Lucene search
K
Code423n4Recent

10190 matches found

Code423n4
Code423n4
•added 2022/02/23 12:0 a.m.•10 views

ClearingHouse fail if too many amm whitelisted

Lines of code Vulnerability details Impact Governance can whitelist amm in ClearingHouse using the whitelistAmm function. Since a lot of function in the ClearingHouse contract will iterate each of the amm in amms and call various amm.function, if too many amm is whitelisted it is possible for tho...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/23 12:0 a.m.•12 views

QA Report

1. VUSD.sol - withdrawals list can become too large so normal users will cost more gas to withdraw. Impact Function withdraw do not have check for amount 0, an user can call it infinite time and make withdrawal list too large And because the function processWithdrawals processes withdrawals in...

6.9AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/23 12:0 a.m.•12 views

ClearingHouse looping over dynamic array might result in a DOS because of the block gas limit

Lines of code Vulnerability details Impact Inside the ClearingHouse contract there are multiple instances where it loops over the dynamic amms array. There is no way looping over a subset of the array or continuing for you left off. Thus, if the array is large enough certain functions won't be...

6.7AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/23 12:0 a.m.•14 views

[WP-M3] TurboRouter.sol#createSafeAndDeposit*() CreateSafeAndDeposit combo methods won't work as an allowance cannot be granted to a newly created Safe for deposit

Lines of code Vulnerability details The TurboRouter.soldeposit function can be used in a multicall together with approve and pullToken from PeripheryPayments to pull tokens from msg.sender and grant allowance for the ERC4626 Safe to call asset.safeTransferFrom with the msg.sender being the router...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/22 12:0 a.m.•11 views

The initialize() function can be called first by an attacker

Lines of code Vulnerability details Impact In Delegation.sol the initialize function sets the owner of the contract and can only be called once. The problem is that an attacker can monitor the blockchain byte code and call the initialize function first automatically before the protocol has a chan...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/22 12:0 a.m.•12 views

permit() without updating nonce can result in replay attacks

Lines of code Vulnerability details Impact In PermitAndMulticall.sol the permit is called on the permitToken which allows you to sign the meta-transaction while someone else can submit it to the blockchain on your behalf. The problem is that a valid signature might be used several times in other...

6.9AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/22 12:0 a.m.•20 views

ERC4626.mint() doesn't mint the correct amount

Lines of code Vulnerability details Impact The ERC4626.mint function doesn't mint the correct amount of tokens. Instead of minting amount number of tokens, it should mint shares number of tokens. Since the user doesn't receive the correct amount of tokens I'd rate this issue "HIGH". Proof of...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/22 12:0 a.m.•10 views

Use of external calls without reentrancy modifers

Lines of code Vulnerability details Impact In TWAPDelegator.sol functions like updateDelegatee and createDelegation have external calls without the use of reentrancy modifiers. These modifiers can serve as a strong security tool to prevent attacks when using external calls. Proof of Concept Tools...

7AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/22 12:0 a.m.•7 views

DoS in permitAndMulticall

Lines of code Vulnerability details Impact The permitAndMulticall function does not authenticate the data argument through any signatures. Only the from, amount parameters are as chosen by the from user as these are checked in the permitAndMulticall - ERC20ticket.permit call. An attacker can...

6.7AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/22 12:0 a.m.•9 views

batched delegate calls used can result in double spending bug

Lines of code Vulnerability details Impact In TWABDelegator.sol anyone can call the multicall function which then calls multicall in PermitAndMulticall.sol. When using batched delegatecalls the msg.sender and msg.value are not updated on every iteration and this can result in double spending bugs...

7.1AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/22 12:0 a.m.•16 views

Lack of approve after creating a safe in TurboRouter

Lines of code Vulnerability details Impact Both createSafeAndDeposit function and createSafeAndDepositAndBoost would revert on every call. Proof of Concept Both functions suffers from the same mistake so I'll detailed only on createSafeAndDeposit link 1. First the function calls...

6.7AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/22 12:0 a.m.•9 views

Bypass MAX_LOCK duration + External calls even when delegation is locked

Lines of code Vulnerability details Impact Delegation owner can change the MAXLOCK duration even though current lock set on delegation has not yet expired Also Delegation owner can execute calls even when delegation is locked Proof of Concept Bypass MAXLOCK: 1. User A creates a new Delegation usi...

6.9AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/21 12:0 a.m.•13 views

Griefing attack at VUSD withdraw queue is possible

Lines of code Vulnerability details Impact A malicious user can make lots of withdrawal requests to fill up the queue, making VUSD withdrawals unreachable for all other users Proof of Concept There is no control of the size or number of the withdrawal requests, and VUSD will burn even 1 wei amoun...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/21 12:0 a.m.•7 views

TokenManagerERC721.sol _exit() function uses transferFrom

Lines of code Vulnerability details Impact In TokenManagerERC721 the exit function makes use of transferFrom instead of safeTransferFrom. Tokens that don’t correctly implement the latest EIP20 spec will be unusable in the protocol as they revert the transaction because of the missing return value...

7AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/21 12:0 a.m.•7 views

CONSTANT_SETTER_ROLE is never assigned in CommunityLocker.sol

Lines of code Vulnerability details Impact In CommunityLocker.sol only the caller with the CONSTANTSETTERROLE can call the setTimeLimitPerMessage function. The problem is that the CONSTANTSETTERROLE is never assigned in the contract. Only the DEFAULTADMINROLE is assigned in the initialize functio...

7AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/21 12:0 a.m.•10 views

InsuranceFund depositors can be priced out & deposits can be stolen

Lines of code Vulnerability details Impact The InsuranceFund.deposit function mints initial shares equal to the deposited amount. The deposit / withdraw functions also use the VUSD contract balance for the shares computation. balance = vusd.balanceOfaddressthis It's possible to increase the share...

6.7AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/21 12:0 a.m.•10 views

Withdrawals can be spammed and other users blocked

Lines of code Vulnerability details Impact The VUSD.processWithdrawals function only performs maxWithdrawalProcesses actually maxWithdrawalProcesses + 1 iterations per call. Withdrawals can be freely spammed by a griefer calling burnamount with a zero amount. All future withdrawals are blocked...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/20 12:0 a.m.•11 views

totalAssets() can overflow leading to the incorrect pricing of assets

Lines of code Vulnerability details The TurboSafe's totalAssets function is used by ERC4626.previewDeposit, ERC4626.previewMint, ERC4626.previewWithdraw, and ERC4626.previewRedeem. These preview functions are called directly by the non-preview versions and therefore if totalAssets has the wrong...

7AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/20 12:0 a.m.•9 views

ERC4626RouterBase.withdraw should use a **max** shares out check

Lines of code Vulnerability details Impact The docs/video say ERC4626RouterBase.sol is in scope as its part of TurboRouter The ERC4626RouterBase.withdraw function withdraws the asset amount parameter by burning shares. function withdraw IERC4626 vault, address to, uint256 amount, uint256...

6.7AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/20 12:0 a.m.•10 views

ERC4626 mint uses wrong amount

Lines of code Vulnerability details Impact The docs/video say ERC4626.sol is in scope as its part of TurboSafe The ERC4626.mint function mints amount instead of shares. This will lead to issues when the asset shares are not 1-to-1 as will be the case for most vaults over time. Usually, the asset...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/20 12:0 a.m.•9 views

TurboRouter can't interact with existing TurboSafe because of the authentication modifier

Lines of code Vulnerability details Impact The TurboRouter is not able to interact with an existing TurboSafe because of the authentication modifier of the respective TurboSafe functions. Because of that, those router functions are unusable. Proof of Concept Here's the test file I used to confirm...

6.9AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/20 12:0 a.m.•7 views

totalFeiBoosted vars can desync in TurboSafe and TurboMaster

Lines of code Vulnerability details Impact The TurboSafe and TurboMaster contracts each keep track of totalFeiBoosted, getTotalFeiBoostedForVault, and Master keeps track of getTotalBoostedAgainstCollateral in addition. For the TurboMaster contract, these values should be the sum of the...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/20 12:0 a.m.•6 views

Slurp can be frontrun with fee increase

Lines of code Vulnerability details Impact The TurboSafe.slurp function fetches the current fee from the clerk. This fee can be changed. The slurp transaction can be frontrun with a fee increase specifically targeted for the vault or the asset by the clerk and steal the vault yield that should go...

6.7AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/20 12:0 a.m.•65 views

ERC4626 does not work with fee-on-transfer tokens

Lines of code Vulnerability details Impact The docs/video say ERC4626.sol is in scope as its part of TurboSafe The ERC4626.deposit/mint functions do not work well with fee-on-transfer tokens as the amount variable is the pre-fee amount, including the fee, whereas the totalAssets do not include th...

6.7AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/20 12:0 a.m.•9 views

TurboRouter: deposit(), mint(), createSafeAndDeposit() and createSafeAndDepositAndBoost() functions may be vulnerable to FRONT-RUN attack

Lines of code Vulnerability details Impact The TurboRouter contract inherits from the PeripheryPayments contract. To execute the deposit, mint, createSafeAndDeposit and createSafeAndDepositAndBoost functions of the TurboRouter contract, the user needs to first execute the pullToken and approve...

7.3AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/20 12:0 a.m.•12 views

User can't create TurboSafe through TurboMaster.createSafe()

Lines of code Vulnerability details Impact A user can't create a safe because of the requiresAuth modifier in createSafe. Neither directly through the TurboMaster contract nor through the router. Proof of Concept Here's the test file I used to confirm it. I had to modify the contracts a little bi...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/20 12:0 a.m.•13 views

ERC4626 mints more shares than it should

Lines of code Vulnerability details bug in the mint function of the ERC4626 contract The mint function recieves an amount of shares and an address to and mints the amount of shares to the to address. The sender must transfer an amount of token, so that the ratio will be saved - shares / totalShar...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/20 12:0 a.m.•12 views

TurboRouter: Dangerous PeripheryPayments Contract

Lines of code Vulnerability details Impact As an entry contract, the TurboRouter contract plays an important role in interacting with users. And the TurboRouter contract inherits from the PeripheryPayments contract. In the PeripheryPayments contract, anyone can use the tokens and ETH in the...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/19 12:0 a.m.•5 views

High Risk Title

Lines of code 2022-01-dev-test-repo-findings/README.md Line 1 in 21e7cf8 | | THIS IS A TEST REPO FOR DEV PURPOSES ---|--- 2022-01-dev-test-repo-findings/README.md Line 1 in 21e7cf8 | THIS IS A TEST REPO FOR DEV PURPOSES ---|--- Vulnerability details Impact Detailed description of the impact of th...

7.1AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/18 12:0 a.m.•13 views

ERC4626 mints token amount, not number of shares

Lines of code Vulnerability details Impact If the number of assets is different from the number of shares, the user will get more or less shares than they expect. Users don't have to be sophisticated at all, just using the contract as intended can cause users to get more or less of the shares of ...

6.9AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/18 12:0 a.m.•9 views

TurboRouter: deposit(), mint(), createSafeAndDeposit() and createSafeAndDepositAndBoost() functions do not work

Lines of code Vulnerability details Impact The TurboRouter contract inherits from the ERC4626RouterBase contract. When the user calls the deposit, mint, createSafeAndDeposit and createSafeAndDepositAndBoost functions of the TurboRouter contract, the deposit and mint functions of the...

7AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/18 12:0 a.m.•12 views

Mint does not produce the intended amount of shares

Lines of code Vulnerability details Resubmitting this issue with a better explanation, apologize for the double submit. Impact In the mint function, it should produce shares token, but there is an inattention mistake and it produces amount tokens. Proof of Concept Assume the contract manages 1000...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/18 12:0 a.m.•13 views

TurboRouter: deposit(), mint(), createSafeAndDeposit() and createSafeAndDepositAndBoost() functions do not work

Lines of code Vulnerability details Impact The TurboRouter contract inherits from the ERC4626RouterBase contract. When the user calls the deposit, mint, createSafeAndDeposit and createSafeAndDepositAndBoost functions of the TurboRouter contract, the deposit and mint functions of the...

7AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/18 12:0 a.m.•7 views

Seems to be an inattention error

Lines of code Vulnerability details Shouldn't it be mintto, shares; ? Currently the using mint , one would receive as many shares as assets they transfer, which is not the intended behaviour --- The text was updated successfully, but these errors were encountered: All reactions...

6.9AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/17 12:0 a.m.•11 views

Reentrancy in depositBribeERC20

Lines of code Vulnerability details Description The contract was found vulnerable to Reentrancy attack. It was noticed that the function depositBribeERC20 makes an external call to another untrusted address or a contract before it resolves any effects at line "" If the attacker controls the...

6.9AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/17 12:0 a.m.•13 views

[WP-H5] RewardDistributor.setBribeVault() can cause users who haven't claimed their native tokens yet can not claim the reward anymore

Lines of code Vulnerability details In the current implementation, RewardDistributor.claim is using if token != bribeVault token is from rewardsrewardIdentifier.token to detect whether it's a ERC20 token or native token ETH. However, this is not a trustworthy way to determine whether the reward i...

6.7AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/17 12:0 a.m.•12 views

RewardDistributor._claim uses native token payable.transfer, which is usafe for smart contracts

Lines of code Vulnerability details Impact When reward.token is set to vault address and native token is used, it is sent out via payable.transfer call. This is unsafe as transfer has hard coded gas budget and can fail when the account is a smart contract. Such transactions will fail for smart...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/17 12:0 a.m.•11 views

admin can rug pull

Lines of code Vulnerability details In the links I provided, the admin can steal all user funds. this can cause reputation risk. --- The text was updated successfully, but these errors were encountered: All reactions...

6.9AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/17 12:0 a.m.•4 views

Non-Standard ERC20 Tokens Are Not Supported

Lines of code Vulnerability details Impact There are several contracts which do not utilise OpenZeppelin's SafeERC20 library when performing token transfers. The Redacted Cartel suite of smart contracts intends to support bribes from all tokens, including non-standard tokens such as USDT which do...

7AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/17 12:0 a.m.•9 views

DEPOSITOR_ROLE can manipulate b.amount value

Lines of code Vulnerability details Impact Malicious DEPOSITORROLE can doing self transfer and manipulate b.amount Proof of Concept In case malicious DEPOSITORROLE inputing WETH address and putting briber == addressthis in safeTransferFrom argument which is self transfering. Therefore, it is...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/17 12:0 a.m.•9 views

[WP-H3] Centralization Risk: Funds can be frozen when critical key holders lose access to their keys

Lines of code Vulnerability details The current implementation requires trusted key holders DEFAULTADMINROLE of BribeVault to send transactions transferBribes to move funds from BribeVault to RewardDistributor before the users can get rewards from the contract. This introduces a high centralizati...

6.7AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/17 12:0 a.m.•4 views

Reentrancy in depositBribe in TokemakBribe.sol

Lines of code Vulnerability details Description The contract was found vulnerable to Reentrancy attack. It was noticed that the function depositBribe makes an external call to another untrusted address or a contract before it resolves any effects at line "" If the attacker controls the untrusted...

6.9AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/17 12:0 a.m.•8 views

Reentrancy in depositBribeERC20 in TokemakBribe.sol

Lines of code Vulnerability details Description The contract was found vulnerable to Reentrancy attack. It was noticed that the function depositBribeERC20 makes an external call to another untrusted address or a contract before it resolves any effects at line "" If the attacker controls the...

6.9AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/17 12:0 a.m.•10 views

Turbo Safe's can be created with malicious tokens

Lines of code Vulnerability details Impact In TurboMaster.sol the createSafe function is called when the user calls a function with the same name in the TurboRouter.sol file. It then creates a new Turbo Safe with an arbitrary token supplied by the user. Since there is no whitelist of acceptable...

7AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/17 12:0 a.m.•9 views

Arbitrary fees

Lines of code Vulnerability details Impact Function transferBribes has a parameter named fees. Essentially, it allows an admin to apply any arbitrary fees and send them to the feeRecipient. This makes no sense because admins can manipulate the amounts however they want with 0 restrictions. I see...

6.9AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/17 12:0 a.m.•15 views

Reentrancy in depositBribeERC20 function

Lines of code Vulnerability details Impact depositBribeERC20 function in BriveVault is reentrant in line 187, where an address supplied by the caller is called. A bad actor that has DEPOSITORROLE and is a contract can execute a folowing attack: 1. Create a dummy token contract, reentrant in the...

7AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/17 12:0 a.m.•10 views

Wrong pragma

Lines of code Vulnerability details Impact Use a buggy version of solidity with immutable. Proof of Concept The contract use immutable, and this solidity version defined in the pragma has some issues with them, as you can see here. Recommended Mitigation Steps Use at least 0.8.9 --- The text was...

6.9AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/17 12:0 a.m.•9 views

Use of IERC20.transfer() instead of SafeERC20.safeTransfer()

Lines of code Vulnerability details Impact There are multiple external calls to IERC20.transfer that suppose to transfer out tokens from the system. However, there are tokens like USDT that don't return any return value in their implementation of the transfer function, so calling IERC20.transfer ...

7AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/17 12:0 a.m.•10 views

DoS by Creating Excessive Length withdrawals List.

Lines of code Vulnerability details Impact It is possible for an attacker to add a large number of withdrawals to the list withdrawals. The result is that users will be required to submit numerous processWithdrawals transactions before they are able to withdraw any of their own funds. This may...

6.6AI score
Exploits0
Code423n4
Code423n4
•added 2022/02/17 12:0 a.m.•14 views

canSafeBoostVault() doesn't actually check the feiAmount passed in

Lines of code Vulnerability details Impact In TurboMaster.sol the onSafeBoost function calls canSafeBoostVault on the booster contract to check if the safe is allowed to boost the vault using the feiAmount which is passed in by the caller as an argument. The problem is that the feiAmount is never...

6.9AI score
Exploits0
Total number of security vulnerabilities10190