10190 matches found
Collateral limit can be bypassed in auction
Lines of code Vulnerability details Collateral limit could be bypassed, allowing more collateral to be auctioned concurrently than intended by governance. // There is a limit on how much collateral can be concurrently put at auction, but it is a soft limit. // If the limit has been surpassed, no...
There is no boundaries for starting an auction.
Lines of code Vulnerability details Impact The team has brought this contest to be fairer to their users in terms of liquidation mechanism. Looking through this perspective, it can be developed more on the process to be much fairer to the users in volatile market conditions. Proof of Concept The...
Someone can create non-liquidatable auction if the collateral asset fails on transferring to address(0)
Lines of code Vulnerability details Impact might lead to systematic debt. Cause errors for liquidators to run normally. Proof of Concept In the function auction, there is on input validation around whether the to is address0 or not. and if the auctioneerReward is set to an value 0 as default, eac...
Upgraded Q -> M from 358 [1657932904826]
Judge has assessed an item in Issue 358 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
ladle address change can lead to fail other functionalities
Lines of code Vulnerability details Impact for ongoing auctions, it will not return any join. Proof of Concept Tools Used Manual Analysis Recommended Mitigation Steps add checks or set proper mechanism before change ladle address --- The text was updated successfully, but these errors were...
User can set auctioneer to address(0) to prevent vault from being liquidated
Lines of code Vulnerability details Impact Vault cannot be liquidated Proof of Concept auction can be called with any address as the 'to' address. A majority of ERC20 tokens will revert if a transfer is initiated to address0, notably, including USDC. Since the auctioneer is paid each time a payme...
Attacker Can Front-run auction() To Modify Auctioneer Reward Receiver Address
Lines of code Vulnerability details Impact An attacker can front-run the auctioneerās call to auction with another address to to receive the auctioneer reward instead of the original caller. Proof of Concept 1. Alice wants to liquidate a specific vault. 2. Mallory observes Alice's auction...
Concurrently auctioned collateral limit can be gamed
Lines of code Vulnerability details Proof of concept: Letās say for collateral USDT we put a limit that maximum concurrent auctioned collateral can be 100,000 USDT. Now if there are two big vaults, one is 9,999 USDT and other is 100,000 USDT and they are both undercollateralized, now if someone...
Upgraded Q -> M from 279 [1657955636898]
Judge has assessed an item in Issue 279 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
Upgraded Q -> M from 190 [1657955157754]
Judge has assessed an item in Issue 190 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
Upgraded Q -> M from 233 [1657954928095]
Judge has assessed an item in Issue 233 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
Upgraded Q -> M from 153 [1657934352278]
Judge has assessed an item in Issue 153 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
Upgraded Q -> M from 358 [1657932899986]
Judge has assessed an item in Issue 358 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
Upgraded Q -> M from 253 [1657932408647]
Judge has assessed an item in Issue 253 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
Upgraded Q -> M from 253 [1657932404226]
Judge has assessed an item in Issue 253 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
Upgraded Q -> M from 316 [1657933321396]
Judge has assessed an item in Issue 316 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
Upgraded Q -> M from 306 [1657954489063]
Judge has assessed an item in Issue 306 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
Collateral limit can be exceeded on a new auction
Lines of code Vulnerability details Witch's auction checks the total collateral limit before updating the structure with the current auction's data. This way this limit end up not being respected in result of auction call and can be actually breached for an arbitrary big amount as auction.ink tha...
Upgraded Q -> M from 390 [1657876456166]
Judge has assessed an item in Issue 390 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
Not safe transferFrom
Lines of code Vulnerability details Impact The Safe library says: @dev Caution! This library won't check that a token has code, responsibility is delegated to the caller. But this check is not made in Swivel contract, so the Safe library it's prone to phantom methods attacks. Supposedly it is a...
Upgraded Q -> M from 228 [1657895129928]
Judge has assessed an item in Issue 228 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
Upgraded Q -> M from 330 [1657894715614]
Judge has assessed an item in Issue 330 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
Swivel.setFee() is implemented wrongly.
Lines of code Vulnerability details Impact Swivel.setFee is implemented wrongly. Swivel.feenominators won't be set as expected. Proof of Concept This function has a parameter "i" for the index of the new fee denomination but it isn't used during the update. Tools Used Solidity Visual Developer of...
Fee-on-transfer tokens not supported
Lines of code Vulnerability details Impact Incorrect accounting will lead to wrong assets distribution and some users gaining more and some users getting fewer tokens than they should. Proof of Concept Functions rely on user input to calculate distribution of tokens instead of relying on the...
minInkOut parameter will likely cause revert
Lines of code Vulnerability details Impact In payBase, the user is able to supply maxBaseIn and minInkOut params. There is logic in the function that if the user has attempted to send more base than the cauldron currently needs, then it only takes the amount of base necessary. // If offering too...
Funds can be stuck or lost if address(this)or address(0) is passed as to`
Lines of code Vulnerability details Impact Funds can be stuck or lost. Proof of Concept There is no checks to prevent to == addressthis or to == address0. This might lead to funds being stuck in the contract or lost. function auctionbytes12 vaultId, address to external returns DataTypes.Auction...
IF A SINGLE ORDER FAILS, THE WHOLE FUNCTION REVERTS
Lines of code Vulnerability details Impact If a single order of the orders array fails, the whole function initiate or exit reverts with no information about which was the vulnerable order, the only information given is an Exception with a code of 5 Proof of Concept Tools Used editor Recommended...
Incorrect check in ZcToken.withdraw and ZcToken.redeem leads to underlying tokens not being able to be transferred
Lines of code Vulnerability details Incorrect check in ZcToken.withdraw and ZcToken.redeem leads to underlying tokens not being able to be transferred In both ZcToken.withdraw and ZcToken.redeem, in the case where holder != msg.sender, a check of the msg.sender's ZcToken allowance is performed. B...
Wrong allowance logic
Lines of code Vulnerability details Impact The logic around the decrementing the allowance in the withdraw and redeem methods of the contract ZcToken are wrong implemented and cannot be used. Proof of Concept There are a Denial of Service in the withdraw and redeem methods of the ZcToken contract...
Implementation does not exist
Lines of code fd36ce96b46943026cb2dfcb76dfa3f884f51c18/Marketplace/MarketPlace.solL156 Vulnerability details Impact ZcToken.withdraw and ZcToken.redeem will be reverted. Proof of Concept In ZcToken.withdraw and ZcToken.redeem, it calls redeemer.authRedeem. redeemer can be MarketPlace here. But...
ISwivel.authRedeem() doesn't have an implementation in Swivel.sol
Lines of code Vulnerability details Impact ZcToken.withdraw and ZcToken.redeem will always revert because Swivel.sol doesn't contain authRedeem function. Proof of Concept ZcToken.withdraw and ZcToken.redeem call MarketPlace.authRedeem and ISwivelswivel.authRedeem isn't implemented. I think...
Invalid testing of allowance in ZcToken.withdraw and ZcToken.redeem
Lines of code Vulnerability details Impact / Description In the ZcToken contract, the withdraw and redeem methods both support being called from an other account with an appropriate allowance set, but these functions fail to properly validate allowance. The problem is the condition allowed = amou...
VaultTracker miscalculates compounding interest
Lines of code Vulnerability details Impact VaultTracker neglect previously accrued interest while attempting to calculate new interest. This causes nToken holders to receive less yield than they should. All functions within VaultTracker that calculate interest are affected, including addNotional,...
Functions of MarketPlace.sol will always revert
Lines of code Vulnerability details Impact Functions which call VaultTracker admin functions e.g. addNotional from MarketPlace will always revert since the admin is Creator. Proof of Concept VaultTracker.sol has an authorizedadmin modifier which only allows admin to call these functions. And the...
Error in allowance logic
Lines of code Vulnerability details Impact There is an error in the allowance functionality to allow a non-owner to withdraw or redeem ZcTokens for the owner. Taking ZcToken.redeem as an example, behold the following if/else block: if holder == msg.sender return redeemer.authRedeemprotocol,...
MarketPlace - authRedeem does not work
Lines of code Vulnerability details Impact The redeem process looks broken, impacting one of the core functionality of the protocol. Proof of Concept The redeem process is the following: User calls redeem or withdraw in ZcToken, which forwards the call to MarketPlace, which calls...
Upgraded Q -> M from 219 [1657897148559]
Judge has assessed an item in Issue 219 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
Upgraded Q -> M from 219 [1657897144347]
Judge has assessed an item in Issue 219 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
Upgraded Q -> M from 163 [1657895636410]
Judge has assessed an item in Issue 163 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
Upgraded Q -> M from 163 [1657895640147]
Judge has assessed an item in Issue 163 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
Upgraded Q -> M from 330 [1657894711383]
Judge has assessed an item in Issue 330 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
Upgraded Q -> M from 330 [1657894706461]
Judge has assessed an item in Issue 330 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
Upgraded Q -> M from 277 [1657879288067]
Judge has assessed an item in Issue 277 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
Upgraded Q -> M from 277 [1657879283610]
Judge has assessed an item in Issue 277 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
Upgraded Q -> M from 118 [1657878801501]
Judge has assessed an item in Issue 118 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
Upgraded Q -> M from 390 [1657876451641]
Judge has assessed an item in Issue 390 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
ZcToken.withdraw() and ZcToken.redeem() will always revert when msg.sender != holder.
Lines of code Vulnerability details Impact ZcToken.withdraw and ZcToken.redeem will always revert when msg.sender != holder. These 2 functions will work only when users withdraw/redeem from their balances. Proof of Concept When we check allowance here, it reverts when allowance is greater than...
Accidentally cancel order
Lines of code Vulnerability details Accidentally cancel order Impact Some market maker's limit order might be accidentally cancelled, and has to be resubmitted again. If the user did not do this on purpose, without knowing the fact that the order has been cancelled, it may lead to unexpected...
Upgraded Q -> M from 340 [1657877639047]
Judge has assessed an item in Issue 340 as Medium risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
zcTokens cannot be redeemed through authRedeemZcToken()
Lines of code Vulnerability details Impact The description of the function says "Allows users to redeem zcTokens and withdraw underlying, boiling up from the zcToken instead of starting on Swivel". In order for the function to be called, it needs to pass the modifier authorizedmarketPlace, where...