In LlamaRelativeQuorum, actionApprovalSupply/actionDisapprovalSupply can be changed anytime.
Lines of code Vulnerability details Impact The governance result might be manipulated seriously because the approval/disapproval supplies can be changed anytime by an attacker. Proof of Concept The LlamaRelativeQuorum uses approval/disapproval thresholds that are specified as percentages of total...
Incorrect validation in LlamaRelativeQuorum results in improper approvals/disapprovals
Lines of code Vulnerability details Impact The LlamaRelativeQuorum contract is intended to allow for approvals/disapprovals to be configured such that, for example, an approval is triggered when a certain percentage of the total quantity for a role with this quantity being fixed at the creation o...
Missing Role Validation in LlamaAbsoluteStrategyBase.sol
Lines of code Vulnerability details Bug Description: The LlamaAbsoluteStrategyBase contract serves as a base contract for Llama strategies and implements various functions for action creation, approval, disapproval, and cancellation. However, it fails to validate the roles used in some critical...
Role might be granted and revoked at the same block to manipulate the role supply and result in incorrect behavior of relative strategy
Lines of code Vulnerability details Impact There is a potential issue where a role can be granted, votes can be cast, and then the role can be revoked in the same block. This can lead to incorrect behavior of relative strategy in manipulating the vote supply. The problem arises because the role...
LlamaAccount can be tricked to selfdestruct with an upgradable contract
Lines of code Vulnerability details Impact The LlamaAccount contract will be destroyed and all the assets can be lost. Proof of Concept In execute, we use readSlot0 to prevent a malicious or buggy target from taking ownership of this contract. But the malicious target can send all the assets and...
The initial total supply of the role can be miscalculated in some cases
Lines of code Vulnerability details Impact Due to miscalculations during LlamaPolicy contract deployment the initial supply of the role can be set wrongly. And most of strategies will not work as intended. Moreover users will not be able to start an Action for some strategies as well. Proof of...
Centralization risk for trusted owners
Lines of code Vulnerability details Description: Contracts have owners that have privileged rights to perform admin tasks. These owners need to be trusted to not perform malicious updates or drain funds. Having a single Externally Owned Account EOA as the sole owner represents a significant...
VaultProxy can be selfdestructed using delegatecall
Lines of code Vulnerability details Impact Attacker can selfdestruct VaultProxy deployment. constructor //initialise the vault proxy with data function initialise bool isValidatorWithdrawalVault, uint8 poolId, uint256 id, address staderConfig external if isInitialized revert AlreadyInitialized;...
The incorrect check implemented in the UserWithdrawalManager undermines the effectiveness of the timelock for claiming ETH
Lines of code Vulnerability details high Title: The incorrect check implemented in the UserWithdrawalManager undermines the effectiveness of the timelock for claiming ETH. Links: Impact Any malicious users can bypass the timelock mechanism for claiming ETH. The issue lies in the claim function,...
Oracle data is not sufficiently validated
Lines of code Vulnerability details Impact The retrieved price from the oracle can be stale value or outdated and used anyways as a valid data. The usage of such data can impact on how the further logics of that price are implemented. Proof of Concept File: StaderOracle.sol function getPORFeedDat...
Users who stake at the end of a freeze would get rewards as if they've staked before the freeze
Lines of code Vulnerability details This one was reported in the first contest, it was mitigated but a code change that was made since then brings it back again. Impact Users who stake while frozen would get a share of the rewards for the period since the last call to payoutRewards. This means th...
LES (Light Ethereum Subprotocol) doesn't forward the transaction to the sequencer
Lines of code Vulnerability details Impact LES Light Ethereum Subprotocol doesn't forward the transaction to the sequencer when receiving it over RPC. Proof of Concept When a user submits a transaction to op-geth node validator/verifier mode, the node sends the transaction to the sequencer, if no...
Problem with ValidatorStatus.INITIALIZED
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. The default value for Enums in solidity are always the first parameters in them. In the ValidatorStatus Enum however, INITIALIZED is the first value and therefore the default value of the ValidatorStatu...
Individual nodes can manipulate sdPriceInETH to be any value inside StaderOracle#submitSDPrice
Lines of code Vulnerability details Trusted nodes can submit their attested ethereum price by calling StaderOracle#submitSDPrice. Once a 66% majority of nodes submit a price for a specific block number, the new sdPriceData will be set to the median of the submitted prices. function...
A lot with a lots.sdAmount less than the bidIncrement cannot be bid on
Lines of code Vulnerability details M-01 A lot with a lots.sdAmount less than the bidIncrement cannot be bid on Impact Everyone can create a lot by calling Auction.createLot with any arbitrary amount they specify. However, creating a lot with a low sdAmount can result in two potential issues: Whe...
There is no check to see if eth was successfully sent from ValidatorWithdrawalVault to StaderStakePoolsManager.
Lines of code Vulnerability details Impact Eth may not complete successfully. As a result, the user will not receive their share from the validator. Tools Used Manual audit Recommended Mitigation Steps Add to StaderStakePoolManager.receiveWithdrawVaultUserShare function. ifmsg.value == 0 revert...
There is no check to see if eth was successfully sent from PermissionlessNodeRegistry to StaderInsuranceFund.
Lines of code Vulnerability details Impact Eth may not complete successfully. As a result, StaderInsuranceFund will not receive collateral. Tools Used Manual audit Recommended Mitigation Steps Add to StaderInsuranceFund.depositFund function: ifmsg.value == 0 revert Error Assessed type ETH-Transfe...
UNJUSTIFIED ZERO INDEX VALIDATION HINDERS INDEX VALUE OF 0
Lines of code Vulnerability details Impact SocializingPool.verifyProof currently incorporates a zero index check which blocks the entry of an index value of 0. While this check is designed to prevent the use of invalid index values, it inadvertently prohibits the valid index value of 0. This may...
Both consensus layer rewards and "32 bonded ETH" will be distributed via ValidatorWithdrawalVault.distributeRewards() as rewards
Lines of code Vulnerability details Impact totalRewards can be a value than staderConfig.getRewardsThreshold in ValidatorWithdrawalVault.distributeRewards. As a result both ETH balances belonging to rewards and staked ETH will be distributed. Proof of Concept Both consensus layer rewards and "32...
pause/unpause functionalities not implemented in many pausable contracts
Lines of code Vulnerability details Impact The following contracts : SocializingPool, StaderOracle, OperatorRewardsCollector and Auction are supposed to be pausable as they all inherit from PausableUpgradeable but they don't implement the external pause/unpause functionalities which means it will...
Challenger can change the output root or delete output root arbitrarily to authorize invalid withdrawal or block withdrawal infinitely
Lines of code Vulnerability details Impact Challenger can change the output root or delete output root arbitrarily Proof of Concept In the OptimismPortal.sol, when prove and finalize the transaction the output root needs to be verified // Grab the OutputProposal from the L2OutputOracle, will...
Chainlink's latestRoundData might return stale or incorrect results
Lines of code Vulnerability details Impact The getPORFeedData function in the contract StaderOracle.sol fetches the asset price from a Chainlink aggregator using the latestRoundData function. However, there are no checks on roundID, resulting in stale prices. The oracle wrapper calls out to a...
Lack of Event Signature Verification
Lines of code Vulnerability details Impact The functions submitExchangeRateData, submitSDPrice, and submitValidatorStats emit events without verifying the signature of the calling contract. Malicious contracts can exploit this by emitting events with misleading information, potentially deceiving...
cancelUnstake lack payoutRewards before mint shares
Lines of code Vulnerability details cancelUnstake will cancel the withdrawal request in the queue can mint shares as the current stakeRate. But it doesn't payoutRewards before mintStakes. Therefore it will mint stRsr as a lower rate, which means it will get more rsr. Impact Withdrawers in the...
Lack of expiration time for cross-chain message passing
Lines of code Vulnerability details Lack of expiration time for cross-chain message passing Summary Lack of expiration time for cross-chain message passing Vulnerability Detail In the current implementation, the L1CrossDomainMessagern.sol inherits from CrossDomainMessager.sol and...
Manager and DEFAULT_ADMIN_ROLE can create a scenario where user deposits more than he is permitted to withdraw
Lines of code Vulnerability details Impact manager and DEFAULT_ADMIN_ROLE can update conflicting values as max deposit limit and max withdrawal limit, where maxDepositAmount is than maxWithdrawAmount. Users will be able to deposit more than they are permitted to withdraw. considering the extremes i...
Legacy version check should be removed to avoid double relaying message in CrossDomainMessager.sol
Lines of code Vulnerability details Impact Legacy version check should be removed to avoid double relaying message Proof of Concept In Optimism bedrock implementation, to handle the pre-bedrock migration, there is code check to make sure the transaction that finalized and relayed in pre-bedrock...
Unauthorized Access and Control in Proxy Contract
Lines of code Vulnerability details Summary: The code contains a bug that can lead to unauthorized access and control over the contract. This bug allows any caller, even those who are not the owner or address(0), to bypass the intended access control mechanisms and execute arbitrary code on the...
Loss of airdropped Token or NFT in NFT Bridge
Lines of code Vulnerability details Impact Loss of airdropped Token or NFT in NFT Bridge and Token Bridge Proof of Concept Contract L1ERC721Bridge is for bridging NFTs from L1 to L2 and it holds all the bridged NFTs. Most of the NFT projects would airdrop new NFTs for previous owners or drop ERC2...
The owner is a single point of failure and a centralization risk.
Lines of code Vulnerability details Impact & Vulnerability Details. Having a single EOA as the only owner of contracts is a large centralization risk and a single point of failure, as this contract's owner can perform roles of high importance to the protocol. A single private key may be taken in a...
When deploying a contract in PermissionlessNodeRegistry.deployNodeELRewardVault(), an attacker can find out in advance the address of the future deployed contract and deploy his own at this address
Lines of code Vulnerability details Impact The address of the new contract depends solely on the salt parameter, which is calculated from user-provided data. Once a user's create transaction is broadcast, the parameters for calculating salt can be viewed by anyone viewing the public mempool. This...
User with large staked ETH can deny other stakers from withdrawing.
Lines of code Vulnerability details Description The withdraw flow of Stader is split in two steps, first the user has to requestWithdraw by passing his owned ETHx amount which add a new record to userWithdrawRequestsnextRequestId, second, finalizeUserWithdrawalRequest got called by any user to...
MISSING ACCESS CONTROL AND MISSING LOGICAL CHECKS IN PENALTY.sol
Lines of code Vulnerability details Impact In the penalty.sol contract anyone can call the markValidatorSettled... function to clear the penalty of an erring validator. Proof of Concept Anyone can clear the penalty of an erring validator without by calling markValidatorSettled... as the function...
Insecure State settleFunds function, state update
Lines of code Vulnerability details Impact The impact of this finding is that an unauthorized party can manipulate the state of the vaultSettleStatus variable before executing critical operations related to penalty marking, fund distribution, and reward deposits. This can potentially disrupt the...
Missing Return Statement in the poolAllocationForExcessETHDeposit function
Lines of code contracts/PoolSelector.sol#L76-L111 Vulnerability details Impact The poolAllocationForExcessETHDeposit(uint256 excessETHAmount) function is declared to return two arrays, but it does not contain a return statement. As a result, this function will always return two empty arrays regardle...
FRONT-RUNNING SUSCEPTIBILITY IN ADDBID()
Lines of code Vulnerability details Impact Auction.addBid is susceptible to front-running attacks. This vulnerability presents a significant risk as participants with adequate knowledge or skill could manipulate Ethereum transaction ordering to gain undue advantage, potentially compromising the...
The admin address used in initialize function, can behave maliciously
Lines of code Vulnerability details N.B : This bug is different that the other one titled "Risk of losing admin access if updateAdmin set with same current admin address". Both issues are related to access control, but the impact, root cause and bug fix are different, so DO NOT mark it as dupliat...
Tokens can be lost when trying to deposit in SDCaollateral.depositSDAsCollateral() or trying to withdraw SDCaollateral.withdraw()
Lines of code Vulnerability details Impact Some tokens do not return the success of the token submission. Because Since we don’t know for sure how the SD token is implemented, we need to take this into account. Proof of Concept A detailed example is listed in: Tools Used Manual audit Recommended...
getPORFeedData() doesn't validate price feed answers (totalETHBalanceInInt and totalETHXSupplyInInt) before casting to uint256
Lines of code Vulnerability details Impact If a negative value is returned 0 from chainlink oracle and the value is cast to type uint256, the resulting value will be the unsigned representation of that value which will be an inaccurate price. Also, cases where sdprice can't be less than 0 will...
The claim() function has a reentrancy vulnerability
Lines of code Vulnerability details Impact The claim function has a reentrancy vulnerability. In the function, the UtilLib.sendValue function is called before emitting the Claimed event. This violates the "check-effect-interaction" model, which is a best practice for secure smart contract...
No stale data check on data being read from POR feed
Lines of code Vulnerability details Impact Stale data of exchange rate data being used protocol, resulting in loss in terms of ETHX being minted at stale exchange rate which won't have accounted for new reward Recommended Mitigation Steps Check lastUpdatedAt timestamp and that it is within...
accountsMap[ADMIN] not set in initialize function of StaderConfig contract
Lines of code Vulnerability details Impact When initializing the StaderConfig contract with the initialize function, the admin address is not set in accountsMap[ADMIN] variable, so the getAdmin function will return address(0). This will cause the loss of the ownership of the VaultProxy contract as it...
Stader OPERATOR is single point of failure
Lines of code Vulnerability details Impact The OPERATOR role holds a lot of power within the system, which can compromise both the system integrity and its permission-less nature. Proof of Concept The OPERATOR key is responsible for confirming marking each validator submitted key as either...
Oracle timeout at rebalance will result in a sell-off of all RSRs at 0 price
Lines of code Vulnerability details When creating the trade for rebalance, the RecollateralizationLibP1.nextTradePair uses uint192 low, uint192 high = rsrAsset.price; // UoA/tok to get the rsr sell price. And the rsr assert is a pure Assert contract, which price function will just return 0, FIXMA...
stake before unfreeze can take away most of rsr rewards in the freeze period
Lines of code Vulnerability details If the system is frozen, the only allowed operation is stRST.stake. And the payoutRewards is not called during freeze period: if !main.frozen payoutRewards; function payoutRewards external requireNotFrozen; payoutRewards; So the payoutLastPaid stays before the...
No way out of the loop if operator not active
Lines of code Vulnerability details Impact There is no way out of the loop if operator not active. do if !operatorStructByIdi.active continue; uint256 remainingCapacity = validatorPerOperatorGreaterThanZero ? remainingOperatorCapacityi : getOperatorQueuedValidatorCounti; uint256 newSelectedCapaci...
ERC20 token bridge does not support token with different decimals
Lines of code Vulnerability details ERC20 token bridge does not support token with different decimals Summary ERC20 token bridge does not support token with different decimals Vulnerability Detail In the current implementation: User can perform ERC20 cross-chain transfer via token bridge. Let us...
Technically the seven days period is not guaranteed and it's possible for the challenger to delete a withdrawal even if it hasn't been challenged during the seven days
Lines of code Vulnerability details Proof of Concept There's an existing logic to prevent the CHALLENGER from deleting a l2Output after the finalization period has ended. This is done to prevent having user withdrawals blocked after the finalization period has elapsed without challenges. The...
Lack of claimRewards when manageToken in RevenueTrader
Lines of code Vulnerability details There is a dev comment in the Assert.sol: DEPRECATED: claimRewards will be removed from all assets and collateral plugins The claimRewards is moved to the TradingP1.claimRewards/claimRewardsSingle. But when the RevenueTraderP1 trade and distribute revenues by...
Problem with Day values
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. In Solidity, block.timestamp makes use of seconds in calculating time but in the highlighted codes, the stated period and their comments were miscalculated. 7200 was referred to as 24 hours and was used...