10190 matches found
quorum and quota calculation logic is flawed
Lines of code Vulnerability details Impact quorum and quota calculation logic is flawed Proof of Concept votes to be valid, and if the poll passed or failed. At the time of writing, the QUORUM value is 33% of active stake, and the QUOTA is 50%, meaning that as long as 1/3rd of active stake votes...
[M-02] BondingVotes.getPastVotes(): User can easily manipulate voting power for round
Lines of code Vulnerability details Impact User can take a collateralized loan of LPT and bond for a single round to gain voting power for a single round and vote on proposals. This is because when voting, only the single round is checked when retrieving the voting power via...
EIP-2938 Breaks Whitelist Logic
Lines of code Vulnerability details Impact Unauthorized contracts can bypass whitelistedContractsmsg.sender due to EIP-2938. Proof of Concept In the function isEligibleSender it checks if msg.sender != tx.origin... but when EIP-2938 a.k.a Account Abstraction is fully implemented it will be possib...
Malicious users can manipulate the withdrawRound to withdraw their stake before the unbonding period is over.
Lines of code Vulnerability details Impact Disruption of the normal bonding incentives and mechanisms in the protocol. Validators or transcoders could withdraw unexpectedly, preventing governance responses to bonded token changes. Proof of Concept The withdrawStake function first checks if the...
DoS sending WETH from RdpxV2Core to PerpetualAtlanticVault via provideFunding()
Lines of code Vulnerability details Impact The amount of reserveAssetreservesIndex"WETH".tokenBalance can be set to 0, by first calling addToDelegate with the current value of reserveAssetreservesIndex"WETH".tokenBalance, then calling withdraw to withdraw all the deposited weth and then calling...
Upgraded Q -> 2 from #112 [1693761181150]
Judge has assessed an item in Issue 112 as 2 risk. The relevant finding follows: If a profile gets blocked, the user can refollow by accepting a pre-upgrade followNFT and then using the batchMigrateFollows function.
Lack of balance checks in the depositGivenInputAmount function
Lines of code Vulnerability details Impact Lack of balance checks in the depositGivenInputAmount function can lead to various unpredictable consequences due to the breach of requirement "The pool's ratio of y to x must be within the interval MINM, MAXM". Proof of Concept The depositGivenInputAmou...
Lack of Deadline Protection in Key Functions Poses Potential Exploits
Lines of code Vulnerability details Impact The absence of a deadline parameter in key function calls within the EvolvingProteus contract poses a significant vulnerability. Transactions that stay pending in the mempool due to outdated slippage could be executed at a much later time than initially...
The code uses block.timestamp for calculating the duration of the curve evolution which can be manipulated by miners
Lines of code L72 Vulnerability details Impact block.timestamp is used to set the initial time tinit and the final time tfinal for the curve's evolution - the duration over which these prices change tinit, tfinal. The potential issue here is that block.timestamp can be manipulated by miners to a...
Validating input parameters with the max value of uint
Lines of code Vulnerability details Impact Validating input values with uint256.max will not revert in any condition as solidity v0.8.0 reverts on overflow and underflow. Detailed description of the impact of this finding. Due to solidity v0.8.0 which reverts on overflow and underflow of integer...
Liquidity concentration rate is reduced by the use of timestamp instead of block number
Lines of code Vulnerability details Impact Liquidity concentration rate is reduced by the use of timestamp instead of block number Proof of Concept The document states that This primitive can passively update liquidity concentration over time. You can think of it like a hybrid between a Balancer...
Auctions run at significantly different speeds for different prize tiers
Lines of code Vulnerability details Comments The V5 implementation delegates the task of claiming prizes to a network of claimers. The fees received by a claimer are calculated based on a dutch auction and limited based on the prize size of the highest tier the smallest prize. As a result, it is...
Double voting in GaugeController
Lines of code Vulnerability details Impact Voting with the same collateral multiple times by delegating and undelegating, a process that could manipulatively influence/increase the weight of a particular lending market where the malicious actor is the major Liquidity provider. Proof of Concept The...
createLock, increaseAmount int128(int256(_value)) unsafe downcast can lead to asset loss
Lines of code Vulnerability details Impact Suppose users deposit more than typeint128.max value through createLock and increaseAmount, they may get less voting power and can't get the assets back. Proof of Concept The VotingEscrow.sol is forked from FIATDAO, but it seems don't consider a MEDIUM...
setFullWeightDuration() can be called while a member election is ongoing
Lines of code Vulnerability details Bug Description In SecurityCouncilMemberElectionGovernorCountingUpgradeable, fullWeightDuration which is the duration where a user's votes has weight 1 can be set using setFullWeightDuration: SecurityCouncilMemberElectionGovernorCountingUpgradeable.solL77-L84...
GaugeController - Vulnerability with changing gauge weight would make the contract stop working
Lines of code Vulnerability details Impact The issue is applied differently based on how changegaugeweight works. 1. When changing gauge weight is essential for every enabled gauge before any vote happens An attacker can front-run changegaugeweight transaction to manipulate slope which can result...
Lock owner DOS and funds stuck
Lines of code Vulnerability details Impact The lock's owner will no longer have the ability to use the delegate function. Meaning the person he chose to delegate can withdraw his funds when lock expires, but won't be able to. Proof of Concept Lets imagine 3 users with a Lock each: If user 1...
Vote tokens of voters are not returned.
Lines of code Vulnerability details Impact In the docs and twitter spaces, it was mentioned that the voting tokens will be given back to the voters after the Election has ended. But no logic is implemented anywhere in the repo. This can cause voters to lose their valuable voting tokens which can...
currentCohort FUNCTION SHOULD REVERT WHEN electionCount == 0 RATHER THAN RETURNING Cohort.FIRST
Lines of code Vulnerability details Impact In the SecurityCouncilNomineeElectionGovernor.currentCohort function is used to retrieve the current Cohort of the contract. For a cohort to be elected the election should be created with the respective proposal Id. But with in the function scope of...
Vulnerability: Setting the userClaimedEpoch to a wrong Epoch / Contract: LendingLedger / Function: claim
Lines of code Vulnerability details Impact The userClaimedEpoch is set to a different epoch week more than the actual epoch of the claim. Proof of Concept In the function to claim the canto for a market, the claiming can only be made for a prior epoch and the function does it in that way, but...
Failed transfer with low level call could be overlooked
Lines of code Vulnerability details Impact In LendingLedger.sol and votingEscrow.sol, low level call made using the call, According to the Solidity docs, "The low-level functions call, delegatecall and staticcall return true as their first return value if the account called is non-existent, as pa...
Any of the role setter, nominee Vetter should not be a council (cohort) member.
Lines of code Vulnerability details Impact The privileged cohort member/council member can influence the member addition, removal, rotating the nominee and excluding the nominee. The function of election can be rigged, arbitrary proposals can be passed. This is easy by the council member who has...
SecurityCouncilMemberSyncAction : perform function can be continually DOSed which will prevent the valid update the members of the gnosis safe
Lines of code Vulnerability details Impact The securityCouncil update will be prevented by continuously calling the perform function. Since the function rely on the nonce value, this function can be continuously called and nonce value is updated. This would prevent the valid security council upda...
_removeMemberFromCohortArray FUNCTION REDUCES THE cohort ARRAY LENGTH BY ONE THUS DoS THE addMember FUNCTIONALITY
Lines of code Vulnerability details Impact The SecurityCouncilManager.removeMemberFromCohortArray function is used to remove a member from a specific cohort. The function will replace the removing member with the last element of the cohort array and will pop the last element of the array as shown...
_computeRewardFraction logic looks susceptible to manipulation around the edges.
Lines of code Vulnerability details Impact if auctionElapsedTime is 0, it returns the full reward fraction Proof of Concept The RewardLib.fractionalReward calculates the reward fraction linearly based on the elapsed time. When auctionElapsedTime is 0, fractionalReward will return 1 full rewards...
The system is subjected to Cross-Contract Reentrancy due to Insufficient validation for tokens, source and liquidity Pairs
Lines of code Vulnerability details Impact A malicious actor can gain control of the liquidation process which can manipulate the POOL token price Proof of Concept Almost all the pieces of the protocol are open to everyone with no guard, and that can cause a serious problem. consider the followin...
GeVault cannot deposit ETH
Lines of code Vulnerability details Impact The GeVault contract has two instances where the require statement for token validation can cause reverts. In the first instance, the contract allows only token0 and token1 addresses for withdrawal, making it impossible to withdraw ETH. In the second...
initiator in OptionsPositionManager.executeOperation is not checked
Lines of code Vulnerability details Impact An attacker can execute flashloan pretending to be other user. Proof of Concept LendigPool.flashloan sends which user called in the parameter initiator, but it is not used in executeOperation. Tools Used Manual review. Recommended Mitigation Steps Check ...
Functions Not Considering ERC20 Transaction Fees
Lines of code Vulnerability details Impact Some ERC20 tokens charge a transaction fee for every transfer used to encourage staking, add to liquidity pool, pay a fee to contract owner, etc.. Sometimes this is not a problem but in the cases where the same value is passed to a state variable and to...
[M-01] Denial of Service with failed call Dos
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. External calls can fail accidentally or deliberately, which can cause a DoS condition in the contract. To minimize the damage caused by such failures, it is better to isolate each external call into its...
Protocol won't work with tokens that can prevent transfers
Lines of code Vulnerability details Impact There are various tokens and token standards that can result in transfers being stopped, blocked, blacklisted, paused or disallowed. This entails protocols may function well with these tokens up until a time when any of above measures activated leading t...
VaultBoosterFactory allows deployment of VaultBooster with phoney PrizePool
Lines of code Vulnerability details Impact A malicious VaultBooster can be deployed via VaultBoosterFactory contract. Users may lose funds while interacting with such VaultBooster. File: src/VaultBoosterFactory.sol function createVaultBoosterPrizePool prizePool, address vault, address owner...
the check in checkExpectedBalances only allows 2% slippage, which could be insufficient in volatile markets and lock user funds.
Lines of code Vulnerability details Impact This would cause the check to fail and revert the transaction, locking the user's funds Proof of Concept In volatile markets, the price could move more than 2% between when the user sends the transactions and when it gets mined. This would cause the chec...
[M-02] Denial of Service on failed call Dos
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. External calls can fail accidentally or deliberately, which can cause a DoS condition in the contract. To minimize the damage caused by such failures, it is better to isolate each external call into its...
TokenisableRange.sol claimFee function allows more slippage than intended due to incorrect calculation
Lines of code Vulnerability details Impact In TokenisableRange.sol, claimFee collects swap fees generated in uniswap and compound these fees by minting to Uniswap pool. During minting collected fees back in uniswap, slippage protection is conducted by comparing addedValue - a value based on added...
Missing sanityCheckUnderlying Call in Certain Functions of OptionsPositionManager Contract
Lines of code Vulnerability details Bug Description In the OptionsPositionManager contract, there is a missing call to the sanityCheckUnderlying function at the beginning of the sellOptions and close functions. These functions involve interactions with option assets and underlying tokens. However...
Upgraded Q -> 3 from #16 [1691315821722]
Judge has assessed an item in Issue 16 as 3 risk. The relevant finding follows: L-04: MorphoTokenisedDeposit override decimalsOffset ==0 increase ERC4626 inflation attack risk
The USDOOptionsModule contract's exercise function allows for dangerous call delegation
Lines of code Vulnerability details Impact The USDOOptionsModule contract is a module that is used by the BaseUSDO contract to facilitate functionality for oTap actions. The module functionality is invoked through the invocation of a delegatecall within the BaseUSDO contract's executeModule...
Setting debtStartPoint > 0 breaks many BigBang actions
Lines of code Vulnerability details Impact If BigBang.debtStartPoint is set to a value > 0, many core features will break, e.g. deposits of collateral will be possible, but removal not, which would effectively lock collateral inside the contract. Proof of Concept BigBang.getDebtRate uses the variab...
ARBTriCryptoOracle is prone to manipulation
Lines of code Vulnerability details Impact ARBTriCryptoOracle is used to determine price of LP token of tricrypto USDT, WBTC, WETH on arbitrum. This pool is susceptible to re-entrancy due to bug in vyper 0.2.15. and hence getvirtualprice can be manipulated which is used for pricing LP tokens. Pro...
borrowInternal() of BaseTOFTMarketModule.sol has phantom permit functions
Lines of code Vulnerability details Impact A malicious actor could steal funds from a User who has already done his first deposit. Proof of Concept Consider the case where attacker uses a token with phantom permit function as collateral, the most famous ones being WETH, BNB, HEX etc. Let’s consid...
_sendNative in tapiocaz::Balancer::rebalance() not sending ETH can break service
Lines of code Vulnerability details Impact function sendNative address payable oft, uint256 amount, uint16 dstChainId, uint256 slippage private if addressthis.balance amount revert ExceedsBalance; routerETH.swapETH dstChainId, oft, //refund abi.encodePackedconnectedOFTsoftdstChainId.dstOft, amoun...
The Asset.lotPrice doubles the oracle timeout in the worst case
Lines of code Vulnerability details When the tryPrice function revert, for example oracle timeout, the Asset.lotPrice will use a decayed historical value: uint48 delta = uint48block.timestamp - lastSave; // s if delta = oracleTimeout + priceTimeout return 0, 0; // no price after full timeout else...
Calc token amount can be manipulated
Lines of code Vulnerability details Impact function calcDepositInOneCoin uint2563 memory arr private view returns uint256 return liquidityPool.calctokenamountarr, true; This function is being used to calculate slippage, return value calctokenamount can be manipulated as described in POC section,...
Signature Validation Bypass in 'permit' Function of MarketERC20.sol
Lines of code Vulnerability details Description The 'MarketERC20.sol' contract contains a critical vulnerability in the 'permit' function, where insufficient signature validation allows for bypassing the authentication process. This loophole enables attackers to manipulate the function by providi...
Asset.lotPrice only uses oracleTimeout to determine if the price is stale.
Lines of code Vulnerability details Impact OracleTimeout is the number of seconds until an oracle value becomes invalid. It is set in the constructor of Asset. And Asset.lotPrice uses OracleTimeout to determine if the saved price is stale. However, OracleTimeout may not be the correct source to...
Upgraded Q -> 2 from #141 [1691046669399]
Judge has assessed an item in Issue 141 as 2 risk. The relevant finding follows: L-11
[ H ] Infinite loop in calculateNewIndex prevents tokens from being minted and rewards from being distributed
Lines of code Vulnerability details Impact Recursive calls from calculateNewIndex in MultiRewardDistributor will result in an infinite loop and out of gas errors, preventing tokens from being minted and rewards being sent to some users as disburseSupplierRewardsInternal will not be called. Proof ...
The project's reputation and user funds can be affected if a clear invariant is not met
Lines of code Vulnerability details Impact The protocol may not work as expected in years that are not 365 days long, which could lead to a loss of confidence in the protocol. In fact, the next year is one of those years (leap year). Furthermore, defining it as a constant in t...
[M-07] ERC20 return values not checked
Lines of code Vulnerability details Impact Tokens that don’t actually perform the transfer and return false are still counted as a correct transfer and the tokens remain in the SingleNativeTokenExitV2 contract and could potentially be stolen by someone else. Proof of Concept The ERC20.transfer an...