Potential Integer Overflow/Underflow

Lines of code Vulnerability details Impact The functions insertSDPrice and getMedianValue manipulate arrays of uint256 values without explicitly checking for integer overflow or underflow. If the array lengths or calculations exceed the maximum or minimum values of uint256, it can result in...

VaultProxy implementation can be initialized by anyone and self-destructed

Lines of code Vulnerability details Impact When the VaultFactory contract is deployed and initialized, the initialise method on the newly created VaultProxy implementation contract is never called. As such, anyone can call that method and pass in whatever values they want as arguments. One...

Risk of losing admin access if updateAdmin set with same current admin address

Lines of code Vulnerability details N.B : This bug is different that the other one titled "The admin address used in initialize function, can behave maliciously". Both issues are related to access control, but the impact, root cause and bug fix are different, so DO NOT mark it as dupliate of the...

Using transferFrom on ERC20 tokens transfer

Lines of code Vulnerability details Impact The transferFrom method is used instead of safeTransferFrom which is not recommended. OpenZeppelin’s documentation discourages the use of transferFrom, use safeTransferFrom whenever possible Some tokens do not implement the ERC20 standard properly but ar...

The utilization of a hardcoded time value is incorrect when deployed to blockchains other than Ethereum

Lines of code Vulnerability details Medium Title: The utilization of a hardcoded time value is incorrect when deployed to blockchains other than Ethereum Impact The hardcoded value of the MINAUCTIONDURATION constant in the Auction contract becomes problematic when deploying the contracts on faste...

When deploying contracts in PermissionedNodeRegistry.deployWithdrawVault(), PermissionlessNodeRegistry.deployWithdrawVault(), an attacker can find out in advance the address of the future deployed contract and deploy his own at this address

Lines of code Vulnerability details Impact The address of the new contract depends solely on the salt parameter, which is calculated from user-provided data. Once a user's create transaction is broadcast, the parameters for calculating salt can be viewed by anyone viewing the public mempool. This...

sell reward rTokens at low price because of skiping furnace.melt

Lines of code Vulnerability details Impact The reward rToken sent to RevenueTrader will be sold at a low price. RSR stakers will lose some of their profits. Proof of Concept RevenueTraderP1.manageToken function is used to launch auctions for any erc20 tokens sent to it. For the RevenueTrader of t...

EVENT EMITTED WITHOUT ACTION

Lines of code Vulnerability details Impact A malicious validator can remain in the system after exceeding it's exit penalty threshold. This poses a risk to users and a possible reputation risk to the protocol. Proof of Concept In the updateTotalPenaltyAmount... function, when the validators...

Attacker can steal CrossDomainMessenger and OptimismPortal token balances or tokens of anyone give approval for those contracts

Lines of code Vulnerability details Impact Contracts CrossDomainMessenger and OptimismPortal are part of the bridge protocol and they are responsible for sending messages between two network. they both call arbitrary address with arbitrary data that user specified and it would give attacker to...

selfdestruct(self) does not clear balance

Lines of code Vulnerability details Impact Balance is stored in OVMETH contract, function opSuicide increments it, then Sucide does not change it, at the end of function it will be decremented. Which means it will not be changed. Proof of Concept // SPDX-License-Identifier: GPL-3.0 pragma solidit...

The _poolId and _id values are not within the expected range and not performing appropriate bounds checking in the VAULTPROXY contract

Lines of code Vulnerability details Impact When the poolId and id values are not within the expected range and appropriate bounds checking is not performed in the contract, it can result in high risk and vulnerabilities. Here are some potential risks and vulnerabilities that can arise: 1. Invalid...

Exchange rate is stale for deposit to calculate shares

Lines of code Vulnerability details Impact The attacker can take profit with the delayed exchange rate updating mechanism. He can deposit to the protocol to take a share of large mev reward generated by the protocol before the exchange rate update. Proof of Concept The getExchangeRate function is...

Aunction DOS

Lines of code Vulnerability details Impact All auction functions are under a potential DOS or exploitability vulnerability A 2 day duration is added to the current block.number when creating a lot. This introduces a critical flaw, Adding 2 86400correct value of 2 days / 27200wrong value used in...

Cross contract reentrancy attack through changing the xDomainMsgSender

Lines of code Vulnerability details Impact The use of the guaranteed safe CrossDomainMessenger for withdrawals can result in permanent blockages when the recipient address interacts with external addresses, which is an important feature for interoperability and is expected to be widely utilized...

Bug on e handling of excess ETH deposits

Lines of code Vulnerability details The StaderStakePoolsManager contract contains a critical bug that could lead to financial loss and system instability. The bug is related to the handling of excess ETH deposits and the calculation of available ETH for new deposits. Bug Description: In the...

Lack of Access Control

Lines of code Vulnerability details Impact The contract does not enforce proper access control mechanisms for critical functions such as deployWithdrawVault, deployNodeELRewardVault, updateStaderConfig, and updateVaultProxyAddress. As a result, any address can call these functions and potentially...

Incorrect Handling of Return Value in onlyWhenNotPaused Modifier

Lines of code Vulnerability details Description: contract named "L1ChugSplashProxy" which is a proxy contract with additional functionality for code and storage modification. However, there is a bug in the code that needs to be addressed. Bug: The bug is in the modifier onlyWhenNotPaused function...

A trusted node has the ability to submit the ExchangeRate multiple times for a single reportingBlockNumber.

Lines of code Vulnerability details Impact In this code, a trusted node can submit data several times. The trusted node can submit ExchangeRateData and then it can submit different data again about same reportingBlockNumber. This will occur mess of staderOracle contract, so it will be needed to b...

The increaseTotalValidatorActiveCount in PermissionedPool incorrectly adds requiredValidators instead of validatorToDeposit

Lines of code Vulnerability details Impact When the Stader Stake Pools Manager calls stakeUserETHToBeacon chain, it does so calculating the requiredValidators that can be added to the pool. The function internally also uses the allocateValidatorsAndUpdaterOperatorId to compute each operator's...

Recipient address is not appropriately validated or sanitized in the BaseFeeVault contract (loss of funds)

Lines of code Vulnerability details Impact If the recipient address is not properly validated, an attacker could supply a malicious address as the recipient. This could result in the accumulated fees being sent to an unintended or unauthorized party. It could lead to financial loss or disruption ...

The owner is a single point of failure and a centralization risk

Lines of code Vulnerability details Impact Having a single EOA as the only owner of contracts is a large centralization risk and a single point of failure. A single private key may be taken in a hack, or the sole holder of the key may become unable to retrieve the key when necessary. Similar...

PoolSelector.computePoolAllocationForDeposit could return an unfair value.

Lines of code Vulnerability details Impact When calling StaderStakePoolsManager.validatorBatchDeposit, it calls PoolSelector.computePoolAllocationForDeposit to get the validator count to deposit for the pool. It calculates the count based on the capacity and the weight of the pool. However,...

depositERC20To() and withdrawTo() is missing onlyEOA() modifier - Leading to loss of user funds

Lines of code Vulnerability details Impact StandardBridge.sol contract has a modifier called onlyEOA. The comment says 132 / 133 @notice Only allow EOAs to call the functions. Note that this is not safe against contracts 134 calling code within their constructors, but also doesn't really matter...

Anyone Can selfdestruct The VaultProxy Contract.

Lines of code Vulnerability details Vulnerability Details -Since the initialise function is missing initializer modifier as it's inteded to be not protected as per ETHx smart contract functions documentation , And Since VaultFactory contract doesn't initialize the VaultProxy upon its initializati...

NodeOperator will steal other NodeOperators' validators through frontrunning

Lines of code Vulnerability details Impact People that want to earn staking rewards, but do not have the resources to run validators, will see Stader as an avenue where they can easily steal and use others validators and they will actually earn Operator rewards from Stader. This could lead to two...

Underpaying Optimism l2gas(_minGasLimit) may lead to loss of funds

Lines of code Vulnerability details Impact The contract L1StandardBridge.sol is susceptible to a vulnerability where underpaying the l2Gashere in all contract, it used as "minGasLimit" value provided by users can result in a potential loss of funds. This vulnerability exists in the depositERC20 a...

Lack of reentrancy protection in L1ERC721Bridge.sol

Lines of code Vulnerability details Summary Calling IERC721.transferFrom in the L1ERC721Bridge.initiateBridgeERC721 after writing the deposit makes a reentrancy attack possible if there is a callback before transfer in the localToken contract we will name such a contract ERC721Callback...

Adding Block.number to Block.timestamp

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. In the highlighted functions, the lastExcessETHDepositBlock is updated every time the function depositETHOverTargetWeight is called because it is set to the last block.number. If the function is called...

The owner is a single point of failure and a centralization risk (06 Instances)

Lines of code Vulnerability details Impact Having a single EOA as the only owner of contracts is a large centralization risk and a single point of failure. A single private key may be taken in a hack, or the sole holder of the key may become unable to retrieve the key when necessary. Tools Used...

An oracle deprecation might lead the protocol to sell assets for a low price

Lines of code Vulnerability details During a Dutch Auction, if a user places a bid, the trade is settled in the same transaction. As part of this process, the backing manager tries to call the rebalance function again. The call to rebalance is wrapped in a try-catch block, if an error occurs and...

Upgraded Q -> 2 from #28 [1686212158430]

Judge has assessed an item in Issue 28 as 2 risk. The relevant finding follows: L-9 Griefer can DoS lender NFT withdrawals --- The text was updated successfully, but these errors were encountered: All reactions...

Custom redemption might revert if old assets were unregistered

Lines of code Vulnerability details quoteCustomRedemption works under the assumption that the maximum size of the erc20sAll should be assetRegistry.size, however there can be cases where an asset was unregistered but still exists in an old basket, making the size of the old basket greater than...

Attacker can disable basket during un-registration, which can cause an unnecessary trade in some cases

Lines of code Vulnerability details At the mitigation contest there was an issue regarding the basketHandler.quantity call at the unregistration process taking up all gas. As a mitigation to that issue the devs set aside some gas and use the remaining to do that call. This opens up to a new kind ...

Upgraded Q -> 2 from #240 [1686228586164]

Judge has assessed an item in Issue 240 as 2 risk. The relevant finding follows: L-04 --- The text was updated successfully, but these errors were encountered: All reactions...

Use of wrong Library file directory

Lines of code Vulnerability details Impact Importing the wrong library file path in the Vault Factory contract can pose several risks: Functionality Issues: If you import the wrong library, the functions and features you expect to use may not be available or may behave differently. This can lead ...

cancelUnstake() doesn't payout rewards first

Lines of code Vulnerability details The new cancelUnstake function allows users to cancel their unstaking, by taking the user's drafts and minting it again. However, since the payoutRewards isn't being called this means that the user would get rewards for the period between the last time...

Custom redemption can be used to get more than RToken value, when an upwards depeg occurs

Lines of code Vulnerability details Custom redemption allows to redeem RToken in exchange of a mix of previous baskets as long as it's not more than the prorata share of the redeemer. The assumption is that previous baskets aren't worth more than the target value of the basket. However, a previou...

Upgraded Q -> 2 from #240 [1686228552856]

Judge has assessed an item in Issue 240 as 2 risk. The relevant finding follows: L-02 --- The text was updated successfully, but these errors were encountered: All reactions...

Upgraded Q -> 3 from #240 [1686228527253]

Judge has assessed an item in Issue 240 as 3 risk. The relevant finding follows: L-01 --- The text was updated successfully, but these errors were encountered: All reactions...

Pausing Optimism Portal only pauses withdrawals, can result in locked or lost funds

Lines of code Vulnerability details The comment over OptimismPortal.pause indicates pause should affect both deposits and withdrawls. Currently, only finalizeWithdrawalTransaction and proveWithdrawlTransaction implement the whenNotPaused modifier. Both depositTransaction and donateETH do not...

Withdrawal with gas limit more than 28_750_517 can never be executed with CrossDomainMessenger

Lines of code Vulnerability details Impact Withdrawal with gas limit more than 28750517 can never be executed with CrossDomainMessenger. User that will initiate such withdrawal will loose his funds and will not be able to execute the withdrawal, because of reaching maximum block gas limit. Proof ...

Upgraded Q -> 2 from #48 [1686129354989]

Judge has assessed an item in Issue 48 as 2 risk. The relevant finding follows: CALLING transfer FUNCTION TO SEND ETH CAN REVERT --- The text was updated successfully, but these errors were encountered: All reactions...

A new era might be triggered despite a significant value being held in the previous era

Lines of code Vulnerability details When RSR seizure occurs the staking and drafting rate is adjusted accordingly, if any of those rates is above some threshold then a new era begins draft or staking era accordingly, wiping out all of the holdings of the current era. The assumption is that if the...

Upgraded Q -> 2 from #23 [1686021624118]

Judge has assessed an item in Issue 23 as 2 risk. The relevant finding follows: rageQuit cannot transfer ERC1155 fungible tokens --- The text was updated successfully, but these errors were encountered: All reactions...

onlyEOA modifier can be bypassed and leads to loss of user funds(Openzeppelin removed isContract function check)

Lines of code Vulnerability details Impact The onlyEOA modifier is extensively used in L1 as well as L2 smart contracts. It is designed to restict certain operations to Externally Owned accountEOA. However, the vulnerability exist that may allow the malicious contract to bypass this restriction...

[M-01] Unprotected function in Constructor

Lines of code Vulnerability details Impact anyone can deploy the contract, potentially with malicious intent. Proof of Concept The constructor is not protected by any access control mechanism. Recommended Mitigation Steps Add access control to the constructor, such as an Ownable pattern, to ensur...

Loss of user funds due to gas Limit set to zero on L2StandardBridge

Lines of code Vulnerability details Impact User loss of funds in the event a deposit fails. Proof of Concept In L2StandardBridge.finalizeDeposit, there exists an issue related to the gas limit setting. In the event of a failed transfer, it attempts to create a return transaction to refund the use...

Upgraded Q -> 2 from #9 [1685982867794]

Judge has assessed an item in Issue 9 as 2 risk. The relevant finding follows: Users might lose funds after calling rageQuit by malicious frontrunners. --- The text was updated successfully, but these errors were encountered: All reactions...

[M-02] Not having Self-Destruct Functions

Lines of code Vulnerability details Impact The contract does not have a self-destruct function, making it impossible to remove the contract from the blockchain once it's deployed. Recommended Mitigation Steps add a self-destruct function with proper access control to allow the contract to be...

Upgraded Q -> 2 from #17 [1685982856814]

Judge has assessed an item in Issue 17 as 2 risk. The relevant finding follows: Ragequit can be frontrun by distribute call to cause losses to user who is ragequitting --- The text was updated successfully, but these errors were encountered: All reactions...