10190 matches found
## block.timestamp used as time proxy
Lines of code Vulnerability details block.timestamp used as time proxy Summary: Risk of using block.timestamp for time should be considered. Details: block.timestamp is not an ideal proxy for time because of issues with synchronization, miner manipulation and changing block times. This kind of...
Unsafe downcast
Lines of code Vulnerability details Impact It's possible to generate silent overflows when downcasting. E.g. if the value if bigger than the type being cast, it will overflow starting from zero. Proof of concept For the Price.sol constructor, if observationFrequency is a small value and...
Proposals can be submitted and executed sucessfully when VOTES totalySupply is 0.
Lines of code Vulnerability details Impact When all contracts have been deployed and/or initialized, the OlympusVotes contract does not mint an initial token supply. This would allow users to be able to submit proposals, then vote and execute proposals if there has been no token supply totalSuppl...
getLastPrice() return wrong price
Lines of code Vulnerability details Impact operate and addObservation both of them use PRICE.getLastPrice but it will return wrong price. So all the updates are just random prices Proof of Concept 1- keeper invoke beat on Heart.sol 2- this operator.operate; to trigger price range update and marke...
Multiple Withdrawal Attack Vector in TRSRY.sol
Lines of code Vulnerability details Impact Multiple Withdrawal Attack Vector in TRSRY.sol Proof of Concept The TRSRY.sol has setApprovalFor method to set approval for specific withdrawer addresses. The function is as below; function setApprovalFor address withdrawer, ERC20 token, uint256 amount...
# ERC20 transfer / transferFrom with not checked return value
Lines of code Vulnerability details ERC20 transfer / transferFrom with not checked return value Impact Not every ERC20 token follows OpenZeppelin's recommendation. It's possible inside ERC20 standard that a transferFrom doesn't revert upon failure but returns false. Code doesn't check return...
[NAZ-M2] Centralization Risk with "voter_admin" Has The Ability To mintTo/BurnFrom Any Arbitrary Amount of VOTES
Lines of code Vulnerability details Impact "voteradmin" has the ability to mint/burn any arbitrary amount of VOTES. Creating a centralization risk that allows "voteradmin" to pass or veto any proposal. Proof of Concept 1. Alice submits a proposal that benefits the users at an expense of Mallory's...
Governance: users cannot endorse if they voted, which may cause deadlock
Lines of code Vulnerability details Impact It may cause a deadlock situation Condition: there is no proposal with enough endorsement majority depending on the endorsement threshold of votes are locked in the current proposal The votes for the current proposal are balanced between for and against ...
_movingAverage may drift
Lines of code Vulnerability details Impact The moving average is critical for the RBS-system. Its current calculation allows for compounding drift, randomly as well as maliciously, detaching from the true value, which invalidates the entire system, including affecting the way funds are handled...
Lack of check if token is a contract
Lines of code Vulnerability details Impact TransferHelper.sol and solmate won't check if the token is a contract or not. A hacker could set traps for non existing tokens to steal future funds from users. Proof of Concept The safeTransfer functions used in the contract are wrappers around the...
Unrestricted access for request permission :Any one can call requestPermissions in Operator.sol, PriceConfig.sol, TreasuryCustodian.sol, VoterRegistration.sol
Lines of code Vulnerability details Impact Anyone can call for requestPermissions. Proof of Concept Policies, Operator.sol, PriceConfig.sol, TreasuryCustodian.sol, VoterRegistration.sol are allowing for request permission to anyone. Please refer the below lines of codes of each polices,...
Moving average precision is lost
Lines of code Vulnerability details Now the precision is lost in moving average calculations as the difference is calculated separately and added each time, while it typically can be small enough to lose precision in the division involved. For example, 10000 moves of 990 size, numObservations =...
Proposal functions are lacking access control for Governance.sol
Lines of code Vulnerability details Impact For the Governance.sol contract, the functions activateProposal and executeProposal can be called by anyone. Proof of Concept An malicious user could monitor the protocal DAO and activate or execute a proposal in a time not intended by the proposal...
Governance functions relies on the proposal Id which says nothing about the proposal content
Lines of code Vulnerability details Impact There are submitProposal/endorseProposal/activateProposal functions on the Governance smart contract. The functions accept the proposed, which does not contain any information about the proposal. As a result, transactions of users can be front-ran. Proof...
User can get loan without dept
Lines of code Vulnerability details Impact User can get loan without permission and dept Proof of Concept TRSRY.withdrawReserves does same validation with TRSRY.getLoan and TRSRY.withdrawReserves does not have permissioned modifier, so anyone can get loan from Treasury without any permission and...
Div by 0 can block functions such as updateMovingAverage
Lines of code Vulnerability details Prevent div by 0 Impact On several locations in the code precautions are taken not to divide by 0, because this will revert the code. However on some locations this isn’t done. All this reverts can be caused by state variables assigned to 0 or with length 0, th...
permissioned modifier has a mismatch with TRSRY.withdrawReserves
Lines of code Vulnerability details Proof of Concept TRSRY.withdrawReserves is used in two polices: BondCallback and Operator. Permission is added in BondCallback, but not in Operator. And actually TRSRY.withdrawReserves does not have permissioned modifier, and there is no problem here. But...
TRSRY.sol is susceptible to ERC20 approve functionality front-running exploit
Lines of code Vulnerability details Proof of concept The problem is perfectly described here The tldr; is that if you approved a person to spend 100 tokens and then you want to decrease his allowance to 50, if he spends his 100 tokens allowance before you set his allowance to 50 he will be able t...
_getPriceDecimals() can return wrong decimal
Lines of code Vulnerability details Impact The decimal returned from function getPriceDecimals is used in function activate to create bond market. If the decimal is not accurate, the price for bond can be wrong, could result in: too low price: abnormal arbitrage opportunity and fund loss to the...
The users are not able to withdraw the swapped amount
Lines of code Vulnerability details Impact The user will invoke swap from Operator.sol to swap their OHM tokens. But he will transfer their OHM and will never get the AmountOut Proof of Concept On Operator.sol: 1- invoking swap with tokenIn == ohm 2- the ohm.safeTransferFrommsg.sender, addressthi...
Governance wrong vote
Lines of code Vulnerability details Description There is a function vote in OlympusGovernance smart contract. This function must accept a vote for or against a proposal. But it is possible that someone will wote not for the proposal he expected: this is possible to activate another proposal using...
Race condition produces DDOS on governance : 20% minority can block the other 80% from passing a proposal.
Lines of code Vulnerability details Impact An account controlling enough voting percentage to endorse a proposal can block an unwanted proposal from being activated. This can be done by frontrunning or by paying more for gas. There can only be one concurrent activated proposal so there is a race...
Reentrancy in repayLoan
Lines of code Vulnerability details Reentrancy in repayLoan Impact token.safeTransferFrom is called and after that state with the value is calcualted, if token can be a wrong or compromised contract this would lead to a clasic reentrancy attack that would transfer more from the balance than...
BondCallback Re-Entrancy vulnerability
Lines of code Vulnerability details Impact when withdraw reserves from TRSRY to msg.sender,it may go to other external uncontrollable contract logic if reserve token contract transferFrom function call to other contract ,it will cause other market use this callback asset loss or this contract...
In Governance.sol, it might be impossible to activate a new proposal forever after failed to execute the previous active proposal.
Lines of code Vulnerability details Impact Currently, if users vote for the active proposal, the VOTES are transferred to the contract so that users can't vote or endorse other proposals while the voted proposal is active. And the active proposal can be replaced only when the proposal is executed...
Treasury module is vulnerable to cross-contract reentrancy
Lines of code Vulnerability details Impact An attacker can pay back their loan to the treasury module with protocol-owned tokens. This will cause their loan to decrease despite the protocol won't be given funds for it. Proof of Concept The code first measures the number of tokens in the treasury,...
Swap at the lower cushion is impossible due to non approved withdrawal. Wrong implementation can cause free swaps.
Lines of code Vulnerability details Impact Currently it is not clear how the swap user is approved for withdrawing from treasury. Depending on implementation, user could swap without spending any tokens, due to approval mechanism in the TRSRY module. Description In the swap function it should be...
Non-standard/Malicious token transfers may cause loans not to be paid.
Lines of code Vulnerability details Impact Non-standard token transfers may cause loans not to be paid. Proof of Concept The TRSRY.sol has repayLoan function for the users to repay their loan as per the ERC20 token. The function is as below; function repayLoanERC20 token, uint256 amount external...
ERC20 return value not checked and not compatible with tokens like USDT, OMG, etc
Lines of code Vulnerability details ERC20 return value not checked and not compatible with tokens like USDT, OMG, etc Detail The ERC20.transfer and ERC20.transferFrom functions return a boolean value indicating success. This parameter needs to be checked for success. Furthermore, some tokens like...
[NAZ-M1] Chainlink's latestRoundData Might Return Stale Results
Lines of code Vulnerability details Impact Across these contracts, you are using Chainlink's latestRoundData API, but there is only a check on updatedAt. This could lead to stale prices according to the Chainlink documentation: Historical Price data Checking Your returned answers The result of...
USER CAN BLOCK GOVERNANCE VOTING BY SUBMITTING MULTIPLE PROPOSALS
Lines of code Vulnerability details Impact A user can submit multiple proposals and then endorse each one of them to be able to activate them, and because the Governance contract allow only one active proposal, this user will be able to always activate his proposals and thus not allowing any othe...
Invalid payout is accepted
Lines of code Vulnerability details Impact In callback function, getMarketInfoForPurchase also returns maxPayout as last argument. This is not compared against outputAmount which means if market asks for higher outputAmount then the contract will simply pay Similar instance Also check the...
User with 33% votes held can execute self-endorsed Proposal
Lines of code Vulnerability details Impact Two issues here with one being low/medium and another being high severity. Not sure if it should be put into 2 separate reports. For OlympusGovernance contract in Governance.sol , a Proposal submitter can self-endorse a proposal they submitted themselves...
DDOS to withdraw funds
Lines of code Vulnerability details Impact DDOS to approval / withdraw mechanism Proof of Concept If someone who's not a policy is given the approval to withdraw funds by the custodian with the grantApproval function anyone can revoke his approval and prevent him from withdrawing funds from the...
Upgraded Q -> M from 97 [1661943666994]
Judge has assessed an item in Issue 97 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
Upgraded Q -> M from 61 [1661963759888]
Judge has assessed an item in Issue 61 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
Upgraded Q -> M from 57 [1661963466075]
Judge has assessed an item in Issue 57 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
Upgraded Q -> M from 37 [1661964537299]
Judge has assessed an item in Issue 37 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
Upgraded Q -> M from 14 [1661943693368]
Judge has assessed an item in Issue 14 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
Upgraded Q -> M from 225 [1661964062759]
Judge has assessed an item in Issue 225 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
Upgraded Q -> M from 76 [1661962956364]
Judge has assessed an item in Issue 76 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
Upgraded Q -> M from 253 [1661943600779]
Judge has assessed an item in Issue 253 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
Upgraded Q -> M from 127 [1661943678709]
Judge has assessed an item in Issue 127 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
Upgraded Q -> M from 249 [1661962692824]
Judge has assessed an item in Issue 249 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
Upgraded Q -> M from 44 [1661943686466]
Judge has assessed an item in Issue 44 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
taetaw
Lines of code L1 Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used Recommended Mitigation Steps --- Th...
Upgraded Q -> M from 161 [1661780870133]
Judge has assessed an item in Issue 161 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
Upgraded Q -> M from 239 [1661780295145]
Judge has assessed an item in Issue 239 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
Upgraded Q -> M from 69 [1661781432655]
Judge has assessed an item in Issue 69 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
Upgraded Q -> M from 144 [1661781003780]
Judge has assessed an item in Issue 144 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...