ClearingHouse fail if too many amm whitelisted
Lines of code Vulnerability details Impact Governance can whitelist amm in ClearingHouse using the whitelistAmm function. Since a lot of functions in the ClearingHouse contract will iterate over each of the amm in amms and call various amm.function, if too many amm are whitelisted it is possible for tho...
QA Report
1. VUSD.sol - withdrawals list can become too large so normal users will cost more gas to withdraw. Impact Function withdraw does not have a check for amount 0; a user can call it an infinite number of times and make the withdrawal list too large. And because the function processWithdrawals processes withdrawals in...
ClearingHouse looping over dynamic array might result in a DOS because of the block gas limit
Lines of code Vulnerability details Impact Inside the ClearingHouse contract there are multiple instances where it loops over the dynamic amms array. There is no way of looping over a subset of the array or continuing from where you left off. Thus, if the array is large enough certain functions won't be...
[WP-M3] TurboRouter.sol#createSafeAndDeposit*() CreateSafeAndDeposit combo methods won't work as an allowance cannot be granted to a newly created Safe for deposit
Lines of code Vulnerability details The TurboRouter.soldeposit function can be used in a multicall together with approve and pullToken from PeripheryPayments to pull tokens from msg.sender and grant allowance for the ERC4626 Safe to call asset.safeTransferFrom with the msg.sender being the router...
The initialize() function can be called first by an attacker
Lines of code Vulnerability details Impact In Delegation.sol the initialize function sets the owner of the contract and can only be called once. The problem is that an attacker can monitor the blockchain byte code and call the initialize function first automatically before the protocol has a chan...
permit() without updating nonce can result in replay attacks
Lines of code Vulnerability details Impact In PermitAndMulticall.sol the permit is called on the permitToken which allows you to sign the meta-transaction while someone else can submit it to the blockchain on your behalf. The problem is that a valid signature might be used several times in other...
ERC4626.mint() doesn't mint the correct amount
Lines of code Vulnerability details Impact The ERC4626.mint function doesn't mint the correct amount of tokens. Instead of minting amount number of tokens, it should mint shares number of tokens. Since the user doesn't receive the correct amount of tokens I'd rate this issue "HIGH". Proof of...
Use of external calls without reentrancy modifiers
Lines of code Vulnerability details Impact In TWAPDelegator.sol functions like updateDelegatee and createDelegation have external calls without the use of reentrancy modifiers. These modifiers can serve as a strong security tool to prevent attacks when using external calls. Proof of Concept Tools...
DoS in permitAndMulticall
Lines of code Vulnerability details Impact The permitAndMulticall function does not authenticate the data argument through any signatures. Only the from, amount parameters are as chosen by the from user as these are checked in the permitAndMulticall - ERC20ticket.permit call. An attacker can...
batched delegate calls used can result in double spending bug
Lines of code Vulnerability details Impact In TWABDelegator.sol anyone can call the multicall function which then calls multicall in PermitAndMulticall.sol. When using batched delegatecalls the msg.sender and msg.value are not updated on every iteration and this can result in double spending bugs...
Lack of approve after creating a safe in TurboRouter
Lines of code Vulnerability details Impact Both createSafeAndDeposit function and createSafeAndDepositAndBoost would revert on every call. Proof of Concept Both functions suffer from the same mistake so I'll detail only createSafeAndDeposit link 1. First the function calls...
Bypass MAX_LOCK duration + External calls even when delegation is locked
Lines of code Vulnerability details Impact Delegation owner can change the MAX_LOCK duration even though current lock set on delegation has not yet expired Also Delegation owner can execute calls even when delegation is locked Proof of Concept Bypass MAX_LOCK: 1. User A creates a new Delegation usi...
Griefing attack at VUSD withdraw queue is possible
Lines of code Vulnerability details Impact A malicious user can make lots of withdrawal requests to fill up the queue, making VUSD withdrawals unreachable for all other users Proof of Concept There is no control of the size or number of the withdrawal requests, and VUSD will burn even 1 wei amoun...
TokenManagerERC721.sol _exit() function uses transferFrom
Lines of code Vulnerability details Impact In TokenManagerERC721 the exit function makes use of transferFrom instead of safeTransferFrom. Tokens that don’t correctly implement the latest EIP20 spec will be unusable in the protocol as they revert the transaction because of the missing return value...
CONSTANT_SETTER_ROLE is never assigned in CommunityLocker.sol
Lines of code Vulnerability details Impact In CommunityLocker.sol only the caller with the CONSTANT_SETTER_ROLE can call the setTimeLimitPerMessage function. The problem is that the CONSTANT_SETTER_ROLE is never assigned in the contract. Only the DEFAULT_ADMIN_ROLE is assigned in the initialize functio...
InsuranceFund depositors can be priced out & deposits can be stolen
Lines of code Vulnerability details Impact The InsuranceFund.deposit function mints initial shares equal to the deposited amount. The deposit / withdraw functions also use the VUSD contract balance for the shares computation. balance = vusd.balanceOf(address(this)) It's possible to increase the share...
Withdrawals can be spammed and other users blocked
Lines of code Vulnerability details Impact The VUSD.processWithdrawals function only performs maxWithdrawalProcesses actually maxWithdrawalProcesses + 1 iterations per call. Withdrawals can be freely spammed by a griefer calling burnamount with a zero amount. All future withdrawals are blocked...
totalAssets() can overflow leading to the incorrect pricing of assets
Lines of code Vulnerability details The TurboSafe's totalAssets function is used by ERC4626.previewDeposit, ERC4626.previewMint, ERC4626.previewWithdraw, and ERC4626.previewRedeem. These preview functions are called directly by the non-preview versions and therefore if totalAssets has the wrong...
ERC4626RouterBase.withdraw should use a **max** shares out check
Lines of code Vulnerability details Impact The docs/video say ERC4626RouterBase.sol is in scope as its part of TurboRouter The ERC4626RouterBase.withdraw function withdraws the asset amount parameter by burning shares. function withdraw IERC4626 vault, address to, uint256 amount, uint256...
ERC4626 mint uses wrong amount
Lines of code Vulnerability details Impact The docs/video say ERC4626.sol is in scope as its part of TurboSafe The ERC4626.mint function mints amount instead of shares. This will lead to issues when the asset shares are not 1-to-1 as will be the case for most vaults over time. Usually, the asset...
TurboRouter can't interact with existing TurboSafe because of the authentication modifier
Lines of code Vulnerability details Impact The TurboRouter is not able to interact with an existing TurboSafe because of the authentication modifier of the respective TurboSafe functions. Because of that, those router functions are unusable. Proof of Concept Here's the test file I used to confirm...
totalFeiBoosted vars can desync in TurboSafe and TurboMaster
Lines of code Vulnerability details Impact The TurboSafe and TurboMaster contracts each keep track of totalFeiBoosted, getTotalFeiBoostedForVault, and Master keeps track of getTotalBoostedAgainstCollateral in addition. For the TurboMaster contract, these values should be the sum of the...
Slurp can be frontrun with fee increase
Lines of code Vulnerability details Impact The TurboSafe.slurp function fetches the current fee from the clerk. This fee can be changed. The slurp transaction can be frontrun with a fee increase specifically targeted for the vault or the asset by the clerk and steal the vault yield that should go...
ERC4626 does not work with fee-on-transfer tokens
Lines of code Vulnerability details Impact The docs/video say ERC4626.sol is in scope as its part of TurboSafe The ERC4626.deposit/mint functions do not work well with fee-on-transfer tokens as the amount variable is the pre-fee amount, including the fee, whereas the totalAssets do not include th...
TurboRouter: deposit(), mint(), createSafeAndDeposit() and createSafeAndDepositAndBoost() functions may be vulnerable to FRONT-RUN attack
Lines of code Vulnerability details Impact The TurboRouter contract inherits from the PeripheryPayments contract. To execute the deposit, mint, createSafeAndDeposit and createSafeAndDepositAndBoost functions of the TurboRouter contract, the user needs to first execute the pullToken and approve...
User can't create TurboSafe through TurboMaster.createSafe()
Lines of code Vulnerability details Impact A user can't create a safe because of the requiresAuth modifier in createSafe. Neither directly through the TurboMaster contract nor through the router. Proof of Concept Here's the test file I used to confirm it. I had to modify the contracts a little bi...
ERC4626 mints more shares than it should
Lines of code Vulnerability details bug in the mint function of the ERC4626 contract The mint function receives an amount of shares and an address to and mints the amount of shares to the to address. The sender must transfer an amount of token, so that the ratio will be saved - shares / totalShar...
TurboRouter: Dangerous PeripheryPayments Contract
Lines of code Vulnerability details Impact As an entry contract, the TurboRouter contract plays an important role in interacting with users. And the TurboRouter contract inherits from the PeripheryPayments contract. In the PeripheryPayments contract, anyone can use the tokens and ETH in the...
High Risk Title
Lines of code 2022-01-dev-test-repo-findings/README.md Line 1 in 21e7cf8: THIS IS A TEST REPO FOR DEV PURPOSES Vulnerability details Impact Detailed description of the impact of th...
ERC4626 mints token amount, not number of shares
Lines of code Vulnerability details Impact If the number of assets is different from the number of shares, the user will get more or less shares than they expect. Users don't have to be sophisticated at all, just using the contract as intended can cause users to get more or less of the shares of ...
TurboRouter: deposit(), mint(), createSafeAndDeposit() and createSafeAndDepositAndBoost() functions do not work
Lines of code Vulnerability details Impact The TurboRouter contract inherits from the ERC4626RouterBase contract. When the user calls the deposit, mint, createSafeAndDeposit and createSafeAndDepositAndBoost functions of the TurboRouter contract, the deposit and mint functions of the...
Mint does not produce the intended amount of shares
Lines of code Vulnerability details Resubmitting this issue with a better explanation, apologize for the double submit. Impact In the mint function, it should produce shares token, but there is an inattention mistake and it produces amount tokens. Proof of Concept Assume the contract manages 1000...
TurboRouter: deposit(), mint(), createSafeAndDeposit() and createSafeAndDepositAndBoost() functions do not work
Lines of code Vulnerability details Impact The TurboRouter contract inherits from the ERC4626RouterBase contract. When the user calls the deposit, mint, createSafeAndDeposit and createSafeAndDepositAndBoost functions of the TurboRouter contract, the deposit and mint functions of the...
Seems to be an inattention error
Lines of code Vulnerability details Shouldn't it be mintto, shares; ? Currently the using mint , one would receive as many shares as assets they transfer, which is not the intended behaviour
Reentrancy in depositBribeERC20
Lines of code Vulnerability details Description The contract was found vulnerable to Reentrancy attack. It was noticed that the function depositBribeERC20 makes an external call to another untrusted address or a contract before it resolves any effects at line "" If the attacker controls the...
[WP-H5] RewardDistributor.setBribeVault() can cause users who haven't claimed their native tokens yet can not claim the reward anymore
Lines of code Vulnerability details In the current implementation, RewardDistributor.claim is using if token != bribeVault token is from rewardsrewardIdentifier.token to detect whether it's a ERC20 token or native token ETH. However, this is not a trustworthy way to determine whether the reward i...
RewardDistributor._claim uses native token payable.transfer, which is unsafe for smart contracts
Lines of code Vulnerability details Impact When reward.token is set to vault address and native token is used, it is sent out via payable.transfer call. This is unsafe as transfer has hard coded gas budget and can fail when the account is a smart contract. Such transactions will fail for smart...
admin can rug pull
Lines of code Vulnerability details In the links I provided, the admin can steal all user funds. this can cause reputation risk.
Non-Standard ERC20 Tokens Are Not Supported
Lines of code Vulnerability details Impact There are several contracts which do not utilise OpenZeppelin's SafeERC20 library when performing token transfers. The Redacted Cartel suite of smart contracts intends to support bribes from all tokens, including non-standard tokens such as USDT which do...
DEPOSITOR_ROLE can manipulate b.amount value
Lines of code Vulnerability details Impact Malicious DEPOSITOR_ROLE can do a self transfer and manipulate b.amount Proof of Concept In case malicious DEPOSITOR_ROLE inputting WETH address and putting briber == address(this) in safeTransferFrom argument which is self transferring. Therefore, it is...
[WP-H3] Centralization Risk: Funds can be frozen when critical key holders lose access to their keys
Lines of code Vulnerability details The current implementation requires trusted key holders DEFAULT_ADMIN_ROLE of BribeVault to send transactions transferBribes to move funds from BribeVault to RewardDistributor before the users can get rewards from the contract. This introduces a high centralizati...
Reentrancy in depositBribe in TokemakBribe.sol
Lines of code Vulnerability details Description The contract was found vulnerable to Reentrancy attack. It was noticed that the function depositBribe makes an external call to another untrusted address or a contract before it resolves any effects at line "" If the attacker controls the untrusted...
Reentrancy in depositBribeERC20 in TokemakBribe.sol
Lines of code Vulnerability details Description The contract was found vulnerable to Reentrancy attack. It was noticed that the function depositBribeERC20 makes an external call to another untrusted address or a contract before it resolves any effects at line "" If the attacker controls the...
Turbo Safe's can be created with malicious tokens
Lines of code Vulnerability details Impact In TurboMaster.sol the createSafe function is called when the user calls a function with the same name in the TurboRouter.sol file. It then creates a new Turbo Safe with an arbitrary token supplied by the user. Since there is no whitelist of acceptable...
Arbitrary fees
Lines of code Vulnerability details Impact Function transferBribes has a parameter named fees. Essentially, it allows an admin to apply any arbitrary fees and send them to the feeRecipient. This makes no sense because admins can manipulate the amounts however they want with 0 restrictions. I see...
Reentrancy in depositBribeERC20 function
Lines of code Vulnerability details Impact depositBribeERC20 function in BribeVault is reentrant in line 187, where an address supplied by the caller is called. A bad actor that has DEPOSITOR_ROLE and is a contract can execute a following attack: 1. Create a dummy token contract, reentrant in the...
Wrong pragma
Lines of code Vulnerability details Impact Use a buggy version of solidity with immutable. Proof of Concept The contract uses immutable, and this solidity version defined in the pragma has some issues with them, as you can see here. Recommended Mitigation Steps Use at least 0.8.9
Use of IERC20.transfer() instead of SafeERC20.safeTransfer()
Lines of code Vulnerability details Impact There are multiple external calls to IERC20.transfer that are supposed to transfer out tokens from the system. However, there are tokens like USDT that don't return any return value in their implementation of the transfer function, so calling IERC20.transfer ...
DoS by Creating Excessive Length withdrawals List.
Lines of code Vulnerability details Impact It is possible for an attacker to add a large number of withdrawals to the list withdrawals. The result is that users will be required to submit numerous processWithdrawals transactions before they are able to withdraw any of their own funds. This may...
canSafeBoostVault() doesn't actually check the feiAmount passed in
Lines of code Vulnerability details Impact In TurboMaster.sol the onSafeBoost function calls canSafeBoostVault on the booster contract to check if the safe is allowed to boost the vault using the feiAmount which is passed in by the caller as an argument. The problem is that the feiAmount is never...