_sendNative in tapiocaz::Balancer::rebalance() not sending ETH can break service
Lines of code Vulnerability details Impact function sendNative address payable oft, uint256 amount, uint16 dstChainId, uint256 slippage private if addressthis.balance amount revert ExceedsBalance; routerETH.swapETH dstChainId, oft, //refund abi.encodePackedconnectedOFTsoftdstChainId.dstOft, amoun...
borrowInternal() of BaseTOFTMarketModule.sol has phantom permit functions
Lines of code Vulnerability details Impact A malicious actor could steal funds from a User who has already done his first deposit. Proof of Concept Consider the case where attacker uses a token with phantom permit function as collateral, the most famous ones being WETH, BNB, HEX etc. Let’s consid...
Permanent funds lock in StargateRewardableWrapper
Lines of code Vulnerability details Impact The staked funds might be locked because the deposit/withdraw/transfer logic reverts. Proof of Concept In StargateRewardableWrapper, claimAssetRewards claims the accumulated rewards from the staking contract and it's called during every...
Setting debtStartPoint > 0 breaks many BigBang actions
Lines of code Vulnerability details Impact If BigBang.debtStartPoint is set to a value > 0, many core features will break, e.g. deposits of collateral will be possible, but removal not, which would effectively lock collateral inside the contract. Proof of Concept BigBang.getDebtRate uses the variab...
Asset.lotPrice only uses oracleTimeout to determine if the price is stale.
Lines of code Vulnerability details Impact OracleTimeout is the number of seconds until an oracle value becomes invalid. It is set in the constructor of Asset. And Asset.lotPrice uses OracleTimeout to determine if the saved price is stale. However, OracleTimeout may not be the correct source to...
Incorrect liquidity calculations if snapshot errors occur
Lines of code Vulnerability details Impact incorrect liquidity values that undermine the risk checks and constraints of the protocol Proof of Concept getHypotheticalAccountLiquidityInternal does not handle snapshot errors properly. Specifically: It calls MToken.getAccountSnapshot to get the...
the getChainlinkPrice() function calling the latestRoundData without using the try/catch to avoid bad possible scenario
Lines of code Vulnerability details Impact Call to latestRoundData could potentially revert and make it impossible to query any prices. the getChainlinkPrice function should use try/catch to avoid the case of the getChainlinkPrice function revert and cause dos/block the system. Proof of Concept t...
Divide before multiply
Lines of code Vulnerability details Impact Solidity's integer division truncates. Thus, performing division before multiplication can lead to precision loss. Proof of Concept Tools Used Recommended Mitigation Steps Consider ordering multiplication before division. Assessed type Math
## [M-07] ERC20 return values not checked
Lines of code Vulnerability details Impact Tokens that don’t actually perform the transfer and return false are still counted as a correct transfer and the tokens remain in the SingleNativeTokenExitV2 contract and could potentially be stolen by someone else. Proof of Concept The ERC20.transfer an...
Signature malleability not protected against
Lines of code Vulnerability details Impact A signature should never be included into a signed message hash to check if previous messages have been processed by the contract. See reference: Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any othe...
[ H ] Infinite loop in calculateNewIndex prevents tokens from being minted and rewards from being distributed
Lines of code Vulnerability details Impact Recursive calls from calculateNewIndex in MultiRewardDistributor will result in an infinite loop and out of gas errors, preventing tokens from being minted and rewards being sent to some users as disburseSupplierRewardsInternal will not be called. Proof ...
Default Account fallback lack payable
Lines of code Vulnerability details Impact fallback lacks payable, will lead to differences from the mainnet, and many existing protocols may not work Proof of Concept DefaultAccount Defined as follows: DefaultAccount The implementation of the default account abstraction. This is the code that is...
Whitelisted profile creators could accidentally break migration for V1 profiles
Lines of code Vulnerability details Bug Description Profiles that exist before the V2 upgrade are migrated using the batchMigrateProfiles function, which works by minting the profile's handle and linking it to their profile: MigrationLib.solL69-L85 string memory handle =...
loss of user funds in ARCDVestingVault.sol
Lines of code Vulnerability details Impact In the contract ARCDVestingVault.sol the function delegate is used to delegate user votes to desired address but it fails to maintain the sanity check if the provided address is a zeroaddress or not function delegateaddress to external...
Time Manipulation attack on reliance on block.timestamp for time-sensitive operations.
Lines of code Vulnerability details Impact The block.timestamp allows a miner to call the mint function before the intended starting time mintingAllowedAfter which could lead to time manipulation. Contract name: ArcadeToken.sol Code link: Code line: function mintaddress to, uint256 amount externa...
Manager can delete any users voting power
Lines of code Vulnerability details Impact A manager can maliciously/accidentally remove all voting power for all users due to missing input validation when setting the multiplier value. By setting a value smaller than 1e3 it will result in all multiplier calculations rounding to 0, causing loss ...
It's possible to block some user from voting for (or against) some proposal
Lines of code Vulnerability details Note: Although some code involved is inside a contract which is out of scope, I argue that this finding is in scope, since the vulnerability exists in the in-scope contract. In the Arcade protocol, there are several voting vaults implemented so that users can u...
Not all profiles can be migrated to V2 profile
Lines of code Vulnerability details Impact There seem to be some differences in the validation logic that makes the V1 to V2 conversion for some profiles impossible. Proof of Concept // SPDX-License-Identifier: UNLICENCED pragma solidity =0.8.4; contract HandleMigration uint256 internal constant...
THIS IS A TEST
Lines of code L1 Vulnerability details TESTING REFACTOR Assessed type Context
Collateralization ratio manipulation can cause a denial of service
Lines of code Vulnerability details Impact Stablecoin redeeming and profit accruing in the SavingsVest contract can be blocked when the collateralization ratio has overflown. Proof of Concept The mitigation recommended in 31 and implemented by the sponsor in this commit doesn't resolve the root...
Unauthorized Contract Upgrade Vulnerability in Upgradable Contract
Lines of code Vulnerability details In the "upgrade" function, the contract allows the owner to upgrade the contract to a new implementation using the provided address and code hash. However, there is a flaw in the implementation that can allow an attacker to bypass the contract upgrade checks an...
All co-signers pay during executeMultisigProposal
Lines of code Vulnerability details Impact The executeMultisigProposal will receive payment from all cosigners when only one payment of nativeValue amount is required. Proof of Concept The executeMultisigProposal requires native payment and therefore requires the caller to pay an amount equivalen...
onlyProxy MODIFIER CAN BE BYPASSED BY A MALICIOUS PROXY CONTRACT AND CAN PUSH THE IMPLEMENTATION CONTRACT INTO AN UNDESIRABLE STATE
Lines of code Vulnerability details Impact The Upgradeable.onlyProxy modifier is used to ensure that a function can only be called by the proxy and can not be directly called in the Upgradeable.sol contract. The onlyProxy modifier implementation is as follows: modifier onlyProxy // Prevent setup...
Attacker can brick redemptions by donating a small amount
Lines of code Vulnerability details Impact While the fix properly fixes the issue of collateralization ratio overflows that can no longer occur, it enables DoS attacks on the redemption mechanism: Issue description Consider the example that was already provided code-423n4/2023-06-angle-findings9...
Sponsor function allows voiding someone else's chance to win
Lines of code Vulnerability details Impact Anyone can delegate someone else's balance to the sponsorship address, increasing their own likelihood of winning, while voiding the victim's chance. Proof of Concept The issue is in the call-chain starting with Vault.sponsor: //Vault function sponsoruint2...
Allowed calls in LSP6KeyManager doesn't allow calls with empty calldata
Lines of code Vulnerability details Bug Description Whenever a controller attempts to call a LSP0 account's execute function without the relevant SUPER permissions, LSP6ExecuteModule will check that the call is one of the whitelisted allowed calls. If the controller is trying to perform a call wi...
LSP8CompatibleERC721's approve() deviates from ERC-721 specification
Lines of code Vulnerability details Bug Description The LSP8CompatibleERC721 contract is a wrapper around LSP8 that is meant to function similarly to ERC-721 tokens. One of its implemented functions is ERC-721's approve: LSP8CompatibleERC721.solL155-L158 function approveaddress operator, uint256...
Depositors might lose funds due to the lack of zero share check
Lines of code Vulnerability details Impact Depositors might lose funds due to the lack of checking whether the shares to be minted is equal to zero. When this happens, the assets will be deposited into the vault, but the depositors will receive zero shares. This is independent from the initial...
Anyone can mint to themselves type(uint96).max if _isVaultCollateralized() returns true
Lines of code Vulnerability details Impact There is no check that ensures the caller to mint is a trusted one. Moreover, there is a flaw which lets anyone mint type(uint96).max number of shares Proof of Concept First, the mint function does not implement any check for the caller to be someone wi...
Malicious Yield Vault could deny Pool Together withdrawing assets
Lines of code Vulnerability details Impact Since vaults can be created by anyone as long as they provide an ERC-4626 compliant yield source, an attacker could set up a malicious ERC-4626 contract and set that as the yield source for a newly created Vault. The attacker could then have the maliciou...
user with ADDEXTENSIONS and CHANGEEXTENSIONS will remove extension unintentional
Lines of code Vulnerability details Summary Adding extension use 4 bytes function selector to add new extension, and if user with ADDEXTENSIONS permission also has CHANGEEXTENSIONS permission and wants to add new extension and there is an extension with that function selector, extension will be...
Users might lose their balances when they set delegates
Lines of code Vulnerability details Impact Undelegated users will lose their balances if they set delegate to themselves. Proof of Concept A User can set a delegate and the delegated balance of the user will be accounted on the delegate's delegated balance in the TWAB controller. The internal...
Using supportsERC165InterfaceUnchecked() might break LSP functionality for certain contracts
Lines of code Vulnerability details Bug Description Throughout the codebase, the protocol uses the supportsERC165InterfaceUnchecked function from Openzeppelin's ERC165Checker.sol to check for the support of ERC-165 interface IDs. However, supportsERC165InterfaceUnchecked only checks if the call t...
withdrawReserve will revert when withdrawing tokens with on chain tx fees
Lines of code Vulnerability details Impact Function will revert when reserve is equal to amount, when the token being transferred is a fee on transfer token. Proof of Concept function withdrawReserve address to, uint104 amount external onlyDrawManager function withdrawReserve address to, uint104...
Incorrect distribution of shares and liquidity as a result of total number of shares not equaling 100
Lines of code Vulnerability details Impact If the shares are not properly validated and do not add up to 100, there will be an imbalance in the distribution of funds resulting in loss of funds or locked funds that cannot be accessed or distributed correctly. Proof of Concept The constructor of th...
Attacker can force users to delegate to SPONSORSHIP_ADDRESS
Lines of code Vulnerability details Impact An attacker can change the delegatee of a user who deposited into the vault to the SPONSORSHIP_ADDRESS address by calling one of the functions sponsor or sponsorWithPermit and giving the address of the user as receiver. The impact of this issue is that th...
possible revert due to improper subtraction in _extendableMsgData() of LSP17Extension.sol
Lines of code Vulnerability details Impact in extendableMsgData of LSP17Extension.sol there is an arithmetic calculation msg.data:msg.data.length - 52; msg.data.length may be smaller than 52 in some instances. this can cause reverts in solidity Proof of Concept function extendableMsgData internal...
Vetoer has too huge privileges which allow to burn veto power and change his/her address
Lines of code Vulnerability details Impact Only a current user with veto power can either change vetoer or permanently destroy veto power forever. Since these functions are crucial for governance, they should also be called by admin. In the current scenario, vetoer has some higher privileges in...
initializer can be front run
Lines of code Vulnerability details Impact Initialize function has the potential of front running by a malicious actor. An attacker can front-run the deployer and take over the contract by setting itself as the owner in the NounsTokenFork.sol Contract. Taking ownership will result in passing valu...
The NounsDAOLogicV3.sol contract has a receive function but no withdraw function.
Lines of code Vulnerability details Impact All Ether sent to the NounsDAOLogicV3.sol will be locked in the contract because it implements a receive function without a withdraw function. Proof of Concept The NounsDAOLogicV3.sol contract implements the receive function but does not have a withdraw...
tx.origin may be removed in future and its usage is not recommended
Lines of code Vulnerability details Impact There is a chance that tx.origin will be removed from the Ethereum protocol in the future, so code that uses tx.origin must avoid using it. There are also some EIPs being proposed for change/remove of tx.origin. ethereum/EIPs637 In NounsDAOLogicV2.sol,...
Fork DAO quit do not filter token duplicates and allows for stealing of the whole ERC20 holdings of its treasury
Lines of code Vulnerability details quit doesn't check erc20TokensToInclude argument for repetitions i.e. token address duplications, only checking the existence of a token in erc20TokensToIncludeInQuit. Each time a token repeats the corresponding share of treasury holdings will be transferred to...
The 'Nouns Fork' is considered unfair towards contributors, given they are not awarded any new tokens.
Lines of code Vulnerability details Impact The 'Nouns Fork' is considered unfair towards contributors, given they are not awarded any new tokens. Proof of Concept The Nouns Fork mechanism allows members of the minority in the Nouns DAO to exit to a new forked Nouns DAO, but the current approach m...
DoS by cancelling newly created proposals
Lines of code Vulnerability details Impact Malicious user can cancel any freshly created proposal, thus making the governance not usable to anyone. Whenever new proposal is being created, a malicious actor can cancel it. Proof of Concept Function cancel is external, thus it can be called by anyon...
dynamicQuorumVotes calculation has accuracy error resulting in the less required quorum
Lines of code Vulnerability details Impact dynamicQuorumVotes is divided by totalSupply, multiplied by quorumCoefficient, divided by 1e6 and then multiplied by totalSupply. There are precision errors in division before multiply. For quorumAdjustmentBPS, the division precision error is 1 and...
Lack of check for zero address in the function _transferOwnership before transferring ownership
Lines of code Vulnerability details Impact The absence of a check for the zero address address(0) when transferring ownership can lead to unintended consequences and potential fund loss. If the contract allows transferring ownership to the zero address address(0), it effectively means relinquishing...
Upgraded Q -> 2 from #835 [1689085140858]
Judge has assessed an item in Issue 835 as 2 risk. The relevant finding follows: L-02
Funds added to reserves through sync are accidentally transferred out to users
Lines of code Vulnerability details Impact Wells have the ability to shift funds to other Wells as part of gas-efficient multi-pool swaps. This natspec explanation of this can be found here. The sync function is intended to synchronize the underlying token amounts with the token reserves of the...
bad actor can increase gas usage in swapfrom function
Lines of code Vulnerability details Impact bad actor can increase gas in swapfrom function because every time calling swapfrom function it store new unit and every time runs the loop for length of it Proof of Concept the swapfrom function includes function setReservesIERC20 memory tokens, uint256...
Wherever possible, _safeMint() should be used rather than _mint()
Lines of code Vulnerability details Impact mint is not recommended in favour of safeMint, which guarantees that the recipient is either an EOA. Proof of Concept, , Tools Used Vscode use safeMint instead of mint. Assessed type Upgradable