Lucene search
K
Code423n4Recent

10190 matches found

Code423n4
Code423n4
added 2021/12/19 12:0 a.m.5 views

Lacking slippage protection in RebalanceManagerV3

Handle p4st13r4 Vulnerability details Impact In RebalanceManagerV3 calls to UniswapV2-like router is lacking slippage protection exposing the rebalance process to front-running attacks. Proof of Concept Tools Used Editor Recommended Mitigation Steps Consider adding a minOutput to...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2021/12/19 12:0 a.m.14 views

SingleTokenJoinV2 doesn't take input deadline to consideration

Handle kenzo Vulnerability details SingleNativeTokenExitV2 takes as input from the user a deadline for the trades. However, it does not use this input for the actual trade but sets the deadline to be block.timestamp. Impact Trades will not work as expected. User might set a deadline for the trade...

6.7AI score
Exploits0
Code423n4
Code423n4
added 2021/12/19 12:0 a.m.8 views

Attacker can break joinTokenSingle() by transferring basketToken to the contract

Handle WatchPug Vulnerability details uint256 outputAmount = outputToken.balanceOfaddressthis; require outputAmount == joinTokenStruct.outputAmount, "FAILEDOUTPUTAMOUNT" ; In the current implementation, joinTokenSingle requires balanceOf outputToken strictly equal to outputAmount in calldata...

6.8AI score
Exploits0
Code423n4
Code423n4
added 2021/12/19 12:0 a.m.9 views

Unsafe token transfer

Handle WatchPug Vulnerability details Calling ERC20.transfer without handling the returned value is unsafe. outputToken.transfermsg.sender, outputTokenBalance; Recommendation Consider using OpenZeppelin's SafeERC20 library with safe versions of transfer functions. --- The text was updated...

7AI score
Exploits0
Code423n4
Code423n4
added 2021/12/19 12:0 a.m.14 views

It might not be possible to withdraw tokens from the basket

Handle Czar102 Vulnerability details Impact When enough basket token owners exit, it will be impossible to exit pool with the last MINAMOUNT tokens because of this check. This will result in locking some tokens forever. Recommended Mitigation Steps Consider resigning from this check or performing...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2021/12/19 12:0 a.m.9 views

SingleNativeTokenExitV2 only returns single output token

Handle cmichel Vulnerability details The SingleNativeTokenExitV2.exit function performs a list of arbitrary user-defined swaps on the exited token basket. These could result in many different final "output" tokens ending up in the contract after the swaps. However, the contract assumes that there...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2021/12/19 12:0 a.m.7 views

BasketFacet.sol#joinPool() feeAmount should be considered when checking MAX_POOL_CAP_REACHED

Handle WatchPug Vulnerability details require totalSupply.addamount = this.getCap, "MAXPOOLCAPREACHED" ; uint256 feeAmount = amount.mulbs.entryFee.div1018; feeAmount should be considered. Otherwise, the new totalSupply may surpass pool cap. --- The text was updated successfully, but these errors...

7AI score
Exploits0
Code423n4
Code423n4
added 2021/12/19 12:0 a.m.12 views

Basket's max cap can be surpassed due to beneficiary entry fee

Handle kenzo Vulnerability details When joining a basket, the function verifies that the total supply + tokens the user asks to mint is smaller than the basket's max supply. However, this doesn't take into account the fact that additional tokens will be minted if there's an entry fee beneficiary...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2021/12/19 12:0 a.m.7 views

Owner can lock any of basket tokens

Handle Czar102 Vulnerability details Impact Owner can remove any tokens, and since lock all funds that the contract has in a specific token. The owner may engineer the deletion in such way that afraid people will fear next locks and quit the basket, then the owner may add the token back, gaining...

6.8AI score
Exploits0
Code423n4
Code423n4
added 2021/12/19 12:0 a.m.11 views

Annualized fee APY dependence on the frequency of executing a function

Handle Czar102 Vulnerability details Impact The APY of the annualized fee is dependent on the frequency of the execution of the BasketFacet::chargeOutstandingAnnualizedFee. If it is called more frequently, the compounding is more frequent and the APY is higher. For less used baskets, the APY migh...

7.1AI score
Exploits0
Code423n4
Code423n4
added 2021/12/19 12:0 a.m.10 views

wrong withdraw

Handle certora Vulnerability details the comment says that the function should byrn user shares, but it also mints them. in addition, that function transfers tokens from msg.sender to addressthis, but it should be upside down. --- The text was updated successfully, but these errors were...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2021/12/19 12:0 a.m.14 views

denial of service

Handle certora Vulnerability details the balance of outputToken is checked to be exactly joinTokenStruct.outputAmount. It is not recommeded and it's better to use = Impact The worst scenario is a denial of service in case there is already an amount of the output token in the contract. It is easil...

6.5AI score
Exploits0
Code423n4
Code423n4
added 2021/12/19 12:0 a.m.7 views

Unused ERC20 tokens are not refunded, and can be stolen by attacker

Handle WatchPug Vulnerability details Under certain circumstances, e.g. annualizedFee being minted to feeBeneficiary between the time user sent the transaction and the transaction being packed into the block and causing amounts of underlying tokens for each basketToken to decrease. It's possible ...

6.7AI score
Exploits0
Code423n4
Code423n4
added 2021/12/19 12:0 a.m.10 views

Unchecked ERC20 transfer call

Handle p4st13r4 Vulnerability details Impact Standard ERC20 tokens return a boolean when transfer method is called. A check should be done to account for ERC20 tokens that are not compliant to the standard. Proof of Concept Relevant lines: 3 Tools Used Editor Recommended Mitigation Steps Check...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2021/12/19 12:0 a.m.6 views

ERC20 return values not checked

Handle cmichel Vulnerability details The ERC20.transfer and ERC20.transferFrom functions return a boolean value indicating success. This parameter needs to be checked for success. Some tokens do not revert if the transfer failed but return false instead. See: SingleNativeTokenExitV2.exit's...

6.8AI score
Exploits0
Code423n4
Code423n4
added 2021/12/19 12:0 a.m.5 views

totalSupply may exceed LibBasketStorage.basketStorage().maxCap

Handle Czar102 Vulnerability details Impact Total supply of the token may exceed the maxCap introduced. This can happen when a user wants to join the pool. The check in BasketFacet::joinPool... includes only the base amount, without fee. Thus, if fee is on and someone will want to create as many...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2021/12/19 12:0 a.m.9 views

Lock time is dependent on the average block time

Handle Czar102 Vulnerability details Impact Function BasketFacet::getLock... checks the lock based on the block number, so the time of the lock is dependent on average block time. Average block time doesn't have to be maintained by the protocol and is a subject to changes. Furthermore, the...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2021/12/19 12:0 a.m.11 views

xToken Approvals Allow Spenders To Spend More Tokens

Handle leastwood Vulnerability details Impact The approve function has not been overridden and therefore uses xToken shares instead of the equivalent rebalanced amount, i.e. the underlying vault token amount. Proof of Concept The approved spender may spend more tokens than desired. In fact, the...

7AI score
Exploits0
Code423n4
Code423n4
added 2021/12/19 12:0 a.m.8 views

callFacet is based on unprotected calls

Handle 0x0x0x Vulnerability details callFacet is based on unprotected calls and user funds can get stolen using them. This is unsafe for users and at least this risk has to be better documented. --- The text was updated successfully, but these errors were encountered: All reactions...

7AI score
Exploits0
Code423n4
Code423n4
added 2021/12/19 12:0 a.m.11 views

Dishonest Stakers Can Siphon Rewards From xToken Holders Through The deposit Function In NFTXInventoryStaking

Handle leastwood Vulnerability details Impact xTokens is intended to be a representation of staked vault tokens. As the protocol's vaults accrue fees from users, these fees are intended to be distributed to users in an inconsistent fashion. NFTXInventoryStaking is one of the ways users can stake...

6.8AI score
Exploits0
Code423n4
Code423n4
added 2021/12/19 12:0 a.m.9 views

Owner of the BasketFacet can cause DoS for exitPool(...) function

Handle Czar102 Vulnerability details Impact Provided an owner can add any tokens to the basket, it may add a token, for which the owner can burn tokens from any account. Then, after adding the token to the basket, the owner may burn tokens so that token.balanceofBasketFacet will be below MINAMOUN...

6.8AI score
Exploits0
Code423n4
Code423n4
added 2021/12/18 12:0 a.m.10 views

_mint721() function can be broken because of strict equality check on token balance

Handle jayjonah8 Vulnerability details Impact In NFTXMarketplaceZap.sol the mint721 function has a require check that the balance must be equal to the amount of vault tokens in the contract. uint256 balance = count BASE - count INFTXVaultvault.mintFee; requirebalance ==...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2021/12/18 12:0 a.m.6 views

SHOULD CHECK RETURN DATA FROM CHAINLINK AGGREGATORS

Handle defsec Vulnerability details Impact The latestRoundData function in the contract PriceFeed.sol fetches the asset price from a Chainlink aggregator using the latestRoundData function. However, there are no checks on roundID. Stale prices could put funds at risk. According to Chainlink's...

6.6AI score
Exploits0
Code423n4
Code423n4
added 2021/12/18 12:0 a.m.11 views

NFTXMarketplaceZap Performs A Dangerous Equality Check Which Can Brick Contract

Handle leastwood Vulnerability details Impact NFTXMarketplaceZap provides an interface for users to interact with NFTX vaults by buying, selling and swapping ERC1155/ERC721 tokens. The mint721 and mint1155 functions perform strict equality checks on the vaults token balance for the...

7AI score
Exploits0
Code423n4
Code423n4
added 2021/12/18 12:0 a.m.12 views

NFTXStakingZap Performs A Dangerous Equality Check Which Can Brick Contract

Handle leastwood Vulnerability details Impact NFTXStakingZap provides an interface for users to interact with NFTX vaults by adding ERC1155/ERC721 tokens as liquidity. The addLiquidity721WETH and addLiquidity1155WETH functions perform strict equality checks on the vaults balance for the...

7AI score
Exploits0
Code423n4
Code423n4
added 2021/12/18 12:0 a.m.11 views

No access control on assignFees() function in NFTXVaultFactoryUpgradeable contract

Handle ych18 Vulnerability details In If the Vault owner decides to set factoryMintFee and factoryRandomRedeemFee to zero, any user could call the function NFTXVaultFactoryUpgradeable.assignFees and hence all the fees are updated. --- The text was updated successfully, but these errors were...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2021/12/17 12:0 a.m.8 views

User funds could be stuck

Handle csanuragjain Vulnerability details Impact Although chances are rare but user can be denied to exit pool Proof of Concept 1. If user decides to exit pool and any one token has MINAMOUNT then transaction will revert and user wont be able exit until that token has sufficient balance. This mea...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2021/12/17 12:0 a.m.8 views

sendAllocatedYETI() can be called by anyone

Handle jayjonah8 Vulnerability details Impact In TeamAllocation.sol, the sendAllocatedYETI function simply distributes YETI to the team. This is a transfer of value and it currently can be called by anyone as the onlyTeam modifier is not used here. Proof of Concept Tools Used Manual code review...

7.1AI score
Exploits0
Code423n4
Code423n4
added 2021/12/17 12:0 a.m.5 views

receiveCollateral() can be called by anyone

Handle jayjonah8 Vulnerability details Impact In StabilityPool.sol, the receiveCollateral function should be called by ActivePool per comments, but anyone can call it passing in tokens and amounts args to update stability pool balances. Proof of Concept Tools Used Manual code review Recommended...

7.1AI score
Exploits0
Code423n4
Code423n4
added 2021/12/17 12:0 a.m.6 views

User can lose Funds

Handle csanuragjain Vulnerability details Impact User funds lost Proof of Concept 1. Navigate to contract at 2. User joins a pool having 5 tokens in the basket by using joinPool function 3. Owner decides to remove 1 of the token from the basket 4. User exits the pool by calling exitPool function...

6.7AI score
Exploits0
Code423n4
Code423n4
added 2021/12/17 12:0 a.m.8 views

Contract can lose funds

Handle csanuragjain Vulnerability details Impact Fund loss Proof of Concept 1. Navigate to contract at 2. Assume owner created a Basket with 1 token A which is 0.1 USD 3. User joins the pool using joinPool function 4. Owner removes the token so that basket becomes empty and adds another token B...

6.8AI score
Exploits0
Code423n4
Code423n4
added 2021/12/17 12:0 a.m.10 views

Token mint without transfer

Handle csanuragjain Vulnerability details Impact User will be minted token without transferring any amount Proof of Concept 1. Owner has removed all tokens from the basket using removeToken function. So bs.tokens.length=0 2. User joins the pool using joinPool function. Now below happens: a. Since...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2021/12/16 12:0 a.m.11 views

No checks in setAddresses() functions

Handle jayjonah8 Vulnerability details Impact Since the setAddresses functions can only be called once during deployment and passes in many addresses which are set in storage, its important to have safety checks ensuring that there are no duplicate addresses which can easily happen while passing...

7.2AI score
Exploits0
Code423n4
Code423n4
added 2021/12/16 12:0 a.m.13 views

buyAndSwap1155WETH() function may cause loss of user assets

Handle cccz Vulnerability details Impact In the NFTXMarketplaceZap.sol contract, the buyAndSwap1155WETH function uses the WETH provided by the user to exchange VaultToken, but when executing the buyVaultToken method, msg.value is used instead of maxWethIn. Since msg.value is 0, the call will fail...

7.2AI score
Exploits0
Code423n4
Code423n4
added 2021/12/16 12:0 a.m.9 views

buyAndSwap1155WETH() function does not work

Handle cccz Vulnerability details Impact The buyAndSwap1155WETH function uses the WETH provided by the user to exchange VaultToken, but when executing the buyVaultToken method, msg.value is used instead of maxWethIn. Since msg.value is 0, the call will fail. function buyAndSwap1155WETH uint256...

7AI score
Exploits0
Code423n4
Code423n4
added 2021/12/16 12:0 a.m.10 views

Users Can Siphon AaveYield Rewards By Depositing And Withdrawing Collateral

Handle leastwood Vulnerability details Impact The AaveYield contract provides users with the option to choose Aave as their strategy of choice to generate yield. Users will make deposits to this strategy via the SavingsAccount contract. Upon deposit, shares are minted at a 1:1 exchange rate and t...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2021/12/16 12:0 a.m.6 views

No use of reentrency guards

Handle jayjonah8 Vulnerability details Impact The README.md makes the point that reentrancy attacks are a cause for concern, but the protocol makes no use of reentrancy guards in any file or in the functions users interact with. Proof of Concept The are no Reentrancy guards in the entire code bas...

7AI score
Exploits0
Code423n4
Code423n4
added 2021/12/16 12:0 a.m.7 views

_safeJoeTransfer doesn't refund users JOE incase of rounding error

Handle jayjonah8 Vulnerability details Impact In WJLP.sol a user can call the claimReward function to claim the JOE rewards they are owed. This eventually calls the safeJoeTransfer function which will check if the amount to send is greater than the joeBal of the contract. If the amount is greater...

7AI score
Exploits0
Code423n4
Code423n4
added 2021/12/16 12:0 a.m.8 views

_from and _to can be the same address on wrap() function

Handle jayjonah8 Vulnerability details Impact In WJLP.sol, the wrap function pulls in amount base tokens from from, then stakes them to mint WAssets which it sends to to. It then updates rewardOwner's reward tracking such that it now has the right to future yields from the newly minted WAssets. B...

7.1AI score
Exploits0
Code423n4
Code423n4
added 2021/12/16 12:0 a.m.10 views

Constructor does not ensure that addresses are not the same

Handle jayjonah8 Vulnerability details Impact In WJLP.sol, 3 addresses are passed in setting the MasterChefJoe, JLP, and JOE addresses in storage. There are no checks ensuring that these addresses are different from one another. This means that during deployment, a mistake can easily be made of...

7AI score
Exploits0
Code423n4
Code423n4
added 2021/12/15 12:0 a.m.18 views

Aave's share tokens are rebasing breaking current strategy code

Handle cmichel Vulnerability details When depositing into Aave through the AaveYield.lockTokens contract strategy, one receives the sharesReceived amount corresponding to the diff of aToken balance, which is just always the deposited amount as aave is a rebasing token and 1.0 aToken = 1.0...

6.8AI score
Exploits0
Code423n4
Code423n4
added 2021/12/15 12:0 a.m.9 views

ChainLink price data could be stale

Handle cmichel Vulnerability details There is no check in ChainlinkOracle.sync if the oracle return values indicate stale data. This could lead to stale prices according to the Chainlink documentation: under current notifications: "if answeredInRound roundId could indicate stale data." under...

6.8AI score
Exploits0
Code423n4
Code423n4
added 2021/12/15 12:0 a.m.14 views

No checks if given product is created by the factory

Handle 0x0x0x Vulnerability details An attacker can create a fake product. Collateral contract does not check whether the given product is created by the factory. A malicious product can return arbitrary maintenance amounts, therefore they can make any deposit to fake product stuck simply return...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2021/12/15 12:0 a.m.10 views

Incorrect safeApprove usage

Handle Jujic Vulnerability details Impact safeApprove won't work when current allowance 0, there may be cases when strategies will not use all allowance, so switch to new strategy will be blocked. Proof of Concept Tools Used Recommended Mitigation Steps I recommend approving to zero and then...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2021/12/15 12:0 a.m.12 views

No slippage tolerance checks during swap functions opens up flashloan attacks and price manipulation

Handle jayjonah8 Vulnerability details Impact With functions like joinTokenSingle in SingleTokenJoin.sol that handle swapping with uniswapV2 like exchanges there are no slippage tolerance checks in place to prevent flashloan attacks and price manipulation. Proof of Concept Tools Used Manual code...

7AI score
Exploits0
Code423n4
Code423n4
added 2021/12/15 12:0 a.m.8 views

withdrawTo Does Not Sync Before Checking A Position's Margin Requirements

Handle leastwood Vulnerability details Impact The maintenanceInvariant modifier in Collateral aims to check if a user meets the margin requirements to withdraw collateral by checking its current and next maintenance. maintenanceInvariant inevitably calls AccountPosition.maintenance which uses the...

7AI score
Exploits0
Code423n4
Code423n4
added 2021/12/15 12:0 a.m.10 views

Missing payable

Handle robee Vulnerability details The following functions are not payable but uses msg.value - therefore the function must be payable. This can lead to undesired behavior. CreditLine.sol, depositCollateral is payable but doesn't use msg.value CreditLine.sol, repay is payable but doesn't use...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2021/12/15 12:0 a.m.8 views

Failed transfer with low level call could be overlooked

Handle harleythedog Vulnerability details Impact There are several places where low level call is used within the contract. In particular, in SavingsAccount.sol, the external withdraw function has the to argument, which is eventually used in this code in transfer: bool success, = to.callvalue:...

7.1AI score
Exploits0
Code423n4
Code423n4
added 2021/12/15 12:0 a.m.12 views

Yearn token <> shares conversion decimal issue

Handle cmichel Vulnerability details The yearn strategy YearnYield converts shares to tokens by doing pricePerFullShare shares / 1e18: function getTokensForSharesuint256 shares, address asset public view override returns uint256 amount if shares == 0 return 0; // @audit should divided by...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2021/12/15 12:0 a.m.8 views

DoS when depositing collateral

Handle cmichel Vulnerability details The Pool.depositCollateral and Pool.addCollateralInMarginCall functions require the caller to have a pool token balance of zero. function depositCollateraluint256 amount, bool transferFromSavingsAccount external payable override requireamount != 0, 'DC1'; //...

6.8AI score
Exploits0
Total number of security vulnerabilities10190