10190 matches found
Lack of ERC1155 Token Balance Check in flashloan Smart Contract Function
Lines of code Vulnerability details Description: The flashloan function in the code you provided does not check if the amount of ERC1155 tokens being flashed is available. This could lead to a situation where the function fails to complete because the caller does not have enough ERC1155 tokens ...
Wrong input hash given to decodeType function in CreateOffererHelpers library
Lines of code Vulnerability details Impact The RegistryHashes.decodeType function is supposed to take a specific bytes32 hash as input with an encoded token type in the last bytes to know which token type is used, but when this function is called in the CreateOffererHelpers library it is given a simple...
Incorrect use of getTokenAmounts causes getReserves / getTVL to be overestimated
Lines of code Vulnerability details Impact Previously, getTVL counted the balance of TokenisableRange and multiplied it by the LP value. After reconstruction, getTVL obtains the balance of token0 and token1 through getTokenAmounts and multiplies the token value. The problem is that when calculati...
The onlySeaport is a single point of failure and a centralization risk
Lines of code Vulnerability details Impact The onlySeaport holds a lot of power within the system, which can compromise the system integrity and its permissionless nature. Having a single EOA as onlySeaport is a large centralization risk and a single point of failure. A single private key may b...
Incorrect Handling of Empty rights Parameter in delegateAll Function
Lines of code Vulnerability details Description The delegateAll function does not correctly handle the case where the rights parameter is empty. In this case, the function will attempt to write an empty string to the Storage.POSITIONSRIGHTS storage location. This behavior could lead to unexpected...
M-08 Unmitigated
Lines of code Vulnerability details Comments The success of low-level calls is not checked in V3Proxy. If msg.sender is a contract and the fallback function has additional logic, the protocol will succeed transfer by default, which will result in the loss of user funds. Mitigation There is no...
H-01 Unmitigated
Lines of code Vulnerability details test test
Potential Price Slippage Due to Gaps in Consecutive Ranges
Lines of code Vulnerability details The method allows appending new Range instances without restrictions on the gap between the end of the last range and the start of the new one. Significant gaps between these ranges can result in considerable price slippages, introducing volatility in price...
_execute can reorder a batch of commands while executing
Lines of code Vulnerability details Impact Let's see what is written in by Axelar: AxelarGatewayMultisig.execute takes a signed batch of commands. Each command has a corresponding commandID. This is guaranteed to be unique from the Axelar network. execute intentionally allows retrying a commandID ...
Owner cannot rescueToken if blocklisted.
Lines of code Vulnerability details Impact Token could be stuck if owner is blocklisted by the token. Proof of Concept rescueToken can be used to rescue token sent to the contracts. function rescueTokens(address token) external onlyOwner { uint256 balance = IRWALike(token).balanceOf(address(this));...
Rounding in the unwrap function in rUSDY may cause fund loss for users.
Lines of code Vulnerability details Impact Rounding with BPSDENOMINATOR in function unwrap in rUSDY.sol may cause users to be transferred back less than expected USDY. POC The rUSDY.sol contract provides a way to wrap an amount of USDY as shares in order to gain profit in rUSDY. This is done throug...
Loss of token if a smart contract performs a cross-chain transfer using source bridge
Lines of code Vulnerability details Impact Loss of a token ownership if a smart contract performs a cross-chain transfer using source bridge Proof of Concept When a caller calls burnAndCallAxelar, the token is burnt on source chain and the payload is encoded in this way: bytes memory payload =...
Transaction origin check in ROE Markets make Options positions opened by contract users impossible to reduce or close
Lines of code Vulnerability details This issue was present in the original contest but I did not notice it as I did not have time to review OptionsPositionManager. The Roe Markets LendingPool.sol that OptionsPositionManager uses is a modified version of Aave V2 with an added PMTransfer...
Missing Slippage Protection in unwrap function
Lines of code Vulnerability details Summary The unwrap function swaps rUSDY to USDY and calls the oracle during this process to get the current USDY price. There is no slippage protection implemented, which can lead to loss of funds. Vulnerability Details Unexpected changes between the call to t...
Cross-chain smart contract call can revert and burned tokens in source chain can't be recovered
Lines of code Vulnerability details Summary AXELARGATEWAY.callContract doesn't revert on failure in destination chain, execute function can revert for various reasons such as not passing require statements, or low gas so tokens remained burned in source chain and can't be recovered. Impact Loss ...
The user will receive more/less funds when calling unwrap() if the price of USDY falls/rises than expected
Lines of code Vulnerability details Impact There is a wrap function called by users to wrap their USDY tokens. In the future, to withdraw tokens, the user calls the unwrap function. However, in the unwrap function, the user can have more funds in case the price of USDY falls. Based on the case...
Tokens transferred with bridge can get lost if destination transaction can’t be executed
Lines of code Vulnerability details Impact User could lose his tokens, if tx on destination chain will fail (revert). There is no option to recover the tokens on source chain. Revert could be caused by function attachThreshold. This function finds the correspondence between the amount and threshold...
Stealing extra mint fund by applying reentrancy attack on _execute with calling approve() again due to external call before crucial state update
Lines of code Vulnerability details Impact By applying reentrancy attack involving the function mintIfThresholdMet, a user can steal extra amount of mint fund. Proof of Concept The function mintIfThresholdMet makes an external mint call prior to updating the txnHashToTransaction state. If the real...
In DestinationBridge:rescueTokens function the owner can steal user tokens
Lines of code Vulnerability details Summary In the rescueToken function, it opens the door to potential insecurity for user funds because it lacks additional conditions specifying which types of tokens or under what conditions the onlyOwner can use this function. The function looks like: / @notic...
Precision Error in getPrice due to Omission of Last Day's Interest
Lines of code Vulnerability details The code attempts to calculate the price based on the interest from the previous day by using range.end - 1. However, if the last day represented by range.end has fully passed, the interest for this day is never taken into account. Over time, these slight...
guardian multisig should be timelock
Lines of code Vulnerability details Impact Per the rUSDYFactory.sol, The Natspec states the guardian address is a multisig address which will be passed in constructor during deployment of factory contract. @notice guardian address in constructor is a msig. and constructoraddress guardian guardian...
Minted Shares would be Inflate Shares by 10000 due to Math Error in the wrap function
Lines of code Vulnerability details Impact BPSDENOMINATOR in the rUSDY.sol contract is an important variable used to scale up usdy amount - shares as noted in its comment description but it is only used to scale up when minting shares but not scaled down before subtracting it from total shares and...
Wrong calculation of elapsed days
Lines of code Vulnerability details Impact For a certain period of time, the dailyIr is compounded every day. However, when calculating prevClosePrice, the last day's addition is missed. The formula for calculating the current price is as follows: Range.dailyInterestRate Days Elapsed + 1...
Discrepancy in Token Allowance After Rebase Events
Lines of code Vulnerability details The function returns the number of tokens that spender is allowed to spend on behalf of owner. However, in the context of tokens with rebase mechanisms, the owner's balance can dynamically change without explicit transactions. The described behavior might lead ...
Potential Out-of-Bounds Error When Modifying Ranges
Lines of code Vulnerability details The method allows for the modification of a range based on an index. However, there's no explicit check to ensure that the provided indexToModify is within the bounds of the ranges array. If an out-of-bounds index is provided, the method will throw a generic...
New from fees rework: fees can still be stolen with a flash-loan on GeVault
Lines of code Vulnerability details The TokenisableRange fees have been reworked to be sent to the corresponding GeVault instance This fixed the problems with fee accounting in TokenisableRange but created a new, similar one in GeVault, where the deposit function does not count the fees in the...
M-08 Unmitigated
Lines of code Vulnerability details The original issue M-08: Return value of low level call not checked, in scope for the mitigation review, was not acted upon, most likely overlooked during the fixing phase. Assessed type call/delegatecall
Lack of Post-Allowance Verification Before Token Minting
Lines of code Vulnerability details The code checks if the user txn.sender is allowed via the ALLOWLIST. If not, it sets the user's status to "allowed". However, after this step, there's no subsequent verification to ensure the user has indeed been added to the ALLOWLIST before minting tokens to...
The USDT.sol contract does not accrue additional income in the form of rUSDY tokens
Lines of code Vulnerability details Impact rUSDY is the rebasing variant of USDY token, and is heavily based on other rebasing tokens such as stETH. Users are able to acquire rUSDY tokens by calling the wrap(uint256) function on the contract. Whereas the price of a single USDY token varies over...
In the event of a fall in the price of USDY, the withdrawal of funds for the user may be blocked
Lines of code Vulnerability details Impact There is a wrap function called by users to wrap their USDY tokens. In the future, to withdraw tokens, the user calls the unwrap function. However, in the unwrap function, the user can have more funds in case the price of USDY falls. Based on the case...
Lack of an option in DestinationBridge.sol to cancel a transaction can lead to unwanted transactions
Lines of code Vulnerability details Impact DestinationBridge.sol is for handling calls from Axelar Gateway and must be deployed in the destination chain. DestinationBridge.sol requires that the address from which Axelar messages are sent must be registered in the recipient's contract. Once a...
abi.encode() function does not support dynamic arrays in Solidity version 0.8.16 or earlier.
Lines of code Vulnerability details Description The bug is in the burnAndCallAxelar function. The function uses the abi.encode function to encode the payload to send to the AxelarGateway contract. However, the abi.encode function was changed in Solidity version 0.8.17 to remove the support for...
Users will not receive Token on Destination chain because the internal _executeWithToken(...) function is not implemented.
Lines of code Vulnerability details Impact Loss of tokens on the Destination chain. Proof of Concept The DestinationBridge.sol contract inherits AxelarExecutable.sol which has the _executeWithToken(...) that's called at the end of executeWithToken(...) function. The _executeWithToken(...) is not...
Reorgs could revert the setRange function and lead to a long lasting stale price of USDY
Lines of code Vulnerability details Summary Reorgs could revert the setRange function and therefore lead to stale prices for a long time depending on the off chain protection, against it Vulnerability Details Here is the setRange function of the USDY price oracle: function setRange uint256...
Token Loss on Failed Destination Chain Call
Lines of code Vulnerability details Impact The burnAndCallAxelar function allows users to burn tokens from their account with the intention of executing a cross-chain call. However, the tokens are burned before the cross-chain call is attempted. If the cross-chain call fails on the destination...
Critical Reentrancy Vulnerability in _mintIfThresholdMet Function
Lines of code Vulnerability details Impact The mintIfThresholdMet function contains a severe reentrancy vulnerability that can be exploited by malicious contracts. When the TOKEN.mint function is called and tokens are minted for txn.sender, the txn.amount is subsequently set to 0 by deleting...
Price Manipulation Through Vulnerability in simulateRange Function
Lines of code Vulnerability details Impact The simulateRange function, although designed for simulation and testing purposes, could potentially be exploited in a sandwich attack scenario. A malicious actor could front-run a user's transaction by using a flash loan to manipulate the price,...
lack of address(0) check for oracle address
Lines of code Vulnerability details Impact no oracle no updated prices. Not sure what happens if try to call getPrice in this scenario, but IF it returns price of zero, then number of tokens from getRUSDYByShares will be zero for any amount of USDY shares... Proof of Concept Tools Used Recommende...
Updating closed ranges with overrideRange() causes incorrect prevRangeClosePrice.
Lines of code Vulnerability details Impact Incorrect starting prices for ranges Incorrect historical price derivations Loss of accurate price data history Proof of Concept updating closed ranges with overrideRange can cause an incorrect prevRangeClosePrice value. Here is a more detailed...
No zero address check on constructor parameters in contracts
Lines of code Vulnerability details Impact Detailed description of the impact of this finding There is no address(0) check in the constructor of the following contracts: 1. SourceBridge.sol 2. rUSDY.sol 3. DestinationBridge.sol 4. rUSDYFactory.sol Lack of address(0) check can lead to loss of important...
Absence of Start-End Time Validation in Range Creation
Lines of code Vulnerability details The code allows the creation of a Range structure without ensuring that startTime is strictly less than endTime. The absence of this validation might lead to unintended behavior or logical errors in functionalities that rely on the order of these timestamps...
Incorrect initialization of rUSDY.sol
Lines of code Vulnerability details Impact rUSDY.sol contract inherits PausableUpgradeable contract but does not invoke its initializers during its own initialization. Due to which the state of PausableUpgradeable contract remains uninitialized. File: contracts/usdy/rUSDY.sol contract rUSDY is...
Potential Out of Bound Error When Accessing Range Array
Lines of code Vulnerability details The code seems to be attempting to access an element of the 'ranges' array using an index calculated from the array's length minus one. However, during the deployment or initialization of the contract, if the length of 'ranges' is 1, this calculation results in...
Token recipient is an inaccessible address for contracts
Lines of code Vulnerability details Impact The msg.sender address from the SourceBridge.burnAndCallAxelar function is used by the DestinationBridge.mintIfThresholdMet function as the TOKEN recipient. However, the msg.sender address will not be controllable by contracts on L2, so any tokens will b...
Funds will be lost in case the block reorg occurs on the chain of sending bridge
Lines of code Vulnerability details Impact Funds will be lost in case the block reorg occurs on the chain of sending bridge Proof of Concept consider the following scenario on sending chain: In block 1: Alice sends the 1000 tokens to the destination bridge and the nonce for it is set to 10 In blo...
Low level calls to accounts with no code will succeed in multiexcall function
Lines of code Vulnerability details Impact Low level calls behave differently than function calls in Solidity. Calls at the EVM level to accounts with no code are successful, this is the expected and normal behavior. It is Solidity that adds checks to prevent accidental calls to accounts with no...
No removal mechanism from blocklist, allowlist and sanctionsList
Lines of code Vulnerability details Impact rUSDY.sol has setBlocklist sets the blocklist address, setAllowlist sets the allowlist address, and setSanctionsList sets the sanctions list address functions: However, the mechanism for removing addresses from arrays is not implemented anywhere. Even in...
Maybe you get the same txnHash for different transactions in DestinationBridge._execute()
Lines of code Vulnerability details Impact DestinationBridge.execute is a function that is executed when contract is called by Axelar Gateway -L114. The function calculates bytes32 txnHash = keccak256(payload). txnHash is calculated based on payload. However, srcChain is not taken into account in...
Lack of Oracle Price Validation in rUSDY
Lines of code Vulnerability details Summary Ondo's custom oracle, RWADynamicOracle, is responsible for delivering the price of USDY to the rUSDY token contract. The oracle is called in four different functions for the price of USDY; the results of which are also used in core functions in the toke...
In case of accrual of additional income for holding rUSDY tokens, the protocol is subject to a flashloan attack
Lines of code Vulnerability details Impact rUSDY is the rebasing variant of USDY token, and is heavily based on other rebasing tokens such as stETH. Users are able to acquire rUSDY tokens by calling the wrap(uint256) function on the contract. Whereas the price of a single USDY token varies over...