10190 matches found
earn results in decreasing share price
Handle jonah1005 Vulnerability details Impact For a dai vault that pairs with NativeStrategyCurve3Crv, every time earn is called, shareholders would lose money. about 2% There're two issues involved. The Vault contract and the controller contract doesn't handle the price difference between the wa...
Controller transfer extra token on withdrawing tokens
Handle jonah1005 Vulnerability details Impact The Controlle�r's function withdrawaddress token, uint256 amount should return whatever amount of the token user/vault asks. However, it tries to withdraw strategy.want token and convert it. Take for example, when a user/vault calls withdrawdai, 100,...
set cap breaks vault's Balance
Handle jonah1005 Vulnerability details Impact In controller.sol's function setCap, the contract wrongly handles vaultDetailsvault.balance. While the balance should be decreased by the difference of strategies balance, it subtracts the remaining balance of the strategy. Controller.solL262-L278...
No safety check in addToken
Handle jonah1005 Vulnerability details Impact There's no safety check in Manager.sol addToken. There are two possible cases that might happen. 1. One token being added twice in a Vault. Token would be counted doubly in the vault. Ref: Vault.solL293-L303. There would be two item in the array when...
Vault treats all tokens exactly the same that creates (huge) arbitrage opportunities.
Handle jonah1005 Vulnerability details Impact The v3 vault treats all valid tokens exactly the same. Depositing 1M DAI would get the same share as depositing 1M USDT. User can withdraw their share in another token. Though there's withdrawalProtectionFee 0.1 percent, the vault is still a no slippa...
removeToken would break the vault/protocol.
Handle jonah1005 Vulnerability details removeToken would break the vault. Impact There's no safety check in Manager.sol's removeToken. Manager.solL454-L487 1. The token would be locked in the original vault. Given the current design, the vault would keep a ratio of total amount to save the gas...
Potential DOS in Contracts Inheriting UUPSUpgradeable.sol
Handle leastwood Vulnerability details Impact There are a number of contracts which inherit UUPSUpgradeable.sol, namely; GovernanceAction.sol, PauseRouter.sol and NoteERC20.sol. All these contracts are deployed using a proxy pattern whereby the implementation contract is used by the proxy contrac...
Cannot actually submit evidence
Handle jmak Vulnerability details Impact Detailed description of the impact of this finding. The SubmitBadSignatureEvidence is not actually registered in the handler and hence no one can actually submit this message, rendering the message useless. This harms the security model of Gravity since...
cumulativePower check should be inclusive
Handle pauliax Vulnerability details Impact Based on my understanding cumulativePower checks should be inclusive to indicate when the threshold is met. Otherwise, there might be impossible to reach it in certain cases e.g. when 100% power is required. Replace '' with '=' in constructor and functi...
DAO proposals can be executed by anyone due to vulnerable TimelockController
Handle cmichel Vulnerability details Vulnerability Details The GovernorAlpha inherits from a vulnerable TimelockController. This TimelockController allows an EXECUTOR role to escalate privileges and also gain the proposer role. See details on OZ and the fix here. The bug is that executeBatch chec...
lack of validation for the v and s value in recover() funciton
Handle JMukesh Vulnerability details Impact due to lack of checking of v and s value in recover it become prone to signature malleability Proof of Concept check out the tryRecover of ECDSA.sol Tools Used manual reveiw Recommended Mitigation Steps add necessary check to make the signature unique -...
Insufficient validation of rate value
Handle JMukesh Vulnerability details Impact it lack the checking of the value that it is fresh or not, if data is not fresh it can affect exchange rate. these following condition should be met to ensure that data is fresh requireupdateTime != 0, "Incomplete round"; requireansweredInRound = roundI...
CompoundToNotionalV2.enableToken ERC20 missing return value check
Handle cmichel Vulnerability details Vulnerability Details The enableToken function performs an ERC20.approve call but does not check the success return value. Some tokens do not revert if the approval failed but return false instead. Impact Tokens that don't actually perform the approve and retu...
veCVXStrategy.manualRebalance has wrong logic
Handle cmichel Vulnerability details Vulnerability Details The veCVXStrategy.manualRebalance function computes two ratios currentLockRatio and newLockRatio and compares them. However, these ratios compute different things and are not comparable: currentLockRatio =...
Arithmetic Error - manualRebalance function has multiple arithmetic bugs
Handle tabish Vulnerability details In short there are 2 errors in manualRebalance function : a ratio currentLockRatio has been compared to balance newLockRatio and at another point in the same function subtracted . 1 Expanding on the first one - checking newLockRatio Solution: Instead the if...
Filter Logic calls to gravity cosmos at client level to avoid reverts
Handle hack3r-0m Vulnerability details Add a check for call.logiccontractaddress to make sure it is not the same as gravity contract to avoid panics from the orchestrator by failing gas estimations --- The text was updated successfully, but these errors were encountered: All reactions...
logic calls can steal tokens
Handle 0xito Vulnerability details Impact attacker can send a logic call that performs a token.approveattackerAddress, typeuint256.max using the submitLogicCall function. afterwards, they can steal all tokens from the bridge using token.safetransferfrombridge, attacker, amount. Proof of Concept...
DoS for submitting batches and logic calls
Handle 0xito Vulnerability details Impact when submitbatch is called with a batchnonce of the maximum unsigned number typeuint256.max, all future calls will fail due to this check: requirestatelastBatchNoncestokenContract = typeuint256.max batchNonce, "..."; no batches can be submitted again but...
Incorrect accounting on transfer-on-fee/deflationary tokens in Gravity
Handle shw Vulnerability details Impact The sendToCosmos function of Gravity transfers amount of tokenContract from the sender using the function transferFrom. If the transferred token is a transfer-on-fee/deflationary token, the actually received amount could be less than amount. However, since...
Lack of sufficient power check in updateValset of Gravity
Handle shw Vulnerability details Impact The updateValset function does not check whether the new valset has sufficient power to pass a vote see the constructor for more details. If the new valset does not, any function calling checkValidatorSignatures will be disabled since the transaction revert...
Access restrictions on CompoundToNotionalV2.notionalCallback can be bypassed
Handle cmichel Vulnerability details Vulnerability Details The CompoundToNotionalV2.notionalCallback is supposed to only be called from the verified contract that calls this callback but the access restrictions can be circumvented by simply providing sender = this as sender is a parameter of the...
Panics as error-handling
Handle nascent Vulnerability details H-04 Panics as error-handling Severity: High Likelihood: Medium The use of .unwrap, expect, and assert! should be limited to tests, compile-time assertions e.g. consts, and configuration checks. Panicks are at the thread level, so stopping one thread...
Access restrictions on NotionalV1ToNotionalV2.notionalCallback can be bypassed
Handle cmichel Vulnerability details Vulnerability Details The NotionalV1ToNotionalV2.notionalCallback is supposed to only be called from the verified contract that calls this callback but the access restrictions can be circumvented by simply providing sender = this as sender is a parameter of th...
CvxLocker.setBoost wrong validation
Handle cmichel Vulnerability details Vulnerability Details The CvxLocker.setBoost function does not validate the max, rate parameters, instead it validates the already set storage variables. // @audit this is checking the already-set storage variables, not the parameters requiremaximumBoostPaymen...
Downcasting Can Freeze The Chain
Handle nascent Vulnerability details M-01 Downcasting Can Freeze The Chain Severity: Medium Likelihood: Low The function utils::downcastuint256 - Option returns None if the input value is greater than U64MAX. If the value being downcast is read from a contract e.g. a nonce, and the contract could...
TokenHandler.setToken ERC20 missing return value check
Handle cmichel Vulnerability details Vulnerability Details The setToken function performs an ERC20.approve call but does not check the success return value. Some tokens do not revert if the approval failed but return false instead. Impact Tokens that don't actually perform the approve and return...
nTokenERC20Proxy emits events even when not success
Handle cmichel Vulnerability details Vulnerability Details The nTokenERC20Proxy functions emit events all the time, even if the return value from the inner call returns false indicating an unsuccessful action. Impact An off-chain script scanning for Transfer or Approval events can be tricked into...
Unhandled reverts from Cosmos to Eth batches can cause *Denial Of Service*
Handle hack3r-0m Vulnerability details At the above-mentioned places in Gravity contract, it makes external call to a function to transfer erc20 token. This can cause revert in cases where erc20 safeTransfer fails for e.g erc20 contract has blacklisted address of gravity contract to alllow...
Use of transfer() instead of call() to send eth
Handle JMukesh Vulnerability details Impact Use of transfer might render ETH impossible to withdraw becuase after istanbul hardfork , there is increases in the gas cost of the SLOAD operation and therefore breaks some existing smart contracts.Those contracts will break because their fallback...
TokenHandler.safeTransferOut does not work on non-standard compliant tokens like USDT
Handle cmichel Vulnerability details Vulnerability Details The TokenHandler.safeTransferOut function uses the standard IERC20 function for the transfer call and proceeds with a checkReturnCode function to handle non-standard compliant tokens that don't return a return value. However, this does no...
nTokenAction does not emit Approval events
Handle cmichel Vulnerability details Vulnerability Details The nTokenAction is supposed to mimic the ERC20 but the allowance changes do not emit the Approval event in nTokenTransferFrom. Impact Off-chain scripts will have the wrong allowance value as it's tracked in nTokenTransferApproveAll but t...
Allowance checks not correctly implemented
Handle cmichel Vulnerability details Vulnerability Details The nTokenAction implements two token approvals, the nTokenWhitelist which is always used first, and the nTokenAllowance which is checked second. If the nTokenWhitelist does not have enough allowance for the transfer, the transaction fail...
Privilige escalation in ERC1155
Handle cmichel Vulnerability details Vulnerability Details The ERC1155.checkPostTransferEvent function allows the from address to specify trades that are executed by the to address if to approved msg.sender. Impact An approved account can execute arbitrary batch actions on behalf of the approver,...
TokenHandler.safeTransferIn does not work on non-standard compliant tokens like USDT
Handle cmichel Vulnerability details Vulnerability Details The TokenHandler.safeTransferIn function uses the standard IERC20 function for the transfer call and proceeds with a checkReturnCode function to handle non-standard compliant tokens that don't return a return value. However, this does not...
notionalCallback can be tricked by anyone
Handle pauliax Vulnerability details Impact Anyone can call function notionalCallback with arbitrary params and pass the auth check. The only auth check can be easily bypassed by setting sender param to the address of this contract. It allows to choose any parameter that I want: function...
Missing validation on latestRoundData
Handle adelamo Vulnerability details On ExchangeRate.sol, we are using latestRoundData, but there are no validations that the data is not stale. The current code is: / uint80 /, rate, / uint256 /, / uint256 /, / uint80 / = AggregatorV2V3InterfacerateOracle.latestRoundData; requirerate 0,...
Liquidity token value can be manipulated
Handle cmichel Vulnerability details Vulnerability Details The liquidity token value AssetHandler.getLiquidityTokenValue is the sum of the value of the individual claims on cash underlying or rather cTokens and fCash. The amount to redeem on each of these is computed as the LP token to redeem...
SettV3.transferFrom block lock can be circumvented
Handle cmichel Vulnerability details Vulnerability Details The SettV3.transferFrom implements a blockLocked call to prevent users to call several functions at once, for example, deposit and then transferring the tokens. function blockLocked internal view requireblockLockmsg.sender block.number,...
CompoundToNotionalV2.notionalCallback ERC20 return values not checked
Handle cmichel Vulnerability details Vulnerability Details Some tokens like USDT don't correctly implement the EIP20 standard and their transfer/transferFrom function return void instead of a success boolean. Calling these functions with the correct EIP20 function signatures will always revert. S...
ChainLink price data could be stale
Handle cmichel Vulnerability details Vulnerability Details There is no check in ExchangeRate.buildExchangeRate if the return values indicate stale data. This could lead to stale prices according to the Chainlink documentation: under current notifications: "if answeredInRound roundId could indicat...
Win all relayer rewards
Handle nascent Vulnerability details "Large Validator Sets/Rapid Validator Set Updates May Freeze the Bridge or Relayer" can affect just the relayers & not affect the oracle in certain circumstances. This could result in valid attestations, but prevent any of the other relayers from being able to...
The gravity.sol router should have pause/unpause functionality.
Handle tensors Vulnerability details In case a hack is occuring or an exploit is discovered, the team or validators in this case should be able to pause functionality until the necessary changes are made to the system. Additionally, the gravity.sol contract should be manged by proxy so that...
Large Validator Sets/Rapid Validator Set Updates May Freeze the Bridge or Relayers
Handle nascent Vulnerability details In a similar vein to "Freeze The Bridge Via Large ERC20 Names/Symbols/Denoms", a sufficiently large validator set or sufficiently rapid validator update could cause both the ethoraclemainloop and relayermainloop to fall into a state of perpetual errors. In...
Freeze The Bridge Via Large ERC20 Names/Symbols/Denoms
Handle nascent Vulnerability details Ethereum Oracles watch for events on the Gravity.sol contract on the Ethereum blockchain. This is performed in the checkforevents function, ran in the ethoraclemainloop. In this function, there is the following code snippet: let erc20deployed = web3...
Freeze Bridge via Non-UTF8 Token Name/Symbol/Denom
Handle nascent Vulnerability details Manual insertion of non-utf8 characters in a token name will break parsing of logs and will always result in the oracle getting in a loop of failing and early returning an error. The fix is non-trivial and likely requires significant redesign. Proof of Concept...
Crash Eth Oracle On Any LogicCallEvent
Handle nascent Vulnerability details Severity: Medium Likelihood: High In ethoraclemainloop, getlastcheckedblock is called. Followed by: let logiccallexecutedevents = web3 .checkforevents endsearch.clone, Somecurrentblock.clone, vec!gravitycontractaddress, vec!LOGICCALLEVENTSIG, .await; and may h...
Large ValSets potentially freezes Gravity.sol
Handle nascent Vulnerability details Gas requirements of makeCheckpoint: If the size of the validator set grows large enough during a time of block-size expansion, it may be possible to make the validator set large enough that, when the block size shrinks, the gas required to perform makeCheckpoi...
SHOULD CHECK RETURN DATA FROM CHAINLINK AGGREGATORS
Handle defsec Vulnerability details Impact The latestRoundData function in the contract ExchangeRate.sol fetches the asset price from a Chainlink aggregator using the latestRoundData function. However, there are no checks on roundID nor timeStamp, resulting in stale prices. Stale prices could put...
ERC20s that block transfer to particular addresses enable DoS/Censorship
Handle nascent Vulnerability details Tokens that prevent transfers to particular addresses most commonly address0 as is the OpenZeppelin standard enables DoS against a batch. If the attacker submits the bad transaction, the relayer wont submit the batch. The attacker never has to worry about the...
Possible miner incentive for chain reorgs if ETHBlockDelay is too small
Handle tensors Vulnerability details Impact If ETHBlockDelay is too small and the incentive for miners is large enough, it would profitable for miners to attempt to double spend by depositing assets, waiting for confirmation on the cosmos-SDK and then reorging the blockchain. Although an attack...