10190 matches found
unstreamed not updated in withdraw()
Handle gpersoon Vulnerability details Impact The function stake increases unstreamed; however, the function withdraw, which does the inverse of stake, doesn't decrease unstreamed. The function withdraw does update all the other relevant variables, so this seems to be an omission. Thus the value of...
Undesired tokens can be called
Handle 0x1f8b Vulnerability details Impact Possible call to unwanted tokens. Proof of Concept In the method reclaimTokens of the Vault contract, transfer was called on tokens provided by the caller, but maybe these tokens are not allowed by the governance; it must be checked that isAllowedTokenaddre...
Governed.sol: setPendingGov() should use the emergency_governed modifier.
Handle itsmeSTYJ Vulnerability details Impact In the event the governor gets compromised (leaked pk, unauthorised remote access, phishing, etc.), you will not be able to recover it with the emergency governor; however, if the emergency governor gets compromised, you can still resolve the problem w/ th...
Possible denial of service by human error
Handle 0x1f8b Vulnerability details Impact Possible denial of service. Proof of Concept The method removeFromTokenWhitelist of the contract ProtocolGovernance doesn't check if the argument addr is inside the tokensAllowed map before removing it; the problem is that if the user calls this method twice it'...
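Added illustration (not ProtocolGovernance's code, which is only described above): a whitelist kept as an array plus a one-based index mapping, where removal first checks membership. The swap-and-pop layout is an assumption about how such a list is usually stored; the point is the membership check, which makes a second removal of the same address revert cleanly instead of corrupting the list.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical whitelist with a guarded remove; not the audited contract.
contract TokenWhitelistDemo {
    address public governance;
    address[] public tokensAllowed;
    // index in tokensAllowed plus one; 0 means "not listed"
    mapping(address => uint256) private _indexPlusOne;

    constructor() { governance = msg.sender; }

    modifier onlyGovernance() {
        require(msg.sender == governance, "not governance");
        _;
    }

    function addToTokenWhitelist(address addr) external onlyGovernance {
        require(addr != address(0), "zero address");
        require(_indexPlusOne[addr] == 0, "already allowed");
        tokensAllowed.push(addr);
        _indexPlusOne[addr] = tokensAllowed.length;
    }

    // The existence check is the one the finding above says is missing: without
    // it a repeated call would operate on index 0 (or underflow) and evict an
    // unrelated token or revert in a confusing way.
    function removeFromTokenWhitelist(address addr) external onlyGovernance {
        uint256 idxPlusOne = _indexPlusOne[addr];
        require(idxPlusOne != 0, "token not whitelisted");

        uint256 idx = idxPlusOne - 1;
        uint256 last = tokensAllowed.length - 1;
        if (idx != last) {
            // move the tail entry into the freed slot and fix its index
            address moved = tokensAllowed[last];
            tokensAllowed[idx] = moved;
            _indexPlusOne[moved] = idx + 1;
        }
        tokensAllowed.pop();
        delete _indexPlusOne[addr];
    }

    function isAllowedToken(address addr) external view returns (bool) {
        return _indexPlusOne[addr] != 0;
    }

    function allowedCount() external view returns (uint256) {
        return tokensAllowed.length;
    }
}
```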
LockeERC20.sol: Frontrun attack on approve()
Handle itsmeSTYJ Vulnerability details Impact It is possible to frontrun the standard ERC20 token approve function. Proof of Concept Read this for more info. Recommended Mitigation Steps Either require that allowance is 0 before approve can be called or use increase / decrease allowance e.g...
Require with not comprehensive message
Handle robee Vulnerability details The following requires have non-comprehensive messages. It is very important to add a comprehensive message for any require, such that the user has enough information to know the reason for failure: Solidity file: GatewayVaultGovernance.sol, in line 63 with...
LockeERC20 is vulnerable to a frontrun attack
Handle egjlmn1 Vulnerability details Impact A user can steal another user's tokens if he frontruns before the other user changes the allowance. The approve function receives an amount to change to. Let's say user A approved user B to take N tokens, and now he wants to change from N to M; if he calls approveM t...
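Added illustration for the two LockeERC20 approve() findings above; this is not LockeERC20's code. A minimal allowance store shows the race (a spender who sees the approve(M) in the mempool spends N first, then M once it lands) and the two mitigations the reports name: refusing a non-zero to non-zero overwrite, and relative increase/decrease calls. Token balances and the constructor mint are constructed for the demo.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract AllowanceDemo {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    constructor() { balanceOf[msg.sender] = 1_000 ether; } // demo mint

    // Standard approve: overwriting N with M lets a spender who front-runs the
    // change spend N first, then spend M again once the new approval lands.
    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    // Mitigation A: an allowance may only move to or from zero, so the owner
    // first sets 0 and can observe whether the old allowance was spent.
    function approveStrict(address spender, uint256 amount) external returns (bool) {
        require(amount == 0 || allowance[msg.sender][spender] == 0, "reset allowance to 0 first");
        allowance[msg.sender][spender] = amount;
        return true;
    }

    // Mitigation B: relative changes. If the spender front-runs with N, the
    // result is (N - spent) + added, never a fresh M on top of N.
    function increaseAllowance(address spender, uint256 added) external returns (bool) {
        allowance[msg.sender][spender] += added;
        return true;
    }

    function decreaseAllowance(address spender, uint256 subtracted) external returns (bool) {
        uint256 current = allowance[msg.sender][spender];
        require(current >= subtracted, "decreased allowance below zero");
        allowance[msg.sender][spender] = current - subtracted;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        uint256 allowed = allowance[from][msg.sender];
        require(allowed >= amount, "insufficient allowance");
        require(balanceOf[from] >= amount, "insufficient balance");
        allowance[from][msg.sender] = allowed - amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}
```

Note that neither mitigation changes approve() itself; wallets and integrators still have to use the safer entry points, which is why many teams keep approve() standard and document the increase/decrease path.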
Timelock delay can be changed without any delay
Handle 0x0x0x Vulnerability details Impact Delay can be changed without any delay. Therefore, it is possible to call functions from this contract in a single block by changing the delay. This creates a huge attack vector, since if the governor's private keys were stolen, everything could be withdrawn...
UniswapHandler.maltMarketPrice returns wrong decimals
Handle cmichel Vulnerability details The UniswapHandler.maltMarketPrice function returns a tuple of the price and the decimals of the price. However, the returned decimals do not match the computed price for the else if rewardDecimals maltDecimals branch: else if rewardDecimals maltDecimals uint2...
Slippage protection
Handle pauliax Vulnerability details Impact functions buyMalt and sellMalt, and removeLiquidity have no slippage protection and addLiquidity hardcodes it to 5%: 0, // amountOutMin Mempool snipers can profit from that by monitoring the chain and sandwiching these functions. Now it is left for the...
_addTostakepadding() will return 0 for users who already had a stake padding but would like to add on top of their previous stake with 'newStakePadding' on lines 186-190 (AbstractRewardMine.sol)
Handle 0xwags Vulnerability details Impact The handleStakePadding function handles the calculations for users without a prior stake padding and for the ones who already had a stake padding but want to add to their existing stake padding. The condition within 'newStakePadding' will return false for user...
Excessive privilege for Timelock governor
Handle gzeon Vulnerability details Impact Timelock governor can change delay and gracePeriod at will, which render the timelock useless. function setDelayuint256 delay public onlyRoleGOVERNORROLE, "Must have timelock role" function setGracePerioduint256 gracePeriod public onlyRoleGOVERNORROLE,...
Timelock can be bypassed
Handle WatchPug Vulnerability details The purpose of a Timelock contract is to put a limit on the privileges of the governor, by forcing a two step process with a preset delay time. However, we found that the current implementation actually won't serve that purpose as it allows the governor to...
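Added illustration covering the three Timelock findings above ("Timelock delay can be changed without any delay", "Excessive privilege for Timelock governor", "Timelock can be bypassed"); it is not the audited Timelock. It contrasts a delay setter the governor can call directly with one that is only reachable through the timelock's own queue/execute path and is clamped to a range, so a stolen governor key cannot zero the delay and execute in the same block. The queue/execute shape follows the common Compound-style design; the bounds are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract TimelockDemo {
    uint256 public constant MIN_DELAY = 1 days;
    uint256 public constant MAX_DELAY = 30 days;
    uint256 public constant GRACE_PERIOD = 14 days;

    address public governor;
    uint256 public delay = 2 days;
    mapping(bytes32 => uint256) public queuedAt; // tx hash => eta, 0 = not queued

    constructor(address _governor) { governor = _governor; }

    modifier onlyGovernor() {
        require(msg.sender == governor, "not governor");
        _;
    }

    // BAD (pattern flagged above): the governor key, the very thing the timelock
    // is meant to constrain, can set delay = 0 and then queue + execute at once.
    function setDelayUnsafe(uint256 newDelay) external onlyGovernor {
        delay = newDelay;
    }

    // GOOD: only the timelock itself may call this, i.e. only as an executed,
    // previously queued transaction that waited out the current delay; and the
    // new value is bounded so even a queued change cannot disable the lock.
    function setDelay(uint256 newDelay) external {
        require(msg.sender == address(this), "must go through timelock");
        require(newDelay >= MIN_DELAY && newDelay <= MAX_DELAY, "delay out of range");
        delay = newDelay;
    }

    function hashTx(address target, uint256 value, bytes calldata data, uint256 eta)
        public pure returns (bytes32)
    {
        return keccak256(abi.encode(target, value, data, eta));
    }

    function queue(address target, uint256 value, bytes calldata data, uint256 eta)
        external onlyGovernor returns (bytes32 h)
    {
        require(eta >= block.timestamp + delay, "eta too early");
        h = hashTx(target, value, data, eta);
        require(queuedAt[h] == 0, "already queued");
        queuedAt[h] = eta;
    }

    function cancel(bytes32 h) external onlyGovernor {
        delete queuedAt[h];
    }

    function execute(address target, uint256 value, bytes calldata data, uint256 eta)
        external payable onlyGovernor returns (bytes memory)
    {
        bytes32 h = hashTx(target, value, data, eta);
        uint256 eta_ = queuedAt[h];
        require(eta_ != 0, "not queued");
        require(block.timestamp >= eta_, "still locked");
        require(block.timestamp <= eta_ + GRACE_PERIOD, "stale");
        delete queuedAt[h];
        (bool ok, bytes memory ret) = target.call{value: value}(data);
        require(ok, "tx reverted");
        return ret;
    }
}
```

To change the delay, the governor queues a call to `setDelay` with `target = address(this)`, waits at least the current delay, and executes it; anyone watching the queue gets the full delay window to react, which is the property the original direct setter removed.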
Dutch auction can be manipulated
Handle gzeon Vulnerability details Impact When malt is under-peg and the swing trader module does not have enough capital to buy back to peg, a Dutch auction is triggered to sell arb tokens. The price of the Dutch auction decreases linearly toward endprice until endAuction is called. endAuction is...
Unable to remove liquidity in Recovery Mode
Handle gzeon Vulnerability details Impact According to When the Malt price TWAP drops below a specified threshold (e.g. 2% below peg) then the protocol will revert any transaction that tries to remove Malt from the AMM pool, i.e. buying Malt or removing liquidity. Users wanting to remove liquidity can...
MovingAverage.setSampleMemory() may break MovingAverage, making the value of exchangeRate in StabilizerNode.stabilize() extremely wrong
Handle WatchPug Vulnerability details function setSampleMemoryuint256 sampleMemory external onlyRoleADMINROLE, "Must have admin privs" requiresampleMemory 0, "Cannot have sample memroy of 0"; if sampleMemory sampleMemory for uint i = sampleMemory; i sampleMemory; i++ samples.push; counter = count...
User can bypass Recovery Mode via UniswapHandler to buy Malt
Handle gzeon Vulnerability details Impact One of the innovative features of Malt is to block buying while under peg. The buy block can be bypassed by swapping to the whitelisted UniswapHandler and then extracting the token by abusing the add and remove liquidity functions. This is considered a high...
RewardReinvestor.provideReinvest and splitReinvest are vulnerable to sandwich attacks as market price isn't checked
Handle hyh Vulnerability details Impact Liquidity provision can happen at a manipulated price which leads to immediate loss for liquidity provider i.e. IL happens right after liquidity provision in this case. This yields direct loss for an LP account owner, for example schematically: 0. Suppose...
_calculateMaltRequiredForExit makes wrong calculations
Handle 0x0x0x Vulnerability details Proof of concept calculateMaltRequiredForExit calculates the quantity of malts returned. uint256 maltQuantity = userMaltPurchased.mulamount.divuserCommitment; uint256 fullReturn = maltQuantity.mulcurrentPrice / pegPrice; userMaltPurchased / userCommitment...
Permissions - notSameBlock is insufficient for reentrancy protection
Handle ScopeLift Vulnerability details Impact TBD how bad the impact is The docs mention that the notSameBlock modifier and associated notSameBlock method is used to guard against reentrancy. However, users can still call a method twice in a single transaction by transferring assets/positio...
stabilize() is vulnerable to flashloan sandwich attack
Handle WatchPug Vulnerability details When the price of Malt is outside the lowerThreshold and upperThreshold, StabilizerNode.sol will market buy/sell Malt. However, since the market sell can be triggered by anyone and there is no slippage control, it is vulnerable to a flashloan sandwich attack...
purchaseArbitrageTokens() can be front run
Handle WatchPug Vulnerability details The current implementation of purchaseArbitrageTokens provides no parameter for slippage control, making it vulnerable to front-run attacks. function purchaseArbitrageTokensuint256 amount external notSameBlock ... uint256 purchased =...
MiningService.setBonding should use BONDING role instead of REINVESTOR one
Handle hyh Vulnerability details Impact BONDINGROLE cannot be managed after it was initialized. Proof of Concept setBonding set the wrong role via swapRole: Recommended Mitigation Steps Set BONDINGROLE instead of REINVESTORROLE in setBonding function: Now: function setBondingaddress bonding publi...
AddLiquidity allows sandwich attacks on direct use within hard coded 5% slippage tolerance
Handle hyh Vulnerability details Impact Liquidity provision can happen at a manipulated price which leads to immediate loss for liquidity provider i.e. IL happens right after liquidity provision in this case. This yields direct loss for an account owner, for example schematically: 0. Suppose...
AbstractRewardMine.sol#setRewardToken is dangerous
Handle 0x0x0x Vulnerability details Impact In case the reward token is changed, totalDeclaredReward will be changed and likely equal to 0. Since userStakePadding and globalStakePadding are accumulated, changing the reward token will not reset those values. Thus, it will create problems...
Bonding doesn't work with fee-on transfer tokens
Handle cmichel Vulnerability details Certain ERC20 tokens make modifications to their ERC20's transfer or balanceOf functions. One type of these tokens is deflationary tokens that charge a certain fee for every transfer or transferFrom. Impact The Bonding.bond function will revert in the...
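Added illustration of the fee-on-transfer point above; it is not Bonding.sol. The unsafe version credits the requested amount, so with a deflationary token the contract holds less than it owes and later unbonds either revert or are paid from other users' deposits. The safe version credits the balance difference actually received. Token and storage names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

contract BondingDemo {
    IERC20 public immutable stakeToken;
    mapping(address => uint256) public bonded;
    uint256 public totalBonded;

    // balance-difference accounting must not be re-enterable mid-measurement
    uint256 private _locked = 1;
    modifier nonReentrant() {
        require(_locked == 1, "reentrant");
        _locked = 2;
        _;
        _locked = 1;
    }

    constructor(IERC20 _stakeToken) { stakeToken = _stakeToken; }

    // BAD: assumes `amount` arrived. A token that burns a fee on transfer
    // delivers less, so accounting and real balance drift apart.
    function bondUnsafe(uint256 amount) external {
        require(stakeToken.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        bonded[msg.sender] += amount;
        totalBonded += amount;
    }

    // GOOD: credit what the contract actually received.
    function bond(uint256 amount) external nonReentrant {
        uint256 before = stakeToken.balanceOf(address(this));
        require(stakeToken.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        uint256 received = stakeToken.balanceOf(address(this)) - before;
        require(received > 0, "nothing received");
        bonded[msg.sender] += received;
        totalBonded += received;
    }

    function unbond(uint256 amount) external nonReentrant {
        require(bonded[msg.sender] >= amount, "insufficient bonded");
        bonded[msg.sender] -= amount;
        totalBonded -= amount;
        // the outgoing transfer may also be fee-charged; the user receives
        // amount minus fee, but the contract's own accounting stays consistent
        require(stakeToken.transfer(msg.sender, amount), "transfer failed");
    }
}
```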
Permissions - return values not checked when sending ETH
Handle ScopeLift Vulnerability details Impact On lines 85 and 101, ETH is transferred using a .call to an address provided as an input, but there is no verification that the call succeeded. This can result in a call to emergencyWithdrawGAS or partialWithdrawGAS appearing successful but in...
AbstractRewardMine - Re-entrancy attack during withdrawal
Handle ScopeLift Vulnerability details Impact The internal withdraw method does not follow the checks-effects-interactions pattern. A malicious token, or one that implemented transfer hooks, could re-enter the public calling function such as withdraw before proper internal accounting was complete...
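Added illustration for the three ScopeLift findings above (notSameBlock as reentrancy guard, unchecked .call when sending ETH, and the withdraw path that interacts before updating state); it is not AbstractRewardMine or Permissions code. Each unsafe function is paired with its hardened form: checks-effects-interactions plus a transaction-scoped mutex, and a checked low-level call so the accounting only changes when the ETH actually left. The reward and gas-deposit bookkeeping is constructed for the demo.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract SafeWithdrawDemo {
    IERC20 public immutable rewardToken;
    mapping(address => uint256) public rewards;     // claimable ERC20 reward
    mapping(address => uint256) public gasDeposits; // claimable ETH

    uint256 private _locked = 1;
    // Mutex for the whole transaction: unlike a per-block check it also stops
    // a nested call from a token hook inside the same transaction.
    modifier nonReentrant() {
        require(_locked == 1, "reentrant");
        _locked = 2;
        _;
        _locked = 1;
    }

    constructor(IERC20 _rewardToken) { rewardToken = _rewardToken; }

    receive() external payable { gasDeposits[msg.sender] += msg.value; }

    // BAD: interaction before effects. A token with transfer hooks re-enters
    // here while rewards[msg.sender] is still the full amount, so every
    // nested call reads the same `owed` and transfers it again.
    function withdrawUnsafe() external {
        uint256 owed = rewards[msg.sender];
        require(owed > 0, "nothing owed");
        require(rewardToken.transfer(msg.sender, owed), "transfer failed");
        rewards[msg.sender] = 0;
    }

    // GOOD: checks, then effects, then the external call, under the mutex.
    function withdraw(uint256 amount) external nonReentrant {
        uint256 owed = rewards[msg.sender];
        require(owed >= amount, "insufficient");
        rewards[msg.sender] = owed - amount;
        require(rewardToken.transfer(msg.sender, amount), "transfer failed");
    }

    // BAD: the .call result is dropped. If `to` rejects ETH the deposit is
    // still zeroed and the transaction still reports success.
    function withdrawGasUnsafe(address payable to) external {
        uint256 amount = gasDeposits[msg.sender];
        gasDeposits[msg.sender] = 0;
        to.call{value: amount}("");
    }

    // GOOD: effects first, then the call, whose success flag is enforced.
    function withdrawGas(address payable to) external nonReentrant {
        uint256 amount = gasDeposits[msg.sender];
        require(amount > 0, "nothing to withdraw");
        gasDeposits[msg.sender] = 0;
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "ETH send failed");
    }
}
```

Reverting on a failed send is the right default for a pull-payment withdrawal like this one, because the recipient chose the address; for push-style payouts to arbitrary recipients a failed send should instead be recorded as still claimable rather than block the whole batch.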
MiningService _withdrawMultiple will fail most of the time
Handle hyh Vulnerability details Impact Impact depends on subtraction overflow handling and this way on the compiler version used for production deployment. If compiler version above 0.8: The compiler will check subtraction and fail, so a user will have all withdrawals fail most of the time,...
AuctionEscapeHatch.sol#exitEarly updates state of the auction wrongly
Handle 0x0x0x Vulnerability details Vulnerability AuctionEscapeHatch.sol exitEarly takes as input amount to represent how much of the When the user exits an auction with profit, to apply the profit penalty less maltQuantity is liquidated compared to how much malt token the liquidated amount...
swapExactTokensForTokens is used with amountOutMin = 0
Handle 0x0x0x Vulnerability details Impact In UniswapHandler.sol two important functions sellMalt and buyMalt use swapExactTokensForTokens with amountOutMin = 0. This is a big problem since miners can exploit this intensively. So miners can strongly manipulate the price, since they can order the...
splitReinvest() can be front run
Handle WatchPug Vulnerability details function splitReinvestuint256 rewardLiquidity external retrieveRewardrewardLiquidity; uint256 rewardBalance = rewardToken.balanceOfaddressthis; rewardToken.safeTransferaddressdexHandler, rewardBalance.div2; dexHandler.buyMalt; bondAccountmsg.sender; emit...
Wrong decimals returned by maltMarketPrice()
Handle gzeon Vulnerability details Impact maltMarketPrice in UniswapHandle return incorrect decimals of price when rewardDecimals maltDecimals else if rewardDecimals maltDecimals uint256 diff = maltDecimals - rewardDecimals; price = rewardReserves.mul10diff.mul10rewardDecimals.divmaltReserves;...
Missing slippage/min-return check in UniswapHandler
Handle cmichel Vulnerability details The contracts are missing slippage checks which can lead to being vulnerable to sandwich attacks. A common attack in DeFi is the sandwich attack. Upon observing a trade of asset X for asset Y, an attacker frontruns the victim trade by also buying asset Y, lets...
arbitraryCall() can get blocked by an attacker
Handle GiveMeTestEther Vulnerability details Impact "arbitraryCall"'s L733 use case is to claim airdrops by "gov". If the address "who" is a token that could be sent as an incentive by an attacker via "createIncentive" then such a claim can be made unusable, because on L735 there is a...
_getFirstSample returns wrong sample if count < sampleMemory
Handle cmichel Vulnerability details The MovingAverage.sol contract defines several variables that in the end make the samples array act as a ring buffer: sampleMemory: The total length buffer size of the samples array. samples is initialized with sampleMemory zero observations. counter: The...
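Added illustration of the ring-buffer indexing described in the two MovingAverage findings above; it is not MovingAverage.sol. `samples` is pre-filled with zero placeholders, `counter` counts writes, and the slot that will be written next is also the oldest real sample once the buffer has wrapped. Before the first wrap that slot is still a placeholder, which is the case the unsafe accessor gets wrong. Field names and the averaging helper are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract RingBufferDemo {
    struct Sample { uint64 timestamp; uint256 value; }

    Sample[] public samples;
    uint256 public immutable sampleMemory;
    uint256 public counter; // total samples ever written

    constructor(uint256 _sampleMemory) {
        require(_sampleMemory > 0, "sampleMemory = 0");
        sampleMemory = _sampleMemory;
        for (uint256 i = 0; i < _sampleMemory; i++) samples.push(Sample(0, 0));
    }

    function update(uint256 value) external {
        samples[counter % sampleMemory] = Sample(uint64(block.timestamp), value);
        counter++;
    }

    // Slot that will be overwritten next; the oldest sample only once full.
    function _nextIndex() internal view returns (uint256) {
        return counter % sampleMemory;
    }

    // BAD: before the buffer wraps, counter % sampleMemory points at a slot
    // that has never been written, so callers get (0, 0) as the "first" sample.
    function getFirstSampleUnsafe() external view returns (Sample memory) {
        return samples[_nextIndex()];
    }

    // GOOD: before the first wrap the oldest real sample is index 0; after it,
    // the oldest is the slot about to be overwritten. Reverts on empty buffer
    // instead of returning a zero that would poison any downstream rate.
    function getFirstSample() external view returns (Sample memory) {
        require(counter > 0, "no samples");
        if (counter < sampleMemory) return samples[0];
        return samples[_nextIndex()];
    }

    function getLastSample() external view returns (Sample memory) {
        require(counter > 0, "no samples");
        return samples[(counter - 1) % sampleMemory];
    }

    // Average only over samples actually recorded, never over placeholders.
    function average() external view returns (uint256) {
        uint256 n = counter < sampleMemory ? counter : sampleMemory;
        require(n > 0, "no samples");
        uint256 sum;
        for (uint256 i = 0; i < n; i++) sum += samples[i].value;
        return sum / n;
    }
}
```

Resizing the buffer at runtime, which the setSampleMemory() finding above concerns, has to preserve this invariant too: after changing `sampleMemory` the relationship between `counter`, the write index and the oldest slot must be re-established, or the same placeholder reads reappear.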
onUnbond calculations incorrect leading to lost funds
Handle harleythedog Vulnerability details Impact Consider the stake padding example given in the contest description here: . At the end of the example, User A has 100 bonded LP and has 100 stake padding. User B has 100 bonded LP and 200 stake padding. There are 300 in rewards in the system. For...
Slippage checks when adding liquidity are too strict
Handle cmichel Vulnerability details When adding liquidity through UniswapHandler.addLiquidity, the entire contract balances are used to add liquidity and the min amounts are set to 95% of these balances. If the balances in this contract are unbalanced the ratio is not similar to the current...
AuctionBurnReserveSkew.getPegDeltaFrequency() Wrong implementation can result in an improper amount of excess Liquidity Extension balance to be used at the end of an auction
Handle WatchPug Vulnerability details function getPegDeltaFrequency public view returns uint256 uint256 initialIndex = 0; uint256 index; if count auctionAverageLookback initialIndex = count - auctionAverageLookback; uint256 total = 0; for uint256 i = initialIndex; i count; ++i index =...
UniswapHandler vulnerable to sandwich bots
Handle Koustre Vulnerability details Impact Any user or contract that has the buyer role and uses the functions buyMalt and sellMalt will be vulnerable to sandwich attacks from bots, which will cause slippage losses to users. Proof of Concept Provide direct links to all referenced code in GitHub...
AMM pool can be drained using a flashloan and calling stabilize
Handle stonesandtrees Vulnerability details Impact All of the rewardToken in a given AMM pool can be removed from the AMM pool and distributed as LP rewards. Proof of Concept In the stabilize method in the StabilizerNode the initial check to see if the Malt price needs to be stabilized it uses a...
Malt Protocol Uses Stale Results From MaltDataLab Which Can Be Abused By Users
Handle leastwood Vulnerability details Impact MaltDataLab integrates several MovingAverage contracts to fetch sensitive data for the Malt protocol. Primary data used by the protocol consists of the real value for LP tokens, the average price for Malt and average reserve ratios. trackMaltPrice,...
RewardReinvestor Is Vulnerable To Sandwich Attacks
Handle leastwood Vulnerability details Impact The splitReinvest function in RewardReinvestor is called upon by bonded users. An attacker can monitor the blockchain for calls to this function and launch a sandwich attack in combination with a flash loan to steal funds. A malicious user is...
StabilizerNode Is Vulnerable To Sandwich Attacks
Handle leastwood Vulnerability details Impact The permissionless stabilize function in StabilizerNode is called to correct deviations in the Malt token price. When the price of Malt has appreciated above its peg, the function simply distributes rewards to LP token holders, effectively taking Malt...
StabilizerNode Is Vulnerable To Sandwich Attacks
Handle leastwood Vulnerability details Impact The permissionless stabilize function in StabilizerNode is called to correct deviations in the Malt token price. When the price of Malt has appreciated above its peg, the function simply distributes rewards to LP token holders, effectively diluting th...
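Added illustration serving the slippage and sandwich findings above ("Slippage protection", "swapExactTokensForTokens is used with amountOutMin = 0", "Missing slippage/min-return check in UniswapHandler", "UniswapHandler vulnerable to sandwich bots", "splitReinvest()/purchaseArbitrageTokens() can be front run", the RewardReinvestor and StabilizerNode sandwich reports). It is not UniswapHandler's code. The router interface is Uniswap V2's real signature; `IPriceOracle` stands in for a manipulation-resistant price source such as a TWAP and is an assumption. User-triggered swaps take a caller-supplied `minOut` and deadline; the permissionless path, where nobody can supply `minOut`, derives it from the oracle price with a bounded deviation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

interface IUniswapV2Router02 {
    function swapExactTokensForTokens(
        uint256 amountIn,
        uint256 amountOutMin,
        address[] calldata path,
        address to,
        uint256 deadline
    ) external returns (uint256[] memory amounts);
}

// Assumed oracle: Malt received per 1e18 reward token, scaled by 1e18.
interface IPriceOracle {
    function maltPerReward() external view returns (uint256);
}

contract GuardedDexHandler {
    IUniswapV2Router02 public immutable router;
    IERC20 public immutable malt;
    IERC20 public immutable reward;
    IPriceOracle public immutable oracle;
    uint256 public constant MAX_DEVIATION_BPS = 100; // accept at most 1% below oracle

    constructor(IUniswapV2Router02 _router, IERC20 _malt, IERC20 _reward, IPriceOracle _oracle) {
        router = _router;
        malt = _malt;
        reward = _reward;
        oracle = _oracle;
    }

    // BAD (the pattern in the findings): amountOutMin = 0 and a loose deadline.
    // A sandwicher buys first, lets this swap execute at any price, sells after.
    function buyMaltUnsafe(uint256 amountIn) external returns (uint256) {
        return _buy(amountIn, 0, block.timestamp + 1 hours);
    }

    // GOOD for user-triggered swaps: the caller states the least it accepts.
    function buyMalt(uint256 amountIn, uint256 minOut, uint256 deadline) external returns (uint256) {
        require(minOut > 0, "minOut = 0");
        return _buy(amountIn, minOut, deadline);
    }

    // GOOD for permissionless paths (stabilize()-style): derive minOut from a
    // price the attacker cannot move within the same block.
    function buyMaltAtOracle(uint256 amountIn) external returns (uint256) {
        uint256 expected = amountIn * oracle.maltPerReward() / 1e18;
        uint256 minOut = expected * (10_000 - MAX_DEVIATION_BPS) / 10_000;
        require(minOut > 0, "oracle price too low");
        return _buy(amountIn, minOut, block.timestamp);
    }

    // Assumes the reward tokens were already transferred to this contract,
    // as the splitReinvest snippet above does before calling buyMalt.
    function _buy(uint256 amountIn, uint256 minOut, uint256 deadline) internal returns (uint256) {
        address[] memory path = new address[](2);
        path[0] = address(reward);
        path[1] = address(malt);
        require(reward.approve(address(router), amountIn), "approve failed");
        uint256[] memory amounts = router.swapExactTokensForTokens(amountIn, minOut, path, msg.sender, deadline);
        return amounts[amounts.length - 1];
    }
}
```

The oracle-derived bound is only as good as the oracle: a spot price read from the same pool gives no protection, which is the point of the MaltDataLab and stabilize() reports above, so the source must be a lagged or time-weighted price that a single-block sandwich cannot shift.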
Unauthenticated remove liquidity function
Handle ad3sh Vulnerability details Impact Anyone can call the removeLiquidity function and remove the liquidity from the contract. The contract is not validating or checking the user's wallet LP. An attacker can drain the pool by calling remove liquidity. Proof of Concept While removing the liquidity the function...
Usage of an incorrect version of ERC20Permit contract can give unknown token with 0 decimals after upgrade.
Handle Jujic Vulnerability details Impact Based on the context and comments in the code, the Malt.sol contract is designed to be deployed as an upgradeable proxy contract. In Solidity, code that is inside a constructor or part of a global variable declaration is not part of a deployed contract’s...
Anyone can remove liquidity
Handle jayjonah8 Vulnerability details Impact In UniswapHandler.sol, anyone can call the removeLiquidity function stealing all the lp tokens in the contract even if they never added liquidity in the first place since the function simply credits the msg.sender with the entire lp token balance of t...
getAuctionCore function returns wrong values out of order
Handle jayjonah8 Vulnerability details Impact In the AuctionEscapeHatch.sol file both earlyExitReturn and calculateMaltRequiredForExit call the getAuctionCore function which has 10 possible return values most of which are not used. It gets the wrong value back for the "active" variable since it's...