Use of slot0 to get sqrtPriceLimitX96 can lead to price manipulation.
Lines of code Vulnerability details Impact In the RootBridgeAgent.sol the functions gasSwapOut and gasSwapIn use UniswapV3.slot0 to get the value of sqrtPriceX96, which they use to perform the swap; however, the sqrtPriceX96 gotten from Uniswap.slot0 is the most recent data point and can be...
Reactivated gauges have incorrect accounting for the last cycle’s rewards
Lines of code Vulnerability details Impact reactivated gauges that previously had queued up rewards have a mismatch between their storedCycle and contract’s gaugeCycle state variable. Due to this mismatch, there is also a resulting issue with the accounting logic for its completed rewards: Proof ...
doRebalance in Talos is vulnerable to Flash loan Attacks resulting in loss of funds
Lines of code Vulnerability details Impact Loss of funds due to MEV Sandwich attacks. Proof of Concept Rebalancing is done using doRebalance method in TalosStrategySimple. File: TalosStrategySimple.sol function doRebalance internal override returns uint256 amount0, uint256 amount1 int24...
FlywheelAcummulatedRewards/FlywheelBribeRewards gains are instantaneous and can be frontrun
Lines of code Vulnerability details Impact FlywheelAcummulatedRewards/FlywheelBribeRewards gains are instantaneous and can be frontrun. The user only needs to frontrun the delegate before each incentive is distributed to get the incentive, and there is no way to prevent the user from undelegating...
Not using slippage parameter when interacting with AMMs
Lines of code Vulnerability details Impact The slippage parameters are hardcoded to 0, meaning the minimum amount can be 0. The absence of slippage protection causes transactions to be vulnerable to front running. This can result in users potentially losing their funds. Proof of Concept...
The code uses arithmetic operations without explicitly checking for possible overflows or underflows
Lines of code Vulnerability details Impact The impact of the Integer Overflow/Underflow vulnerability can be summarized as follows: Data Inaccuracy: The vulnerability can lead to incorrect calculations and inaccurate data, potentially compromising the integrity of voting processes and other...
Functions don't update after being called
Lines of code Vulnerability details Impact Without updating the reserve or vault value of tokens after calling different functions, the contract may be prone to inconsistent state, security issues, financial implications, and bad user experience. It is important to review and update the reserve...
Reactivated gauges can’t queue up rewards
Lines of code Vulnerability details Impact Reactivated gauges can’t queue up rewards Proof of Concept Active gauges as set by authorised users get their rewards queued up in the FlywheelGaugeRewards.queueRewards function. As part of it, their associated struct QueuedRewards updates its storedCycl...
Calculation during rebalancing can overflow
Lines of code Vulnerability details Proof of Concept Rebalancing logic in TalosBaseStrategy will start by the strategy manager calling TalosBaseStrategy.rebalance to swap imbalanced tokens. This function will call TalosStrategySimple.doRebalance Next, PoolActions.swapEqualAmounts will be called...
changeAdmin function does not have checks
Lines of code Vulnerability details Impact changeAdmin does not check for new address which should be different than the old one. Also newAdmin should not be same as the carrying out the transaction. Proof of Concept Tools Used VScode Recommended Mitigation Steps CEI to be placed in context of...
BranchPort.toggleStrategyToken used on unregistered STRATEGY TOKEN will allow STRATEGIES to drain full token balance
Lines of code Vulnerability details Impact BranchPort.toggleStrategyToken may be called on a token not registered as a strategy token effectively registering it without setting a getMinimumTokenReserveRatio. In such a case minimumReserves will always return a value smaller than the current balanc...
Behaviour of Distributor when user appears in multiple merkle trees
Lines of code Vulnerability details Impact To avoid that a user can claim the same amount multiple times, the following code is used: uint256 toSend = amount - claimedusertoken.amount; However, the Distributor contract supports updating the merkle tree via updateTree. But because the claimed...
DENIAL OF SERVICE (DoS) WHEN DECREASING THE weight DUE TO UNDERFLOW IN THE UlyssesPool.setWeight FUNCTION
Lines of code Vulnerability details Impact The UlyssesPool.setWeight function is used to update the weight of a particular poolId in the current UlyssesPool. But when the weight of the respective poolId is decreased from the current value, the calculation underflows and thus DoS the reducing of...
No target price check performed for external oracles
Lines of code Vulnerability details Impact readMint and readBurn do not check the price of returned assets against the target price, this check is only performed for Chainlink Oracles. Therefore, external oracles can report an arbitrary price that will be accepted by the protocol and any oracle...
Incorrect usage of Comparison Operator (==) instead of Assignment Operator (=) in PartnerManagerFactory
Lines of code Vulnerability details Impact The incorrect usage of comparison operator instead of an assignment operator in addPartner and addVault functions could lead to undesirable behaviour. While the mapping partnerIds and vaultIds are supposed to keep track of the IDs, due to the error, thes...
In VirtualAccount.sol.withdrawERC20(), Transaction revert if the Token does not support 0 value transfer
Lines of code Vulnerability details Impact In VirtualAccount.sol.withdrawERC20, Transaction revert if the Token does not support 0 value transfer when transferring tokens to recipient address. File: src/ulysses-omnichain/VirtualAccount.sol 31 function withdrawERC20address token, uint256 amount...
If a STRATEGY TOKEN is "Toggled off" STRATEGIES will still be able to withdraw but returning of tokens with replenishReserves will be disabled.
Lines of code Vulnerability details Impact BranchPort.manage allows a registered Strategy to withdraw certain amounts of enabled strategy tokens. It validates access rights ie. if called by a strategy registered for the requested token. It however doesn't check if the token itself is currently...
Potential Loss of Funds Due to Zero Slippage Hardcoding in TalosBaseStrategy#deposit
Lines of code Vulnerability details Impact In the deposit function within the TalosBaseStrategy contract, both slippage for two tokens amount0Min and amount1Min are hardcoded to zero. This can have severe implications as users may unintentionally accept a minimum of zero output tokens from a swap...
Although ERC20Boost.decrementGaugesBoostIndexed function would require user to remove all of her or his boost from a deprecated gauge at once, such user can instead call ERC20Boost.decrementGaugeBoost function for multiple times to utilize such deprecated gauge and decrement its userGaugeBoost for multiple times
Lines of code Vulnerability details Impact When the gauge input corresponds to a deprecated gauge, calling the following ERC20Boost.decrementGaugeBoost function can still execute gaugeState.userGaugeBoost -= boost.toUint128 if boost = gaugeState.userGaugeBoost is false. function...
User can manipulate totalRewardUnclaimed and steal pool incentives
Lines of code Vulnerability details Impact In the UniswapV3Staker.sol contract, a user can drain the incentives by repeatedly staking and unstaking. Proof of Concept During staking, the stakeToken... function checks that incentives is not zero this would later become insufficient but does not in...
Significant roundoff error in depositToPort function (ArbitrumBranchBridgeAgent.sol)
Lines of code Vulnerability details Significant roundoff error in depositToPort function ArbitrumBranchBridgeAgent.sol This issue is caused with different decimals than 18, e.g. USDC, WBTC. Let's consider USDC as the case scenario. If a user deposits USDC into the depositToPort function, he...
Incorrect Use of Equality Operator in addPartner and addVault Functions
Lines of code Vulnerability details Impact The addPartner and addVault functions in the PartnerManagerFactory contract are intended to add new partner managers and vaults respectively. These functions also assign a unique ID to each new partner manager and vault by storing them in the partnerIds...
User may get less tokens than expected when collateral list order changes
Lines of code Vulnerability details Impact The order of ts.collateralList is not stable: Whenever LibSetters.revokeCollateral is used to revoke a collateral, it may change because of the swap that is performed. However, the function Redeemer.redeem relies on this order, as the user has to provide...
Reentry restrictions are not properly released
Lines of code Vulnerability details Impact After LSP6KeyManagerCore.execute or LSP6KeyManagerCore.executeRelayCall is executed, non-isSetData methods that call these two methods without re-entry permission cannot be called normally Proof of Concept Tools Used manual review Recommended Mitigation...
_normalizeDecimals() Wrong calculation formula
Lines of code Vulnerability details Impact Wrong decimal place conversion, resulting in wrong quantity Proof of Concept in callOutSignedAndBridge The number of tokens will be converted to 18 decimal when packedData is performed. function callOutSignedAndBridgebytes calldata params, DepositInput...
_payFallbackGas is not being paid in case selector is 0x07 or 0x08
Lines of code Vulnerability details Impact payFallbackGas gas is not being paid for selectors 0x07 and 0x08 which causes a loss for protocol's execution gas budget. In case Execution budget is not enough then anyFallback will fail. Proof of Concept In payFallbackGas gas should always be paid in...
Id not saved when adding a vault with addVault or partner with addPartner
Lines of code Vulnerability details Impact In the PartnerManagerFactory contract when adding a new vault with the addVault or adding a new partner with addPartner function, both functions do not save the id of the added vault or partner, this will cause function like migratePartnerVault to reve...
Unable to check state() if proposalId == 0
Lines of code Vulnerability details Impact state function cannot be called to view proposal state if proposalId == 0. Proof of Concept There is no check to prevent queueing a proposalId with a value of 0 via the queue function. However, in the state function there is a check preventing using a...
Contracts are vulnerable to rebasing accounting-related issues
Lines of code Vulnerability details Impact Rebasing tokens are tokens that have each holder's balanceof increase over time. Aave aTokens are an example of such tokens. If rebasing tokens are used, rewards accrue to the contract holding the tokens, and cannot be withdrawn by the original depositor...
Wrong validation when setting BadCollateralRatio
Lines of code Vulnerability details Impact Setting of BadCollateralRatio has a slight bug //@audit-issue bug here, should be - 1e19 function setBadCollateralRatioaddress pool, uint256 newRatio external onlyRoleDAO requirenewRatio = 130 1e18 && newRatio = 160 1e18, "eUSD vault safe...
Voting Delay set to 1 block, would not allow users enough time to buy tokens, or delegate their votes before the voting starts
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. With a voting delay set to 1 block, users would not have enough time to buy tokens, or delegate their votes. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs...
proposals view function returns wrong voting results
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Even though, the votes are calculated correctly, the proposals view function returns wrong voting results returning forVotes results as againstVotes amount. This would negatively impact the users...
Owner will be address(0) because it is not initialized
Lines of code Vulnerability details Impact Owner will be address0 making the functions which use the onlyOwner modifier insolvable Proof of Concept There are contracts in the protocol which use the Ownable from OZ: esLBRBoost.sol, EUSDMiningIncentives.sol, ProtocolRewardsPool.sol,...
Token transfer is not handled properly in stakerewardV2pool.sol.
Lines of code Vulnerability details Impact Token transfer is not handled properly in stakerewardV2pool.sol. Many staking tokens return a bool as transfer success, best practice is receiving the output as a boolean and revert the transaction if it is false. If it is not handled properly then it ma...
Incorrect poolTotalEUSDCirculation Calculation
Lines of code Vulnerability details Impact poolTotalEUSDCirculation calculated incorrectly so it can affect reward distribution Proof of Concept The following line of code deduces repaid amount from poolTotalEUSDCirculation while the fee that is part of repaid amount will be distributed as rewards...
Keepers are allowed to use the full EUSD balance of any provider to liquidate funds
Lines of code Vulnerability details Impact Keepers are allowed to use the full EUSD balance of any provider to liquidate funds. Normally, the keeper should only be allowed to use max of the amount that the provider approves to LybraStETHVault. But the check only checks if the provider gives an...
maxSupply in esLBR.sol is wrong
Lines of code Vulnerability details Impact Proof of Concept As mentioned in the docs in line 6 in esLBR.sol contract, the maximum supply will be 55 million. - The maximum amount that can be minted through the esLBRMinter contract is 55 million. But the maximum supply is hardcoded 100 million in...
[H] Users can withdraw more tokens than they have staked
Lines of code Vulnerability details Impact Users can withdraw more tokens than they have staked from the contract. In stakerewardV2pool, there is no check to stop a user from withdrawing more tokens than they have staked. The tokens are simply subtracted from the user's balance and from the total...
The _spendAllowance function in EUSD contract is labeled as virtual which can be overridden as malicious code
Lines of code Vulnerability details Impact The spendAllowance function is labeled as virtual which can be overridden by some malicious code Proof of Concept The attacker could modify the spendAllowance function to only call approve function of same contract which is internal and can pass max...
Withdraw fee discounting using self rigidRedemption
Lines of code Vulnerability details Description There is no restriction for self rigidRedemption so that allows one to repay and withdraw instantly part of the collateral. That allows us to instantly withdraw with less fee paid. Impact It may be used for malicious scenarios with flashloan for...
Potential Unauthorized Flash Loan Execution and Share Burning due to Lack of Permission Checks
Lines of code Vulnerability details Impact The executeFlashloan function in the provided contract allows any user to execute a flash loan on behalf of another user without explicit permission. This could potentially lead to an unauthorized execution of flash loans and unexpected share burnings if...
An attacker can burn shares of other users by calling executeFlashloan()
Lines of code Vulnerability details The executeFlashloan in PeUSDMainnetStableVision.sol allows users to execute flash loans but the problem is that the receiver doesn't have to be the msg.sender so an attacker can do 2 things: 1. Execute other users flash loans 2. If a user is a smart contract th...
_voteSucceeded and proposals give opposite result
Lines of code Vulnerability details Impact In the LybraGovernance contract, the voteSucceeded function returns true if supportVotes1 supportVotes0. At the same time in the proposals function supportVotes0 is returned as forVotes and supportVotes1 is returned as againstVotes. This could suggest,...
Users with bad collateralization ratio from either rebase/nonrebase vault can bypass liquidation
Lines of code Vulnerability details Impact users with an unsafe collateralization ratio who are supposed to be liquidated can manipulate the rigidRedemption feature to bypass the liquidation. From the code above its noted that being a rigidRedemption provider one can put their collateral amou...
Wrong proposalThreshold amount in LybraGovernance.sol
Lines of code Vulnerability details Impact The proposal can be created with only 100000 esLBR delegated instead of 10000000. Proof of Concept According to LybraV2Docs, a proposal can only be created if the sender has at least 10 million esLBR tokens delegated to his address to meet the proposal...
stETHs rebase profit stealing
Lines of code Vulnerability details Description It's possible with flashloan from AAVE to capture a big shares amount of eUSD, after each stETH rebase exploiter will buy excessive income, which leads to eUSD rebase due to shares burning, so the exploiter will have most of burned eUSD because they...
A minimum of 1/3 of total esLBR supply required for the proposal to pass
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. If a quorum is set too high, the minimum number of cast votes required for a proposal to be successful would be harder to reach. Proof of Concept Provide direct links to all referenced code in GitHub. A...
Calls to rigidRedemption can fail due to an underflow when collateralAsset price falls.
Lines of code Vulnerability details Impact When the collateralAsset price falls drastically a wrong collateralAmount is calculated in the line below from the eusdAmount. The collateralAmount calculated can be greater than the amount deposited by the provider in the rigidRedemption. Which leads to...
[H] Users can lose funds if they call depositEtherToMint
Lines of code Vulnerability details Impact Due to only an interface implementation of function submit in Lido contract, users will lose funds due to non-existent implementation. Proof of Concept The comments in the code suggest that when users deposit ETH, it should be directly deposited into the...
[M] Mining rewards are not distributed to users
Lines of code Vulnerability details Impact Expected mining rewards in distributeRewards are not distributed due to a revert in purchaseOtherEarnings. Proof of Concept A missing mintVault implementation in transferFrom will inevitably cause a revert in purchaseOtherEarnings. This means expected...