
10190 matches found

Code423n4
added 2023/07/07 12:0 a.m., 13 views

getMerkleRoot() might return an unconfirmed root.

Lines of code Vulnerability details Impact Users might claim rewards using an unconfirmed merkle root. Proof of Concept getMerkleRoot returns the merkle root to claim the rewards. function getMerkleRoot public view returns bytes32 if block.timestamp = endOfDisputePeriod return tree.merkleRoot; el...

AI score: 6.8
Exploits: 0

Code423n4
added 2023/07/07 12:0 a.m., 8 views

LibHelpers.piecewiseLinear will revert when the value is less than the first element of the array

Lines of code Vulnerability details Impact LibHelpers.piecewiseLinear reverts when the value is less than the first element of the array. This method is used in Redeemer contract and if the collateral ratio is below the first element of xRedemptionCurve, the redemption will revert. Proof of Conce...

AI score: 6.7
Exploits: 0

Code423n4
added 2023/07/07 12:0 a.m., 8 views

Redeemer.redeem FUNCTION COULD REVERT DUE TO ARRAY LENGTH MISMATCH IN THE minAmountOuts ARRAY

Lines of code Vulnerability details Impact In the Redeemer.sol contract the Natspec comments are given how the minAmountOuts array is constructed when there are managed collaterals with sub-collaterals present. The comment is as follows: /// process and the minAmountOuts will be bigger than the...

AI score: 6.6
Exploits: 0

Code423n4
added 2023/07/07 12:0 a.m., 9 views

Decimal is not correct in fee calculation

Lines of code Vulnerability details Impact The decimal doesn't match in the fee calculation, so this will break the fee calculation. Since fee calculation is very important in Mint/Burn actions, this problem can ruin the core functionality of transmuter. Proof of Concept This is the non-exact min...

AI score: 6.9
Exploits: 0

Code423n4
added 2023/07/07 12:0 a.m., 10 views

ONLY THE LAST DISPUTE IS CONSIDERED UNRESOLVED IN THE Distributor CONTRACT

Lines of code Vulnerability details Impact The Distributor.disputeTree function is used to freeze the Merkle tree update until the dispute is resolved. This is done by setting the disputer state variable to msg.sender. disputeTree is an external function which can be called by anyone by providing...

AI score: 7.1
Exploits: 0

Code423n4
added 2023/07/07 12:0 a.m., 10 views

Incorrect modification authorization amount

Lines of code Vulnerability details Impact In a specific scenario, the authorized transfer amount from N-M M0, N0 will cause the user to lose M+N money. This solution is to first change the authorized amount to N-0 and then to 0-M. This is not the best solution suggested by the article, and it is...

AI score: 6.7
Exploits: 0

Code423n4
added 2023/07/07 12:0 a.m., 6 views

The first disputer might lose funds although his dispute is valid.

Lines of code Vulnerability details Impact The first disputer might lose funds although his dispute is valid. Proof of Concept Users can dispute the current tree using disputeTree and the governor refunds the dispute funds if the dispute is valid in resolveDispute. function disputeTreestring memo...

AI score: 6.7
Exploits: 0

Code423n4
added 2023/07/07 12:0 a.m., 7 views

Disputer loses the deposit when someone disputes after them

Lines of code Vulnerability details Impact A disputer loses their deposited dispute tokens if someone disputes the tree after them. Proof of Concept The Distributor.disputeTree function is used to dispute a Merkle tree. The function requires the caller to deposit disputeAmount of disputeToken; th...

AI score: 6.7
Exploits: 0

Code423n4
added 2023/07/07 12:0 a.m., 5 views

IF RETURNED DECIMAL VALUE IS ZERO, IT COULD BREAK THE FUNCTIONING OF THE PROTOCOL

Lines of code Vulnerability details Impact The LibOracle.readChainlinkFeed function is used to calculate the quotePrice for a collateral using the chainlink price feeds. The function uses the values received via the multiple arrays in the LibOracle.read function. One such array is the...

AI score: 6.8
Exploits: 0

Code423n4
added 2023/07/07 12:0 a.m., 12 views

No check for active Arbitrum Sequencer

Lines of code Vulnerability details Impact If the Arbitrum sequencer goes down, the stale ratio will be used during the swap. Proof of Concept readChainlinkFeed gets the price from chainlink oracle and the ratio is used during the swap. function readChainlinkFeed uint256 quoteAmount,...

AI score: 6.8
Exploits: 0

Code423n4
added 2023/07/07 12:0 a.m., 7 views

sellRewards() might be used to steal collaterals/rewards by malicious guardians or sellers.

Lines of code Vulnerability details Impact Malicious guardians or sellers might steal funds using sellRewards. Proof of Concept sellRewards is used to buy collaterals using rewardsagToken through 1inch router. function sellRewardsuint256 minAmountOut, bytes memory payload external returns uint256...

AI score: 6.7
Exploits: 0

Code423n4
added 2023/07/07 12:0 a.m., 17 views

CRITICAL UPGRADES IN THE DIAMOND PROXY COULD BE MISSED DUE TO INVALID ACTIONS PASSED IN

Lines of code Vulnerability details Impact The LibDiamond.diamondCut function is used to modify the facets by passing in the FacetCut structs. The FacetCut struct contains the action to perform: add, replace and remove and the function selectors to use for them. Here the function implementation...

AI score: 7.2
Exploits: 0

Code423n4
added 2023/07/07 12:0 a.m., 12 views

LACK OF deadline CHECK COULD PROMPT DELAYED EXECUTION OF swap OPERATION

Lines of code Vulnerability details Impact The RewardHandler.sellRewards function is used by governance and trusted sellers to sell reward tokens for collateral tokens. This function ensures that none of the collateral should be decreased after the swap by checking their respective balances befor...

AI score: 7.1
Exploits: 0

Code423n4
added 2023/07/07 12:0 a.m., 273 views

ERC721 onERC721Received() reentrancy

Lines of code Vulnerability details Impact Reentrancy is an attack that can occur when a bug in a contract may allow a malicious contract to reenter the contract unexpectedly during execution of the original function. This can be used to drain funds from a smart contract if used maliciously...

AI score: 7
Exploits: 0

Code423n4
added 2023/07/07 12:0 a.m., 11 views

Unsafe cast in getCollateralRatio()

Lines of code Vulnerability details Impact LibGetters.getCollateralRatio might return the incorrect ratio due to the unsafe cast. Proof of Concept getCollateralRatio outputs the collateral ratio using the total collaterals and issued agTokens. // The stablecoinsIssued value need to be rounded up...

AI score: 6.8
Exploits: 0

Code423n4
added 2023/07/07 12:0 a.m., 7 views

SWAP TRADES COULD BE EXECUTED AT A LATER POINT IN TIME BY THE MINERS, IF deadline == 0

Lines of code Vulnerability details Impact The Swapper.swapExactInput external function, has the deadline parameter to control the execution time of the swap transaction. If the block.timestamp has elapsed the deadline given the transaction will revert as per the implementation in the...

AI score: 7.1
Exploits: 0

Code423n4
added 2023/07/07 12:0 a.m., 11 views

uint128 changeAmount might overflow

Lines of code Vulnerability details Impact This issue is an edge case, that uint128 changeAmount could overflow, making the protocol fail for certain amount of swap. Proof of Concept Let's break down the changeAmount: 1. amountOut/amountIn 2. BASE27 3. normalizer File:...

AI score: 6.7
Exploits: 0

Code423n4
added 2023/07/07 12:0 a.m., 19 views

DENIAL OF SERVICE COULD OCCUR IF CHAINLINK PRICE FEEDS ARE BLOCKED

Lines of code Vulnerability details Impact Protocol’s usability becomes very limited when access to Chainlink oracle data feed is blocked The LibOracle.readChainlinkFeed function calls the feed.latestRoundData on the chain link price feed to calculate the quotePrice and return it to the...

AI score: 6.6
Exploits: 0

Code423n4
added 2023/07/07 12:0 a.m., 6 views

estimatedAPR() might return the wrong APR.

Lines of code Vulnerability details Impact estimatedAPR might return the wrong APR and it will make users confused. Proof of Concept SavingsVest.estimatedAPR returns the APR using the current vestingProfit and vestingPeriod. function estimatedAPR external view returns uint256 apr uint256...

AI score: 6.7
Exploits: 0

Code423n4
added 2023/07/07 12:0 a.m., 9 views

Poor detection of disputed trees allows claiming tokens from a disputed tree

Lines of code Vulnerability details Targets Impact Users can claim rewards from a Merkle tree that's being disputed. This can potentially lead to loss of funds since a malicious trusted EOA can claim funds from a malicious tree while it's being disputed. Proof of Concept The...

AI score: 6.7
Exploits: 0

Code423n4
added 2023/07/07 12:0 a.m., 16 views

The merkle tree might be revoked again after being used to claim rewards.

Lines of code Vulnerability details Impact The merkle tree might be revoked again after being used to claim rewards. Proof of Concept The governor can revoke the merkle tree using revokeTree. function revokeTree external onlyGovernorOrGuardian if disputer != address0 revert UnresolvedDispute;...

AI score: 6.9
Exploits: 0

Code423n4
added 2023/07/07 12:0 a.m., 13 views

Read-only reentrancy is possible

Lines of code Vulnerability details Impact The agToken might be minted wrongly as rewards due to the reentrancy attack. Proof of Concept There are redeem/swap logics in the transmuter contract and all functions don't have a nonReentrant modifier. So the typical reentrancy attack is possible durin...

AI score: 6.7
Exploits: 0

Code423n4
added 2023/07/07 12:0 a.m., 10 views

Interest is not accrued before parameters are updated in SavingsVest

Lines of code Vulnerability details Impact Stablecoin holders can receive wrongly calculated yield in the SavingsVest contract. Also, wrong vesting profit can be slashed when the protocol is under-collateralized. Proof of Concept The SavingsVest contract lets users deposit their stablecoins and...

AI score: 6.8
Exploits: 0

Code423n4
added 2023/07/07 12:0 a.m., 12 views

ARBITRARY USER CAN CALL THE SavingsVest.accrue FUNCTION MULTIPLE TIMES BEFORE THE updateDelay PERIOD HAS ELAPSED

Lines of code Vulnerability details Impact In the SavingsVest contract the updateDelay variable is defined. This variable is used to refer the minimum time between two calls to the accrue function. This is implemented in the SavingsVest.accrue function as follows: if block.timestamp - lastUpdate...

AI score: 6.8
Exploits: 0

Code423n4
added 2023/07/07 12:0 a.m., 12 views

Possible reentrancy during redemption/swap

Lines of code Vulnerability details Impact Redeemers might charge more collaterals during redemption/swap by the reentrancy attack. Proof of Concept Redeemers can redeem the agToken for collaterals in Redeemer contract and redeem burns the agToken and transfers the collaterals. function redeem...

AI score: 6.7
Exploits: 0

Code423n4
added 2023/07/06 12:0 a.m., 9 views

stealth of funds

Lines of code Vulnerability details CRITICAL Impact The LSP0ERC725Account contract executes calls to specified targets provided in the arguments, the contract can receive native coins using the payable functions or directly transferred since the contract implements a receive function. However, the...

AI score: 7
Exploits: 0

Code423n4
added 2023/07/06 12:0 a.m., 10 views

LSP6KeyManagerCore reentrancy vulnerability

Lines of code Vulnerability details Impact Both LSP6KeyManager and LSP6KeyManagerInit inherit from LSP6KeyManagerCore. Consider our previous 3 contracts as A, B and C. We write a contract D, call the A.execute method, and let it execute D.execute. When executing D.execute, we can also execute...

AI score: 7.1
Exploits: 0

Code423n4
added 2023/07/05 12:0 a.m., 11 views

Not using slippage parameter in swap() while swapping causes loss of funds

Lines of code Vulnerability details Impact While making a swap on UniswapV3 the caller should use the slippage parameter amountOutMinimum parameter to avoid losing funds. In swapToEqualAmounts does not use the slippage parameter amountOutMinimum. File: /src/talos/libraries/PoolActions.solL46-L52...

AI score: 6.8
Exploits: 0

Code423n4
added 2023/07/05 12:0 a.m., 11 views

Calculation during rebalancing can overflow

Lines of code Vulnerability details Proof of Concept Rebalancing logic in TalosBaseStrategy will start by the strategy manager calling TalosBaseStrategy.rebalance to swap imbalanced tokens. This function will call TalosStrategySimple.doRebalance Next, PoolActions.swapEqualAmounts will be called...

AI score: 7
Exploits: 0

Code423n4
added 2023/07/05 12:0 a.m., 13 views

Incorrect Use of Equality Operator in addPartner and addVault Functions

Lines of code Vulnerability details Impact The addPartner and addVault functions in the PartnerManagerFactory contract are intended to add new partner managers and vaults respectively. These functions also assign a unique ID to each new partner manager and vault by storing them in the partnerIds...

AI score: 6.9
Exploits: 0

Code423n4
added 2023/07/05 12:0 a.m., 13 views

Incorrect usage of Comparison Operator(==) instead of Assignment Operator(=) in PartnerManagerFactory

Lines of code Vulnerability details Impact The incorrect usage of comparison operator instead of an assignment operator in addPartner and addVault functions could lead to undesirable behaviour. While the mapping partnerIds and vaultIds are supposed to keep track of the IDs, due to the error, thes...

AI score: 6.9
Exploits: 0

Code423n4
added 2023/07/05 12:0 a.m., 10 views

Significant roundoff error in depositToPort function (ArbitrumBranchBridgeAgent.sol)

Lines of code Vulnerability details Significant roundoff error in depositToPort function ArbitrumBranchBridgeAgent.sol This issue is caused with different decimals than 18. As an Eg USDC, WBTC. Let's consider the USDC as the case scenario. If User deposit USDC into the depositToPort function, He...

AI score: 6.4
Exploits: 0

Code423n4
added 2023/07/05 12:0 a.m., 5 views

changeAdmin function does not have checks

Lines of code Vulnerability details Impact changeAdmin does not check for new address which should be different than the old one. Also newAdmin should not be same as the carrying out the transaction. Proof of Concept Tools Used VScode Recommended Mitigation Steps CEI to be placed in context of...

AI score: 6.9
Exploits: 0

Code423n4
added 2023/07/05 12:0 a.m., 15 views

doRebalance in Talos is vulnerable to Flash loan Attacks resulting loss of funds

Lines of code Vulnerability details Impact Loss of funds due to MEV Sandwich attacks. Proof of Concept Rebalancing is done using doRebalance method in TalosStrategySimple. File: TalosStrategySimple.sol function doRebalance internal override returns uint256 amount0, uint256 amount1 int24...

AI score: 6.8
Exploits: 0

Code423n4
added 2023/07/05 12:0 a.m., 12 views

Reward clarinets can claim rewards multiple times

Lines of code Vulnerability details Impact Reward claimers can call the get accrued reward function multiple times and maybe even drain the contract Proof of Concept As we can see there’s no check setting the accrued reward to zero after the rewards have been transferred Tools Used Manual review...

AI score: 7
Exploits: 0

Code423n4
added 2023/07/05 12:0 a.m., 11 views

Potential Loss of Funds Due to Zero Slippage Hardcoding in TalosBaseStrategy#deposit

Lines of code Vulnerability details Impact In the deposit function within the TalosBaseStrategy contract, both slippage for two tokens amount0Min and amount1Min are hardcoded to zero. This can have severe implications as users may unintentionally accept a minimum of zero output tokens from a swap...

AI score: 6.8
Exploits: 0

Code423n4
added 2023/07/05 12:0 a.m., 9 views

Missing deadline checks allow pending transactions to be maliciously executed

Lines of code Vulnerability details Impact In PoolActions.sol, swapToEqualAmounts function has no deadline check for the transaction when swapping. File: src/talos/libraries/PoolActions.sol function swapToEqualAmountsActionParams memory actionParams, int24 baseThreshold internal bool zeroForOne,...

AI score: 6.8
Exploits: 0

Code423n4
added 2023/07/05 12:0 a.m., 32 views

Many create methods are suspicious of the reorg attack

Lines of code Vulnerability details Proof of Concept There are many instance of this, but to understand things better, taking the example of createTalosV3Strategy method. The createTalosV3Strategy function deploys a new TalosStrategyStaked contract using the create, where the address derivation...

AI score: 6.8
Exploits: 0

Code423n4
added 2023/07/05 12:0 a.m., 9 views

BranchPort.toggleStrategyToken used on unregistered STRATEGY TOKEN will allow STRATEGIES to drain full token balance

Lines of code Vulnerability details Impact BranchPort.toggleStrategyToken may be called on a token not registered as a strategy token effectively registering it without setting a getMinimumTokenReserveRatio. In such a case minimumReserves will always return a value smaller than the current balanc...

AI score: 6.8
Exploits: 0

Code423n4
added 2023/07/05 12:0 a.m., 11 views

The code uses arithmetic operations without explicitly checking for possible overflows or underflows

Lines of code Vulnerability details Impact The impact of the Integer Overflow/Underflow vulnerability can be summarized as follows: Data Inaccuracy: The vulnerability can lead to incorrect calculations and inaccurate data, potentially compromising the integrity of voting processes and other...

AI score: 7.3
Exploits: 0

Code423n4
added 2023/07/05 12:0 a.m., 8 views

_normalizeDecimals() Wrong calculation formula

Lines of code Vulnerability details Impact Wrong decimal place conversion, resulting in wrong quantity Proof of Concept in callOutSignedAndBridge The number of tokens will be converted to 18 decimal when packedData is performed. function callOutSignedAndBridgebytes calldata params, DepositInput...

AI score: 6.9
Exploits: 0

Code423n4
added 2023/07/05 12:0 a.m., 19 views

Bad accounting on ERC4626MultiToken.sol leads to user funds stuck in the contract

Lines of code Vulnerability details Summary Bad accounting on ERC4626MultiToken.sol leads to user funds stuck in the contract on deposit and withdraw logic. Vulnerability Detail The UlyssesToken unified liquidity tokens are derived from ERC4626Multitoken. This is an standard tokenized vault with...

AI score: 6.8
Exploits: 0

Code423n4
added 2023/07/05 12:0 a.m., 13 views

Liquidity providers may lose funds when initialising a strategy

Lines of code Vulnerability details Summary Liquidity providers may lose funds when initialising a strategy Vulnerability Detail Liquidity providers may lose a portion of provided liquidity in either of the pair tokens when creating a new position. The init function on TalosBaseStrategy.sol does...

AI score: 6.7
Exploits: 0

Code423n4
added 2023/07/05 12:0 a.m., 7 views

addLiquidity() unable to work

Lines of code Vulnerability details Impact missing the first transfer of the asset to router, addLiquidity unable to work Proof of Concept UlyssesRouter.addLiquidityuse for mint LP The code is as follows: function addLiquidityuint256 amount, uint256 minOutput, uint256 poolId external returns...

AI score: 7.1
Exploits: 0

Code423n4
added 2023/07/05 12:0 a.m., 9 views

DENIAL OF SERVICE (DoS) WHEN DECREASING THE weight DUE TO UNDERFLOW IN THE UlyssesPool.setWeight FUNCTION

Lines of code Vulnerability details Impact The UlyssesPool.setWeight function is used to update the weight of a particular poolId in the current UlyssesPool. But when the weight of the respective poolId is decreased from the current value, the calculation underflows and thus DoS the reducing of...

AI score: 6.8
Exploits: 0

Code423n4
added 2023/07/05 12:0 a.m., 9 views

_payFallbackGas is not being paid in case selector is 0x07 or 0x08

Lines of code Vulnerability details Impact payFallbackGas gas is not being paid for selectors 0x07 and 0x08 which causes a loss for protocol's execution gas budget. In case Execution budget is not enough then anyFallback will fail. Proof of Concept In payFallbackGas gas should always be paid in...

AI score: 7.2
Exploits: 0

Code423n4
added 2023/07/05 12:0 a.m., 16 views

Slippage controls for calling bHermes contract's ERC4626DepositOnly.deposit and ERC4626DepositOnly.mint functions are missing

Lines of code Vulnerability details Impact mentions that "if implementors intend to support EOA account access directly, they should consider adding an additional function call for deposit/mint/withdraw/redeem with the means to accommodate slippage loss or unexpected deposit/withdrawal limits,...

AI score: 6.8
Exploits: 0

Code423n4
added 2023/07/05 12:0 a.m., 9 views

Although ERC20Boost.decrementGaugesBoostIndexed function would require user to remove all of her or his boost from a deprecated gauge at once, such user can instead call ERC20Boost.decrementGaugeBoost function for multiple times to utilize such deprecated gauge and decrement its userGaugeBoost for multiple times

Lines of code Vulnerability details Impact When the gauge input corresponds to a deprecated gauge, calling the following ERC20Boost.decrementGaugeBoost function can still execute gaugeState.userGaugeBoost -= boost.toUint128 if boost = gaugeState.userGaugeBoost is false. function...

AI score: 7.1
Exploits: 0

Code423n4
added 2023/07/05 12:0 a.m., 11 views

Functions don't update after being called

Lines of code Vulnerability details Impact Without updating the reserve or vault value of tokens after calling different functions, the contract may be prone to inconsistent state, security issues, financial implications, and bad user experience. It is important to review and update the reserve...

AI score: 7
Exploits: 0

Code423n4
added 2023/07/05 12:0 a.m., 10 views

RootBridgeAgent.redeemSettlement can be front-run using RootBridgeAgent.retrySettlement causing redeem DoS

Lines of code Vulnerability details Impact Since RootBridgeAgent.retrySettlement... can be called by anyone for any settlement, a malicious actor can front-run an user trying to redeem his failed settlement via RootBridgeAgent.redeemSettlement... by calling RootBridgeAgent.retrySettlement... with...

AI score: 6.8
Exploits: 0

Total number of security vulnerabilities: 10190