10190 matches found
The LendingLedger.sync_ledger function is susceptible to a potential reentrancy attack
Lines of code Vulnerability details Impact The primary focus is on the functions deposit/withdraw situated within the LendingMarket smart contracts, as they trigger the invocation of the LendingLedger.syncledger function. These functions carry the potential risk of containing a reentrancy issue,...
receive() in LendingLedger should be replaced by an appropriate function to prevent users from sending native by mistake
Lines of code Vulnerability details Impact Users lose funds by transferring them by mistake to LendingLedger. Proof of Concept Since the LendingLedger contract has a receive external payable function which receives native without any validation, which means that anyone can transfer native to it b...
electionToTimestamp() might return incorrect timestamps depending on the day of the first election
Lines of code Vulnerability details Bug Description For nominee elections, election dates are determined using the the electionToTimestamp function in the SecurityCouncilNomineeElectionGovernorTiming module. When SecurityCouncilNomineeElectionGovernor is initialized after deployment, the first...
Missing validation for the _l1TimelockMinDelay parameter in the constructor to ensure it's within a reasonable or expected range.
Lines of code Vulnerability details Impact The constructor accepts a parameter l1TimelockMinDelay and assigns it to l1TimelockMinDelay without performing any validation checks. This means potentially erroneous or extreme values can be set, which could cause undesired behaviors in the system or op...
SecurityCouncilMemberSyncAction.perform is not exclusively can be scheduled from SecurityCouncilManager's operations
Lines of code Vulnerability details Impact SecurityCouncilMemberSyncAction.perform is a crucial function that will be triggered by upgrade executor via delegate call after the whole election process or after current members do some update add/remove/replace/rotate to update security council...
Reusing other user's votes for both nominee and member elections
Lines of code Vulnerability details Impact The two elections nominee and member are sharing the same proposal id. This give an attack opportunity to a malicious user to reuse signature of other users who casted vote by signature in nominee election for casting vote in member election. In other...
SecurityCouncilMemberElectionGovernor Owner Can Change votingPeriod During an Active Election
Lines of code Vulnerability details Impact In SecurityCouncilMemberElectionGovernor contract : relay function enables the contract owner from making calls to any contract address. And in SecurityCouncilMemberElectionGovernorCountingUpgradeable contract: setFullWeightDuration can be accessed only ...
Revert error in SecurityCouncilNomineeElectionGovernor.sol#_execute()
Lines of code Vulnerability details Impact Current implementation of SecurityCouncilNomineeElectionGovernor.solexecute will always revert whenever it is executed Proof of Concept 1. Take a look at SecurityCouncilNomineeElectionGovernor.solexecute 324: function execute 325: uint256 proposalId, 326...
Users can abuse VotingEscrow.delegate() to avoid voting power decay. Additionally, users can delegate expired locks to regain full voting power.
Lines of code Vulnerability details Impact Voting power will not decay over the course of the lock. Proof of Concept The VotingEscrow.delegate function allows users to delegate to locks with a longer expiry time. See the below code snippet and inline comments: requiretoLocked.end = fromLocked.end...
Users can vote infinitely via delegation
Lines of code Vulnerability details Summary GaugeControllervoteforgaugeweights is designed to allow users to vote for gauge rewards based on the amount of $CANTO they have locked in the VotingEscrow contract. VotingEscrow includes functionality for users to delegate their voting power to another...
add_gauge doesn't initialize time_weight and update time_sum
Lines of code Vulnerability details Impact In Curve's implementation, when adding gauge, timeweight of gauge type is being initialized and timesum being updated. if self.timesumgaugetype == 0: self.timesumgaugetype = nexttime self.timeweightaddr = nexttime Since timesum has been set in constructo...
Missing validation to ensure that the _l2CoreGovTimelock parameter is not the zero address in the initialize function
Lines of code Vulnerability details Impact The initialize function accepts a parameter l2CoreGovTimelock and does check if it's a contract address using Address.isContract. However, there's no explicit check to ensure that l2CoreGovTimelock is not the zero address...
LendingLedger Lack of method to rescue accidentally sent Canto
Lines of code Vulnerability details Impact There is no function to rescue Canto accidentally sent to LendingLedger so if governance fat-finger those Canto could be lost forever. Proof of Concept There is no function to transfer native token out of LendingLedger Tools Used Manual inspection...
Contrary to sponsor's intent, the gauge's weight will not be updated properly if governance do not change weight before any voting
Lines of code Vulnerability details Impact This is the intended procedure based on Sponsor's answer in discord: Q: when we add new gauge we don't set any weight point or any data for it, did the new gauge will get the weight and power by time when users vote for it ?! A: Yes, the idea is that the...
Decayed voting power can be restored by delegating to newer lock
Lines of code Vulnerability details Impact Delegation to newer lock updates slope and bias of delegatee according to new delegated amount and lengthier lock time which leads to decayed voting power from delegator older lock to be restored // @audit - slope and bias being updated according to...
GaugeController.remove_gauge() may indefinitely trap user voting power
Lines of code Vulnerability details Impact Users will permanently lose voting power equal to their power used to vote in the removed gauge unless the gauge is re-added and users re-vote to remove their voting power from the gauge. Proof of Concept GaugeController.sol does not have any function fo...
User can claim most of the rewards for a lending market by depositing cNote for just 2 blocks / epoch
Lines of code Vulnerability details Impact For a user to receive rewards for supplying cNote in a lending market LM, he only needs to have supplied the cNote at the end of an epoch. Users staking for the whole duration of an epoch get 0 benefits, compared to users who supply only at the end of th...
replaceMember and rotateMember redundancy
Lines of code Vulnerability details Impact The replaceMember and rotateMember functions have identical functionality which may lead to redundancy and confusion. Proof of Concept Both the replaceMember and rotateMember functions essentially perform the same action: replacing a current member...
SecurityCouncilMemberElectionGovernor propose() function is not properly restricted
Lines of code Vulnerability details summary The propose function in the SecurityCouncilMemberElectionGovernor contract is not properly restricted. This means that any user can call it, including attackers. Description The propose function in the SecurityCouncilMemberElectionGovernor contract is...
Lock owner DOS and funds stuck
Lines of code Vulnerability details Impact The lock's owner will no longer have the ability to use the delegate function. Meaning the person he chose to delegate can withdraw his funds when lock expires, but won't be able to. Proof of Concept Lets imagine 3 users with a Lock each: If user 1...
receive function allows any user to lose funds
Lines of code Vulnerability details Impact Lending ledger receive function allows for any user to send funds and lose them forever. Proof of Concept Any user that sends funds to the Lending Ledger contract through the receive function, can't withdraw their funds meaning they would be stuck in...
Fixed locking period of 5 years doesn't allow the delegator to withdraw funds for atleast another 5 years
Lines of code Vulnerability details Details Let's first understand how the process of delegation, withdraw and increaseAmount works 1. Rule 1: To delegate to some user A, A.lock.end needs to be longer than msg.sender.lock.end and A.Lock.end block.timestampLock mustn't be expired...
SecurityCouncilManager : removeMember does not make sure that the member is removed sucessfully.
Lines of code Vulnerability details Impact Incorrect information emitted as removed address. Remover would be thinking that they have successfully removed the harm causing cohort members, but still they are sitting inside the council. This is not good given the nature of the harmed action that...
Voters can vote on a single pool multiple times by redelegating
Lines of code Vulnerability details Impact Users should be able to have only one concurrent vote on a pool in GaugeController. When a user votes the weight of his vote is calculated using his userweight parameter and the slope and end time of his balance lock are used to calculate the bias for th...
Potential Overflow Bug in sync_ledger Function
Lines of code Vulnerability details Impact The syncledger function in the provided Solidity smart contract is vulnerable to potential overflow issues when processing a large value for the delta parameter. Depending on the magnitude of the delta value, the contract may encounter various undesired...
GaugeController allows for quick vote and withdraw voting strategy
Lines of code Vulnerability details Summary The GaugeController voting can be abused to apply all of the user's weight in every gauge's vote. GaugeController's voting changes the weight of the gauge. Each user can split their voting weight power between the gauges function...
Malicious user can drastically boost their voting power by increase a dust amount in lock
Lines of code Vulnerability details Impact A user's weight on a gauge weight voting by design decay with time. However, a user can simply bypass the decay by increasing a dust amount in their lock in VotingEscrow.sol. I think this is high severity due to easy and cheap manipulation. Proof of...
the claim function may underFlow when it calculate the claimEnd
Lines of code Vulnerability details Impact in the claim function there is possibility of the underflow which lead the transaction to revert, the function may underflow in this line uint256 claimEnd = Math.mincurrEpoch - WEEK, claimUpToTimestamp because the currEpoch will return the current epoch...
critical functions should emit an event when they called
Lines of code Vulnerability details Impact some critical functions should emit an even when they called because it contains important information and an event should be emitted, some functions in this contest did not emit an event and this may led to unwanted behavior in future functions like cla...
Delegating older lock to a newer one does not allow to undelegate it
Lines of code Vulnerability details Impact User who accidentally delegates his lock to the newer one, will get his lock stuck. User won't be able to undelegate his lock, because function delegate will always revert. Please notice, that this is the different issue than previously reported:...
No need to stack lend pool to take lendlaunger rewards
Lines of code Vulnerability details Impact Lending lenger give reward tokens to users if they lend their tokens to selected pools. Lendingledger give rewards as weekly and it records user's balance until end of the weekespacially thursday because 1 jan 1970 was thursday. But protocol records can ...
vulnerability due to the nonce rolling over and generating duplicate salts
Lines of code Vulnerability details Impact An attacker could take the transaction data from the original proposal and re-submit it to the L2 timelock with the same salt. This would get executed again since the salt matches, allowing the attacker to replay the state change. Proof of Concept The...
Consider Disabling Inherited _cancel Function In The Governor Contracts
Lines of code Vulnerability details Impact The currently used openzeppelin upgradeable contracts dependency @openzeppelin/contracts-upgradeable is v4.7.3 The security council management contracts are inheriting the openzeppelin GovernorUpgradeable contracts to manage proposals. This version of...
Any of the role setter , nominee Vetter should not be a council (cohort) member.
Lines of code Vulnerability details Impact The privileged cohort membercouncil member can influence the member addition, removal, rotating the nominee and excluding the nominee. The function of election can be rigged, arbitrary proposals can be passed. This is easy by the council member who has...
setFullWeightDuration() can be called while a member election is ongoing
Lines of code Vulnerability details Bug Description In SecurityCouncilMemberElectionGovernorCountingUpgradeable, fullWeightDuration which is the duration where a user's votes has weight 1 can be set using setFullWeightDuration: SecurityCouncilMemberElectionGovernorCountingUpgradeable.solL77-L84...
New election can be created when another election is running.
Lines of code Vulnerability details Impact In the SecurityCouncilNomineeElectionGovernor.sol When calling createElection function, there is this check called requireLastMemberElectionHasExecuted which checks if the last election has executed. But this is wrong, the check is done by checking if th...
block.number DOES NOT PROVIDE A FAIR EVALUATION OF TIME MEASUREMENTS WITHIN FUNCTIONS
Lines of code Vulnerability details Impact The SecurityCouncilMemberElectionGovernorCountingUpgradeable.votesToWeight function is used to calculate the weight of a vote for a given proposal, block number, and number of votes. During the weight calculation the weight given for each vote depends on...
L1SCMgmtActivationAction does not check executor role of new and prev emergency security council
Lines of code Vulnerability details Proof of Concept GovernanceChainSCMgmtActivationAction.sol checks that the newEmergencySecurityCouncil has a upgradeExecutor role whereas the prevEmergencySecurityCouncil does not have a upgradeExecutor role. GovernanceChainSCMgmtActivationAction.sol // confirm...
Upgraded Q -> 2 from #513 [1691698843467]
Judge has assessed an item in Issue 513 as 2 risk. The relevant finding follows: Issue 2 --- The text was updated successfully, but these errors were encountered: All reactions...
If the length of owners in the safe array is too large, may experience out of gas revert
Lines of code Vulnerability details Proof of Concept Function requireSafesEquivalent in SecurityCouncilMgmtUpgradeLib.sol checks whether the addresses in the two safe arrays are the same and of the same length. If the arrays are too large, like there are many addresses that manages a gnosis safe,...
Delegate system can be used to increase voting power without resetting the lockEnd
Lines of code Vulnerability details Impact The added delegate mechanism allows increasing the voting power without resetting the lockEnd. Proof of Concept IncreaseAmount increases the locked amount of a msg.sender staked native in VotingEscrow and resets its lockEnd to block.timestamp + LOCKTIME...
User don't have to deposit for a week into the market to get his weekly reward from the LendingLedger
Lines of code Vulnerability details Impact In the LendingLedger contract, a user is rewarded with CANTO tokens depending on how long he has his deposit in the market. Rewards are distributed for each week during which the deposit was inside the market. However, the user can cheat this condition...
Sencond hand Delegatee can Withdraw before owner undelegates
Lines of code Vulnerability details Impact When an original depositor delegates to another address, the new address can call withdraw before the delegator undelegates. Proof of Concept requirelocked.amount 0, "No lock"; requirelocked.end Attack Scenerio: 1. When an original depositor creates a...
Possible DoS of Election Process
Lines of code Vulnerability details Impact Contract SecurityCouncilNomineeElectionGovernor allows contenders to participate in the election process as nominee over function addContender. The necessary condition for this process is that proposal was created before and has status...
createLock, increaseAmount int128(int256(_value)) unsafe downcast can lead to asset loss
Lines of code Vulnerability details Impact Suppose users deposit more than typeint128.max value through createLock and increaseAmount, they may get less voting power and can't get the assets back. Proof of Concept The VotingEscrow.sol is forked from FIATDAO, but it seems don't consider a MEDIUM...
SecurityCouncilMemberSyncAction : perform function can be continually DOSed which will prevent the valid update the members of the gnosis safe
Lines of code Vulnerability details Impact The securityCouncil update will be prevented by continuously calling the perform function. Since the function rely on the nonce value, this function can be continuously called and nonce value is updated. This would prevent the valid security council upda...
Anyone can call the perform function because there is no access control
Lines of code L31-L75 Vulnerability details Impact Anyone can call the perform function. It can lead to unauthorized changes in the security council. Proof of Concept There is no access control in the perform function and it is marked "external". function performaddress securityCouncil, address...
GaugeController._get_sum() returns wrong value, breaking vote accounting
Lines of code Vulnerability details Impact The function to account for past historic total gauge weights getsum is supposed to return the sum for the future week. Instead it returns the sum for the oldest updated week. The returned value is used in voteforgaugeweights to compute the sum after the...
[M-01] SecurityCouncilNomineeElectionGovernor.includeNominee(): Missing check adhering to constitution when nominee vetter include nominee
Lines of code Vulnerability details Impact SecurityCouncilNomineeElectionGovernor.solL290-L317 function includeNomineeuint256 proposalId, address account external onlyNomineeVetter ProposalState state = stateproposalId; if state != ProposalState.Succeeded revert ProposalNotSucceededStatestate; if...
replaceMember&rotateMember; has no voting process
Lines of code Vulnerability details Impact The execution of the two methods replaceMember&rotateMember does not implement the voting process, which will violate the provisions of the following articles Address rotation: As a practical matter, a council member can rotate one of their own keys. Thi...