10190 matches found
Invalid Access Control Modifiers
Lines of code Vulnerability details Impact The LybraConfigurator is the contract in charge of all core functionality in the Lybra ecosystem. However, the modifiers checks here are invalid. So anybody could call any function in the protocol. All funds could be stolen and governance overturned Proo...
contract has the tendency to mint more tokens than it actually has
Lines of code Vulnerability details Impact If the contract does not have enough esLBR tokens to mint and transfer as rewards, users will not be able to claim their rewards even if they have earned them. Proof of Concept There is no check to ensure that the contract's balance of esLBR tokens is...
Calls to rigidRedemption can fail due to an underflow when collateralAsset price falls.
Lines of code Vulnerability details Impact When the collateralAsset price falls drastically a wrong collateralAmount is calculated in the line below from the eusdAmount. The collateralAmount calculated can be greater than the amount deposited by the provider in the rigidRedemption. Which leads to...
Wrong validation when setting BadCollateralRatio
Lines of code Vulnerability details Impact Setting of BadCollateralRatio has a slight bug //@audit-issue bug here, should be - 1e19 function setBadCollateralRatioaddress pool, uint256 newRatio external onlyRoleDAO requirenewRatio = 130 1e18 && newRatio = 160 1e18, "eUSD vault safe...
There is no deadline for swaps
Lines of code Vulnerability details Impact If the receiver that is specified in the IBC callback doesn't have enough tokens for interacting with the Canto network defaults at 4 CANTO, then the middleware is going to swap the tokens for some CANTO tokens on the Canto network and convert the rest t...
Bypass check with one non-standard denom
Lines of code Vulnerability details Impact Wrong conditional when checking for non-standard denoms Proof of Concept The conditional is used to sanitize if the denom1 and denom2 are indeed standardDenom see the error in the next line. However, the condition can be bypassed with one of them being...
Arbitrary parameters
Lines of code Vulnerability details Impact There is no way to check that the sequence parameter is indeed a correct one Proof of Concept It is being passed straight to a function which modifies the KVStore's pools, thus it could be any value due to not being checked e. g. it could be 0,...
Users potentially cannot have Canto token swapped automatically when bridging assets to the Canto Network
Lines of code Vulnerability details Impact If the field AutoSwapThreshold is set to zero value, the logic that compares standardCoinBalance to the autoSwapThreshold always evaluates to false so there isn't any swap operation from bridged asset to Canto token for users. Therefore, the purpose of t...
users being overcharged or not receiving the full amount of coins as they expected caused by the incorrect calculation of the amount of coins bought
Lines of code Vulnerability details Impact In the GetInputPrice function there is a line inputAmtWithFee := inputAmt.Mulsdk.NewIntFromBigIntdeltaFee.BigInt that makes a problem, so here we have in that line in the GetInputPrice function, the sdk.NewIntFromBigInt function, it takes the big.Int as an...
AutoSwapThreshold field is not checked for exceeding MaxAutoSwapThreshold constant
Lines of code Vulnerability details Impact validateAutoSwapThreshold function has a problem that does not check the AutoSwapThreshold field is less than or equal to the MaxAutoSwapThreshold constant, this can cause that a malicious user could set the AutoSwapThreshold field to a value that is...
Schedule recovery DOS by front-running with original schedule recovery transaction if no other transaction is executed
Lines of code Vulnerability details Description If after scheduling a recovery no transaction is executed, anyone can DOS the execution of this scheduled recovery by a signature replay attack given that the nonce is not increased Impact DOS of scheduled recovery execution if after a recovery is...
M-02 Unmitigated
Lines of code Vulnerability details Mitigation of M-02: Issue partially mitigated, see comments Link to Issue: code-423n4/2023-05-ambire-findings18 Comments While the issue mentioned in M-02 has been technically mitigated, the same attack can be performed in another function present in the wallet...
M-03 Unmitigated
Lines of code Vulnerability details Mitigation of M-03: Issue not mitigated, see comments Link to Issue: code-423n4/2023-05-ambire-findings16 Comments The issue is not mitigated. There is an error in the implementation of the mitigation of M-03. See report adriro-MR-M-03-ERROR for details. Assess...
M-03 Unmitigated
Lines of code Vulnerability details adriro-MR-M-03-ERROR: Recovery transaction can be replayed after a cancellation The mitigation of M-03 contains an error in the implementation of the fix. The original issue is still present. Impact The report in M-03 describes an issue related to the replay of...
User who stakes into StRSRVotes doesn't have any voting power
Lines of code Vulnerability details Impact User who stakes into StRSRVotes doesn't have any voting power. This is not intuitively clear and user who thinks that he can vote, actually will not be able until he will delegate votes to himself. Proof of Concept StRSRVotes contract extends StRSR which h...
GnosisTrade contract can be front-run in order to make it report violation and block broker
Lines of code Vulnerability details Impact GnosisTrade contract can be front-run in order to make it report violation and block broker. This will stop broker from creating other traders. Proof of Concept When BackingManager is rebalancing, then it can open trade, which can be gnosis trade...
ecrecover function is vulnerable to signature malleability
Lines of code Vulnerability details Impact Signature malleability potential exists which can be carried out by malicious actor to have two or more signatures that recover signer of same message. ecrecover function can be used to recover address by having signature and signed message hash to which...
THERE IS NO INPUT VALIDATION FOR CRITICAL STATE VARIABLES WHICH COULD BREAK THE CORE FUNCTIONALITY OF THE PROTOCOL
Lines of code Vulnerability details Impact In the LlamaAbsoluteStrategyBase.queuingPeriod variable denotes the minimum time in seconds between queueing and execution of action. The LlamaAbsoluteStrategyBase.minExecutionTime returns the block.timestamp + queuingPeriod timestamp. Here queuingPeriod...
Success value and msg.value not checked in llamaExecutor.sol
Lines of code Vulnerability details Impact Success value not checked. Result can fail silently. Msg.value can be lost. Proof of Concept Function execute does not check the validity of success. If execute is called and msg.value is greater than value, then excess msg.value will be stuck in...
Gas griefing/thief in LlamaAccount execute()
Lines of code Vulnerability details Impact LlamaAccount execute function either delegatecall or call to the provided address. The address may contain malicious contract and should be treated as a malicious. This assumption was confirmed by implementation of this function and its comments...
_newCastCount can overflow and lead to wrong state
Lines of code Vulnerability details Impact The method _newCastCount only checks for overflow via the two parameters that are passed. If a user were to pass a quantity that is equal to type(uint128).max - currentCount + 1, they could effectively bring the _newCastCount value to 0 or to any value they...
LlamaExecutor#execute is not payable
Lines of code Vulnerability details Impact Since the execute function in LlamaExecutor.sol is not payable, nor the contract has the ability to receive ether, any action that requires sending ETH will eventually fail. Proof of Concept Tools Used Manual review Recommended Mitigation Steps One of th...
Manually assigning token IDs in ERC-721 can cause problems in the future
Lines of code Vulnerability details Impact 1. It can lead to duplicate token IDs. If two different people manually assign the same token ID to their tokens, this can create a conflict. This can lead to problems when trying to transfer or sell the tokens, as the recipient may not be able to claim...
[ H ] In executeAction function, ETH can remain stuck after reverting due to a failed call.
Lines of code Vulnerability details Impact If and when the executeAction function reverts at either of the checks, the amount of ETH sent along with the call will be locked in the contract forever, with no current measures of recovery. Proof of Concept executeAction is called, but the call fails ...
Incorrect validation in LlamaRelativeQuorum results in improper approvals/disapprovals
Lines of code Vulnerability details Impact The LlamaRelativeQuorum contract is intended to allow for approvals/disapprovals to be configured such that, for example, an approval is triggered when a certain percentage of the total quantity for a role with this quantity being fixed at the creation o...
Adding Block.number to Block.timestamp
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. In the highlighted functions, the lastExcessETHDepositBlock is updated every time the function depositETHOverTargetWeight is called because it is set to the last block.number. If the function is called...
Oracle data is not sufficiently validated
Lines of code Vulnerability details Impact The retrieved price from the oracle can be stale value or outdated and used anyways as a valid data. The usage of such data can impact on how the further logics of that price are implemented. Proof of Concept File: StaderOracle.sol function getPORFeedDat...
There is no check to see if eth was successfully sent from ValidatorWithdrawalVault to StaderStakePoolsManager.
Lines of code Vulnerability details Impact Eth may not complete successfully. As a result, the user will not receive their share from the validator. Tools Used Manual audit Recommended Mitigation Steps Add to StaderStakePoolManager.receiveWithdrawVaultUserShare function. ifmsg.value == 0 revert...
Manager and DEFAULT_ADMIN_ROLE can create a scenario where user deposits more than he is permitted to withdraw
Lines of code Vulnerability details Impact manager and DEFAULT_ADMIN_ROLE can update conflicting values as max deposit limit and max withdrawal limit, where maxDepositAmount is than maxWithdrawAmount. Users will be able to deposit more than they are permitted to withdraw. considering the extremes i...
Unauthorized Access and Control in Proxy Contract
Lines of code Vulnerability details Summary: The code contains a bug that can lead to unauthorized access and control over the contract. This bug allows any caller, even those who are not the owner or address(0), to bypass the intended access control mechanisms and execute arbitrary code on the...
User with large staked ETH can deny other staker from withdrawing.
Lines of code Vulnerability details Description The withdraw flow of Stader is split in two steps, first the user has to requestWithdraw by passing his owned ETHx amount which add a new record to userWithdrawRequestsnextRequestId, second, finalizeUserWithdrawalRequest got called by any user to...
MISSING ACCESS CONTROL AND MISSING LOGICAL CHECKS IN PENALTY.sol
Lines of code Vulnerability details Impact In the penalty.sol contract anyone can call the markValidatorSettled... function to clear the penalty of an erring validator. Proof of Concept Anyone can clear the penalty of an erring validator without by calling markValidatorSettled... as the function...
FRONT-RUNNING SUSCEPTIBILITY IN ADDBID()
Lines of code Vulnerability details Impact Auction.addBid is susceptible to front-running attacks. This vulnerability presents a significant risk as participants with adequate knowledge or skill could manipulate Ethereum transaction ordering to gain undue advantage, potentially compromising the...
accountsMap[ADMIN] not set in initialize function of StaderConfig contract
Lines of code Vulnerability details Impact When initializing the StaderConfig contract with the initialize function, the admin address is not set in accountsMap[ADMIN] variable, so the getAdmin function will return address(0). This will cause the loss of the ownership of the VaultProxy contract as it...
Lack of Event Signature Verification
Lines of code Vulnerability details Impact The functions submitExchangeRateData, submitSDPrice, and submitValidatorStats emit events without verifying the signature of the calling contract. Malicious contracts can exploit this by emitting events with misleading information, potentially deceiving...
The _poolId and _id values are not within the expected range and not performing appropriate bounds checking in the VAULTPROXY contract
Lines of code Vulnerability details Impact When the _poolId and _id values are not within the expected range and appropriate bounds checking is not performed in the contract, it can result in high risk and vulnerabilities. Here are some potential risks and vulnerabilities that can arise: 1. Invalid...
Bug on the handling of excess ETH deposits
Lines of code Vulnerability details The StaderStakePoolsManager contract contains a critical bug that could lead to financial loss and system instability. The bug is related to the handling of excess ETH deposits and the calculation of available ETH for new deposits. Bug Description: In the...
A trusted node has the ability to submit the ExchangeRate multiple times for a single reportingBlockNumber.
Lines of code Vulnerability details Impact In this code, a trusted node can submit data several times. The trusted node can submit ExchangeRateData and then it can submit different data again about same reportingBlockNumber. This will occur mess of staderOracle contract, so it will be needed to b...
Upgraded Q -> 2 from #240 [1686228586164]
Judge has assessed an item in Issue 240 as 2 risk. The relevant finding follows: L-04
Withdrawal with gas limit more than 28_750_517 can never be executed with CrossDomainMessenger
Lines of code Vulnerability details Impact Withdrawal with gas limit more than 28750517 can never be executed with CrossDomainMessenger. User that will initiate such withdrawal will lose his funds and will not be able to execute the withdrawal, because of reaching maximum block gas limit. Proof ...
4 issues in the L2CrossDomainMessenger.relayMessage() function. Described one after other.
Lines of code Vulnerability details Impact 1. Loss of funds. 2. Unpermitted function calls. Proof of Concept 1. The function proceeds only if successfulMessagesxDomainCalldataHash is false require successfulMessagesxDomainCalldataHash == false, "Provided message has already been received." ; but...
withdrawNftWithInterest() possible take away other Lien's NFT
Lines of code Vulnerability details Impact Possible take away other Lien's NFT Proof of Concept withdrawNftWithInterest Used to retrieve NFT The only current restriction is that if you can transfer out of NFT, it means an inactive loan function withdrawNftWithInterestLien calldata lien, uint256...
Borrower can reject receiving ETH thus prevent lender from calling withdrawEthWithInterest()
Lines of code Vulnerability details Impact The withdrawEthWithInterest function transfers ETH with interest back to the lender in case the loan is insolvent or the auction has concluded. It also transfers PnL to the borrower. However, if the borrower is a smart contract and rejects receiving ETH,...
Host can bypass reentrancy guard in rageQuit()
Lines of code Vulnerability details Impact Host can bypass reentrancy guard in rageQuit. Proof of Concept In PartyGovernanceNFT.rageQuit there is a reentrancy guard: // Check if ragequit is allowed. uint40 currentRageQuitTimestamp = rageQuitTimestamp; if currentRageQuitTimestamp !=...
Burning an NFT can be used to block voting
Lines of code Vulnerability details Burning an NFT can be used to block voting Impact A new validation in the accept function has been introduced in order to mitigate a potential attack to the party governance. By burning an NFT, a party member can reduce the total voting power of the party just...
Requirement for having timelocks on recovery transactions is not enforceable
Lines of code Vulnerability details Impact When calling the following AmbireAccount.execute function with sigMode being SIGMODERECOVER, a recovery transaction can be scheduled if requireprivilegessignerKeyToRecover == recoveryInfoHash, 'RECOVERYNOTAUTHORIZED' and requireisIn,...
test with new label
Lines of code L1 Vulnerability details test Assessed type CanAuto
Check if the token of projectId matches the projectToken of the JBXBuybackDelegate
Lines of code Vulnerability details Impact At line 202, the amountReceived returned by the swap function is based on the projectToken defined in JBXBuybackDelegate. This will incorrectly trigger the mint function and because there is no verification of projectToken, it will mistakenly mint...
[M-01] Access control in *payParams* function
Lines of code Vulnerability details Impact Anyone can call this function and change mutex parameters. In this case we have a potential risk that malicious user can try to send several transactions: one from terminal and parallel one from other address and try front-run them to play for example wi...
Verify the correspondence between trading pairs and pools
Lines of code Vulnerability details Impact It may cause the correct ProjectToken to be locked, and transfer the wrong ProjectToken to the beneficiary. Proof of Concept Add test USDC after line 78 in the test file. IERC20 usdc = IERC200xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48; Modify line 142...