[ H ] No Validation checks for "v" signature in castApprovalBySig

Lines of code Vulnerability details Impact V must correspond according to ECDSA principles values of either 27 or 28. Not checking this will result in an attacker crafting a malicious v value and bypassing any checks, withdrawing funds or accessing the function maliciously. Proof of Concept Craft...

Unsafe delegatecall functionality can break core protocol functionality

Lines of code Vulnerability details Impact There are multiple contracts which include delegatecall functionality, including the execute function of the LlamaAccount contract and the execute function of the LlamaExecutor contract. The issue is that there's no controls, other than the standard role...

Legacy version check should be removed to avoid double relaying message in CrossDomainMessager.sol

Lines of code Vulnerability details Impact Legacy version check should be removed to avoid double relaying message Proof of Concept In Optimism bedrock implementation, to handle the pre-bedrock migration, there is code check to make sure the transaction that finalized and relayed in pre-bedrock...

Tokens can be lost when trying to deposit in SDCaollateral.depositSDAsCollateral() or trying to withdraw SDCaollateral.withdraw()

Lines of code Vulnerability details Impact Some tokens do not return the success of the token submission. Because Since we don’t know for sure how the SD token is implemented, we need to take this into account. Proof of Concept A detailed example is listed in: Tools Used Manual audit Recommended...

The claim() function has a reentrancy vulnerability

Lines of code Vulnerability details Impact The claim function has a reentrancy vulnerability . In the function, the UtilLib.sendValue function is called before emitting the Claimed event. This violates the "check-effect-interaction" model, which is a best practice for secure smart contract...

Problem with Day values

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. In solidity, block.timestamp makes use of seconds in calculating time but in the highlighted codes, the stated period and their comments was miscalculated. 7200 was referred to as 24 hours and was used...

sell reward rTokens at low price because of skiping furnace.melt

Lines of code Vulnerability details Impact The reward rToken sent to RevenueTrader will be sold at a low price. RSR stakers will lose some of their profits. Proof of Concept RevenueTraderP1.manageToken function is used to launch auctions for any erc20 tokens sent to it. For the RevenueTrader of t...

EVENT EMITTED WITHOUT ACTION

Lines of code Vulnerability details Impact A malicious validator can remain in the system after exceeding it's exit penalty threshold. This poses a risk to users and a possible reputation risk to the protocol. Proof of Concept In the updateTotalPenaltyAmount... function, when the validators...

Anyone Can selfdestruct The VaultProxy Contract.

Lines of code Vulnerability details Vulnerability Details -Since the initialise function is missing initializer modifier as it's inteded to be not protected as per ETHx smart contract functions documentation , And Since VaultFactory contract doesn't initialize the VaultProxy upon its initializati...

Upgraded Q -> 2 from #240 [1686228552856]

Judge has assessed an item in Issue 240 as 2 risk. The relevant finding follows: L-02 --- The text was updated successfully, but these errors were encountered: All reactions...

Upgraded Q -> 2 from #23 [1686021624118]

Judge has assessed an item in Issue 23 as 2 risk. The relevant finding follows: rageQuit cannot transfer ERC1155 fungible tokens --- The text was updated successfully, but these errors were encountered: All reactions...

[M-01] Unprotected function in Constructor

Lines of code Vulnerability details Impact anyone can deploy the contract, potentially with malicious intent. Proof of Concept The constructor is not protected by any access control mechanism. Recommended Mitigation Steps Add access control to the constructor, such as an Ownable pattern, to ensur...

Upgraded Q -> 2 from #9 [1685982867794]

Judge has assessed an item in Issue 9 as 2 risk. The relevant finding follows: Users might lose funds after calling rageQuit by malicious frontrunners. --- The text was updated successfully, but these errors were encountered: All reactions...

[M-02] Not having Self-Destruct Functions

Lines of code Vulnerability details Impact The contract does not have a self-destruct function, making it impossible to remove the contract from the blockchain once it's deployed. Recommended Mitigation Steps add a self-destruct function with proper access control to allow the contract to be...

addCredit() impacts the price curve of loan auctions

Lines of code Vulnerability details Impact The price curve of a loan auction is supposed to depend only on block.timestamp, meaning that the price increases as time goes on. However, the addCredit function allows anyone to change or increase the value of lien.credit. If lien.credit is increased,...

Marketplace may call onERC721Received() and create a lien during buyNftFromMarket(), creating divergence

Lines of code Vulnerability details Impact The contract supports a "push-based" NFT supply, where the price and rate are embedded in the data bytes. This way, the lender doesn't need to additionally approve the NFT but can just transfer it directly to the contract. However, since the contract als...

NFT withdrawal grief

Lines of code Vulnerability details Impact A lienee whose NFT is not currently on loan may be prevented from withdrawing it. Proof of Concept A lienee who wishes to withdraw his NFT calls withdrawNftWithInterest which tries to IERC721.safeTransferFrom the NFT, which therefore reverts if the NFT i...

Borrower can block being defaulted or auctioned

Lines of code Vulnerability details Borrower can block being defaulted or auctioned The borrower can potentially block the liquidation and auction processed by using a contract and reverting on ETH transfers. Impact When a loan is being liquidated or auctioned, any credit still available to the...

Upgraded Q -> 2 from #11 [1685422294441]

Judge has assessed an item in Issue 11 as 2 risk. The relevant finding follows: L-03:getReward It is recommended to add balance0 before executing transfer getReward will do a transfer on rewaredsToken Since the rewards are from convex, we can't be sure what kind of token it is. we can't be sure...

Current design won't allow to update reference implementation without breaking counterfactuality

Lines of code Vulnerability details Current design won't allow to update reference implementation without breaking counterfactuality The current design of the Ambire wallet doesn't allow to update the reference implementation as doing so will break counterfactuality. Impact Ambire wallets are...

AmbireAccount implementation can be destroyed by privileges

Lines of code Vulnerability details AmbireAccount implementation can be destroyed by privileges The AmbireAccount implementation can be destroyed, resulting in the bricking of all associated wallets. Impact The AmbireAccount contract has a constructor that setups privileges, these are essentially...

It is possible that recovery transaction cannot be performed even if signer still controls address that is an address of recoveryInfo.keys

Lines of code Vulnerability details Impact When a signer's privileged address is compromised, this signer can call the following AmbireAccount.execute function with sigMode being SIGMODERECOVER by using a signature signed by an address of recoveryInfo.keys that is still controlled by such signer ...

Missing "if (beneficiaryTokenCount < _minReturnedTokens) revert INADEQUATE_TOKEN_COUNT();" check in the _mint() function of the JBXBuybackDelegate.sol + DoS for the pay() function in the JBPayoutRedemptionPaymentTerminal3_1.sol (or the JBETHPaymentTerminal3_1.sol)

Lines of code Vulnerability details Impact The issue contains 2 parts: 1. The mint function has the "if beneficiaryTokenCount minReturnedTokens revert INADEQUATETOKENCOUNT;" check missing. This check is used to identify whether the beneficiaryTokenCount amount is greater than or equal to the...

JBXBuybackDelegate.didPay() allows for positive slippage theft

Lines of code Vulnerability details Impact The JBXBuybackDelegate.didPay calls swap which utilizes the Uniswap's swap function. JBXBuybackDelegate incorporates a negative slippage check in uniswapV3SwapCallback. However, it fails to consider the deadline parameter of the transaction. The deadline...

TEST Med

Lines of code L1 Vulnerability details test medium Assessed type Access Control --- The text was updated successfully, but these errors were encountered: All reactions...

Invalid conversion uint256 -> int256

Lines of code Vulnerability details Impact Invalid conversion uint256 - int256 in pool.swap.... The number may be incorrectly converted uint256 data.amount.value - int256 amountSpecified. As a result, number truncation may occur. Proof of Concept typeuint256.max =...

Mutexes can be tampered with to increase gas costs

Lines of code Vulnerability details Impact An attacker can set mintedAmount and reservedRate to 0 which incurs greater gas fees when calling payParams. In the worst case this might cause the transaction to revert if the gas limit was tightly set to the expected gas cost. Proof of Concept...

didPay() front-running

Lines of code Vulnerability details Impact The minting flow of tokens in JBXBuybackDelegate is divided into separate external functions: payParams and didPay. The didPay function can only be called by jbxTerminal, while payParams can be called by anyone without restrictions. The payParams functio...

Delegate architecture forces users to set zero slippage

Lines of code Vulnerability details Delegate architecture forces users to set zero slippage The design of the delegate forces users to set a zero value for the minReturnedTokens parameter when calling pay in the terminal. Technical details In order to implement the swap functionality, the...

Amount of project token minted to beneficiary by JBXBuybackDelegate._mint function is not checked against an expected minimum number of project tokens to be minted to such beneficiary

Lines of code Vulnerability details Impact Calling the following JBPayoutRedemptionPaymentTerminal31.pay function executes fundingCycle, tokenCount, delegateAllocations, memo = store.recordPaymentFrompayer, bundledAmount, projectId, baseWeightCurrency, beneficiary, memo, metadata. File:...

Potential frozen projectTokens due to discrepancy in reservedRate

Lines of code Vulnerability details The handling of projectToken in swap follows 3 steps: Burn all the reserved token in the delegate 293: controller.burnTokensOf 294: holder: addressthis, 295: projectId: data.projectId, 296: tokenCount: reservedToken, 297: memo: "", 298: preferClaimedTokens: tru...

Contributors will be unable to fund a project if UNISWAP token swapping is recommended over minting in JBXBuybackDelegate data source

Lines of code Vulnerability details Impact A core function of the juice-buyback contract, which is to maximise the project tokens received by the contributor, won't work whenever a swap from Uniswap V3 pool provides more tokens over minting because the transaction will revert. This can cause the...

The return value of an external transfer call is not checked on the function uniswapV3SwapCallback in the contract named JBXBuybackDelegate

Lines of code Vulnerability details Impact Several tokens do not revert in case of failure and return false. If one of these tokens is used in MyBank, deposit will not revert if the transfer fails, and an attacker can call deposit for free...

Upgraded Q -> 2 from #597 [1684599598059]

Judge has assessed an item in Issue 597 as 2 risk. The relevant finding follows: L4 --- The text was updated successfully, but these errors were encountered: All reactions...

Unspent allowance may break functionality in AMO

Lines of code Vulnerability details Unspent allowance may break functionality in AMO An unspent allowance may cause a denial of service during the calls to safeApprove in the AMO contract. Impact The AMO contract uses the safeApprove function to grant the Curve pool permission to spend funds whil...

Wrong WhitePaperInterestRateModel block per year calculations incur losses for users and the protocol

Lines of code Vulnerability details Vulnerability Details Blocks per year calculations in WhitePaperInterestRateModel improperly assume 15 seconds block time, while on Binance Smart Chain it’s 3 seconds. This has grave consequences, because it is used in calculating borrower’s interest rate and...

totalBorrows inflates faster than the sum of each position's debt

Lines of code Vulnerability details Impact File: VToken.sol 678 function accrueInterest public virtual override returns uint256 --skip-- 710 Exp memory simpleInterestFactor = mulExp mantissa: borrowRateMantissa , blockDelta; 711 uint256 interestAccumulated = mulScalarTruncatesimpleInterestFactor,...

Borrowers can be liquidated before default by being based on the borrowBalance from other pools

Lines of code Vulnerability details Impact Borrower can be liquidated before default based on the borrowBalance from other pools. In the liquidity snapshot, borrows from other pools are added as total borrow but the collateral that is used which might not be used as collateral for the poolfor the...

Incorrect decimal handling in _startAuction, resulting in wrong auction.startBidBps

Lines of code Vulnerability details Shortfall.startAuction uses the oracle price of the underlying tokens to price the pool bad debt: Shortfall.sol 389: for uint256 i; i the price returned by priceOracle.getUnderlyingPrice has a number of decimals equal to 36 - vToken decimals. This means the...

Virgin stake can claim all drops

Lines of code Vulnerability details Impact If wxETH drips when nothing is staked, then the first staker can claim every drop. Proof of Concept Suppose drip is enabled when totalSupply == 0. At least one block passes and the first staker stakes, just 1 xETH is enough. This mints her 1 wxETH. This...

Incorrect calculation of the remaining updatedRewards leads to possible underflow error

Lines of code Vulnerability details Impact RewardsManage.sol keeps track of the total number of rewards collected per epoch for all pools: File: 2023-05-ajna\ajna-core\src\RewardsManager.sol 73: /// @dev epoch = rewards claimed mapping. 74: mappinguint256 = uint256 public override rewardsClaimed;...

Race condition vulnerability in positionManager minting function

Lines of code Vulnerability details Impact race condition vulnerability can result in the issuance of duplicate token IDs. When multiple transactions are executed in quick succession attempting to mint tokens, they may end up being assigned the same ID due to a shared counter or variable used to...

Lack of Access Control in GrantFund Smart Contract's fundTreasury Function

Lines of code Vulnerability details Impact The fundTreasury function in the GrantFund.sol contract allows anyone to add funds to the contract's treasury without any access control, which can lead to unauthorized access to the contract's funds. The problem with this function is that it doesn't hav...

unstake() function: The unstake function permits the unstaking of multiple position NFTs from the same liquidity pool (LP) by the same lender. This opens the possibility for a lender to claim more Ajna token rewards than they are entitled to by staking and unstaking multiple NFTs associated with the same LP.

Lines of code Vulnerability details Impact The absence of a mechanism to prevent a lender from unstaking multiple NFTs for the same liquidity pool LP could potentially lead to the exploitation of the Ajna token reward system. A lender can mint, stake, and unstake multiple NFTs for the same LP fro...

Lack of Access Control in claimRewards Function

Lines of code Vulnerability details Impact The calculateNewRewards function should also check whether the rewardsCapped variable is greater than the rewardsClaimedInEpoch variable to ensure that rewards are not claimed that exceed the reward cap, because an attacker could exploit this vulnerabili...

Integer Overflow/Underflow in function fundTreasury.

Lines of code Vulnerability details Impact fundTreasury function in the GrantFund.sol contract is vulnerable to integer overflow if the value of treasury variable is close to the maximum value of a uint256 integer, which is 2^256-1, and a large value of fundingAmount is added to it. It is possibl...

Risk of Gas Limit Exceedance During Proposal Sorting

Lines of code Vulnerability details Impact The array of up to 10 proposals using the insertion sort algorithm in insertionSortProposalsByVotes function in the StandardFunding.sol contract but, if the number of proposals exceeds 10, the sorting process may cause the function to exceed the block ga...

Use of msg.sender in mayInteract Modifier

Lines of code Vulnerability details Impact The use of msg.sender in the mayInteract modifier in the contract. I have identified a potential vulnerability in the use of msg.sender. In this case, the vulnerability is caused by using msg.sender to authorize interactions with the contract. Since...

Extraordinary proposal can become stuck

Lines of code Vulnerability details Since standard and extraordinary proposals use the same treasury funds accounting variables and extraordinary voting period is long enough 1 month, it is possible that extraordinary proposal that was valid and gained enough votes will end up frozen: it might no...

Standard voting favors proposals which ask for lower GBC

Lines of code Vulnerability details Impact Proposals which ask for higher % of the GBC have a serious disadvantage. Proof of Concept For simplicity, let's say there are only 3 projects in the screening stage. Project A asks for 90% GBC and projects B and C ask for 40% GBC each. Therefore, project...