
10190 matches found

Code423n4 | added 2023/10/06 12:0 a.m. | 13 views

Lack of validation in accrued index allows excess rewards claim.

Lines of code Vulnerability details Impact Mapping tickTrackingIndexAccruedUpTo tracks the index up to which rewards have been accrued for a position. However, there is no validation that this index is incremented properly and stays in sync with tickTracking. An attacker could manipulate the...

AI score: 6.7 | Exploits: 0

Code423n4 | added 2023/10/06 12:0 a.m. | 6 views

No poolIdx validation; arbitrary values can corrupt storage, require validation.

Lines of code Vulnerability details Impact No validation on poolIdx input for key functions like claimConcentratedRewards. Could pass invalid poolId and corrupt storage. The claimConcentratedRewards function is defined on LiquidityMining.sol. It takes in a poolIdx as one of the parameters functio...

AI score: 7.2 | Exploits: 0

Code423n4 | added 2023/10/06 12:0 a.m. | 15 views

Unbounded tick arrays; add max length check to prevent gas issues.

Lines of code Vulnerability details Impact Tick arrays like tickTracking can grow unbounded. Could hit gas limit. As ticks are crossed, new TickTracking elements are pushed: function crossTicks bytes32 poolIdx, int24 exitTick, int24 entryTick internal tickTrackingpoolIdxexitTick.push...

AI score: 6.8 | Exploits: 0

Code423n4 | added 2023/10/06 12:0 a.m. | 6 views

deleted

Lines of code Vulnerability details deleted Assessed type Other --- The text was updated successfully, but these errors were encountered: All reactions...

AI score: 7.1 | Exploits: 0

Code423n4 | added 2023/10/06 12:0 a.m. | 6 views

Missing Access Control on setConcRewards and setAmbRewards

Lines of code Vulnerability details Impact The function setConcRewards and setAmbRewards are accessible by any user to set the rewardsConcentrated and Ambient rewards. Proof of Concept The access validations are commented out. function setConcRewardsbytes32 poolIdx, uint32 weekFrom, uint32 weekTo...

AI score: 7 | Exploits: 0

Code423n4 | added 2023/10/06 12:0 a.m. | 7 views

No access control on protocolCmd and userCmd; potential for abuse.

Lines of code Vulnerability details Impact There is no access control on the protocolCmd and userCmd functions in LiquidityMiningPath. This means anyone can call them. There should be some checks to restrict access. The protocolCmd and userCmd functions are defined on LiquidityMiningPath.sol: /...

AI score: 7.4 | Exploits: 0

Code423n4 | added 2023/10/06 12:0 a.m. | 5 views

The protocolCmd is permissionless but does not check if the user provides native tokens

Lines of code Vulnerability details Proof of Concept Anyone can call protocolCmd which calls setConcRewards and setAmbRewards to set rewards. LiquidityMiningPath.solL26-L37 function protocolCmdbytes calldata cmd public virtual uint8 code, bytes32 poolHash, uint32 weekFrom, uint32 weekTo, uint64...

AI score: 6.9 | Exploits: 0

Code423n4 | added 2023/10/06 12:0 a.m. | 10 views

If dt is not updated accurately then timeWeightedWeeklyPositionInRangeConcLiquidity_ might be updated incorrectly.

Lines of code Vulnerability details Impact In the function accrueConcentratedPositionTimeWeightedLiquidity, inside the while block, dt is initialised as: uint32 dt = uint32 nextWeek If tickTracking.exitTimestamp != 0 then the following else block is executed on line 117: else // Tick is no longer...

AI score: 6.8 | Exploits: 0

Code423n4 | added 2023/10/06 12:0 a.m. | 7 views

Unvalidated ticks in claimConcentratedRewards allow unauthorized users to claim undeserved rewards. Validate ticks.

Lines of code Vulnerability details Impact There is no check that the ticks passed into claimConcentratedRewards actually match the position's ticks. A user could pass in arbitrary ticks to try to claim rewards for liquidity they don't own. Proof of Concept The claimConcentratedRewards function...

AI score: 6.8 | Exploits: 0

Code423n4 | added 2023/10/06 12:0 a.m. | 6 views

Lack of access control in claimConcentratedRewards and claimAmbientRewards functions allows unauthorized fund drainage. Implement access restrictions.

Lines of code Vulnerability details Impact Any caller can call claimConcentratedRewards or claimAmbientRewards and drain funds. The contract should restrict calling these functions to authorized roles. Proof of Concept The lack of access control on claimConcentratedRewards and claimAmbientRewards...

AI score: 6.9 | Exploits: 0

Code423n4 | added 2023/10/06 12:0 a.m. | 5 views

Global and Position liquidity accrual can significantly impact the performance

Lines of code Vulnerability details Impact Global and Position liquidity accrual can significantly impact the performance Proof of Concept The calculation of currWeek and nextWeek as shown in the provided code snippet aims to determine two time points within a week, primarily for the purpose of...

AI score: 7.2 | Exploits: 0

Code423n4 | added 2023/10/06 12:0 a.m. | 10 views

Rounding error leading to no reward being sent

Lines of code Vulnerability details Impact Rounding errors could occur if the provided amount is too small, Proof of Concept rewardsToSend += inRangeLiquidityOfPosition concRewardPerWeekpoolIdxweek / overallInRangeLiquidity; uint256 rewardsForWeek = timeWeightedWeeklyPositionAmbLiquidity poolIdx...

AI score: 7 | Exploits: 0

Code423n4 | added 2023/10/06 12:0 a.m. | 12 views

Event not emitted after sensitive action of setting new concentrated and ambient rewards.

Lines of code Vulnerability details Impact The 'setConcRewards' and 'setAmbRewards' don't emit an event to signify to all parties involved the new concentrated and ambient results. Proof of Concept A user not aware of new reward price might suppose he/she has been swindled upon realizing that...

AI score: 7.2 | Exploits: 0

Code423n4 | added 2023/10/06 12:0 a.m. | 10 views

Time-weighted liquidity accounting assumes consecutive activity; double counting possible, needs validation.

Lines of code Vulnerability details Impact Time-weighted liquidity accounting in accrueConcentratedPositionTimeWeightedLiquidity and similar functions assumes ticks were active consecutively between entry/exit timestamps. However, a tick could exit and re-enter in the same week, leading to double...

AI score: 6.9 | Exploits: 0

Code423n4 | added 2023/10/06 12:0 a.m. | 6 views

Front-Running Vulnerability: Exploiting Reward Updates for Maximized Payouts

Lines of code Vulnerability details Impact Malicious users claim rewards at a higher rate than what was intended by front-running governance actions meant to reduce rewards. This allows them to claim rewards at a higher rate than what was intended, undermining the protocol's intended economic...

AI score: 6.9 | Exploits: 0

Code423n4 | added 2023/10/06 12:0 a.m. | 9 views

Virtual account lacks access control

Lines of code Vulnerability details Impact The Virtual Account lacks access control on a function that allows arbitrary calls. This enables anyone to take any assets contained within the account. Proof of Concept The Virtual account has the requiresApprovedCaller modifier to prevent use from...

AI score: 7.1 | Exploits: 0

Code423n4 | added 2023/10/06 12:0 a.m. | 7 views

Use of flashloan to inflate timeWeightedWeeklyGlobalAmbLiquidity_[poolIdx][currWeek] and timeWeightedWeeklyPositionAmbLiquidity_[poolIdx][posKey][currWeek]

Lines of code Vulnerability details Impact It is possible for a bad player to use flashloan to manipulate the system by making "valuable" LP to get lower reward than expected, while they get a minimal reward for a liquidity provided that offers no "value" to Ambient DEX. This attack will thrive...

AI score: 6.9 | Exploits: 0

Code423n4 | added 2023/10/06 12:0 a.m. | 11 views

Incorrect functionID will not trigger fallback

Lines of code Vulnerability details Impact When encoding a payload for settlement of multiple tokens, the fallback flag is not set when it should be. This will cause no fallback to be triggered even though the user has paid enough to cover the additional costs that are required. Proof of Concept ...

AI score: 7 | Exploits: 0

Code423n4 | added 2023/10/06 12:0 a.m. | 69 views

LayerZero endpoint can get blocked by a malicious user (or even a honest one)

Lines of code Vulnerability details Description Contract Endpoint, from LayerZero is the one responsible of sending/receiving messages to/from other chains. Specifically it has function receivePayload, which is called by contract UltraLightNodeV2 the current default library of the protocol after...

AI score: 7.5 | Exploits: 0

Code423n4 | added 2023/10/06 12:0 a.m. | 5 views

[M-15] Reentrancy in the BranchPort contract

Lines of code Vulnerability details Impact In a Re-entrancy attack, a malicious contract calls back into the calling contract before the first invocation of the function is finished. This may cause the different invocations of the function to interact in undesirable ways, especially in cases wher...

AI score: 6.9 | Exploits: 0

Code423n4 | added 2023/10/06 12:0 a.m. | 6 views

LiquidityMining.claimConcentratedRewards() does not properly account user liquidity across ticks

Lines of code Vulnerability details Let’s say a user creates two separate positions, one is tick-15, tick and the second is tick, tick+15. The user is covering the entirety of the tick range to receive rewards but does not receive any. We see that posKey is defined like this: bytes32 posKey =...

AI score: 7 | Exploits: 0

Code423n4 | added 2023/10/06 12:0 a.m. | 8 views

CrossTicks is not called when Users claimConcentratedRewards.

Lines of code Vulnerability details Vulnerability Details The crossTicks function is called to keep track and update the ticks whenever a tick is crossed, as specified by the Natspec /// @notice Keeps track of the tick crossings /// @dev Needs to be called whenever a tick is crossed function...

AI score: 7 | Exploits: 0

Code423n4 | added 2023/10/06 12:0 a.m. | 5 views

Liquidity providers may receive wrong rewards due to loss of precision in the calculation of currWeek and nextWeek.

Lines of code Vulnerability details Throughout LiquidityMining.sol the values for currWeek and nextWeek are generated using the lastAccrued timestamp embedded in a local variable time. currWeek is determined by uint32 currWeek = uint32time / WEEK WEEK; And nextWeek is calculated by uint32 nextWee...

AI score: 6.8 | Exploits: 0

Code423n4 | added 2023/10/06 12:0 a.m. | 1 view

Anyone can create multiple RootBridgeAgent

Lines of code Vulnerability details Impact createBridgeAgent is used to create a new Root Bridge Agent. This new RootBridgeAgent is added to the array on the rootPort. This can be used to randomly spam the array with thousand of array addresses whereby the ones deployed by the protocol are harder...

AI score: 7 | Exploits: 0

Code423n4 | added 2023/10/06 12:0 a.m. | 7 views

Lack of proper access restrictions on functions setConcRewards() and setAmbRewards()

Lines of code Vulnerability details Impact Contract Reward distribution can be drained / manipulated Proof of Concept For setConcRewards and setAmbRewards, they are both lack of proper access restrictions, leads to the situation that anyone can execute these functions. This oversight presents a...

AI score: 7.3 | Exploits: 0

Code423n4 | added 2023/10/06 12:0 a.m. | 7 views

Smart Contract calling callOutSignedAndBridge via BranchBridgeAgent can cause loss of fund

Lines of code Vulnerability details Impact Smart Contract calling callOutSignedAndBridge via BranchBridgeAgent can cause loss of fund Proof of Concept One of the cross-chain request pass is that when user calling callOutSignedAndBridge via BranchBridgeAgent the payload is created //Encode Data for...

AI score: 7.5 | Exploits: 0

Code423n4 | added 2023/10/06 12:0 a.m. | 6 views

Reentrancy is possible in claim functions, which call out via .call().

Lines of code Vulnerability details Impact Reentrancy is possible in claim functions, which call out via .call. Proof of Concept The claimConcentratedRewards Function & claimAmbientRewards Function The claim functions that are vulnerable to reentrancy are: For...

AI score: 6.8 | Exploits: 0

Code423n4 | added 2023/10/06 12:0 a.m. | 3 views

VirtualAccount.sol CONTRACT DOES NOT CORRECTLY IMPLEMENT THE eip1155 STANDARD WHILE INHERITING THE ERC1155Receiver

Lines of code Vulnerability details Impact The VirtualAccount.sol contract inherits the ERC1155Receiver contract to receive the ERC1155 tokens. Both onERC1155Received and onERC1155BatchReceived functions are declared in the VirtualAccount contract as per the eip1155 standard. The respective ERC11...

AI score: 7 | Exploits: 0

Code423n4 | added 2023/10/06 12:0 a.m. | 6 views

Logic Error

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used Manual Recommended Mitigation Steps...

AI score: 7.2 | Exploits: 0

Code423n4 | added 2023/10/06 12:0 a.m. | 9 views

Incorrect srcAddress check renders all layerzero messages unusable

Lines of code Vulnerability details Impact The source address of LayerZero messages is validated on a wrong part of the calldata, which will cause all cross-chain-messages to fail on a live deployment. Proof of Concept The receivers of cross-chain-messages BranchBridgeAgent and RootBridgeAgent bo...

AI score: 7 | Exploits: 0

Code423n4 | added 2023/10/06 12:0 a.m. | 4 views

Manipulation of Overall Liquidity Calculation

Lines of code Vulnerability details Impact in this part in code : is handle the claiming of rewards for liquidity mining. It calculates rewards based on the liquidity provided by a user, their position, and certain parameters like ambRewardPerWeek and overallTimeWeightedLiquidity, the problem is ...

AI score: 7.1 | Exploits: 0

Code423n4 | added 2023/10/06 12:0 a.m. | 6 views

Protect against griefing by allowing only owner to manipulate global liquidity.

Lines of code Vulnerability details Impact There don't seem to be protections against a malicious actor griefing others by manipulating the global liquidity accounting. This could potentially block honest users from claiming their earned rewards. Proof of Concept The main risk of griefing by...

AI score: 6.8 | Exploits: 0

Code423n4 | added 2023/10/06 12:0 a.m. | 6 views

Many issues around addGlobalToken due to lack of input validation when linking a global token to local token

Lines of code Vulnerability details Impact addGlobalToken is used to add a global token to a branch. The flow as follows: 1 = CoreBranchRouter.addGlobalToken 2 = Send Cross-Chain request System Response/Request with FuncId 0x01 Notice that is uses normal callOut though. Anyway, let's continue...

AI score: 7 | Exploits: 0

Code423n4 | added 2023/10/06 12:0 a.m. | 7 views

DoS in System Component lead to System Failure

Lines of code Vulnerability details Impact Proof Of Concept Tools Used Recommended Mitigation Steps Assessed type DoS --- The text was updated successfully, but these errors were encountered: All reactions...

AI score: 7.1 | Exploits: 0

Code423n4 | added 2023/10/06 12:0 a.m. | 11 views

A Malicious user can create a rootBridgeAgent with a malicious endpoint and execute calls directly with the rootBridgeAgent.

Lines of code Vulnerability details Impact A Malicious user can create a rootBridgeAgent with a malicious endpoint and execute calls directly with the rootBridgeAgent. Since anyone can create a rootBridgeAgent with desired values for port, endpoint and router address in anychain. The Attacker can...

AI score: 7.1 | Exploits: 0

Code423n4 | added 2023/10/06 12:0 a.m. | 6 views

The while loop used in all the accrueXXXPositionTimeWeightedLiquidity function could make a call reach the block gas limit

Lines of code Vulnerability details Proof of Concept If a user neither modifies his position nor claims rewards for a very long time, it might become impossible for him to do any action involving the internal functions accrueAmbientPositionTimeWeightedLiquidity or...

AI score: 6.8 | Exploits: 0

Code423n4 | added 2023/10/06 12:0 a.m. | 6 views

Cross-Chain Token Cap Disparity

Lines of code Vulnerability details Impact Potential loss of token value when minted values exceed the uint capacity of target chains, leading to incorrect token representation and financial discrepancies. Proof of Concept This function mints tokens or at least a representation of other chain...

AI score: 7.1 | Exploits: 0

Code423n4 | added 2023/10/06 12:0 a.m. | 10 views

if the Virtual Account's owner is a Contract Account (multisig wallet), attackers can gain control of the Virtual Accounts by gaining control of the same owner's address in a different chain

Lines of code Vulnerability details Impact Attackers can gain control of User's Virtual Accounts and steal all the assets these accounts hold in the Root environment Proof of Concept When sending signed messages from a Branch to Root, the RootBridgeAgent contract calls the...

AI score: 7.2 | Exploits: 0

Code423n4 | added 2023/10/06 12:0 a.m. | 28 views

THE RETURN BOOLEAN VALUE OF THE excessivelySafeCall FUNCTION IS NOT CHECKED IN THE BranchBridgeAgent.lzReceive FUNCTION

Lines of code Vulnerability details Impact The BranchBridgeAgent.lzReceive function is used to send cross-chain messages using the layer zero messaging layer. The lzReceive function uses the excessivelySafeCall library on the same contract address addressthis to ensure the layer zero cross chain...

AI score: 7.4 | Exploits: 0

Code423n4 | added 2023/10/06 12:0 a.m. | 10 views

users can make multiple deposits through the same deposit nonce in branch bridge agent

Lines of code Vulnerability details Impact When a user retries the deposit there is a check that the deposit owner should be msg.sender but there is no check that the deposit failed so user can even retry successful deposits with the same nonce which can affect accounting badly Proof of Concept...

AI score: 7 | Exploits: 0

Code423n4 | added 2023/10/06 12:0 a.m. | 14 views

Airdropped Gas will remain in the Agent in case of failure

Lines of code Vulnerability details Impact The protocol uses LayerZeros Airdrop mechanism to send gas to BridgeAgents which they need to pay for subsequential cross-chain-messages. If the transaction on the receiver fails, this airdropped gas will remain in the BridgeAgent and can be used up by t...

AI score: 7.1 | Exploits: 0

Code423n4 | added 2023/10/06 12:0 a.m. | 11 views

Timestamp Manipulation

Lines of code Vulnerability details Impact there is a problem in that contract especially when updating tickTrackingIndex within the loop an attacker can manipulate the values of enterTimestamp and exitTimestamp to force tickActiveEnd to be significantly larger than tickActiveStart inflate the...

AI score: 6.8 | Exploits: 0

Code423n4 | added 2023/10/06 12:0 a.m. | 28 views

Lack of force resume support for LZ which is crucially important to have

Lines of code Vulnerability details Impact The User Application LZReceiver should implement the ILayerZeroUserApplicationConfig interface which includes the forceResumeReceive function. This is very important as in the worst case, it can allow the owner to unblock the queue of messages if somethi...

AI score: 7.1 | Exploits: 0

Code423n4 | added 2023/10/06 12:0 a.m. | 12 views

Rewards cannot be transferred when calling protocol command

Lines of code Vulnerability details Summary Rewards are set up using protocol commands, but it's entrypoint is not payable. Impact Rewards can be set up by protocol authorities using the functions setConcRewards and setAmbRewards present in the LiquidityMiningPath contracts. These two are part of...

AI score: 7.1 | Exploits: 0

Code423n4 | added 2023/10/06 12:0 a.m. | 12 views

Users may be unable to claim their rewards and add/remove liquidity due exceeding gas limit

Lines of code Vulnerability details Impact If a user provides liquidity on ticks which are entered and exited a large number of times, the gas required to call the accrueConcentratedPositionTimeWeightedLiquidity can exceed the block gas limit. Proof of Concept The...

AI score: 7.2 | Exploits: 0

Code423n4 | added 2023/10/06 12:0 a.m. | 9 views

CoreRootRouter.executeDepositSingle FUNCTION REVERTS FOR SINGLE ASSETS DEPOSITS THUS FAILING THE TRANSACTION

Lines of code Vulnerability details Impact The RootBridgeAgent.lzReceiveNonBlocking function calls the respective RootBridgeAgentExecutor functions based on the flag parsed via the payload0. The payload0 == 0x02 stands for the Call with Deposit remote call. The...

AI score: 7.3 | Exploits: 0

Code423n4 | added 2023/10/06 12:0 a.m. | 7 views

Access control vulnerability due to dismissive git & test politics

Lines of code Vulnerability details Impact High risk access control vulnerability due to overutilizing rewards logic Proof of Concept Commenting out accessibility checks may lead to overutilizing existing rewards logic Tools Used Manual review Recommended Mitigation Steps git diff test coverage...

AI score: 7.1 | Exploits: 0

Code423n4 | added 2023/10/06 12:0 a.m. | 4 views

CoreRootRouter._setLocalToken FUNCTION COULD OVERWRITE THE EXISTING VALUES OF THE getLocalTokenFromGlobal MAPPING VALUES DUE TO LACK OF CONDITIONAL CHECKS

Lines of code Vulnerability details Impact The CoreRootRouter.setLocalToken function is used to set the local token on a specific chain for a global token. The function initially checks whether the local token is already added as shown below: if IPortrootPortAddress.isLocalTokenlocalAddress,...

AI score: 6.9 | Exploits: 0

Code423n4 | added 2023/10/06 12:0 a.m. | 11 views

ChainLink should be used as an Oracle for messaging instead of Google Cloud

Lines of code Vulnerability details Impact Each User Application contract e.g. BranchBridgeAgent built on LayerZero will work without configuration using defaults, but a UA will also be able to configure its own. Maia intends to use the default config. However, Google Cloud Oracle is the default a...

AI score: 6.8 | Exploits: 0

Code423n4 | added 2023/10/04 12:0 a.m. | 8 views

Irrevocable token can be downgrade to be revocable

Lines of code Vulnerability details Impact Code Invariant Irrevocable token cannot be downgrade to be revocable can be break leading to loss of user accrued rewards. Proof of Concept In this message one of the contest sponsors says: "irrevocable token cannot be downgrade to be revocable" To...

AI score: 7.2 | Exploits: 0

Total number of security vulnerabilities: 10190