10190 matches found

Code423n4, added 2022/03/30 12:0 a.m., 10 views

[WP-M11] Wrong implementation of DexManagerFacet.sol#batchRemoveDex() will remove only the first item

Lines of code Vulnerability details function batchRemoveDexaddress calldata dexs external LibDiamond.enforceIsContractOwner; for uint256 i; i dexs.length; i++ if s.dexWhitelistdexsi == false continue; s.dexWhitelistdexsi = false; for uint256 j; j s.dexs.length; j++ if s.dexsj == dexsi removeDexj;...

6.9 AI score, Exploits: 0

Code423n4, added 2022/03/30 12:0 a.m., 13 views

[WP-M9] sendNative with CBridge will always revert

Lines of code Vulnerability details function startBridgeCBridgeData memory cBridgeData internal Storage storage s = getStorage; address bridge = bridge; // Do CBridge stuff requires.cBridgeChainId != cBridgeData.dstChainId, "Cannot bridge to the same network."; if...

6.8 AI score, Exploits: 0

Code423n4, added 2022/03/30 12:0 a.m., 14 views

[WP-H10] GenericSwapFacet.sol#swapTokensGeneric() duplicated .call{ value: msg.value } makes it possible for the attacker to steal native tokens (ETH) from the contract

Lines of code Vulnerability details function swapTokensGenericLiFiData memory lifiData, LibSwap.SwapData calldata swapData public payable uint256 receivingAssetIdBalance = LibAsset.getOwnBalancelifiData.receivingAssetId; // Swap executeSwapslifiData, swapData; uint256 postSwapBalance =...

6.7 AI score, Exploits: 0

Code423n4, added 2022/03/30 12:0 a.m., 10 views

Potential DoS

Lines of code Vulnerability details the balance of outputToken is checked to be exactly a specified value that is not declared in this specific function. Therefore, a malicious user can transfer to the contract address tiny amount of tokens and the user transactions will always revert. Potential...

6.8 AI score, Exploits: 0

Code423n4, added 2022/03/30 12:0 a.m., 9 views

Owner Can Stop Bridge All Functionality Only With One Change

Lines of code Vulnerability details Impact Owner can stop all bridge functionality with the changing cBridge contract address with the zero. The centralized structure can cause to pause all operations. Proof of Concept Tools Used Code Review Recommended Mitigation Steps It is recommended to place...

7 AI score, Exploits: 0

Code423n4, added 2022/03/30 12:0 a.m., 12 views

[WP-H7] Infinite approval to an arbitrary address can be used to steal all the funds from the contract

Lines of code Vulnerability details function startBridgeAnyswapData memory anyswapData internal // Check chain id requireblock.chainid != anyswapData.toChainId, "Cannot bridge to the same network."; address underlyingToken = IAnyswapTokenanyswapData.token.underlying; if underlyingToken ==...

6.7 AI score, Exploits: 0

Code423n4, added 2022/03/30 12:0 a.m., 9 views

Risk of centralization

Lines of code Vulnerability details Medium Risk Risk of centralization Impact Diamond owner has too many roles on setting the functions, initiating payable functions. If the Owner account is compromised, the assets may be drained in this trustless system. Proof of Concept Tools Used Static testin...

6.9 AI score, Exploits: 0

Code423n4, added 2022/03/30 12:0 a.m., 11 views

If contract holds balance of any ERC20 token, any user can take it

Lines of code Vulnerability details Impact If the LiFiDiamond contract ends up holding any ERC20 token, any user is able to perform a swap from the held asset to another asset, and the swap will use the contracts' funds as input instead of their own. The result is that a user can take all of the...

6.8 AI score, Exploits: 0

Code423n4, added 2022/03/30 12:0 a.m., 11 views

admin can rug

Lines of code Vulnerability details admin can steal all user funds

7 AI score, Exploits: 0

Code423n4, added 2022/03/30 12:0 a.m., 8 views

dangerous payable function

Lines of code Vulnerability details A user might accidentally send ether if sendingAssetId is not ether. Recommendation add in line 54: require(msg.value == 0);

6.9 AI score, Exploits: 0

Code423n4, added 2022/03/30 12:0 a.m., 8 views

twitterId is unreliable source of link

Lines of code Vulnerability details Impact Registration link cannot be relied upon. After the user is registered, User can easily change their twitterId to something else. The old id can later be acquired by someone else, thus making registration link to incorrect person Proof of Concept 1. User ...

6.9 AI score, Exploits: 0

Code423n4, added 2022/03/30 12:0 a.m., 12 views

Borrower funds can get stuck

Lines of code Vulnerability details Impact If request status is expired then full borrower collateral amount will get stuck as withdrawableCollateral will always be 0 even though borrower has repaid 90% of the amount Proof of Concept 1. User A deposit collateral against his request using...

7 AI score, Exploits: 0

Code423n4, added 2022/03/30 12:0 a.m., 6 views

Existing credit line can be overwritten

Lines of code Vulnerability details Impact If pooledCLConstants1 already exists and Admin calls create function with id as 1 then pooledCLConstants1 will be overwritten with new value Proof of Concept 1. User A calls the create function to prepare a new credit line with id 1 2. This credit line i...

6.8 AI score, Exploits: 0

Code423n4, added 2022/03/30 12:0 a.m., 12 views

Interest accrued could be zero for small decimal tokens

Lines of code Vulnerability details Details & Impact Interest is calculated as principal.mulborrowRate.multimeElapsed.divYEARINSECONDS.divSCALINGFACTOR; It is possible for the calculated interest to be zero for principal tokens with small decimals, such as EURS 2 decimals. Accumulated interest ca...

6.8 AI score, Exploits: 0

Code423n4, added 2022/03/30 12:0 a.m., 11 views

onlyOwner modifier missing

Lines of code Vulnerability details Impact Function is missing onlyOwner modifier meaning any user could register without need to be an owner Proof of Concept registerSelf function is missing the onlyOwner modifier. Recommended Mitigation Steps Change definition to function registerSelf...

6.8 AI score, Exploits: 0

Code423n4, added 2022/03/30 12:0 a.m., 17 views

Users can transfer tokens to themselves to set cooldowns to 0, and then increase the lock time of other users' tokens when transferring to other users

Lines of code Vulnerability details Impact In the beforeTokenTransfer function, cooldowns will be set to 0 when the user transfers all tokens to himself. function beforeTokenTransfer address from, address to, uint256 amount internal virtual override iffrom != address0 //check must be skipped on...

6.7 AI score, Exploits: 0

Code423n4, added 2022/03/30 12:0 a.m., 16 views

DoS: Users May Claim _splitId Causing Other Transactions to Revert

Lines of code Vulnerability details Impact Users may set splitId to any value when calling SplitFactory.createSplit allowing the user to claim this ID. This is exploitable to front-running in a denial of service attack where an attacker may call see a transaction in the mempool and call...

6.7 AI score, Exploits: 0

Code423n4, added 2022/03/30 12:0 a.m., 11 views

Fixed Amount of Gas Sent in Call May Be Insufficient

Lines of code Vulnerability details Impact The function attemptETHTransfer makes a call with a fixed amount of gas, 30,000. If the receiver is a contract this may be insufficient to process the receive function. As a result the user would be unable to receive funds from this function. Proof of...

6.8 AI score, Exploits: 0

Code423n4, added 2022/03/30 12:0 a.m., 15 views

[WP-H6] Swapper can be used to steal all the funds from the contract

Lines of code Vulnerability details function swapTokensGenericLiFiData memory lifiData, LibSwap.SwapData calldata swapData public payable uint256 receivingAssetIdBalance = LibAsset.getOwnBalancelifiData.receivingAssetId; // Swap executeSwapslifiData, swapData; uint256 postSwapBalance =...

6.8 AI score, Exploits: 0

Code423n4, added 2022/03/30 12:0 a.m., 8 views

Incorrect implementation of the _startBridge function in CBridgeFacet

Lines of code Vulnerability details Impact The startBridge function in CBridgeFacet is to bridge the tokens to CBridge by calling the sendNative or send function on the bridge contract. However, when calling the sendNative function, no native token is sent to the bridge. The sendNative call alway...

6.8 AI score, Exploits: 0

Code423n4, added 2022/03/29 12:0 a.m., 15 views

Incorrect number of seconds in ONE_YEAR variable

Lines of code Vulnerability details Impact In HolyPaladinToken.sol the ONEYEAR variable claims that there are 31557600 seconds in a year when this is incorrect. The ONEYEAR variable is used in the getCurrentVotes function as well as the getPastVotes function so it is vital that the correct time i...

6.9 AI score, Exploits: 0

Code423n4, added 2022/03/29 12:0 a.m., 8 views

Missing require can lead to funds lost

Lines of code Vulnerability details Failed transfer with low level call won't revert Impact A missing require may cause user to lose funds if a corner case issue filed separately named Failed transfer with low level call won't revert. This may result in user funds lost because funds were...

6.7 AI score, Exploits: 0

Code423n4, added 2022/03/29 12:0 a.m., 8 views

Must approve 0 first

Lines of code Vulnerability details Impact Some tokens like USDT do not work when changing the allowance from an existing non-zero allowance value. They must first be approved by zero and then the actual allowance must be approved. Proof of Concept Tools Used None Recommended Mitigation Steps Use...

6.9 AI score, Exploits: 0

Code423n4, added 2022/03/29 12:0 a.m., 15 views

Missing input validation could lead to loss of fund

Lines of code Vulnerability details Impact A faulty input in GenericSwapFacet.swapTokensGeneric could cause funds to get stuck in the contract. In addition, tokens left in the LiFi contract can be retrieved by anyone see issue: ERC20 withdrawals can be frontrun, leading to loss of fund. Proof of...

6.8 AI score, Exploits: 0

Code423n4, added 2022/03/29 12:0 a.m., 6 views

A swap with a token amount received of zero does not fail

Lines of code Vulnerability details Impact A token swap via NXTPFacet::swapAndCompleteBridgeTokensViaNXTP in which the receiving amount of tokens is zero does not fail. Proof of Concept The function NXTPFacet::swapAndCompleteBridgeTokensViaNXTP does not require that the token balance after the sw...

6.8 AI score, Exploits: 0

Code423n4, added 2022/03/29 12:0 a.m., 15 views

All swapping functions lack checks for returned tokens

Lines of code Vulnerability details Impact Every function that stems from the GenericSwapFacet lacks checks to ensure that some tokens have been returned via the swaps. In LibSwap.sol in the swap function, the swap call is sent to the target DEX. A return of success is required, otherwise the...

6.9 AI score, Exploits: 0

Code423n4, added 2022/03/29 12:0 a.m., 9 views

Reliance on lifiData.receivingAssetId can cause loss of funds

Lines of code Vulnerability details Impact In the swapTokensGeneric function, an arbitrary number of swaps can be performed from and to various tokens. However, the final balance that is sent to the user relies on lifiData.receivingAssetId which has no use in the swapping functionality. LifiData ...

6.8 AI score, Exploits: 0

Code423n4, added 2022/03/29 12:0 a.m., 8 views

Constructor cannot be used in upgradeable contracts

Lines of code Vulnerability details Details As per OpenZeppelin’s documentation, “Due to a requirement of the proxy-based upgradeability system, no constructors can be used in upgradeable contracts.” reason being “the code within a logic contract’s constructor will never be executed in the contex...

6.9 AI score, Exploits: 0

Code423n4, added 2022/03/29 12:0 a.m., 10 views

Borrower can stop lenders from withdrawing interest payments

Lines of code line Vulnerability details Impact A borrower can prevent lenders from being able to withdraw any interest payments. For example, a malicious borrower could create a credit line proposal with a long duration and a promise of regular interest payments to entice lenders to deposit into...

6.9 AI score, Exploits: 0

Code423n4, added 2022/03/28 12:0 a.m., 13 views

Lack of checks between _swapData and _lifiData could lead to loss of funds and reputation risk.

Lines of code LibSwap.swap swapTokensGeneric Vulnerability details Impact Users could input incongruent values for lifiData and swapData leading to a swap not being processed correctly and users not getting any of the expected lifiData.receivingAssetId. It can also damage reputation because LiFi...

6.8 AI score, Exploits: 0

Code423n4, added 2022/03/25 12:0 a.m., 7 views

Funds are transferred to saleRecipient before settlement

This issue has been created to subdivide a multi-part submission to a single, medium severity finding. See issue 50 and in particular, judge @0xleastwood's comment here.

6.8 AI score, Exploits: 0

Code423n4, added 2022/03/25 12:0 a.m., 10 views

Changing a token buy price during the sale by front-running buyers by forcing them to purchase at an unfair token price

This issue has been created to subdivide a multi-part submission to a single, medium severity finding. See issue 50 and in particular, judge @0xleastwood's comment here.

6.8 AI score, Exploits: 0

Code423n4, added 2022/03/24 12:0 a.m., 19 views

[WP-H7] CollateralToken.sol's COLLATERAL_BURNER_ROLE and COLLATERAL_MINTER_ROLE can rug users

Lines of code Vulnerability details In the current design/implementation, CollateralToken is minted and burned by COLLATERALMINTERROLE and COLLATERALBURNERROLE. Such roles can be granted by the owner of QuantConfig, which is the deployer of the QuantConfig. Once the attacker managed to acquire on...

6.8 AI score, Exploits: 0

Code423n4, added 2022/03/24 12:0 a.m., 10 views

[WP-H2] EIP712MetaTransaction.executeMetaTransaction() failed txs are open to replay attacks

Lines of code Vulnerability details Any transactions that fail based on some conditions that may change in the future are not safe to be executed again later e.g. transactions that are based on others actions, or time-dependent etc. In the current implementation, once the low-level call is failed...

7.2 AI score, Exploits: 0

Code423n4, added 2022/03/24 12:0 a.m., 5 views

admin can rug by minting collateral tokens

Lines of code Vulnerability details The admin can set himself COLLATERALMINTERROLE, then mint unlimited collateral tokens, allowing them to drain the protocol.

6.9 AI score, Exploits: 0

Code423n4, added 2022/03/24 12:0 a.m., 11 views

Mint spread collateral-less and conjuring collateral claims out of thin air with implicit arithmetic rounding and flawed int to uint conversion

Lines of code Vulnerability details Impact This report presents 2 different incorrect behaviour that can affect the correctness of math calculations 1. Unattended Implicit rounding in QuantMath.sol div and mul 2. Inappropriate method of casting integer to unsigned integer in SignedConverter.sol...

6.9 AI score, Exploits: 0

Code423n4, added 2022/03/24 12:0 a.m., 13 views

Spreads can be minted with a deactivated oracle

Lines of code Vulnerability details Impact When deactivateOracle is called for an oracle in OracleRegistry it is still available for option spreads minting. This way a user can continue to mint new options within spreads that rely on an oracle that was deactivated. As economic output of spreads i...

6.8 AI score, Exploits: 0

Code423n4, added 2022/03/24 12:0 a.m., 9 views

[WP-H6] Admin of the upgradeable proxy contract of Controller.sol can rug users

Lines of code Vulnerability details Use of Upgradeable Proxy Contract Structure allows the logic of the contract to be arbitrarily changed. This allows the proxy admin to perform malicious actions e.g., taking funds from users' wallets up to the allowance limit. This action can be performed by th...

6.9 AI score, Exploits: 0

Code423n4, added 2022/03/24 12:0 a.m., 15 views

[WP-H4] Initializer of QuantConfig.sol can rug users

Lines of code Vulnerability details function initializeaddress payable timelockController public override initializer require timelockController != address0, "QuantConfig: invalid TimelockController address" ; AccessControlinit; Ownableinitunchained; setupRoleDEFAULTADMINROLE, msgSender;...

6.8 AI score, Exploits: 0

Code423n4, added 2022/03/24 12:0 a.m., 10 views

Incorrect strike price displayed in name/symbol of qToken

Lines of code Vulnerability details Impact slice in options/QTokenStringUtils.sol cut a string into stringstart:end However, while fetching bytes, it uses bytessstart+1 instead of bytessstart+i. This causes the return string to be composed of sstartend-start. The result of this function is then...

6.9 AI score, Exploits: 0

Code423n4, added 2022/03/24 12:0 a.m., 10 views

Low-level transfer via call() can fail silently

Lines of code Vulnerability details Impact In the call function in TimelockController.sol, a call is executed with the following code: function call bytes32 id, uint256 index, address target, uint256 value, bytes memory data private // solhint-disable-next-line avoid-low-level-calls bool success,...

6.8 AI score, Exploits: 0

Code423n4, added 2022/03/24 12:0 a.m., 7 views

Arbitrary code can be run with Controller as msg.sender

Lines of code Vulnerability details Impact A malicious user can call Controller's operate with ActionType.QTokenPermit, providing a precooked contract address as qToken, that will be called by Controller contract with IQTokenqToken.permit, which implementation can be arbitrary as long as IQToken...

7 AI score, Exploits: 0

Code423n4, added 2022/03/24 12:0 a.m., 13 views

QTokens with the same symbol will lead to mistakes

Lines of code Vulnerability details The README.md states: Bob can then trade the QToken with Alice for a premium. The method for doing that is beyond the scope of the protocol but can be done via any smart contract trading platform e.g. 0x. It is therefore important that tokens be easily...

6.8 AI score, Exploits: 0

Code423n4, added 2022/03/24 12:0 a.m., 16 views

Use of deprecated Chainlink function latestAnswer

Lines of code Vulnerability details function getCurrentPriceaddress asset external view overrideProviderOracleManager, IProviderOracleManager returns uint256 address assetOracle = getAssetOracleasset; IEACAggregatorProxy aggregator = IEACAggregatorProxyassetOracle; int256 answer =...

6.9 AI score, Exploits: 0

Code423n4, added 2022/03/24 12:0 a.m., 13 views

[WP-H0] Wrong implementation of EIP712MetaTransaction

Lines of code Vulnerability details 1. EIP712MetaTransaction is a utils contract that is intended to be inherited by concrete actual contracts, therefore, its initializer function should not use the initializer modifier, instead, it should use onlyInitializing modifier. See the implementation of...

6.9 AI score, Exploits: 0

Code423n4, added 2022/03/24 12:0 a.m., 9 views

[WP-M3] OperateProxy.callFunction() should check if the callee is a contract

Lines of code Vulnerability details /// @notice Allows a sender/signer to make external calls to any other contract. /// @dev A separate OperateProxy contract is used to make the external calls so /// that the Controller, which holds funds and has special privileges in the Quant /// Protocol, is...

6.9 AI score, Exploits: 0

Code423n4, added 2022/03/23 12:0 a.m., 15 views

ConfigTimeLockController will put QuantConfig in a stalemate(rendering it unusable)

Lines of code Vulnerability details The QuantConfig contract has these important setters, setProtocolAddress, setProtocolUint256, setProtocolBoolean and setProtocolRole. This contract is subjected to a timelock before all such processes above are executed. But, the issue arises in the fact that i...

6.8 AI score, Exploits: 0

Code423n4, added 2022/03/22 12:0 a.m., 12 views

Usage of deprecated Chainlink functions

Lines of code Vulnerability details Impact The Chainlink functions latestAnswer and getAnswer are deprecated. Instead, use the latestRoundData and getRoundData functions. Proof of Concept Go to and search for latestAnswer or getAnswer. You'll find the deprecation notice. Tools Used none Recommend...

6.9 AI score, Exploits: 0

Code423n4, added 2022/03/21 12:0 a.m., 14 views

Chainlink pricer is using a deprecated API

Lines of code Vulnerability details Impact According to Chainlink's documentation, the latestAnswer function is deprecated. This function might suddenly stop working if Chainlink stop supporting deprecated APIs. And the old API can return stale data. Proof of Concept Tools Used None Recommended...

6.9 AI score, Exploits: 0

Code423n4, added 2022/03/21 12:0 a.m., 14 views

Incorrect implementation of Lender can result in lost tokens

Lines of code Vulnerability details Impact MapleLoanInternals.sendFee should check returnData.length == 32 before decoding, otherwise if it returns bytes data, the abi.decode will return 0x20, result in lost tokens. Proof of Concept This contract can test that when the function returns bytes data...

6.9 AI score, Exploits: 0

Total number of security vulnerabilities: 10190