10190 matches found
Unrestricted access for request permission: Anyone can call requestPermissions in Operator.sol, PriceConfig.sol, TreasuryCustodian.sol, VoterRegistration.sol
Lines of code Vulnerability details Impact Anyone can call for requestPermissions. Proof of Concept Policies, Operator.sol, PriceConfig.sol, TreasuryCustodian.sol, VoterRegistration.sol are allowing for request permission to anyone. Please refer to the below lines of code of each policy,...
Invalid payout is accepted
Lines of code Vulnerability details Impact In callback function, getMarketInfoForPurchase also returns maxPayout as last argument. This is not compared against outputAmount which means if market asks for higher outputAmount then the contract will simply pay Similar instance Also check the...
ERC20 return value not checked and not compatible with tokens like USDT, OMG, etc
Lines of code Vulnerability details ERC20 return value not checked and not compatible with tokens like USDT, OMG, etc Detail The ERC20.transfer and ERC20.transferFrom functions return a boolean value indicating success. This parameter needs to be checked for success. Furthermore, some tokens like...
_getPriceDecimals() can return wrong decimal
Lines of code Vulnerability details Impact The decimal returned from function getPriceDecimals is used in function activate to create bond market. If the decimal is not accurate, the price for bond can be wrong, could result in: too low price: abnormal arbitrage opportunity and fund loss to the...
Multiple Withdrawal Attack Vector in TRSRY.sol
Lines of code Vulnerability details Impact Multiple Withdrawal Attack Vector in TRSRY.sol Proof of Concept The TRSRY.sol has setApprovalFor method to set approval for specific withdrawer addresses. The function is as below; function setApprovalFor address withdrawer, ERC20 token, uint256 amount...
USER CAN BLOCK GOVERNANCE VOTING BY SUBMITTING MULTIPLE PROPOSALS
Lines of code Vulnerability details Impact A user can submit multiple proposals and then endorse each one of them to be able to activate them, and because the Governance contract allows only one active proposal, this user will be able to always activate his proposals and thus not allowing any othe...
BondCallback Re-Entrancy vulnerability
Lines of code Vulnerability details Impact when withdraw reserves from TRSRY to msg.sender, it may go to other external uncontrollable contract logic if reserve token contract transferFrom function call to other contract, it will cause other market use this callback asset loss or this contract...
Operator role can update a policy without going through the governance / kernel update execution mechanism
Lines of code Vulnerability details Impact A privileged role can make contract updates that should go through governance Proof of Concept In OlympusDao updates to policies and modules are made by the kernel and are only callable by the governanceExecutors that only executes updates voted by the...
ERC20 transfer / transferFrom with not checked return value
Lines of code Vulnerability details ERC20 transfer / transferFrom with not checked return value Impact Not every ERC20 token follows OpenZeppelin's recommendation. It's possible inside ERC20 standard that a transferFrom doesn't revert upon failure but returns false. Code doesn't check return...
Lack of check if token is a contract
Lines of code Vulnerability details Impact TransferHelper.sol and solmate won't check if the token is a contract or not. A hacker could set traps for non existing tokens to steal future funds from users. Proof of Concept The safeTransfer functions used in the contract are wrappers around the...
Proposal functions are lacking access control for Governance.sol
Lines of code Vulnerability details Impact For the Governance.sol contract, the functions activateProposal and executeProposal can be called by anyone. Proof of Concept A malicious user could monitor the protocol DAO and activate or execute a proposal in a time not intended by the proposal...
Moving average precision is lost
Lines of code Vulnerability details Now the precision is lost in moving average calculations as the difference is calculated separately and added each time, while it typically can be small enough to lose precision in the division involved. For example, 10000 moves of 990 size, numObservations =...
Div by 0 can block functions such as updateMovingAverage
Lines of code Vulnerability details Prevent div by 0 Impact On several locations in the code precautions are taken not to divide by 0, because this will revert the code. However on some locations this isn't done. All these reverts can be caused by state variables assigned to 0 or with length 0, th...
Race condition produces DDOS on governance : 20% minority can block the other 80% from passing a proposal.
Lines of code Vulnerability details Impact An account controlling enough voting percentage to endorse a proposal can block an unwanted proposal from being activated. This can be done by frontrunning or by paying more for gas. There can only be one concurrent activated proposal so there is a race...
Privilege Escalation
Lines of code Vulnerability details Impact An attacker with permissions to the INSTR.store function can obtain the "executor" and "admin" role. This implementation also gives space to human error because when the Kernel's executor changes, the permissions to INSTR.store needs to be changed manual...
[NAZ-M2] Centralization Risk with "voter_admin" Has The Ability To mintTo/BurnFrom Any Arbitrary Amount of VOTES
Lines of code Vulnerability details Impact "voter_admin" has the ability to mint/burn any arbitrary amount of VOTES. Creating a centralization risk that allows "voter_admin" to pass or veto any proposal. Proof of Concept 1. Alice submits a proposal that benefits the users at an expense of Mallory's...
User can get loan without debt
Lines of code Vulnerability details Impact User can get loan without permission and debt Proof of Concept TRSRY.withdrawReserves does same validation with TRSRY.getLoan and TRSRY.withdrawReserves does not have permissioned modifier, so anyone can get loan from Treasury without any permission and...
Governance wrong vote
Lines of code Vulnerability details Description There is a function vote in OlympusGovernance smart contract. This function must accept a vote for or against a proposal. But it is possible that someone will vote not for the proposal he expected: this is possible to activate another proposal using...
getLastPrice() return wrong price
Lines of code Vulnerability details Impact operate and addObservation both of them use PRICE.getLastPrice but it will return wrong price. So all the updates are just random prices Proof of Concept 1- keeper invoke beat on Heart.sol 2- this operator.operate; to trigger price range update and marke...
Cushion bond markets are opened at wall price rather than current price
Lines of code Vulnerability details Impact Incorrect initial bond market price Proof of Concept uint256 initialPrice = range.wall.high.price.mulDiv(bondScale, oracleScale); uint256 initialPrice = invWallPrice.mulDiv(bondScale, oracleScale); In the above lines the initial prices are set to the wall...
Lock of voting power
Lines of code Vulnerability details Description There is a function vote in OlympusGovernance smart contract. It contains the logic for voting on proposals. In the case of failed vote voters' tokens will remain on the balance of OlympusGovernance until the activation of the new proposal. But for...
DDOS to withdraw funds
Lines of code Vulnerability details Impact DDOS to approval / withdraw mechanism Proof of Concept If someone who's not a policy is given the approval to withdraw funds by the custodian with the grantApproval function anyone can revoke his approval and prevent him from withdrawing funds from the...
Governance: users cannot endorse if they voted, which may cause deadlock
Lines of code Vulnerability details Impact It may cause a deadlock situation Condition: there is no proposal with enough endorsement majority depending on the endorsement threshold of votes are locked in the current proposal The votes for the current proposal are balanced between for and against ...
Olympus votes can be locked in OlympusGovernance contract
Lines of code Vulnerability details Impact Olympus votes can be locked in Governance.sol OlympusGovernance contract. Proof of Concept When a user votes for a proposal, their current balance of VOTE is transferred to the OlympusGovernance contract. Those votes can be reclaimed once the proposal is...
permissioned modifier has a mismatch with TRSRY.withdrawReserves
Lines of code Vulnerability details Proof of Concept TRSRY.withdrawReserves is used in two policies: BondCallback and Operator. Permission is added in BondCallback, but not in Operator. And actually TRSRY.withdrawReserves does not have permissioned modifier, and there is no problem here. But...
Governance functions relies on the proposal Id which says nothing about the proposal content
Lines of code Vulnerability details Impact There are submitProposal/endorseProposal/activateProposal functions on the Governance smart contract. The functions accept the proposed, which does not contain any information about the proposal. As a result, transactions of users can be front-ran. Proof...
Treasury module is vulnerable to cross-contract reentrancy
Lines of code Vulnerability details Impact An attacker can pay back their loan to the treasury module with protocol-owned tokens. This will cause their loan to decrease despite the protocol won't be given funds for it. Proof of Concept The code first measures the number of tokens in the treasury,...
Check additional fields returned by latestRoundData to ensure price data is not stale/incorrect
Lines of code Vulnerability details Impact Not checking additional fields returned by Chainlink might cause incorrect prices being processed. Proof of Concept The only values being check from latestRoundData are price and updatedAt. File: src/modules/PRICE.sol 161: , int256 ohmEthPriceInt, ,...
Reentrancy in repayLoan
Lines of code Vulnerability details Reentrancy in repayLoan Impact token.safeTransferFrom is called and after that state with the value is calculated, if token can be a wrong or compromised contract this would lead to a classic reentrancy attack that would transfer more from the balance than...
User Votes will stuck
Lines of code Vulnerability details Impact Due to insufficient checks User will not be able to withdraw their Votes after a non successful proposal. 1. The effect could be permanent if majority vote holders participated in the proposal, such that new proposal can't be created due to no one having...
Possibility of unfair voting
Lines of code Vulnerability details Impact The proposal could never get the THRESHOLD Proof of Concept On VoterRegistration.sol: 1- the voter_admin could mint issueVotesTo unlimited tokens to address0 or any address On Governance.sol: 2- this will affect the totalSupply so no one can execute...
Checked range.low.market and range.high.market can be deliver wrong return
Lines of code Vulnerability details Impact Deactived checked can be deliver wrong return Proof of Concept When auctioneer was live, so range.low.market and range.high.market was checked is back above the cushion and if the price is below the wall the only way was used && since if the case was the...
PRICE's getCurrentPrice() can return zero price
Lines of code Vulnerability details Currently no price validity check is performed in getCurrentPrice. This way zero ohmEthPriceFeed.latestRoundData produced prices will yield zero getCurrentPrice which will be passed over to the logic. Also, negative OHM price or zero / negative reserve...
Swap at the lower cushion is impossible due to non approved withdrawal. Wrong implementation can cause free swaps.
Lines of code Vulnerability details Impact Currently it is not clear how the swap user is approved for withdrawing from treasury. Depending on implementation, user could swap without spending any tokens, due to approval mechanism in the TRSRY module. Description In the swap function it should be...
Upgraded Q -> M from 225 [1661964062759]
Judge has assessed an item in Issue 225 as Medium risk. The relevant finding follows:
Upgraded Q -> M from 253 [1661943600779]
Judge has assessed an item in Issue 253 as Medium risk. The relevant finding follows:
Upgraded Q -> M from 37 [1661964537299]
Judge has assessed an item in Issue 37 as Medium risk. The relevant finding follows:
Upgraded Q -> M from 61 [1661963759888]
Judge has assessed an item in Issue 61 as Medium risk. The relevant finding follows:
Upgraded Q -> M from 76 [1661962956364]
Judge has assessed an item in Issue 76 as Medium risk. The relevant finding follows:
Upgraded Q -> M from 57 [1661963466075]
Judge has assessed an item in Issue 57 as Medium risk. The relevant finding follows:
Upgraded Q -> M from 249 [1661962692824]
Judge has assessed an item in Issue 249 as Medium risk. The relevant finding follows:
Upgraded Q -> M from 44 [1661943686466]
Judge has assessed an item in Issue 44 as Medium risk. The relevant finding follows:
Upgraded Q -> M from 127 [1661943678709]
Judge has assessed an item in Issue 127 as Medium risk. The relevant finding follows:
Upgraded Q -> M from 97 [1661943666994]
Judge has assessed an item in Issue 97 as Medium risk. The relevant finding follows:
Upgraded Q -> M from 14 [1661943693368]
Judge has assessed an item in Issue 14 as Medium risk. The relevant finding follows:
taetaw
Lines of code L1 Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used Recommended Mitigation Steps --- Th...
Upgraded Q -> M from 144 [1661781003780]
Judge has assessed an item in Issue 144 as Medium risk. The relevant finding follows:
Upgraded Q -> M from 69 [1661781432655]
Judge has assessed an item in Issue 69 as Medium risk. The relevant finding follows:
Upgraded Q -> M from 239 [1661780295145]
Judge has assessed an item in Issue 239 as Medium risk. The relevant finding follows:
Upgraded Q -> M from 161 [1661780870133]
Judge has assessed an item in Issue 161 as Medium risk. The relevant finding follows: