
10190 matches found

Code423n4
•added 2023/09/14 12:0 a.m.•5 views

New Ward Can Revoke Admin Access

Lines of code Vulnerability details Impact A newly added ward can remove all the wards from the system, including the admin one. Proof of Concept There is no mechanism to prevent newly added wards from removing everyone else's access to the contracts, including the admin. Tools Used Manual...

6.8 AI score
Exploits: 0
Code423n4
•added 2023/09/14 12:0 a.m.•17 views

LiquidityPool.sol doesn't respect fully EIP 4626

Lines of code Vulnerability details Impact The EIP-4626 states that the function previewMint and previewWithdraw should be rounded up always, but that is not the case in the InvestmentManager.sol which makes it not fully compliant. Proof of Concept As can be seen by EIP-4626 the function...

6.8 AI score
Exploits: 0
Code423n4
•added 2023/09/14 12:0 a.m.•7 views

The current axelar router's implementation can't interact with any calls that require native tokens

Lines of code Vulnerability details Impact Medium... this completely blocks off users that would need to call a contract and want to pass value to them, as they can't do this since the functions are not payable Proof of Concept See summary Additionally take a look at the Axelar's Router.sol and s...

7 AI score
Exploits: 0
Code423n4
•added 2023/09/14 12:0 a.m.•15 views

Relying on string comparisons to determine which parameter to update in the file() function is brittle and could lead to unintended consequences.

Lines of code Vulnerability details Impact This can allow unintentionally changing sensitive state variables Proof of Concept The vulnerability arises because: file relies on a simple string comparison of the what parameter to determine which state variable to update. A developer could accidental...

6.7 AI score
Exploits: 0
Code423n4
•added 2023/09/14 12:0 a.m.•10 views

Incorrect approval for escrow tokens, not allowing to burn on redeem

Lines of code Vulnerability details Impact Liquidity pool approval for burning escrow tokens is not correctly assigned when pool is deployed on PoolManager deployLiquidityPool lines: EscrowLike(escrow).approve(liquidityPool, address(investmentManager), type(uint256).max); // Approve investment manager on...

7.1 AI score
Exploits: 0
Code423n4
•added 2023/09/14 12:0 a.m.•12 views

Malicious RestrictionManager can be used to verify Tranche Members

Lines of code Vulnerability details The ability to file a new Restriction Manager after deployment can actually be utilized by a rogue ward and deploy a malicious version of the RestrictionManager that implements almost the same thing as the originals, but just tweaked to return the SUCCESSMESSAGE...

7.2 AI score
Exploits: 0
Code423n4
•added 2023/09/14 12:0 a.m.•14 views

Allowing price updates once in an epoch is extremely risky and open windows to a lot of issues

Lines of code Vulnerability details Impact Protocol currently knows about how this could be an effect, since the comments to both previewDeposit and convertToShares suggest that any difference attached to this should be considered slippage, but measures are not taken to ensure that this slippage ...

6.7 AI score
Exploits: 0
Code423n4
•added 2023/09/14 12:0 a.m.•4 views

Potential Incorrect Domain Separator Generation in _calculateDomainSeparator Function

Lines of code Vulnerability details The calculateDomainSeparator function generates the EIP-712 domain separator using the contract's name and version. However, there is no explicit guarantee that the name has been set before calling this function, leading to an unreliable domain separator. Impac...

6.8 AI score
Exploits: 0
Code423n4
•added 2023/09/14 12:0 a.m.•6 views

Not enough valid checks in the Factory.sol

Lines of code Vulnerability details Impact The LiquidityPoolFactory contract is used to deploy LiquidityPools through a controlled newLiquidityPool , however a vital check is omitted. The newLiquidityPool is first called in the PoolManager.sol but it is not restricted to just that, it can also be...

6.9 AI score
Exploits: 0
Code423n4
•added 2023/09/14 12:0 a.m.•10 views

There is no concept of a requestDeposit, requestRedeem receipt made on the source chain, resulting in no recovery process for escrowed funds in the event of bridge or Centrifuge fall.

Lines of code Vulnerability details Impact There is no kind of request receipt on the EVM chain at all. The InvenstmentManagerrequestDeposit simply puts users tokens in the escrow and then the request gets routed to the Gateway and later to the outgoingRouter. The flow goes as follows 1.Buyer cal...

6.7 AI score
Exploits: 0
Code423n4
•added 2023/09/14 12:0 a.m.•7 views

Already allowed pool currency can not be removed

Lines of code Vulnerability details Impact Already allowed pool currency can not be removed. Once a currency is allowed, it can not be removed. Most of the time, the currency will be a stablecoin but in cases where the stablecoin depegs, as seen with USDC three months ago, new liquidity pools for...

6.8 AI score
Exploits: 0
Code423n4
•added 2023/09/14 12:0 a.m.•10 views

Blocking assets/shares in escrow

Lines of code Vulnerability details Impact An investor can lose a part of assets or shares due to their blocking in escrow. Proof of Concept Suppose the user decided to invest an amount of assets which is more than type(uint128).max. This can be done by calling the requestDeposit function several...

7 AI score
Exploits: 0
Code423n4
•added 2023/09/14 12:0 a.m.•7 views

Restriction Manager does not check the source address

Lines of code Vulnerability details Impact The detectTransferRestriction takes in all the necessary parameters: function detectTransferRestriction(address from, address to, uint256 value) public view returns (uint8) However it only performs a check on the address to The restriction used here is...

6.8 AI score
Exploits: 0
Code423n4
•added 2023/09/14 12:0 a.m.•10 views

transferIn() is susceptible to a front-running attack

Lines of code Vulnerability details Impact Another auth caller can exploit the vulnerability by executing front-running transactions using the source address that has just given allowance approval to the contract. This allows the attacker to acquire and increase the destination amount of the...

6.8 AI score
Exploits: 0
Code423n4
•added 2023/09/14 12:0 a.m.•8 views

Unchecked Minting

Lines of code Vulnerability details Impact There is a possibility, an attacker can force minting of tokens to self or any other diluting the token value and stealing funds in the process Proof of Concept Here is a step-by-step process The attacker calls the transferFrom function with msg.data...

6.8 AI score
Exploits: 0
Code423n4
•added 2023/09/14 12:0 a.m.•6 views

Owners having valid permits might not be able to deposit or redeem assets/shares due to incorrect order of address validation in _isValidSignature

Lines of code Vulnerability details Proof of Concept requestDepositWithPermit requests asset deposit for a receiver to be included in the next epoch execution with a permit option. requestRedeemWithPermit request share redemption for a receiver to be included in the next epoch execution with a...

6.9 AI score
Exploits: 0
Code423n4
•added 2023/09/14 12:0 a.m.•8 views

LiquidityPool inflation attack

Lines of code Vulnerability details Bug Description The LiquidityPool uses an algorithm that converts prices to shares through a linear relationship. For instance, if there are 10,000 assets and 100 shares, then holding 100 assets should yield 1 share. However, a situation arises when investor...

7 AI score
Exploits: 0
Code423n4
•added 2023/09/14 12:0 a.m.•7 views

SafeTransferLib's safeApprove() does not set allowance 0 first which would lead to the escrow encountering issues when dealing with tether's USDT or tokens like it.

Lines of code Vulnerability details Impact Medium... a number of features within the protocol will not work if an approval reverts in the escrow or anywhere else NB: Report mainly focuses on the usage of the SafeTransferLib's safeApprove, but bug is attached to the underlying call made to approve...

6.9 AI score
Exploits: 0
Code423n4
•added 2023/09/14 12:0 a.m.•15 views

"Divide-by-Zero Risk in convertToShares Function"

Lines of code Vulnerability details Description The convertToShares function calculates the number of shares based on the provided assets and the "latestPrice" obtained from the liquidityPool. While the code may appear straightforward, there is a specific security concern related to divide-by-zer...

6.9 AI score
Exploits: 0
Code423n4
•added 2023/09/14 12:0 a.m.•12 views

Unsafe message encode and decode for cross chain message transfer and in execution process through axelar

Lines of code Vulnerability details Impact The cross chain message passing is done through the axelar gateway contracts. To pass the message, the message has to be formatted abi.encode and sent to destination chain from source chain. In destination chain, through gateway contract, the received...

6.8 AI score
Exploits: 0
Code423n4
•added 2023/09/14 12:0 a.m.•9 views

Signature malleability in permit function

Lines of code Vulnerability details Impact In the ERC20 contract used to define the interface for tranche tokens the permit function uses ecrecover to verify a signature submitted by the token owner to approve an address to spend its tranche tokens. However there is a well known issue related to...

6.8 AI score
Exploits: 0
Code423n4
•added 2023/09/14 12:0 a.m.•7 views

Any user can drain the escrow contract by calling decreaseDepositRequest with more amount than they deposited into the escrow while requesting.

Lines of code Vulnerability details Impact In the protocol, users submit deposit requests to the Centrifuge gateway for depositing assets into the Liquidity Pools. There is also a mechanism to decrease this deposit order by calling LiquidityPool::decreaseDepositRequest which decreases their depos...

6.7 AI score
Exploits: 0
Code423n4
•added 2023/09/14 12:0 a.m.•7 views

possibility of reentrancy attack when poolManager.sol#Transfer called with malicious recipient contract address

Lines of code Vulnerability details Impact when users call the transfer function in the poolManager.sol the transaction data will be sent to the centrifuge chain first and then it will be back to the router and then direct it to the handleTransfer function in poolManager.sol, user can make a...

6.7 AI score
Exploits: 0
Code423n4
•added 2023/09/14 12:0 a.m.•10 views

Access Control Dependency on msg.sender: The onlyGateway modifier relies solely on msg.sender for access control. If the address of the gateway contract is compromised or manipulated, it can lead to unauthorized access to critical functions within the contract.

Lines of code Vulnerability details Access Control Dependency on msg.sender Impact: The onlyGateway modifier relies solely on msg.sender for access control. If the address of the gateway contract is compromised or manipulated, it can lead to unauthorized access to critical functions within the...

6.9 AI score
Exploits: 0
Code423n4
•added 2023/09/14 12:0 a.m.•12 views

Transactions could be frontrun to deposit assets and collect shares between the deposit request and collection

Lines of code Vulnerability details Impact Attacker can spoof deposit to get free shares. Proof of Concept requestDeposit - Requests a deposit, locks up the assets. collectDeposit - Collects the shares after deposit execution. The vulnerability arises because: requestDeposit locks up the assets,...

6.8 AI score
Exploits: 0
Code423n4
•added 2023/09/14 12:0 a.m.•10 views

The executeScheduledRely function in the code allows any external caller to execute it without proper access control checks. This means that anyone can make themselves a ward on a contract without authorization, which poses a security risk.

Lines of code Vulnerability details Issue: The executeScheduledRely function in the code allows any external caller to execute it without proper access control checks. This means that anyone can make themselves a ward on a contract without authorization, which poses a security risk. Proof of...

7.3 AI score
Exploits: 0
Code423n4
•added 2023/09/14 12:0 a.m.•11 views

requestDeposit and requestRedeem do not allow for any price guarantee, opening users to sandwich attacks and other losses

Lines of code Vulnerability details Impact Request functions take only the desired input amount as a parameter, giving no way for the caller to control the fulfilment price. The price is decided by the Centrifuge mainnet only. function requestDeposit(uint256 assets, address owner); function...

6.7 AI score
Exploits: 0
Code423n4
•added 2023/09/14 12:0 a.m.•10 views

Contract lacks proper error handling. Without meaningful error messages, it becomes difficult to identify the exact reasons for failures or unexpected behavior. Often leading end user astray.

Lines of code Vulnerability details Contract lacks proper error handling. Without meaningful error messages, it becomes difficult to identify the exact reasons for failures or unexpected behavior. Often leading end user astray. The code lacks proper error handling mechanisms, which can make it...

7.3 AI score
Exploits: 0
Code423n4
•added 2023/09/14 12:0 a.m.•13 views

Vulnerability: An Attacker can steal Tranche Tokens and Drain the Pool / Contract: InvestmentManager.

Lines of code Vulnerability details Impact An Attacker can mint Tranche Tokens for free and use them to Drain the Pool and steal the user's money. Proof of Concept Let's imagine that some users deposit money in the pool and mint tranches but they didn't redeem/withdraw their tokens, one of the...

7 AI score
Exploits: 0
Code423n4
•added 2023/09/14 12:0 a.m.•7 views

InvestmentManager.requestDeposit Arbitrary send erc20

Lines of code Vulnerability details Impact InvestmentManager.requestDeposit. In this function, the SafeTransferLib.safeTransferFrom function is called with an arbitrary from address. This means that the attacker can control who the tokens are transferred from. Proof of Concept Tools Used manual...

6.9 AI score
Exploits: 0
Code423n4
•added 2023/09/14 12:0 a.m.•7 views

potential overflow in max.Deposit&maxMint and max.redeem&max.withdraw

Lines of code Vulnerability details Impact there is potential overflow in max.deposit and max.mint Proof of Concept the only way to decrease max.deposit and max.mint is for a deposit to be executed. function deposit(uint128 trancheTokenAmount, uint128 currencyAmount, address liquidityPool, address...

7.1 AI score
Exploits: 0
Code423n4
•added 2023/09/14 12:0 a.m.•8 views

previewWithdraw doesn't round up the asset amount leading to confusion when external protocols integrate with the vaults of the protocol

Lines of code Vulnerability details Impact Protocols that integrate with Centrifuge liquidity pools may wrongly assume that withdraw rounds the amount up as per the ERC-4626 specification, leading to a wide array of issues for both parties. Proof of Concept The following is stated in the EIP's...

6.8 AI score
Exploits: 0
Code423n4
•added 2023/09/14 12:0 a.m.•4 views

lack of failsafe mechanism to replay the failed transaction between source chain and destination chain. This would lead to loss of funds to user when transaction is failed.

Lines of code Vulnerability details Impact When the transaction fails on either chain, source or destination, it is never replayed. This would lead to loss of assets if the transaction is targeted for token transfer. Similarly, other issues can happen. Proof of Concept Centrifuge used the cross...

6.7 AI score
Exploits: 0
Code423n4
•added 2023/09/14 12:0 a.m.•9 views

addPauser should be a two-step process in PauseAdmin.sol

Lines of code Vulnerability details Impact Adding new pauser should be a two-step process. The identified issue pertains to the absence of a two-step process for adding a new pauser in the smart contract. This vulnerability could potentially allow an unauthorized entity to gain control over pausin...

7 AI score
Exploits: 0
Code423n4
•added 2023/09/14 12:0 a.m.•14 views

No gas payment is done before calling the callContract in the Router.sol

Lines of code Vulnerability details Impact In the Axelar documentation it is specified that before calling callContract or callContractWithToken the user needs to first prepay the relayers gas fee on the source chain, but since the functions are not payable, nor does call...

6.8 AI score
Exploits: 0
Code423n4
•added 2023/09/14 12:0 a.m.•8 views

Assumptions are currently made that prices would forever be positive

Lines of code Vulnerability details Impact Neglecting the potential for negative asset prices can lead to inaccurate value representation in the Liquidity Pool, possibly affecting calculations related to assets and tokens. It's crucial to note that the value of an asset, even if negative in the...

6.8 AI score
Exploits: 0
Code423n4
•added 2023/09/14 12:0 a.m.•9 views

The price update timestamp doesn't get checked, allowing for the use of stale prices

Lines of code Vulnerability details Impact It allows for the use of stale prices in cases where they will either damage the protocol or the user. Proof of Concept The protocol has a price oracle system where the price gets updated by an account with a privileged role by calling updatePrice...

6.7 AI score
Exploits: 0
Code423n4
•added 2023/09/14 12:0 a.m.•5 views

https://github.com/code-423n4/2023-09-centrifuge/blob/main/src/InvestmentManager.sol#L467-L480

Lines of code Vulnerability details Impact In this function InvestmentManager.deposit, the require statement calls the lPool.transferFrom function with an arbitrary from address. This means that the attacker can control who the tokens are transferred from. Proof of Concept Tools Used manual revie...

6.9 AI score
Exploits: 0
Code423n4
•added 2023/09/14 12:0 a.m.•4 views

Expired members can lose their tranche tokens if they call transferTrancheTokensToCentrifuge or transferTrancheTokensToEVM in PoolManager.sol

Lines of code Vulnerability details Impact User can call transferTrancheTokensToCentrifuge or transferTrancheTokensToEVM to transfer their tranche tokens to other chains, but no verifying is done to see if they are expired members or not on the source chain, which can cause loss of funds for some...

6.8 AI score
Exploits: 0
Code423n4
•added 2023/09/14 12:0 a.m.•10 views

approve function can be frontrun and funds will be stolen as a result

Lines of code Vulnerability details Impact The user that gives allowances will lose funds. Proof of Concept In the file ERC20.sol there is a function approve. This function is problematic as it is susceptible to frontrunning attacks. PoC: Consider the following scenario: Alice calls the function...

6.7 AI score
Exploits: 0
Code423n4
•added 2023/09/14 12:0 a.m.•10 views

lack of an ownership transfer mechanism

Lines of code Vulnerability details Issue: The code does not have a mechanism to transfer ownership of the contract. In the current implementation, once deployed, the contract owner's address cannot be changed. This can be problematic for contract maintenance and security, as it restricts the...

7.1 AI score
Exploits: 0
Code423n4
•added 2023/09/11 12:0 a.m.•5 views

Not cleaning scratch space/memory after delegatecalls leads to the caller to work with "dirty" memory

Lines of code Vulnerability details Impact NOTE - the link above is just the most critical example, the issue affects many functions in the libraries in scope Calls to deployed libraries are done via delegatecalls, so the storage AND MEMORY context in the library is the one of the caller. Sometim...

7.3 AI score
Exploits: 0
Code423n4
•added 2023/09/11 12:0 a.m.•8 views

The owner of the PrincipalToken can redeem the asset from escrow before the selected time period expires

Lines of code Vulnerability details Impact After calling the create function, the owner of the DelegateToken gains delegate rights for the duration of the escrow. The documentation for the competition states: "The holder of the PrincipalToken will have the right to redeem the boredom ape from...

6.9 AI score
Exploits: 0
Code423n4
•added 2023/09/11 12:0 a.m.•11 views

User funds may be blocked if tokens with a transfer fee are used as the underlyingToken

Lines of code Vulnerability details Impact The user can create rights token pair pulling underlying token. To do this, it calls the create function. During the execution of the function, the user sends tokens to the contract address. If an ERC20 token is used as a tokenContract, then the...

7.1 AI score
Exploits: 0
Code423n4
•added 2023/09/11 12:0 a.m.•14 views

No way to revoke Approval in DelegateToken.approve leads to unauthorized calling of DelegateToken.transferFrom

Lines of code Vulnerability details Impact There is no way to revoke the approval which is given via DelegateToken.approve(address,delegateTokenId). They are able to call the DelegateToken.transferFrom even if the tokenHolder revokes the permission using the DelegateToken.setApprovalForAll if the spender...

6.9 AI score
Exploits: 0
Code423n4
•added 2023/09/11 12:0 a.m.•11 views

getActiveTickIndex returns wrong index

Lines of code Vulnerability details To find a tick that's above price ie its only underlying is the base token, getActiveTickIndex should not if baseTokenIsToken0 && amt0 == 0 || !baseTokenIsToken0 && amt0 == 0 return tickIndex; it should if baseTokenIsToken0 && amt1 == 0 || !baseTokenIsToken0 &&...

6.9 AI score
Exploits: 0
Code423n4
•added 2023/09/11 12:0 a.m.•13 views

An attacker can use the flashloan function with an invalid collateral asset

Lines of code Vulnerability details Impact Function flashloan - allows delegate token owner or approved operator to borrow their underlying tokens for the duration of a single atomic transaction. The function uses Structs.FlashInfo calldata info as an input parameter. Failure to call...

6.9 AI score
Exploits: 0
Code423n4
•added 2023/09/11 12:0 a.m.•7 views

The tokenType is concatenated rather than tightly integrated. An attacker could manipulate just the type byte of the hash.

Lines of code Vulnerability details Impact The attacker can create an unintended type of order and asset transfer. Proof of Concept The tokenType is concatenated rather than tightly integrated. An attacker could manipulate just the type byte of the hash. The issue is that the tokenType is...

6.8 AI score
Exploits: 0
Code423n4
•added 2023/09/11 12:0 a.m.•10 views

In transferFrom() address "from" can be put of contract address and bypass Errors.FromNotCreateOfferer(from)

Lines of code Vulnerability details Impact In transferFrom() address "from" can be put of contract address and bypass Errors.FromNotCreateOfferer(from) Proof of Concept the code should be function transferFrom(address from, address targetTokenReceiver, uint256 createOrderHashAsTokenId) external...

7.2 AI score
Exploits: 0
Code423n4
•added 2023/09/11 12:0 a.m.•7 views

Lack of Access Control On Flashloan

Lines of code Vulnerability details Impact Anybody can get free flashloan on other users' tokens in the contract. Airdrops, token rights can be taken from the rightful owner. Proof of Concept The flashloan function takes in a Structs.FlashInfo calldata info parameter which specifies the below...

7 AI score
Exploits: 0
Total number of security vulnerabilities: 10190