10190 matches found
Owner's delegates should be decreased in _burn()
Lines of code Vulnerability details function burnuint tokenId internal requireisApprovedOrOwnermsg.sender, tokenId, "caller is not owner nor approved"; address owner = ownerOftokenId; // Clear approval approveaddress0, tokenId; // TODO add delegates // Remove token removeTokenFrommsg.sender,...
Not calling _safeApprove(0) before setting a new approval causes the call to revert when used with Tether (USDT)
Lines of code Vulnerability details Impact Some tokens like the very popular USDT do not work when changing the allowance from an existing non-zero allowance value it will revert if the current approval is not zero to protect against front-running changes of approvals. These tokens must first be...
Bribe Rewards Not Claimable By Voters
Lines of code Vulnerability details Background Based on the code of Gauge contract, there are two types of rewards that can be claimed from the Gauge contract by its users. 1. Gauge Rewards - For users Liquidity providers who deposit their LP tokens a.k.a LP Token Staker into the liquidity gauge...
Bribe.sol is not meant to handle fee-on-transfer tokens
Lines of code Vulnerability details Impact Should a fee-on-transfer token be added as a reward token and deposited, the tokens will be locked in the Bribe contract. Voters will be unable to withdraw their rewards. Proof of Concept Tokens are deposited into the Bribe contract using...
Gauge Functionalities Still Accessible After Being "Killed"
Lines of code Vulnerability details Proof-of-Concept The Voter contract contains a killGauge function that allow the emergency council to kill a gauge. The killGauge function will set the isAlive mapping to false. Thus, calling Voter's functions e.g. Voter.updateGauge, Voter.distributegauge again...
Attacker can block LayerZero channel
Lines of code Vulnerability details Impact According to the LayerZero docs, the default behavior is that when a transaction on the destination application fails, the channel between the src and dst app is blocked. Before any new transactions can be executed, the failed transaction has to be retri...
Multi-hop routes will leave a dust trail
Lines of code Vulnerability details Impact By calling RubiconMarket.buyid, quantity as a consequence of L239 and L241 with quantity = currentAmount - currentAmount expectedMarketFeeBPS / 10000 ...the fee calculated by the buy function amounts to: currentAmount - currentAmount expectedMarketFeeBPS...
Reentrancy attack
Lines of code Vulnerability details Impact High impact. Reentrancy Attack may lead to loss of funds. Proof of Concept Reentrancy in RubiconMarket.matchouint256,ERC20,uint256,ERC20,uint256,bool contracts/RubiconMarket.sol1049-1108: External calls: - buybestmakerid,minmpayamt,t...
ConvexMasterChef: safeRewardTransfer can cause loss of funds
Lines of code Vulnerability details Impact Same as code-423n4/2022-02-concur-findings244 All calculations are rounded down, since a lack of tokens in the contracts cannot be rounding errors' fault. So the function is redundant. On the other hand, if the contract is undersupplied with cvx tokens,...
No rewards will be queued for users at intervals
Lines of code Vulnerability details Impact The 20% penalty that is taken from users who claim their rewards but choose not to stake in the AuraLocker is sent to the penaltyForwarder. Thereafter, it gets distributed to the locker to be queued but the issue in AuraLocker.queueNewRewards is that the...
Impossible Clearance of Delegate
Lines of code Vulnerability details ALR-01M: Impossible Clearance of Delegate | File | Lines | Type ---|---|--- AuraLocker.sol | L464-L509 | Code Functionality Description The delegate function disallows clearance of any existing delegation, thereby forcing the user to retain a delegate active...
Users can grief reward distribution
Lines of code Vulnerability details Impact Users can grief reward distributions by spending dust Proof of Concept If a reward is targeted for an epoch in the past, a user can front-run the txn in the mempool and call addRewardToEpoch with a dust amount at an epoch after the one in question. This...
Alchemist can mint AlTokens above their assigned ceiling by calling lowerHasMinted()
Lines of code Vulnerability details Impact An alchemist / user can mint more than their allotted amount of AlTokens by calling lowerHasMinted before they reach their minting cap. Proof of Concept Function mint in AlchemicTokenV2Base.sol function mintaddress recipient, uint256 amount external...
DoS in wrap and unwrap
Lines of code Vulnerability details Impact The code is doing the wrong check, so when things work it will revert. Proof of Concept In the function wrap there are these lines: if error = ICERC20token.mintamount != NOERROR revert FuseErrorerror; but mint returns the amount that was minted, so when error...
[WP-H1] Debt can be repaid with a depegged underlyingToken, which can be exploited by arbitrageurs and drives the market price of alToken to match the worst depegged underlyingToken
Lines of code Vulnerability details function normalizeUnderlyingTokensToDebtaddress underlyingToken, uint256 amount internal view returns uint256 return amount underlyingTokensunderlyingToken.conversionFactor; function repayaddress underlyingToken, uint256 amount, address recipient external...
[gALCX.sol] Attacker can make the contract unusable when totalSupply is 0
Lines of code Vulnerability details Impact An attacker can make the contract unusable when totalSupply is 0. Specifically, bumpExchangeRate function does not work correctly which results in making stake, unstake and migrateSource functions that do not work as expected. Proof of Concept Here are...
New gALCX token denomination can be depressed by the first depositor
Lines of code Vulnerability details An attacker can become the first depositor for a recently created gALCX contract, providing a tiny amount of ALCX tokens by calling stake1 raw values here, 1 is 1 wei, 1e18 is 1 ALCX. Then the attacker can directly transfer, for example, 10^6 1e18 - 1 of ALCX t...
TransmuterBuffer's _alchemistWithdraw use hard coded slippage that can lead to user losses
Lines of code Vulnerability details exchange - exchange - alchemistWithdraw is user funds utilizing call sequence and the slippage hard coded to 1% there can cause a range of issues. For example, if there is not enough shares, the number of shares to withdraw will be unconditionally reduced to th...
If totalShares for a token falls to zero while there is pendingCredit the contract will become stuck
Lines of code Vulnerability details Impact It is possible for the contract to become stuck and unable to perform any actions if the totalShares of a yield token fall to zero while there is some pendingCredit still to be paid. It will then be impossible to call deposit or withdraw functions, mints...
User does not get funds if sending ETH in LidoVault.sol fails, funds stay stuck in the contract
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. If the user uses smart contract to interact with the protocol with no receive/ payable fallback function, sending of ETH to the user will fail and the ETH would stay in the contract and withdraw action...
Overexert on-chain slippage/loss control may cause users' funds to be frozen in the contract
Lines of code Vulnerability details requirewithdrawAmount = amount.percentMul9900, Errors.VTWITHDRAWAMOUNTMISMATCH; The GeneralVault.sol contract comes with an on-chain slippage/loss control to ensure the output amount is no more than 1% less of the requested amount. This can be a problem when the...
L10: Deposits don't work with FoT tokens
78 comment Warden: hickuphh3 Line References Description FoT token deposits are not supported because amount is used for internal accounting, but the actual amount received will be less than it due to the fee. I gave a low severity rating because of the existence of a token whitelist. Referenced...
sendFundsToUser() function, where executors are fully trusted to provide the correct information to complete the cross-chain transfer
78 comment Warden: hickuphh3 One area of concern is the sendFundsToUser function, where executors are fully trusted to provide the correct information to complete the cross-chain transfer. Any executor that becomes compromised will enable the attacker to fully drain the available liquidity of a...
Possible lost msg.value
Lines of code Vulnerability details Impact Possible lost value in depositCollateral function call Proof of Concept In call depositCollateral can will send value and the asset can be an ERC20!= address0, if LidoVault and ConvexCurveLPVault contract receive this call the funds will be lost Also in...
C4-004 : Centralization Risk
112 comment Warden: defsec Impact - LOW The system relies heavily on the ExecutorManager. Therefore, it contains centralization risk if the execution manager is an EOA and captured. Proof of Concept 1. Navigate to the following contract...
Cally does not support ERC20 tokens with built-in fee
Lines of code Vulnerability details Impact Contract Cally does not properly handle ERC20 tokens that charge a fee on their transfers. Implementations of such tokens do not transfer the exact amount provided to transfer, but part of it is charged as a fee, burned or used in some other way. This leads ...
Loss of asset due to improperly setting dutchAuctionReserveStriked
Lines of code Vulnerability details The Option writer Victim believes they will be writing a call option, but ends up selling their asset at a discount. Proof of Concept If dutchAuctionReserveStrike is improperly set, the writer is effectively writing a call option that is immediately in the mone...
[WP-H0] Fake balances can be created for not-yet-existing ERC20 tokens, which allows attackers to set traps to steal funds from future users
Lines of code Vulnerability details function createVault uint256 tokenIdOrAmount, address token, ... external returns uint256 vaultId ... Vault memory vault = Vault ... ; // vault index should always be odd vaultIndex += 2; vaultId = vaultIndex; vaultsvaultId = vault; // give msg.sender vault tok...
Setting a high feeRate can block exercise or cause negative flow of funds
Lines of code Vulnerability details Impact When an admin intentionally or unintentionally sets a feeRate greater than 1e18 100%, The exercise function can fail with arithmetic operation underflow at line 289 In the case, when beneficiary is connected to multiple vaults, the exercise function will...
Fee-on-transfer / rebasing ERC20 cannot be used as underlying
Lines of code Vulnerability details Some ERC20 tokens may have fee-on-transfer or change balance without owner intervention. If these tokens are used as underlying in the protocol they can be lost. Proof of concept Alice creates a vault with a token that has a 1% fee on transfer. She sends...
Inefficiency in the Dutch Auction due to lower duration
Lines of code Vulnerability details The vulnerability or bug is in the implementation of the function getDutchAuctionStrike The AUCTIONDURATION is defined as 24 hours, and consider that the dutchAuctionReserveStrike or reserveStrike will never be set to 0 by user. Now if a vault is created with...
No cap on fee parameters
143 comment Warden: gzeon Consider adding caps to fee parameters to reduce rug risk
createVault() does not verify ERC20 token contract exists before transferring
Lines of code Vulnerability details Impact There are no checks to ensure the vault.token contract exists when creating a vault. Token addresses are deterministic in the EVM and can be known ahead of time. As a result it is possible for a user to call createVault with token set to a ERC20 contra...
A malicious user can create a vault that is actually empty
Lines of code Vulnerability details description A malicious user can call the createVault function to create a vault with an ERC20 token that returns false rather than revert on failed transfer. By specifying the tokenType parameter to be ERC721 the transferFrom function will be called rather tha...
in depositErc20 - no check that token address != NATIVE
103 comment Warden: CertoraInc The depositErc20 doesn't have any check that the given token address doesn't equal to the NATIVE address in this case the user should use the depositNative function. This is a needed check, it can be seen also in the withdrawErc20GasFee, so it needs to be applied in...
Admin can rug users, withdraw all the locked funds
Lines of code Vulnerability details function withdrawERC20 address tokenAddress external requirecudosAccessControls.hasAdminRolemsg.sender, "Recipient is not an admin"; uint256 totalBalance = IERC20tokenAddress.balanceOfaddressthis; IERC20tokenAddress.safeTransfermsg.sender , totalBalance; The...
No Storage Gap for Upgradeable Contract Might Lead to Storage Slot Collision
Lines of code Vulnerability details Impact For upgradeable contracts, there must be storage gap to "allow developers to freely add new state variables in the future without compromising the storage compatibility with existing deployments" quote OpenZeppelin. Otherwise it may be very difficult to...
it's possible that validators don't have enough power
Lines of code Vulnerability details newValset parameter in updateValset can have validators that don't have enough power combined for passing the threshold. Recommendation mitigation steps check that the validators power combined is bigger than the threshold
Re-entrancy attack on the main functions
Lines of code Vulnerability details Impact A malicious token, or one that implemented transfer hooks, could re-enter the public calling function such as withdraw before proper internal accounting was completed. Because the earned reward function looks up the pool.totalDepositsWei and...
Unchecked return value of transferFrom() leading to zero cost RewardFunding
Lines of code Vulnerability details Impact Due to unchecked return value of transferFrom in https://github.com/code-423n4/2022-05-factorydao/blob/main/contracts/PermissionlessBasicPoolFactory.solL144 , it is possible to fund a pool during creation without transferring tokens to use as rewardToken...
steal user funds with front-running when he calls depositTokens() of MerkleDropFactory with wrong treeIndex (uninitiated)
Lines of code Vulnerability details Impact If a user calls depositTokens with wrong treeIndex value by mistake, attacker can perform front-running attack and steal user funds before user transaction reach the contract, attacker will create multiple trees in MerkleDropFactory until he reach tree...
Excess ETH is not returned to sender
Lines of code Vulnerability details Impact In passThruGate function, msg.value is checked to be greater than the required cost, but the excess amount is not returned to the sender. Proof of Concept function passThruGateuint index, address override external payable Gate memory gate = gatesindex;...
Fee-On-Transfer Tokens Are Not Supported
Lines of code Vulnerability details Impact The FactoryDAO suite of contracts interact with any arbitrary ERC20 token. Because of this, there is a specific instance and likely several others where a fee-on-transfer token will not be correctly handled. PermissionlessBasicPoolFactory.fundPool will...
SpeedBumpPriceGate does not refund excess ETH payment
Lines of code Vulnerability details The FixedPricePassThruGate accepts ETH amounts greater than or equal to the calculated price, and forwards the full amount to the gate's configured beneficiary address. However, there is no mechanism to refund these excess payments, and no guarantee that the...
Deprecated safeApprove() function
Originally submitted by warden Dravee in 146, duplicate of 178 related to the use of safeApprove. This is upgraded from a QA report to standalone issue because it correctly described the revert when trying to call safeApprove on non-zero allowance. QA report that only describe safeApprove as...
Use of deprecated Chainlink function latestAnswer
Lines of code Vulnerability details Impact Use of deprecated Chainlink function latestAnswer According to Chainlink's documentation, the latestAnswer function is deprecated. This function does not error if no answer has been reached but returns 0, causing an incorrect price feed to USDC Price...
Oracle data feed is insufficiently validated
Lines of code Vulnerability details description When using Chainlink Price feeds it is important to ensure the price feed data was updated recently. While getting started with chainlink requires just one line of code, it is best to add additional checks for in production environments. findings...
Missing validations in setter and setPhaseTimes() functions.
Lines of code Vulnerability details Impact Time variable validations daStartTime, mintlistStartTime, publicStartTime, claimsStartTime, selfRefundsStartTime are only done in setPhaseTimes and not even all validations. These validations should be performed: daStartTime block.timestamp...
reentryattack with owner checks and effects pattern not implemented
Lines of code Vulnerability details Impact reentryattack can happen because checks and effects pattern not implemented Proof of Concept an owner can be malicious and take advantage of effects after a call Recommended Mitigation Steps do the checks and effects pattern
Inexistent Chainlink Data Staleness Sanitization
Lines of code Vulnerability details Impact The IChainlinkAggregator implementation utilized by the codebase is outdated and as such is not properly sanitized. Recommended Mitigation Steps While the interface itself needs to be updated in its dedicated finding, the code utilizing it should also be...