Vulnerability in swapGivenInputAmount Function that could Leads to Unintended Token Draining

Lines of code Vulnerability details Impact The vulnerability discovered in the swapGivenInputAmount function has the potential to cause unintended token draining in the smart contract. Due to an incorrect check for a negative result in the code requireresult 0;, the function may allow swaps to...

Loss of precision due to division occurring before multiplication across multiple statements leads to lesser number of receiving tokens

Lines of code Vulnerability details Impact Swaps and Deposits work with two tokens X and Y. The computed amount of tokens on the receiving end decrease due to this multi-statement loss of precision occurring due to division before multiplication. Note: This finding is different from the L-06 bot...

Swapping lacks deadline check

Lines of code Vulnerability details Impact There is no deadline when swapping tokens using EvolvingProteus. Swaps that are done through low gas transactions may be stuck in the mempool for a long time, resulting in unfavourable swap. Proof of Concept Evolving prometeus seems like an upgrade to...

Swaps affect LP token mint/burn during liquidity addition/removal

Lines of code Vulnerability details Impact The LP token removal/addition forces a recalculation of the bonding curve, and the utility of the curve. The utility curve in proteus looks like the graph below, where the point A represents a certain composition of the pool. If we try to remove add/remo...

Swap Tokens with Fee Consideration and Balance Checks

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. In the swap function, the discrepancy lies in the usage of the variable specifiedAmount instead of roundedSpecifiedAmount when checking the final balance in the swap function. if specifiedToken ==...

Lack of slippage parameter in swap can cause losses for users

Lines of code Vulnerability details Impact Users can incure losses do to lack of slippage control. Detailed description of the impact of this finding. Slippage control helps to safeguard user funds against price falling below a certain threshold. This can be caused byfrontrunning attack. Proof of...

Lack of Deadline Protection in Key Functions Poses Potential Exploits

Lines of code Vulnerability details Impact The absence of a deadline parameter in key function calls within the EvolvingProteus contract poses a significant vulnerability. Transactions that stay pending in the mempool due to outdated slippage could be executed at a much later time than initially...

M-22 Unmitigated

Lines of code Vulnerability details Comments The underlying yield vaults used by the V5 vaults usually round down shares received when depositing. As a result, if the Vault deposits to an underlying yield vault that has already issued shares, it is possible that a deposit could be rounded down to...

Number of prize tiers may never scale due to aggressive new algorithm

Lines of code Vulnerability details Comments This issue is very similar to M-14 but covers another edge case where the threshold check is not performed when there are currently 14 prize tiers and at least 1 canary tier is claimed. This is due to an early return of MAXIMUMNUMBEROFTIERS. Mitigation...

Claiming prizes will be bricked if prize periods are not aligned with twab periods

Lines of code Vulnerability details Comments The previous implementation allowed a malicious user to keep updating their balances provided the previous observation fell within the same period. As such, if a draw ends part way through a period, the user would be able to manipulate their average...

Loss of precision in the YieldVault causes DoS when depositing from the Vault

Lines of code Vulnerability details Title Loss of precision in the YieldVault causes DoS when depositing from the Vault Original Issue M-22 - Loss of precision leads to undercollateralized Details The original demonstrates how the Vault could fall into undercollateralization mode if the YieldVaul...

TwabController::_periodEndOnOrAfter() function returns the period start instead of the period end

Lines of code Vulnerability details Original Issue M-03 - TwabLib::getTwabBetween can return innacurate balances if startTime and endTime aren't safely bounded Details The original finding is about the lack of a mechanism to validate if the startTime and endTime are safely bounded, otherwise, if...

Upgraded Q -> 2 from #273 [1692910023114]

Judge has assessed an item in Issue 273 as 2 risk. The relevant finding follows: L-01 --- The text was updated successfully, but these errors were encountered: All reactions...

M-02 - Malicious users can set their hooks to contracts that will always revert, causing Claimers to get their tx to claim the user's prizes to be reverted

Lines of code Vulnerability details Title M-02 - Malicious users can set their hooks to contracts that will always revert, causing Claimers to get their tx to claim the user's prizes to be reverted Original Issue M-02 - Unintended or Malicious Use of Prize Winners' Hooks Details The previous...

Vault will stop participating in draws in case if they deposited maximum assets to the underlying vault

Lines of code Vulnerability details Impact Vault will stop participating in draws in case if they deposited maximum assets to the underlying vault. Proof of Concept Vault contract has maxMint function. This function first checks allowed amount to mint in the PtVault and then also checks amount...

H-08 MitigationConfirmed

Lines of code Vulnerability details Original Issue H-08 - Increasing reserves breaks PrizePool accounting Details The previous implementation to increase reserves in the PrizePool contract didn't take into account the injected reserves, which caused the accounted balance in the prize pool to not ...

M-10 Unmitigated

Lines of code Vulnerability details Issue not mitigated About the problem There was unsafe cast in the getTier function and warden has stated, that in case if value will be bigger than uint96.max, then wrong prize amount will be used. Solution Pool together has increased Tier.prizeSize variable t...

H-09 Unmitigated

Lines of code Vulnerability details Issue not mitigated About the problem In the report i have described some vaults that will not work in the designed system. Example of such vault will be any vault that has withdraw limit. In this case yieldVault.maxWithdraw call will not return actual amount o...

H-05 Unmitigated

Lines of code Vulnerability details Issue not mitigated About the problem sponsor function allows caller to delegate his shares to the special address. In this case caller losses ability to win prizes. Previous version of code had sponsor function, which allowed to deposit funds on behalf of owne...

Auctions run at significantly different speeds for different prize tiers

Lines of code Vulnerability details Comments The V5 implementation delegates the task of claiming prizes to a network of claimers. The fees received by a claimer are calculated based on a dutch auction and limited based on the prize size of the highest tier the smallest prize. As a result, it is...

M-02 Unmitigated

Lines of code Vulnerability details Comments In the previous implementation a malicious user could set arbitrary vault hooks for afterClaimPrize and beforeClaimPrize that could be used to gas grief the claimer or cause other claims in the same call to fail by deliberately reverting Mitigation The...

Upgraded Q -> 2 from #422 [1692189363530]

Judge has assessed an item in Issue 422 as 2 risk. The relevant finding follows: L-04 --- The text was updated successfully, but these errors were encountered: All reactions...

Upgraded Q -> 3 from #264 [1691857350267]

Judge has assessed an item in Issue 264 as 3 risk. The relevant finding follows: Let's see how it can be exploited. You can add this test to Withdraw.t.sol and run with forge test -vv --match-contract VaultWithdrawTest --match-test testWithdrawAllAssetsForHalfShares: function...

TEST PR 1093 - edited

Lines of code L1 Vulnerability details edited Assessed type call/delegatecall --- The text was updated successfully, but these errors were encountered: All reactions...

_scheduleUpdate() should be called during initialize ing the SecurityCouncilManager

Lines of code Vulnerability details Impact Updates will not be scheduled through timelocks and target upgrade executors by the scheduleUpdate call. Initial set of cohort members will not be scheduled. Proof of Concept In SecurityCouncilManager whenever a new member is added, or removed or swapped...

Governor relay() functions can be used to bypass voting an directly run critical SecurityCouncilManager functions

Lines of code https://github.com/ArbitrumFoundation/governance/blob/c18de53820c505fc459f766c1b224810eaeaabc5/src/security-council-mgmt/governors/SecurityCouncilNomineeElectionGovernor.sol...

check for the reentrancy attack is missed in the claim function

Lines of code Vulnerability details Impact the function claim in the LendingLedger.sol will send native token $CANTO to the msg.sender by .call which it can be EOA or Contracts, because there is no any RA checks the caller can make double call in the same time to get himself more tokens reward th...

Undelegation logic doesn't work as expected, duo to that an owner of a lock would be enforced to extend their lock time for another 5 years.

Lines of code Vulnerability details Impact Undelegation logic doesn't work as expected, duo to that an owner of a lock would be enforced to reset his lock time for another 5 years through the function increaseAmount in order to successfully undelegate. Proof of Concept There are few differences...

Missing __Governor_init() call in SecurityCouncilMemberRemovalGovernor's initialize() function

Lines of code Vulnerability details Bug Description The SecurityCouncilMemberRemovalGovernor contract inherits Openzeppelin's GovernorUpgradeable: SecurityCouncilMemberRemovalGovernor.solL17-L19 contract SecurityCouncilMemberRemovalGovernor is Initializable, GovernorUpgradeable, However, in its...

newEmergencySecurityCouncil in GovernanceChainSCMgmtActivationAction.sol is not given the TIMELOCK_CANCELLER_ROLE

Lines of code Vulnerability details Proof of Concept GovernanceChainSCMgmtActivationAction.sol checks that the prevEmergencySecurityCouncil has the TIMELOCKCANCELLERROLE first. Then, the role is revoked from the prevEmergencySecurityCouncil. In the last few lines, the function makes sure that the...

No security council member can be proposed for removal using the propose function because it will always return MemberNotFound

Lines of code L134-L139 Vulnerability details Impact No security council member can be proposed for removal. Proof of Concept Going by the Arbitrum DAO constitution, a security council member cannot belong to first and second cohort at the same time. A security council member can either be in the...

Failed transfer with low level call could be overlooked

Lines of code Vulnerability details Impact In LendingLedger.sol and votingEscrow.sol, low level call made using the call, According to the Solidity docs, "The low-level functions call, delegatecall and staticcall return true as their first return value if the account called is non-existent, as pa...

GaugeController.sol isn't updated when voting power is delegated, enabling users to arbitrarily increase gauge weight

Lines of code Vulnerability details Impact A malicious user can arbitrarily increase any gauge's weight, resulting in loss of rewards for lenders of other gauges. Proof of Concept Note that the below code snippet from GaugeController.voteforgaugeweights called by users to cast and change votes...

The Owner of SecurityCouncilMemberElectionGovernor Can Replace Cohorts And Bypass The Election Process

Lines of code Vulnerability details Impact In SecurityCouncilManager contract: the cohorts members are replaced by election via replaceCohort function; the process goes as follows: 1. an election proposal is made by anyone after 6-months of the last election via...

GovernanceChainSCMgmtActivationAction : TIMELOCK_CANCELLER_ROLE is not set to the newEmergencySecurityCouncil

Lines of code Vulnerability details Impact newEmergencySecurityCouncil will not have the TIMELOCKCANCELLERROLE. Proof of Concept GovernanceChainSCMgmtActivationAction has the function perform which will be used to activate elections on Arbitrum One. while the function set and revoke the...

User funds can be lost

Lines of code Vulnerability details Impact User funds sent by users can be lost forever Proof of Concept The contract LendingLedger.sol implements the function receive external payable to allow to the protocol to deposit the Canto used in the expected behaviour. But since the receive external...

the _checkpoint_market may not work as expected when it called more than twice at least

Lines of code Vulnerability details Impact the checkpointmarket function in the lendingLedger.sol contract did not work as it expected when the caller make a call to the function for the third time. the checkpointmarket would called more than once to update the market, however the function will n...

prev emergency security council still has cancellor role in SecurityCouncilMgmtActivationAction

Lines of code Vulnerability details Description In the GovernanceChainSCMgmtActivationAction.perform function. This function is responsible for activating the new emergency security council and revoking the roles of the previous emergency security council. The bug occurs in the following line of...

Proposals will not be submitted in SecurityCouncilMemberElectionGovernor.sol and SecurityCouncilNomineeElectionGovernor.sol

Lines of code Vulnerability details Impact SecurityCouncilNomineeElectionGovernor::execute and SecurityCouncilNomineeElectionGovernor::createElection will always revert, since the form of description at the proposal is not compliant to the format required at GovernorUpgradable of Openzeppelin...

Misaligned Epoch Calculation for Reward Claims

Lines of code Vulnerability details Impact When users attempt to claim rewards, the contract calculates the claimEnd and subsequently updates the userClaimedEpoch using claimEnd + WEEK. This might result in misaligned epochs in scenarios where claimUpToTimestamp is less than or more than a week. ...

Timelock canceller role is removed from council and transferred to upgrade executor

Lines of code Vulnerability details Impact In L1SCMgmtActivationAction the TIMELOCKCANCELLORROLE is removed from the previous EmergencySecurityCouncil and not transferred to the new EmergencySecurityCouncil but rather to the L1 UpgradeExecutor. In SecurityCouncilNomineeElectionGovernor the...

Signatures can be replayed in castVoteWithReasonAndParamsBySig() to use up more votes than a user intended

Lines of code Vulnerability details Bug Description In the SecurityCouncilNomineeElectionGovernor and SecurityCouncilMemberElectionGovernor contracts, users can provide a signature to allow someone else to vote on their behalf using the castVoteWithReasonAndParamsBySig function, which is in...

GaugeController` allows for quick vote and withdraw

Lines of code Vulnerability details This issue was identified in the original Curve Finance audit, finding ID TOB-CURVE-DAO-004. It remains unresolved in the mkt.market implementation, but was fixed in the Curve implementation. Impact A malicious voter is able to use full voting power for multipl...

getPastCirculatingSupply() returns the ARB token supply instead of circulating votes supply

Lines of code Vulnerability details Bug Description In ArbitrumGovernorVotesQuorumFractionUpgradeable, the getPastCirculatingSupply function is used when calculating quorum for proposals: ArbitrumGovernorVotesQuorumFractionUpgradeable.solL31-L35 /// @notice Get "circulating" votes supply; i.e.,...

otherCohort() is not returning different value when the Election has ended.

Lines of code Vulnerability details Impact In SecurityCouncilNomineeElectionGovernor.sol when the otherCohort function is called, it should return the otherCohort. But it is not the case because it returns the cohort at electionIndexToCohort at electionCount - 2 which is only updated when another...

TEST FINDING

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used Recommended Mitigation Steps Assessed...

Lenders can deposit at anytime during the week and still claim rewards for that week

Lines of code Vulnerability details Impact Anytime a user deposits during an epoch i.e a week he immediately is eligible to earn from the rewards for that lending market that week. This occurs because when the lending pool calls syncledger, LendingLedger adds the deposit to the users deposit for...

Delegation empowers more voting weight than expected

Lines of code Vulnerability details Description and Impact The user's voting power decreases linearly from the moment of the lock. To prevent this decrease, users can delegate their voting power to a new wallet. Here is an example scenario illustrating this: 1. The user owns two wallets, Wallet A...

GaugeController - Vulnerability with changing gauge weight would make the contract stop working

Lines of code Vulnerability details Impact The issue is applied differently based on how changegaugeweight works. 1. When changing gauge weight is essential for every enabled gauge before any vote happens An attacker can front-run changegaugeweight transaction to manipulate slope which can result...

Missing access control for whitelisted smart contract

Lines of code Vulnerability details Impact Because this contract is a copy from the curve side, the verwa side is missing the check of a whitelisted/blacklisted smart contract. If the "blacklist" check is not added or implemented within the function, then the contract would lack the necessary...