percsion error that causes buyoutprice to be very low causing the fractionPrice very low or very high

Lines of code Vulnerability details percsion error that causes buyoutprice to be very low causing the fractionPrice very low detials how does buyout become realy low? because of this percison error in the code if you supply msg.value=1 depsitAmount=1 totalSupply=5 1. also there is a possiblity th...

Buyout griefing can block almost all functionalities

Lines of code Vulnerability details Impact Everyone can start a Buyout for a vault by paying only 1 wei. For the next 4 days no other Buyout can start. If someone is fast enough, they can start another griefing buyout as soon as one finishes, meaning that it's possible to block the functionality ...

Migration Module: Usage of withdrawContribution instead of leave before buyout

Lines of code Vulnerability details Impact HIGH - Assets can be compromised directly. One can use eth from the module for buyout process. Basically sending somebody else's eth from migration module to buyout module Proof of Concept proof of concept The proof of concepts shows a scenario where one...

createCollectionFor doesn't transfer ownership to _controller that specified in the parameter.

Lines of code Vulnerability details Impact controller is supplied to the function parameter to be controller of the token and owner of the vault. But actually owner of the vault is VaultRegistry that can't control anything in the Vault. Proof of Concept function createCollectionFor bytes32...

Migration Module: Disable to join, leave, commit by starting a buyout

Lines of code Vulnerability details Impact MED - the function of the protocol could be impacted. Anyone can call Buyout::start to disable to join, leave, commit functions for migration proposal Proof of Concept The Buyout module is unaware of migration module. So, even when some migration is...

The splits configuration will become frozen once enough splits are added

Lines of code Vulnerability details Impact If there are enough entries in the splits array, the checks done to ensure existing locks are respected will cause attempts to change the split to revert, preventing the existing split assignment from changing. If the project has a lock with a long...

Price Feed is not checked for freshness and may report old / incorrect value

Lines of code Vulnerability details Price Feed is not checked for freshness In times of network conjestion, the priceFeed may take longer than expected to update, and the price may take longer than usual to update, in order to ensure the latest price is fresh within update window, you should veri...

Insufficient oracle validation

Lines of code Vulnerability details Impact Oracle my return stale price. Proof of Concept Round completeness and the quoted timestamp are not checked to ensure that the reported price is not stale. roundId, startedAt, updatedAt, and answeredInRound are omitted from the return result of...

JBProjects.sol#createFor(...) function is open to reentrancy attacks

Lines of code Vulnerability details JBProjects.solcreateFor... which used in JPController.sollaunchProjectFor... can be used for reentrancy. PoC contracts/JBProjects.sol: 131: function createForaddress owner, JBProjectMetadata calldatametadata 132 external 133 override 134 returns uint256 project...

onERC721Received() could delegatecall to transder the tokens

Lines of code Vulnerability details onERC721Received could delegatecall to transder the tokens Impact Some onERC721Received could use delegatecall to drain the tokens Putty holds. Because the msg.sender is Putty contract, the tarnsfer can go through. Or taking the ownership of the Putty contract...

Counter offer is not implemented correctly

Lines of code Vulnerability details Impact acceptCounterOffer is not verifying if the original order has already been filled. In case maker makes a counter offer and by the time counter offer is called, some user has already filled the original order then both original and counter offer will be...

Attacker may front-run acceptCounterOffer() cause users to take both original order and new one

Lines of code Vulnerability details Impact Function PuttyV2.acceptCounterOffer is used in case users see better deal and want to cancel their own order before filling the new one. But attacker can abuse this function by front-run calling fillOrder before it is cancelled in acceptCounterOffer...

accountant and admin cannot be updated at Note.sol once accountant is initialized

Lines of code Vulnerability details Impact Once state variable accountant is set, accountant and admin will no longer be updated using setAccountantAddress function. Proof of Concept function setAccountantAddressaddress accountant external requiremsg.sender == admin; requireaddressaccountant ==...

getSupplyRate is returning baseRatePerYear instead of baseRatePerBlock

Lines of code Vulnerability details Impact getSupplyRate must return rate per block as defined in compound interest rate model but currently return rate per year. Defined here: Proof of Concept This is definition / @notice Calculates the current supply interest rate per block @param cash The tota...

Oracle periodSize = 0 which is as same as not using any oracle.

Lines of code Vulnerability details Impact Oracle periodSize = 0 which is as same as not using any oracle. It should be 1800 as expected 30 minutes. Proof of Concept // Capture oracle reading every 30 minutes uint constant periodSize = 0; You comment said that capture oracle reading every 30...

No authentication for SimplePriceOracle

Lines of code Vulnerability details Impact Anyone can call setUnderlyingPrice on the SimplePriceOracle to set the oracle values. These are in turn used for the interest calculations, meaning anyone can manipulate this calculation via the Oracle. Note that SimplePriceOracle in Compound is only...

Deny of service in AccountantDelegate.sweepInterest

Lines of code Vulnerability details Impact The sweepInterest method is susceptible to denial of service. Proof of Concept The logic of the sweepInterest method relative to the treasury is as follows: bool success = cnote.transfertreasury, amtToSweep; if !success revert SweepErrortreasury ,...

Upgraded Q -> M from 161 [1656344885887]

Judge has assessed an item in Issue 161 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...

Upgraded Q -> M from 439 [1656339464232]

Judge has assessed an item in Issue 439 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...

Upgraded Q -> M from 408 [1656345785644]

Judge has assessed an item in Issue 408 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...

Upgraded Q -> M from 413 [1656340156818]

Judge has assessed an item in Issue 413 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...

Upgraded Q -> M from 413 [1656341455160]

Judge has assessed an item in Issue 413 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...

Unpaused modifier can be sidestepped in one of the lend functions.

Lines of code Vulnerability details Impact Suppose you tried to pause the lend function that is connected to Swivel. In that case, the attacker could sidestep it because there is no verification that the number input from the user corresponds with the desired input. Proof of Concept Let's say a b...

User to lose all the funds when lend() to Swivel

Lines of code Vulnerability details function lend uint8 p, address u, uint256 m, uint256 memory a, address y, Swivel.Order calldata o, Swivel.Components calldata s public unpausedp returns uint256 // lent represents the number of underlying tokens lent uint256 lent; // returned represents the...

Functions in the BatchRequests contract revert for removed contract addresses

Lines of code Vulnerability details Impact Removing Yieldy contract addresses from the contracts array with BatchRequests.removeAddress replaces the contract address with a zero-address due to how delete works. Each function that loops over the contracts array or accesses an array item by index,...

Unsafe transferFrom()

Lines of code Vulnerability details Impact Yieldy.transferFrom returns false on failure instead of reverting. This might lead to moveFundsToUpgradedContract incorrectly unstaking and restaking tokens, potentially causing user or Migration.sol to lose funds depending on NEWCONTRACT and OLDCONTRACT...

Yieldy._storeRebase() saves and emits wrong values.

Lines of code Vulnerability details Impact Yieldy.storeRebase saves and emits wrong values. I don't think the asset will be lost directly because of this but the rebase storage will have wrong values and it might affect the system later. Proof of Concept The previousCirculating must be a previous...

Call to lend() function can be frontrunned with fee increase

Lines of code Vulnerability details Impact Malicious admin could frontrun users lend transaction anytime and set feenominator to any value using setFee and bigger fee than user expected. /// @notice sets the admin address /// @param a address of a new admin /// @return bool true if successful...

removeAddress doesn't decrease the contracts.length

Lines of code Vulnerability details Impact The contracts length will always increase because the removeAddress function just deleting the value inside the array and never decrease the length by calling pop method. This can lead to Dos when calling functions that doing loop on contracts storage:...

No minting done in the Element version of lend function, user funds are frozen within the system

Lines of code Vulnerability details Lender's Element lend transfers the funds from a user, opens the position with Element, but fails to mint a corresponding Illuminate position to a user. Setting severity to be high as there is no account of user investment is effectively created, so there is no...

lender variable in is not the same as constructory and method in the construcotr ther is no check for address zero

Lines of code Vulnerability details Impact lender variable not the same as constructory and method its no check for address zero Recommended Mitigation Steps check for address zero in the constructor --- The text was updated successfully, but these errors were encountered: 😕 1 KenzoAgada reacted...

Griefing Attack by staking for any receipent

Lines of code Vulnerability details Impact Any user can grief attack and lock funds of victim by staking with victim address as recipient. Proof of Concept If warmup period is more than 1, it is possible to do this by staking with victim address as recipient with 1 wei amount, and increasing the...

[PNM-004] Calculation of _secondaryReserveRatio can be overflowed

Lines of code Vulnerability details Description uint32 secondaryReserveRatio = uint32msg.value SCALE 1e18 / initialTokenSupply initialTokenPrice; secondaryReserveRatio can be overflowed by setting a relatively small initialTokenSupply and initialTokenPrice. The result will be truncated by uint32,...

Reentrancy bug in Basket's withdraw multiple tokens function which gives attacker ability to transfer basket ownership and spend it but withdraw all the tokens out of basket

Lines of code Vulnerability details Impact Basket is used for keep multiple tokens in contract and mint one NFT token to represent their ownership. Basket only allows for owner of NFTid=0 to withdraw tokens from Basket address. users can deposit multiple tokens in one Basket and then create a...

NibblVault buyout duration longer than update timelock

Lines of code Vulnerability details Impact User can buy out NFT by initiating the process through initiateBuyout, then he has to wait BUYOUTDURATION which is 5 days and if the buyout will not get rejected he can claim the NFT. During that period bidder cannot cancel the process. The issue is that...

_updateTwav() and _getTwav() will revert when cumulativePrice overflows

Lines of code Vulnerability details Impact Contract will break when cumulativeValuation overflows. PoC Cumulative prices are designed to work with overflows/underflows because in the end the difference is important. In updateTwav when prevCumulativeValuation + valuation timeElapsed overflows the...

[PNM-002] Unfairness: the curator (or users with large shares) can always reject payout by sandwich attacks

Lines of code Vulnerability details Impact 15% Attack Description The initiateBuyout function uses the current valuation instead of the time-weighted average one to determine buyoutRejectionValuation, making the curator or any other early buyers with a relatively large sharing able to reject...

Buy logic is not correct

Lines of code Vulnerability details Impact This will affect the curves from where the buy need to happen. This will lead to erroneous result. Proof of Concept Tools Used Manual calculation and code review Recommended Mitigation Steps Update the Buy logic by referring the sell logic. --- The text...

User Could Change The State Of The System While In Pause Mode

Lines of code Vulnerability details Proof-of-Concept Calling NibblVault.updateTWAP function will change the state of the system. It will cause the TWAP to be updated and buyout to be rejected in certain condition. When the system is in Pause mode, the system state should be frozen. However, it wa...

whenNotPaused modifier missing

Lines of code Vulnerability details Impact whenNotPaused modifier is missing in both createBasket function NibblVaultFactory.solL80 and withdrawUnsettledBids function NibblVault.solL424 This means even when contract is in paused state this function will still be operational Note Other impacted...

ERC1155 support unchecked - NFT can be lost

Lines of code Vulnerability details Impact It is not checked whether withdrawn token supports ERC1155 interface. Also there is no check to see if necessary approval have been set for sending nft The fix need to be applied for all other functions withdrawing ERC1155 Proof of Concept 1. Observe the...

Incorrect repayAmount used in CNote

Lines of code Vulnerability details Impact repayAmount was used instead of repayAmountFinal in CNote.repayBorrowFresh. This will lead to revert if the borrower want to repay full amount with typeuint.max Proof of Concept uint actualRepayAmount = doTransferInpayer, repayAmount; Recommended...

Only the state() of the latest proposal can be checked

Lines of code Vulnerability details Impact state function cannot view the state from any proposal except for the latest one. Proof of Concept requireproposalCount = proposalId && proposalId initialProposalId, "GovernorBravo::state: invalid proposal id"; Currently proposalCount needs to be bigger ...

Stack too deep error within BaseV1-periphery.sol

Lines of code BaseV1-periphery.sol lines 323-341 Vulnerability details Impact Stack too deep error when using remove liquidity function, fixing issue allows for avoiding using optimizations thus increases the periphery contract's longevity/scalability. Proof of Concept function...

Overprivileged admin can grant unlimited WETH

Lines of code Vulnerability details Impact Admin can grantComp to any address using any amount and drain the contract. Proof of Concept If admin key gets compromised there is no timelock, no amount boundaries and no address limitations to prevent the assets to be drained immediately to the...

getCashPrior == 0 not checked at the end of redeemFresh

Lines of code CNote.solL332 Vulnerability details Impact To ensure that there are no Note tokens in CNote.sol the getCashPrior value should be exactly 0 at the end of every function that transfers tokens in and out of the contract. In the redeemFresh function, the getCashPior value is not checked...

newblockchain report: Missing access control in Proposal-Store.sol

Lines of code Vulnerability details Impact Anyone can add proposal. These proposals are used later to be executed by timelock in GovernorBravoDelegate. However, it is unclear whether the code works as intended: see the QA report "Upon queue executed true in GovernorBravoDelegate". Possible...

routerBalances[msg.sender][_local] can be inflated in repayAavePortal due to underflow in unchecked math

Lines of code Vulnerability details function repayAavePortal address local, uint256 backingAmount, uint256 feeAmount, uint256 maxIn, bytes32 transferId external uint256 totalAmount = backingAmount + feeAmount; // in adopted uint256 routerBalance = s.routerBalancesmsg.senderlocal; // in local //...

Rescue ETH at InfinityExchange.sol is incorrectly implemented

Lines of code Vulnerability details Impact Admins are unable to recover any ETH locked in the contract PoC The function rescueETHInfinityExchange.sol is incorrectly implemented. It is using msg.value instead of the balance of the contract function rescueETHaddress destination external payable...

Current implementation of arbitrary call execute failure handler may break some use case for example NFT bridge.

Lines of code Vulnerability details Impact Current implementation of arbitrary call execute failure handler may break some use case for example NFT Bridge. In the case of NFT Bridge, NFT may be lost forever. This is likely to be happened in the case of out of gas. Proof of Concept Relayer receive...