_verifyVoteSignature wrong implementation

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. voteHash = keccak256abi.encodeVOTETYPEHASH, from, pieceIds, noncesfrom++, deadline; here we are using noncesfrom++ for calculating voteHash but different from address can have the same noncesfrom++...

_handleRepay of MoneyMarketHook does not consider the actual debt shares of the posId inside the position manager and could lead to a user's tokens getting stuck inside the hook.

Lines of code Vulnerability details Impact When users construct repay operations via MoneyMarketHook, it doesn't consider the actual debt shares of the position inside the InitCore and PosManager. This could lead to users' tokens getting stuck inside the MoneyMarketHook contract. Proof of Concept...

Lack of receive() inside MoneyMarketHook contract when interacting with WNATIVE.

Lines of code Vulnerability details Impact MoneyMarketHook is expected to work with the native balance when interacting with WNATIVE, especially when params.returnNative is set to true during the execute operation. However, due to the lack of a receive function inside the contract, MoneyMarketHoo...

LP owner cannot control slippage while managing their position

Lines of code Vulnerability details Summary The owner of the LP cannot specify the slippage parameters while interacting with this position in increaseLiquidity and decreaseLiquidity. Impact Liquidity interaction with Uniswap is protected by minimum amount parameters that control the slippage of...

changing LOAN_TERM changes terms for existing loans

Lines of code Vulnerability details Impact If the protocol updates the loan terms, this will affect existing loans taken under different terms. Proof of Concept LOANTERM is a guarantee for the lender liquidity provider to eventually get their liquidity back. After loan term has passed the lender...

Api3OracleReader may be unavailable up to 1 hour if the timestamp of the price from the Api3Server is bigger than the current block.timestamp

Lines of code Vulnerability details Impact Oracle unavailable for up to 1 hour, which could lead to positions going underwater and being liquidated when it becomes live again, without users having the chance to repay/collateralize. Proof of Concept The airnode code has a note concerning this...

Missing access control on critical functions

Lines of code Vulnerability details The broad admin role enables arbitrary manipulation of the heap without restrictions. Recommendation: Implement granular access control and privilege separation. Implement an access control system such as OpenZeppelin AccessControl to restrict access to these...

marginTo when opening a position increases slippage

Lines of code Vulnerability details Impact Providing marginTo when opening position will not increase premium but be stolen by MeV. This can be mitigated by providing amountOutMin in swap params but the protocol should guarantee proper swap. Proof of Concept When opening a position a borrower can...

openPosition() Lack of minimum token0PremiumPortion/token1PremiumPortion limit

Lines of code Vulnerability details Vulnerability details In openPosition, it allows token0PremiumPortion and token1PremiumPortion to be 0 at the same time. In this case, if tokenId enters outofprice, for example, UpperOutOfRange, anyone might be able to input: marginFrom = 0 marginTo = 0...

Using addPremium() to evade part of the fees from marginFrom

Lines of code Vulnerability details Vulnerability details When openPosition, we will charge a certain fee, the calculation formula is as follows: marginFrom + amountFromBorrowed FEEFACTOR / Base.BASISPOINT It will include marginFrom, which is mainly used to ensure enough collateralTo after swap,...

Signature Verification for _verifyVoteSignature Function

Lines of code Vulnerability details Potential Risk: The verifyVoteSignature function in the CultureIndex contract is responsible for verifying signatures for specific votes. While it attempts to verify signatures, there are potential risks associated with signature verification. Proof of Concept...

When the returnNative parameter is set to true in the _params provided to MoneyMarketHook.execute, it is not handled properly and could disrupt user expectations

Lines of code Vulnerability details Impact When param.returnNative is set to true while calling MoneyMarketHook.execute, users expect the returned token from the withdraw operation to be in native form and sent to the caller. However, in the current implementation, this is not considered and coul...

voteForManyWithSig functions in CultureIndex are open to replay attacks if fails.

Lines of code Vulnerability details Impact If vote fails or reverts for any reason, the nonce in verifyVoteSignature doesn't increment. This leads to the same vote tx being replayed by anyone. Proof of Concept A user submits a vote via voteForManyWithSig, triggering verifyVoteSignature for...

Some buyers wont get expected tokens minted due to precision loss

Lines of code Vulnerability details Impact The ERC20TokenEmitter.buyToken mints tokens according to the configured bps per address. This is due to the below code's implementation in buyToken function. for uint256 i = 0; i 0 // transfer tokens to address mintaddressesi, uint256totalTokensForBuyers...

The creator does not receive additional ether - it accumulates on the contract

Lines of code Vulnerability details Impact In some cases, the ERC20TokenEmitter contract may accumulate residual ether that was not sent to the creator. The contract does not have a function to pick up the remaining ether. When a user wants to buy tokens, he sends ether to the...

Input Validation for _vote Function

Lines of code Vulnerability details Potential Risk: The vote function in the CultureIndex contract takes two parameters: pieceId and voter. While the function includes some input validation checks, there are some potential issues and missing checks that should be addressed. Proof of Concept PoC:...

Decimals of LendingPool don't take into account the offset introduced by VIRTUAL_SHARES

Lines of code Vulnerability details Impact The impact of this finding is more on the marketing/data fetching side, on exchanges it would appear that the shares are worth less VIRTUALSHARES than the underlying token. Given that it would influence the perception of the value of the shares token,...

Exclusion of New Users Due to Token Max Supply

Lines of code Vulnerability details Summary New users are unable to participate in the protocol once the governance token's maximum supply is reached. Vulnerability Details To engage in the voting system, users need to acquire tokens directly from the protocol, a process managed by...

Bidders can bid at previous auction reserve price by frontrunning the setter transactions

Lines of code Vulnerability details Impact The AuctionHouse.settleCurrentAndCreateNewAuction can frontrun the setter functions such as setCreatorRateBps, setMinCreatorRateBps, setEntropyRateBps, setTimeBuffer, setMinBidIncrementPercentage & setReservePrice. As soon as the current auction ends, an...

liquidatePosition() liquidator can construct malicious data to steal the borrower's profit.

Lines of code Vulnerability details Vulnerability details When the Loan expires, and RenewalCutoffTime has been set, anyone can execute the liquidation method liquidatePosition. Execution path: liquidatePosition - closePosition - Base.swapparams.data The problem is that this params.data can be...

Liquidations can be prevented by frontrunning and liquidating 1 debt (or more) due to wrong assumption in POS_MANAGER

Lines of code Vulnerability details Impact Users can avoid being liquidated if they frontrun liquidation calls with a liquidate call with 1 wei. Or, they may do a partial liquidation and avoid being liquidated before the interest reaches the value of the debt pre liquidation. The total interest...

Signature Malleability in CultureIndex::_verifyVoteSignature function

Lines of code Vulnerability details Impact The elliptic curve used in Ethereum for signatures is symmetrical, hence for every v,r,s there exists another v,r,s that returns the same valid result. Therefore two valid signatures exist which allows attackers to compute a valid signature without knowi...

Error Handling in '_createAuction' Function

Lines of code Vulnerability details Potential Risk: The 'createAuction' function attempts to mint a new Verb by calling the 'verbs.mint' function. However, it lacks proper error handling for the minting process. If the minting operation fails e.g., due to insufficient gas or other reasons, the...

Error Handling and Consistency in '_settleAuction' Function

Lines of code Vulnerability details Potential Risk: The 'settleAuction' function is responsible for settling an auction by finalizing the bid and handling payouts to various parties. It performs several operations and interactions with external contracts. However, the function lacks proper error...

Owners of LPs can be dosed when removing their position

Lines of code Vulnerability details Summary LP owners can reclaim liquidity to stop it from being extended for current liens but this doesn't stop from being used in new positions. Impact LP owners can signal their intention to pull liquidity by calling reclaimLiquidity. This function updates the...

Two items having same number of votes above the quorum can lead to invariant violation and unfairness towards either of the item

Lines of code Vulnerability details Impact When an item is dropped or extracted from the maxHeap tree, it is directly done so from the item at the root of the tree i.e. index 0. Although this is expected, if one of the child itemIds have number of votes equal to that of the root node, this would ...

malicious borrowers can follow reclaimLiquidity() then execute addPremium() to invalidate renewalCutoffTime

Lines of code Vulnerability details Vulnerability details LP can set renewalCutoffTime=block.timestamp by executing reclaimLiquidity, to force close position function liquidatePosition DataStruct.ClosePositionParams calldata params, address borrower external override nonReentrant ... if...

liquidatePosition() change LOAN_TERM may result in the borrower paying additional liquidation fees.

Lines of code Vulnerability details Vulnerability details Currently, there are three ways to close a position: 1. The borrower voluntarily closes it through closePosition. 2. If Premium is insufficient, it is forcibly closed by liquidatePosition. 3. After the loan expires, LP forcibly closes it b...

Tighten Admin Access Control

Lines of code Vulnerability details Admin functions do not use a custom admin role and rely only on owner access control. Recommendation: Implement a custom admin role. // Custom admin role instead of owner enum Role ADMIN // Restrict drop function function dropTopVotedPiece external...

Add premium doesn't collect fees

Lines of code Vulnerability details Summary Fees are applied to premiums when a new position is opened, but the same mechanism is not enforced when margin is added to an existing position. Impact When a new position is created in the LAMM protocol, fees are collected in favor of the LP owner that...

Input Validation for 'createBid' Function

Lines of code Vulnerability details Potential Risk: The 'createBid' function in the contract is responsible for allowing users to place bids on a Verb auction by sending Ether. While the function includes several checks, it lacks explicit input validation for certain parameters, which could lead ...

Votes delegated to the zero address will be stuck forever and user can no longer delegate votes

Lines of code Vulnerability details Bug Description VotesUpgradeable automatically delegates a user's votes to themselves if a delegatee is not set. VotesUpgradeable.solL165-168 function delegatesaddress account public view virtual returns address VotesStorage storage $ = getVotesStorage; return...

Position owners can steal others position's Wlp collaterals

Lines of code Vulnerability details Impact Position's owner can steal other users Wlp collateral, as long as it doesn't completely withdraw all the balance of tokenId LP. Proof of Concept When users call decollateralizeWLp function from InitCore, as long as Wlp is whitelisted and the mode's...

Reverting when the heap is full

Lines of code Vulnerability details Reverting when the heap is full: a You mentioned in the comments that the function will revert if the heap is full. b However, the code as it stands doesn't have any logic to check if the heap is indeed full. c Depending on the context, you might want to add a...

Liquidator can get higher rate for liquidation

Lines of code Vulnerability details Proof of Concept When position is unhealthy then it can be liquidated. In order to incentivize someone to liquidate positions they receive some extra amount of collateral. This incentive percentage is calculated inside...

Modifying the loan term setting can default existing loans

Lines of code Vulnerability details Summary Protocol admins can modify the loan term settings. This action can inadvertently default existing loans created under different terms. Impact Positions in the Particle LAMM protocol are created for a configurable period of time, defined by the LOANTERM...

Increase liquidity in close position may not cover original borrowed liquidity

Lines of code Vulnerability details Summary When a position is closed, there is no check to ensure that the effective added liquidity covers the original borrowed liquidity from the LP. Impact Closing a position in the Particle LAMM protocol must ensure that the borrowed liquidity gets fully adde...

If the NFT is because the auction is not met the reservePrice in _settleAuction() function, during the auction the totalSupply of erc721VotingToken is get in the quorumVotes, leading that the piece cannot be drpped

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used Recommended Mitigation Steps Assessed...

Zero amount token transfers may cause a denial of service during liquidations

Lines of code Vulnerability details Summary Some ERC20 implementations revert on zero value transfers. Since liquidation rewards are based on a fraction of the available position's premiums, this may cause an accidental denial of service that prevents the successful execution of liquidations...

borrower can prevent liquidity provider from withdrawing their liquidity

Lines of code Vulnerability details Description When a liquidity provider wants to withdraw their liquidity they can call ParticlePositionManager::reclaimLiquidity. This will prevent any renewals: ParticlePositionManager::addPremium: File: protocol/ParticlePositionManager.sol 508: // check LP...

Incomplete Creator Rewards in Auction Settlement

Lines of code Vulnerability details Summary During the settlement of auctions in the AuctionHouse, the proceeds meant for creators are not accurately distributed, leading to potential loss of funds for the creators. Vulnerability Details In the process of settling auctions...

reclaimLiquidity() Malicious borrowers can force LPs to be unable to retrieve Liquidity by closing and reopening the Position before it expires.

Lines of code Vulnerability details Vulnerability details If LP wants to retrieve the Liquidity that has been lent out, it can set a renewalCutoffTime through reclaimLiquidity. If the borrower does not voluntarily close, liquidatePosition can be used to forcibly close the position after the loan...

The builderReferral, purchaseReferral and deployer can never be equal to address(0), which leads to the revolutionRewardRecipient stealing their rewards

Lines of code Vulnerability details HIGH The builderReferral, purchaseReferral and deployer can never be equal to address0, which leads to the revolutionRewardRecipient stealing their rewards Description: revolutionRewardRecipient will receive the rewards of the builderReferral, purchaseReferral...

Liquidator has no incentives to execute a favorable trade to the borrower

Lines of code Vulnerability details Summary Swaps involved in liquidations may negatively impact the owner of the lien, since there is no incentive to execute a favorable trade as long as the received amount is enough to recover the liquidity. Impact When an existing position is closed, the...

position can be opened without premium

Lines of code Vulnerability details Description Premium in ParticlePositionManager is used to cover trading fees accrued for the liquidity borrowed. When liquidating, a portion of the premium is also used for the liquidation reward. The issue is that a borrower can open a position without any...

Incorrect fee calculation may lead to borrower overpaying

Lines of code Vulnerability details Summary Fees are incorrectly snapshotted when a new lien is created, potentially leading to a fee overpay. Impact The Particle LAMM protocol tracks fees using the same internal tracking built in Uniswap V3. Positions in Uniswap V3 contain a couple of variables...

A wLP collateral that is no longer whitelisted but was at some point won't let users decollateralize or be liquidated

Lines of code Vulnerability details Impact Users who collateralized using wLP won't ever be liquidated unless the wLP is whitelisted back, but this could be dangerous depending on the reason it was removed from the whitelist. They can't also decollateralize. The severity of this issue depends...

setPosMode function doesn't check if wLp is whitelisted

Lines of code Vulnerability details Proof of Concept Using setPosMode function owner of position can change it's mode. When the function is called, then there are a lot of checks, like if current mode allows to decollateralize and if new mode allows to collateralize. Also it's checked, that all...

openPosition() use stale feeGrowthInside0LastX128/feeGrowthInside1LastX128

Lines of code Vulnerability details Vulnerability details When openPosition, we need to record the current feeGrowthInside0LastX128/feeGrowthInside1LastX128. And when closing the position, we use Base.getOwedFee to calculate the possible fees generated during the borrowing period, which are used ...

liquidator will always take what is left of borrowers premium

Lines of code Vulnerability details Impact A liquidator can manipulate the pool they are swapping in to take any potential left over premium from the borrower. Proof of Concept When liquidating a position the liquidator essentially closes the position on behalf of the borrower for a liquidation...