
10190 matches found

Code423n4
•added 2022/06/26 12:0 a.m.•6 views

Fee on transfer tokens not supported

Lines of code Vulnerability details Impact Fee on transfer tokens would lead to sellers getting more PT than what the pool has received in underlying as the difference in balance is not accounted for, only the a input. This is also true for mintWithUnderlying as minters get more in relation to th...

AI score: 6.8
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•6 views

Upgraded Q -> H from 222 [1656255302682]

Judge has assessed an item in Issue 222 as High risk. The relevant finding follows: L-02 totalAssets of erc4626 should never revert eip-4626 According to the spec, totalAssets of erc4626 should never revert MUST NOT revert. wfcash would revert if it's matured but hasn't settled...

AI score: 6.9
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•8 views

LiquidityReserve may break if underlying token is upgraded to have fees

Lines of code Vulnerability details Impact One of the tokens supported by this project is USDC, which is an upgradeable contract, and the code specifically casts addresses to IERC20Upgradeable rather than to IERC20, so the intention is for the code to support upgrades. If USDC ever upgrades to ha...

AI score: 7
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•11 views

Illuminate PT redeeming do not return underlying to a user

Lines of code Vulnerability details In the second step of two step redeeming process, the underlying funds should be located in the Redeemer contract as external system burned the shares the Redeemer obtained from the Lender contract and returned underlying to Redeemer. Then Redeemer's Illuminate...

AI score: 6.6
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•11 views

[PNM-003] _totalStakedBefore_ and _totalStakedAfter_ are the always the same

Lines of code Vulnerability details Description It can be medium or high according to the off-chain logic which is not available for the contest. Specifically, rebases can only be updated by function storeRebase and the only callsite of function storeRebase is in function rebase. While we have...

AI score: 6.8
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•7 views

arbitrage on stake()

Lines of code Vulnerability details Issue: there is a huge arb opportunity for people who deposit 1 block before the rebase Consequences: then they can call instantUnstakeReserve or instantUnstakeCurve to unstake the staked amount, in this way the profit that needs to be distributed on the next...

AI score: 6.6
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•11 views

No check for set with address(0)

Lines of code Vulnerability details Impact can mint and get approve from address 0. Proof of Concept function setMarketPlaceaddress m external authorizedadmin returns bool if marketPlace != address0 revert ExistsmarketPlace; marketPlace = m; return true; Tools Used None Recommended Mitigation Ste...

AI score: 7
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•9 views

User to lose all the funds when lend() to Swivel

Lines of code Vulnerability details function lend uint8 p, address u, uint256 m, uint256 memory a, address y, Swivel.Order calldata o, Swivel.Components calldata s public unpausedp returns uint256 // lent represents the number of underlying tokens lent uint256 lent; // returned represents the...

AI score: 6.7
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•3 views

[H-04] Some fees are locked on contract without ever being able to be collected

Lines of code Vulnerability details Proof of Concept The full amount a is transferFrom lender on L215 The amount - fee is invested on L219 and L229. Unlike other lend function, this one is missing crediting the project with the fees they entitled to. As a result, these fees cannot be collected vi...

AI score: 6.8
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•11 views

Unable to redeem from Notional

Lines of code Redeemer.solL193 Vulnerability details Impact The maxRedeem function is a view function which only returns the balance of the Redeemer.sol contract. After this value is obtained, the PT is not redeemed from Notional. The user will be unable to redeem PT from Notional through...

AI score: 6.9
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•11 views

[H-05] Not minting iPTs for lenders in several lend functions

Lines of code Vulnerability details Impact Using any of the lend function mentioned, will result in loss of funds to the lender - as the funds are transferred from them but no iPTs are sent back to them! Basically making lending via these external PTs unusable. Proof of Concept There is no mintin...

AI score: 6.8
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•11 views

Improper Upper Bound Definition on the Fee

Lines of code Vulnerability details Impact The feenominator does not have any upper or lower bounds. Values that are too large will lead to reversions in several critical functions or the platform user will lose all funds when paying the fee. Proof of Concept 1. Navigate to the following contract...

AI score: 6.9
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•9 views

Functions in the BatchRequests contract revert for removed contract addresses

Lines of code Vulnerability details Impact Removing Yieldy contract addresses from the contracts array with BatchRequests.removeAddress replaces the contract address with a zero-address due to how delete works. Each function that loops over the contracts array or accesses an array item by index,...

AI score: 6.7
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•8 views

instead of call() , transfer() is used to withdraw the ether

Lines of code Vulnerability details Impact To withdraw eth it uses transfer, this transaction will fail inevitably when : - The withdrawer smart contract does not implement a payable function. Withdrawer smart contract does implement a payable fallback which uses more than 2300 gas unit Thw...

AI score: 6.8
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•5 views

[M-04] Admin can lose control on the contract

Lines of code Vulnerability details Proof of Concept The setAdmin function is too loose, if no one have access to the address passed in this function, the whole project is stuck - cannot withdraw funds or fees, cannot create new markets, etc. Recommended Mitigation Steps Change setAdmin in favour...

AI score: 6.8
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•10 views

In Notional case Redeemer's redeem() will not do the position redeeming

Lines of code Vulnerability details Currently no actual redeeming is done in Notional case as maxRedeem is a balance view function that doesn't close the position. This way one more operation, the redeeming itself, is now committed and in Notional case Redeemer's redeem doesn't perform anything,...

AI score: 6.7
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•10 views

Upgraded Q -> M from 104 [1656258768065]

Judge has assessed an item in Issue 104 as Medium risk. The relevant finding follows: L01: Silent overflow of fCashAmount Line References Description If a fCashAmount value that is greater than uint88 is passed into the mint function, downcasting it to uint88 will silently overflow. Recommended...

AI score: 7.1
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•11 views

Staking.setCurvePool() doesn't approve allowance when changes CURVE_POOL.

Lines of code Vulnerability details Impact Staking.setCurvePool doesn't approve allowance when changes CURVEPOOL. It will affect when users exchange asset through CURVEPOOL. Proof of Concept When initialize the contract, Staking contract approves CURVEPOOL here. But when admin updates CURVEPOOL...

AI score: 6.9
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•15 views

Redeemer.sol#redeem() can be called by anyone before maturity, which may lead to loss of user funds

Lines of code Vulnerability details function redeem uint8 p, address u, uint256 m public returns bool // Get the principal token that is being redeemed by the user address principal = IMarketPlacemarketPlace.marketsu, m, p; // Make sure we have the correct principal if p !=...

AI score: 7
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•7 views

if attacker gets admin private key then he can drain all the tokens that Lender.sol contract holds

Lines of code Vulnerability details Impact if attacker gets admin private key then he can drain all the tokens that Lender.sol contract holds Recommended Mitigation Steps make it harder for admin to do this with some internal sec requirements --- The text was updated successfully, but these error...

AI score: 6.9
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•9 views

Unsafe transferFrom()

Lines of code Vulnerability details Impact Yieldy.transferFrom returns false on failure instead of reverting. This might lead to moveFundsToUpgradedContract incorrectly unstaking and restaking tokens, potentially causing user or Migration.sol to lose funds depending on NEWCONTRACT and OLDCONTRACT...

AI score: 6.8
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•6 views

wrong passing value in rebase function

Lines of code Vulnerability details Impact wrong information in rebases array Proof of concept rebase function should pass the totalStakedBefore the totalSupply before adding the profit to function storeRebase, but as in the code rebase pass the updatedTotalSupply Tools Used Manual review...

AI score: 6.7
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•9 views

Yieldy._storeRebase() saves and emits wrong values.

Lines of code Vulnerability details Impact Yieldy.storeRebase saves and emits wrong values. I don't think the asset will be lost directly because of this but the rebase storage will have wrong values and it might affect the system later. Proof of Concept The previousCirculating must be a previous...

AI score: 6.9
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•18 views

Centralization Risk On The Withdraw Operation

Lines of code Vulnerability details Impact During the code review, It has been observed that admin can withdraw all tokens from the system. Proof of Concept 1. Navigate to the following contract : Tools Used Code Review Recommended Mitigation Steps We advise the client to carefully manage the adm...

AI score: 6.9
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•8 views

Sandwich attacks are possible as there is no slippage control option in Marketplace and in Lender yield swaps

Lines of code Vulnerability details Swapping function in Marketplace and Lender's yield can be sandwiched as there is no slippage control option. Trades can happen at a manipulated price and end up receiving fewer tokens than current market price dictates. Placing severity to be medium as those a...

AI score: 6.8
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•15 views

griefing on claim()

Lines of code Vulnerability details Issue: griefing can happen if coolDownPeriod is 0 due to the fact that you can stake for someone else, whenever a stake happens, the expiry variable increases with coolDownPeriod. This can be done either by watching the mempool and frontrun a stake when someone...

AI score: 6.9
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•6 views

Upgraded Q -> H from 104 [1656255316696]

Judge has assessed an item in Issue 104 as High risk. The relevant finding follows: L02: Incompatibility with ERC-4626 Line References Description The EIP-4626 specification requires that totalAssets to NOT revert, but the current implementation does so in the underlying methods: int256...

AI score: 7
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•6 views

Inaccurate fee calculation

Lines of code Vulnerability details Impact The equation in the calculateFee function has a high degree of inaccuracy. Solidity uses integers; when dividing one uint256 by another uint256, the division takes the floor number and ignores the decimal part. For example: a = 1999 ETH feenominator = 1000 the retu...

AI score: 6.8
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•13 views

Illuminate PT redeeming allows for burning from other accounts

Lines of code Vulnerability details Illuminate PT burns shares from a user supplied address account instead of user's account. With such a discrepancy a malicious user can burn all other's user shares by having the necessary shares on her balance, while burning them from everyone else. Setting th...

AI score: 6.6
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•5 views

[M-01] Cannot set or change curve pool after initialization

Lines of code Vulnerability details Impact Inability to set or change curve pool after initialization will hurt the project liquidity and block the ability to instant unstake from curve. Approving the CURVEPOOL address is done only on initialize and only if non zero address supplied. When using...

AI score: 6.8
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•5 views

Front running Staking can bypass warmUpPeriod

Lines of code Vulnerability details Impact Yieldy implements a warmUpPeriod to prevent new stakers from using freshly minted yieldy tokens in the Staking.sol contract. warmUpPeriod is not initialised in the contract initialisation therefore a user can frontrun when the onlyOwner calls...

AI score: 7
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•8 views

_storeRebase() is called with the wrong parameters

Lines of code Vulnerability details storeRebase's signature is as such: Yieldy.solstoreRebase File: Yieldy.sol 104: / 105: @notice emits event with data about rebase 106: @param previousCirculating uint 107: @param profit uint 108: @param epoch uint 109: / 110: function storeRebase 111: uint256...

AI score: 6.8
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•11 views

[H-03] Attacker can mint unbound amount of iPTs (on APWine)

Lines of code Vulnerability details Note that I've reported a similar vulnerability, on a different 'Principals' and POC\attack vector is a bit different. I will leave it to the judge to decide if these should be grouped as 1 report or not - but I wanted to be specific at the POC instead of...

AI score: 6.9
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•16 views

Yieldy: WarmUp expiry can be prolonged by staking from somebody else

WarmUp expiry can be prolonged by staking from somebody else Staking.sol:406 Staking.sol:439-444 Staking.sol:691 Impact When warmUpPeriod is greater than 1, a third person can stake to the victim to prolong the warmUp expiry. The expiry prolongation also happens with cool down, although a third...

AI score: 6.8
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•7 views

Transfer the principal token from the lender contract to here but actually transfer underlying token

Lines of code Vulnerability details Impact Transfer the principal token from the lender contract to here but actually transfer underlying token from lender to redeemer. Proof of Concept // Transfer the principal token from the lender contract to here Safe.transferFromIERC20u, lender, addressthis,...

AI score: 6.8
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•10 views

Fund migration should trigger a rebase to prevent missing out on potential rewards

Lines of code Vulnerability details Impact Rebasing allows the protocol to "distribute" profit/rewards to Yieldy and Foxy token holders by increasing the supply of tokens and increasing the balance of each token holder relative to the token balance creditBalances. The order of rebasing and...

AI score: 6.8
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•7 views

IStaking(contracts[i]).canBatchContracts() will revert due to the fact that contracts[i] can contain address(0)

Lines of code Vulnerability details Issue: canBatchContracts will revert due to the fact that contractsi can contain address0 as an address which will revert the whole call. Affected Code File: BatchRequests.sol 33: function canBatchContracts external view returns Batch memory 34: uint256...

AI score: 6.8
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•4 views

Upgraded Q -> M from 150 [1656258796240]

Judge has assessed an item in Issue 150 as Medium risk. The relevant finding follows: Unsafe casting may overflow SafeMath and Solidity 0.8. handles overflows for basic math operations but not for casting. Consider using OpenZeppelin's SafeCast library to prevent unexpected overflows when casting...

AI score: 6.8
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•9 views

Call to lend() function can be frontrunned with fee increase

Lines of code Vulnerability details Impact Malicious admin could frontrun users lend transaction anytime and set feenominator to any value using setFee and bigger fee than user expected. /// @notice sets the admin address /// @param a address of a new admin /// @return bool true if successful...

AI score: 6.7
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•8 views

[M-01] Easily bypassing admins 'pause' for swivel

Lines of code Vulnerability details Impact Assuming admin decides to pause an external principle when it's dangerous, malicious or unprofitable, Bypassing the admins decision can result in loss of funds for the project. Proof of Concept The principals enum p is only used for unpausedp modifier, a...

AI score: 6.9
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•10 views

User fund lose in addLiquidity() of LiquidityReserve by increasing (totalLockedValue / totalSupply()) to very large number by attacker

Lines of code Vulnerability details Impact Function addLiquidity is supposed to add liquidity for the staking token and receive lrToken in exchange. To calculate the amount of lrToken, the code uses this calculation: amountToMint = amount lrFoxSupply / totalLockedValue but it's possible for attacker to...

AI score: 6.9
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•9 views

removeAddress doesn't decrease the contracts.length

Lines of code Vulnerability details Impact The contracts length will always increase because the removeAddress function just deleting the value inside the array and never decrease the length by calling pop method. This can lead to Dos when calling functions that doing loop on contracts storage:...

AI score: 6.8
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•8 views

Lender.sol amountIn is used as returned for Pendle

Lines of code Vulnerability details uint256 returned; // Add the accumulated fees to the total uint256 fee = calculateFeea; feesu += fee; address memory path = new address; path0 = u; path1 = principal; // Swap on the Pendle Router using the provided market and params returned =...

AI score: 6.9
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•8 views

No support for fee on transfer tokens

Lines of code Vulnerability details Impact stake will revert for tokens that charge a fee on transfer. Proof of Concept Note: POC below assumes tokePoolContract.depositamount transfers part of Staking.sol balance to tokePoolContract. stake uses the amount as a reference for depositToTokemak and...

AI score: 6.9
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•13 views

Fees should be paid by the user when lend() to Swivel

Lines of code Vulnerability details function lend uint8 p, address u, uint256 m, uint256 memory a, address y, Swivel.Order calldata o, Swivel.Components calldata s public unpausedp returns uint256 // lent represents the number of underlying tokens lent uint256 lent; // returned represents the...

AI score: 6.7
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•10 views

Cannot mint to exactly max supply using _mint function

Lines of code Vulnerability details Impact Cannot mint to exactly max supply using mint function Proof of Concept requiretotalSupply MAXSUPPLY, "Max supply"; if totalSupply == MAXSUPPLY this assert will be failed and reverted. But it shouldn't be reverted as totalSupply == MAXSUPPLY is valid. Too...

AI score: 6.9
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•6 views

Sense AMM address can be manipulated, allowing unlimited mint of principal tokens

Lines of code Vulnerability details Lender's lend for Sense uses ISensex.swapUnderlyingForPTs output to determine the Illuminate PT amount to be minted for the user. x is a user supplied and not verified address, which can be precooked by a malicious user to return any inflated amount, that will ...

AI score: 6.8
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•5 views

Funds may be stuck when redeeming for Illuminate

Lines of code Vulnerability details Impact Funds may be stuck when redeeming for Illuminate. Proof of Concept Assuming the goal of calling redeem for Illuminate here is to redeem the Illuminate principal held by the lender or the redeemer, then there is an issue because the wrong balance is...

AI score: 6.8
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•11 views

Principal token is not transferred

Lines of code Vulnerability details Impact When redeeming from APWine and Tempus here, the principal token is not transferred to the redeemer, so may be stuck on the lender contract. Proof of Concept Instead of Safe.transferFromIERC20u, lender, addressthis, amount; it should be...

AI score: 6.9
Exploits: 0
Code423n4
•added 2022/06/26 12:0 a.m.•10 views

Staking.sol#stake() DoS by staking 1 wei for the recipient when warmUpPeriod > 0

Lines of code Vulnerability details if warmUpPeriod == 0 IYieldyYIELDYTOKEN.mintrecipient, amount; else // create a claim and mint tokens so a user can claim them once warm up has passed warmUpInforecipient = Claim amount: info.amount + amount, credits: info.credits +...

AI score: 6.9
Exploits: 0

Total number of security vulnerabilities: 10190