Some functions in TokenisableRange contracts do not allow users to supply their own deadline.
Lines of code Vulnerability details Impact Not allowing users to supply their own deadline could potentially expose them to sandwich attacks Proof of Concept Consider the following scenario: if fee0 100 bal0 && fee1 100 bal1 TOKEN0.token.safeIncreaseAllowanceaddressPOSMGR, fee0;...
Potential Precision Loss in claimFee() due to Division Before Multiplication
Lines of code Vulnerability details Impact The function claimFee may result in precision loss when calculating the addedValue variable. This issue arises due to division being performed before multiplication, leading to the possibility of truncated values and incorrect results. Proof of Concept T...
Missing sanityCheckUnderlying Call in Certain Functions of OptionsPositionManager Contract
Lines of code Vulnerability details Bug Description In the OptionsPositionManager contract, there is a missing call to the sanityCheckUnderlying function at the beginning of the sellOptions and close functions. These functions involve interactions with option assets and underlying tokens. However...
Only a relayer should call rngComplete function in RngRelayAuction.sol contract.
Lines of code Vulnerability details Impact An arbitrary user can set a winning number and set a rewardRecipient to take the rewards Proof of Concept The contract RngRelayAuction is setting a rngAuctionRelayer in the constructor. file: pt-v5-draw-auction/src/RngRelayAuction.sol /// @notice The...
slot0 is easily manipulatable
Lines of code Vulnerability details Impact The deposit amount of a user can be manipulated. Proof of Concept slot0 is extremely easy to manipulate as it is the most recent data point. The issue arises due to there not being any protection against sqrtPriceX96 manipulation. // @audit no check...
The RngRelayAuction::rngComplete() function can be called by anyone (malicious actor) causing that the draw will be closed using a malicious random number
Lines of code Vulnerability details Impact The rngComplete function is called by the RngAuctionRelayerDirect contract or the RngAuctionRelayerRemoteOwner contract. The rngComplete function receives the RNG results from the rng auction. The problem here is that the rngComplete function can be call...
The calculations in _computeAvailable() are wrong
Lines of code Vulnerability details Impact computeAvailable has incorrect calculations that result in a return value greater than the current balance, causing methods such as liquidate to fail Proof of Concept VaultBooster.computeAvailable is used to count the number of tokens currently available There...
RangeManager.initRange does not refund leftover underlying assets to the contract owner
Lines of code Vulnerability details Impact The initRange function in the RangeManager contract has a vulnerability where leftover underlying assets from the tokenizable range are not properly refunded to the contract owner. This can lead to a situation where the owner's funds are stuck in the...
Closing the draw will be compromised if the recipient reward is address(0)
Lines of code Vulnerability details Impact The rngComplete function receives the RNG request results; it closes the draw using the randomNumber generated by the RNG request auction and it transfers the rewards. The problem is that a malicious actor can introduce an address zero in the recipient...
The system is subjected to Cross-Contract Reentrancy due to Insufficient validation for tokens, source and liquidity Pairs
Lines of code Vulnerability details Impact A malicious actor can gain control of the liquidation process which can manipulate the POOL token price Proof of Concept Almost all the pieces of the protocol are open to everyone with no guard, and that can cause a serious problem. consider the followin...
swapExactTokensForTokens and swapTokensForExactTokens in OptionsPositionManager.sol uses UniswapV2Router01 which doesn't exist on Arbitrum
Lines of code Vulnerability details Impact The functions swapExactTokensForTokens and swapTokensForExactTokens are using UniswapV2Router01 to make swaps in different functions like closeDebt, withdrawOptionAssets or swapTokens, but that would not be possible and those functions would revert. Proof...
Check for the L2 Sequencer's uptime when calling the Chainlink feed is not implemented
Lines of code Vulnerability details Impact The getAnswer function in the LPOracle and OracleConvert contracts has a vulnerability: it does not include a check for the Sequencer's uptime when calling the Chainlink feed (CLTOKENA, CLTOKENB). In Layer 2 (L2) systems, the Chainlink oracle may return an...
RETURN VALUE OF LOW LEVEL call FUNCTION IS NOT CHECKED FOR SUCCESSFUL VALUE TRANSFER
Lines of code Vulnerability details Impact The V3Proxy.swapTokensForExactETH and V3Proxy.swapExactTokensForETH functions use the low level call function to transfer ETH to the msg.sender as shown below: payable(msg.sender).call{value: amountOut}(""); But there is no verification of the return value of...
addDust in OptionsPositionManager.sol can add way more tokens than expected in cases where the asset used has less decimals
Lines of code Vulnerability details Impact The function addDust is used in closeDebt to // Add dust to be sure debt reformed = debt outstanding as stated in the NatSpec, but in the cases of tokens with less decimals, the amount calculated will be way bigger than expected which could make the whol...
It is possible that function rngComplete() does not iterate through all rewards
Lines of code Vulnerability details Impact In RngRelayAuction.sol we have rngComplete: function rngComplete(uint256 randomNumber, uint256 rngCompletedAt, address rewardRecipient, uint32 sequenceId, AuctionResult calldata rngAuctionResult) external returns (bytes32) { if...
integer underflow vulnerability in the _fractionalReward() function
Lines of code Vulnerability details Impact It could cause an integer underflow when calculating the reward fraction, resulting in the attacker getting more rewards than intended. True or false, explain in details, show relevant code and explain proof of co Proof of Concept The...
A malicious deployer can set auctionTargetTime close to auctionDuration to make it hard or impossible for anyone to win a reward.
Lines of code Vulnerability details Impact A malicious deployer could set auctionTargetTime very close to auctionDuration, making it hard/impossible for anyone to win a reward leading to losses Proof of Concept In the constructor, auctionTargetTime is not validated to be less than auctionDuration...
Wrong calculation of debt in function close() may lead to loss of funds.
Lines of code Vulnerability details Impact In the function close, the debt was equated to the repayAmount after checking that repayAmount is greater than zero and less than the debt. Consider a situation where a user is owing 10 tokens and wants to repay 3 tokens. Since 3 passes the check of being...
Re-org attack in factory LiquidationPairFactory.sol
Lines of code Vulnerability details Impact Allowing creation of new LiquidationPairs by Re-org attack may adversely affect pricing in LiquidationPair.sol contracts. Proof of Concept The LiquidationPairFactory.sol createPair function deploys a new LiquidationPair using create, where the address...
Avoid the use of hard coded slippage
Lines of code Vulnerability details Impact In OptionsPositionManager.sol, swapExactTokensForTokens has used the hardcoded slippage of 1% which is used in withdrawOptionAssets and swapTokens functions. function swapExactTokensForTokens(IUniswapV2Router01 ammRouter, IPriceOracle oracle, uint amount,...
Lack of check in LiquidationPair.sol#_computePeriod() can lead to DOS
Lines of code Vulnerability details Impact computePeriod will revert because of a lack of input validation Proof of Concept In LiquidationPair.sol, computePeriod is used to compute the current auction period: see here. It is called in functions like getPeriodStart and checkUpdateAuction. 377:...
TokenisableRange.sol does not have onERC721Received
Lines of code Vulnerability details Impact TokenisableRange.sol will be unable to mint Uniswap NFTs without an ERC721 receiver. Proof of Concept TokenisableRange.sol intends to create liquidity NFTs using the Uniswap v3 NonfungiblePositionManager. However, there is no callback to check onERC721Received...
INCORRECT ACCESS CONTROL
Lines of code https...
RngRelayAuction.rngComplete() DOS attack
Lines of code Vulnerability details Impact If the recipient maliciously enters the blacklist of prizeToken, it may cause rngComplete to fail to execute successfully Proof of Concept The current implementation of RngRelayAuction.rngComplete immediately transfers the prizeToken to the recipient...
Calculation Errors in calculateAndSendFee Function of OptionsPositionManager Contract
Lines of code Vulnerability details Bug Description In the OptionsPositionManager contract, specifically in the calculateAndSendFee function lines 365 to 367, there are several mathematical errors that impact the accuracy of the feeAmount result. These errors can lead to incorrect fee calculation...
executeOperation() doesn't pass/authenticate the initiator address
Lines of code Vulnerability details Impact In OptionsPositionManager.sol executeFlashloan. File: contracts/PositionManager/OptionsPositionManager.sol function executeOperation(address[] calldata assets, uint256[] calldata amounts, uint256[] calldata premiums, address initiator, bytes calldata params...
Lack of authentication in rngComplete
Lines of code Vulnerability details Impact In RngRelayAuction.sol the rngComplete function is meant to be called only by the rngAuctionRelayer contract, however, it can currently be called by any user. Consequently any random number can be used to close a prize pool draw, benefiting the malicious...
rngComplete() function is vulnerable to an array out of bounds error
Lines of code Vulnerability details Impact A malicious actor can manipulate the AuctionResult passed to RewardLib.rewards to make it return a short rewards array Proof of Concept The issue is that there is no check that i stays within the bounds of rewards. If rewards is shorter than expected, th...
The protocol uses IRouter01 from Uniswap, which should not be used anymore because of a bug found in the code
Lines of code Vulnerability details Impact The protocol implements Router01 from UniswapV2 to do any swaps of tokens in OptionsPositionManager.sol, but Router01 is deprecated and bugged and should not be used anymore. Proof of Concept As can be seen in the UniswapV2 documentation Router01 should...
Functions Not Considering ERC20 Transaction Fees
Lines of code Vulnerability details Impact Some ERC20 tokens charge a transaction fee for every transfer, used to encourage staking, add to a liquidity pool, pay a fee to the contract owner, etc. Sometimes this is not a problem, but in the cases where the same value is passed to a state variable and to...
getTickAtSqrtRatio used in TokenisableRange.sol to calculate lower and upper ticks is used without allowing for overflow behavior, which is required
Lines of code Vulnerability details Impact The function getTickAtSqrtRatio is used multiple times in the TokenisableRange.sol, but the library TickMath.sol is compiled with pragma solidity ^0.8.4 as you can see here which doesn't allow for overflows, and since the function is not unchecked,...
Usage of slot0 is extremely easy to manipulate
Lines of code Vulnerability details Impact Pool LP value can be manipulated and cause other users to receive fewer LP tokens. Proof of Concept TokenisableRange.sol uses slot0 to calculate several values in the code. slot0 is the most recent data point and is therefore extremely easy to manipulate...
CONTROLLED LOW-LEVEL CALL
Lines of code Vulnerability details Impact The contract was using call which was accepting an address controlled by a user. This can have devastating effects on the contract as a delegate call allows the contract to execute code belonging to other contracts but using its own storage. This can very...
The absence of proper Access Control in RngRelayAuction::rngComplete() enables anyone to prematurely conclude the Auction Process.
Lines of code Vulnerability details Explanation For the DrawAuction to be successfully completed, a specific sequence of actions must be followed, and each step holds significance. This demands a carefully designed execution flow that considers both the procedure's requirements and the authorized...
isDeprecated CAN ONLY BE MADE TO true AND CAN NOT BE CHANGED TO false IN THE FUTURE IF THE NEED ARISES
Lines of code Vulnerability details Impact The RoeRouter.deprecatePool function is used to deprecate a pool. It is an onlyOwner-modifier-controlled function. A pool can be deprecated via the deprecatePool function as shown below: function deprecatePool(uint poolId) public onlyOwner...
rounding error can lead to DISABLE the system
Lines of code Vulnerability details Impact In RNGAuction.sol, openSequenceId if the difference between currentTime and sequenceOffset is less than the sequencePeriod, it will round to zero leading to all functions depending on its value to return false like canStartNextSequence, or even revert in...
GeVault#poolMatchesOracle is extremely easy to manipulate due to how it calculates underlying token balances
Lines of code Vulnerability details Impact GeVault.poolMatchesOracle uses UniV3Pool.slot0 to determine the number of tokens it has in its position. slot0 is the most recent data point and is therefore extremely easy to manipulate. Given that the protocol specializes in leverage, the effects o...
Unauthorized Access to Critical Functions in Smart Contract
Lines of code Vulnerability details Description The provided smart contract contains critical functions, such as close, closeDebt, and withdrawOptionAssets, that can be called by any external address without proper authentication or authorization checks. This lack of access control exposes the...
The treasury address can be updated by the contract owner to point to a malicious address after deployment
Lines of code Vulnerability details Impact Any fees or funds sent to the treasury could potentially be stolen or manipulated Proof of Concept The treasury address can be updated by the contract owner to point to a malicious address after deployment. This presents a risk as the treasury receives a...
VaultBoosterFactory allows deployment of VaultBooster with phony PrizePool
Lines of code Vulnerability details Impact A malicious VaultBooster can be deployed via the VaultBoosterFactory contract. Users may lose funds while interacting with such a VaultBooster. File: src/VaultBoosterFactory.sol function createVaultBooster(PrizePool prizePool, address vault, address owner...
Missing access control in RngRelayAuction::rngComplete()
Lines of code Vulnerability details For a draw auction to complete, a bot must relay a completed RNG result to the Prize Pool. This is done by calling rngComplete and the data must originate from the relayer. However the rngComplete function is missing a check that the msg.sender is the relayer s...
RemoteOwner circular dependency at deployment time
Lines of code Vulnerability details Impact The RemoteOwner.sol contract has a security measure that ensures the sender from the remote/origin chain was the origin chain owner i.e. a RngAuctionRelayerRemoteOwner.sol deployment, and this address is set at deployment time in the constructor. The...
call() should be used instead of transfer() on an address payable
Lines of code Vulnerability details Impact The use of the transfer function for sending ETH to an address will inevitably make the transaction fail when: The claimer smart contract does not implement a payable function. The claimer smart contract does implement a payable fallback which uses more...
removeFromAllTicks() withdraws all tick assets before deposit and withdraw, and re-depositing them creates a reentrancy attack.
Lines of code Vulnerability details Impact Reentrancy attacks can result in stolen funds Proof of Concept The key issue is that removeFromAllTicks calls removeFromTick(index) in a loop, which calls lendingPool.withdraw and tr.withdraw. These external calls could trigger a reentrant call back into t...
Calculations like valueX8 and liquidity do not account for potential rounding errors
Lines of code Vulnerability details Impact These small inaccuracies could accumulate and cause the total supply of liquidity tokens to not exactly match the vault holdings. This could allow an attacker to potentially deposit tokens, get liquidity that is slightly higher than what they should base...
Incorrect Import Path Directories
Lines of code Vulnerability details Impact Wrong import path directories in the LiquidationPair.sol contract would affect the functionality of the contract, as this contract relies on the implementation of these imports Proof of Concept 4. import ILiquidationSource from...
swapExactAmountOut() does not have deadline which allows pending transactions to be maliciously executed
Lines of code Vulnerability details Impact In LiquidationRouter.sol, the swapExactAmountOut function has no deadline for the transaction when swapping. File: src/LiquidationRouter.sol function swapExactAmountOut(LiquidationPair liquidationPair, address receiver, uint256 amountOut, uint256 amountInMax...
Owner of _liquidationPair can add malicious liquidation source and insufficient input parameter validations
Lines of code Vulnerability details Impact A malicious liquidationPair owner can deploy a liquidationPair using a malicious source (the liquidation source that the pair will use), and there are other insufficient input validations that can put users' funds at risk. File: src/LiquidationPairFactory.sol function createPai...
The deadline used in swap functions is not verified to have passed/expired
Lines of code Vulnerability details Impact In the V3Proxy.sol contract, deadline is used in functions like swapExactTokensForTokens, swapTokensForExactTokens, swapExactETHForTokens, swapETHForExactTokens, swapTokensForExactETH and swapExactTokensForETH to ensure that the transaction can be execut...