10190 matches found
Reward and base token decimals difference isn't accounted for in LiquidityFarming
Lines of code Vulnerability details Impact Reward and base token decimals can differ, while this difference isn't accounted for in the reward amount calculations, which will lead to either missing rewards or sending the whole rewards balance to the first eligible user. For example: If reward is...
[WP-H14] LiquidityProviders.sol The share price of the LP can be manipulated and making future liquidityProviders unable to removeLiquidity()
Lines of code Vulnerability details function removeLiquidityuint256 nftId, uint256 amount external nonReentrant onlyValidLpTokennftId, msgSender whenNotPaused address tokenAddress, uint256 nftSuppliedLiquidity, uint256 totalNFTShares = lpToken.tokenMetadatanftId;...
[WP-H8] Wrong formula for the fee to be added to the incentivePool
Lines of code Vulnerability details The protocol takes part of the fees to incentivize liquidity, which is recorded as incentivePooltokenAddress on LiquidityPool.sol. However, the formula used to calculate the updated amount of incentivePooltokenAddress in the current implementation is wrong...
A supported token can be unsupported and liquidity provider won't be able to withdraw their funds
Lines of code Vulnerability details Impact Liquidity provider will be unable to withdraw tokens that were previously supported Proof of Concept In liquidityProviders.sol users can provide liquidity only in supported tokens. This is checked when the user provides liquidity and checked again when h...
Executors can steal funds meant to be sent to users
Lines of code Vulnerability details Impact The executor can provide any value it wants as the tokenGasPrice when it calls sendFundsToUser since it is not included in the hash checks. The executor can set the value to be exactly the number that will take all of the funds the user is requesting...
FUNCTION SETBASEGAS LACKS BOUNDS CHECK AND EVENT EMIT AFFECTS TRANSFER
Lines of code Vulnerability details Impact Executors can, unintentionally, send a huge amount of ETH Proof of Concept The function setBaseGasuint128 gasLiquidityPool.sol should have bounds like MAXBASEGAS. Even worse, this function lacks an event emit. As a result, executors can call sendFundsToUs...
DDOS - csanuragjain
Duplicate of 119
Too many amms - omik
Duplicate of 97
There is a possibility of Token transfer getting stuck when using Erc1155BatchMessage
Lines of code Vulnerability details Impact In the event of user error while making the calldata for encodeTransferErc1155BatchMessage, where the size of the arrays of ids and amounts do not match, the message will get encoded due to no input validation, however the transfer will fail at the other...
Not compatible with Rebasing/Deflationary/Inflationary tokens
Lines of code Vulnerability details Proof of Concept The DepositBoxERC20 contract does not appear to support rebasing/deflationary/inflationary tokens whose balance changes during transfers or over time. The necessary checks include at least verifying the amount of tokens transferred to contracts...
NFT Creators Can Avoid Paying The Primary Foundation Fee
Lines of code Vulnerability details Impact The primary foundation fee is charged on the initial sale of newly minted NFTs. However, the isCreator && !nftContractToTokenIdToFirstSaleCompletednftContracttokenId check can easily be bypassed to avoid paying the primary foundation fee by selling the...
transferredAmount on mainnet can be drained if a malicious account can mint more tokens on Schain
Lines of code Vulnerability details Impact Anyone on Schain that is able to mint more tokens, other than the mint action from postMessage in tokenManagerERC20 by bridging tokens over, can potentially drain the locked tokens in transferredAmount in depositBoxERC20 on mainnet by calling exit with t...
Centralisation Risk: Admin Role of TokenManagerEth can Rug Pull All Eth from the Bridge
Lines of code Vulnerability details Impact There is a Centralisation risk of the bridge where the DEFAULTADMINROLE of TokenManagerEth.sol is able to modify the ERC20 token on the SChain to any arbitrary address. This would allow the admin role to change the address to one where they have infinite...
_autoAcceptOffer doesn't check if caller of setBuyPrice owns the NFT
Lines of code Vulnerability details Impact An attacker can create an offer then auto accept that offer for an NFT they don't own. This can happen for any NFT that the contract is approved for, or any NFT left in escrow with no active limitations Proof of concept Alice has an NFT that they either...
Foundation Treasury initialize() function can be called by an attacker first
Lines of code Vulnerability details Impact In FoundationTreasury.sol the initialize function can only be called once setting the admin and operator roles which are used in other contracts. The problem is that this initialize function is not called in any deployment script which means an attacker...
Missing Slippage Checks on ClearingHouse._liquidateMaker()
Lines of code Vulnerability details Impact The liquidateMaker function makes a call to AMM.removeLiquidity but does not provide suitable values for minQuote and minBase. As per the @todo, this call is prone to sandwich attacks, resulting in potentially fewer tokens for the maker. Proof of Concept...
Denial of service
Lines of code Vulnerability details processWithdrawals can process a limited amount in each call. An attacker can push to withdrawals an enormous amount of withdrawals with amount = 0. In order to stop the DoS attack and process the withdrawal, the governance needs to spend as much gas as the attacker...
[WP-M6] Chainlink's latestRoundData might return stale results
Lines of code Vulnerability details function getUnderlyingPriceaddress underlying virtual external view returnsint256 answer if stablePriceunderlying != 0 return stablePriceunderlying; ,answer,,, = AggregatorV3InterfacechainLinkAggregatorMapunderlying.latestRoundData; answer /= 100; uint80 round,...
Functions getLatestRoundData and getRoundData do not check that the price returned from a chainlink aggregator is != 0 (Oracle.sol)
Lines of code Vulnerability details Impact The getLatestRoundData function in the contract Oracle.sol fetches the latestPrice directly from a Chainlink aggregator using the latestRoundData function. While latestPrice is checked for 0 and staleness, there is no check if the value is != 0. This cou...
[WP-H4] The collateral assets impounded with settleBadDebt() will be frozen in the insuranceFund contract
Lines of code Vulnerability details In MarginAccount.solsettleBadDebt, the collateral assets will be seized and transferred to the insuranceFund contract. However, there is no way for the liquidity providers of the insuranceFund to get back the collateral assets. In the current implementation,...
getFeePercentageForSafe may send lower fees
Lines of code Vulnerability details Impact May cause lower fees to be calculated Proof of Concept 1. customFeePercentageForSafe = 100 2. customFeePercentageForCollateral = 200 3. slurp gets call which calls getFeePercentageForSafe as part of its interest calculation 4. getFeePercentageForSafe wil...
TurboRouter: Dangerous PeripheryPayments Contract
Lines of code Vulnerability details Impact As an entry contract, the TurboRouter contract plays an important role in interacting with users. And the TurboRouter contract inherits from the PeripheryPayments contract. In the PeripheryPayments contract, anyone can use the tokens and ETH in the...
totalAssets() can overflow leading to the incorrect pricing of assets
Lines of code Vulnerability details The TurboSafe's totalAssets function is used by ERC4626.previewDeposit, ERC4626.previewMint, ERC4626.previewWithdraw, and ERC4626.previewRedeem. These preview functions are called directly by the non-preview versions and therefore if totalAssets has the wrong...
non erc20 token might revert when calling emergencyWithdrawERC20()
Lines of code Vulnerability details Impact when there is an emergency situation, the admin can call emergencyWithdrawERC20 to save the funds, however due to mismatch between non erc20 token like USDT and openzeppelin IERC20 where the open zeppelin IERC20 is expecting a return on the transfer...
onSafeSlurp() can be called by anyone on TurboMaster.sol
Lines of code Vulnerability details Impact In TurboMaster.sol the onSafeSlurp function can be called directly by anyone while the logic implies that it should only be called by the slurp function on the TurboSafe.sol contract which performs the required calculations beforehand. When onSafeSlurp i...
Turbo Safe's can be created with malicious tokens
Lines of code Vulnerability details Impact In TurboMaster.sol the createSafe function is called when the user calls a function with the same name in the TurboRouter.sol file. It then creates a new Turbo Safe with an arbitrary token supplied by the user. Since there is no whitelist of acceptable...
admin can rug pull
Lines of code Vulnerability details In the links I provided, the admin can steal all user funds. this can cause reputation risk.
[WP-M1] Inappropriate handling of referralFee makes collecting Mirror fails without error when referrerProfileId is burned
Lines of code Vulnerability details In the current implementation, even when the profile's owner burnt the ProfileNFT, as the profile's legacy, the publications can still be collected. However, if the publication is a Mirror and there is a referralFee set by the original publication, the user won...
NestedFactory.addOperator/removeOperator have no effect until importOperators
Lines of code Vulnerability details Impact addOperator/removeOperator being run alone don't have any effect, as the cache is used in operations, which is only updated when an implementation is added or removed via importOperators. If an operation is added via addOperator, but importOperators isn'...
Repeated Calls to Shelter.withdraw Can Drain All Funds in Shelter
Lines of code Vulnerability details Impact tl;dr Anyone who can call withdraw to withdraw their own funds can call it repeatedly to withdraw the funds of others. withdraw should only succeed if the user hasn't withdrawn the token already. The shelter can be used for users to withdraw funds in the...
Repeated withdrawals from Shelter
Lines of code Vulnerability details Impact function withdraw in Shelter sets claimed flag: claimedtokento = true; but it never actually checks if the user has already claimed, so users can invoke the withdrawal function multiple times and claim more rewards than were entitled. Recommended...
Possible rug #3
Lines of code Vulnerability details Impact Tokens can be consumed by the contract and sent to the saleRecipient address without any guarantee that sale tokens will ever be deposited in the sale contract. The sold tokens are only required in the finalize function, which clearly does not provide an...
No guarantee sale organizer will fulfil their end of the deal
Lines of code Vulnerability details Impact Sale participants will only be able to claim their CTDL tokens once the sale is finalized. However, there is no guarantee that it ever will be, because: Sale finalisation can only be performed by the owner The owner is able to change the sale parameters...
Lack of access control on assertGovernanceApproved can cause funds to be locked
Handle shw Vulnerability details Impact Lack of access control on the assertGovernanceApproved function of FlashGovernanceArbiter allows anyone to lock other users' funds in the contract as long as the users have approved the contract to transfer flashGovernanceConfig.amount of...
FarmingPools.sol Some users may not be able to get back their funds for tokens with tax on transfer
Handle WatchPug Vulnerability details Per the doc: Token with tax and rewards should accounted correctly and share with all holder accordingly. In the current implementation of FarmingPools.solstake, it assumes that the received amount is the same as the transfer amount, and recording it to...
Drain of funds by reentrancy in OpenLevV1.addMarket
Handle 0x1f8b Vulnerability details Impact It's possible to create a market, create trades, create a new market with different values, and preserve the previous trades pointing to the new tokens. Proof of Concept The method addMarket inside the contract OpenLevV1Lib increase the marketId numPairs...
Use of deprecated Chainlink function latestAnswer
Handle WatchPug Vulnerability details According to Chainlink's documentation, the latestAnswer function is deprecated. This function does not revert if no answer has been reached but returns 0, causing an incorrect price fed to the EIP1271Wallet. See: code-423n4/2021-07-wildcredit-findings75...
Lack of access control in the parameterize function of proposal contracts
Handle shw Vulnerability details Impact Most of the proposal contracts have a parameterize function for setting the proposal parameters, and these functions are protected only by the notCurrent modifier. When the proposal is proposed through a lodgeProposal transaction, an attacker can front-run...
Slippage protection
Handle pauliax Vulnerability details Impact Consider adding a configurable slippage parameter here to prevent users suffering from sandwich bots: minAmountsOut0 = 0; minAmountsOut1 = 0; IVault.ExitPoolRequest ... minAmountsOut and used in both sNOTE and TreasuryManager contracts:...
Oracle data feed is insufficiently validated.
Handle throttle Vulnerability details Impact Price can be stale and can lead to wrong quoteAmount return value Proof of Concept Oracle data feed is insufficiently validated. There is no check for stale price and round completeness. Price can be stale and can lead to wrong quoteAmount return value...
admin is not set in any function
Handle rfa Vulnerability details Impact All functions that need to validate msg.sender == admin cannot be run. BscDexAggregator.sol Proof of Concept BscDexAggregator.sol is the child contract of Adminable.sol. Some functions in it need to validate that msg.sender is admin. There is no function that...
Cooldown and redeem windows can be rendered useless.
Handle ShippooorDAO Vulnerability details Impact Cooldown and redeem windows can be rendered useless. Proof of Concept Given an account that has not staked sNOTE. Account calls sNOTE.startCooldown Account waits for the duration of the cooldown period. Redeem period starts. Account can then deposi...
addVault and removeVault lack validation of caller address
Handle cccz Vulnerability details Impact The addVault and removeVault functions of the ConvexYieldWrapper contract lack validation of the caller address, allowing anyone to add or remove vaults from other addresses function addVaultbytes12 vaultId external address account =...
LaunchEvent's createPair can be caused to always revert
Handle UncleGrandpa925 Vulnerability details Impact This issue impacts all LaunchEvent, forcing the issuer to write additional contracts to be able to createPair in LaunchEvent else it will always revert. Issue & Proof of Concept In LaunchEvent.sol, the function createPair is supposed to be calle...
Users' tokens can be stuck inside LaunchEvent if the token doesn't revert on failed transfers
Handle UncleGrandpa925 Vulnerability details Impact Users' tokens can be stuck inside LaunchEvent if the token doesn't revert on failed transfers. Issue When users call withdrawIncentives, if for any reasons the token transfer fails & the token doesn't revert but only returns a boolean, the user'...
Anyone can withdraw others
Handle mics Vulnerability details Anyone can withdraw users' shares. Although we think that they are sent to the right address, it is still 1 not the desired behavior 2 can be dangerous if the receiver is a smart contract 3 the receiver may not know someone withdraw him XOLE.withdrawReward...
Reentrancy in withdrawGovernanceAsset
Handle 0x1f8b Vulnerability details Impact The method withdrawGovernanceAsset is vulnerable to reentrancy attacks. Proof of Concept The method FlashGovernanceArbiter.withdrawGovernanceAsset is vulnerable to reentrancy attacks because the flag stored in pendingFlashDecision is deleted AFTER...
Attacker can collect all positive rebase from the poll
Handle gzeon Vulnerability details Impact The concept of ElasticSwap is not to change relative price upon positive rebase event. However, this allow an attacker to sandwich a known positive rebase event for profit. Proof of Concept 1. Assuming we have pool with 10000 base and 10000 quote token 2...
calculateLiquidityTokenFees returns zero fee
Handle sirhashalot Vulnerability details Impact The MathLib.sol calculateLiquidityTokenFees function returns a non-zero fee quantity only if rootK rootKLast. The rootK and rootKLast values are calculated from the same values, so this will never occur. This will result in the DAO never receiving a...
Denial-of-service condition: emergency shutdown after pair creation loses contract funds
Handle static Vulnerability details Impact If the owner of the contract set specifically the Factory owner, executes allowEmergencyWithdraw after the pair is created, then the withdraw functions including the emergencyWithdraw will not function and the funds including the liquidity tokens, will b...