10190 matches found
A MALICIOUS USER CAN FRONT RUN AND EXECUTE THE Tokenomics.initializeTokenomics TRANSACTION TO BECOME THE OWNER OF THE Tokenomics CONTRACT
Lines of code Vulnerability details Impact The Tokenomics.initializeTokenomics is an external function which can be called by anyone, Since there is no access control. Hence a malicious user can front-run the valid initialization transaction and become the owner of the Tokenomics contract. This i...
Griefing attack on liquidity_lockbox withdrawals due to lack of minimum deposit
Lines of code Vulnerability details Impact The liquiditylockbox contract does not enforce a minimum deposit limit. This allows a user to open many positions with minimum liquidity, forcing other users to close these positions one by one in order to withdraw. This could lead to a griefing attack...
Silent failure in user reward transfer in Treasury.withdrawToAccount() can lead to loss of rewards
Lines of code Vulnerability details Impact The withdrawToAccount function of the Treasury contract is designed to send ETH rewards and OLAS top-ups to a specified account. However, there is a potential issue where a user's reward transfer could silently fail. This occurs when the...
[H1] Custom upgrade functionality is dangerous
Lines of code Vulnerability details Impact Unsafe upgrade can break protocol Analysis of the vulnerability You are using a custom upgrade for the tokenomics contract not following UUPS standard function changeTokenomicsImplementationaddress implementation external // Check for the contract...
CM can exploit a pause in GuardCM to gain permanent unrestricted access
Lines of code Vulnerability details Impact The GuardCM contract is designed to restrict the Community Multisig CM actions within the protocol to only specific contracts and methods. Under specific circumstances, the protocol allows the guard to be paused, which temporarily pauses the guard and...
Changing the quorumNumerator should not be only possible by the governance
Lines of code Vulnerability details Impact Only the DAO can reduce the quorumNumerator. This means that if the participation for proposals in the DAO decreases below the quorumNumerator, there is no way to reduce the quorumNumerator so the DAO can start making decisions again. Proof of Concept Fo...
NO access control in decreaseAllowance and increaseAllowance
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. NO access control in decreaseAllowance and increaseAllowance.Anyone can call this function and increase or decrease the allowlance. Proof of Concept Provide direct links to all referenced code in GitHub...
THE EXECUTION OF THE GOVERNANCE ACTIONS (CONTINOUS TRANSACTIONS PACKED TOGETHER) ON GNOSIS CHAIN COULD DoS, IF A SINGLE MALICIOUS target CONTRACT REVERTS THE TRANSACTION
Lines of code Vulnerability details Impact In the HomeMediator.processMessageFromForeign function the data variable is passed into the function. The issue here is that set of continuous transactions can be packed into a single buffer and executed in the function. The data variable is parsed insid...
Service owners can accrue OLAS top-ups even when donating to their own services
Lines of code Vulnerability details Impact The basis of this exploit is the ability for a topUpEligible service owner — any registrant of a service who also stakes enough OLAS in the voting escrow contract — to accrue OLAS top-ups even when they donate to services that they own themselves. As lon...
Reliance on unknown governorCheckProposalId is a potential backdoor and risks loss of critical function control
Lines of code Vulnerability details Impact The GuardCM contract is designed to restrict the actions of the Community Multisig CM. However, a potential backdoor could allow the CM to bypass these restrictions and gain unrestricted access. The issue arises from the reliance on a specific proposal I...
Upgraded Q -> 2 from #549 [1704652745528]
Judge has assessed an item in Issue 549 as 2 risk. The relevant finding follows: L-02 The first piece created can pass quorumVotes without any votes if totalSupply of ERC20 votes is zero --- The text was updated successfully, but these errors were encountered: All reactions...
Upgraded Q -> 2 from #286 [1704653766013]
Judge has assessed an item in Issue 286 as 2 risk. The relevant finding follows: L-02 Quorum for existing piece cannot be changed L-03 Token inflation gives advantage to new pieces --- The text was updated successfully, but these errors were encountered: All reactions...
Upgraded Q -> 2 from #643 [1704652543122]
Judge has assessed an item in Issue 643 as 2 risk. The relevant finding follows: L-2 Setting Auction::reservePrice equal to 0 can create a chain of 0 price bids --- The text was updated successfully, but these errors were encountered: All reactions...
Upgraded Q -> 2 from #49 [1704028025372]
Judge has assessed an item in Issue 49 as 2 risk. The relevant finding follows: L-05 Some tokens revert on 0 amount transfer ParticlePositionManager::liquidatePosition: File: protocol/ParticlePositionManager.sol 376: // reward liquidator 377: TransferHelper.safeTransfercloseCache.tokenFrom,...
Upgraded Q -> 2 from #8 [1703832984112]
Judge has assessed an item in Issue 8 as 2 risk. The relevant finding follows: Remove WLP from whitelist should not block user from removing WLP --- The text was updated successfully, but these errors were encountered: All reactions...
Upgraded Q -> 2 from #37 [1703589922038]
Judge has assessed an item in Issue 37 as 2 risk. The relevant finding follows: L-02 openPosition maybe underflow in openPosition - Base.swap function openPosition DataStruct.OpenPositionParams calldata params public override nonReentrant returns uint96 lienId, uint256 collateralTo...
collectLiquidity() Lack of can specify recipient leads to inability to retrieve token1 after entering the blacklist of token0
Lines of code Vulnerability details Vulnerability details LP has only one way to retrieve token, first decreaseLiquidity, then retrieve through the collectLiquidity method. collectLiquidity only has one parameter, tokenId. function collectLiquidity uint256 tokenId external override nonReentrant...
Users can avoid liquidation by splitting their positions into smaller ones
Lines of code Vulnerability details Impact Bad debt creation, as the total sum of positions could yield a signicant underwater position, but they would likely not be liquidated as it wouldn't compensate liquidators. Proof of Concept A recent, random transaction on Mantle shows a gas fee of 0.47...
CultureIndex.sol#_vote() - Creators of certain piece can vote for their piece
Lines of code Vulnerability details Impact In CultureIndex there is a function vote that allows users to vote for a piece to get sold on the auction house. Each piece has creators that get cut of the sale. The problem is that there is no checks if the user voting for a certain piece is it's own...
The entire AuctionHouse contract can be disabled by a wrong creator bps sum.
Lines of code Vulnerability details Vulnerability details Description There is a potential for a DoS in the AuctionHouse contract related to the buyToken call from the ERC20TokenEmitter. This is due to the buyToken requiring the bpsSum to be equal to 10000, but there is no restriction when creati...
No access control on critical functions
Lines of code Vulnerability details The contract lacks proper access control on critical functions, allowing unauthorized parties to execute them. Recommendation: Use OpenZeppelin Ownable control for minting/burning, etc. Before: // No access control checks in critical functions function...
Ether will get stuck in ERC20TokenEmitter
Lines of code Vulnerability details ERC20TokenEmitter.sol:buyToken distributes the funds sent to purchase the tokens in the following way: 2.5% of the funds are sent to the RevolutionProtocolRewards contract. From the remaining funds, a percentage dependent on the creatorRateBps variable is sent ...
Error prone and complex code
Lines of code Vulnerability details Used function is error prone and complex that leads to incorrect asset handling so have suggested below maxHeapify implementation. function maxHeapifyuint256 pos internal uint256 left = 2 pos + 1; uint256 right = 2 pos + 2; uint256 largest = pos; if left...
Signature Verification for voteForManyWithSig Function
Lines of code Vulnerability details Potential Risk: The voteForManyWithSig function in the CultureIndex contract allows users to vote on multiple pieceIds using a provided signature. While it attempts to verify the signature, there are some potential risks associated with signature verification...
impossible to open a position with a large marginTo
Lines of code Vulnerability details Description marginTo/From is a way to both cover your position and increase your premium when opening a position. There is however a unintended limit on how much marginTo you can provide when opening a position. When doing the swap to increase leverage, the...
An artPiece with a creator address set to address(0) leads to a pseudo-permanent DoS if it ends up being auctioned.
Lines of code Vulnerability details Vulnerability details Description There is a potential for a DoS in the AuctionHouse contract related to the buyToken call from the ERC20TokenEmitter. This is due to the buyToken using the mint function to all the addresses that are stored on the creators array...
Business Logic Vulnerability in dropTopVotedPiece Function
Lines of code Vulnerability details Potential Risk: The dropTopVotedPiece function in the CultureIndex contract allows the dropperAdmin to drop the top-voted piece. While the function checks if the caller is the dropperAdmin, there is a potential business logic vulnerability. The function only...
lack of deadline for uniswap interactions
Lines of code Vulnerability details Impact Lack of deadline can cause a transaction to be executed at an unfavorable time. Causing loss for the trader/liquidity provider. Proof of Concept In all three liquidity interactions with uniswap there is a lack of deadline parameter as block.timestamp is...
Liquidation condition should not factor the liquidation reward into the premiums
Lines of code Vulnerability details Summary The premiums used to determine the liquidation condition have the liquidation reward already discounted, potentially causing a lien to be considered underwater while technically it is not. Impact Positions in Particle LAMM can be liquidated if the owed...
Loss of precision in calculations
Lines of code Vulnerability details The use of regular division can lead to loss of precision. This could enable certain manipulations through precision attacks. Recommendation: Use SafeMath's div for integer division. Division used in parent can lead to loss of precision. Safemath usage is...
lack of slippage protection for increaseLiquidity, and decreaseLiquidity
Lines of code Vulnerability details Impact Lack of slippage protection for increasing and decreasing liquidity can cause the liquidity provider to provide liquidity at an unfavorable price. Or the borrower to borrow/repay in a manipulated pool. Proof of Concept When adding liquidity eventually...
Incorrect Termination Condition
Lines of code Vulnerability details The provided termination condition if pos = size / 2 && pos = size is incorrect. This condition is not suitable for terminating the maxHeapify function. It should instead be based on comparing values in the heap to ensure the max heap property. The condition if...
Overflow potential
Lines of code Vulnerability details Overflow: Be cautious about integer overflow when incrementing size. Depending on how the size variable is used in your contract, it might be beneficial to check for potential overflow conditions. requiresize typeuint256.max, "Heap size exceeds maximum"; Assess...
repay(), liquidate() and liquidateWLp() receive shares as argument, which may revert if from approval to tx settled blocks have passed
Lines of code Vulnerability details Impact repay, liquidate and liquidateWLp transactions revert if users approve the exact repay amount they need in the frontend and only after some blocks have passed is the transaction settled. This happens because the interest accrual is by timestamp, so the...
Delegation to address(0) causes permanent loss of voting power
Lines of code Vulnerability details Impact As stated in the comment on line 12 of NontransferableERC20Votes.sol, delegation of vote power can be done through the delegate function or by providing a signature to be used with delegateBySig. However, these functions do not prevent users from...
Dangerous use of deadline parameter
Lines of code Vulnerability details Summary The protocol is using block.timestamp as the deadline argument while interacting with the Uniswap NFT Position Manager, which completely defeats the purpose of using a deadline. Impact Actions in the Uniswap NonfungiblePositionManager contract are...
increaseLiquidity/decreaseLiquidity Lack of slippage protection
Lines of code Vulnerability details Vulnerability details In ParticlePositionManager.mint, there is slippage protection by params.amount0Min / params.amount1Min But in increaseLiquidity, pool.mint will also be executed There is no slippage protection function increaseLiquidity uint256 tokenId,...
Delisted wLp still could be used for collateralization by changing position mode
Lines of code Vulnerability details Protocol governor address has the power to whitelist and delist wLp addresses using the ConfigsetWhitelistedWLps function. Only whitelisted wLp tokens are allowed to collateralize and de-collateralize users' positions: File: InitCore.sol 244: function...
Efficiency
Lines of code Vulnerability details Depending on the size of your heap, the while loop may execute a significant number of times. Consider whether you can optimize this loop for performance, especially if you expect a large number of insertions. Assessed type Loop --- The text was updated...
Swap Input Validation
Lines of code Vulnerability details Input Validation: - The swap function assumes that fpos and spos are valid positions within the heap. - Ensure that you are providing valid positions, and consider adding checks to verify that fpos and spos are within the bounds of your heap. requirefpos size &...
Input Validation for createPiece Function
Lines of code Vulnerability details Potential Risk: The createPiece function in the CultureIndex contract takes two parameters: metadata and creatorArray. While the function calls the validateCreatorsArray and validateMediaType functions to validate the input data, it does not verify whether the...
burn() and borrow() in LendingPool are very likely to revert due to insufficient cash and could be triggered maliciously
Lines of code Vulnerability details Impact Users might not always be able to burn or borrow due to being frontrunned by other borrow or burn calls, potentially in a malicious manner so funds don't leave the LendingPool. Proof of Concept This attack could happen frequently because the health of a...
Validate Creators Array
Lines of code Vulnerability details Potential Risk: The validateCreatorsArray function in the CreatorUtils contract performs input validation for the creatorArray parameter, which is an array of CreatorBps structs. While the function checks the individual elements of the array for valid addresses...
In some pools, borrowers can maliciously prevent liquidatePosition()
Lines of code Vulnerability details Vulnerability details in liquidatePosition At the end of the liquidation, the liquidation fee will be transferred to the liquidator. function liquidatePosition DataStruct.ClosePositionParams calldata params, address borrower external override nonReentrant...
wrong implementation of maxHeap.extractMax();
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. wrong implementation of maxHeap.extractMax; as it should return values but here its not assigned to anything. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, log...
Users receive fewer tokens due to inaccuracy in calculation
Lines of code Vulnerability details Impact There is a loss of precision in the VRGDAC.yToX function, because in several places division occurs first, and then the result is multiplied. This results in users receiving fewer tokens. According to test data, the difference can be 8 digits. The choice...
Signature Verification for batchVoteForManyWithSig Function
Lines of code Vulnerability details Potential Risk: The batchVoteForManyWithSig function in the CultureIndex contract allows multiple users to execute a batch of votes using provided signatures. While it attempts to verify the signatures, there are potential risks associated with signature...
collateralizeWLp can be bypassed even when collateralization is paused
Lines of code Vulnerability details Impact Admin can pause collateralization for a specific mode to prevent users from providing more collateral either via collateralize or collateralizeWLp. However, due to not properly using internal accounting when tracking wLP collateral, users can still provi...
MaxHeapify: find children with large value and swap
Lines of code Vulnerability details Input Validation: - The maxHeapify function assumes that pos is a valid position within the heap. - Similar to the swap function, you should consider adding a check to verify that pos is within the bounds of your heap. requirepos size, "Invalid position...
Missing Input Validation for Media Type
Lines of code Vulnerability details The validateMediaType function in the ArtPieceMetadata contract performs some input validation for the mediaType field in the metadata parameter. However, it lacks validation for the associated data fields based on the mediaType. This could lead to issues where...