Unsafe casts to uint120
Handle pauliax Vulnerability details Impact contract IndexPool does unsafe casts to uint120, e.g.: uint120 ratio = uint120divtoMint, totalSupply; It trusts the input from the user and converts without assurance that the value will fit in this narrow type. Depending on the pool state and parameter...
IndexPool.sol#_pow() Wrong implementation
Handle WatchPug Vulnerability details function powuint256 a, uint256 n internal pure returns uint256 output output = n % 2 != 0 ? a : BASE; for n /= 2; n != 0; n /= 2 a = a a; if n % 2 != 0 output = output a; 1. a a without div by BASE will accumulate decimals unexpectedly and leads to overflow...
onlyOwner Role Can Manipulate Price Oracle
Handle leastwood Vulnerability details Impact The V2 LendingController.sol contract incorporates a custom oracle used to fetch the relevant price feeds for token pairs. The onlyOwner role is controlled by a modified timelock contract callable only from a single externally owned account. This role...
bondBurn() Leads to Unrecoverable Tokens
Handle leastwood Vulnerability details Impact An auction bonder has a single day's worth of blocks to call settleAuction and perform the necessary rebalance. In the event this does not happen, any user is able to call bondBurn and have the bond burnt in its entirety. As a result, the basketTokens...
Incorrect data location specifier can be abused to cause DoS and fund loss
Handle 0xRajeev Vulnerability details Impact The withdrawBounty loops through the bounties array looking for active bounties and transferring amounts from active ones. However, the data location specifier used for bounty is memory which makes a copy of the bounties array member instead of a...
Auction.sol#settleAuction() Mishandling bounty state could potentially disrupt settleAuction()
Handle WatchPug Vulnerability details function withdrawBountyuint256 memory bountyIds internal // withdraw bounties for uint256 i = 0; i bountyIds.length; i++ Bounty memory bounty = bountiesbountyIdsi; requirebounty.active; IERC20bounty.token.transfermsg.sender, bounty.amount; bounty.active =...
Carefully add tokens to the list that the protocol uses
Handle tensors Vulnerability details Impact As of right now I believe the only outside tokens the protocol uses are DAI, USDC, USDT and WETH. If other tokens are added, make sure to check that they have no callbacks on transfer. For example, CREAM protocol added the AMP token which has a callback...
Anyone can call harvestNextStrategy with a very low amount of _estimated tokens
Handle tensors Vulnerability details Impact The amounts estimatedWETH and estimatedYAXIS are lower bounds that the protocol expects to receive. An attacker can call harvestNextStrategyvault, 1, 1 after manipulating the pools called in harvest and swap. The protocol sees nothing wrong with only...
PostAuctionLauncher can be manipulated by a caller other than the owner
Handle tensors Vulnerability details Impact A comment in the code asks whether it is safe to allow anyone to call PostAuctionLauncher, finalize. In the case that an attacker can get even a few wei of the auction token, it is not safe. Suppose an attacker somehow gets a small amount of the auction...
An attacker can steal funds from multi-token vaults
Handle WatchPug Vulnerability details The total balance should NOT be simply added from different tokens' tokenAmounts, considering that the price of tokens may not be the same. function balanceOfThis public view returns uint256 balance address memory tokens = manager.getTokensaddressthis; for...
Missing check for duplicate token in addToken
Handle 0xRajeev Vulnerability details Impact addToken does not check whether the token being added is a duplicate of one that was already added. If a duplicate token is added, removeToken only removes the first matching token and the later duplicates still remain. With the vaulttoken deleted, this may lead to...
Vault may not have enough tokens for withdraw
Handle 0xRajeev Vulnerability details Impact There is an assumption in LegacyController.vault that the vault will have enough tokens0 to cover the balance difference. If not, the user may receive less than amount requested and balance funds get lost/locked unless the vault withdraws from the...
convert fails for fee-on-transfer tokens
Handle 0xsanson Vulnerability details Impact The Controller contract can call converter.convert inside earn and withdraw functions, after transferring amount of tokens to the Converter contract. This contract assumes that it has received exactly amount tokens, however this isn't true for...
harvestNextStrategy never executes because lastCalled is 0 and stays 0
Handle gpersoon Vulnerability details Impact The function harvestNextStrategy of Harvester.sol checks canHarvest to make sure it can harvest. Initially strategy.lastCalled will be 0, so canHarvest will return false. Thus the require in harvestNextStrategy fails, and it never reaches the point where...
Arithmetic Error - manualRebalance function has multiple arithmetic bugs
Handle tabish Vulnerability details In short, there are 2 errors in the manualRebalance function: a ratio currentLockRatio has been compared to a balance newLockRatio, and at another point in the same function subtracted from it. 1 Expanding on the first one - checking newLockRatio Solution: Instead the if...
Missing validation on latestRoundData
Handle adelamo Vulnerability details On ExchangeRate.sol, we are using latestRoundData, but there are no validations that the data is not stale. The current code is: / uint80 /, rate, / uint256 /, / uint256 /, / uint80 / = AggregatorV2V3InterfacerateOracle.latestRoundData; requirerate 0,...
Freeze The Bridge Via Large ERC20 Names/Symbols/Denoms
Handle nascent Vulnerability details Ethereum Oracles watch for events on the Gravity.sol contract on the Ethereum blockchain. This is performed in the checkforevents function, ran in the ethoraclemainloop. In this function, there is the following code snippet: let erc20deployed = web3...
Crash Eth Oracle On Any LogicCallEvent
Handle nascent Vulnerability details Severity: Medium Likelihood: High In ethoraclemainloop, getlastcheckedblock is called. Followed by: let logiccallexecutedevents = web3 .checkforevents endsearch.clone, Somecurrentblock.clone, vec!gravitycontractaddress, vec!LOGICCALLEVENTSIG, .await; and may h...
Can't call external functions internally
Handle tensors Vulnerability details Impact Within GovernerAlpha.sol, certain functions are locked because of the improper modifier. addressthis cannot call external functions in lines L470-497. Proof of Concept Recommended Mitigation Steps Change external to internal.
Exchange rates from Compound are assumed with 18 decimals
Handle shw Vulnerability details Impact The CTokenMultiOracle contract assumes the exchange rates borrowing rate of Compound always have 18 decimals, which, however, is not true. According to the Compound documentation, the exchange rate returned from the exchangeRateCurrent function is...
TimeLock cannot schedule the same calls multiple times
Handle cmichel Vulnerability details The TimeLock.schedule function reverts if the same targets and data fields are used as the txHash will be the same. This means one cannot schedule the same transactions multiple times. Impact Imagine the delay is set to 30 days, but a contractor needs to be pa...
Use safeTransfer instead of transfer
Handle shw Vulnerability details Impact Tokens not compliant with the ERC20 specification could return false from the approve call to indicate the approval fails, while the calling contract would not notice the failure if the return value is not checked. Proof of Concept Referenced code:...
initialMarket always initialize the latest market
Handle jonah1005 Vulnerability details Impact In longshort contract's initializeMarket, while it should initialize according to the parameter marketIndex, it initializes latestMarket. This would break two markets, the market of marketIndex and the latest market. Users' funds would get stuck at the...
OracleManagerFlippening_V0 wrong decimals
Handle cmichel Vulnerability details The OracleManagerFlippeningV0.updatePrice function states that it wants to return the eth dominance as a percentage where 100% = 1e20. It's unclear why there is a division by 1e10 to compute the bitcoin market cap: uint256btcPrice btcSupply 1e10 Impact The pri...
Potential underflow on userAmountStaked[token][msg.sender] in _withdraw
Handle 0xImpostor Vulnerability details Impact Underflowing userAmountStakedtokenmsg.sender once will let me exploit the entire token balance in the Staker contract. This can only be exploited if marketUnstakeFeee18 is ≥ 50%. Proof of Concept 1. Admin sets marketUnstakeFeee18 for this marketIndex...
getUsersConfirmedButNotSettledSynthBalance is potentially calculated wrongly
Handle 0xImpostor Vulnerability details Impact Incorrect tabulation of getUsersConfirmedButNotSettledSynthBalance will lead to the wrong balances returning. Fortunately, there are no important functions that are dependent on balanceOf so the impact of this erroneous calculation is limited. Tools...
Inconsistent balance when supplying transfer-on-fee or deflationary tokens
Handle shw Vulnerability details Impact The supplyTokenTo function of SwappableYieldSource assumes that amount of depositToken is transferred to itself after calling the safeTransferFrom function and thus it supplies amount of token to the yield source. However, this may not be true if the...
Deposits don't work with fee-on transfer tokens
Handle cmichel Vulnerability details There are ERC20 tokens that may make certain customizations to their ERC20 contracts. One type of these tokens is deflationary tokens that charge a certain fee for every transfer or transferFrom. Others are rebasing tokens that increase in value over time like...
Transfer-on-fee/deflationary tokens are not correctly accounted for
Handle shw Vulnerability details Impact When a user stakes or a protocol deposits a transfer-on-fee/deflationary token, the solution does not correctly handle the received amount, which could be less than what is accounted for. Proof of Concept Referenced code: PoolOpen.solL36-L38...
[Gov.sol] Ignoring the return value of function _token.approve(...)
Handle eriksal1217 Vulnerability details Impact Medium Risk vulnerability - This does not immediately affect the contract, tokens, or funds associated but could have negative effects in regards to how the contract behaves when executing this functionality. Proof of Concept According to Slither...
Flash loan manipulation on getPoolShareWeight of Utils
Handle shw Vulnerability details Impact The getPoolShareWeight function returns a user's pool share weight by calculating how many SPARTAN the user's LP tokens account for. However, this approach is vulnerable to flash loan manipulation since an attacker can swap a large number of TOKEN to SPARTA...
Missing input validation in realise()
Handle 0xsanson Vulnerability details Impact In synth.sol, the function realisepool can be called using any existing pool as input. From my understanding, it's supposed that pool and synth must have the same underlying token. With the current implementation a user can call various synth contract...
Missing slippage checks
Handle cmichel Vulnerability details The Router and Pool do not implement any slippage checks by comparing the swap / liquidity results with a minimum swap / liquidity value. Impact Users can be frontrun and receive a worse price than expected when they initially submitted the transaction...
SynthVault withdraw forfeits rewards
Handle cmichel Vulnerability details Vulnerability Details The SynthVault.withdraw function does not claim the user's rewards. It decreases the user's weight and therefore they are forfeiting their accumulated rewards. The synthReward variable in processWithdraw is also never used - it was probab...
Unused/Incorrect onlyDAO modifier could be an indication of missing access control
Handle 0xRajeev Vulnerability details Impact Unused/incorrect access control modifier is typically an indication of missing critical authorization checks. The onlyDAO modifier used in various protocol contracts is present in Synth.sol but unused in any of the contract functions and is also...
No ERC20 safe* versions called
Handle cmichel Vulnerability details Some tokens like USDT don't correctly implement the EIP20 standard and their transfer/transferFrom function return void instead of a success boolean. Calling these functions with the correct EIP20 function signatures will always revert. This is generally not a...
Router.removeLiquidityExact(uint256,address) has unchecked transfers
Handle heiho1 Vulnerability details Impact Router.removeLiquidityExactuint256,address line 114 does not check the boolean return of a token transfer. This is a brittle implementation because it relies on the boolean return value being hard-coded to true. Tokens may not revert in case of failure a...
Router.zapLiquidity(uint256,address,address) has unchecked transfers
Handle heiho1 Vulnerability details Impact Router.zapLiquidityuint256,address,address has unchecked transfers on lines 65, 67 and 69. Several tokens do not revert in case of failure and return false. If one of these tokens is used in Router, deposit will not revert if the transfer fails, and an...
Unused return value from transfer()
Handle JMukesh Vulnerability details Impact It is usually good to add a require-statement that checks the return value or to use something like safeTransfer; unless one is sure the given token reverts in case of a failure. Proof of Concept Tools Used manual review Recommended Mitigation Steps che...
LendingPair.liquidateAccount fails if tokens are lent out
Handle cmichel Vulnerability details The LendingPair.liquidateAccount function tries to pay out underlying supply tokens to the liquidator using safeTransferIERC20supplyToken, msg.sender, supplyOutput but there's no reason why there should be enough supplyOutput amount in the contract, the contra...
Signatures use only tx ID instead of entire digest
Handle 0xRajeev Vulnerability details Impact The signature check in recoverFulfillSignature only uses transaction ID along with the relayer fee which can be accidentally reused by the user, in which case the older signatures with the older relayer fees can be replayed. The signature should be on...
Expired transfers will lock user funds on the sending chain
Handle 0xRajeev Vulnerability details Impact The cancelling relayer is being paid in receivingAssetId on the sendingChain instead of in sendingAssetID. If the user relies on a relayer to cancel transactions and that receivingAssetId asset does not exist on the sending chain assuming only...
addLiquidity can be denied
Handle cmichel Vulnerability details Vulnerability Details The addLiquidity function can be called by anyone to transfer funds from the router address specified as a function argument. These funds must be approved first by the router prior to calling this function. There are different griefing...
No support for token with decimals > 18
Handle s1m0 Vulnerability details Impact The smart contract doesn't behave correctly if deployed with a token that has decimals > 18. Proof of Concept The functions tokenToWad and wadToToken revert if the tokenDecimals is > 18. These functions are called in critical places like deposit and withdraw...
Wrong trading pricing calculations
Handle 0xsanson Vulnerability details Impact In the Pricing contract, an agent can manipulate the trading prices by spamming a high amount of trades. Indeed an agent can create a high amount of orders at an arbitrary price and with a near-zero amount, so the agent doesn't even need large funds;...
erc20 transfers do not check the return value
Handle pauliax Vulnerability details Impact When transferring erc20 tokens, functions transfer and transferFrom are used. These functions return a boolean to indicate if the action was successful; however, none of the usages check the returned value: collateralToken.transferFrommsg.sender,...
SafeMath not completely used in yield source contracts
Handle shw Vulnerability details Impact SafeMath is not completely used at the following lines of yield source contracts, which could potentially cause arithmetic underflow and overflow: 1. line 78 in SushiYieldSource 2. line 67 in BadgerYieldSource 3. line 91 and 98 in IdleYieldSource Proof of...
Return values of ERC20 transfer and transferFrom are unchecked
Handle shw Vulnerability details Impact In the contracts BadgerYieldSource and SushiYieldSource, the return values of ERC20 transfer and transferFrom are not checked to be true, which could be false if the transferred tokens are not ERC20-compliant e.g., BADGER. In that case, the transfer fails...
Using transferFrom on ERC721 tokens
Handle shw Vulnerability details Impact In the function awardExternalERC721 of contract PrizePool, when awarding external ERC721 tokens to the winners, the transferFrom keyword is used instead of safeTransferFrom. If any winner is a contract and is not aware of incoming ERC721 tokens, the sent...
Lack of input validation on onlyOwner critical parameters
Handle 0xRajeev Vulnerability details Impact The owner (potentially untrustworthy/malicious) of the prize pool is allowed to set a liquidation cap for guarded launch and the credit rate and limit parameters which affect the crucial fairness of the pool. However, there is no input validation on thes...