10190 matches found
Slippage protection missing
Lines of code Vulnerability details The MaxHeap contract does not check for slippage when updating item values. This could enable the admin to manipulate asset prices. Recommendation: Implement slippage protection by adding min/max checks in updateValue: function updateValueuint256 itemId, uint25...
Input Validation for _vote Function
Lines of code Vulnerability details Potential Risk: The vote function in the CultureIndex contract takes two parameters: pieceId and voter. While the function includes some input validation checks, there are some potential issues and missing checks that should be addressed. Proof of Concept PoC:...
Error Handling and Consistency in '_settleAuction' Function
Lines of code Vulnerability details Potential Risk: The 'settleAuction' function is responsible for settling an auction by finalizing the bid and handling payouts to various parties. It performs several operations and interactions with external contracts. However, the function lacks proper error...
Users receive fewer tokens due to inaccuracy in calculation
Lines of code Vulnerability details Impact There is a loss of precision in the VRGDAC.yToX function, because in several places division occurs first, and then the result is multiplied. This results in users receiving fewer tokens. According to test data, the difference can be 8 digits. The choice...
liquidator will always take what is left of borrowers premium
Lines of code Vulnerability details Impact A liquidator can manipulate the pool they are swapping in to take any potential left over premium from the borrower. Proof of Concept When liquidating a position the liquidator essentially closes the position on behalf of the borrower for a liquidation...
Liquidator has no incentives to execute a favorable trade to the borrower
Lines of code Vulnerability details Summary Swaps involved in liquidations may negatively impact the owner of the lien, since there is no incentive to execute a favorable trade as long as the received amount is enough to recover the liquidity. Impact When an existing position is closed, the...
No access control on critical functions
Lines of code Vulnerability details The contract lacks proper access control on critical functions, allowing unauthorized parties to execute them. Recommendation: Use OpenZeppelin Ownable control for minting/burning, etc. Before: // No access control checks in critical functions function...
Bidders can bid at previous auction reserve price by frontrunning the setter transactions
Lines of code Vulnerability details Impact The AuctionHouse.settleCurrentAndCreateNewAuction can frontrun the setter functions such as setCreatorRateBps, setMinCreatorRateBps, setEntropyRateBps, setTimeBuffer, setMinBidIncrementPercentage & setReservePrice. As soon as the current auction ends, an...
liquidatePosition() change LOAN_TERM may result in the borrower paying additional liquidation fees.
Lines of code Vulnerability details Vulnerability details Currently, there are three ways to close a position: 1. The borrower voluntarily closes it through closePosition. 2. If Premium is insufficient, it is forcibly closed by liquidatePosition. 3. After the loan expires, LP forcibly closes it b...
Using addPremium() to evade part of the fees from marginFrom
Lines of code Vulnerability details Vulnerability details When openPosition, we will charge a certain fee, the calculation formula is as follows: marginFrom + amountFromBorrowed FEEFACTOR / Base.BASISPOINT It will include marginFrom, which is mainly used to ensure enough collateralTo after swap,...
An artPiece with a creator address set to address(0) leads to a pseudo-permanent DoS if it ends up being auctioned.
Lines of code Vulnerability details Vulnerability details Description There is a potential for a DoS in the AuctionHouse contract related to the buyToken call from the ERC20TokenEmitter. This is due to the buyToken using the mint function to all the addresses that are stored on the creators array...
The builderReferral, purchaseReferral and deployer can never be equal to address(0), which leads to the revolutionRewardRecipient stealing their rewards
Lines of code Vulnerability details HIGH The builderReferral, purchaseReferral and deployer can never be equal to address0, which leads to the revolutionRewardRecipient stealing their rewards Description: revolutionRewardRecipient will receive the rewards of the builderReferral, purchaseReferral...
Tighten Admin Access Control
Lines of code Vulnerability details Admin functions do not use a custom admin role and rely only on owner access control. Recommendation: Implement a custom admin role. // Custom admin role instead of owner enum Role ADMIN // Restrict drop function function dropTopVotedPiece external...
Reverting when the heap is full
Lines of code Vulnerability details Reverting when the heap is full: a You mentioned in the comments that the function will revert if the heap is full. b However, the code as it stands doesn't have any logic to check if the heap is indeed full. c Depending on the context, you might want to add a...
If the NFT is because the auction is not met the reservePrice in _settleAuction() function, during the auction the totalSupply of erc721VotingToken is get in the quorumVotes, leading that the piece cannot be drpped
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used Recommended Mitigation Steps Assessed...
Loss of Funds for Users Due to Token Purchase after Maximum Supply
Lines of code Vulnerability details Summary When the token's total supply reaches its maximum, users lose funds when attempting to buy tokens, as the transaction completes without minting new tokens. Vulnerability Details To engage in the voting system, users must acquire tokens directly from the...
_verifyVoteSignature wrong implementation
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. voteHash = keccak256abi.encodeVOTETYPEHASH, from, pieceIds, noncesfrom++, deadline; here we are using noncesfrom++ for calculating voteHash but different from address can have the same noncesfrom++...
Input Validation for createPiece Function
Lines of code Vulnerability details Potential Risk: The createPiece function in the CultureIndex contract takes two parameters: metadata and creatorArray. While the function calls the validateCreatorsArray and validateMediaType functions to validate the input data, it does not verify whether the...
Missing access control on critical functions
Lines of code Vulnerability details The broad admin role enables arbitrary manipulation of the heap without restrictions. Recommendation: Implement granular access control and privilege separation. Implement an access control system such as OpenZeppelin AccessControl to restrict access to these...
Signature Malleability in CultureIndex::_verifyVoteSignature function
Lines of code Vulnerability details Impact The elliptic curve used in Ethereum for signatures is symmetrical, hence for every v,r,s there exists another v,r,s that returns the same valid result. Therefore two valid signatures exist which allows attackers to compute a valid signature without knowi...
Owners of LPs can be dosed when removing their position
Lines of code Vulnerability details Summary LP owners can reclaim liquidity to stop it from being extended for current liens but this doesn't stop from being used in new positions. Impact LP owners can signal their intention to pull liquidity by calling reclaimLiquidity. This function updates the...
Incorrect fee calculation may lead to borrower overpaying
Lines of code Vulnerability details Summary Fees are incorrectly snapshotted when a new lien is created, potentially leading to a fee overpay. Impact The Particle LAMM protocol tracks fees using the same internal tracking built in Uniswap V3. Positions in Uniswap V3 contain a couple of variables...
liquidatePosition() liquidator can construct malicious data to steal the borrower's profit.
Lines of code Vulnerability details Vulnerability details When the Loan expires, and RenewalCutoffTime has been set, anyone can execute the liquidation method liquidatePosition. Execution path: liquidatePosition - closePosition - Base.swapparams.data The problem is that this params.data can be...
Zero amount token transfers may cause a denial of service during liquidations
Lines of code Vulnerability details Summary Some ERC20 implementations revert on zero value transfers. Since liquidation rewards are based on a fraction of the available position's premiums, this may cause an accidental denial of service that prevents the successful execution of liquidations...
Liquidation condition should not factor the liquidation reward into the premiums
Lines of code Vulnerability details Summary The premiums used to determine the liquidation condition have the liquidation reward already discounted, potentially causing a lien to be considered underwater while technically it is not. Impact Positions in Particle LAMM can be liquidated if the owed...
Dangerous use of deadline parameter
Lines of code Vulnerability details Summary The protocol is using block.timestamp as the deadline argument while interacting with the Uniswap NFT Position Manager, which completely defeats the purpose of using a deadline. Impact Actions in the Uniswap NonfungiblePositionManager contract are...
Signature Verification for _verifyVoteSignature Function
Lines of code Vulnerability details Potential Risk: The verifyVoteSignature function in the CultureIndex contract is responsible for verifying signatures for specific votes. While it attempts to verify signatures, there are potential risks associated with signature verification. Proof of Concept...
Use SafeMath for overflow protection
Lines of code Vulnerability details Unchecked math could potentially trigger overflows. Recommendation: Utilize SafeMath library for overflow safe operations. using SafeMath for uint256; function mintaddress account, uint256 amount public onlyOwner // Overflow protected totalSupply =...
lack of deadline for uniswap interactions
Lines of code Vulnerability details Impact Lack of deadline can cause a transaction to be executed at an unfavorable time. Causing loss for the trader/liquidity provider. Proof of Concept In all three liquidity interactions with uniswap there is a lack of deadline parameter as block.timestamp is...
Lack of receive() inside MoneyMarketHook contract when interacting with WNATIVE.
Lines of code Vulnerability details Impact MoneyMarketHook is expected to work with the native balance when interacting with WNATIVE, especially when params.returnNative is set to true during the execute operation. However, due to the lack of a receive function inside the contract, MoneyMarketHoo...
Efficiency
Lines of code Vulnerability details Depending on the size of your heap, the while loop may execute a significant number of times. Consider whether you can optimize this loop for performance, especially if you expect a large number of insertions. Assessed type Loop --- The text was updated...
If the borrower enters token blacklist, LP may never be able to retrieve Liquidity
Lines of code Vulnerability details Vulnerability details Currently, there are two ways to retrieve Liquidity 1. borrower actively close position : call closePosition 2. be forced liquidation leads to close position : liquidatePosition - closePosition No matter which one, if there is a profit in...
collectLiquidity() Lack of can specify recipient leads to inability to retrieve token1 after entering the blacklist of token0
Lines of code Vulnerability details Vulnerability details LP has only one way to retrieve token, first decreaseLiquidity, then retrieve through the collectLiquidity method. collectLiquidity only has one parameter, tokenId. function collectLiquidity uint256 tokenId external override nonReentrant...
Liquidator can get higher rate for liquidation
Lines of code Vulnerability details Proof of Concept When position is unhealthy then it can be liquidated. In order to incentivize someone to liquidate positions they receive some extra amount of collateral. This incentive percentage is calculated inside...
Position owners can steal others position's Wlp collaterals
Lines of code Vulnerability details Impact Position's owner can steal other users Wlp collateral, as long as it doesn't completely withdraw all the balance of tokenId LP. Proof of Concept When users call decollateralizeWLp function from InitCore, as long as Wlp is whitelisted and the mode's...
A wLP collateral that is no longer whitelisted but was at some point won't let users decollateralize or be liquidated
Lines of code Vulnerability details Impact Users who collateralized using wLP won't ever be liquidated unless the wLP is whitelisted back, but this could be dangerous depending on the reason it was removed from the whitelist. They can't also decollateralize. The severity of this issue depends...
Votes delegated to the zero address will be stuck forever and user can no longer delegate votes
Lines of code Vulnerability details Bug Description VotesUpgradeable automatically delegates a user's votes to themselves if a delegatee is not set. VotesUpgradeable.solL165-168 function delegatesaddress account public view virtual returns address VotesStorage storage $ = getVotesStorage; return...
voteForManyWithSig functions in CultureIndex are open to replay attacks if fails.
Lines of code Vulnerability details Impact If vote fails or reverts for any reason, the nonce in verifyVoteSignature doesn't increment. This leads to the same vote tx being replayed by anyone. Proof of Concept A user submits a vote via voteForManyWithSig, triggering verifyVoteSignature for...
Swap Input Validation
Lines of code Vulnerability details Input Validation: - The swap function assumes that fpos and spos are valid positions within the heap. - Ensure that you are providing valid positions, and consider adding checks to verify that fpos and spos are within the bounds of your heap. requirefpos size &...
MaxHeapify: find children with large value and swap
Lines of code Vulnerability details Input Validation: - The maxHeapify function assumes that pos is a valid position within the heap. - Similar to the swap function, you should consider adding a check to verify that pos is within the bounds of your heap. requirepos size, "Invalid position...
Modifying the loan term setting can default existing loans
Lines of code Vulnerability details Summary Protocol admins can modify the loan term settings. This action can inadvertently default existing loans created under different terms. Impact Positions in the Particle LAMM protocol are created for a configurable period of time, defined by the LOANTERM...
Increase liquidity in close position may not cover original borrowed liquidity
Lines of code Vulnerability details Summary When a position is closed, there is no check to ensure that the effective added liquidity covers the original borrowed liquidity from the LP. Impact Closing a position in the Particle LAMM protocol must ensure that the borrowed liquidity gets fully adde...
Decimals of LendingPool don't take into account the offset introduced by VIRTUAL_SHARES
Lines of code Vulnerability details Impact The impact of this finding is more on the marketing/data fetching side, on exchanges it would appear that the shares are worth less VIRTUALSHARES than the underlying token. Given that it would influence the perception of the value of the shares token,...
The entire AuctionHouse contract can be disabled by a wrong creator bps sum.
Lines of code Vulnerability details Vulnerability details Description There is a potential for a DoS in the AuctionHouse contract related to the buyToken call from the ERC20TokenEmitter. This is due to the buyToken requiring the bpsSum to be equal to 10000, but there is no restriction when creati...
Signature Verification for voteForManyWithSig Function
Lines of code Vulnerability details Potential Risk: The voteForManyWithSig function in the CultureIndex contract allows users to vote on multiple pieceIds using a provided signature. While it attempts to verify the signature, there are some potential risks associated with signature verification...
Some buyers wont get expected tokens minted due to precision loss
Lines of code Vulnerability details Impact The ERC20TokenEmitter.buyToken mints tokens according to the configured bps per address. This is due to the below code's implementation in buyToken function. for uint256 i = 0; i 0 // transfer tokens to address mintaddressesi, uint256totalTokensForBuyers...
Input Validation for 'createBid' Function
Lines of code Vulnerability details Potential Risk: The 'createBid' function in the contract is responsible for allowing users to place bids on a Verb auction by sending Ether. While the function includes several checks, it lacks explicit input validation for certain parameters, which could lead ...
setPosMode function doesn't check if wLp is whitelisted
Lines of code Vulnerability details Proof of Concept Using setPosMode function owner of position can change it's mode. When the function is called, then there are a lot of checks, like if current mode allows to decollateralize and if new mode allows to collateralize. Also it's checked, that all...
Error Handling in '_createAuction' Function
Lines of code Vulnerability details Potential Risk: The 'createAuction' function attempts to mint a new Verb by calling the 'verbs.mint' function. However, it lacks proper error handling for the minting process. If the minting operation fails e.g., due to insufficient gas or other reasons, the...
CultureIndex.sol#_vote() - Creators of certain piece can vote for their piece
Lines of code Vulnerability details Impact In CultureIndex there is a function vote that allows users to vote for a piece to get sold on the auction house. Each piece has creators that get cut of the sale. The problem is that there is no checks if the user voting for a certain piece is it's own...