checkERC1155BeforePull Function in DelegateTokenTransferHelpers

Lines of code Vulnerability details Description The checkERC1155BeforePull function in Contract XYZ has a potential issue where it reverts if pullAmount is equal to 0, which might not always be the desired behavior for ERC1155 tokens. Issue Details Context In DelegateTokenTransferHelpers.sol, the...

Incorrect use of getTokenAmounts causes getReserves / getTVL to be overestimated

Lines of code Vulnerability details Impact Previously, getTVL counted the balance of TokenisableRange and multiplied it by the LP value. After reconstruction, getTVL obtains the balance of token0 and token1 through getTokenAmounts and multiplies the token value. The problem is that when calculati...

The number of ticks is incorrectly fixed and is not equal to liquidityPerTick, resulting in low fund utilization.

Lines of code Vulnerability details Impact In the readme, it states the goal after activeIndex is reconstructed is: Instead of depositing half of the assets into each of the 2 ticks above and below, this has been parameterized, allowing to change asset distribution in case of high volatility. But...

Upgraded Q -> 3 from #255 [1694460742612]

Judge has assessed an item in Issue 255 as 3 risk. The relevant finding follows: LOW-2 Missing check for checkBalancesint256 x, int256 y in reserveTokenSpecified could result in DoS of some critical operations --- The text was updated successfully, but these errors were encountered: All reactions...

test dupes medium

No description provided. --- The text was updated successfully, but these errors were encountered: All reactions...

Return value of ETH

Lines of code Vulnerability details Impact It is recommended that the return values of ether transfers be checked, however if transfer to the hardcoded address fails, it does not revert. Proof of Concept uint256 sc = uint256uint1600x0000000000000000000000000000000000000000; assembly "memory-safe"...

Unchecked Arithmetic Allows Nonce Replay

Lines of code Vulnerability details Vulnerability details The problem is the unchecked increment operation: ++nonce.value;. When nonce.value is already at its maximum value 2^256 - 1, incrementing it will wrap around to zero due to integer overflow. This means that if an attacker sends a...

Expiry time is of no use

Lines of code Vulnerability details Impact DelegateToken holder can withdraw before expiry. Even if the principalToken holder extends the time it is of no use. And anyone can withdraw any delegateTokenId and send all the tokens to their address. Proof of Concept The withdraw function in the...

Attacker can extract value from pool by sandwiching herself at swapAll during close

Lines of code Vulnerability details Attacker can drain the lending pool by leveraging two facts: 1. swapAll allows 1% slippage 2. There is no Health Factor check after close. Alice and Bob are good friends, the steps are in one single tx: 1. Alice deposits 10000 USDT and borrows 7000$ worth of TR...

Compound charges are sent to GeVault, making them potentially vulnerable to theft

Lines of code Vulnerability details Impact In the previous version, the compound fee would be saved in the TokenisableRange before being deposited into LP, and would be deposited into LP after reaching 1%. After reconstruction, the fees are sent directly to GeVault for distribution through getTVL...

Protocol will fail for ERC1155 tokens

Lines of code Vulnerability details Issue DelegateTokenTransferHelpers::checkERC1155BeforePull and DelegateTokenTransferHelpers::pullERC1155AfterCheck perform "set and check" operations on erc1155Pulled.flag which will always revert. In the first function, the value of erc1155Pulled.flag is set t...

delegate ID could differ from the expected order hash if the order hash was manipulated

Lines of code Vulnerability details Impact A malicious user could create an order hash that does not match the actual order data. When the delegate token is created, the actualDelegateId will be different than the requestedDelegateId calculated from the manipulated createOrderHash. But the check...

"rights" stored in memory is overwriting the memory block storing "from"

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Expected code should keccak over packed encoding of rights,from,to but as 'rights' values are overwriting 'from' values. So values available for encoding is not as expected. Proof of Concept Provide...

Unchecked return value of low level

Lines of code Vulnerability details In the code you provided earlier, there is a potential "Unchecked return value of low-level call" vulnerability in the following line: addressstrategy.delegatecallabi.encodeWithSignature"harvest"; This line of code uses the delegatecall function to invoke the...

GeVault LP calculations do not use scaling and are vulnerable to deposit attacks

Lines of code Vulnerability details Impact Currently, getTVL counts all token balances in GeVault, and attackers can manipulate getTVL to implement deposit attacks. Secondly, since the calculation of LP does not use scaling, because there is a precision error in the division, the cost for the...

getActiveTickIndex implementation error

Lines of code Vulnerability details Impact The implementation of getActiveTickIndex is wrong, and the searched ticks do not meet expectations, causing funds to be incorrectly allocated to edge ticks, and there is basically no staking income. Proof of Concept // if base token is token0, ticks abov...

Incorrect delegate token URI in MarketMetadata.sol.

Lines of code Vulnerability details Impact Web3 logic may be error prone by the wrong delegate token URL. Proof of Concept In DelegateToken.tokenURL, MarketMetadata.delegateTokenURI is called. MarketMetadata.delegateTokenURI is as follows. File: MarketMetadata.sol 37: function...

DelegateTokenRegistryHelpers::calculateDecreasedAmount() - Comment "Assumes the decreased amount won't underflow with "amount"", but it *can* underflow given the right value for parameter decreaseAmount, and is also inside unchecked {} block.

Lines of code Vulnerability details Impact Summary: Since the affected line is inside an unchecked block, the inbuilt solidity protection functionality wont revert this function execution on underflow, therefore the max uint256 value will be returned for calculateDecreasedAmount. Not only that, b...

Malicious caller tcan o pass arrays with more than 1 element to exploit the contract

Lines of code Vulnerability details Impact This can lead to assets being trapped in the contract or transferred improperly. Proof of Concept This expects and enforces that minimumReceived and maximumSpent will only have 1 element each. A malicious caller could call with arrays like: minimumReceiv...

Lack of access control lets anyone rescind any delegate token

Lines of code Vulnerability details Impact There is no access control for the function rescind, thus 1 it lets anyone rescind any token, either he is the owner or not and 2 the documentation does not adhere to the current implementation. Proof of Concept The documentation above the definition of...

Unchecked return value of low level call()/delegatecall()

Lines of code Vulnerability details The vulnerability related to an "Unchecked return value of low-level call/delegatecall" is a common and critical issue in Ethereum smart contracts. Let's break down this vulnerability and discuss its implications: 1. Low-Level Calls in Solidity: In Solidity,...

Lack of ERC1155 Token Balance Check in flashloan Smart Contract Function

Lines of code Vulnerability details Description: : The flashloan function in the code you provided does not check if the amount of ERC1155 tokens being flashed is available. This could lead to a situation where the function fails to complete because the caller does not have enough ERC1155 tokens ...

No protection against conduit front-running

Lines of code Vulnerability details Impact A malicious conduit could front-run and prevent the transfer Proof of Concept The conduit is trusted to conduct the transferFrom in the resulting order. A malicious conduit could front-run and prevent the transfer. calculateOrderHash: This uses the condu...

Tipping is not available for the protocol

Lines of code Vulnerability details Impact The reason that in the DelegateRegistry contract there's some payable function is because users can tip the contract and then owner can receive it using sweep later. But in the DelegateToken contract, there's no way to send the tipping to the...

A malicious contract could steal assets via a flash loan

Lines of code Vulnerability details Impact A malicious contract could fail to return the assets, essentially stealing the Proof of Concept The key vulnerability is in the flashloan function. It transfers the assets to the receiver contract specified in info.receiver without any checks. Then it...

Any user can withdraw a delegate token after expiration

Lines of code Vulnerability details Impact The withdraw function in the DelegateToken contract does not check the caller msg.sender when the expiration time has ended, thus anyone can make a call to withdraw to steal the funds/tokens associated with a delegate token owned by another user after th...

The DelegateToken.approve function will directly overwrite the old user's approval, resulting in a loss of user rights

Lines of code Vulnerability details Impact DelegateToken.approve will override the old approval with the same delegateId. This will directly impact the rights of users who were previously approved, effectively revoking their previous approval. function approveaddress spender, uint256...

"rights" stored in memory is overwriting the memory block storing "from" and 32 bytes memory is given to store 20 byes long "contract_"

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Expected code should keccak over packed encoding of rights, from, to, contract, tokenId but as 'rights' values are overwriting 'from' values and 32 bytes memory block has been allocated to 'contract'...

Impossible for the owner to change rights

Lines of code Vulnerability details Impact An escrowed token's rights can not be altered once it has been placed in escrow. When a user creates a delegate token and principal token, they set the rights. Rights such as "" and flashloan grant the ability to use the flashloan function. If the delega...

The onlySeaport is a single point of failure and a centralization risk

Lines of code Vulnerability details Impact The onlySeaport holds a lot of power within the system, which can compromise the system integrity and it's permission-less nature. Having a single EOA as onlySeaport is a large centralization risk and a single point of failure. A single private key may b...

test

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used Recommended Mitigation Steps Assessed...

An attacker can steal assets due to an incorrect revertInvalidWithdrawalConditions check in DelegateToken.withdraw()

Lines of code Vulnerability details Impact Function withdraw - allows principal rights owner or approved operator to withdraw the underlying token once the delegation rights have either met their expiration or been rescinded. To withdraw assets, a check is made that the assets are being withdrawn...

An attacker can use the flashloan() function without real collateral assets

Lines of code Vulnerability details Impact Function flashloan - allows delegate token owner or approved operator to borrow their underlying tokens for the duration of a single atomic transaction. The function uses Structs.FlashInfo calldata info as an input parameter. However, some parameters fro...

flashloan() allows both owner and approver to call

Lines of code Vulnerability details Impact Allowing the borrower to borrow more than the current limit Proof of Concept As we can see ,flashloan uses StorageHelpers.revertNotOperator to check if the msg.sender has permissions to call. function flashloanStructs.FlashInfo calldata info external...

To protect the contract in case of hacking or detection of incorrect operation, it is necessary to add pause and blacklist functions

Lines of code Vulnerability details Impact Cases of hacking and self-identification of errors in contact often occur. To protect the contract in such a case, the pause and blacklist functions in the contract are usually used. This would provide protection for the DelegateToken.sol contract in cas...

Non-standart ERC20 tokens are not supported

Lines of code Vulnerability details Impact The issue here is that some non-standard ERC20 tokens can have fee-on-transfer Proof of Concept The issue here is that some non-standard ERC20 tokens can have fee-on-transfer, so it could cause a problem that the protocol will lose tokens on each call...

CreateOffererLib#createOrderHash function can be front-run by attacker and cause user create order failed

Lines of code Vulnerability details Impact Function CreateOffererLibcalculateOrderHashAndId is used to calculate ERC20/ERC721/ERC1155 order hash and delegateTokenId. It create delegateTokenId parameter by calling DelegateTokenStorageHelpersdelegateIdNoRevert function, this function calculate...

Failure to Return Value from Low-Level Call

Lines of code Vulnerability details In Solidity, the "low-level call" operation, often used with inline assembly, is a powerful tool for interacting with external contracts. However, there is a specific bug related to low-level calls that can result in unexpected behavior. Instances 1: File:...

Wrong input hash given to decodeType function in CreateOffererHelpers library

Lines of code Vulnerability details Impact The RegistryHashes.decodeType function is supposed to take a specific bytes32 hash as input with an encoded token type in the last bytes to know token type is used, but when this function is called in the CreateOffererHelpers library it is given a simple...

Missing Ownership Check in mint Function

Lines of code Vulnerability details Description: The mint function in the PrincipalToken contract lacks a crucial ownership check before allowing token minting. While it correctly checks if the caller is the delegateToken contract to restrict minting to authorized contracts, it doesn't verify if...

Incorrect Handling of Empty rights Parameter in delegateAll Function

Lines of code Vulnerability details Description The delegateAll function does not correctly handle the case where the rights parameter is empty. In this case, the function will attempt to write an empty string to the Storage.POSITIONSRIGHTS storage location. This behavior could lead to unexpected...

Fee on Transfer tokens cause incorrect accounting

Lines of code Vulnerability details Impact Incorrect accounting for fee on transfer tokens Proof of Concept Delegate accepts all ERC20 token types as specified by the contest page. Some ERC20 tokens include a fee on transfer which means means that the amount of tokens sent to the contract will be...

In ratifyOrder there is no need for array

Lines of code Vulnerability details Impact In ratifyOrder there is no need for array for SpentItem and ReceivedItem calldata consideration Single object can be used, there is use of the array Proof of Concept The single variable can be used instead of offer0.identifier and consideration0 Array is...

There is a potential vulnerability with the nonce not incrementing as expected if there is an error or revert during the seaport flow

Lines of code Vulnerability details Impact This would allow the attacker to reuse the same nonce in multiple seaport transactions by reverting the first transaction after processNonce increments the stored nonce. Proof of Concept There is a potential issue with the nonce not incrementing as...

removeFromAllTicks should be done before getTVL

Lines of code Vulnerability details After the mitigation, the TR fee is directly sent to GE vault. Suppose 0.1 eth trading fee has accumulated in TR. uint vaultValueX8 = getTVL; uint adjBaseFee = getAdjustedBaseFeetoken == addresstoken0; // Wrap if necessary and deposit here if msg.value 0...

Protocols does not work with fee-on-transfer ERC20 tokens

Lines of code Vulnerability details Impact The protocol does not work with fee-on-transfer ERC20 tokens. When this type of token is escrowed, the amount is sent to the DelegateToken contract. After that the underlying amount delegateInfo.amount is stored in the...

yryryserywretsh

Lines of code L1 Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used Recommended Mitigation Steps Assess...

create function will DoS with ERC1155s.

Lines of code Vulnerability details Impact ERC1155 tokens can never be used. Proof of Concept If we look at the create function in the delegateToken contract we can see the line : TransferHelpers.checkAndPullByTypeerc1155PullAuthorization, delegateInfo; this line calls the...

test dupes medium 2

No description provided. --- The text was updated successfully, but these errors were encountered: All reactions...

The roerouter hard-coded address error causes all fee funds to be sent to the treasury instead of the vault

Lines of code Vulnerability details Impact The roerouter hard-coded address error causes all fee funds to be sent to the treasury instead of the vault. This will reduce the capital utilization rate, because the fee should be added to the LP to earn interest, but now because the vault address cann...