Hash Collisions and Front-Running Risk
Lines of code Vulnerability details Salt Value in Proxy Deployment: The contract uses a salt value of 0 during the deployment of proxy delegator contracts. This introduces a significant security concern related to potential hash collisions. If multiple delegators attempt to deploy to the same...
Approval Verification
Lines of code Vulnerability details Impact There is a great need for approval check before commencement of token transfer and clearing of excess approvals after token transfer has been done, to prevent potential third-party exploitation that could drain funds from unsuspecting users via the...
Limit accrueConcentratedPositionTimeWeightedLiquidity calls to prevent reward manipulation.
Lines of code Vulnerability details Impact It may be possible for a user to artificially increase their tracked liquidity right before claiming by rapidly entering/exiting positions. This could allow them to claim a larger % of rewards than they deserve. Proof of Concept The main risk of...
payableCall in VirtualAccount isn’t protected by requiresApprovedCaller modifier
Lines of code Vulnerability details Impact Due to the lack of access control in payableCall function in VirtualAccount contract, anyone can call payableCall on a user virtual account. An attacker can use this vulnerability to steal the user's funds after a failed settlement by the user. Proof of...
Potential denial of service due to out of bound gas usage
Lines of code Vulnerability details Summary The implementation of accrueConcentratedPositionTimeWeightedLiquidity incurs complex and unbounded computations that could lead to significant gas costs and a potential denial of service. Impact The liquidity mining program in the Ambient DEX will...
LiquidityMining.sol cannot be funded for rewards distribution.
Lines of code Vulnerability details During a rewards claim LiquidityMining.sol uses a low-level call with the msg.value as the rewardsToSend to the liquidity providers, but the contract lacks a receive or fallback function for funds to be deposited in it, leaving the contract empty and unable to sen...
Mismatch of decimals for some underlying tokens across chains could cause a huge loss of funds
Lines of code Vulnerability details Impact The issue is, some ERC20 underlying tokens could have different decimals on other chains. For example, USDC in BNB chain has 18 decimals where it has 6 decimals in other chains such as Ethereum, Polygon ...etc. The root chain doesn't account for decimals...
users will receive lesser rewards than they are supposed to.
Lines of code Vulnerability details Impact Due to risky math being used in the contract LiquidityMining.sol, the user could lose their rewards. Proof of Concept The calculation for user rewards in the LiquidityMining.sol Contract in multiple instances divides the rewards earned by the user with a...
RootBridgeAgent.retrieveSettlement doesn't check if settlement is in FAILED state
Lines of code Vulnerability details Impact The RootBridgeAgent.retrieveSettlement function is supposed to be used to retrieve a failed settlement to be able to redeem it but because the function doesn't actually check that the input settlement is in fact in FAILED state, the function can be used ...
Functions can be called directly externally
Lines of code Vulnerability details Impact @dev This exists as a standalone contract but will only ever contain proxy code, not state. As such it should never be called directly or externally, and should only be invoked with DELEGATECALL so that it operates on the contract state within the primar...
Validate poolIdx input to prevent storage corruption in critical functions.
Lines of code Vulnerability details Impact No validation on poolIdx input for key functions like claimConcentratedRewards. Could pass invalid poolId and corrupt storage. Proof of Concept The claimConcentratedRewards function. It takes in a poolIdx as one of the parameters: function...
USAGE OF abi.encodePacked TO ENCODE DATA COULD LEAD TO payload DATA COLLISION IN THE RootBridgeAgent._createSettlementMultiple FUNCTION
Lines of code Vulnerability details Impact The RootBridgeAgent.callOutAndBridgeMultiple function is used to settle multiple assets and perform a remote call to a branch chain. callOutAndBridgeMultiple function calls the RootBridgeAgent.createSettlementMultiple internal function to compute the...
BranchBridgeAgent.retrieveDeposit doesn't check if the deposit is in FAILED state
Lines of code Vulnerability details Impact The BranchBridgeAgent.retrieveDeposit function is supposed to be called for retrieving a failed deposit in order to get funds back to branch chain, but the function doesn't check that the deposit being used is really in FAILED state, so a malicious user...
Unprotected payableCall() exposes user funds to malicious actors
Lines of code Vulnerability details Impact The function payableCall is used to make calls on to other contracts from the virtualAccount which is linked to a userAddress. This function utilizes the PayableCall struct shown below. struct PayableCall { address target; bytes callData; uint256 value; } It...
add sendBack function to origin when lzReceiveNonBlocking is not executed
Lines of code Vulnerability details Impact lzReceiveNonBlocking won't revert to the ILayerZeroEndpoint.send could lead to that execution on side of send is executed and execution on side of receive is not executed. Proof of Concept Tools Used manual view Recommended Mitigation Steps if calls are...
Unexpected behavior when settings rewards for existing pools or past/ongoing periods
Lines of code Vulnerability details Summary There are different missing considerations in the liquidity mining process that may lead to unexpected behavior due to failed assumptions. Impact The liquidity mining feature is mainly implemented by tracking liquidity at a global level the aggregation ...
accrueConcentratedPositionTimeWeightedLiquidity() can easily DOS due to the for loop in it
Lines of code Vulnerability details Impact accrueConcentratedPositionTimeWeightedLiquidity will iterate every single tick of a user's position. Since that total tick number can be large, this function can encounter an out-of-gas issue and users may not be able to claim the rewards properly. Proof ...
accrueConcentratedPositionTimeWeightedLiquidity may revert under special situations
Lines of code Vulnerability details Impact LiquidityMining.accrueConcentratedPositionTimeWeightedLiquidity may unintentionally revert and make transactions not succeed. Proof of Concept The LiquidityMining.accrueConcentratedPositionTimeWeightedLiquidity function calculates the concentrated...
The Liquidity mining callpath sidecar owner can pull native tokens from the Dex
Lines of code Vulnerability details Impact The owner of liquidity mining sidecar can pull the native coins that are stored in the CrocSwapDex to reward the users. Proof of Concept The setConcRewards and setAmbRewards functions don't check if the quoted amount of rewards are actually sent by the...
Using .call for external calls leaves the contract vulnerable to reentrancy.
Lines of code Vulnerability details Impact claimConcentratedRewards and claimAmbientRewards call external contracts via call. This could leave the contract vulnerable to reentrancy attacks if the recipient contract calls back into the contract before updating state. Proof of Concept The calls to...
A malicious user can spam ghost deposits to DoS the LayerZeroEndpoint messaging layer
Lines of code Vulnerability details Impact There can be many deposits that will strain the messaging layer, especially in chains that do not cost much to send a transaction. Proof of Concept The entry point of the bridge is callOutSignedAndBridge in BranchBridgeAgent.sol. This function will pack...
Access control check in the setAmbRewards and setAmbRewards functions is missing
Lines of code Vulnerability details Impact Any user can call the setAmbRewards and setAmbRewards functions and set their values for weeklyReward, which opens up many attack vectors. For example, it is possible to set a large reward and withdraw all funds from the protocol. Proof of Concept functi...
Race condition on timeWeightedWeeklyGlobalConcLiquidityLastSet_ can lead to incorrect rewards.
Lines of code Vulnerability details Impact timeWeightedWeeklyGlobalConcLiquidityLastSet is read and written in multiple functions. If two transactions call at similar times, the state updates could overwrite each other. The timeWeightedWeeklyGlobalConcLiquidityLastSet state variable is used in...
[M-16] Reentrancy in the BaseBranchRouter contract
Lines of code Vulnerability details Impact In a Re-entrancy attack, a malicious contract calls back into the calling contract before the first invocation of the function is finished. This may cause the different invocations of the function to interact in undesirable ways, especially in cases wher...
LiquidityMining.initTickTracking() called by MarketSequencer.initCurve() Check if the liquidity curve for the pool is already initialized.
Lines of code Vulnerability details MarketSequencer.initCurve can call LiquidityMining.initTickTracking any number of times, because there is no restriction for reinitialization. As stated in the comment section, putting the caller in charge of not reinitializing can lead to an unintentional...
Existing pools will be bricked due to uninitialized state
Lines of code Vulnerability details Existing pools will be bricked due to uninitialized Summary Pools already present in the exchange will be bricked when crossTicks is called with an uninitialized tickTracking storage, which will trigger an array out of bounds error. Impact New pools in the...
All tokens can be stolen from VirtualAccount due to missing access modifier
Lines of code Vulnerability details Impact All non-native assets ERC20 tokens, NFTs, etc. can be stolen by anyone from a VirtualAccount using its payableCall... method, which lacks the necessary access control modifier requiresApprovedCaller. See also, the call... method which utilizes the...
Anyone can call replenishReserves(...) (token version) to repay borrowed reserves with reserves
Lines of code Vulnerability details Impact The replenishReservestoken, ... can be called by anyone. Proof of Concept The NATSPEC comment in the IBranchPort states the replenishReservestoken, ... can only be called by the port strategy itself as shown below / @notice allow approved address to repa...
User can selectively turn on the fallback flag to take all ETH on the agent contract as layerzero fee refund
Lines of code Vulnerability details Impact performFallbackCall can revert silently when refundee is not capable of taking ETH refund from layerzero side Proof of Concept In RootBridgeAgent.sol when the has fall back toggle flag is on, the smart contract aims to perform a fallback call to notify th...
VirtualAccount.sol:payableCall() lack requiresApprovedCaller modifier
Lines of code Vulnerability details Impact Anyone can use a user's virtual account payableCall and calls functions like retrySettlement/redeemSettlement/retrieveSettlement that require the caller to be the virtual account, which can lead to economic loss to users. Proof of Concept In...
VirtualAccount::payableCall is missing access control
Lines of code Vulnerability details Impact The lack of access control in VirtualAccount::payableCall function allows anyone to execute arbitrary calls with any contract from a user's VirtualAccount. This enables malicious actors to steal user's funds easily, ultimately resulting in a...
users funds will be stuck in the BaseBranchRouter when making deposit
Lines of code Vulnerability details Impact Users are debited twice the intended amount of every underlying token deposit made at the branch port while locking deposits into the branch port. The first deposit is transferred into the BaseBranchRouter and the second into the BranchPort. The funds...
VirtualAccount as a wallet can be called by anyone
Lines of code Vulnerability details A VirtualAccount represents a user wallet that allows the user to manage assets and perform remote interactions. But because payableCall method lacks any form of authentication it can be called by anyone. The call can be also executed directly to the desired...
Lack of Access Control in public function VirtualAccount.payableCall
Lines of code Vulnerability details Description The VirtualAccount contract allows users to manage assets and perform interactions remotely while maintaining an encapsulated user balance. The contract includes a payableCall function that aggregates and executes a batch of calls to external...
code written in MulticallRootRouter.sol is wrong.
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used Recommended Mitigation Steps 0x01 |...
[M-17] Reentrancy in the BranchBridgeAgent contract
Lines of code Vulnerability details Impact In a Re-entrancy attack, a malicious contract calls back into the calling contract before the first invocation of the function is finished. This may cause the different invocations of the function to interact in undesirable ways, especially in cases wher...
USDT tokens should approve to zero first otherwise it may cause other tokens to get stuck in the case of aprooveMultipleTokens
Lines of code Vulnerability details Impact Unsafe ERC20 approve that does not handle non-standard ERC20 behavior. Some token contracts do not return any value. Some token contracts revert the transaction when the allowance is not zero. Proof of Concept When receiving tokens to the destination chain...
The governance will fail to add an ecosystem token if someone creates a hToken that uses that ecosystem token
Lines of code Vulnerability details Ecosystem tokens are tokens that don't have an underlying token address in any branch and only the global representation exists. The governance adds them by calling addEcosystemToken where the ecoTokenGlobalAddress will be the Maia or Hermes token as the sponsor...
Gas that was sent by LayerZero can get stuck in the contract in some cases
Lines of code Vulnerability details If a tx on the destination chain calls back the chain from where the transaction was initiated by the user, the first transaction on the source chain needs to "airdrop" gas to the destination chain so it is able to call back the source chain. The problem is tha...
[M-14] Reentrancy in the RootBridgeAgent contract
Lines of code Vulnerability details Impact In a Re-entrancy attack, a malicious contract calls back into the calling contract before the first invocation of the function is finished. This may cause the different invocations of the function to interact in undesirable ways, especially in cases wher...
Tokens locking due to empty parameters to execute on the root chain router
Lines of code Vulnerability details Vulnerability details Impact User's tokens will be locked at the router contract if the params encoded parameters of functions callOutAndBridge and callOutAndBridgeMultiple are empty. The executionStatesrcChainIddepositNonce storage variable will have value...
if lzReceiveNonBlocking failed to execute, they don't send back accumulated msg.value. malicious user drain that
Lines of code Vulnerability details Impact PerformFallBack is gonna fail and msg.value will be accumulated in that BranchBridgeAgent and malicious user can take over them Proof of Concept User deposited and when it's not executed, user want to retrieve and callRetrieveSettlement, send message to...
LACK OF INPUT VALIDATION ON THE _recipient ADDRESS IN THE RootBridgeAgent.retrySettlement FUNCTION CAN LEAD TO LOSS OF FUNDS TO THE USER
Lines of code Vulnerability details Impact The RootBridgeAgent.retrySettlement function is used to retry the settlement of tokens by the settlement owner. The retrySettlement function is an external payable function which does not have access control, hence can be called by any settlement owner b...
FallBack Function might revert
Lines of code Vulnerability details The performFallbackCall function appears to be designed to send a message to the RootBridgeAgent using the lzReceive function. It includes the settlement nonce encoded as part of the message. Overall, the function seems fine for its intended purpose, but there...
An attacker can exploit the accruing liquidity functionality to accrue liquidity for more weeks than intended.
Lines of code Vulnerability details Instances The whole exploit works due to similar functionality being broken at these 4 instances: here, here, here and here. Impact An attacker can accrue both Position time weighted liquidity and Global time weighte...
Slippage attack on claiming rewards
Lines of code Vulnerability details Impact Exploiter can abuse slippage to claim more weekly reward. The amount of slippage damage is unclear due to lack of deployment context and testing. Worst case scenario is the exploiter owns 100% deposit of single pool allowing extreme slippage to steal enti...
require statement commented poses attack by malicious contract
Lines of code Vulnerability details Impact The 'require' statement commented poses attack by malicious contract. The LiquidityMiningPath.sol contract has the Governance requirement of the ‘require’ statement commented. If the intention was to make use of the ‘require’ statement, uncomment it so ...
ClaimConcentratedRewards and claimAmbientRewards don't update liquidity, enabling double rewards claims. Update liquidity after claims.
Lines of code Vulnerability details Impact The claimConcentratedRewards and claimAmbientRewards functions do not update the liquidity amount after withdrawing rewards. This could allow a user to withdraw rewards multiple times for the same liquidity. Proof of Concept The liquidity amount is not...
Lack of tick range validation allows initialization of invalid ticks.
Lines of code Vulnerability details Impact Function initTickTracking initializes the tick tracking data structure, but does not validate that tick is within the min/max tick range for the pool. This could allow initializing invalid tick values. Proof of Concept Here is the line in initTickTrackin...
Lack of validation allows invalid ticks, impacting data integrity.
Lines of code Vulnerability details Impact Function crossTicks updates the tick tracking data when ticks are crossed, but does not validate that exitTick and entryTick are valid and make sense. For example, exitTick could be lower than entryTick. Proof of Concept Here is the relevant code in the...