10190 matches found
Minting to user after funds deposit is now omitted in Lender's Swivel lend
Lines of code Vulnerability details Lender's Swivel version of lend pulls the underlying funds from the user, opens the necessary positions, but now fails to mint Illuminate PT for the user, so there will be no records for her investment and the corresponding funds aren't recoverable. Setting...
Yieldy._totalSupply has different upper bounds.
Lines of code Vulnerability details Impact Yieldy.totalSupply has different upper bounds. Yieldy.mint will revert when totalSupply is exactly same as MAXSUPPLY. Proof of Concept From L91-L98, we can see totalSupply can be same as MAXSUPPLY and I think "totalSupply = MAXSUPPLY" is reasonable also...
It's possible to perform DOS and fund lose in Stacking by transferring tokens directly to contract
Lines of code Vulnerability details Impact Function rebase in contract Staking calls Yieldy.rebaseprofit, and Yieldy.rebaseprofit, would revert if rebasingCredits / updatedTotalSupply was equal to 0. it's possible to transfer some STAKINGTOKEN directly to Stacking contract before or after...
Sending batch withdrawal requests can possibly DoS
Lines of code Vulnerability details Impact The function BatchRequests.sendWithdrawalRequests allows calling the sendWithdrawalRequests function on all of the Yieldy contracts at once. However, due to the unbounded for loop, if many Yieldy contracts are added to contracts, this function can...
Uninitialized local variables
Lines of code Vulnerability details Impact Configuration -Check: uninitialized-local -Severity: Medium -Confidence: Medium -Description:.Lender.approveaddress,uint256,address.i Lender.sol87 is a local variable never initialized.A smart contract with uninitialized local variables may lead to...
Yield of LiquidityReserve can be stolen
Lines of code Vulnerability details Impact Using sandwich attacks and JIT Just-in-time liquidity, the yield of LiquidityReserve could be extracted for liquidity providers. Proof of Concept The yield of LiquidityReserve is distributed when a user calls instantUnstakeReserve in Staking. Then, in...
No minting done in the Element version of lend function, user funds are frozen within the system
Lines of code Vulnerability details Lender's Element lend transfers the funds from a user, opens the position with Element, but fails to mint a corresponding Illuminate position to a user. Setting severity to be high as there is no account of user investment is effectively created, so there is no...
Rug vector for admin of Lender.sol who can max approve all principal tokens for any market without waiting the 3 days to themselves
Lines of code Vulnerability details Impact The admin of Lender.sol is authorized to call the function approve which will grant any address max approval over the principal tokens of a particular market. I assume that this functionality is used to approve the respective redeemer contracts used in...
Reentrancy vulnerabilities
Lines of code Vulnerability details Impact Reentrancy attacks can allow malicious actors to take over the control flow, and make...
can override a marketplace
Lines of code Vulnerability details Impact There is no check if there is a market place in the m address and we can override all of the exist market places. Proof of Concept function setMarketPlaceaddress m external authorizedadmin returns bool if marketPlace != address0 revert ExistsmarketPlace;...
DoS attack on claiming rewards can lead to user never being able to claim
Lines of code Vulnerability details Proof of Concept: the stake function can be called for a different recipient than msg.sender. Each time you stake tokens your warmUpInfo.expiry or the time when you are able to claim rewards grows by warmUpPeriod as is visible the last line here not the line wi...
setCurvePool does not approve the new curve pool to transfer the TOKE_POOL token, making it unusable for its intended purpose.
Lines of code Vulnerability details Staking.solsetCurvePool File: Staking.sol 153: / 154: @notice sets the curve pool address 155: @param curvePool uint 156: / 157: function setCurvePooladdress curvePool external onlyOwner 158: CURVEPOOL = curvePool; 159: setToAndFromCurve; 160:...
lend() to Tempus will return less than expected or just revert
Lines of code Vulnerability details function lend uint8 p, address u, uint256 m, uint256 a, uint256 r, uint256 d, address t, address x public unpausedp returns uint256 // Instantiate market and tokens address principal = IMarketPlacemarketPlace.marketsu, m, p; if ITempusprincipal.yieldBearingToke...
instantUnstake function can be frontrunned with fee increase
Lines of code Vulnerability details Impact instantUnstake allows user to unstake their stakingToken for a fee paid to the liquidity providers. This fee could be changed up to 100% any moment by admin. Malicious admin could frontrun users instantUnstake transaction and set fee to any value using...
Griefing on claim()
Lines of code Vulnerability details Issue: griefing can happen if coolDownPeriod 0 due to the fact that you can stake for someone else. Whenever a stake happens, the expiry variable increases with coolDownPeriod. This can be done either by watching the mempool and frontrun a stake when someone...
Unused Return
Lines of code Vulnerability details Impact Configuration Check: unused-return Severity: Medium Confidence: Medium Description: The return value of this external call is not stored in a local or state variable. Unused return values of function calls are indicative of programmer errors which may ha...
[M-02] transferring LESS funds from lender than needed
Lines of code Vulnerability details Impact Wrong accounting calculation may result in malfunctioning and loss of funds for the project. Proof of Concept As seen in the lines above, the amount transferred from the lender is after subtracting the fee he actually needs to pay On the other hand, the...
Safe.approve may not work for USDT
Lines of code Vulnerability details Impact Some tokens like USDT do not work when changing the allowance from an existing non-zero allowance value. They must first be approved by zero and then the actual allowance must be approved. Proof of concept: The following function may fail and make USDT...
lender variable in is not the same as constructory and method in the construcotr ther is no check for address zero
Lines of code Vulnerability details Impact lender variable not the same as constructory and method its no check for address zero Recommended Mitigation Steps check for address zero in the constructor --- The text was updated successfully, but these errors were encountered: π 1 KenzoAgada reacted...
No withdrawal possible for ETH TOKE pool
Lines of code Vulnerability details Impact The withdraw function of the ETH Tokemak pool has an additional parameter asEth. This can be seen in the Tokemak Github repository or also when looking at the deployed code of the ETH pool. Compare that to e.g. the USDC pool, which does not have this...
Upgraded Q -> H from 158 [1656140317935]
Judge has assessed an item in Issue 158 as High risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
Griefers can prevent users from claiming YIELDY_TOKENs from the warm up
Lines of code Vulnerability details Impact When warmUpPeriod is greater than 0, anyone can deny i.e.: grief any user from claiming their YIELDYTOKENs from Staking.sol. Proof of Concept 1. Admin sets the warmUpPeriod to 2. 2. A user deposits a decent amount STAKINGTOKENs, with the expectation that...
Upgraded Q -> H from 158 [1656140803140]
Judge has assessed an item in Issue 158 as High risk. The relevant finding follows: --- The text was updated successfully, but these errors were encountered: All reactions...
Griefing Attack by staking for any receipent
Lines of code Vulnerability details Impact Any user can grief attack and lock funds of victim by staking with victim address as recipient. Proof of Concept If warmup period is more than 1, it is possible to do this by staking with victim address as recipient with 1 wei amount, and increasing the...
Denial of Service by wrong BatchRequests.removeAddress logic
Lines of code Vulnerability details Impact The BatchRequests.removeAddress logic is wrong and it will produce a denial of service. Proof of Concept Removing the element from the array is done using the delete statement, but this is not the proper way to remove an entry from an array, it will just...
Staking: Attacker can stake very few tokens for others to increase the lock time of others' tokens.
Lines of code Vulnerability details Impact In the stake function of the Staking contract, anyone can stake tokens for others. And each time a token is staked, the lock time of all tokens is increased. This allows an attacker to stake few tokens for others to increase the lock time of others'...
[PNM-004] Calculation of _secondaryReserveRatio can be overflowed
Lines of code Vulnerability details Description uint32 secondaryReserveRatio = uint32msg.value SCALE 1e18 / initialTokenSupply initialTokenPrice; secondaryReserveRatio can be overflowed by setting a relatively small initialTokenSupply and initialTokenPrice. The result will be truncated by uint32,...
Reentrancy bug in Basket's withdraw multiple tokens function which gives attacker ability to transfer basket ownership and spend it but withdraw all the tokens out of basket
Lines of code Vulnerability details Impact Basket is used for keep multiple tokens in contract and mint one NFT token to represent their ownership. Basket only allows for owner of NFTid=0 to withdraw tokens from Basket address. users can deposit multiple tokens in one Basket and then create a...
NibblVault buyout duration longer than update timelock
Lines of code Vulnerability details Impact User can buy out NFT by initiating the process through initiateBuyout, then he has to wait BUYOUTDURATION which is 5 days and if the buyout will not get rejected he can claim the NFT. During that period bidder cannot cancel the process. The issue is that...
sell() and buy() should not have whenNotPaused modifier
Lines of code Vulnerability details Impact Impacts are two fold: 1. admin should not be allowed to stop users from selling/cashing out their assets under any circumstance. 2. Due to poor timing or malicious admin activity, it could be the case that buy is put on pause right after initiateBuyout i...
Ineffective TWAV Implementation
Lines of code Vulnerability details Background The current TWAV implementation consists of an array of 4 observations/valuations called twavObservations. Whenever, the new valuation is updated, the new cumulative valuation will be appended to the twavObservations array and the oldest...
_updateTwav() and _getTwav() will revert when cumulativePrice overflows
Lines of code Vulnerability details Impact Contract will break when cumulativeValuation overflows. PoC Cumulative prices are designed to work with overflows/underflows because in the end the difference is important. In updateTwav when prevCumulativeValuation + valuation timeElapsed overflows the...
Discrepancies between document and code implementation
Lines of code Vulnerability details Impact This will tarnish the credibility of the system. Proof of Concept Document says buyout time as 3 days. But the code is implemented with 5 days as buyout time. Tools Used Manual verification Recommended Mitigation Steps Implement the code as per what...
[PNM-005] Reentrancy of function sell
Lines of code Vulnerability details Description In function chargeFee, a potential reetrancy can be triggered by the factory. Since function sell invokes chargeFee in the middle of its function body, it potentially impacts the calculation, e.g., the totalSupply would be incorrect since the tokens...
Avoid using address(this).balance for internal accounting
Lines of code Vulnerability details Impact This could reduce or increase the amount of ETH that token-holders are able to redeem for a reserve token in the case of a buyout success. Proof of Concept Using addressthis.balance for any internal accounting for smart contract poses risks. Using...
Buys/sells will be front-run by MEV bots
Lines of code Vulnerability details Impact Since the value of the vault depends on the Bancor formula, it's important that transactions can't be front-run, because doing so, even for small amounts, will change the valuation price for subsequent buys/sells. The link the sponsor provided describes...
Basket NFT have no name and symbol
Lines of code Vulnerability details Impact The Basket contract is intended to be used behind a proxy. But the ERC721 implementation used is not upgradeable, and its constructor is called at deployment time on the implementation. So all proxies will have a void name and symbol, breaking all...
Potential denial of service issues
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. I noticed that the withdrawUnsettledBids and redeem functions return the Ether amount by calling safeTransferETH, but if the to address passed in is a malicious contract address and the receive function...
DoS with block gas limit--External calls inside a loop might lead to a denial-of-service attack.
Lines of code Vulnerability details Impact --Check: calls-loop --Severity: Medium --Confidence: Medium External calls can fail accidentally or deliberately, which can cause a DoS condition in the contract. Proof of Concept -- --ConsenSys Smart Contract Best Practices -- -- Tools Used...
_rejectBuyout() does not take buys and sells into account until next block, can lead to false effects due to timing
Lines of code Vulnerability details Impact Buyout that should be rejected will be allowed to happen. Proof of Concept Last user to call buy that could have pushed rejectBuyout to reject the buyout wont be accounted for because rejecBuyout is place before the minting of new tokens. Therefore even ...
sell function does not have minimum threshold on the _minAmtOut
Lines of code Vulnerability details Impact During the code review, It has been observed saleReturn value is not resistant to slippage on the minAmtOut. For the protecting value from slippage, the protocol should ensure that minAmtOut is different than zero. Proof of Concept Tools Used Recommended...
Missing notBoughtOut modifier
Lines of code Vulnerability details Impact On the withdrawUnsettledBids function, unsettledBid can be withdraw when buyout is rejected. However, the contract is missing notBoughtOut modifier in the function. From that reason, during buyout period the function can be called. On the redeem function...
Buyer can initiateBuyout by sending less value than current valuation
Lines of code Vulnerability details Impact Intuitively, a buyer calling initiateBuyout should be sending a msg.value greater than or equal to current valuation. However, they can actually send less than this amount and still initiate the buyout. On line 404 we have requirebuyoutBid =...
[PNM-002] Unfairness: the curator (or users with large shares) can always reject payout by sandwich attacks
Lines of code Vulnerability details Impact 15% Attack Description The initiateBuyout function uses the current valuation instead of the time-weighted average one to determine buyoutRejectionValuation, making the curator or any other early buyers with a relatively large sharing able to reject...
Twav.sol#_getTwav() will revert when timestamp > 4294967296
Lines of code Vulnerability details function getTwav internal view returnsuint256 twav if twavObservationsTWAVBLOCKNUMBERS - 1.timestamp != 0 uint8 index = twavObservationsIndex + TWAVBLOCKNUMBERS - 1 % TWAVBLOCKNUMBERS; TwavObservation memory twavObservationCurrent = twavObservationsindex;...
TWAP array can be artificially filled up with the most recent quote
Lines of code Vulnerability details A malicious user can run updateTWAV on each block, quickly replacing all four values of the twavObservations array with the most recent valuation. I.e. the time weighted averaging essence of the recorded price can be directly reduced to always be just most rece...
Proxy storage collision - contracts might be bricked
Lines of code Vulnerability details The proxy contracts save the implementation variables in the first storage slot see links above. This will lead to storage collusions when the implementation contract tries to read/update the first storage slot. For the implementation contract, the first storag...
Division by 0
Lines of code Vulnerability details Division by 0 can lead to accidentally revert, An example of a similar issue - code-423n4/2021-10-defiprotocol-findings84 Code instances: https://github.com/code-423n4/2022-06-nibbl/tree/main/contracts/NibblVault.solL183 initialTokenSupply, initialTokenPrice...
ProxyVault implementation can be changed retroactively bricking old NibblVaults
Lines of code Vulnerability details Impact The ProxyVault.sol contract refers back to the NibbleVaultFactory.vaultImplementation This value can change over time, potentially breaking storage of the old implementations. Notice that querying the implementation from NibbleVaultFactory also incurs a...
Malicious NFT
Lines of code Vulnerability details Impact Anybody can create a vault which fractionalizes their NFT. However, this process should go through a whitelist and review process because a maliciously implemented NFT contracts can reclaim ownership of the contract despite it technically being 'owned' b...