
10190 matches found

Code423n4
added 2021/12/15 12:0 a.m., 11 views

In CreditLine#_borrowTokensToLiquidate, oracle is used wrong way

Handle 0x0x0x Vulnerability details Current implementation to get the price is as follows: (uint256 ratioOfPrices, uint256 decimals) = IPriceOracle(priceOracle).getLatestPrice(borrowAsset, collateralAsset); But it should not consult borrowToken / collateralToken, rather it should consult the inverse of...

6.9 AI score
Exploits: 0
Code423n4
added 2021/12/15 12:0 a.m., 11 views

denial of service

Handle certora Vulnerability details if the borrow token is address(0) (ether), and someone calls withdrawLiquidity, it calls SavingsAccountUtil.transferTokens which will transfer to msg.sender, msg.value of withdrawLiquidity, because it's an internal function. In other words, the liquidity provided...

6.9 AI score
Exploits: 0
Code423n4
added 2021/12/15 12:0 a.m., 8 views

Wrong implementation of NoYield.sol#emergencyWithdraw()

Handle WatchPug Vulnerability details function emergencyWithdraw(address asset, address payable wallet) external onlyOwner returns (uint256 received) { require(wallet != address(0), 'cant burn'); uint256 amount = IERC20(asset).balanceOf(address(this)); IERC20(asset).safeTransfer(wallet, received); received = amount;...

6.9 AI score
Exploits: 0
Code423n4
added 2021/12/15 12:0 a.m., 10 views

Collateral can be deposited in a finished pool

Handle pedroais Vulnerability details Proof of Concept The depositCollateral function doesn't check the status of the pool so collateral can be deposited in a finished loan. This can happen by mistake and all funds will be lost. Recommended Mitigation Steps Require loan status to be collection or...

6.9 AI score
Exploits: 0
Code423n4
added 2021/12/15 12:0 a.m., 11 views

Missing approve(0)

Handle sirhashalot Vulnerability details Impact There are 3 instances where the IERC20.approve function is called only once without setting the allowance to zero. Some tokens, like USDT, require first reducing the address' allowance to zero by calling approve(spender, 0). Transactions will revert...

6.9 AI score
Exploits: 0
Code423n4
added 2021/12/15 12:0 a.m., 12 views

It is possible to liquidate not existing account

Handle 0x0x0x Vulnerability details It is possible to liquidate an address for any product when collateral = maintenance = 0. So in other words, if a user has never used a product and deposited collateral, the user can get liquidated blacklisted from the product by anyone, since a liquidated...

6.9 AI score
Exploits: 0
Code423n4
added 2021/12/15 12:0 a.m., 15 views

Anyone can liquidate credit line when autoLiquidation is false without supplying borrow tokens

Handle harleythedog Vulnerability details Impact It is intended that if a credit line has autoLiquidation as false, then only the lender can be the liquidator see docs here: . However, this is not correctly implemented, and anyone can liquidate a position that has autoLiquidation set to false. Ev...

6.9 AI score
Exploits: 0
Code423n4
added 2021/12/15 12:0 a.m., 11 views

Ether can be locked in the PoolFactory contract without a way to retrieve it

Handle broccolirob Vulnerability details If a borrower calls the createPool function with a non-zero value, but also includes an ERC20 token address for collateralToken, then the Ether value sent will be locked in the PoolFactory contract forever. createPool L260-317 In the createPool function, a...

6.9 AI score
Exploits: 0
Code423n4
added 2021/12/15 12:0 a.m., 7 views

Incentivizer rewards are unclear and can be more than allotted?

Handle cmichel Vulnerability details Note that the Incentivizer.create allocates programInfo.amount.sum tokens to be rewarded. It's unclear how the rewards that are actually paid out see Program.unsettled over the duration relate to this value. The ProgramInfo.amountPerShare returns the...

6.8 AI score
Exploits: 0
Code423n4
added 2021/12/15 12:0 a.m., 9 views

NoYield.sol Tokens with fee on transfer are not supported

Handle WatchPug Vulnerability details There are ERC20 tokens that charge fee for every transfer or transferFrom. In the current implementation, NoYield.sollockTokens assumes that the received amount is the same as the transfer amount, and uses it to calculate sharesReceived amounts. As a result, ...

6.8 AI score
Exploits: 0
Code423n4
added 2021/12/15 12:0 a.m., 7 views

Wrong implementation of AaveYield.sol causing users to lose yields

Handle WatchPug Vulnerability details The current implementation of AaveYield.sol is taking AAVE aToken as a share token eg, cToken and yToken. However, AAVE's aTokens are quite different from cToken and yToken as it's always 1:1 to the underlying token, and the holder's balance will keep changin...

6.8 AI score
Exploits: 0
Code423n4
added 2021/12/15 12:0 a.m., 7 views

Wrong returns of SavingsAccountUtil.depositFromSavingsAccount() can cause fund loss

Handle WatchPug Vulnerability details The function SavingsAccountUtil.depositFromSavingsAccount is expected to return the number of equivalent shares for given asset. / @notice internal function used to get amount of collateral deposited to the pool @param fromSavingsAccount if true, collateral i...

6.8 AI score
Exploits: 0
Code423n4
added 2021/12/15 12:0 a.m., 14 views

Extension voting threshold check needs to rerun on each transfer

Handle cmichel Vulnerability details The Extension contract correctly reduces votes from the from address of a transfer and adds it to the to address of the transfer in case both of them voted on it before, but it does not rerun the voting logic in voteOnExtension that actually grants the...

6.8 AI score
Exploits: 0
Code423n4
added 2021/12/15 12:0 a.m., 11 views

Borrow should increase principal by withdrawn amount

Handle cmichel Vulnerability details The CreditLine.borrow function increases the principal by the amount parameter, but the borrower only receives tokenDiffBalance. // @audit increases by amount instead of tokenDiffBalance creditLineVariablesid.principal =...

6.9 AI score
Exploits: 0
Code423n4
added 2021/12/15 12:0 a.m., 9 views

In CreditLine#liquidate, lender doesn't receive _borrowTokens, when it is ETH

Handle 0x0x0x Vulnerability details When borrowAsset == address(0), the liquidator sends ethereum via transaction value msg.value, but borrowTokens amount is not sent to the lender. Therefore, lender loses funds. As seen in: Mitigation step: Add (bool success, ) = lender.call{value: borrowTokens}(''); at...

7.1 AI score
Exploits: 0
Code423n4
added 2021/12/14 12:0 a.m., 11 views

SHOULD CHECK RETURN DATA FROM CHAINLINK AGGREGATORS

Handle defsec Vulnerability details Impact The sync function in the contract ChainlinkOracle.sol fetches the asset price from a Chainlink aggregator using the latestRoundData function. However, there are no checks on roundID, resulting in stale prices. The oracle wrapper calls out to a chainlink...

6.5 AI score
Exploits: 0
Code423n4
added 2021/12/14 12:0 a.m., 11 views

Chainlink's latestRoundData might return stale or incorrect results

Handle WatchPug Vulnerability details function sync public , int256 feedPrice, , uint256 timestamp, = feed.latestRoundData; Fixed18 price = Fixed18Lib.ratiofeedPrice, SafeCast.toInt256decimalOffset; if priceAtVersion.length == 0 || timestamp timestampAtVersioncurrentVersion + minDelay...

6.9 AI score
Exploits: 0
Code423n4
added 2021/12/14 12:0 a.m., 12 views

SavingsAccount withdrawAll and switchStrategy can freeze user funds by ignoring possible strategy liquidity issues

Handle hyh Vulnerability details Impact Full withdrawal and moving funds between strategies can lead to wrong accounting if the corresponding market has tight liquidity, which can be the case at least for AaveYield. That is, as the whole amount is required to be moved at once from Aave, both...

6.8 AI score
Exploits: 0
Code423n4
added 2021/12/14 12:0 a.m., 9 views

CreditLine.liquidate doesn't transfer borrowed ETH to a lender

Handle hyh Vulnerability details Impact Funds that are acquired from a liquidator and should be sent to a lender are left with the contract instead. The funds aren't lost, but after the fact mitigation will require manual accounting and fund transfer for each CreditLine.liquidate usage. Proof of...

6.9 AI score
Exploits: 0
Code423n4
added 2021/12/14 12:0 a.m., 10 views

Approved by zero first

Handle Jujic Vulnerability details Some tokens like USDT do not work when changing the allowance from an existing non-zero allowance value. They must first be approved by zero and then the actual allowance must be approved. Impact When using one of these unsupported tokens, all transactions rever...

6.9 AI score
Exploits: 0
Code423n4
added 2021/12/14 12:0 a.m., 6 views

outputBasket address not checked in EthSingleTokenJoin.sol

Handle jayjonah8 Vulnerability details Impact In the joinToKenEth function in EthSingleTokenJoin.sol, the outputBasket within the passed in data is not checked and could be an attacker controlled address returning any thing it wants in fake versions of calcTokensForAmount and joinPool functions...

7 AI score
Exploits: 0
Code423n4
added 2021/12/14 12:0 a.m., 8 views

In SingleTokenJoinV2.sol, a user can provide malicious input

Handle jayjonah8 Vulnerability details Impact In SingleTokenJoinV2.sol, a user can provide malicious input to the joinTokenSingle function providing an attacker controlled inputToken and an attacker controlled outputBasket. This fake outputBasket can return anything it wants from a fake joinPool...

7 AI score
Exploits: 0
Code423n4
added 2021/12/14 12:0 a.m., 9 views

transfer return value is ignored

Handle robee Vulnerability details Need to use safeTransfer instead of transfer. As there are popular tokens, such as USDT, whose transfer/transferFrom method doesn't return anything. The transfer return value has to be checked as there are some other tokens that return false instead of reverting, that...

6.9 AI score
Exploits: 0
Code423n4
added 2021/12/14 12:0 a.m., 6 views

JoinTokenSingle() function does not validate against evil struct inputs

Handle jayjonah8 Vulnerability details Impact In SingleTokenJoin.sol, the joinTokenSingle function allows a user to add any token address as an inputToken and any address as the outputBasket address without validating the struct data to guard against malicious input Proof of Concept An attacker...

6.9 AI score
Exploits: 0
Code423n4
added 2021/12/14 12:0 a.m., 8 views

no protection from sandwich attacks

Handle certora Vulnerability details the function joinTokenSingle has no protection from slippage and sandwich attacks. the balance after the swaps is not checked to have a minimum and the min amount in the swaps is set to zero: Impact malicious actors can front-run joinTokenSingle and perform a...

6.9 AI score
Exploits: 0
Code423n4
added 2021/12/14 12:0 a.m., 8 views

Function sync in ChainlinkOracle.sol does not check the price returned from chainlink aggregators

Handle ye0lde Vulnerability details Impact The sync function in the contract ChainlinkOracle.sol fetches the feedPrice from a Chainlink aggregator using the latestRoundData function. There are checks on the timeStamp versus previous versions of the feed protecting against stale prices. But there is...

6.9 AI score
Exploits: 0
Code423n4
added 2021/12/13 12:0 a.m., 4 views

Incorrect maintenance invariant check

Handle kenzo Vulnerability details In Collateral, maintenanceInvariant is used to check whether after withdrawal the user will have enough funds to cover the maintenance for his current position and for his next position. However, the modifier is wrongly checking this via a max function: if...

6.8 AI score
Exploits: 0
Code423n4
added 2021/12/13 12:0 a.m., 3 views

setLock() function has no validation on the _lock number

Handle jayjonah8 Vulnerability details Impact In BasketFacet.sol, the setLock function allows the privileged caller to change the lockBlock number in storage without validating the lock arg number passed into it. This number is extremely important since if getLock returns true, it means the pool ...

6.9 AI score
Exploits: 0
Code423n4
added 2021/12/13 12:0 a.m., 13 views

PriceOracle Does Not Filter Price Feed Outliers

Handle leastwood Vulnerability details Impact If for whatever reason the Chainlink oracle returns a malformed price due to oracle manipulation or a malfunctioned price, the result will be passed onto users, causing unintended consequences as a result. In the same time it's possible to construct...

7 AI score
Exploits: 0
Code423n4
added 2021/12/13 12:0 a.m., 10 views

Unlinked address can link immediately again

Handle gpersoon Vulnerability details Impact After a master calls unlinkAddress to unlink an address, the address that has just been unlinked can directly link again without permission. The address that is just unlinked can call linkAddressmasterAddress which will execute because...

7 AI score
Exploits: 0
Code423n4
added 2021/12/13 12:0 a.m., 9 views

Unable To Call emergencyWithdraw ETH in NoYield Contract

Handle leastwood Vulnerability details Impact The emergencyWithdraw function is implemented in all yield sources to allow the onlyOwner role to drain the contract's balance in case of emergency. The contract considers ETH as a zero address asset. However, there is a call made on asset which will...

7 AI score
Exploits: 0
Code423n4
added 2021/12/13 12:0 a.m., 9 views

Wrong shortfall calculation

Handle kenzo Vulnerability details Every time an account is settled, if shortfall is created, due to a wrong calculation shortfall will double in size and add the new shortfall. Impact Loss of funds: users won't be able to withdraw the correct amount of funds. Somebody would have to donate funds ...

6.7 AI score
Exploits: 0
Code423n4
added 2021/12/12 12:0 a.m., 7 views

TwabRewards: cancelPromotion() can revert if a promotion tokens applies fee on transfer

Handle GiveMeTestEther Vulnerability details Impact If the promotion token applies transfer fees, the total amount the contract holds will be less than "tokensPerEpoch numberOfEpochs" bcs a part of this amount is the fee = funds + fee, but only the "funds" can be withdrawn. If after each epoch al...

7 AI score
Exploits: 0
Code423n4
added 2021/12/12 12:0 a.m., 9 views

A malicious ticket can drain the tokens

Handle pauliax Vulnerability details Impact Anyone can createPromotion with any arbitrary ticket supposed it follows the proposed interface. Thus, it is possible to create a promotion with a malicious ticket that returns arbitrary values for getAverageBalanceBetween and...

7 AI score
Exploits: 0
Code423n4
added 2021/12/12 12:0 a.m., 13 views

cancelPromotion() Unable to cancel unstarted promotions

Handle WatchPug Vulnerability details For unstarted promotions, cancelPromotion will revert at block.timestamp - promotion.startTimestamp in getCurrentEpochId. Call stack: cancelPromotion - getRemainingRewards - getCurrentEpochId. function getRemainingRewardsPromotion memory promotion internal vi...

7 AI score
Exploits: 0
Code423n4
added 2021/12/12 12:0 a.m., 10 views

unsafe cast can lead to theft

Handle certora Vulnerability details claimRewards gets epochs ids as uint256. However, it should be uint8. If a user provides an epoch Id that's larger than 256, isClaimedEpoch will return false: function isClaimedEpoch(uint256 userClaimedEpochs, uint256 epochId) internal pure returns (bool) { return...

6.9 AI score
Exploits: 0
Code423n4
added 2021/12/12 12:0 a.m., 7 views

getRemainingRewards() Malfunction for unstarted promotions

Handle WatchPug Vulnerability details For unstarted promotions, cancelPromotion will revert at block.timestamp - promotion.startTimestamp in getCurrentEpochId. Call stack: getRemainingRewards - getRemainingRewards - getCurrentEpochId. function getCurrentEpochIdPromotion memory promotion internal...

7 AI score
Exploits: 0
Code423n4
added 2021/12/12 12:0 a.m., 8 views

Support of deflationary / rebasing tokens

Handle pauliax Vulnerability details Impact Deflationary fee on transfer / rebasing tokens are not supported. Because anyone can createPromotion with an arbitrary token, such tokens may be lost forever. Recommended Mitigation Steps Consider checking the actual amounts transferred balance...

7 AI score
Exploits: 0
Code423n4
added 2021/12/12 12:0 a.m., 12 views

Possibility to drain TwabRewards smart contract tokens

Handle kemmio Vulnerability details Impact Possibility to drain all smart contract assets abusing rogue ticket contract Proof of Concept The vulnerability arises because of inconsistent check of requireTicket in createPromotion requireTicket(ticket); function requireTicket(address ticket) internal vi...

6.9 AI score
Exploits: 0
Code423n4
added 2021/12/12 12:0 a.m., 13 views

claimRewards Does Not Prevent Users From Claiming Rewards After A Promotion's End Epoch

Handle leastwood Vulnerability details Impact claimRewards allows a user to collect their TWAB calculated rewards for a provided set of epochIds. The contract utilises a claimedEpochs mapping which tracks claimed rewards per user. Each claimed epoch is represented by a single bit within a uint256...

6.9 AI score
Exploits: 0
Code423n4
added 2021/12/12 12:0 a.m., 13 views

Possibility to drain TwabRewards smart contract tokens (even with valid ticket)

Handle kemmio Vulnerability details Impact Possibility to drain all smart contract assets abusing uint256 overflow in updateClaimedEpoch Proof of Concept The vulnerability arises because of uint256 overflow in updateClaimedEpoch return userClaimedEpochs | uint2561 The attacker needs to have in...

7.1 AI score
Exploits: 0
Code423n4
added 2021/12/12 12:0 a.m., 16 views

Drain the award pool by feeding outrange epoch into function claimRewards

Handle 0xabc Vulnerability details Impact in function claimRewards, there is no checking on value in epochIds. Exploiter can claim more than the promotion award by calling the function with outrange epochs. Proof of Concept Consider a promotion with promitionid X and numberOfEpochs =Y. Exploiter...

6.7 AI score
Exploits: 0
Code423n4
added 2021/12/12 12:0 a.m., 16 views

Allowing more than 256 epochs leads to loss of funds

Handle cmichel Vulnerability details The TwabRewards contract has an implicit restriction of 256 epochs per promotion as it uses a bitmask in a uint256 to mark claimed epochs 0-255, see isClaimedEpoch. "/// @dev We pack epochs claimed by a user into a uint256. So we can't store more than 255...

6.9 AI score
Exploits: 0
Code423n4
added 2021/12/12 12:0 a.m., 10 views

createPromotion() Lack of input validation for _epochDuration can potentially freeze promotion creator's funds

Handle WatchPug Vulnerability details function createPromotion(address ticket, IERC20 token, uint216 tokensPerEpoch, uint32 startTimestamp, uint32 epochDuration, uint8 numberOfEpochs) external override returns (uint256) { requireTicket(ticket); uint256 nextPromotionId = latestPromotionId + 1;...

6.8 AI score
Exploits: 0
Code423n4
added 2021/12/12 12:0 a.m., 13 views

Attacker can empty all the funds by creating fake promotions

Handle WatchPug Vulnerability details The current implementation of calculateRewardAmount allows an arbitrary epochId, which can even be an epochId > numberOfEpochs. A malicious user can call claimRewards with epochIds larger than numberOfEpochs and claim other users' rewards. Furthermore, since...

6.9 AI score
Exploits: 0
Code423n4
added 2021/12/12 12:0 a.m., 4 views

Suggestion : To add explicit check for no of epochs to be 255 in createPromotion and extendPromotion

Handle 0x421f Vulnerability details So we are using uint256 to store 1/0 if that epoch is being claimed or not uint2561 is our base, so 255 is max limit we have now if someone creates a promotion with 255 epochs in epochs 255 , it will revert with "TypeError : Invalid Rational Number" Copied from...

6.8 AI score
Exploits: 0
Code423n4
added 2021/12/12 12:0 a.m., 12 views

Malicious Promotion Creators Can Drain Token Balances

Handle leastwood Vulnerability details Impact The createPromotion allows any user to create and fund promotions for a specific number of epochs. Ticket holders are entitled to a percentage of the rewards based on their TWAB. createPromotion references a ticket address which can be controlled by t...

6.9 AI score
Exploits: 0
Code423n4
added 2021/12/12 12:0 a.m., 11 views

Can drain any promotion rewards with a evil ticket

Handle gzeon Vulnerability details Impact TwabRewards check legitimacy of ticket by checking if the ticket have a controller method. function requireTicket(address ticket) internal view { require(ticket != address(0), "TwabRewards/ticket-not-zero-address"); (bool succeeded, bytes memory data) =...

6.8 AI score
Exploits: 0
Code423n4
added 2021/12/12 12:0 a.m., 11 views

Unsafe uint64 casting may overflow

Handle sirhashalot Vulnerability details Impact The calculateRewardAmount function casts epoch timestamps from uint256 to uint64 and these may overflow. The epochStartTimestamp value is a function of the user-supplied epochId value, which could be extremely large up to 2^255 – 1. While Solidity...

7.1 AI score
Exploits: 0
Code423n4
added 2021/12/12 12:0 a.m., 9 views

Dust Token Balances Cannot Be Claimed By An admin Account

Handle leastwood Vulnerability details Impact Users who have a small claim on rewards for various promotions, may not feasibly be able to claim these rewards as gas costs could outweigh the sum they receive in return. Hence, it is likely that a dust balance accrues overtime for tokens allocated f...

7 AI score
Exploits: 0
Total number of security vulnerabilities: 10190