Vulnerability details Impact Because hasMatured is false at deployment, mintInternal reverts, which causes users to lose money on gas; users can't lend, which could lead to worse things and open more attack vectors. Recommended Mitigation Steps check for delay after deployment or g...
PortalFacet.repayAavePortal() can trigger an underflow of routerBalances
Lines of code Vulnerability details Impact The caller of repayAavePortal can trigger an underflow of routerBalances to arbitrarily increase the caller's balance. Proof of Concept // Relevant code sections: // PortalFacet.sol function repayAavePortal(address local, uint256 backingAmount, uint25...
Wrapped idiosyncratic (non-tradable) fCash can possibly not be unwrapped prior to maturity
Lines of code Vulnerability details What is idiosyncratic fCash? Markets may not always trade at the exact maturities of all fCash assets. fCash that does not fall on an exact maturity is called idiosyncratic fCash. To value these assets, Notional takes the linear interpolation of the rates of th...
Upgraded Q -> H from 63 [1655008454311]
Judge has assessed an item in Issue 63 as High risk. The relevant finding follows: Function CoreCollection:initialize can be executed by owner after initialisation and state variables like mintFee, maxSupply can be changed to increase/decrease fee and supply, isForSale can be set to false to stop...
Upgraded Q -> M from 95 [1654474439349]
Judge has assessed an item in Issue 95 as Medium risk. The relevant finding follows: Incompatibility with deflationary / fee-on-transfer tokens Function Cally.createVault takes a tokenIdOrAmount parameter, but this parameter is not the actual transferred amount for fee-on-transfer /...
Minter.sol#startInflation() can be bypassed
Lines of code Vulnerability details function startInflation() external override onlyGovernance { require(lastEvent == 0, "Inflation has already started."); lastEvent = block.timestamp; lastInflationDecay = block.timestamp; } As lastEvent and lastInflationDecay are not initialized in the constructor, they...
A malicious zone operator can piggyback other transactions, when a caller tries to fulfill the restricted order
Lines of code Vulnerability details If an order has a restricted order type and, if the caller is other than the offerer or zone, then a staticcall to isValidOrder on the zone is made. This call outside the Seaport contract opens up a possible misuse by the zone contract implementation. The zone...
There are multiple ways for admins/governance to rug users
Lines of code Vulnerability details Impact A malicious admin can steal user funds or lock their balances forever Even if the user is benevolent the fact that there is a rug vector available may negatively impact the protocol's reputation. Proof of Concept Unlike the original Convex code that goes...
Vote locking should block wrapper contracts
Lines of code Vulnerability details The reason that users are given boosted rewards for locking their governance tokens is that by making them illiquid for a set amount of time, the supply available to be sold is restricted, and users buying the token are more able to push the price up. Impact By...
RewardHandler.burnFees() will work only once and revert after that if burnedAmount is different.
Lines of code Vulnerability details Impact RewardHandler.burnFees will work only once and revert after that if burnedAmount is different. Proof of Concept OpenZeppelin’s safeApprove will revert if the account already is approved and the new safeApprove is done with a non-zero value. Tools Used...
Frontrunning Private Trades Vulnerability
Lines of code Vulnerability details Impact The inability to create private trades in the Seaport contract would affect users significantly. Users will be forced to create public trades that run the risk of being frontrun. Proof of Concept Today, all trades are private meant for specific offerer a...
Total Supply is not guaranteed and is not deterministic.
Lines of code Vulnerability details Impact The actual total supply of the token is random and depends on when executeInflationRateUpdate is executed. Proof of concept The README and tokenomic documentation clearly states that “The token supply is limited to a total of 268435456 tokens.”. However...
Pickle Investor Unable To Receive Rewards
Lines of code Vulnerability details Proof-of-Concept Pickle Investors (people who locked their PICKLE or deposited their pToken) will not be able to collect their rewards. Whenever a Pickle Investor calls the Booster.earmarkRewards function to claim their veAsset and extra rewards and disperse them to...
Governance can arbitrarily burn VeToken from any address
Lines of code Vulnerability details Impact Governance can burn any amount of VeToken from any address. Unlike VE3Token, which is minted when users deposit veAsset and burned when users withdraw, the burn function in the governance token VeToken.sol is unnecessary and opens up the risk of...
_aggregateValidFulfillmentConsiderationItems() can be tricked to accept invalid inputs
Lines of code Vulnerability details Impact The aggregateValidFulfillmentConsiderationItems function aims to revert on orders with zero value or where a total consideration amount overflows. Internally this is accomplished by having a temporary variable errorBuffer, accumulating issues found, and...
Missing inheritance makes fulfillBasicOrder() in Consideration.sol non-functional
Lines of code Vulnerability details Impact fulfillBasicOrder in Consideration.sol would not function properly since the call in line 83 - validateAndFulfillBasicOrder is not possible as there's no existing function for it due to a missing inheritance. Users will not be able to fulfill any Basic...
totalSupplyAtEpoch will revert
Lines of code Vulnerability details Impact The line for (uint256 i = epoch; i + 1 != 0; i--) relies on uint256 underflow and overflow, which would revert in solidity ^0.8.0 Proof of Concept function totalSupplyAtEpoch(uint256 epoch) external view returns (uint256 supply) { uint256 epochStart =...
DoS in FeeBurner due to address not matching interface.
Lines of code Vulnerability details Impact The if found in L60, address(token) == address(0), will never be executed, since when one goes through the tokens in the for loop this line is executed: IERC20 token = IERC20(tokens[i]); address(0) does not comply with the IERC20 interface, so it will always revert...
Rewards can be locked in the Bribe contract because distributing them depends on the base token reward amount, and Gauge.deliverBribes() is not always called by Voter.distribute()
Lines of code Vulnerability details Impact Voter.distribute calls Gauge.deliverBribes only if claimable[gauge] / DURATION > 0 is true, and claimable[gauge] holds the base token rewards for the gauge. Gauge.deliverBribes calls Bribe.deliverReward, which transfers the rewards to the Gauge. So for Bribe rewards to be...
User will get free funds
Lines of code Vulnerability details Impact If contract has an existing balance of WETH, ETH or targetUnderlying then user will get extra funds. Proof of Concept 1. Assume contract has existing amount 10 of targetUnderlying token 2. User calls burnToTarget function which converts all his passed...
Reentrancy attack
Lines of code Vulnerability details Impact High impact. A reentrancy attack may lead to loss of funds. Proof of Concept Reentrancy in RubiconMarket.matcho(uint256,ERC20,uint256,ERC20,uint256,bool) (contracts/RubiconMarket.sol#1049-1108): External calls: - buybestmakerid,minmpayamt,t...
DoS on deposit(), incrementLock() and createLock() because of a safeApprove(0)
Lines of code Vulnerability details Impact Since SafeERC20 is the one implemented by OpenZeppelin, if one checks the code at this address, you will see that safeApprove executes this validation: require(value == 0 || token.allowance(address(this), spender) == 0, "SafeERC20: approve from non-zero ...
BathPair.sol#rebalancePair() can be front run to steal the pending rebalancing amount
Lines of code Vulnerability details function underlyingBalance() public view returns (uint256) { uint256 pool = IERC20(underlyingToken).balanceOf(address(this)); return pool.add(outstandingAmount); } function removeFilledTradeAmount(uint256 amt) external onlyPair { outstandingAmount = outstandingAmount.sub(amt); emit...
AuraClaimZap's claimRewards can permanently freeze user Aura funds
Lines of code Vulnerability details If claimRewards is called with depositCvxMaxAmount > 0 and Options.LockCvx == false, up to depositCvxMaxAmount AURA tokens are pulled from the user, but never get staked. There looks to be no way to retrieve Aura tokens that ended up on the AuraClaimZap balance this...
CrvDepositor.sol Wrong implementation of the 2-week buffer for lock
Lines of code Vulnerability details uint256 unlockAt = block.timestamp + MAXTIME; uint256 unlockInWeeks = (unlockAt/WEEK)*WEEK; //increase time too if over 2 week buffer if(unlockInWeeks.sub(unlockTime) > 2) { IStaker(staker).increaseTime(unlockAt); unlockTime = unlockInWeeks; } In lockCurve, unlockInWeeks -...
TransmuterBuffer's setAlchemist will freeze deposited funds
Lines of code Vulnerability details Currently setAlchemist doesn't check whether there are any open positions left with the old Alchemist before switching to the new one. As this requires a number of checks, the probability of an operational mistake isn't low and it's prudent to introduce the main...
Withdrawing ETH collateral with max uint256 amount value reverts transaction
Lines of code Vulnerability details Impact Withdrawing ETH collateral via the withdrawCollateral function using type(uint256).max for the amount parameter reverts the transaction due to asset being the zero-address and IERC20Detailed(asset).decimals() not working for native ETH. Proof of Concept...
LidoVault: Premature return after sending ETH
Lines of code Vulnerability details Details & Impact The require check is performed after exiting the function, meaning that the ETH transfer’s validity check is skipped. This would thus cause invalid withdrawals to be erroneously processed as valid. Recommended Mitigation Steps Swap the require...
[WP-H12] Wrong implementation of ConvexCurveLPVault#withdrawOnLiquidation() may cause the positions collateralized with ConvexCurveLP to be unable to be liquidated, as withdrawOnLiquidation() will always fail
Lines of code Vulnerability details function withdraw(uint256 amount, address to) internal returns (uint256) { // Withdraw from Convex address baseRewardPool = getBaseRewardPool(); IConvexBaseRewardPool(baseRewardPool).withdrawAndUnwrap(amount, true); // Deliver Curve LP Token...
Overexert on-chain slippage/loss control may cause users' funds to be frozen in the contract
Lines of code Vulnerability details require(withdrawAmount >= amount.percentMul(9900), Errors.VTWITHDRAWAMOUNTMISMATCH); The GeneralVault.sol contract comes with an on-chain slippage/loss control to ensure the output amount is no more than 1% less than the requested amount. This can be a problem when the...
Reward Manager of the Convex Base Reward Pool Can DoS processYield()
Lines of code Vulnerability details Impact The ConvexCurveLPVault.sol contract allows users to earn a yield on curve token deposits. Rewards are paid out in native CRV and CVX tokens but the reward manager of the base pool may opt to add extra rewards. Because the reward manager has the ability t...
Fee can possibly be set maliciously
Lines of code Vulnerability details Fee is set by an admin and can be set maliciously to steal the funds that are entitled to go to the user. Impact Fee can be set to a maliciously high value to unfairly extract funds from protocol users. An owner can buy options, set fee to 100% and exercise...
EthAssetManager and ThreePoolAssetManager don't control Meta tokens decimals
Lines of code Vulnerability details Both contracts treat meta assets as if they have fixed decimals of 18. Minting logic breaks when it's not the case. However, meta tokens decimals aren't controlled. If actual meta assets have any other decimals, minting slippage control logic of both contracts...
missing input validation for _liquidityPool
189 comment Warden: kenta missing input validation for liquidityPool. The owner can always change liquidityPool, but this liquidityPool will be used to execute low-level calls. To avoid errors with an empty address this must always be checked. require(_liquidityPool != address(0), “liquidityPool canno...