Check if the token of projectId matches the projectToken of the JBXBuybackDelegate

Lines of code Vulnerability details Impact At line 202, the amountReceived returned by the swap function is based on the projectToken defined in JBXBuybackDelegate. This will incorrectly trigger the mint function and because there is no verification of projectToken, it will mistakenly mint...

[M-01] Access control in *payParams* function

Lines of code Vulnerability details Impact Anyone can call this function and change mutex parameters. In this case we have a potential risk that malicious user can try to send several transactions: one from terminal and parallel one from other address and try front-run them to play for example wi...

Verify the correspondence between trading pairs and pools

Lines of code Vulnerability details Impact It may cause the correct ProjectToken to be locked, and transfer the wrong ProjectToken to the beneficiary. Proof of Concept Add test USDC after line 78 in the test file. IERC20 usdc = IERC200xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48; Modify line 142...

If the controller for _data.projectId is not defined, it can lead to incorrect execution of _swap() and theft of funds by the beneficiary.

Lines of code Vulnerability details Impact If the controller is not defined in the swap function, then it becomes impossible to mint and burn tokens, which leads to incorrect execution of the function. IJBController controller = IJBControllerjbxTerminal.directory.controllerOfdata.projectId; Proof...

If, as a result of the calculation, _tokenCount = 0, then this may lead to incorrect execution of the _mint function(_data, _tokenCount).

Lines of code Vulnerability details Impact If the payParams function receives null values in data, then uint256 tokenCount = PRBMath.mulDivdata.amount.value, data.weight, 10 18 may result in a null value. Proof of Concept If, as a result of the calculation, tokenCount = 0, then this may lead to...

Delegate uses incorrect parameter for the token amount

Lines of code Vulnerability details Delegate uses incorrect parameter for the token amount The delegate implementation uses the incorrect "amount" parameter from the JBDidPayData struct that is sent to the didPay function. Impact The implementation of the pay function in the terminal builds the...

Delegate doesn't verify payed ETH value matches amount in parameter

Lines of code Vulnerability details Delegate doesn't verify payed ETH value matches amount in parameter The JBXBuybackDelegate delegate fails to check that the sent ETH amount matches the value passed in the amount parameter. Impact The payable didPay function present in the delegate is called by...

Upgraded Q -> 2 from #597 [1684599709636]

Judge has assessed an item in Issue 597 as 2 risk. The relevant finding follows: L9 --- The text was updated successfully, but these errors were encountered: All reactions...

TEST-medium

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used Recommended Mitigation Steps Assessed...

Incorrectly calculation of the total tokens to be seized because of the difference on the scale of magnitude for the prices of the underlying assets

Lines of code Vulnerability details Impact The total number of tokens to be seized could be wrongly calculated if the underlying assets of vTokenBorrowed & vTokenCollateral have a different decimals. Proof of Concept The price returned by the ChainlinkOracle contract of the Venus Protocol, the...

stakedBalance() The wrong number of balance may be returned

Lines of code Vulnerability details Impact stakedBalance maybe return wrong number,Causes AMO.sol not to work properly Proof of Concept stakedBalance use for get the current staked balance of CVXStaker The code is as follows: function stakedBalance public view returns uint256 balance balance =...

Whales can freeze all user funds

Lines of code Vulnerability details Impact Whales can freeze user funds by adding large amounts of a smaller token, while keeping collateral in other tokens. By accumulating interest in the small token, they will be able to call reduceReserves once the interest increased enough to match the cash...

Incorrect slippage check in the AMO2.rebalanceUp can be attacked by MEV

Lines of code Vulnerability details Impact The AMO2.rebalanceUp uses AMO2.bestRebalanceUpQuote function to avoid MEV attack when removing liquidity with only one coin. But the bestRebalanceUpQuote does not calculate the slippage correctly in this case, which is vulnerable to be attacked by MEV...

Inadequate checks for comptroller in PoolRegistry#addMarket allows malicious comptrollers to be added

Lines of code Vulnerability details Impact Malicious comptrollers will be available in the protocol Proof of Concept The addMarket function only checks that the input.comptroller is not the 0 address, but does not check if the comptroller was actually created by the PoolRegistry contract. A...

Potential Division by Zero in utilizationRate method

Lines of code Vulnerability details Impact In the case where cash + borrows - reserves equals 0, the function would try to divide by zero which will result in a runtime error. Proof of Concept An attacker might manipulate the state of the contract to where cash + borrows - reserves equals zero...

Precision differences when calculating the _startAuction of funds accumulated in RiskFund

Lines of code Vulnerability details Impact When calculating startAuction uint256 usdValue in RiskFund, Auction state divides the value of each market in the vToken list in token list precision. This skew is fine for most tokens but will cause problems with certain token pairs. Proof of Concept Wh...

Unfair handling of rewards for users with a high amount of rewards

Lines of code Vulnerability details Users can claim their rewards in RewardDistributor.claimRewardToken. The reward handling part is done in grantRewardToken: 416: function grantRewardTokenaddress user, uint256 amount internal returns uint256 417: uint256 rewardTokenRemaining =...

PLACEBID() IN SHORTFALL.SOL MAY LEAD TO DENIAL OF SERVICE AND FRONT RUNNING ATTACKS

Lines of code Vulnerability details Impact The Shortfall.placeBid function in the Venus protocol exhibits potential vulnerabilities that may lead to denial-of-service DoS and front-running attacks. A malicious actor could exploit these vulnerabilities to disrupt the auction process, manipulate...

Zero token transfer can cause a potential DoS in CVXStaker

Lines of code Vulnerability details Zero token transfer can cause a potential DoS in CVXStaker The CVXStaker contract doesn't check for zero amount while transferring rewards, which can end up blocking the operation. Impact The CVXStaker contract is in charge of handling interaction with the Conv...

An expired parameter is required because there may be slippage in the calculation.

Lines of code Vulnerability details Impact Due to changes in interest rates, failure to process transactions in a timely manner may result in missing out on ideal rewards. Proof of Concept The calculation of the clainRewards function involves interest rates, which are variable. If...

Attacker can drain the token from the user's account

Lines of code Vulnerability details Vulnerability details Impact There is a potential vulnerability if the increaseLPAllowance function is not implemented safely and allows for arbitrary increases to the token allowance. File: ajna-core/src/PositionManager.sol pool.increaseLPAllowanceowner,...

ExtraordinaryFunding may fail due to a decrease in the treasury funds due to a StandardFunding new distribution round

Lines of code Vulnerability details Impact Users could spend gas and possibly other off chain resources voting on an ExtraordinaryFunding proposal which would later revert when executing. Proof of Concept If an ExtraordinaryFunding proposal requests an amount of tokens between 48.5% and 50% of th...

stake() function: The provided stake function lacks checks to prevent a lender from staking multiple NFTs in the same Ajna pool. The function allows any owned position NFT to be staked without considering whether the lender has already staked in the pool. This potentially opens up the system to an abuse where a lender stakes multiple NFTs for the same liquidity position.

Lines of code Vulnerability details Impact The current stake function lacks checks to prevent a lender from staking multiple NFTs in the same Ajna pool. This could lead to an abuse of the system where a lender stakes multiple NFTs for the same liquidity position, potentially earning more rewards...

Unchecked increment in calculateRewards function of RewardsManager.sol.

Lines of code Vulnerability details Impact In the calculateRewards function, there is an unchecked increment in the for loop, in the code it can allow an attacker to cause an integer overflow in the calculateRewards function by manipulating the loop variable, resulting in incorrect rewards...

Treasury accounting miss voters rewards

Lines of code Vulnerability details treasury is overstated over time as each distribution period it adds back the delegate rewards part, which is actually spent on voters rewards. I.e. it is updated with fundsAvailable - totalTokensRequested difference, while totalTokensRequested is limited to 90...

Imprecise block calculation

Lines of code Vulnerability details Vulnerability details Impact @dev Roughly equivalent to the number of blocks in 7 days. @dev Roughly equivalent to the number of blocks in 90 days. @dev Roughly equivalent to the number of blocks in 10 days. As described in the NatSpec comment above these are...

Integer Overflow in ScreeningVote Function of StandardFunding.sol.

Lines of code Vulnerability details Impact In the screeningVote function of StandardFunding.sol contract, specifically in the line where the votes parameter is converted to a uint128 using the SafeCast.toUint128 function. The issue is that the votes parameter is not limited to 128 bits, which can...

Upgraded Q -> 2 from #279 [1683710498041]

Judge has assessed an item in Issue 279 as 2 risk. The relevant finding follows: L-06 EllipticCurve.validateSignature has wrong and needless code blocks if P2 == 0 return false; uint256 Px = inverseModP2, p; Px = mulmodP0, mulmodPx, Px, p, p; Px = p0 inverseP2^2 is not correct here. Fortunately, ...

high risk issue

Lines of code Vulnerability details Submitting a high risk issue! Assessed type ERC4626 --- The text was updated successfully, but these errors were encountered: All reactions...

Mitigation Confirmed for NEW

Note: Issue has not actually been resolved but for some reason I can't get my issues to submit without "Mitigation confirmed no new vulnerabilities detected" checked so I am doing this as a work around Severity Medium Lines of code Impact Contract still assumes 1:1 peg for stETH in WstETHwithdraw...

Rounding loss in and with approxPrice()

Rounding loss in and with approxPrice Description SafEth.approxPrice contains a rounding loss of the form a/k + b/k = ac/b. We would...

[M-1] Potential DoS attack due to unchecked array lengths in loop

Lines of code Vulnerability details M-1 Potential DoS attack due to unchecked array lengths in loop Impact If strategies and shares have different lengths and the code uses them in a loop without checking their lengths, it could potentially cause an out-of-bounds error, which could lead to a...

State variables are initialized in an upgradeable contract + there is constructor

Lines of code Vulnerability details Impact Due to a requirement of the proxy-based upgradeability system, no constructors can be used in upgradeable contracts. State variables are initialized in an upgradeable contract Proof of Concept See -upgradeableavoid-initial-values-in-field-declarations...

Manipulation Compromised proposal processing claimDelayedWithdrawals

Lines of code Vulnerability details Impact By exploiting legitimate users' access to claim delayed withdrawals, an attacker could potentially drain a sizable portion of the contract's funds before detection. Manipulative access to critical system functions poses a substantial financial risk. Proo...

Zero address pauser assignment

Lines of code Vulnerability details Impact By allowing any address to be assigned as the pauser, the StrategyBase contract leaves itself vulnerable to losing critical functionality that controls token transfers in and out. Assigning a zero address would result in no valid pauser, preventing the...

Assuming a 1-1 peg of Liquid Staked Tokens like stETH and rETH to ETH is dangerous

Lines of code Vulnerability details Impact The price of ETH staking derivatives may not be pegged 1-1 to ETH which affect staking conditions. Proof of Concept To stake eth, a user calls depositBeaconChainETH. The amount parameter is passed into the addShares function. In addShares, the amount...

High gas consumption vulnerability due to high merkle tree heights

Lines of code Vulnerability details Impact The issue stems from the utilization of tall trees in numerous merkle trees within the BeaconChainProofs library. This could lead to considerable gas consumption during the creation and verification of such trees. The consequence of this vulnerability is...

Upgraded Q -> 3 from #903 [1683219188466]

Judge has assessed an item in Issue 903 as 3 risk. The relevant finding follows: L-2. Use SafeCast Library Description Downcasting from uint256/int256 in Solidity does not revert on overflow. This can easily result in undesired exploitation or bugs, since developers usually assume that overflows...

Upgraded Q -> 3 from #421 [1683219158450]

Judge has assessed an item in Issue 421 as 3 risk. The relevant finding follows: 1. Unchecked Cast May Overflow As of Solidity 0.8 overflows are handled automatically; however, not for casting. For example uint324294967300 will result in 4 without reversion. Consider using OpenZepplin's SafeCast...

Overflow Excessive claims could overwhelm storage _userWithdrawals mapping

Lines of code Vulnerability details Impact By submitting an excessive number of claims through a compromised user, an attacker could theoretically overwhelm the storage used for mapping users to their delayed withdrawals. If critical data is overwritten, the contract would be rendered unusable...

High Reentrancy Withdrawals can be frontrun

Lines of code Vulnerability details Impact A reentrancy attack on the withdrawal functions could allow an attacker to drain the contract of all funds by repeatedly calling the functions faster than transactions can complete. By calling completeQueuedWithdrawal and withdrawBeaconChainETH multiple...

Upgraded Q -> 2 from #225 [1683100933057]

Judge has assessed an item in Issue 225 as 2 risk. The relevant finding follows: uint256 exponent = baseToken == address0 ? 18 - 4 : ERC20baseToken.decimals - 4; will revert since ERC20baseToken.decimals - 4; causes an underflow --- The text was updated successfully, but these errors were...

Upgraded Q -> 3 from #878 [1683053134023]

Judge has assessed an item in Issue 878 as 3 risk. The relevant finding follows: L-7 Potential overflow while updating reserves values in PrivatePool contract - --- The text was updated successfully, but these errors were encountered: All reactions...

Upgraded Q -> 2 from #215 [1683053585771]

Judge has assessed an item in Issue 215 as 2 risk. The relevant finding follows: QA10 Both EthRouterbuy and EthRoutersell do not check whether recipient == address0, as a result, they might send royalty fees to the zero address - loss of funds. --- The text was updated successfully, but these...

Upgraded Q -> 2 from #854 [1683053410661]

Judge has assessed an item in Issue 854 as 2 risk. The relevant finding follows: L-01 Reorg attack possibility in pool factory 1 --- The text was updated successfully, but these errors were encountered: All reactions...

Upgraded Q -> 2 from #878 [1683053122687]

Judge has assessed an item in Issue 878 as 2 risk. The relevant finding follows: L-2 Royalties are paid assuming all NFTs in the batch are equally priced - --- The text was updated successfully, but these errors were encountered: All reactions...

Upgraded Q -> 2 from #680 [1683016846473]

Judge has assessed an item in Issue 680 as 2 risk. The relevant finding follows: D. FlashFee is a flat amount, meaning the cost to flash loan an NFT at floor price is the same as one worth 5x the floor price. FlashFee should instead be based on the weigh of the NFT being flashloaned, with more...

Upgraded Q -> 2 from #245 [1683017351880]

Judge has assessed an item in Issue 245 as 2 risk. The relevant finding follows: L-05 PrivatePoolMetadata.tokenURI is not compliant with EIP721 It implements PrivatePoolMetadata.tokenURI , a function overriding ERC721's tokenURI. This function returns the metadata URI of the provided token ID The...

DNS wire format AND DNS label-sequence format ARE USED INTERCHANGABLY TO REPRESENT DOMAIN NAMES DURING RRSet VALIDATION

Lines of code Vulnerability details Impact @param name The name to claim, in DNS wire format. above format is used in DNSRegistrar.proveAndClaim and DNSRegistrar.proveAndClaimWithResolver functions @param name The name of the RRSIG record, in DNS label-sequence format. above format is used in...

Incorrect implementation of RecordParser.readKeyValue()

Lines of code Vulnerability details Impact RecordParser.readKeyValue returns a wrong value if the terminator not found. This is a fundamental library and any contract using it may experience unexpected errors and problems due to this bug. Proof of Concept The implementation logic of...