Tokens could be stolen by specifying an unauthorized address.

Lines of code Vulnerability details Impact transferBetweenDelegators transfers tokens between proxy contract addresses without any validation. Tokens could be stolen by specifying an unauthorized address. Proof of Concept The issue with transferBetweenDelegators occurs here as we can see: functio...

token.transferFrom signaling failure by returning false may allow for funds to be stolen

Lines of code Vulnerability details Impact ERC20MultiDelegate is expected to work with any ERC20-compliant tokens as long as they provide the same functionality and interface as ERC20Votes from OpenZeppelin. This makes it possible for ERC20MultiDelegate to work with a token that signals...

users will receive lesser rewards than they are supposed to.

Lines of code Vulnerability details Impact Due to risky math being used in the contract LiquidityMining.sol, the user could lose their rewards. Proof of Concept The calculation for user rewards in the LiquidityMining.sol Contract in multple instances divides the rewards earned by the user with a...

[M-16] Reentrancy in the BaseBranchRouter contract

Lines of code Vulnerability details Impact In a Re-entrancy attack, a malicious contract calls back into the calling contract before the first invocation of the function is finished. This may cause the different invocations of the function to interact in undesirable ways, especially in cases wher...

RootBridgeAgent.retrieveSettlement doesn't check if settlement is in FAILED state

Lines of code Vulnerability details Impact The RootBridgeAgent.retrieveSettlement function is supposed to be used to retrieve a failed settlement to be able to redeem it but because the function doesn't actually check that the input settlement is in fact in FAILED state, the function can be used ...

ChainLink should be used as an Oracle for messaging instead of Google Cloud

Lines of code Vulnerability details Impact Each User Application contract e.g. BranchBidgeAgent built on LayerZero will work without configuration using defaults, but a UA will also be able to configure its own. Maia intends to use the default config. However, Google Cloud Oracle is the default a...

Gas that was sent by LayerZero can get stuck in the contract in some cases

Lines of code Vulnerability details If a tx on the destination chain calls back the chain from where the transaction was initiated by the user, the first transaction on the source chain needs to "airdrop" gas to the destination chain so it is able to call back the source chain. The problem is tha...

LiquidityMining.initTickTracking() called by MarketSequencer.initCurve() Check if the liquidity curve for the pool is already initialized.

Lines of code Vulnerability details MarketSequencer.initCurve can call LiquidityMining.initTickTracking any number of times, because their is no restriction for reinitialization. As stated in the comment section, putting the caller in charge of not reinitializing can lead to an unintentional...

ClaimConcentratedRewards and claimAmbientRewards don't update liquidity, enabling double rewards claims. Update liquidity after claims.

Lines of code Vulnerability details Impact The claimConcentratedRewards and claimAmbientRewards functions do not update the liquidity amount after withdrawing rewards. This could allow a user to withdraw rewards multiple times for the same liquidity. Proof of Concept The liquidity amount is not...

Rounding error leading to no reward being sent

Lines of code Vulnerability details Impact Rounding errors could occur if the provided amount is too small, Proof of Concept rewardsToSend += inRangeLiquidityOfPosition concRewardPerWeekpoolIdxweek / overallInRangeLiquidity; uint256 rewardsForWeek = timeWeightedWeeklyPositionAmbLiquidity poolIdx...

Users may be unable to claim their rewards and add/remove liquidity due exceeding gas limit

Lines of code Vulnerability details Impact If a user provides liquidity on ticks which are entered and exited a large number of times, the gas required to call the accrueConcentratedPositionTimeWeightedLiquidity can exceed the block gas limit. Proof of Concept The...

Validate poolIdx input to prevent storage corruption in critical functions.

Lines of code Vulnerability details Impact No validation on poolIdx input for key functions like claimConcentratedRewards. Could pass invalid poolId and corrupt storage. Proof of Concept The claimConcentratedRewards function. It takes in a poolIdx as one of the parameters: function...

An attacker can exploit the accruing liquidity functionality to accrue liquidity for more weeks than intended.

Lines of code Vulnerability details Instances The whole exploit works due to similar functionality being broken at these 4 instances: here, here, here and here. Impact An attacker can accrue both Position time weighted liquidity and Global time weighte...

LayerZero endpoint can get blocked by a malicious user (or even a honest one)

Lines of code Vulnerability details Description Contract Endpoint, from LayerZero is the one responsible of sending/receiving messages to/from other chains. Specifically it has function receivePayload, which is called by contract UltraLightNodeV2 the current default library of the protocol after...

THE RETURN BOOLEAN VALUE OF THE excessivelySafeCall FUNCTION IS NOT CHECKED IN THE BranchBridgeAgent.lzReceive FUNCTION

Lines of code Vulnerability details Impact The BranchBridgeAgent.lzReceive function is used to send cross-chain messages using the layer zero messaging layer. The lzReceive function uses the excessivelySafeCall library on the same contract address addressthis to ensure the layer zero cross chain...

FallBack Function might revert

Lines of code Vulnerability details The performFallbackCall function appears to be designed to send a message to the RootBridgeAgent using the lzReceive function. It includes the settlement nonce encoded as part of the message. Overall, the function seems fine for its intended purpose, but there...

Many issues around addGlobalToken due to lack of input validation when linking a global token to local token

Lines of code Vulnerability details Impact addGlobalToken is used to add a global token to a branch. The flow as follows: 1 = CoreBranchRouter.addGlobalToken 2 = Send Cross-Chain request System Response/Request with FuncId 0x01 Notice that is uses normal callOut though. Anyway, let's continue...

CoreRootRouter.executeDepositSingle FUNCTION REVERTS FOR SINGLE ASSETS DEPOSITS THUS FAILING THE TRANSACTION

Lines of code Vulnerability details Impact The RootBridgeAgent.lzReceiveNonBlocking function calls the respective RootBridgeAgentExecutor functions based on the flag parsed via the payload0. The payload0 == 0x02 stands for the Call with Deposit remote call. The...

The protocolCmd is permisionless but does not check if the user provide native tokens

Lines of code Vulnerability details Proof of Concept Anyone can call protocolCmd which calls setConcRewards and setAmbRewards to set rewards. LiquidityMiningPath.solL26-L37 function protocolCmdbytes calldata cmd public virtual uint8 code, bytes32 poolHash, uint32 weekFrom, uint32 weekTo, uint64...

Incorrect functionID will not trigger fallback

Lines of code Vulnerability details Impact When encoding a payload for settlement of multiple tokens, the fallback flag is not set when it should be. This will cause no fallback to be triggered even though the user has paid enough to cover the additional costs that are required. Proof of Concept ...

Airdropped Gas will remain in the Agent in case of failure

Lines of code Vulnerability details Impact The protocol uses LayerZeros Airdrop mechanism to send gas to BridgeAgents which they need to pay for subsequential cross-chain-messages. If the transaction on the receiver fails, this airdropped gas will remain in the BridgeAgent and can be used up by t...

users can make multiple deposits through the same deposit nonce in branch bridge agent

Lines of code Vulnerability details Impact When a user retries the deposit there is a check that the deposit owner should be msg.sender but there is no check that the deposit failed so user can even retry successful deposits with the same nonce which can affect accounting badly Proof of Concept...

Lack of validation in accrued index allows excess rewards claim.

Lines of code Vulnerability details Impact Mapping tickTrackingIndexAccruedUpTo tracks the index up to which rewards have been accrued for a position. However, there is no validation that this index is incremented properly and stays in sync with tickTracking. An attacker could manipulate the...

accrueConcentratedPositionTimeWeightedLiquidity() can easily DOS due to the for loop in it

Lines of code Vulnerability details Impact accrueConcentratedPositionTimeWeightedLiquidity will iterate every single tick of a user's position. Since that total tick number can be large, this function can encounter a out of gas issue and users may not be able to claim the rewards properly. Proof ...

payableCall in VirtualAccount isn’t protected by requiresApprovedCaller modifier

Lines of code Vulnerability details Impact due to the lack of access control in payableCall function in VirtualAccount contract, anyone can call payableCall on a user virtual account . An attacker can use this vulnerability to steal the users funds after a failed settlement by the user . Proof of...

Lack of force resume support for LZ which is crucially important to have

Lines of code Vulnerability details Impact The User Application LZReceiver should implement the ILayerZeroUserApplicationConfig interface which includes the forceResumeReceive function. This is very important as in the worst case, it can allow the owner to unblock the queue of messages if somethi...

Anyone can call replenishReserves(...) (token version) to repay borrowed reserves with reserves

Lines of code Vulnerability details Impact The replenishReservestoken, ... can be called by anyone. Proof of Concept The NATSPEC comment in the IBranchPort states the replenishReservestoken, ... can only be called by the port strategy itself as shown below / @notice allow approved address to repa...

Liquidity providers may recieve wrong rewards due to loss of precision in the calculation of currWeek and nextWeek.

Lines of code Vulnerability details Throughout LiquidityMining.sol the values for currWeek and nextWeek are generated using the lastAccrued timestamp embedded in a local variable time. currWeek is determined by uint32 currWeek = uint32time / WEEK WEEK; And nextWeek is calculated by uint32 nextWee...

CoreRootRouter._setLocalToken FUNCTION COULD OVERWRITE THE EXISTING VALUES OF THE getLocalTokenFromGlobal MAPPING VALUES DUE TO LACK OF CONDITIONAL CHECKS

Lines of code Vulnerability details Impact The CoreRootRouter.setLocalToken function is used to set the local token on a specific chain for a global token. The function initially checks whether the local token is is already added as shown below: if IPortrootPortAddress.isLocalTokenlocalAddress,...

Missing Access Control on setConcRewards and setAmbRewards

Lines of code Vulnerability details Impact The function setConcRewards and setAmbRewards are accessible by any user to set the rewardsConcentrated and Ambient rewards. Proof of Concept The access validations are commented out. function setConcRewardsbytes32 poolIdx, uint32 weekFrom, uint32 weekTo...

Lack of Access Control in public function VirtualAccount.payableCall

Lines of code Vulnerability details Description The VirtualAccount contract allows users to manage assets and perform interactions remotely while maintaining an encapsulated user balance. The contract includes a payableCall function that aggregates and executes a batch of calls to external...

Using .call for external calls leaves the contract vulnerable to reentrancy.

Lines of code Vulnerability details Impact claimConcentratedRewards and claimAmbientRewards call external contracts via call. This could leave the contract vulnerable to reentrancy attacks if the recipient contract calls back into the contract before updating state. Proof of Concept The calls to...

LACK OF INPUT VALIDATION ON THE _recipient ADDRESS IN THE RootBridgeAgent.retrySettlement FUNCTION CAN LEAD TO LOSS OF FUNDS TO THE USER

Lines of code Vulnerability details Impact The RootBridgeAgent.retrySettlement function is used to retry the settlement of tokens by the settlement owner. The retrySettlement function is an external payable function which does not have access control, hence can be called by any settlement owner b...

Event not emitted after sensitive action of setting new concentrated and ambient rewards.

Lines of code Vulnerability details Impact The 'setConcRewards' and 'setAmbRewards' doesn't emit event to to signify to all parties involved the new concentrated and ambient results. Proof of Concept A user not aware of new reward price might suppose he/she have been swindled upon realizing that...

DoS in System Component lead to System Failure

Lines of code Vulnerability details Impact Proof Of Concept Tools Used Recommended Mitigation Steps Assessed type DoS --- The text was updated successfully, but these errors were encountered: All reactions...

[M-14] Reentrancy in the RootBridgeAgent contract

Lines of code Vulnerability details Impact In a Re-entrancy attack, a malicious contract calls back into the calling contract before the first invocation of the function is finished. This may cause the different invocations of the function to interact in undesirable ways, especially in cases wher...

A malicious user can spam ghost deposits to DoS the LayerZeroEndpoint messaging layer

Lines of code Vulnerability details Impact There can be many deposits that will strain the messaging layer, especially in chains that do not cost much to send a transaction. Proof of Concept The entry point of the bridge is callOutSignedAndBridge in BranchBridgeAgent.sol. This function will pack...

Race condition on timeWeightedWeeklyGlobalConcLiquidityLastSet_ can lead to incorrect rewards.

Lines of code Vulnerability details Impact timeWeightedWeeklyGlobalConcLiquidityLastSet is read and written in multiple functions. If two transactions call at similar times, the state updates could overwrite each other. The timeWeightedWeeklyGlobalConcLiquidityLastSet state variable is used in...

Use of flashloan to inflate timeWeightedWeeklyGlobalAmbLiquidity_[poolIdx][currWeek] and timeWeightedWeeklyPositionAmbLiquidity_[poolIdx][posKey][currWeek]

Lines of code Vulnerability details Impact It is possible for a bad player to use flashloan to manipulate the system by making "valuable" LP to get lower reward than expected, while they get a minimal reward for a liquidity provided that offers no "value" to Ambient DEX. This attack will thrive...

Manipulation of Overall Liquidity Calculation

Lines of code Vulnerability details Impact in this part in code : is handle the claiming of rewards for liquidity mining. It calculates rewards based on the liquidity provided by a user, their position, and certain parameters like ambRewardPerWeek and overallTimeWeightedLiquidity, the problem is ...

Access control vulnerability due to dismissive git & test politics

Lines of code Vulnerability details Impact High risk access control vulnerability due to overutilizing rewards logic Proof of Concept Commenting out accessibility checks may lead to overutilizing existing rewards logic Tools Used Manual review Recommended Mitigation Steps git diff test coverage...

The while loop used in all the accrueXXXPositionTimeWeightedLiquidity function could make a call reach the block gas limit

Lines of code Vulnerability details Proof of Concept If a user neither modifies his position nor claims rewards for a very long time, it might become impossible for him to do any action involving the internal functions accrueAmbientPositionTimeWeightedLiquidity or...

The Liquidity mining callpath sidecar owner can pull native tokens from the Dex

Lines of code Vulnerability details Impact The owner of liquidity mining sidecar can pull the native coins that are stored in the CrocSwapDex to reward the users. Proof of Concept The setConcRewards and setAmbRewards functions doesn't check if the quoted amount of rewards are actually sent by the...

Unexpected behavior when settings rewards for existing pools or past/ongoing periods

Lines of code Vulnerability details Summary There are different missing considerations in the liquidity mining process that may lead to unexpected behavior due to failed assumptions. Impact The liquidity mining feature is mainly implemented by tracking liquidity at a global level the aggregation ...

code written in MulticallRootRouter.sol is wrong .

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used Recommended Mitigation Steps 0x01 |...

Lack of validation allows invalid ticks, impacting data integrity.

Lines of code Vulnerability details Impact Function crossTicks updates the tick tracking data when ticks are crossed, but does not validate that exitTick and entryTick are valid and make sense. For example, exitTick could be lower than entryTick. Proof of Concept Here is the relevant code in the...

Unvalidated ticks in claimConcentratedRewards allow unauthorized users to claim undeserved rewards. Validate ticks.

Lines of code Vulnerability details Impact There is no check that the ticks passed into claimConcentratedRewards actually match the position's ticks. A user could pass in arbitrary ticks to try to claim rewards for liquidity they don't own. Proof of Concept The claimConcentratedRewards function...

Time-weighted liquidity accounting assumes consecutive activity; double counting possible, needs validation.

Lines of code Vulnerability details Impact Time-weighted liquidity accounting in accrueConcentratedPositionTimeWeightedLiquidity and similar functions assumes ticks were active consecutively between entry/exit timestamps. However, a tick could exit and re-enter in the same week, leading to double...

deleted

Lines of code Vulnerability details deleted Assessed type Other --- The text was updated successfully, but these errors were encountered: All reactions...

Lack of proper access restrictions on functions setConcRewards() and setAmbRewards()

Lines of code Vulnerability details Impact Contract Reward distribution can be drained / manipulated Proof of Concept For setConcRewards and setAmbRewards, they are both lack of proper access restrictions, leads to the situation that anyone can execute these functions. This oversight presents a...