Slippage protection

Handle pauliax Vulnerability details Impact Consider adding a configurable slippage parameter here to prevent users suffering from sandwitch bots: minAmountsOut0 = 0; minAmountsOut1 = 0; IVault.ExitPoolRequest ... minAmountsOut and used in both sNOTE and TreasuryManager contracts:...

Treasury cannot claim COMP tokens & COMP tokens are stuck

Handle cmichel Vulnerability details The TreasuryAction.claimCOMPAndTransfer function uses pre- and post-balances of the COMP token to check which ones to transfer: function claimCOMPAndTransferaddress calldata cTokens external override onlyManagerContract nonReentrant returns uint256 // Take a...

Bypass Vote Flipping Time Addition

Handle kirk-baird Vulnerability details Impact It is possible to bypass the additional 2hrs added to the length of voting when the vote flips from positive to negative or vice versa. This can be done by breaking the vote into two steps first sending enough fate to make the proposal zero. Then...

Locking of User Funds Without Permission

Handle kirk-baird Vulnerability details Impact The function assertGovernanceApprovedaddress sender, address target, bool emergency has public visibility and may be called by any user. Since the user who creates the transaction is able to specify the sender address they are able to force users who...

Loss Of Flash Governance Tokens If They Are Not Withdrawn Before The Next Request

Handle kirk-baird Vulnerability details Impact Users who have not called withdrawGovernanceAsset after they have locked their tokens from a previous proposal i.e. assertGovernanceApproved, will lose their tokens if assertGovernanceApproved is called again with the same target and sender. The send...

flan can't be transferred unless the flan contract has flan balance greater than the amount we want to transfer

Handle CertoraInc Vulnerability details Flan.sol safeTransfer function The flan contract must have balance and must have more flan then we want to transfer in order to allow flan transfers. If it doesn't have any balance, the safeTransfer, which is the only way to transfer flan, will call transfe...

Stacking with 0 amount will reset rewarded without claiming any flan.

Handle Randyyy Vulnerability details Impact A user can stake their token by calling stake function, by supplying a token, however staking 0 amount token is allowed, staking 0 amount will reset the reward debt, without minting a single flan token, the function will treat as if the user do the...

Burning a User's Tokens for a Flash Proposal will not Deduct Their Balance

Handle kirk-baird Vulnerability details Impact The proposal to burn a user's tokens for a flash governance proposal does not result in the user losing any funds and may in fact unlock their funds sooner. Proof of Concept The function burnFlashGovernanceAsset will simply overwrite the user's state...

sNote one sided LP provisions are vulnerable to sandwich attacks

Handle hyh Vulnerability details Impact Both types of one sided liquidity addition are enabled with sNote minting: a user can mint with only ETH/WETH and with only Note. In both cases a price impact of the operation isn't controlled. As a result the sandwich attack is possible and can be...

Reentrancy on Flash Governance Proposal Withdrawal

Handle kirk-baird Vulnerability details Impact The function withdrawGovernanceAsset is vulnerable to reentrancy, which would allow the attacker to drain the balance of the flashGoverananceConfig.asset. Note: this attack assumes the attacker may gain control of the execution flow in asset.tranfer...

Use of deprecated Chainlink latestAnswer()

Handle sirhashalot Vulnerability details Impact Chainlink's documentation listed the latestAnswer function as deprecated. This function doesn't revert if no answer is available but returns 0, and the return value of latestanswer is not checked in the Notional code. In fact, Chainlink removed thei...

user won't be able to get his rewards in case of staking with amount = 0

Handle CertoraInc Vulnerability details Limbo.sol stake function if a user has a pending reward and he call the stake function with amount = 0, he won't be able to get his reward he won't get the reward, and the reward debt will cover the reward that's happening because the reward calculation is...

The system can get to a "stuck" state if a bad proposal (proposal that can't be executed) is accepted

Handle CertoraInc Vulnerability details LimboDAO.sol updateCurrentProposal modifier and makeProposal function The LimboDAO contract has a variable that indicates the current proposal - every time there can be only one proposal. The only way a proposal can be done and a new proposal can be...

You can grief migrations by sending SCX to the UniswapHelper

Handle camden Vulnerability details Impact The attack here allows the attacker to prevent migrations. The attack here is recoverable because we can just call buyFlanAndBurn f it worked as expected with SCX as the input token to buy Flan with the extra SCX, then run the migration again. Proof of...

You can flip governance decisions without extending vote duration

Handle camden Vulnerability details Impact The impact here is that a user can, right at the end of the voting period, flip the decision without triggering the logic to extend the vote duration. The user doesn't even have to be very sophisticated: they can just send one vote in one transaction to ...

ConvexYieldWrapper Does Not Check If A Vault Is Undercollateralised In _getDepositedBalance

Handle leastwood Vulnerability details Impact The ConvexYieldWrapper.sol contract makes use of a user's total collateral held by all their vaults, however, there is no check to ensure the vault is sufficiently collateralised. Hence, it is possible for a user to claim protocol generated yield on a...

Calling generateFLNQuote twice in every block prevents any migration

Handle camden Vulnerability details Impact and PoC In the Uniswap helper, generateFLNQuote is public, so any user can generate the latest quote. If you call this twice in any block, then the two latest flan quotes will have a blockProduced value of the current block's number. These quotes are use...

Timelock for sNOTE.sol:setCoolDownTime()

Handle Dravee Vulnerability details Impact It is a good practice to give time for users to react and adjust to critical changes. Proof of Concept Here, if the cooldown were to be updated by being raised: a user that was falling outside of it might get right back inside the cooldown period at a...

Upper limit for set CoolDownTime

Handle Jujic Vulnerability details Impact There is no upper limit for coolDownTimeInSeconds. It may be set too large. Proof of Concept function setCoolDownTimeuint32 coolDownTimeInSeconds external onlyOwner coolDownTimeInSeconds = coolDownTimeInSeconds; emit...

DoS of UniswapHelper.sol By Generating FLN Price too Quickly

Handle kirk-baird Vulnerability details Impact There is a denial of service DoS attack on UniswapHelper.sol which will cause the ensurePriceStability modifier to revert whenever it is called by regularly calling generateFLNQuote. By calling generateFLNQuote at intervals of less than...

unwrap() can be called by anybody leading to loss of funds.

Handle GeekyLumberjack Vulnerability details Impact The caller of unwrap would receive all of the unwrapped convex tokens. Potentially depriving the user of all collateral and any rewards. Proof of Concept This portion of the readme describes the process that leads to the vulnerability. To repay ...

Arbitrary call

Handle Tomio Vulnerability details Impact In the https://github.com/code-423n4/2022-01-yield/blob/main/contracts/ConvexModule.solL15 the addVault take 2 parameters as input, convexStakingWrapper, and vaultId, however the convexStakingWrapper is user controllable therefore the user could make an...

Improper Validation Of Chainlink's latestRoundData Function

Handle leastwood Vulnerability details Impact latestRoundData is missing additional validation to ensure that the round is complete and has returned a valid/expected price. This is documented here. Proof of Concept , int256 daiPrice, , , = DAI.latestRoundData; , int256 usdcPrice, , , =...

Attacker can steal part of the rewards if one of the extraRewards is rewarded with Convex Token

Handle WatchPug Vulnerability details Given that ConvexYieldWrapper.solwrap allows anyone to wrap with the contract's balance of convexToken to an arbitrary address. function wrapaddress to, address from external require!isShutdown, "shutdown"; uint256 amount =...

Chainlink oracles might return stale data

Handle hack3r-0m Vulnerability details Location: DAI.latestRoundData returns data from the latest round, but there is no guarantee that the latest round happened frequently, it might be a case where latestRoundData has happened 1 hour or 1 day ago. This can lead to stale data used for calculation...

Miscalculation of rewards due to removal of vaults

Handle hack3r-0m Vulnerability details Location: getDepositedBalance gives balance of account + collateralbalance of all vaults if a malicious party removes the vault of the usersince anyone can add/remove vaults of anyone if they are present in the cauldron before some critical action involving ...

ConvexStakingWrapper does not update rewards state before transferring tokens

Handle kenzo Vulnerability details ConvexStakingWrapper saves data for reward calculation in dedicated variables for each user, such as reward.rewardintegralforaccount. These variables are not updated when transferring wrapped staked tokens. Please note that Convex's original ConvexStakingWrapper...

ConvexYieldWrapper wrap can be front-run

Handle hyh Vulnerability details Impact Now wrap operate with tokens that were sent to the contract before, expecting a user to deal with any front running issues. If a user will not make actual token transfer and wrap atomic, i.e. will not run them from an another contract within one transaction...

latestRoundData data may be stale

Handle sirhashalot Vulnerability details Impact The Chainlink latestRoundData function is used in Cvx3CrvOracle.sol, but it is used without checking whether the data returns from the oracle is stale or not. Chainlink warns about this issue and describes how to check for it: Proof of Concept From...

MINTING to collateralVault could inflating totalsupply, without giving the balance to anyone

Handle Tomio Vulnerability details Impact First of all, this is an address zero issue, however, this could lead to an imbalance between total supply circulating and the actual balance that was assigned to another user, in the...

Cvx3CrvOracle does not check that Chainlink data is fresh.

Handle TomFrenchBlockchain Vulnerability details Impact Usage of stale prices when querying chainlink oracles. Proof of Concept Cvx3CrvOracle queries chainlink oracles for the prices of DAI, USDC and USDT, however it doesn't require that the response is fresh by checking which round the answer wa...

Rewards distribution can be disrupted by a early user

Handle WatchPug Vulnerability details function calcRewardIntegral uint256 index, address2 memory accounts, uint2562 memory balances, uint256 supply, bool isClaim internal RewardType storage reward = rewardsindex; uint256 rewardIntegral = reward.rewardintegral; uint256 rewardRemaining =...

Oracle data feed is insufficiently validated.

Handle throttle Vulnerability details Impact Price can be stale and can lead to wrong quoteAmount return value Proof of Concept Oracle data feed is insufficiently validated. There is no check for stale price and round completeness. Price can be stale and can lead to wrong quoteAmount return value...

Cvx3CrvOracle can report stale prices

Handle hyh Vulnerability details Impact Whenever Chainlink's latestRoundData for any reason returns some not recent, but positive price, it will be used as current price by Cvx3CrvOracle's peek and get despite there will be no confirmation for it. This way an attacker can monitor Chainlink oracle...

ConvexYieldWrapper griefing attack is possible that removes all the vaults from any user

Handle hyh Vulnerability details Impact Griefing attack is possible, an attacker can can remove all vaultIds from an arbitrary account. I.e. anyone can mix up vault configuration for any user. Proof of Concept ConvexYieldWrapper.removeVault doesn't have access controls and allows anyone to manage...

OpenLevV1.closeTrade with V3 DEX doesn't correctly accounts fee on transfer tokens for repayments

Handle hyh Vulnerability details Impact The amount that OpenLevV1 will receive can be less than V3 DEX indicated as a swap result, while it is used as given for position debt repayment accounting. This way actual funds received can be less than accounted, leaving to system funds deficit, which ca...

Malicious Users Can Duplicate Protocol Earned Yield By Transferring wCVX Tokens To Another Account

Handle leastwood Vulnerability details Impact ConvexYieldWrapper.sol is a wrapper contract for staking convex tokens on the user's behalf, allowing them to earn rewards on their deposit. Users will interact with the Ladle.sol contract's batch function which: Approves Ladle to move the tokens...

admin is not set in any function

Handle rfa Vulnerability details Impact all function that need to validate msg.sender == admin cannot be run. BscDexAggregator.sol Proof of Concept BscDexAggregator.sol is the child contract of Adminable.sol. some function in it need to validate that msg.sender is admin. There is no function that...

Cvx3CrvOracle.sol _peek() returns wrong units

Handle sirhashalot Vulnerability details Impact The Cvx3CrvOracle.sol contract claims it "provides current values for Cvx3Crv". When getting the current values, "only cvx3crvid and ethId are accepted as asset identifiers" for the base and quote parameters to the peek and get functions. peek and g...

Chainlink's latestRoundData might return stale results

Handle WatchPug Vulnerability details function peek bytes6 base, bytes6 quote, uint256 baseAmount private view returns uint256 quoteAmount, uint256 updateTime require base == ethId && quote == cvx3CrvId || base == cvx3CrvId && quote == ethId, "Invalid quote or base" ; , int256 daiPrice, , , =...

Cvx3CrvOracle misses sanity checks for Chainlink responses

Handle kenzo Vulnerability details When querying Chainlink for stable prices, Cvx3CrvOracle doesn't run sanity checks against stale or incomplete results. This is unlike Yield's ChainlinkMultiOracle, which does execute those checks. Impact Stale or incorrect results might be returned. Proof of...

Malicious Users Can Transfer Vault Collateral To Other Accounts To Extract Additional Yield From The Protocol

Handle leastwood Vulnerability details Impact ConvexYieldWrapper.sol is a wrapper contract for staking convex tokens on the user's behalf, allowing them to earn rewards on their deposit. Users will interact with the Ladle.sol contract's batch function which: Approves Ladle to move the tokens...

Cooldown and redeem windows can be rendered useless.

Handle ShippooorDAO Vulnerability details Impact Cooldown and redeem windows can be rendered useless. Proof of Concept Given an account that has not staked sNOTE. Account calls sNOTE.startCooldown Account waits for the duration of the cooldown period. Redeem period starts. Account can then deposi...

Oracle might return stale or incorrect results (Cvx3CrvOracle.sol)

Handle ye0lde Vulnerability details Impact Oracle might return stale or incorrect results Cvx3CrvOracle.sol The peek function in the contract Cvx3CrvOracle.sol fetches the daiPrice, usdcPrice, usdtPrice from a Chainlink aggregator using the latestRoundData function. If there is a problem with...

Chainlink oracle query in _validateOrder does not check that response is fresh

Handle TomFrenchBlockchain Vulnerability details Impact Potential for TreasuryManager to use a stale price to calculate the slippage limit, allowing unacceptable slippage relative to if the price feed was current. Proof of Concept EIP1271Wallet queries Chainlink for the most recent price for...

OpenLevV1 runs price update for UniV2Class DEXes only

Handle hyh Vulnerability details Impact If the price currently recorded by the system is outdated, the marginTrade and liquidate functions will use a stale price if being run with V3 dexData, which is what system allows. A malicious user can act on a stale price observation, using trade opening a...

Lack of auth for vaults

Handle 0x1f8b Vulnerability details Impact Anyone can create vaults and remove vaults from anyone. Proof of Concept The contract ConvexYieldWrapper expose two methods: addVault show in his comment Adds a vault to the user's vault list but according to the code it not use the users vault, it use...

Lack of slippage protection on minting sNOTE from underlying assets.

Handle TomFrenchBlockchain Vulnerability details Impact Users minting sNOTE from ETH, WETH or NOTE can receive significantly less sNOTE than they expect. Minting from BPT is unaffected. Proof of Concept sNOTE allows users to deposit NOTE, ETH or WETH as a single-asset deposit into the NOTE-WETH...

Eth sent to Timelock will be locked in current implementation

Handle defsec Vulnerability details Impact Eth sent to Timelock will be locked in current implementation. I came across this problem while playing around with the governance contract. Proof of Concept Setup the governance contracts GovernanceAlpha, Timelock Send eth to timelock contract Setup a...

Chainlink's latestRoundData might return stale or incorrect results

Handle cccz Vulnerability details Impact On Cvx3CrvOracle.sol, we are using latestRoundData, but there is no check if the return value indicates stale data. This could lead to stale prices according to the Chainlink documentation: function peek bytes6 base, bytes6 quote, uint256 baseAmount privat...