Lucene search
K
Code423n4Recent

10190 matches found

Code423n4
Code423n4
•added 2021/12/12 12:0 a.m.•8 views

TwabRewards: fee on transfer token as promotion token can make claimRewards() fail

Handle GiveMeTestEther Vulnerability details Impact If the rewards creator sets a token that applies transfer fees for the promotion token, users won't be able to claim some of their rewards because the claimRewards uses calculateRewardAmount that assumes for each epoch there are...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/12 12:0 a.m.•12 views

If a promoter cancels a promotion, unclaimed rewards of ticket holders are lost

Handle hubble Vulnerability details Impact Loss of rewards for the ticket holders who have not yet claimed the rewards accrued until the previous epocs, if the promoter cancels the promotion after any epoch. Proof of Concept contract : TwabRewards function : cancelPromotion line 132 delete...

6.9AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/12 12:0 a.m.•8 views

Rewards not worth to claim will accumulate in the contract

Handle 0x0x0x Vulnerability details Let's say there is a Ticket called A. Ticket A has many users and assume there are some whales and they control most of the supplies. In this case most users rewards can be less than gas cost to claim rewards. Therefore, users with rewards less than gas cost...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/12 12:0 a.m.•8 views

TwabRewards: fee on transfer token as promotion token will block at least one epoch reward claim

Handle GiveMeTestEther Vulnerability details Impact If the promotion token applies transfer fees, the total amount to claim will be less than "tokensPerEpoch numberOfEpochs" bcs a part of this amount is the fee = funds + fee, but only the "funds" can be withdrawn but the calculation in...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/12 12:0 a.m.•10 views

TwabRewards: fee on transfer token as promotion token can make claimRewards() & cancelPromotion() fail

Handle GiveMeTestEther Vulnerability details Vulnerability details Impact If the rewards creator sets a token that applies transfer fees for the promotion token, users won't be able to claim some of their rewards because the claimRewards uses calculateRewardAmount that assumes for each epoch ther...

6.7AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/12 12:0 a.m.•15 views

cancelPromotion will revert if the promotion is not started yet

Handle certora Vulnerability details cancelPromotion might fail unexpectedly. cancelPromotion calls getRemainingRewards which calls getCurrentEpochId: function getCurrentEpochIdPromotion memory promotion internal view returns uint256 // elapsedTimestamp / epochDurationTimestamp return...

6.9AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/12 12:0 a.m.•12 views

Missing Check When Transferring Tokens Out For A Given Promotion

Handle leastwood Vulnerability details Impact The claimRewards function is called upon by ticket holders who parse a set of epochIds they wish to claim rewards on. An internal call is made to calculateRewardAmount to calculate the correct reward amount owed to the user. Subsequently, the...

7AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/12 12:0 a.m.•6 views

After a promotion is cancelled, not claimed rewards are stuck

Handle 0x0x0x Vulnerability details After a promotion is cancelled using cancelPromotion, not awarded rewards for remaining epochs are sent to an address given by promotion creator. Awarded rewards not claimed by users stay in the contract. Since the promotion is deleted from promotions, users...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/12 12:0 a.m.•9 views

Large _epochId value impacts rewards calculation

Handle sirhashalot Vulnerability details Impact The epochId value is a uint256 that can be provided by the user in the epochIds array in the important claimRewards and getRewardsAmount functions. The epochId value should be between 0 and 255, as evidenced by the bit shifting of a uint256 type in...

7.3AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/12 12:0 a.m.•11 views

Missing Validation Of createPromotion Parameters

Handle leastwood Vulnerability details Impact The createPromotion function is called by a creator account denoted as msg.sender to fund a promotion with tokens allocated on a per epoch basis across a set epochs. However, the function does not perform the necessary checks on function inputs to...

7.1AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/12 12:0 a.m.•14 views

Reward stuck if promotion cancel before all past reward claimed

Handle gzeon Vulnerability details Impact When owner call cancelPromotion, the contract 1. Delete the promotion struct L132 2. Return all token reserved for future epochs L133 If there are token left for previous epochs, they will be stuck in the contract as the promotion struct is gone. Proof of...

7AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/12 12:0 a.m.•11 views

Can drain any promotion rewards

Handle gzeon Vulnerability details Impact There are no checks to make sure epochId const promotionId = 1; const wallet2Amount = toWei'750'; const wallet3Amount = toWei'250'; await ticket.mintwallet2.address, wallet2Amount; await ticket.connectwallet2.delegatewallet2.address; await...

6.7AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/12 12:0 a.m.•11 views

Tokens with fee on transfer are not supported

Handle WatchPug Vulnerability details There are ERC20 tokens that charge fee for every transfer or transferFrom. In the current implementation, createPromotion assumes that the received amount is the same as the transfer amount, and uses it to calculate reward amounts. As a result, in claimReward...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/12 12:0 a.m.•13 views

Non compatile with all tokens

Handle 0x1f8b Vulnerability details Impact It could not work with all tokens. Proof of Concept The method fromTokenAmount inside the contract Token18 can't work with tokens with 0 decimals, the result of UFixed18Lib.ratio will throw and error because it will divide by zero. It's mandatory to chec...

6.9AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/12 12:0 a.m.•11 views

getRemainingRewards might fail unexpectedly

Handle certora Vulnerability details getRemainingRewards might fail unexpectedly. getRemainingRewards calls getRemainingRewards which calls getCurrentEpochId: function getCurrentEpochIdPromotion memory promotion internal view returns uint256 // elapsedTimestamp / epochDurationTimestamp return...

6.9AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/12 12:0 a.m.•13 views

Can claim epoch > 255 repeatedly due to bitshift truncation

Handle gzeon Vulnerability details Can claim epoch 255 repeatedly due to bitshift truncation Impact TwabRewards contract store user claimed reward in a claimedEpochs bitmap. function isClaimedEpochuint256 userClaimedEpochs, uint256 epochId internal pure returns bool return userClaimedEpochs epoch...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/11 12:0 a.m.•10 views

StartTimestamp is not checked

Handle defsec Vulnerability details Impact When the promotion is created, the promotion.startTimestamp variable can be so old date. That will cause to affect to epoch calculation. Proof of Concept 1. Navigate to the following contract code. promotionsnextPromotionId = Promotion msg.sender, ticket...

6.9AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/11 12:0 a.m.•12 views

Possibility to drain SavingsAccount contract assets

Handle kemmio Vulnerability details Impact A malicious actor can manipulate switchStrategy function in a way to withdraw tokens that are locked in SavingsAccount contract the risk severity should be reviewed Proof of Concept Firstly an attacker need to deploy a rogue strategy contract implementin...

7.1AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/11 12:0 a.m.•7 views

AaveYield: Misspelled external function name making functions fail

Handle 0xngndev Vulnerability details Impact In AaveYield.sol the functions: liquidityToken withdrawETH depositETH Make a conditional call to IWETHGatewaywethGateway.getAWETHAddress This function does not exist in the wethGateway contract, causing these function to fail with the error "Fallback n...

6.9AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/11 12:0 a.m.•15 views

getRewardsAmount doesn't check epochs haven't been claimed

Handle harleythedog Vulnerability details Impact In ITwabRewards.sol, it is claimed that getRewardsAmount should account for epochs that have already been claimed, and not include these epochs in the total amount indeed, there is a line that says @dev Will be 0 if user has already claimed rewards...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/10 12:0 a.m.•9 views

divide-before-multiply

Handle 0v3rf10w Vulnerability details Impact divide-before-multiply can lead to miscalculation of fees in below function Proof of Concept Vulnerable Function : Basket.handleFeesuint256 Basket.sol133-153 : uint256 feePct = timeDiff licenseFee / ONEYEAR; uint256 fee = startSupply feePct / BASE -...

6.9AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/10 12:0 a.m.•9 views

Basket:handleFees(): fees are overcharged

Handle GiveMeTestEther Vulnerability details Impact The fee calculation is based on the totalSupply of the basket token. But some amount of the totalSupply represents the fees paid to the publisher/ protocol owner. Therefore the fees are "overcharged": because the fee amount is calculated on a pa...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/10 12:0 a.m.•14 views

Auction.sol#settleAuction() Bonder may not be able to settle a bonded auction, leading to loss of funds

Handle WatchPug Vulnerability details uint256 a = factory.auctionMultiplier basket.ibRatio; uint256 b = bondBlock - auctionStart BASE / factory.auctionDecrement; uint256 newRatio = a - b; address memory pendingTokens, uint256 memory pendingWeights, uint256 minIbRatio = basket.getPendingWeights;...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/10 12:0 a.m.•10 views

Publisher can scam users by changing license fees and using auction to freeze user funds

Handle 0x0x0x Vulnerability details Publisher can call changeLicenseFee to change fees. There is no maximum cap for this parameter. At first glance, because there is a timelock period of 1 day, the users have enough time to react. But if the publisher can start an auction and bondForRebalance. Th...

6.7AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/10 12:0 a.m.•12 views

Fee calculation is slightly off

Handle gzeon Vulnerability details Impact The fee calculation uint256 timeDiff = block.timestamp - lastFee; uint256 feePct = timeDiff licenseFee / ONEYEAR; uint256 fee = startSupply feePct / BASE - feePct; tries to calculate a fee such that fee/supply+fee = %fee using a simple interest formula i....

6.9AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/10 12:0 a.m.•10 views

Change in auctionMultiplier/auctionDecrement change profitability of auctions and factory can steal all tokens from a basket abusing it

Handle 0x0x0x Vulnerability details When factory changes auctionMultiplier or auctionDecrement profitability of bonded auctions change. There is no protection against this behaviour. Furthermore, factory owners can decide to get all tokens from baskets where they are bonded for the auction. Proof...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/10 12:0 a.m.•7 views

Missing cap on LicenseFee

Handle gzeon Vulnerability details Impact There is no cap on LicenseFee. While change of LicenseFee is under 1 day timelock, introducing a maxLicenseFee can improve credibility by removing the "rug" vector. There is a minLicenseFee in the contracts, while imo make little sense to have minLicenseF...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/10 12:0 a.m.•17 views

Reentrancy vulnerability in Basket contract's initialize() method.

Handle broccolirob Vulnerability details A malicious "publisher" can create a basket proposal that mixes real ERC20 tokens with a malicious ERC20 token containing a reentrancy callback in it's approve method. When the initialize method is called on the newly cloned Basket contract, a method calle...

6.9AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/10 12:0 a.m.•9 views

Promotion creator can't cancel promotion before it has begun

Handle kenzo Vulnerability details If a promotion creator has created a promotion for the future, and decides to cancel it, he can not do so due to an underflow in a calculation. Impact Promotion creator funds will be locked until promotion begins. Proof of Concept Promotion's startTimestamp is...

7AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/10 12:0 a.m.•16 views

Basket.sol#publishNewIndex() Lack of input validation may cause fund loss to anyone who bonds an auction

Handle WatchPug Vulnerability details According to the newRatio formula in settleAuction, the maximum value of newRatio is factory.auctionMultiplier basket.ibRatio. However, since there is no validation for the value of minIbRatio when setting it, if the publisher publishes a newIndex with...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/10 12:0 a.m.•6 views

Multiple initialization of Collateral contract

Handle 0x1f8b Vulnerability details Impact The attacker can initialize the contract, take malicious actions, and allow it to be re-initialized by the project without any error being noticed.. Proof of Concept The initialize method of the Collateral contract does not contain the initializer...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/10 12:0 a.m.•15 views

Basket.sol#auctionBurn calculates ibRatio wrong

Handle 0x0x0x Vulnerability details The function is implemented as follows: function auctionBurnuint256 amount onlyAuction nonReentrant external override uint256 startSupply = totalSupply; handleFeesstartSupply; burnmsg.sender, amount; uint256 newIbRatio = ibRatio startSupply / startSupply -...

7AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/09 12:0 a.m.•12 views

Basket can be fully drained if the auction is settled within a specific block

Handle Ruhum Vulnerability details Impact The settleAuction function allows someone to settle the auction by transferring funds in a way that the new pending index is fulfilled. As a reward, they are able to take out as many tokens as they want as long as the pending index is fulfilled after that...

6.7AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/09 12:0 a.m.•8 views

Lost fees due to precision loss in fees calculation

Handle kenzo Vulnerability details In fees calculation, division is being used in the midst of the calculation, not at the end of it. This leads to lost precision in fee amount as solidity doesn't save remainder of division. Division should happen at the end to maintain precision. Impact Lost fee...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/09 12:0 a.m.•12 views

Wrong emergencyWithdraw logic

Handle 0x1f8b Vulnerability details Impact The contract doesn't work as expected. Proof of Concept The method, emergencyWithdraw inside the contract yield/NoYield doesn't work as expected, the transfer was done with received value, and it should be done with amount, so the emergencyWithdraw never...

7AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/09 12:0 a.m.•9 views

Publisher can lock all user funds in the Basket in order to force a user to have their bond burned

Handle TomFrenchBlockchain Vulnerability details Impact All user funds in a basket being held hostage by the publisher Proof of Concept The Basket publisher can propose an auction in order to set new tokens and weights with a 1 day timelock. As part of this call they can set the minIbRatio variab...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/09 12:0 a.m.•5 views

Wrong fee calculation after totalSupply was 0

Handle kenzo Vulnerability details handleFees does not update lastFee if startSupply == 0. This means that wrongly, extra fee tokens would be minted once the basket is resupplied and handleFees is called again. Impact Loss of user funds. The extra minting of fee tokens comes on the expense of the...

6.7AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/09 12:0 a.m.•8 views

Missing SafeApprove(0)

Handle sirhashalot Vulnerability details There are instances where the SafeApprove function is called only once without setting the allowance to zero. Some tokens, like USDT, require first reducing the address' allowance to zero by calling approvespender, 0. Additionally, the comment before the...

6.9AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/08 12:0 a.m.•15 views

UniswapV3's path issue for swapExactOutput

Handle cmichel Vulnerability details UniswapV3 expects a path object like tokenA, feeAB, tokenB, feeBC, tokenC. The UniV3Trader.swapExactOutput code tries to reverse this path to get to tokenC, feeBC, tokenB, feeAB, tokenA but that's not what the reverseBytes function does. Note that it reverts t...

6.9AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/08 12:0 a.m.•8 views

Basket:handleFees fee calculation is wrong

Handle GiveMeTestEther Vulnerability details Impact The fee calculation on L141 is wrong. It should only get divided by BASE and not BASE - feePct Proof of Concept This shows dividing only by BASE is correct: Assumptions: BASE is 1e18 accordign to the code timeDiff is exactly ONEYEAR for easier...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/08 12:0 a.m.•7 views

Basket publisher can raise licenseFee in an unbounded fashion, stealing other users tokens

Handle TomFrenchBlockchain Vulnerability details Impact Publisher can make licenseFee arbitrarily large and then steal any funds remaining in the basket after 1 day. Proof of Concept On minting or burning basket tokens the handleFees function is called. This mints a number of basket tokens to the...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/08 12:0 a.m.•10 views

Bad redirects can make it impossible to deposit & withdraw

Handle cmichel Vulnerability details The GatewayVault.push function gets redirects from the strategyParams. If redirectsi = j, vault index i's deposits are redirected to vault index j. Note that the deposits for vault index i are cleared, as they are redirected: for uint256 j = 0; j The same is...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/08 12:0 a.m.•10 views

Unsafe implementation of fundLoan() allows attacker to steal collateral from an unfunded loan

Handle WatchPug Vulnerability details uint256 treasuryFee = fundsLent ILenderLikelender.treasuryFee paymentInterval paymentsRemaining / uint256365 days 10000; // Transfer delegate fee, if any, to the pool delegate, and decrement drawable funds. uint256 delegateFee = fundsLent...

6.7AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/08 12:0 a.m.•8 views

Anyone can call closeLoan() to close the loan

Handle WatchPug Vulnerability details function closeLoanuint256 amount external override returns uint256 principal, uint256 interest // The amount specified is an optional amount to be transfer from the caller, as a convenience for EOAs. requireamount == uint2560 ||...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/08 12:0 a.m.•11 views

Unlimited allowances let anyone move funds to child vaults

Handle 0x0x0x Vulnerability details A malicious attacker can move someones funds between their vaults, since max allowances are given. As a consequence, a malicious user can block activities such as reclaimTokens. Although, funds are not directly stolen, it is possible to revert transactions of...

6.9AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/08 12:0 a.m.•8 views

UniV3Vault.sol#collectEarnings() can be front run

Handle WatchPug Vulnerability details For UniV3Vault, it seems that lp fees are collected through collectEarnings callable by the strategy and reinvested rebalanced. However, in the current implementation, unharvested yields are not included in tvl, making it vulnerable to front-run attacks that...

6.9AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/08 12:0 a.m.•10 views

ChiefTrader.sol Wrong implementation of swapExactInput() and swapExactOutput()

Handle WatchPug Vulnerability details When a caller calls ChiefTrader.solswapExactInput, it will call ITradertraderAddress.swapExactInput. return ITradertraderAddress.swapExactInput0, amount, recipient, path, options; However, in the current implementation, inputToken is not approved to the...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/08 12:0 a.m.•12 views

Governor can steal funds from vaults

Handle 0x0x0x Vulnerability details reclaimTokens function is as follows function reclaimTokensaddress to, address memory tokens external nonReentrant requirenft 0, ExceptionsLibrary.INITIALIZATION; IProtocolGovernance governance = vaultGovernance.internalParams.protocolGovernance; bool...

7AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/08 12:0 a.m.•11 views

IsContract Function Usage

Handle defsec Vulnerability details Impact the isContract function that uses EXTCODESIZE was discovered to be hackable. The function will return false if it is invoked from a contract's constructor because the contract has not been deployed yet. The code should be used very carefully, if at all, ...

7.1AI score
Exploits0
Code423n4
Code423n4
•added 2021/12/08 12:0 a.m.•10 views

tokenWhitelist might break if removeFromTokenWhitelist is called multiple times with the same token

Handle gzeon Vulnerability details Impact In removeFromTokenWhitelist of ProtocolGovernance, numberOfValidTokens is decreased by 1 if addr is in tokenEverAdded. There are no check if the addr is still in the whitelist and therefore numberOfValidTokens can be repeatedly decreased to 0 by calling...

7AI score
Exploits0
Total number of security vulnerabilities10190