10190 matches found
No protection against conduit front-running
Lines of code Vulnerability details Impact A malicious conduit could front-run and prevent the transfer Proof of Concept The conduit is trusted to conduct the transferFrom in the resulting order. A malicious conduit could front-run and prevent the transfer. calculateOrderHash: This uses the condu...
Unchecked return value of low level
Lines of code Vulnerability details In the code you provided earlier, there is a potential "Unchecked return value of low-level call" vulnerability in the following line: addressstrategy.delegatecallabi.encodeWithSignature"harvest"; This line of code uses the delegatecall function to invoke the...
removeFromAllTicks should be done before getTVL
Lines of code Vulnerability details After the mitigation, the TR fee is directly sent to GE vault. Suppose 0.1 eth trading fee has accumulated in TR. uint vaultValueX8 = getTVL; uint adjBaseFee = getAdjustedBaseFeetoken == addresstoken0; // Wrap if necessary and deposit here if msg.value 0...
Failure to Return Value from Low-Level Call
Lines of code Vulnerability details In Solidity, the "low-level call" operation, often used with inline assembly, is a powerful tool for interacting with external contracts. However, there is a specific bug related to low-level calls that can result in unexpected behavior. Instances 1: File:...
An attacker can use the flashloan() function without real collateral assets
Lines of code Vulnerability details Impact Function flashloan - allows delegate token owner or approved operator to borrow their underlying tokens for the duration of a single atomic transaction. The function uses Structs.FlashInfo calldata info as an input parameter. However, some parameters fro...
Expiry time is of no use
Lines of code Vulnerability details Impact DelegateToken holder can withdraw before expiry. Even if the principalToken holder extends the time it is of no use. And anyone can withdraw any delegateTokenId and send all the tokens to their address. Proof of Concept The withdraw function in the...
test
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used Recommended Mitigation Steps Assessed...
getActiveTickIndex returns wrong index
Lines of code Vulnerability details To find a tick that's above price ie its only underlying is the base token, getActiveTickIndex should not if baseTokenIsToken0 && amt0 == 0 || !baseTokenIsToken0 && amt0 == 0 return tickIndex; it should if baseTokenIsToken0 && amt1 == 0 || !baseTokenIsToken0 &&...
Upgraded Q -> 3 from #255 [1694460742612]
Judge has assessed an item in Issue 255 as 3 risk. The relevant finding follows: LOW-2 Missing check for checkBalancesint256 x, int256 y in reserveTokenSpecified could result in DoS of some critical operations
test dupes medium 2
No description provided.
yryryserywretsh
Lines of code L1 Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used Recommended Mitigation Steps Assess...
test dupes medium
No description provided.
The roerouter hard-coded address error causes all fee funds to be sent to the treasury instead of the vault
Lines of code Vulnerability details Impact The roerouter hard-coded address error causes all fee funds to be sent to the treasury instead of the vault. This will reduce the capital utilization rate, because the fee should be added to the LP to earn interest, but now because the vault address cann...
The number of ticks is incorrectly fixed and is not equal to liquidityPerTick, resulting in low fund utilization.
Lines of code Vulnerability details Impact In the readme, it states the goal after activeIndex is reconstructed is: Instead of depositing half of the assets into each of the 2 ticks above and below, this has been parameterized, allowing to change asset distribution in case of high volatility. But...
GeVault LP calculations do not use scaling and are vulnerable to deposit attacks
Lines of code Vulnerability details Impact Currently, getTVL counts all token balances in GeVault, and attackers can manipulate getTVL to implement deposit attacks. Secondly, since the calculation of LP does not use scaling, because there is a precision error in the division, the cost for the...
create function will DoS with ERC1155s.
Lines of code Vulnerability details Impact ERC1155 tokens can never be used. Proof of Concept If we look at the create function in the delegateToken contract we can see the line : TransferHelpers.checkAndPullByTypeerc1155PullAuthorization, delegateInfo; this line calls the...
Fee on Transfer tokens cause incorrect accounting
Lines of code Vulnerability details Impact Incorrect accounting for fee on transfer tokens Proof of Concept Delegate accepts all ERC20 token types as specified by the contest page. Some ERC20 tokens include a fee on transfer which means that the amount of tokens sent to the contract will be...
Lack of Access Control On Flashloan
Lines of code Vulnerability details Impact Anybody can get free flashloan on other users' tokens in the contract. Airdrops, token rights can be taken from the rightful owner. Proof of Concept The flashloan function takes in a Structs.FlashInfo calldata info parameter which specifies the below...
Protocol will fail for ERC1155 tokens
Lines of code Vulnerability details Issue DelegateTokenTransferHelpers::checkERC1155BeforePull and DelegateTokenTransferHelpers::pullERC1155AfterCheck perform "set and check" operations on erc1155Pulled.flag which will always revert. In the first function, the value of erc1155Pulled.flag is set t...
"rights" stored in memory is overwriting the memory block storing "from" and 32 bytes memory is given to store 20 bytes long "contract_"
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Expected code should keccak over packed encoding of rights, from, to, contract, tokenId but as 'rights' values are overwriting 'from' values and 32 bytes memory block has been allocated to 'contract'...
Lack of access control lets anyone rescind any delegate token
Lines of code Vulnerability details Impact There is no access control for the function rescind, thus 1 it lets anyone rescind any token, either he is the owner or not and 2 the documentation does not adhere to the current implementation. Proof of Concept The documentation above the definition of...
delegate ID could differ from the expected order hash if the order hash was manipulated
Lines of code Vulnerability details Impact A malicious user could create an order hash that does not match the actual order data. When the delegate token is created, the actualDelegateId will be different than the requestedDelegateId calculated from the manipulated createOrderHash. But the check...
Unchecked token transfer
Lines of code Vulnerability details Impact Unchecked token transfer Proof of Concept Since the contract will work with many different ERC721 tokens, and not all of them are based, for instance, on the OZ ERC721 token contract. And some tokens can return False instead of reverting a transaction in...
Any user can withdraw a delegate token after expiration
Lines of code Vulnerability details Impact The withdraw function in the DelegateToken contract does not check the caller msg.sender when the expiration time has ended, thus anyone can make a call to withdraw to steal the funds/tokens associated with a delegate token owned by another user after th...
The DelegateToken.approve function will directly overwrite the old user's approval, resulting in a loss of user rights
Lines of code Vulnerability details Impact DelegateToken.approve will override the old approval with the same delegateId. This will directly impact the rights of users who were previously approved, effectively revoking their previous approval. function approveaddress spender, uint256...
An attacker can steal assets due to an incorrect revertInvalidWithdrawalConditions check in DelegateToken.withdraw()
Lines of code Vulnerability details Impact Function withdraw - allows principal rights owner or approved operator to withdraw the underlying token once the delegation rights have either met their expiration or been rescinded. To withdraw assets, a check is made that the assets are being withdrawn...
User funds may be blocked if tokens with a transfer fee are used as the underlyingToken
Lines of code Vulnerability details Impact The user can create rights token pair pulling underlying token. To do this, it calls the create function . During the execution of the function, the user sends tokens to the contract address . If an ERC20 token is used as a tokenContract, then the...
DelegateTokenRegistryHelpers::calculateDecreasedAmount() - Comment "Assumes the decreased amount won't underflow with "amount"", but it *can* underflow given the right value for parameter decreaseAmount, and is also inside unchecked {} block.
Lines of code Vulnerability details Impact Summary: Since the affected line is inside an unchecked block, the inbuilt solidity protection functionality won't revert this function execution on underflow, therefore the max uint256 value will be returned for calculateDecreasedAmount. Not only that, b...
The code uses assembly for memory allocation, which can be complex and prone to errors.
Lines of code Vulnerability details Impact The code uses assembly for memory allocation, which can be complex and prone to errors. Inefficient memory management can lead to gas inefficiency and potential vulnerabilities. Proof of Concept The code uses assembly for memory allocation, which can be...
Impossible for the owner to change rights
Lines of code Vulnerability details Impact An escrowed token's rights can not be altered once it has been placed in escrow. When a user creates a delegate token and principal token, they set the rights. Rights such as "" and flashloan grant the ability to use the flashloan function. If the delega...
Return value of ETH
Lines of code Vulnerability details Impact It is recommended that the return values of ether transfers be checked, however if transfer to the hardcoded address fails, it does not revert. Proof of Concept uint256 sc = uint256uint1600x0000000000000000000000000000000000000000; assembly "memory-safe"...
Unchecked return value of low level call()/delegatecall()
Lines of code Vulnerability details The vulnerability related to an "Unchecked return value of low-level call/delegatecall" is a common and critical issue in Ethereum smart contracts. Let's break down this vulnerability and discuss its implications: 1. Low-Level Calls in Solidity: In Solidity,...
Protocol does not work with fee-on-transfer ERC20 tokens
Lines of code Vulnerability details Impact The protocol does not work with fee-on-transfer ERC20 tokens. When this type of token is escrowed, the amount is sent to the DelegateToken contract. After that the underlying amount delegateInfo.amount is stored in the...
Unchecked Arithmetic Allows Nonce Replay
Lines of code Vulnerability details Vulnerability details The problem is the unchecked increment operation: ++nonce.value;. When nonce.value is already at its maximum value 2^256 - 1, incrementing it will wrap around to zero due to integer overflow. This means that if an attacker sends a...
checkERC1155BeforePull Function in DelegateTokenTransferHelpers
Lines of code Vulnerability details Description The checkERC1155BeforePull function in Contract XYZ has a potential issue where it reverts if pullAmount is equal to 0, which might not always be the desired behavior for ERC1155 tokens. Issue Details Context In DelegateTokenTransferHelpers.sol, the...
Tipping is not available for the protocol
Lines of code Vulnerability details Impact The reason that in the DelegateRegistry contract there's some payable function is because users can tip the contract and then owner can receive it using sweep later. But in the DelegateToken contract, there's no way to send the tipping to the...
In transferFrom() address "from" can be put of contract address and bypass Errors.FromNotCreateOfferer(from)
Lines of code Vulnerability details Impact In transferFrom address "from" can be put of contract address and bypass Errors.FromNotCreateOffererfrom Proof of Concept the code should be function transferFromaddress from, address targetTokenReceiver, uint256 createOrderHashAsTokenId external...
flashloan() allows both owner and approver to call
Lines of code Vulnerability details Impact Allowing the borrower to borrow more than the current limit Proof of Concept As we can see ,flashloan uses StorageHelpers.revertNotOperator to check if the msg.sender has permissions to call. function flashloanStructs.FlashInfo calldata info external...
Not cleaning scratch space/memory after delegatecalls leads to the caller to work with "dirty" memory
Lines of code Vulnerability details Impact NOTE - the link above is just the most critical example, the issue affects many functions in the libraries in scope Calls to deployed libraries are done via delegatecalls, so the storage AND MEMORY context in the library is the one of the caller. Sometim...
CreateOffererLib#createOrderHash function can be front-run by attacker and cause user create order failed
Lines of code Vulnerability details Impact Function CreateOffererLibcalculateOrderHashAndId is used to calculate ERC20/ERC721/ERC1155 order hash and delegateTokenId. It create delegateTokenId parameter by calling DelegateTokenStorageHelpersdelegateIdNoRevert function, this function calculate...
No way to revoke Approval in DelegateToken.approve leads to unauthorized calling of DelegateToken.transferFrom
Lines of code Vulnerability details Impact There is no way to revoke the approval which given via DelegateToken.approveaddress,delegateTokenId. They can able call the DelegateToken.transferFrom even the tokenHolder revoke the permission using the DelegateToken.setApprovalForAll if the spender...
Non-standard ERC20 tokens are not supported
Lines of code Vulnerability details Impact The issue here is that some non-standard ERC20 tokens can have fee-on-transfer Proof of Concept The issue here is that some non-standard ERC20 tokens can have fee-on-transfer, so it could cause a problem that the protocol will lose tokens on each call...
"rights" stored in memory is overwriting the memory block storing "from"
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Expected code should keccak over packed encoding of rights,from,to but as 'rights' values are overwriting 'from' values. So values available for encoding is not as expected. Proof of Concept Provide...
An attacker can use the flashloan function with an invalid collateral asset
Lines of code Vulnerability details Impact Function flashloan - allows delegate token owner or approved operator to borrow their underlying tokens for the duration of a single atomic transaction. The function uses Structs.FlashInfo calldata info as an input parameter. Failure to call...
Malicious caller can pass arrays with more than 1 element to exploit the contract
Lines of code Vulnerability details Impact This can lead to assets being trapped in the contract or transferred improperly. Proof of Concept This expects and enforces that minimumReceived and maximumSpent will only have 1 element each. A malicious caller could call with arrays like: minimumReceiv...
There is a potential vulnerability with the nonce not incrementing as expected if there is an error or revert during the seaport flow
Lines of code Vulnerability details Impact This would allow the attacker to reuse the same nonce in multiple seaport transactions by reverting the first transaction after processNonce increments the stored nonce. Proof of Concept There is a potential issue with the nonce not incrementing as...
A malicious contract could steal assets via a flash loan
Lines of code Vulnerability details Impact A malicious contract could fail to return the assets, essentially stealing the Proof of Concept The key vulnerability is in the flashloan function. It transfers the assets to the receiver contract specified in info.receiver without any checks. Then it...
getActiveTickIndex implementation error
Lines of code Vulnerability details Impact The implementation of getActiveTickIndex is wrong, and the searched ticks do not meet expectations, causing funds to be incorrectly allocated to edge ticks, and there is basically no staking income. Proof of Concept // if base token is token0, ticks abov...
The tokenType is concatenated rather than tightly integrated. An attacker could manipulate just the type byte of the hash.
Lines of code Vulnerability details Impact The attacker can create an unintended type of order and asset transfer. Proof of Concept The tokenType is concatenated rather than tightly integrated. An attacker could manipulate just the type byte of the hash. The issue is that the tokenType is...
Fee on transfer tokens will cause users to lose funds
Lines of code Vulnerability details Impact Some ERC20 tokens allow for charging a fee any time transfer or transferFrom is called. If a contract does not allow for amounts to change after transfers, subsequent transfer operations based on the original amount will revert due to the contract having...