
10190 matches found

Code423n4 • added 2022/07/17 12:00 a.m. • 8 views

Closing auction return value of cauldron is not checked

Lines of code Vulnerability details Impact When the auction is ended, cauldron gives vault id with related parameters. However, the return value is not checked on the cauldron. If the cauldron does not revert, the protocol can delete auction without functionality. Proof of Concept Tools Used Code...

AI score: 6.9 • Exploits: 0
Code423n4 • added 2022/07/17 12:00 a.m. • 11 views

Vault owners can grief auctioneers by cancelling auctions

Lines of code Vulnerability details Since auctioneers are only paid keeper incentives on successful bids, a malicious vault owner can grief auctioneers by creating a risky vault, luring an auctioneer to start an auction, and then immediately canceling it. This is a somewhat elaborate and risky...

AI score: 6.9 • Exploits: 0
Code423n4 • added 2022/07/17 12:00 a.m. • 13 views

Validation check for payFYToken and payBase functions to allow only valid users.

Lines of code Vulnerability details Impact This will prevent the functions from being called by invalid users. Unnecessary condition verification. Proof of Concept Tools Used Manual code review Recommended Mitigation Steps At the start of the functions, add validation check such that only the user who...

AI score: 7.1 • Exploits: 0
Code423n4 • added 2022/07/16 12:00 a.m. • 9 views

User can set auctioneer to address(0) to prevent vault from being liquidated

Lines of code Vulnerability details Impact Vault cannot be liquidated Proof of Concept auction can be called with any address as the 'to' address. A majority of ERC20 tokens will revert if a transfer is initiated to address(0), notably, including USDC. Since the auctioneer is paid each time a payme...

AI score: 6.8 • Exploits: 0
Code423n4 • added 2022/07/16 12:00 a.m. • 11 views

Upgraded Q -> M from 358 [1657932899986]

Judge has assessed an item in Issue 358 as Medium risk. The relevant finding follows: ...

AI score: 7 • Exploits: 0
Code423n4 • added 2022/07/16 12:00 a.m. • 8 views

Concurrently auctioned collateral limit can be gamed

Lines of code Vulnerability details Proof of concept: Let's say for collateral USDT we put a limit that maximum concurrent auctioned collateral can be 100,000 USDT. Now if there are two big vaults, one is 9,999 USDT and other is 100,000 USDT and they are both undercollateralized, now if someone...

AI score: 7 • Exploits: 0
Code423n4 • added 2022/07/16 12:00 a.m. • 8 views

Upgraded Q -> M from 316 [1657933321396]

Judge has assessed an item in Issue 316 as Medium risk. The relevant finding follows: ...

AI score: 7 • Exploits: 0
Code423n4 • added 2022/07/16 12:00 a.m. • 4 views

ladle address change can cause other functionalities to fail

Lines of code Vulnerability details Impact For ongoing auctions, it will not return any join. Proof of Concept Tools Used Manual Analysis Recommended Mitigation Steps Add checks or set a proper mechanism before changing the ladle address.

AI score: 7 • Exploits: 0
Code423n4 • added 2022/07/16 12:00 a.m. • 9 views

Upgraded Q -> M from 153 [1657934352278]

Judge has assessed an item in Issue 153 as Medium risk. The relevant finding follows: ...

AI score: 7 • Exploits: 0
Code423n4 • added 2022/07/16 12:00 a.m. • 10 views

Upgraded Q -> M from 233 [1657954928095]

Judge has assessed an item in Issue 233 as Medium risk. The relevant finding follows: ...

AI score: 7 • Exploits: 0
Code423n4 • added 2022/07/16 12:00 a.m. • 11 views

Upgraded Q -> M from 279 [1657955636898]

Judge has assessed an item in Issue 279 as Medium risk. The relevant finding follows: ...

AI score: 7 • Exploits: 0
Code423n4 • added 2022/07/16 12:00 a.m. • 11 views

Upgraded Q -> M from 253 [1657932404226]

Judge has assessed an item in Issue 253 as Medium risk. The relevant finding follows: ...

AI score: 7 • Exploits: 0
Code423n4 • added 2022/07/16 12:00 a.m. • 6 views

Upgraded Q -> M from 253 [1657932408647]

Judge has assessed an item in Issue 253 as Medium risk. The relevant finding follows: ...

AI score: 7 • Exploits: 0
Code423n4 • added 2022/07/16 12:00 a.m. • 9 views

Upgraded Q -> M from 306 [1657954489063]

Judge has assessed an item in Issue 306 as Medium risk. The relevant finding follows: ...

AI score: 7 • Exploits: 0
Code423n4 • added 2022/07/16 12:00 a.m. • 7 views

Upgraded Q -> M from 190 [1657955157754]

Judge has assessed an item in Issue 190 as Medium risk. The relevant finding follows: ...

AI score: 7 • Exploits: 0
Code423n4 • added 2022/07/16 12:00 a.m. • 6 views

Upgraded Q -> M from 358 [1657932904826]

Judge has assessed an item in Issue 358 as Medium risk. The relevant finding follows: ...

AI score: 7 • Exploits: 0
Code423n4 • added 2022/07/16 12:00 a.m. • 9 views

Attacker Can Front-run auction() To Modify Auctioneer Reward Receiver Address

Lines of code Vulnerability details Impact An attacker can front-run the auctioneer's call to auction with another address to receive the auctioneer reward instead of the original caller. Proof of Concept 1. Alice wants to liquidate a specific vault. 2. Mallory observes Alice's auction...

AI score: 6.7 • Exploits: 0
Code423n4 • added 2022/07/15 12:00 a.m. • 11 views

ISwivel.authRedeem() doesn't have an implementation in Swivel.sol

Lines of code Vulnerability details Impact ZcToken.withdraw and ZcToken.redeem will always revert because Swivel.sol doesn't contain authRedeem function. Proof of Concept ZcToken.withdraw and ZcToken.redeem call MarketPlace.authRedeem and ISwivel(swivel).authRedeem isn't implemented. I think...

AI score: 6.9 • Exploits: 0
Code423n4 • added 2022/07/15 12:00 a.m. • 9 views

IF A SINGLE ORDER FAILS, THE WHOLE FUNCTION REVERTS

Lines of code Vulnerability details Impact If a single order of the orders array fails, the whole initiate or exit function reverts with no information about which order was the vulnerable one; the only information given is an Exception with a code of 5 Proof of Concept Tools Used editor Recommended...

AI score: 6.9 • Exploits: 0
Code423n4 • added 2022/07/15 12:00 a.m. • 8 views

Funds can be stuck or lost if address(this) or address(0) is passed as `to`

Lines of code Vulnerability details Impact Funds can be stuck or lost. Proof of Concept There are no checks to prevent to == address(this) or to == address(0). This might lead to funds being stuck in the contract or lost. function auction(bytes12 vaultId, address to) external returns (DataTypes.Auction...

AI score: 6.8 • Exploits: 0
Code423n4 • added 2022/07/15 12:00 a.m. • 11 views

MarketPlace - authRedeem does not work

Lines of code Vulnerability details Impact The redeem process looks broken, impacting one of the core functionalities of the protocol. Proof of Concept The redeem process is the following: User calls redeem or withdraw in ZcToken, which forwards the call to MarketPlace, which calls...

AI score: 6.8 • Exploits: 0
Code423n4 • added 2022/07/15 12:00 a.m. • 10 views

Upgraded Q -> M from 163 [1657895636410]

Judge has assessed an item in Issue 163 as Medium risk. The relevant finding follows: ...

AI score: 7 • Exploits: 0
Code423n4 • added 2022/07/15 12:00 a.m. • 9 views

Upgraded Q -> M from 417 [1657853118593]

Judge has assessed an item in Issue 417 as Medium risk. The relevant finding follows: ...

AI score: 7 • Exploits: 0
Code423n4 • added 2022/07/15 12:00 a.m. • 4 views

Upgraded Q -> M from 219 [1657897148559]

Judge has assessed an item in Issue 219 as Medium risk. The relevant finding follows: ...

AI score: 7 • Exploits: 0
Code423n4 • added 2022/07/15 12:00 a.m. • 5 views

Upgraded Q -> M from 330 [1657894706461]

Judge has assessed an item in Issue 330 as Medium risk. The relevant finding follows: ...

AI score: 7 • Exploits: 0
Code423n4 • added 2022/07/15 12:00 a.m. • 9 views

Implementation does not exist

Lines of code fd36ce96b46943026cb2dfcb76dfa3f884f51c18/Marketplace/MarketPlace.sol#L156 Vulnerability details Impact ZcToken.withdraw and ZcToken.redeem will be reverted. Proof of Concept In ZcToken.withdraw and ZcToken.redeem, it calls redeemer.authRedeem. redeemer can be MarketPlace here. But...

AI score: 6.8 • Exploits: 0
Code423n4 • added 2022/07/15 12:00 a.m. • 14 views

zcTokens cannot be redeemed through authRedeemZcToken()

Lines of code Vulnerability details Impact The description of the function says "Allows users to redeem zcTokens and withdraw underlying, boiling up from the zcToken instead of starting on Swivel". In order for the function to be called, it needs to pass the modifier authorized(marketPlace), where...

AI score: 6.8 • Exploits: 0
Code423n4 • added 2022/07/15 12:00 a.m. • 7 views

Upgraded Q -> M from 277 [1657879288067]

Judge has assessed an item in Issue 277 as Medium risk. The relevant finding follows: ...

AI score: 7 • Exploits: 0
Code423n4 • added 2022/07/15 12:00 a.m. • 11 views

Not safe transferFrom

Lines of code Vulnerability details Impact The Safe library says: @dev Caution! This library won't check that a token has code, responsibility is delegated to the caller. But this check is not made in the Swivel contract, so the Safe library is prone to phantom method attacks. Supposedly it is a...

AI score: 6.7 • Exploits: 0
Code423n4 • added 2022/07/15 12:00 a.m. • 7 views

Upgraded Q -> M from 228 [1657895129928]

Judge has assessed an item in Issue 228 as Medium risk. The relevant finding follows: ...

AI score: 7 • Exploits: 0
Code423n4 • added 2022/07/15 12:00 a.m. • 7 views

Wrong allowance logic

Lines of code Vulnerability details Impact The logic around decrementing the allowance in the withdraw and redeem methods of the ZcToken contract is wrongly implemented and cannot be used. Proof of Concept There is a Denial of Service in the withdraw and redeem methods of the ZcToken contract...

AI score: 7.2 • Exploits: 0
Code423n4 • added 2022/07/15 12:00 a.m. • 7 views

Upgraded Q -> M from 219 [1657897144347]

Judge has assessed an item in Issue 219 as Medium risk. The relevant finding follows: ...

AI score: 7 • Exploits: 0
Code423n4 • added 2022/07/15 12:00 a.m. • 11 views

Cannot withdraw or redeem approved tokens

Lines of code Vulnerability details Title Cannot withdraw or redeem approved tokens Impact A contract/EOA which has been approved some ZcToken cannot redeem or withdraw the approved tokens since these functions always revert if msg.sender != holder. Proof of Concept In the withdraw function...

AI score: 6.8 • Exploits: 0
Code423n4 • added 2022/07/15 12:00 a.m. • 5 views

Upgraded Q -> M from 330 [1657894715614]

Judge has assessed an item in Issue 330 as Medium risk. The relevant finding follows: ...

AI score: 7 • Exploits: 0
Code423n4 • added 2022/07/15 12:00 a.m. • 4 views

Upgraded Q -> M from 163 [1657895640147]

Judge has assessed an item in Issue 163 as Medium risk. The relevant finding follows: ...

AI score: 7 • Exploits: 0
Code423n4 • added 2022/07/15 12:00 a.m. • 9 views

Upgraded Q -> M from 340 [1657877639047]

Judge has assessed an item in Issue 340 as Medium risk. The relevant finding follows: ...

AI score: 7 • Exploits: 0
Code423n4 • added 2022/07/15 12:00 a.m. • 11 views

Incorrect check for signature malleability

Lines of code Vulnerability details Impact Sig.recover has an incorrect check: c.v != 27 || c.v != 28. Thus, Sig.recover always reverts. Proof of Concept c.v != 27 || c.v != 28 is always true function recover(bytes32 h, Components calldata c) internal pure returns (address) // EIP-2 and malleable...

AI score: 7 • Exploits: 0
Code423n4 • added 2022/07/15 12:00 a.m. • 5 views

ZcToken.withdraw() and ZcToken.redeem() will always revert when msg.sender != holder.

Lines of code Vulnerability details Impact ZcToken.withdraw and ZcToken.redeem will always revert when msg.sender != holder. These 2 functions will work only when users withdraw/redeem from their balances. Proof of Concept When we check allowance here, it reverts when allowance is greater than...

AI score: 6.9 • Exploits: 0
Code423n4 • added 2022/07/15 12:00 a.m. • 6 views

Incorrect check in ZcToken.withdraw and ZcToken.redeem leads to underlying tokens not being able to be transferred

Lines of code Vulnerability details Incorrect check in ZcToken.withdraw and ZcToken.redeem leads to underlying tokens not being able to be transferred In both ZcToken.withdraw and ZcToken.redeem, in the case where holder != msg.sender, a check of the msg.sender's ZcToken allowance is performed. B...

AI score: 6.7 • Exploits: 0
Code423n4 • added 2022/07/15 12:00 a.m. • 5 views

Upgraded Q -> M from 118 [1657878801501]

Judge has assessed an item in Issue 118 as Medium risk. The relevant finding follows: ...

AI score: 7 • Exploits: 0
Code423n4 • added 2022/07/15 12:00 a.m. • 9 views

Allowance should always be larger than or equal to the transferred amount

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Wrong operators are set. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Line 111 - 115 if allowe...

AI score: 7 • Exploits: 0
Code423n4 • added 2022/07/15 12:00 a.m. • 8 views

Upgraded Q -> M from 277 [1657879283610]

Judge has assessed an item in Issue 277 as Medium risk. The relevant finding follows: ...

AI score: 7 • Exploits: 0
Code423n4 • added 2022/07/15 12:00 a.m. • 8 views

Error in allowance logic

Lines of code Vulnerability details Impact There is an error in the allowance functionality to allow a non-owner to withdraw or redeem ZcTokens for the owner. Taking ZcToken.redeem as an example, behold the following if/else block: if (holder == msg.sender) return redeemer.authRedeem(protocol,...

AI score: 6.7 • Exploits: 0
Code423n4 • added 2022/07/15 12:00 a.m. • 4 views

Functions of MarketPlace.sol will always revert

Lines of code Vulnerability details Impact Functions which call VaultTracker admin functions e.g. addNotional from MarketPlace will always revert since the admin is Creator. Proof of Concept VaultTracker.sol has an authorized(admin) modifier which only allows admin to call these functions. And the...

AI score: 6.9 • Exploits: 0
Code423n4 • added 2022/07/15 12:00 a.m. • 5 views

Swivel.sol is missing authRedeem() function called in Marketplace.sol

Lines of code Vulnerability details Impact A user redeems or withdraws from their ZcToken by calling ZcToken.withdraw or ZcToken.redeem. Both of these functions then call MarketPlace.authRedeem which in turn calls Swivel.authRedeem. The issue is that Swivel.sol does not have an authRedeem functio...

AI score: 6.8 • Exploits: 0
Code423n4 • added 2022/07/15 12:00 a.m. • 5 views

Upgraded Q -> M from 330 [1657894711383]

Judge has assessed an item in Issue 330 as Medium risk. The relevant finding follows: ...

AI score: 7 • Exploits: 0
Code423n4 • added 2022/07/15 12:00 a.m. • 10 views

With most functions in VaultTracker.sol, users can call them only once after maturity has been reached.

Lines of code Vulnerability details Impact With most functions in VaultTracker.sol, users can call them only once after maturity has been reached. So from the second call of any function after maturity, it will revert and users might lose their funds or interests. Proof of Concept The main probl...

AI score: 6.7 • Exploits: 0
Code423n4 • added 2022/07/15 12:00 a.m. • 8 views

Collateral limit can be exceeded on a new auction

Lines of code Vulnerability details Witch's auction checks the total collateral limit before updating the structure with the current auction's data. This way this limit ends up not being respected as a result of the auction call and can be actually breached for an arbitrary big amount as auction.ink tha...

AI score: 6.9 • Exploits: 0
Code423n4 • added 2022/07/15 12:00 a.m. • 4 views

Invalid testing of allowance in ZcToken.withdraw and ZcToken.redeem

Lines of code Vulnerability details Impact / Description In the ZcToken contract, the withdraw and redeem methods both support being called from another account with an appropriate allowance set, but these functions fail to properly validate allowance. The problem is the condition allowed = amou...

AI score: 7.1 • Exploits: 0
Code423n4 • added 2022/07/15 12:00 a.m. • 7 views

VaultTracker miscalculates compounding interest

Lines of code Vulnerability details Impact VaultTracker neglects previously accrued interest while attempting to calculate new interest. This causes nToken holders to receive less yield than they should. All functions within VaultTracker that calculate interest are affected, including addNotional,...

AI score: 6.7 • Exploits: 0