10190 matches found
The _poolId and _id values are not within the expected range and not performing appropriate bounds checking in the VAULTPROXY contract
Lines of code Vulnerability details Impact When the poolId and id values are not within the expected range and appropriate bounds checking is not performed in the contract, it can result in high risk and vulnerabilities. Here are some potential risks and vulnerabilities that can arise: 1. Invalid...
Unauthorized Access and Control in Proxy Contract
Lines of code Vulnerability details Summary: The code contains a bug that can lead to unauthorized access and control over the contract. This bug allows any caller, even those who are not the owner or address0, to bypass the intended access control mechanisms and execute arbitrary code on the...
Problem with ValidatorStatus.INITIALIZED
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. The default value for Enums in solidity are always the first parameters in them. In the ValidatorStatus Enum however, INITIALIZED is the first value and therefore the default value of the ValidatorStatu...
Upgraded Q -> 2 from #240 [1686228552856]
Judge has assessed an item in Issue 240 as 2 risk. The relevant finding follows: L-02
Withdrawal with gas limit more than 28_750_517 can never be executed with CrossDomainMessenger
Lines of code Vulnerability details Impact Withdrawal with gas limit more than 28750517 can never be executed with CrossDomainMessenger. User that will initiate such withdrawal will lose his funds and will not be able to execute the withdrawal, because of reaching maximum block gas limit. Proof ...
Borrower can block being defaulted or auctioned
Lines of code Vulnerability details Borrower can block being defaulted or auctioned The borrower can potentially block the liquidation and auction processes by using a contract and reverting on ETH transfers. Impact When a loan is being liquidated or auctioned, any credit still available to the...
withdrawNftWithInterest() possible take away other Lien's NFT
Lines of code Vulnerability details Impact Possible take away other Lien's NFT Proof of Concept withdrawNftWithInterest Used to retrieve NFT The only current restriction is that if you can transfer out of NFT, it means an inactive loan function withdrawNftWithInterestLien calldata lien, uint256...
NFT withdrawal grief
Lines of code Vulnerability details Impact A lienee whose NFT is not currently on loan may be prevented from withdrawing it. Proof of Concept A lienee who wishes to withdraw his NFT calls withdrawNftWithInterest which tries to IERC721.safeTransferFrom the NFT, which therefore reverts if the NFT i...
Host can bypass reentrancy guard in rageQuit()
Lines of code Vulnerability details Impact Host can bypass reentrancy guard in rageQuit. Proof of Concept In PartyGovernanceNFT.rageQuit there is a reentrancy guard: // Check if ragequit is allowed. uint40 currentRageQuitTimestamp = rageQuitTimestamp; if currentRageQuitTimestamp !=...
Upgraded Q -> 2 from #11 [1685422294441]
Judge has assessed an item in Issue 11 as 2 risk. The relevant finding follows: L-03:getReward It is recommended to add balance0 before executing transfer getReward will do a transfer on rewaredsToken Since the rewards are from convex, we can't be sure what kind of token it is. we can't be sure...
Requirement for having timelocks on recovery transactions is not enforceable
Lines of code Vulnerability details Impact When calling the following AmbireAccount.execute function with sigMode being SIGMODERECOVER, a recovery transaction can be scheduled if requireprivilegessignerKeyToRecover == recoveryInfoHash, 'RECOVERYNOTAUTHORIZED' and requireisIn,...
test with new label
Lines of code L1 Vulnerability details test Assessed type CanAuto
[M-01] Access control in *payParams* function
Lines of code Vulnerability details Impact Anyone can call this function and change mutex parameters. In this case we have a potential risk that malicious user can try to send several transactions: one from terminal and parallel one from other address and try front-run them to play for example wi...
Missing "if (beneficiaryTokenCount < _minReturnedTokens) revert INADEQUATE_TOKEN_COUNT();" check in the _mint() function of the JBXBuybackDelegate.sol + DoS for the pay() function in the JBPayoutRedemptionPaymentTerminal3_1.sol (or the JBETHPaymentTerminal3_1.sol)
Lines of code Vulnerability details Impact The issue contains 2 parts: 1. The mint function has the "if beneficiaryTokenCount minReturnedTokens revert INADEQUATETOKENCOUNT;" check missing. This check is used to identify whether the beneficiaryTokenCount amount is greater than or equal to the...
Delegate doesn't verify paid ETH value matches amount in parameter
Lines of code Vulnerability details Delegate doesn't verify paid ETH value matches amount in parameter The JBXBuybackDelegate delegate fails to check that the sent ETH amount matches the value passed in the amount parameter. Impact The payable didPay function present in the delegate is called by...
JBXBuybackDelegate.didPay() allows for positive slippage theft
Lines of code Vulnerability details Impact The JBXBuybackDelegate.didPay calls swap which utilizes the Uniswap's swap function. JBXBuybackDelegate incorporates a negative slippage check in uniswapV3SwapCallback. However, it fails to consider the deadline parameter of the transaction. The deadline...
If, as a result of the calculation, _tokenCount = 0, then this may lead to incorrect execution of the _mint function(_data, _tokenCount).
Lines of code Vulnerability details Impact If the payParams function receives null values in data, then uint256 tokenCount = PRBMath.mulDivdata.amount.value, data.weight, 10 18 may result in a null value. Proof of Concept If, as a result of the calculation, tokenCount = 0, then this may lead to...
If the controller for _data.projectId is not defined, it can lead to incorrect execution of _swap() and theft of funds by the beneficiary.
Lines of code Vulnerability details Impact If the controller is not defined in the swap function, then it becomes impossible to mint and burn tokens, which leads to incorrect execution of the function. IJBController controller = IJBControllerjbxTerminal.directory.controllerOfdata.projectId; Proof...
Verify the correspondence between trading pairs and pools
Lines of code Vulnerability details Impact It may cause the correct ProjectToken to be locked, and transfer the wrong ProjectToken to the beneficiary. Proof of Concept Add test USDC after line 78 in the test file. IERC20 usdc = IERC200xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48; Modify line 142...
Upgraded Q -> 2 from #597 [1684599709636]
Judge has assessed an item in Issue 597 as 2 risk. The relevant finding follows: L9
Inadequate checks for comptroller in PoolRegistry#addMarket allows malicious comptrollers to be added
Lines of code Vulnerability details Impact Malicious comptrollers will be available in the protocol Proof of Concept The addMarket function only checks that the input.comptroller is not the 0 address, but does not check if the comptroller was actually created by the PoolRegistry contract. A...
Potential Division by Zero in utilizationRate method
Lines of code Vulnerability details Impact In the case where cash + borrows - reserves equals 0, the function would try to divide by zero which will result in a runtime error. Proof of Concept An attacker might manipulate the state of the contract to where cash + borrows - reserves equals zero...
Unfair handling of rewards for users with a high amount of rewards
Lines of code Vulnerability details Users can claim their rewards in RewardDistributor.claimRewardToken. The reward handling part is done in grantRewardToken: 416: function grantRewardTokenaddress user, uint256 amount internal returns uint256 417: uint256 rewardTokenRemaining =...
PLACEBID() IN SHORTFALL.SOL MAY LEAD TO DENIAL OF SERVICE AND FRONT RUNNING ATTACKS
Lines of code Vulnerability details Impact The Shortfall.placeBid function in the Venus protocol exhibits potential vulnerabilities that may lead to denial-of-service DoS and front-running attacks. A malicious actor could exploit these vulnerabilities to disrupt the auction process, manipulate...
Precision differences when calculating the _startAuction of funds accumulated in RiskFund
Lines of code Vulnerability details Impact When calculating startAuction uint256 usdValue in RiskFund, Auction state divides the value of each market in the vToken list in token list precision. This skew is fine for most tokens but will cause problems with certain token pairs. Proof of Concept Wh...
Incorrect slippage check in the AMO2.rebalanceUp can be attacked by MEV
Lines of code Vulnerability details Impact The AMO2.rebalanceUp uses AMO2.bestRebalanceUpQuote function to avoid MEV attack when removing liquidity with only one coin. But the bestRebalanceUpQuote does not calculate the slippage correctly in this case, which is vulnerable to be attacked by MEV...
stakedBalance() The wrong number of balance may be returned
Lines of code Vulnerability details Impact stakedBalance may return a wrong number, causing AMO.sol not to work properly Proof of Concept stakedBalance use for get the current staked balance of CVXStaker The code is as follows: function stakedBalance public view returns uint256 balance balance =...
Attacker can drain the token from the user's account
Lines of code Vulnerability details Impact There is a potential vulnerability if the increaseLPAllowance function is not implemented safely and allows for arbitrary increases to the token allowance. File: ajna-core/src/PositionManager.sol pool.increaseLPAllowanceowner,...
Treasury accounting miss voters rewards
Lines of code Vulnerability details treasury is overstated over time as each distribution period it adds back the delegate rewards part, which is actually spent on voters rewards. I.e. it is updated with fundsAvailable - totalTokensRequested difference, while totalTokensRequested is limited to 90...
stake() function: The provided stake function lacks checks to prevent a lender from staking multiple NFTs in the same Ajna pool. The function allows any owned position NFT to be staked without considering whether the lender has already staked in the pool. This potentially opens up the system to an abuse where a lender stakes multiple NFTs for the same liquidity position.
Lines of code Vulnerability details Impact The current stake function lacks checks to prevent a lender from staking multiple NFTs in the same Ajna pool. This could lead to an abuse of the system where a lender stakes multiple NFTs for the same liquidity position, potentially earning more rewards...
ExtraordinaryFunding may fail due to a decrease in the treasury funds due to a StandardFunding new distribution round
Lines of code Vulnerability details Impact Users could spend gas and possibly other off chain resources voting on an ExtraordinaryFunding proposal which would later revert when executing. Proof of Concept If an ExtraordinaryFunding proposal requests an amount of tokens between 48.5% and 50% of th...
unstake() function: The unstake function permits the unstaking of multiple position NFTs from the same liquidity pool (LP) by the same lender. This opens the possibility for a lender to claim more Ajna token rewards than they are entitled to by staking and unstaking multiple NFTs associated with the same LP.
Lines of code Vulnerability details Impact The absence of a mechanism to prevent a lender from unstaking multiple NFTs for the same liquidity pool LP could potentially lead to the exploitation of the Ajna token reward system. A lender can mint, stake, and unstake multiple NFTs for the same LP fro...
Extraordinary Funding proposal could be susceptible to back-run
Lines of code Vulnerability details Impact An extraordinary proposal can be proposed, voted on, and executed within a single transaction, in the same block. As a result, an attacker with enough voting power to meet the conditions on their own could back-run a transaction to steal funds from the...
Unchecked increment in calculateRewards function of RewardsManager.sol.
Lines of code Vulnerability details Impact In the calculateRewards function, there is an unchecked increment in the for loop, in the code it can allow an attacker to cause an integer overflow in the calculateRewards function by manipulating the loop variable, resulting in incorrect rewards...
Integer Overflow in ScreeningVote Function of StandardFunding.sol.
Lines of code Vulnerability details Impact In the screeningVote function of StandardFunding.sol contract, specifically in the line where the votes parameter is converted to a uint128 using the SafeCast.toUint128 function. The issue is that the votes parameter is not limited to 128 bits, which can...
Imprecise block calculation
Lines of code Vulnerability details Impact @dev Roughly equivalent to the number of blocks in 7 days. @dev Roughly equivalent to the number of blocks in 90 days. @dev Roughly equivalent to the number of blocks in 10 days. As described in the NatSpec comment above these are...
Mitigation Confirmed for Mitigation of M-05: See comments
Mitigated issue M-05: Missing derivative limit and deposit availability checks will revert the whole stake function The issue was that stake calls deposit on each derivative without considering certain conditions under which some deposit might revert. There is an overlap between this issue and...
Mitigation Confirmed for NEW
Note: Issue has not actually been resolved but for some reason I can't get my issues to submit without "Mitigation confirmed no new vulnerabilities detected" checked so I am doing this as a work around Severity Medium Lines of code Impact Contract still assumes 1:1 peg for stETH in WstETHwithdraw...
Mitigation of M-02: Issue perhaps NOT sufficiently mitigated
Mitigation of M-02: Issue perhaps NOT sufficiently mitigated Mitigated issue M-02: sFrxEth may revert on redeeming non-zero amount The issue was that SfrxEth.withdrawamount may revert when called in unstake, blocking unstaking, if amount is low most realistically if amount == 1. Mitigation review...
Rounding loss in and with approxPrice()
Rounding loss in and with approxPrice Description SafEth.approxPrice contains a rounding loss of the form a/k + b/k = ac/b. We would...
Integer Overflow Large numbers of strategies/deposits could overflow arrays stakerStrategyList
Lines of code Vulnerability details Impact Overflows of the staker StrategyList and StrategyShares arrays could allow an attacker to manipulate a staker's data by reusing keys. Once the arrays have wrapped around, depositing into a large number of strategies or requesting withdrawals for the same...
State variables are initialized in an upgradeable contract + there is constructor
Lines of code Vulnerability details Impact Due to a requirement of the proxy-based upgradeability system, no constructors can be used in upgradeable contracts. State variables are initialized in an upgradeable contract Proof of Concept See -upgradeableavoid-initial-values-in-field-declarations...
Manipulation Compromised proposal processing claimDelayedWithdrawals
Lines of code Vulnerability details Impact By exploiting legitimate users' access to claim delayed withdrawals, an attacker could potentially drain a sizable portion of the contract's funds before detection. Manipulative access to critical system functions poses a substantial financial risk. Proo...
Zero address pauser assignment
Lines of code Vulnerability details Impact By allowing any address to be assigned as the pauser, the StrategyBase contract leaves itself vulnerable to losing critical functionality that controls token transfers in and out. Assigning a zero address would result in no valid pauser, preventing the...
Staker can bypass the debt accrued via beaconChainETHSharesToDecrementOnWithdrawal by transferring shares to another address
Lines of code Vulnerability details Description When a staker is verified to have over-committed and the over-committed amount is greater than their outstanding shares, they accrue a debt that is captured by beaconChainETHSharesToDecrementOnWithdrawal. This debt eventually gets settled when the...
Overflow Excessive claims could overwhelm storage _userWithdrawals mapping
Lines of code Vulnerability details Impact By submitting an excessive number of claims through a compromised user, an attacker could theoretically overwhelm the storage used for mapping users to their delayed withdrawals. If critical data is overwritten, the contract would be rendered unusable...
Upgraded Q -> 2 from #225 [1683100933057]
Judge has assessed an item in Issue 225 as 2 risk. The relevant finding follows: uint256 exponent = baseToken == address0 ? 18 - 4 : ERC20baseToken.decimals - 4; will revert since ERC20baseToken.decimals - 4; causes an underflow
Upgraded Q -> 2 from #898 [1683143849953]
Judge has assessed an item in Issue 898 as 2 risk. The relevant finding follows: Royalty receiver will not get correct royalty as saleprice is not calculated properly uint256 salePrice = outputAmount / sellsi.tokenIds.length; Here the salesprice for an nft is calculated by using the above formula...
Upgraded Q -> 2 from #240 [1683052133668]
Judge has assessed an item in Issue 240 as 2 risk. The relevant finding follows: LOW‑11 tokenURI does not follow EIP-721 The EIP states that tokenURI "Throws if tokenId is not a valid NFT", which the code below does not do. If the NFT has not yet been minted, tokenURI should revert Proof Of Conce...
Upgraded Q -> 2 from #882 [1683052827510]
Judge has assessed an item in Issue 882 as 2 risk. The relevant finding follows: changeFeeQuote reverts for tokens with decimals less than 4