DDOS - Omik

Duplicate of 119 --- The text was updated successfully, but these errors were encountered: All reactions...

Too many amms - Dravee

Duplicate of 97 --- The text was updated successfully, but these errors were encountered: All reactions...

Governance issue - robee

Title: Usage of an incorrect version of Ownbale library can potentially malfunction all onlyOwner functions Severity: High Risk --- The text was updated successfully, but these errors were encountered: All reactions...

DDOS - robee

Duplicate of 119 --- The text was updated successfully, but these errors were encountered: All reactions...

bEth Rewards May Be Depleted By Flashloans or Whales

Lines of code Vulnerability details Impact Rewards are dispersed to users as a percentage of the user's balance vs total balance of bEth. Rewards are accumulated each time a user calls executedecreasebalance, executeincreasebalance or executeclaimrewards as these functions will in term call...

Users Can Frontrun Token Distributions Using Flashloans

Lines of code Vulnerability details Impact The collector suite of contracts will actively send ANC token distributions to staked ANC token holders. However, because it is known beforehand that a distribution will be made to the governance contract, users can abuse this to frontrun distributions b...

Potential lock of rewards in the custody contracts

Lines of code Vulnerability details Impact The swaptostabledenom function in the custody contracts swaps all other native tokens into a specific one. The function creates swap messages for all the other native tokens and adds them as sub-messages, and handles the reply only when the last...

[WP-H3] money-market-contracts/oracle#feed_prices() delayed transaction may disrupt price feeds

Lines of code Vulnerability details The implementation only takes two attributes: asset and price. And the lastupdatedtime of the record will always be set to the current block.time. This makes it possible for the price feeds to be disrupted when the network is congested, or the endpoint is down...

money-market-contracts::overseer: Market ltv is not capped

Lines of code Vulnerability details Impact There is no check to ensure that maxltv is less than 100% Decimal::One. It is therefore possible to set a collateral factor of 1, allowing anyone to borrow more than the collateral value ie. enabling under-collateralized loans. While the likelihood of...

Spend limit on owner can be bypassed

Lines of code Vulnerability details Impact It seems that the owner is only allowed to spend amount uptil config.spendlimit. However it was observed that this config.spendlimit is never decreased even if owner has spend an amount. This makes config.spendlimit useless as owner can simply send...

Whitelisting is Disabled in CrossAnchorBridge.sol

Lines of code Vulnerability details Impact Upon deployment/initialisation, an array of collateral tokens are added to a whitelist, meaning that these tokens are the only tokens that should be deposited/redeemed. Any unsupported tokens should correctly revert so as to avoid instances where Terra...

Governance Voting Dis-proportionally Favours Users Who Stake And Vote After A Poll Has Been Created And Had Its Snapshot Taken

Lines of code Vulnerability details Impact Polls are created by targeting the receivecw20 function which is queried whenever the contract receives tokens. By setting the hook message to Cw20HookMsg::CreatePoll, the sender is able to create a poll, assuming the amount sent satisfies the minimum...

Simple interest calculation is not exact

Lines of code Vulnerability details Impact The borrow rate uses a simple interest formula to compute the accrued debt, instead of a compounding formula. pub fn computeinterestraw state: &mut State, blockheight: u64, balance: Uint256, aterrasupply: Uint256, borrowrate: Decimal256, targetdepositrat...

Missing Access Control for FabricateMIRClaim and FabricateANCClaim

Lines of code Vulnerability details Impact FabricateMIRClaim and FabricateANCClaim should only be issued by the Hub contract the central hub for all minted bLuna managed by Lido. However, executefabricateanchorclaim and executefabricatemirclaim do not restrict the caller, allowing anyone to submi...

[WP-H4] anchor_basset_reward pending yields can be stolen

Lines of code Vulnerability details For yield farming aggregators, if the pending yield on an underlying strategy can be harvested and cause a surge of rewards to all existing investors, especially if the harvest can be triggered permissionlessly. Then the attacker can amplify the attack using a...

Staking tokens can be stolen

Lines of code Vulnerability details Impact The staking contract keeps track of shares of each user. When withdrawing from the staking contract the amount parameter is converted to shares and this value is decreased shares = amount / totalbalance totalshare. This shares calculation rounds down whi...

Inconsistency behavior between bAsset tokens and the standard cw20 tokens

Lines of code Vulnerability details Impact The implementation of the send function of bAsset tokens is inconsistent with the standard cw20's implementation. In the standard implementation, the msg and the transfer amount are passed to the recipient contract as a regular message. However, in the...

bETH rewards can be timed

Lines of code Vulnerability details Impact The bETH reward contract allocates new rewards sent to the contract whenever updateglobalindex is called. It should be possible to time the transfer of the rewards to the contract and frontrun it with increasing one's token balance to capture more reward...

[WP-H0] When transferring tokens not in whitelist on Ethereum to Terra with CrossAnchorBridge.depositStable(), the funds may get frozen

Lines of code Vulnerability details In the current implementation of CrossAnchorBridge, all require that "Check that token is a whitelisted token" is commented out. As a result, users may send transcations with the non-whitelisted tokens and as they can not be processd properly on the Terra side,...

Unbonding validator random selection can be predicted

Lines of code Vulnerability details Impact When unbonding, the pickvalidator function is supposed to choose a random validator to unstake from. However, this randomness can be predicted knowing the block height which is very easy to predict. let mut iterationindex = 0; while claimed.u128 0 let mu...

Missing allowlist checks on tokens in CrossAnchorBridge could cause loss of funds

Lines of code Vulnerability details Impact The CrossAnchorBridge contract accepts any ERC20 token and transfers them to the wormhole bridge. There were allowlist checks on the tokens before, but they were commented out in this version for the audit. If a user transfers, for example, non-supported...

Sandwich attack on astroport sweep

Lines of code Vulnerability details Impact The collector contract allows anyone to sweep, swapping an asset token to ANC through astro port. Note that beliefprice is not set and config.maxspread might not be set as well or misconfigured. This allows an attacker to create a contract to perform a...

Spend limit can be circumvented

Lines of code Vulnerability details Impact The spending limit is on a single message. One can circumvent it by splitting the transaction up into several messages. if config.spendlimit amount return ErrStdError::genericerr"Cannot spend more than spendlimit"; It does not seem like a useful spend...

[WP-H2] money-market-contracts/contracts/market claim_rewards may revert due to spend_limit set on distributor

Lines of code Vulnerability details While claimrewards from the money-market, it calls the distributorcontractspend to send the rewards. let messages: Vec = if !claimamount.iszero vec!CosmosMsg::WasmWasmMsg::Execute contractaddr: deps .api .addrhumanize&config.distributorcontract? .tostring, fund...

Updating the hub’s token contract address may lead to incorrect undelegation amount

Lines of code Vulnerability details Updating the hub’s token contract address may lead to incorrect undelegation amounts Impact The hub contract allows config updates to the tokencontract config values in anchor-bAsset-contracts/contracts/anchorbassethub/src/config.rs Such updates can cause wrong...

Rewards can be stolen from contract

Lines of code Vulnerability details It was observed that executeclaimrewards/executedecreasebalance/executeincreasebalance are missing to update the global index before calculating user rewards in anchorbassetreward contract This can lead to serious consequences: 1. executeincreasebalance functio...

Possible Wrong bAsset Rewards/Borrow limits Calculation

Lines of code Vulnerability details Impact During the code review, It has been observed that reward calculation has been done with executeepochoperations function. However, the config are stored in the storage. When the ancpurchasefactor is updated by the owner, the executeepochoperations is not...

Whitelist check commented out on the Cross Chain Stable tokens

Lines of code Vulnerability details Impact During the code review, It has been observed that the whitelisted token check is commented out. That will cause to user fund lost on the bridge. The related function only should allow white-listed tokens. Proof of Concept 1. Navigate to the the following...

Underflown variable in borrowGivenDebtETHCollateral function

Lines of code Vulnerability details Impact borrowGivenDebtETHCollateral function does never properly call ETH.transfer due to underflow. If borrowGivenDebtETHCollateral function is not deprecated, it would cause unexpected behaviors for users. Proof of Concept Here are codes which contain a...

[WP-H1] Wrong timing of check allows users to withdraw collateral without paying for the debt

Lines of code Vulnerability details function payPayParam calldata param external override lock returns uint128 assetIn, uint128 collateralOut requireblock.timestamp = param.ids.length, 'E205'; for uint256 i; i = uint256collateralOut due.debt, 'E303'; due.debt -= param.assetsIni; due.collateral -=...

Borrowers can get back collateral without repaying loans

Lines of code Vulnerability details Impact A borrower can put up collateral for a loan then immediately withdraw the collateral, effectively stealing the loan amount from the lender. Proof of Concept The previous implementation from the prior contest used this check in TimeswapPair.pay which...

The pay() function can still be DOSed

Lines of code Vulnerability details Impact From the prior contest: in the pay function users repay their debt and in line 364: it decreases their debt. lets say a user wants to repay all his debt, he calls the pay function with his full debt. an attacker can see it and frontrun to repay a single...

NPM Dependency confusion. Unclaimed NPM Package and Scope/Org

Lines of code Vulnerability details Impact I discovered an npm package and the scope of the package is unclaimed on the NPM website. This will give any User to claim that package and be able to Upload a Malicious Code under that unclaimed package. This results in achieving the Remote code executi...

Missing Signature Verification Leads To Critical Parameter Changes

Lines of code Vulnerability details Impact During the code review, It has been observed that, signature verification is commented out in the protocol. Without off-chain signature verification, an attacker is able to edit parameters in the protocol Proof of Concept 1. Navigate to the following...

Fee-on-transfer/deflationary tokens cause problems

Lines of code Vulnerability details Some ERC20 tokens, such as Tether USDT, allow for charging a fee any time transfer or transferFrom is called. If a contract does not allow for amounts to change after transfers, subsequent transfer operations based on the original amount will revert due to the...

Wrong implementation of OperatorResolver::areOperatorsImported

This issue has been created to upgrade a QA report submission to a medium severity finding. From kenzo: Wrong implementation of OperatorResolver::areOperatorsImported The function as implemented will return true if the operators have same implementation but different selector, or different...

Deposit Box Does Not Account for Fee On Transfer Tokens Causing the Bridge To Absorb the Fees

Lines of code Vulnerability details Impact The function DepositBoxERC20.depositERC20 does not account for FoT Fee on Transfer tokens. FoT tokens charge a fee when transfer or transferFrom is called and it is subtracted from amount so the receiving address will receive less than amount of tokens...

function rebuildCache() in MixinOperatorResolver does not delete removed operators from operatorCache

This issue has been created to upgrade a QA report submission to a medium severity finding. From pauliax: function rebuildCache in MixinOperatorResolver does not delete removed operators from operatorCache. resolverOperatorsRequired return current active operators, so it will not contain removed...

The store method allows you to store the same token twice

This issue has been created to upgrade a QA report submission to a medium severity finding. From 0x1f8b: The store method allows you to store the same token twice in NestedRecords.solL130 To do this you must first call storenftId,tokenA,0,reserve and then storenftId,tokenA,100000,reserve because ...

Check if a value is in an array before a push

This issue has been created to upgrade a QA report submission to a medium severity finding. From Dravee: Check if a value is in an array before a push In NestedRecords.sol's store function, it's possible to push an existing address token several times in the same array File: NestedRecords.sol 130...

Schain owner dictate fund usage after kill

Lines of code Vulnerability details Impact After a schain is killed by both the owner and the IMA admin, schain admin can control all the fund using e.g. DepositBoxERC20.getFunds functions. This pose a significant centralization risk after the schain is killed. Proof of Concept function...

[WP-H2] When transferring tokens native on SKALE to Ethereum with TokenManagerERC20.exitToMainERC20(), the tokens on the schain will be frozen on TokenManagerERC20, but they will not receive tokens on Ethereum

Lines of code Vulnerability details In the current implementation of TokenManagerERC20, it allows exitToMainERC20tokenOnSchain, amount. At L277 of TokenManagerERC20.sol in exitToMainERC20, if tokenOnSchain is minted on SKALE schain natively, there are no such require statement that prevents the...

areOperatorsImported has incorrect logic

This issue has been created to upgrade a QA report submission to a medium severity finding. From 0xliumin: areOperatorsImported has incorrect logic Right now, this function returns false if the implementation AND the selector don't match. It's possible to provide a destination with either a...

Possible underflow when exit to mainnet with full amount after receiving tokens from another schain

Lines of code Vulnerability details Impact When tokens are transferred from one schain to another schain, the outgoing messages are not transmitted to the mainnet receiver. The amount of tokens on the receiving schain will increase but when exiting on mainnet with the full amount, it will cause...

Loss of pending messages (if any) in case removeConnectedChain is called

Lines of code Vulnerability details Impact If there are any unprocessed messages to be executed or processed, while removeConnectedChain is called, then they may be stuck from getting processed on the other end. If these messages have transactions for any token transfer then it will get stuck or...

Not compatible with Rebasing/Deflationary/Inflationary tokens

Lines of code Vulnerability details Proof of Concept The DepositBoxERC20 contract do not appear to support rebasing/deflationary/inflationary tokens whose balance changes during transfers or over time. The necessary checks include at least verifying the amount of tokens transferred to contracts...

Centralisation Risk: TokenManager Gives Unnecessary Permissions to The Default Admin Through changeDepositBoxAddress() Which May Cause The Bridge to Get Stuck

Lines of code Vulnerability details Impact The function changeDepositBoxAddress allows the DEFAULTADMINROLE to change the depositBox associated with a TokenManager. If the newDepositBox is incorrectly set either accidentally or maliciously it will cause the bridge to become stuck. For example if ...

There is a possibility of Token transfer getting stuck when using Erc1155BatchMessage

Lines of code Vulnerability details Impact In the event of user error while making the calldata for encodeTransferErc1155BatchMessage, where the size of the arrays of ids and amounts donot match, the message will get encoded due to no input validation, however the transfer will fail at the other...

Nodes can drain SKALE chain owners' wallets

Lines of code Vulnerability details The contest code does a good job of preventing users from withdrawing too quickly or attempting to do things without funds for gas. The nodes themselves however are not as well-secured. Impact By monitoring the values of headerMessageGasCost and messageGasCost...

Miners Can Manipulate tx.gasprice to Drain Users' Wallets in postIncomingMessages()

Lines of code Vulnerability details Impact The postIncomingMessages function is used to broadcast signed data indicating that a funds on an schain will be moved to mainnet. While the function performs proper signature verification, it doesn't prevent any arbitrary user from frontrunning the...