10190 matches found
Deprecated safeApprove() function
Originally submitted by warden Dravee in 146, duplicate of 178 related to the use of safeApprove. This is upgraded from a QA report to standalone issue because it correctly described the revert when trying to call safeApprove on non-zero allowance. QA report that only describe safeApprove as...
CNft.sol - revert inside safeTransferFrom will break composability & standard behaviour
Lines of code Vulnerability details The function safeTransferFrom is a standard interface in ERC1155, and it's expected to succeed if all the parameters are valid, and revert on error, which is not the case here so it's a deviation. Refer to the EIP-1155 safeTransferFrom rules: MUST revert if to is...
Admin can manipulate nft prices by _setNftPriceOracle
Lines of code Vulnerability details impact setNftPriceOracle is an admin-only function which can set a new nftOracle. But there is no restriction in this function. An admin can set any oracle unconditionally. It could be used to manipulate nft prices in liquidateCalculateSeizeNfts. Proof of Conce...
call() should be used instead of transfer() on an address payable
Lines of code Vulnerability details This is a classic Code4rena issue: instead of call , transfer is used to withdraw the ether 2021-04-meebits-findings2 Swap.sol implements potentially dangerous transfer 2021-10-tally-findings20 OpenLevV1Lib's and LPool's doTransferOut functions call native...
Use of deprecated Chainlink function latestAnswer
Lines of code Vulnerability details Impact Use of deprecated Chainlink function latestAnswer According to Chainlink's documentation, the latestAnswer function is deprecated. This function does not error if no answer has been reached but returns 0, causing an incorrect price feed to USDC Price...
amount requires to be updated to contract balance increase (4)
Lines of code Vulnerability details Impact Every time transferFrom or transfer function in ERC20 standard is called there is a possibility that underlying smart contract did not transfer the exact amount entered. It is required to find out contract balance increase/decrease after the transfer. Th...
amount requires to be updated to contract balance increase (3)
Lines of code Vulnerability details Impact Every time transferFrom or transfer function in ERC20 standard is called there is a possibility that underlying smart contract did not transfer the exact amount entered. It is required to find out contract balance increase/decrease after the transfer. Th...
amount requires to be updated to contract balance increase (5)
Lines of code Vulnerability details Impact Every time transferFrom or transfer function in ERC20 standard is called there is a possibility that underlying smart contract did not transfer the exact amount entered. It is required to find out contract balance increase/decrease after the transfer. Th...
amount requires to be updated to contract balance increase (14)
Lines of code Vulnerability details Impact Every time transferFrom or transfer function in ERC20 standard is called there is a possibility that underlying smart contract did not transfer the exact amount entered. It is required to find out contract balance increase/decrease after the transfer. Th...
amount requires to be updated to contract balance increase (18)
Lines of code Vulnerability details Impact Every time transferFrom or transfer function in ERC20 standard is called there is a possibility that underlying smart contract did not transfer the exact amount entered. It is required to find out contract balance increase/decrease after the transfer. Th...
amount requires to be updated to contract balance increase (12)
Lines of code Vulnerability details Impact Every time transferFrom or transfer function in ERC20 standard is called there is a possibility that underlying smart contract did not transfer the exact amount entered. It is required to find out contract balance increase/decrease after the transfer. Th...
amount requires to be updated to contract balance increase (17)
Lines of code Vulnerability details Impact Every time transferFrom or transfer function in ERC20 standard is called there is a possibility that underlying smart contract did not transfer the exact amount entered. It is required to find out contract balance increase/decrease after the transfer. Th...
amount requires to be updated to contract balance increase (10)
Lines of code Vulnerability details Impact Every time transferFrom or transfer function in ERC20 standard is called there is a possibility that underlying smart contract did not transfer the exact amount entered. It is required to find out contract balance increase/decrease after the transfer. Th...
amount requires to be updated to contract balance increase (8)
Lines of code Vulnerability details Impact Every time transferFrom or transfer function in ERC20 standard is called there is a possibility that underlying smart contract did not transfer the exact amount entered. It is required to find out contract balance increase/decrease after the transfer. Th...
amount requires to be updated to contract balance increase (1)
Lines of code Vulnerability details Impact Every time transferFrom or transfer function in ERC20 standard is called there is a possibility that underlying smart contract did not transfer the exact amount entered. It is required to find out contract balance increase/decrease after the transfer. Th...
using tx.origin does not guarantee EOA (3)
Lines of code Vulnerability details Impact This condition does not guarantee that msg.sender is EOA. The best is to use !isContract(msg.sender). Having tx.origin == msg.sender is possible to bypass from another smart contract which means attacker could have access to whitelist-protected functions...
amount requires to be updated to contract balance increase (13)
Lines of code Vulnerability details Impact Every time transferFrom or transfer function in ERC20 standard is called there is a possibility that underlying smart contract did not transfer the exact amount entered. It is required to find out contract balance increase/decrease after the transfer. Th...
using tx.origin does not guarantee EOA (2)
Lines of code Vulnerability details Impact This condition does not guarantee that msg.sender is EOA. The best is to use isContract(msg.sender). Having tx.origin == msg.sender is possible to bypass from another smart contract which means attacker could have access to whitelist-protected functions...
amount requires to be updated to contract balance increase (7)
Lines of code Vulnerability details Impact Every time transferFrom or transfer function in ERC20 standard is called there is a possibility that underlying smart contract did not transfer the exact amount entered. It is required to find out contract balance increase/decrease after the transfer. Th...
amount requires to be updated to contract balance increase (11)
Lines of code Vulnerability details Impact Every time transferFrom or transfer function in ERC20 standard is called there is a possibility that underlying smart contract did not transfer the exact amount entered. It is required to find out contract balance increase/decrease after the transfer. Th...
amount requires to be updated to contract balance increase (6)
Lines of code Vulnerability details Impact Every time transferFrom or transfer function in ERC20 standard is called there is a possibility that underlying smart contract did not transfer the exact amount entered. It is required to find out contract balance increase/decrease after the transfer. Th...
amount requires to be updated to contract balance increase (15)
Lines of code Vulnerability details Impact Every time transferFrom or transfer function in ERC20 standard is called there is a possibility that underlying smart contract did not transfer the exact amount entered. It is required to find out contract balance increase/decrease after the transfer. Th...
amount requires to be updated to contract balance increase (9)
Lines of code Vulnerability details Impact Every time transferFrom or transfer function in ERC20 standard is called there is a possibility that underlying smart contract did not transfer the exact amount entered. It is required to find out contract balance increase/decrease after the transfer. Th...
amount requires to be updated to contract balance increase (2)
Lines of code Vulnerability details Impact Every time transferFrom or transfer function in ERC20 standard is called there is a possibility that underlying smart contract did not transfer the exact amount entered. It is required to find out contract balance increase/decrease after the transfer. Th...
The ownership context is too centralized leaving room for other attack surfaces
Lines of code Vulnerability details Impact The ownership context is too centralized leaving room for other attack surfaces and leaving impression of distrust for the participants. Proof of Concept Almost all of the functions have onlyOwner modifier which allows accessing all the vital points of t...
Oracle data feed is insufficiently validated
Lines of code Vulnerability details description When using Chainlink Price feeds it is important to ensure the price feed data was updated recently. While getting started with Chainlink requires just one line of code, it is best to add additional checks in production environments. findings...
Limit not enforced on teamSummon function
Lines of code Vulnerability details Impact The docs say there is a cap on how many tokens the project team can mint, however there are no checks or tracking implemented in the teamSummon function to enforce that limit. An admin calling that function could accidentally or maliciously exceed the...
A malicious actor can cause DoS with Block Gas Limit and destroy the sale flow also having advantage of buying cheaper price
Lines of code Vulnerability details Impact A malicious actor can cause DoS with Block Gas Limit and mint NFT's on cheaper price as the price drop is in action or destroy the sale flow. Proof of Concept Each block has an upper bound on the amount of gas that can be spent, and thus the amount...
All approved addresses can burn tokens
Lines of code Vulnerability details Impact The burn function calls isApprovedOrOwner to check if a caller is authorized to burn tokens. This means that any address that has been approved can burn a user's token. Reading the ERC721 documentation from OpenZeppelin makes it understood that the...
NFT's can be bought to lowestprice even the final price is closed over the lowestprice
Lines of code Vulnerability details Impact NFT's can be bought to lowestprice even the final price is closed over the lowestprice Proof of Concept Say the 8000 NFT's are not sold at the bidSummon phase and optimistically the finalprice will be closed above the lowestprice of 0,6 ETH. A malicious...
reentry attack with owner checks and effects pattern not implemented
Lines of code Vulnerability details Impact reentry attack can happen because checks and effects pattern not implemented Proof of Concept an owner can be malicious and take advantage of effects after a call Recommended Mitigation Steps do the checks and effects pattern
Usage of deprecated transfer to send ETH
Lines of code Vulnerability details Vulnerability details The usage of address.send is considered a bad practice as it only uses 2300 gas and you create a high dependency of gas. It is true that this is only used in an emergency to transfer the funds to the vault, but it is always a better practice ...
Lack of validation on many important setters can lead to unwanted results
Lines of code Included below Vulnerability details Impact There are several important setter functions that lack validation on either the value itself or the timing on which the function can be called. It seems that the developer intentionally wrote these contracts with flexibility in mind, so I ...
Total loss of funds on owner account compromise
Lines of code Vulnerability details Issue: The vault address may be arbitrarily updated by the owner using setVaultAddress. The owner can also call withdrawAll to move all funds to the vault. Consequence: A malicious owner or owner account compromise can siphon the entire contract's funds to an...
Missing validations in setter and setPhaseTimes() functions.
Lines of code Vulnerability details Impact Time variable validations daStartTime, mintlistStartTime, publicStartTime, claimsStartTime, selfRefundsStartTime are only done in setPhaseTimes and not even all validations. These validations should be performed: daStartTime block.timestamp...
Unhandled return value of ERC20 transfer
Lines of code Vulnerability details Impact For reference, see similar Medium-severity finding from Consensys Diligence Audit of Aave Protocol V2: As stated in the above finding: “ERC20 implementations are not always consistent. Some implementations of transfer and transferFrom could return ‘false...
Deprecated oracle can return 0 as a price
Lines of code Vulnerability details Impact According to Chainlink's documentation, the latestAnswer function is deprecated. Proof of Concept This function does not error if no answer has been reached but returns 0. Besides, the latestAnswer is reported with 18 decimals for crypto quotes but 8...
Chainlink latestAnswer has been deprecated
Lines of code PriceOracleImplementation.solL29-L31 Vulnerability details Impact latestAnswer function is deprecated. This function does not revert if no answer has been reached but returns zero. There is no check for stale price and round completeness. Price can be stale and lead to wrong return...
Inexistent Chainlink Data Staleness Sanitization
Lines of code Vulnerability details Impact The IChainlinkAggregator implementation utilized by the codebase is outdated and as such is not properly sanitized. Recommended Mitigation Steps While the interface itself needs to be updated in its dedicated finding, the code utilizing it should also be...
Outdated Interface Implementation
Lines of code Vulnerability details Impact The Chainlink aggregator interface used by the project is outdated and does not permit the project to properly sanitize the price values it receives. Recommended Mitigation Steps The interface is to be updated according to the official Chainlink...
Using deprecated Chainlink function latestAnswer
Lines of code Vulnerability details Impact According to Chainlink's documentation, the latestAnswer function is deprecated. Proof of Concept This function does not error if no answer has been reached but returns 0. Besides, the latestAnswer is reported with 18 decimals for crypto quotes but 8...
Usage of deprecated Chainlink oracle function
Lines of code Vulnerability details Impact The Chainlink oracle latestAnswer function is deprecated. Instead, you're supposed to use latestRoundData. Using deprecated functions can result in the PriceOracleImplementation not returning the correct value anymore. It will affect the availability of...
Chainlink pricer is using a deprecated API
Lines of code Vulnerability details Impact According to Chainlink's documentation, the latestAnswer function is deprecated. This function might suddenly stop working if Chainlink stops supporting deprecated APIs. And the old API can return stale data. Proof of Concept Tools Used None Recommended...
Division by zero
I'm upgrading the following issue from a QA report issue 48 to Medium risk: Division by zero calculateDeviationThresholdBasisPoints was important enough to be in a separate library rather than being just a normal function of another contract so it should be generic enough for other contracts to u...
Dutch Auction fails when maxDaSupply is not reached
Lines of code Vulnerability details Impact Dutch Auction fails when maxDaSupply is not reached Proof of Concept Dutch Auction should update finalPrice every time price decreases. However, currently finalPrice is updated only when auction reaches full supply reserved for auction phase. 1. Alice bu...
Use of ChainlinkFeed latestAnswer in PriceOracleImplementation is deprecated and not sufficiently validated
Lines of code Vulnerability details Impact PriceOracleImplementation.sol uses the latestAnswer function on the mainnet deployed ChainlinkFeed for the USDC oracle price. However, this function is deprecated as outlined in the comments of the deployed Chainlink contract see POC below. Notably,...
Anyone can rebalance vaults on behalf of owner and eventually extract funds
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept - rebalance When using Aave's flashLoan, a recipient can be specified. Therefore the access control of executeOperation in SuperVault is useless as anyone could take a flashloan to call...
Usage of deprecated transfer to send ETH in VaultsCore.sol
Lines of code Vulnerability details Impact Smart contract is not robust as it depends on gas cost so it can fail in some circumstances. PoC The usage of transfer to send ETH is widely considered a bad practice as it limits the gas usage to 2300. msg.sender.transfer(amount); @Audit deprecated transf...
Reentrancy Bugs in GenericMinerV2
Lines of code Vulnerability details Impact No ETH reentrancy decreaseStake: makes external call releaseRewards and updates the state variables afterwards totalStake, updateBoost increaseStake: makes call to releaseRewards and updates state variables afterwards totalStake, updateBoost Recommended...
Unbound loop can brick contract and freeze miner payments
Lines of code Vulnerability details Impact The payees array in the MinerPayer.sol contract can grow to an unbounded size. That means it could grow so large that the MinerPayer.release function can't loop through them all without triggering an out of gas error. Updating the payees array in the...