Lucene search

10190 matches found

Code423n4
• added 2022/10/25 12:0 a.m. • 12 views

untyped data signing

Lines of code Vulnerability details in function deployHolographableContract the bytes32 hash is directly encoded without adding any domain separator. This will cause several issues: an attacker can front run the signature and use them on same contract on another chain. E.g. a user wants to call...

AI score: 7.2
Exploits: 0

Code423n4
• added 2022/10/25 12:0 a.m. • 5 views

MED: HolographOperator.sol 's resetOperator() function allows malicious or hacked admin to permanently freeze operator's bonded tokens.

Lines of code Vulnerability details Description In HolographOperator, the following function is implemented: function resetOperator uint256 blockTime, uint256 baseBondAmount, uint256 podMultiplier, uint256 operatorThreshold, uint256 operatorThresholdStep, uint256 operatorThresholdDivisor external...

AI score: 6.8
Exploits: 0

Code423n4
• added 2022/10/24 12:0 a.m. • 13 views

Upgraded Q -> H from 744 [1666621202565]

Judge has assessed an item in Issue 744 as High risk. The relevant finding follows: 1. writeCheckpoint will fail to insert an initial checkpoint Due to solidity 0.8 overflow/underflow protection, accessing checkpointstoTokenIdnCheckpoints - 1 will throw if nCheckpoints == 0. As it is not possible...

AI score: 6.8
Exploits: 0

Code423n4
• added 2022/10/24 12:0 a.m. • 11 views

Selftransfer increases balance by sent amount.

Link to code Impact When a malicious user decides to send LBTokens to their own address they will increase their own balance by the sent amount. Vulnerable function transfer is reachable via the public functions safeBatchTransferFrom and safeTransferFrom. L187 effectively saves toBalance before...

AI score: 7
Exploits: 0

Code423n4
• added 2022/10/24 12:0 a.m. • 22 views

LBRouter's swapAVAXForExactTokens is unavailable when any extra AVAX funds supplied

swapAVAXForExactTokens logic includes transferring out the excess amount of the native funds supplied by a caller. However, amountsIn0 - msg.value amount that swapAVAXForExactTokens calculates for transfer out is negative. The reason is the inverted amount calculation, i.e. according to the logic...

AI score: 6.5
Exploits: 0

Code423n4
• added 2022/10/24 12:0 a.m. • 14 views

Duplicated / Split H -> H from 461 [1666620942709]

Judge has assessed an item in Issue 461 as High risk. The relevant finding follows: Lines of code Vulnerability details Impact In VoteEscrowDelegation contract, the writeCheckpoint internal function has major logic errors which will make the delegate external function to always revert. Proof of...

AI score: 6.9
Exploits: 0

Code423n4
• added 2022/10/24 12:0 a.m. • 11 views

Duplicated / Split H -> H from 625 [1666621826143]

Judge has assessed an item in Issue 625 as High risk. The relevant finding follows: Lines of code Vulnerability details storage used in VoteEscrow, modifying data it shouldn't, and vice versa In both the functions delegate and removeDelegation and removeElement, a storage var is used, causing to...

AI score: 7
Exploits: 0

Code423n4
• added 2022/10/23 12:0 a.m. • 11 views

ReserveRate doesn't always work as expected

Lines of code Vulnerability details Impact Reserve NFTs are not available as expected Proof of Concept uint256 numberOfNonReservesMinted = storedTier.initialQuantity - storedTier.remainingQuantity - reserveTokensMinted; uint256 numerator = uint256numberOfNonReservesMinted storedTier.reservedRate;...

AI score: 6.9
Exploits: 0

Code423n4
• added 2022/10/23 12:0 a.m. • 8 views

Token balance duplication if from==to

Lines of code Vulnerability details Impact In LBToken.transfer balances of from and to are stored in temporary variables and after the subtraction, addition operation the results are written to storage. In the second operation since the original balance is used in the addition operation, if from =...

AI score: 6.6
Exploits: 0

Code423n4
• added 2022/10/23 12:0 a.m. • 13 views

Missing input validation can lead to accidental burning of tokens

Lines of code Vulnerability details Impact Some token transfers do not check that the receiving address is not the zero address. This can lead to an unintended burning of tokens. Proof of Concept 1. Assume Alice uses a web3 frontend to interact with a DAI/USDT pool. 2. Alice wants to swap DAI for...

AI score: 6.8
Exploits: 0

Code423n4
• added 2022/10/23 12:0 a.m. • 16 views

divide-before-multiply in JBTiered721DelegateStore

Lines of code Vulnerability details Impact Performing multiplication before division can sometimes avoid loss of precision. The calculation of return numberReservedTokensMintable - reserveTokensMinted; results in granting a slightly higher value on each call. Proof of Concept Slither Command...

AI score: 7
Exploits: 0

Code423n4
• added 2022/10/23 12:0 a.m. • 9 views

Balance is not checked before reduction

Lines of code Vulnerability details Impact When decreasing the tier balance for the sender as follows, --tierBalanceOfmsg.senderfromtierId; it is not checked whether the balance is more than 0. So even the balance is 0, the transfer performs successfully, and results in wrong total supply and...

AI score: 6.8
Exploits: 0

Code423n4
• added 2022/10/23 12:0 a.m. • 11 views

NFT not minted when contributed via a supported payment terminal

Lines of code Vulnerability details Impact A contributor won't get an NFT they're eligible for if the payment is made through a payment terminal that's supported by the project but not by the NFT delegate. Proof of Concept A Juicebox project can use multiple payment terminals to receive...

AI score: 6.8
Exploits: 0

Code423n4
• added 2022/10/23 12:0 a.m. • 8 views

Need to check the validity of _blockNumber.

Lines of code Vulnerability details Impact The validity of blockNumber is not checked beforehand, and thus would result in runtime error. Proof of Concept Tools Used Recommended Mitigation Steps It is suggested to add the following codes before the linked code at if blockNumber = block.number...

AI score: 7
Exploits: 0

Code423n4
• added 2022/10/23 12:0 a.m. • 14 views

TokenHelper.sol#L40 : safeTransfer will revert due to insufficient gas.

Lines of code Vulnerability details Impact I am adding as high issue since most of the calling is done using the safeTransfer TokenHelper.solL40 : safeTransfer will revert due to insufficient gas. All the functions that are using the safeTransfer could fail due to insufficient gas. I see the...

AI score: 6.9
Exploits: 0

Code423n4
• added 2022/10/23 12:0 a.m. • 11 views

Unused return _launchProjectFor

Lines of code Vulnerability details Impact the function will push the return value on the stack, the caller will then adjust the stack frame accordingly, but won't copy the returned value from the stack into any variable. ignores return value by Proof of Concept The execution of the message call...

AI score: 6.8
Exploits: 0

Code423n4
• added 2022/10/23 12:0 a.m. • 11 views

Volatility update bypassed with small transactions

Lines of code Vulnerability details Impact Volatility, and by extension the fee rate increase due to volatility can be circumvented by starting swaps with a token amount. The volatility is accumulated only at specific intervals, similar to the cumulative number of bins crossed. This is an issue...

AI score: 6.7
Exploits: 0

Code423n4
• added 2022/10/23 12:0 a.m. • 13 views

Incorrect output amount calculation for Trader Joe V1 pools

Lines of code Vulnerability details Impact Output amount is calculated incorrectly for a Trader Joe V1 pool when swapping tokens across multiple pools and some of the pools in the chain are V1 ones. Calculated amounts will always be smaller than expected ones, which will always affect chained swa...

AI score: 6.7
Exploits: 0

Code423n4
• added 2022/10/23 12:0 a.m. • 8 views

LBPair.sol#L688 : Anyone can call the collectFees function and delete the other user's _unclaimedFees

Lines of code Vulnerability details Impact Malicious user can call the collectFees function with other user's address function collectFeesaddress account, uint256 memory ids who has valid claim and clear the unclaimedFees. This directly affecting the unclaimedFees of the other user. A valid user...

AI score: 6.8
Exploits: 0

Code423n4
• added 2022/10/23 12:0 a.m. • 10 views

Beneficiary loses credit when specifying payment with flag _dontMint = true

Lines of code Vulnerability details Impact In the function processPayment, it will use provided JBDidPayData to mint to the beneficiary. The payment can specify some flags to help guiding how balance will be used to mint. There is a flag dontMint indicating if the transaction should not mint...

AI score: 6.6
Exploits: 0

Code423n4
• added 2022/10/23 12:0 a.m. • 9 views

JB721Delegate#initialize _fundingCycleStore lack of zero address check can lead to redeployment

Lines of code Vulnerability details Impact initialize function does not check that fundingCycleStore is not zero. Given that state variable fundingCycleStore can not be set anywhere else, setting it to zero can lead to contract redeployment POC The deployer mistakenly call JB721Delegateinitialize...

AI score: 6.8
Exploits: 0

Code423n4
• added 2022/10/23 12:0 a.m. • 9 views

trader-joe-v2 does not provide any mechanism to handle the pairs with different decimal values.

Lines of code Vulnerability details Impact Joe could not be able to provide the swapping/staking for pair of tokens with different decimal values. Proof of Concept To my knowledge based on the code analysis, nowhere I saw the handling for pairs with different decimal values. Tools Used Vs code and joe...

AI score: 7
Exploits: 0

Code423n4
• added 2022/10/23 12:0 a.m. • 11 views

Unchecked math in LBToken.sol may cause overflow

Lines of code Vulnerability details Impact Affected code: Currently the safeTransferFrom function in LBToken.sol calls transfer which performs unchecked math to deal with user balances. This is what happens: unchecked balancesidfrom = fromBalance - amount; balancesidto = toBalance + amount; While...

AI score: 6.7
Exploits: 0

Code423n4
• added 2022/10/23 12:0 a.m. • 11 views

Future tier can be removed

Lines of code Vulnerability details Impact A newly created tier can be marked as removed right after it was added if this tier's ID was mistakenly removed earlier. Proof of Concept The recordRemoveTierIds function doesn't check whether a tier ID exists or not JBTiered721DelegateStore.solL890:...

AI score: 6.7
Exploits: 0

Code423n4
• added 2022/10/23 12:0 a.m. • 5 views

Error when calculating total redemption weight using the totalRedemptionWeight function

Lines of code Vulnerability details Impact When trying to calculate the total redemption weight named weight using the totalRedemptionWeight function the wrong tierId is passed to the function numberOfReservedTokensOutstandingFor which is responsible of determining the number of remaining reserve...

AI score: 6.7
Exploits: 0

Code423n4
• added 2022/10/23 12:0 a.m. • 18 views

Logical error in function getSwapOut

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. There is a logical error between lines 178-184 for function getSwapOut in contract LBRouter if amountIn != 0 activeId = LBPair.findFirstNonEmptyBinIduint24activeId, swapForY; else break; // end while if...

AI score: 7
Exploits: 0

Code423n4
• added 2022/10/23 12:0 a.m. • 10 views

Attacker can steal entire reserves by abusing fee calculation

Lines of code Vulnerability details Description Similar to other LP pools, In Trader Joe users can call mint to provide liquidity and receive LP tokens, and burn to return their LP tokens in exchange for underlying assets. Users collect fees using collectFessaccount,binID. Fees are implemented...

AI score: 7.1
Exploits: 0

Code423n4
• added 2022/10/23 12:0 a.m. • 6 views

JBTiered721DelegateStore#totalRedemtionWeight contains critical tierID mismatch

Lines of code Vulnerability details Impact Loss of redemption functionality or incorrect redemptions Proof of Concept for uint256 i; i maxTierId; // Keep a reference to the stored tier. storedTier = storedTierOfnfti + 1; // Add the tier's contribution floor multiplied by the quantity minted. weig...

AI score: 6.4
Exploits: 0

Code423n4
• added 2022/10/23 12:0 a.m. • 7 views

Transferring funds to yourself increases your balance

Lines of code Vulnerability details Impact Using temporary variables to update balances is a dangerous construction that has led to several hacks in the past. Here, we can see that toBalance can overwrite fromBalance: File: LBToken.sol 176: function transfer 177: address from, 178: address to, 17...

AI score: 6.7
Exploits: 0

Code423n4
• added 2022/10/23 12:0 a.m. • 7 views

When admin sets fee parameters on a pair, it is guaranteed to corrupt the critical static fee parameters.

Lines of code Vulnerability details Description Factory owner can configure fee parameters of any pair using setFeesParametersOnPair. The actual change in pair storage happens in setFeeParameters: function setFeesParametersbytes32 packedFeeParameters internal bytes32 feeStorageSlot; assembly...

AI score: 6.8
Exploits: 0

Code423n4
• added 2022/10/23 12:0 a.m. • 10 views

Redemption weight of tiered NFTs miscalculates, making users redeem incorrect amounts - Bug #1

Lines of code Vulnerability details Description Redemption weight is a concept used in Juicebox to determine investor's eligible percentage of the non-locked funds. In redeemParams, JB721Delegate calculates user's share using: uint256 redemptionWeight = redemptionWeightOfdecodedTokenIds; uint256...

AI score: 6.5
Exploits: 0

Code423n4
• added 2022/10/23 12:0 a.m. • 10 views

Loss of user funds by balance manipulation

Lines of code Vulnerability details Impact Breaking of the accounting logic, loss of user funds Proof of Concept The project uses LBPair's mint function to mint LBTokens to the user with additional safety checks when the user provides liquidity to the pair...

AI score: 7.2
Exploits: 0

Code423n4
• added 2022/10/23 12:0 a.m. • 21 views

LBPair swap() can be front-runned, a malicious attacker can call swap with higher gas than a user, getting the user swap amount transferred to the attacker address

Lines of code Vulnerability details Impact In the LBPair.sol contract, when a user calls swap after transferring tokens to the Pair, a malicious attacker can front-run that tx then call swap on the same pair with the parameter to changed to a malicious address of his choice, paying a higher gas...

AI score: 7
Exploits: 0

Code423n4
• added 2022/10/23 12:0 a.m. • 7 views

Miss tier 0 when looping through all tiers

Lines of code Vulnerability details Impact Miss tier 0 when looping through all tiers, which will result in wrong data as not all tiers data are counted. Proof of Concept Tools Used Recommended Mitigation Steps Include the tier 0 when looping through all tiers and modify the codes to as follows:...

AI score: 6.9
Exploits: 0

Code423n4
• added 2022/10/23 12:0 a.m. • 8 views

The tier reserved rate is not validated and can surpass JBConstants.MAX_RESERVED_RATE

Lines of code Vulnerability details If the reserved rate of a tier is set to a value JBConstants.MAXRESERVEDRATE, the JBTiered721DelegateStore.numberOfReservedTokensOutstandingFor function will return way more outstanding reserved tokens up to 6 times more than allowed - 2^16 - 1 due to the manua...

AI score: 6.9
Exploits: 0

Code423n4
• added 2022/10/23 12:0 a.m. • 6 views

Redemption weight of tiered NFTs miscalculates, making users redeem incorrect amounts - Bug #2

Lines of code Vulnerability details Description This is another bug in the redemption weight calculation mechanism discussed in an issue with the same title. I recommend to read that first for context. Let's look at DelegateStore's totalRedemptionWeight implementation again: for uint256 i; i...

AI score: 6.5
Exploits: 0

Code423n4
• added 2022/10/23 12:0 a.m. • 6 views

Reserved token rounding can be abused to honeypot and steal user's funds

Lines of code Vulnerability details Description When the project wishes to mint reserved tokens, they call mintReservesFor which allows minting up to the amount calculated by DelegateStore's numberOfReservedTokensOutstandingFor. The function has this line: // No token minted yet? Round up to 1. i...

AI score: 6.8
Exploits: 0

Code423n4
• added 2022/10/23 12:0 a.m. • 10 views

Beneficiary credit balance can unwillingly be used to mint low tier NFT

Lines of code Vulnerability details Impact In the function processPayment, it will use provided JBDidPayData from JBPaymentTerminal to mint to the beneficiary. The value from JBDidPayData will be sum up with previous credits balance of beneficiary. There are 2 cases that beneficiary credit balanc...

AI score: 6.7
Exploits: 0

Code423n4
• added 2022/10/23 12:0 a.m. • 5 views

JoeLibrary.sol#L19 : quote does not follow the constant sum formula to get the reserve value

Lines of code Vulnerability details Impact The quoted reserve value is not based on the constant sum approach. It is based on constant product method. The quoted values are not correct for constant sum based approach. Proof of Concept As per the Joe documentation, it says that joe is based on...

AI score: 6.8
Exploits: 0

Code423n4
• added 2022/10/23 12:0 a.m. • 10 views

Deactivated tiers can still mint reserve tokens, even if no non-reserve tokens were minted.

Lines of code Vulnerability details Description Tiers in Juicebox can be deactivated using the adjustTiers function. It makes sense that reserve tokens may be minted in deactivated tiers, in order to be consistent with already minted tokens. However, the code allows the first reserve token to be...

AI score: 6.9
Exploits: 0

Code423n4
• added 2022/10/23 12:0 a.m. • 11 views

Wrong calculation in function LBRouter._swapSupportingFeeOnTransferTokens make amountOut of swap less than expected

Lines of code Vulnerability details Vulnerable detail Function LBRouter.swapSupportingFeeOnTransferTokens is a helper function to swap exact tokens supporting for a fee on transfer tokens. This function will check the pair of token and tokenNext is JoePair or LBPair using binStep. If binStep == 0...

AI score: 6.9
Exploits: 0

Code423n4
• added 2022/10/23 12:0 a.m. • 19 views

Wrong calculation in function LBRouter._getAmountsIn make user lose a lot of tokens when swap through JoePair (most of them will gifted to JoePair freely)

Lines of code Vulnerability details Vulnerable detail Function LBRouter.getAmountsIn is a helper function to return the amounts in with given amountOut. This function will check the pair of token and tokenNext is JoePair or LBPair using binStep. If binStep == 0, it will be a JoePair otherwise it...

AI score: 7.1
Exploits: 0

Code423n4
• added 2022/10/23 12:0 a.m. • 9 views

Uninitialized local variable uint256 _i

Lines of code Vulnerability details Impact Uninitialized local variable uint256 i is a variable that was declared inside a function but it was not assigned a value. It contains default value for that data type. Using an uninitialized variable in an expression may give unexpected results or cause...

AI score: 6.8
Exploits: 0

Code423n4
• added 2022/10/23 12:0 a.m. • 5 views

LBToken._transfer() won't work properly when _from == _to.

Lines of code Vulnerability details Impact LBToken.transfer won't work properly when from == to. Users can double their balances as they want by transferring the tokens to their accounts again. As a result, the token will be useless. Proof of Concept Inside the transfer, it uses fromBalance and...

AI score: 7
Exploits: 0

Code423n4
• added 2022/10/23 12:0 a.m. • 6 views

FAILED TRANSFER WITH LOW LEVEL CALL COULD BE OVERLOOKED

Lines of code Vulnerability details Impact There is possibility that failed transfer with low level call could be overlooked Proof of Concept Based on this Solidity official documentation Solidity The low-level functions call, delegatecall and staticcall return true as their first return value if...

AI score: 6.8
Exploits: 0

Code423n4
• added 2022/10/23 12:0 a.m. • 5 views

Minting and redeeming will break for fully minted tiers with reserveRate != 0 and reserveRate/MaxReserveRate tokens burned

Lines of code Vulnerability details Impact Minting and redeeming become impossible Proof of Concept uint256 numberOfNonReservesMinted = storedTier.initialQuantity - storedTier.remainingQuantity - reserveTokensMinted; uint256 numerator = uint256numberOfNonReservesMinted storedTier.reservedRate;...

AI score: 6.8
Exploits: 0

Code423n4
• added 2022/10/23 12:0 a.m. • 11 views

Anyone can steal all the non-fee balance in LBPair.sol

Lines of code Vulnerability details Proof of concept When a user wants to execute a directswap tx, the way to check the tokens that he put in for the swap is by this code uint256 amountIn = swapForY ? tokenX.receivedpair.reserveX, pair.feesX.total : tokenY.receivedpair.reserveY, pair.feesY.total;...

AI score: 7.1
Exploits: 0

Code423n4
• added 2022/10/23 12:0 a.m. • 5 views

No access control for function deployDeletateFor

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. There is no access control for the deployDelegateFor function, so anyone can call this function and initialize all the parameters for a project. Moreover, the caller can also transfer the owner to a...

AI score: 7.1
Exploits: 0

Code423n4
• added 2022/10/23 12:0 a.m. • 7 views

Wrong implementation of function LBPair.setFeeParameter can break the functionality of LBPair and make user's tokens locked

Lines of code Vulnerability details Vulnerable detail Struct FeeParameters contains 12 fields as follows: struct FeeParameters // 144 lowest bits in slot uint16 binStep; uint16 baseFactor; uint16 filterPeriod; uint16 decayPeriod; uint16 reductionFactor; uint24 variableFeeControl; uint16...

AI score: 6.6
Exploits: 0

Code423n4
• added 2022/10/23 12:0 a.m. • 6 views

Removing tiers that weren't added

Lines of code Vulnerability details Vulnerability details Description Function recordRemoveTierIds in the JBTiered721DelegateStore removes the tiers by their ids. Perhaps, there is no check that tier is already added. Please note, the only one require that this function performs: if...

AI score: 6.8
Exploits: 0

Total number of security vulnerabilities: 10190