_processRefund() fails to update currentRedeemAmount when epochToService == currentEpoch
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. _processRefund fails to update currentRedeemAmount when epochToService == currentEpoch. As a result, currentRedeemAmount will contain the portion that has already been refunded, an incorrect number. Proof ...
Upgradeable
Lines of code Vulnerability details Impact Since the contract OndoPriceOracle.sol is a critical contract it should have room to be upgraded, either using the library @openzeppelin/contracts-upgradeable or leaving a storage gap. An example of this would be to add this line: uint256[50] private __gap; Proof...
Upgraded G -> 3 from #90 [1673938387276]
Judge has assessed an item in Issue 90 as 3 risk. The relevant finding follows: fenkge;gk
Theft of funds under relaying the transaction
Lines of code Vulnerability details Description The execTransaction function is designed to accept a relayed transaction with a transaction cost refund. At the beginning of the function, the startGas value is calculated as the amount of gas that the relayer will approximately spend on the...
Replay attack on different batchId
Lines of code Vulnerability details Description The execTransaction function includes an input parameter called batchId that is used to determine the nonce which is included in the data signed by the owner. However, batchId is not part of the signed data. This allows any third party to replay a...
Attacker can gain control of counterfactual wallet
Lines of code Vulnerability details A counterfactual wallet can be used by pre-generating its address using the SmartAccountFactory.getAddressForCounterfactualWallet function. This address can then be securely used for example, sending funds to this address knowing in advance that the user will...
The owner's address is not declared as payable
Lines of code Vulnerability details Impact If someone sends ether to the contract, it would be highly possible that the ether could be locked forever or never withdrawn by its intended recipientOwner Proof of Concept Tools Used Manual Recommended Mitigation Steps Add "payable" keyword to the owne...
Upgraded Q -> M from #187 [1673006043496]
Judge has assessed an item in Issue 187 as M risk. The relevant finding follows: L-02 EthereumToArbitrumRelayer.processCalls does not check msg.sender is a contract The Arbitrum relay processCalls is intended to be called by EOA, as specified in the docs: Arbitrum requires an EOA to submit a brid...
TokenggAVAX.sol : First depositor can break minting of shares
Lines of code Vulnerability details Impact A well known attack vector for almost all shares based liquidity pool contracts, where an early user can manipulate the price per share and profit from late users' deposits because of the precision loss caused by the rather large value of price per share...
JIT(JUST-IN TIME) LIQUIDITY OPPORTUNITIES EXISTS FOR USERS
Lines of code Vulnerability details Impact The MEV opportunity created robs the honest users who deposit before the start of a reward cycle. Leading to loss of rewards for said users. Proof of Concept A user deposits AVAX into tokenggAVAX.sol and in return gets an lp token to represent their...
Borrowers don't need to run the risk of being liquidated
Lines of code Vulnerability details Impact Borrowers are able to borrow Papr, swap it for another asset in Uniswap without ever having to pay their debt because they can remove their collateral without paying their debt. Ultimately leading to free assets at the cost of others. Proof of Concept As...
There is no way to extract fees when someones wants to reduce a debt by paying with underlying tokens
Lines of code Vulnerability details Impact When a user is buying the debt of an account or its own debt, it either has the choice to use the reduceDebt function in order to pay with PAPR tokens, or to pay in underlying tokens (which can be USDC, WETH, ...). A protocol that would choose to...
Oracle may return a stale price that is not resistant to flash crashes
Lines of code Vulnerability details Impact Oracle may return a stale price in the event of a flash crash which will affect protocol calculation of maxDebt and affect protocol. Proof of Concept Protocol uses the time weighted average pricing of 30 days to check the price of the NFT. uint256 consta...
User can send a proposal and instantly take back their collateral, keeping the proposal active without risking any Raes amount.
Lines of code Vulnerability details Description In OptimisticListingSeaport.sol, users call propose to set a new proposal. The pendingBalance is updated immediately for the calling proposer: // Sets collateral amount to pending balances for withdrawal pendingBalances[vault][proposedListing.proposer] ...
Incorrect rounding in buyQuote
Lines of code Vulnerability details The function buyQuote present in the Pair contract is used to calculate the amount of base tokens required to buy a given amount of fractional tokens. function buyQuote(uint256 outputAmount) public view returns (uint256) { return (outputAmount * 1000 * baseTokenReserves()) /...
Attacker can make group pay for tokenID that is not intended.
Lines of code Vulnerability details Description purchase in GroupBuy.sol executes the purchase call for the group. There are two possibilities for which tokenIDs can be bought in GroupBuy: 1. If the group is for a specific NFT, the tokenID is the value in pool.merkleRoot variable. 2. If the group...
User will often overpay when adding liquidity
Lines of code Vulnerability details Impact One of the assets (either baseTokens or fractionalTokens) will likely be overpaid when the user calls Pair.add to add liquidity. Proof of Concept The Pair.add function takes baseTokenAmount, fractionalTokenAmount and minLpTokenAmount as inputs. The first two...
(*POTENTIAL DUPLICATE) unwrap function can be exploited to exchange lower priced NFT's for higher priced counterparts
Lines of code Vulnerability details POTENTIAL DUPLICATE - Submitted earlier but haven't received an email confirmation. Hence resubmitting - please ignore if my earlier submission was already recorded Impact nftRemove function takes an array of tokenIds and LPTokens, releases the fractional NFT...
Stealing liquidity provider's fund by manipulating the reserve
Lines of code Vulnerability details Impact An attacker can steal liquidity providers' funds by manipulating the reserve. When adding liquidity, the amount of lpToken to be minted is calculated in the function addQuote. function addQuote(uint256 baseTokenAmount, uint256 fractionalTokenAmoun...
[NAZ-H1] Reentrancy From Use of _safeMint()
Lines of code Vulnerability details Impact The mint function is used to mint a new position NFT and is only callable by minter. This function uses safeMint to mint these position NFTs which has been known in the past to have Reentrancy issues. Proof of Concept The dangers of surprising code by...
Might lose manager forever
Lines of code Vulnerability details Impact If the project sets a new manager with a typo, it might lose the manager forever Proof of Concept function setManager(address _manager) public onlyOwner { manager = _manager; } https://twitter.com/realgmhacker/status/1603362870699429889?s=20&t=vm4wY1ITefLhCW8BDa0oig...
Wrong address input in BondNFT.createLock results in wrong _owner being saved in memory
Lines of code Vulnerability details Impact Wrong address input in createLock results in function failure of extendLock and claim. Proof of Concept When someone calls lock in Lock.sol, the function BondNFT.createLock is called. bondNFT.createLock(asset, amount, period, msg.sender);...
Extending period in Lock contract will block user funds
Lines of code Vulnerability details Impact Extending a lock will block users' funds. Contract: Lock.sol Proof of Concept Locking tokens with function lock... will update the mapping totalLocked for the given asset with the value of amount, here: totalLocked[asset] += amount. However, when extending a lock...
Malicious drawingToken can make bad actor claim the raffle NFT
Lines of code Vulnerability details Description Malicious drawingToken address passed into factory.makeNewDraw can claim the raffle NFT. It can be exploited via a social engineering attack or another scenario is that a malicious owner can pretend to make a raffle with a malicious drawingToken and...
Wrong calculation of MONTH_IN_SECONDS
Lines of code Vulnerability details Wrong calculation of MONTH_IN_SECONDS : line 33 on VRFNFTRandomDraw.sol is calculating 30 weeks of 7 days instead of 30 days. 30 weeks of 7 days = 3600 * 24 * 7 * 30. 30 days = 3600 * 24 * 30. so and won't work properly
Chainlink price feed is not sufficiently validated and can return stale price
Lines of code Vulnerability details Impact As mentioned by , "Prices provided by the oracle network are also compared to Chainlink's public price feeds for additional security. If prices have more than a 2% difference the transaction is reverted." The Chainlink price verification logic in the...
Minter privilege escalation vulnerability
Lines of code Vulnerability details Impact The contract owner could potentially abuse their privileges to manipulate the token supply and undermine the integrity of the token economy. Proof of Concept The 'setMinter' function in the contract allows the contract owner to set the minter status for...
Raffle is fair only if tokenRange is a power of 2.
Lines of code Vulnerability details Impact Based on the contract logic, the raffle works by sampling a value $x \in \mathbb{Z} \mid 0 \leq x < 2^{256}$ (aka uint256) from a uniform distribution provided by Chainlink VRF, then applying modulo tokenRange, generating a new value $y \in \mathbb{Z} \mid 0 \leq...
Storage collision in Collateral.sol
Lines of code Vulnerability details Collateral.sol is an upgradeable contract. Upgradeable contracts should not use the constructor to initialize variables, as these will be set in the contract storage of the implementation contract, instead of the intended contract storage ...
WithdrawHook doesn't check that userWithdrawLimitPerPeriod is less than globalWithdrawLimitPerPeriod
Lines of code Vulnerability details Impact WithdrawHook doesn't check that userWithdrawLimitPerPeriod is less than globalWithdrawLimitPerPeriod. It allows a user to withdraw more than globalWithdrawLimitPerPeriod per period. Proof of Concept Function WithdrawHook.hook should not allow withdrawing...
PrePOMarket.sol : a sender who is not included in the account list can front run and mint prior to setting the _mintHook
Lines of code Vulnerability details Impact a sender who is not included in the account list can front run and mint prior to setting the mintHook. Proof of Concept The contract says, Minting will only be done by the team, and thus relies on the mintHook to enforce access controls. This is also why...
MintHook doesn't allow users with NFT score requirement to mint
Lines of code Vulnerability details Impact The depositHook contract checks that users are allowed to deposit either if they are on the allow list or if they have the required NFT score: if (!accountList.isIncluded(sender)) require(satisfiesScoreRequirement(sender), "depositor not allowed"); However, once...
Pool._amountToBin() returns a wrong value when protocolFeeRatio = 100%.
Lines of code Vulnerability details Impact Pool._amountToBin returns a larger value than it should when protocolFeeRatio = 100%. As a result, bin balances might be calculated wrongly. Proof of Concept delta.deltaInBinInternal is used to update the bin balances like this. if (tokenAIn) binBalanceA +=...
Value can be extracted from LPs
Lines of code Vulnerability details Impact Maverick allows liquidity to be moved based on TWAP to increase capital efficiency. However, the increased capital efficiency is not free. Consider a "right" move: the LPs sell at a lower price and move their liquidity to a higher price, thus buying at a higher...
Loss of ETH for NFT buyers in LPDA contract
Lines of code Vulnerability details Impact The buy function of the LPDA sale contract can be invoked with 0 as the input value and 0 ETH as the sent value (msg.value = 0). The buy function automatically ends the sale when newId == sale.finalId and distributes ETH to feeReceiver and saleReceiver. Since t...
Decimals of the oracle is not checked
Lines of code Vulnerability details Impact The decimals of the Chainlink oracle are not checked; it is assumed to have the same unit as BASE_CURRENCY_UNIT but that might not always be the case. If the oracle uses a different number of decimals, all the prices will be wrong by orders of magnitude. Proof of Concept...
Anyone can prevent themselves from being liquidated as long as they hold one of the supported NFTs
Lines of code Vulnerability details Contrary to what the function comments say, removeFeeder is able to be called by anyone, not just the owner. By removing all feeders i.e. floor twap price oracle keepers, a malicious user can cause all queries for the price of NFTs reliant on the NFTFloorOracle...
MarketplaceLogic.sol doesn't support ERC20 Tokens with fee on transfer
Lines of code Vulnerability details MarketplaceLogic.sol doesn't support ERC20 Tokens with fee on transfer Summary There are ERC20 tokens that charge a fee on transfer. To check whether the transferred amount is the same as expected, code usually compares balanceOf before and balanceOf after the transfer...
There isn't an end time on FixedPrice and LPDA sales, and the sale can't be canceled after the sale start.
Lines of code Vulnerability details Impact The sale can't be canceled after the sale starts. Moreover, the sale won't end, which contradicts the fact that typical NFT sales nowadays have an end time. Even your OpenEdition has an end time. Proof of Concept struct Sale // slot 1 uint48 currentId;...
overflow in buy function
Lines of code Vulnerability details Impact The function doesn't check if the input is more than the supply Proof of Concept The function doesn't have any condition check on amount Tools Used Manually Recommended Mitigation Steps Check the input against the maximum or require it to be within the max supply
saleReceiver and feeReceiver can steal refunds after sale has ended
Lines of code Vulnerability details First, let's go over how a buy happens. A buyer can buy NFTs at a higher price and then once the auction ends they can use refund to return the overpayments. The effect is that they bought the NFTs at the lowest price (Lowest Price Dutch Auction). Now, let's move...
Oracle will become invalid much faster than intended on non-mainnet chains
Lines of code Vulnerability details Description NFTFloorOracle is in charge of answering price queries for ERC721 assets. The EXPIRATION_PERIOD constant is the max amount of blocks allowed to have passed for the reading to be considered up to date: uint256 diffBlock = currentBlock - priceInfo.updatedA...
Asset removal leaks previous asset prices which will be used again when asset is re-added.
Lines of code Vulnerability details Description NFTFloorOracle retrieves ERC721 prices for ParaSpace. Recordings of prices are managed in assetFeederMap, a mapping between address and FeederRegistrar: struct FeederRegistrar { // if asset registered or not bool registered; // index in asset list uint8...
Possible DoS On executeCalls() function
Lines of code Vulnerability details Impact The contract can be in a state of DoS as the function executeCalls would consume all the gas, since there is no upper limit on the number of calls that can be inside the array calls. Proof of Concept In the function here it performs a for loop and loops throu...
CrossChainExecutorPolygon does not implement the executeCalls function
Lines of code Vulnerability details Impact The CrossChainExecutor contracts in the codebase are meant to follow the CrossChainExecutor interface as defined in EIP-5164. Each L2 network specific CrossChainExecutor contract is also expected to inherit and follow the ICrossChainExecutor interface...
Missing msg.value when executing the cross-chain request
Lines of code Vulnerability details Impact The cross-chain request will not support smart contracts that require ETH payment on the destination chain on the execution side. Proof of Concept When a user or relayer calls and performs a cross-chain request, the executor needs to execute the request in the...
Fail to verify the result of a low level function call
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. It fails to check properly if the call is successful because: 1) It does not check the return data; 2) it does not check if the target address is a valid contract. A contract that has no code will still...
[ZZ-004] During the deprecation period where both .eth registrar controllers are active, a crafted hack can be launched and cause the same malicious consequences of [ZZ-001] even if [ZZ-001] is properly fixed
Severity: High Status: Has not been reported Description, Specifically, according to the documentation, there will be a deprecation period that two types of .eth registrar controllers are active. Names can be registered as normal using the current .eth registrar controller. However, the new .eth...
tokenID that is not minted will be stored into the feeRecipient storage
Lines of code Vulnerability details Impact In the original code, tokenID is incremented just after mint function is executed. Afterwards, tokenID is stored into the feeRecipient storage. As a result, tokenID that is not minted will be stored into the feeRecipient storage. Proof of Concept In the...
Add reward token existence check in order to avoid user reward lost.
Lines of code Vulnerability details Impact The user can lose his rewards if the reward token is removed from the producerTokens[producerToken].rewardTokens list. If the reward token is removed, the rewardTokens length is going to be zero, the user rewards are going to be zero and the for statement will...