Partial fill when swapping can cause ETH amount that is difference between _delegateAllocation.amount and _amountToSend to be locked in JBXBuybackDelegate contract

Lines of code Vulnerability details Impact When calling the following JBPayoutRedemptionPaymentTerminal31.pay function, if delegateAllocations.length != 0 is true, delegateAllocation.delegate.didPayvalue: payableValuedata can be executed, which sends delegateAllocation.amount as msg.value to the...

Check if the token of projectId matches the projectToken of the JBXBuybackDelegate

Lines of code Vulnerability details Impact At line 202, the amountReceived returned by the swap function is based on the projectToken defined in JBXBuybackDelegate. This will incorrectly trigger the mint function and because there is no verification of projectToken, it will mistakenly mint...

arbitrary reservedRate value will result the next swap to be wrongly executed

Lines of code Vulnerability details Impact the function "payParams" will set the variable reservedRate without checking the effective value of that param,in fact if someone decides to call the "payParams" function passing as data.reservedRate a number 10k will result in the next swap that will...

Setting the slippage tolerance incorrectly can result in users losing funds

Lines of code JBXBuybackDelegate.solL156 Vulnerability details Impact Since the slippage parameter is also passed from the frontend, we need to validate the magnitude of the parameter value，if slippage == SLIPPAGEDENOMINATOR ，users may be vulnerable to sandwich attacks during the Uniswap swapping...

[M-01] Access control in *payParams* function

Lines of code Vulnerability details Impact Anyone can call this function and change mutex parameters. In this case we have a potential risk that malicious user can try to send several transactions: one from terminal and parallel one from other address and try front-run them to play for example wi...

TEST Med

Lines of code L1 Vulnerability details test medium Assessed type Access Control --- The text was updated successfully, but these errors were encountered: All reactions...

M-01 Unmitigated

Lines of code L1 Vulnerability details Lines of code L1 Vulnerability details Confirmed --- The text was updated successfully, but these errors were encountered: All reactions...

DoS while calling pay() for the first time when the JBXBuybackDelegate.sol would not have any project's token

Lines of code Vulnerability details Impact 1. Let us assume a user calls the pay function in the JBPayoutRedemptionPaymentTerminal31.sol or the JBETHPaymentTerminal31.sol for the first time. By "for the first time", I mean that the JBXBuybackDelegate.sol does not have any of the project's tokens ...

Failure to check reservedRate can lead to a decrease in assets

Lines of code Vulnerability details Impact The payParams function takes the data parameter, which contains the reservedRate. If reservedRate exceeds MAXRESERVEDRATE, then this causes nonReservedToken to be incremented. This results in a decrease in assets and a larger mint. Proof of Concept...

Verify the correspondence between trading pairs and pools

Lines of code Vulnerability details Impact It may cause the correct ProjectToken to be locked, and transfer the wrong ProjectToken to the beneficiary. Proof of Concept Add test USDC after line 78 in the test file. IERC20 usdc = IERC200xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48; Modify line 142...

If, as a result of the calculation, _tokenCount = 0, then this may lead to incorrect execution of the _mint function(_data, _tokenCount).

Lines of code Vulnerability details Impact If the payParams function receives null values in data, then uint256 tokenCount = PRBMath.mulDivdata.amount.value, data.weight, 10 18 may result in a null value. Proof of Concept If, as a result of the calculation, tokenCount = 0, then this may lead to...

Invalid conversion uint256 -> int256

Lines of code Vulnerability details Impact Invalid conversion uint256 - int256 in pool.swap.... The number may be incorrectly converted uint256 data.amount.value - int256 amountSpecified. As a result, number truncation may occur. Proof of Concept typeuint256.max =...

Lack checks if Pool deployed by the canonical UniswapV3Factory in uniswapV3SwapCallback

Lines of code Vulnerability details Impact Loss of deserved tokens or DoS when users use this contract. Proof of Concept According to the uniswap docs: The caller of this method must be checked to be a UniswapV3Pool deployed by the canonical UniswapV3Factory. However, there is no check in this...

Incorrect setting of sqrtPriceLimitX96 in protocol

Lines of code Vulnerability details Impact The pool.swap function in the swap attempts to execute a swap. As the code below ,The sqrtPriceLimitX96 is set based on the value of projectTokenIsZero. If projectTokenIsZero is true, sqrtPriceLimitX96 is set to TickMath.MAXSQRTRATIO - 1; otherwise, it i...

Return values of weth.transfer() not checked

Lines of code Vulnerability details Impact Return values of weth.transfer not checked Proof of Concept The function weth.transfer has a boolean return value function transferaddress dst, uint wad public returns bool return transferFrommsg.sender, dst, wad; and they indicate errors that way instea...

Improper configuration in JBXBuybackDelegate can cause swaps to fail everytime

Lines of code Vulnerability details Impact Improperly configured direction of swap in JBXBuybackDelegate can cause the calls to swap tokens in Uniswap V3 pool to fail everytime. So if the ideal path is token swap over minting, swaps will fail and new project token will be minted instead Proof of...

No guard for mintedAmount or reservedRate

Lines of code Vulnerability details Impact mintedAmount and reservedRate are supposed to have mutex functionality, based from the comments. Yet, those are set or used without any restrictions, without any mutex logic. Since mintedAmount designates the amount of tokens to mint and reservedRate...

Swap leftovers are locked in the JBXBuybackDelegate

Lines of code Vulnerability details Vulnerability details In case that the project JBToken address is bigger than WETH address, projectTokenIsZero is set to false. The test cases of buyback delegate only cover the situation, where the JBToken is lower than WETH. constructor IERC20 projectToken,...

Mutexes can be tampered with to increase gas costs

Lines of code Vulnerability details Impact An attacker can set mintedAmount and reservedRate to 0 which incurs greater gas fees when calling payParams. In the worst case this might cause the transaction to revert if the gas limit was tightly set to the expected gas cost. Proof of Concept...

REENTRANCY IN THE ERC777 PROJECT TOKEN, CAN LEAD TO INCONSISTENT STATE OF THE CONTRACT DURING TRANSACTION

Lines of code Vulnerability details Impact In the JBXBuybackDelegate.swap function there is a possbile reentrancy vulnerability. If the projectToken is a ERC777 token then the data.beneficiary can reenter the contract by calling the JBXBuybackDelegate.payParams external function to mint more...

didPay() front-running

Lines of code Vulnerability details Impact The minting flow of tokens in JBXBuybackDelegate is divided into separate external functions: payParams and didPay. The didPay function can only be called by jbxTerminal, while payParams can be called by anyone without restrictions. The payParams functio...

Delegate uses incorrect parameter for the token amount

Lines of code Vulnerability details Delegate uses incorrect parameter for the token amount The delegate implementation uses the incorrect "amount" parameter from the JBDidPayData struct that is sent to the didPay function. Impact The implementation of the pay function in the terminal builds the...

Delegate architecture forces users to set zero slippage

Lines of code Vulnerability details Delegate architecture forces users to set zero slippage The design of the delegate forces users to set a zero value for the minReturnedTokens parameter when calling pay in the terminal. Technical details In order to implement the swap functionality, the...

Some Functions Should Be Marked payable As They Handling ETH

Lines of code Vulnerability details Impact functions should be payable otherwise shows unintentional errors Proof of Concept These below functions are should be payable, function mintJBDidPayData calldata data, uint256 amount internal IJBController controller =...

Delegate doesn't verify payed ETH value matches amount in parameter

Lines of code Vulnerability details Delegate doesn't verify payed ETH value matches amount in parameter The JBXBuybackDelegate delegate fails to check that the sent ETH amount matches the value passed in the amount parameter. Impact The payable didPay function present in the delegate is called by...

ETH CAN GET LOCKED IN THE CONTRACT DURING THE EXECUTION OF _swap() FUNCTION

Lines of code Vulnerability details Impact In the JBXBuybackDelegate delegate contract, if the swap option is selected after comparing the quote, the JBXBuybackDelegate.swap function will swap the data.amount.value amount of ETH in the following pool.swap call. try pool.swap recipient: addressthi...

Delegate should check that terminal is operating with ETH as the terminal token

Lines of code Vulnerability details Delegate should check that terminal is operating with ETH as the terminal token The JBXBuybackDelegate implementation is only prepared to operate with ETH as the terminal token. The implementation should check that the JuiceBox terminal matches this case. Impac...

Amount of project token minted to beneficiary by JBXBuybackDelegate._mint function is not checked against an expected minimum number of project tokens to be minted to such beneficiary

Lines of code Vulnerability details Impact Calling the following JBPayoutRedemptionPaymentTerminal31.pay function executes fundingCycle, tokenCount, delegateAllocations, memo = store.recordPaymentFrompayer, bundledAmount, projectId, baseWeightCurrency, beneficiary, memo, metadata. File:...

transfer() method can lead to re-entrancy attack

Lines of code Vulnerability details Impact The contract in scope has a withdraw function namely ‘uniswapV3SwapCallback’ which sends funds to the calling address. The calling address can be a malicious contract. Currently transfer sends more gas than 2300 creating a potential attack vector for...

Potential frozen projectTokens due to discrepancy in reservedRate

Lines of code Vulnerability details The handling of projectToken in swap follows 3 steps: Burn all the reserved token in the delegate 293: controller.burnTokensOf 294: holder: addressthis, 295: projectId: data.projectId, 296: tokenCount: reservedToken, 297: memo: "", 298: preferClaimedTokens: tru...

Swaps in Uniswap V3 may be partial

Lines of code Vulnerability details Swaps in Uniswap V3 may be partial Uniswap V3 pools may execute a swap partially, in which case it may leave an unhandled amount of WETH in the JBXBuybackDelegate contract. Impact Swaps in Uniswap V3 can eventually be executed partially, if liquidity is not...

Contributors will be unable to fund a project if UNISWAP token swapping is recommended over minting in JBXBuybackDelegate data source

Lines of code Vulnerability details Impact A core function of the juice-buyback contract, which is to maximise the project tokens received by the contributor, won't work whenever a swap from Uniswap V3 pool provides more tokens over minting because the transaction will revert. This can cause the...

Anyone can front-rundidPay calling payParams to grief swaps and mints

Lines of code Vulnerability details Impact The payParams function in the IJBPayDelegate contract does not currently have any form of access control implemented. This could allow a malicious user to manipulate the mintedAmount and reservedRate state variable, which can interfere with the correct...

MALICIOUS USER CAN USE LOCKED ETH OF THE CONTRACT TO MINT HIGHER NUMBER OF TOKENS OR SWAP AND RECIEVE MORE TOKENS THAN HE IS ELIGIBLE

Lines of code Vulnerability details Impact In the JBXBuybackDelegate contract, the terminal token is considered to be ETH as of now according to documentation. Hence both the mint and swap functionality uses the data.amount.value as the ETH amount for new token minting or swapping. In the...

Malicious user can Mint infinite amount of project tokens as anyone can call payParams function through malicious input and set the _tokenCount .

Lines of code Vulnerability details Impact Malicious user can Mint infinite amount of project tokens as anyone can call payParams function through malicious input and set the tokenCount. The payparams function calculates the tokenCount variable which refers to the amount of token to be minted or...

eth is being sent to an arbitrary user

Lines of code Vulnerability details Impact unauthorized access to this function could lead to unauthorized balance modifications Dangerous calls: — jbxTerminal.addToBalanceOfvalue: data.amount.valuedata.projectId,data.amount.value,JBTokens.ETH,,new bytes0 Tools Used Slither Analysis Recommended...

Should check for _data.amount.value

Lines of code Vulnerability details Impact msg.value is not checked in didPay, if swap is not successful, the eth amount sent back to the terminal is data.amount.value, which is provided by the user. If there is leftover eth in the contract, the fund could be stolen. Proof of Concept Some eth cou...

Minting exposes beneficiaries to unlimited slippage while minting the token out, sending back the token in the terminal.

Lines of code Vulnerability details Impact The amount of tokens minted/assets received when minting can be manipulated to an unlimited extent by manipulating the reserves of the pool. Proof of Concept Here the mint function mints the tokens out to the beneficiary. However the Delegate can't speci...

Unsafe cast in swap and uniswapV3SwapCallback functions can lead to attack

Lines of code Vulnerability details Impact The swap and uniswapV3SwapCallback functions performs an unsafe cast of a uint256 type to a signed integer. amountReceived = uint256-projectTokenIsZero ? amount0 : amount1; Note that amount is chosen by the caller and when choosing amount = 2256 - 1, thi...

Always mint 1 wei when _data.preferClaimedTokens is false

Lines of code Vulnerability details Impact File: JBXBuybackDelegate.sol 183 function didPayJBDidPayData calldata data external payable override --skip-- 188 uint256 tokenCount = mintedAmount; 189 mintedAmount = 1; --skip-- 200 if data.preferClaimedTokens --skip-- 206 else 207 mintdata, tokenCount...

The return value of an external transfer call is not checked on the function uniswapV3SwapCallback in the contract named JBXBuybackDelegate

Lines of code Vulnerability details Impact Several tokens do not revert in case of failure and return false. If one of these tokens is used in MyBank, deposit will not revert if the transfer fails, and an attacker can call deposit for free...

Upgraded Q -> 2 from #597 [1684599709636]

Judge has assessed an item in Issue 597 as 2 risk. The relevant finding follows: L9 --- The text was updated successfully, but these errors were encountered: All reactions...

mintedAmount and reservedRate mutex not working

Lines of code Vulnerability details Impact File: JBXBuybackDelegate.sol 101 / 102 @notice The amount of token created if minted is prefered 103 104 @dev This is a mutex 1-x-1 105 / 106 uint256 private mintedAmount = 1; 107 108 / 109 @notice The current reserved rate 110 111 @dev This is a mutex...

Upgraded Q -> 2 from #597 [1684599598059]

Judge has assessed an item in Issue 597 as 2 risk. The relevant finding follows: L4 --- The text was updated successfully, but these errors were encountered: All reactions...

Overflow in _swap() change the behavior of pool.swap()

Lines of code Vulnerability details Impact In swap, amountSpecified is set to int256data.amount.value. But data.amount.value is an uint256. If data.amount.value is bigger than typeint256.max, amountSpecified becomes a negative value due to overflow. And a negative amountSpecified means a complete...

TEST-high risk

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used Recommended Mitigation Steps Assessed...

New finding

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used Recommended Mitigation Steps Assessed...

TEST-medium

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used Recommended Mitigation Steps Assessed...

Attacker can front-run didPay() by calling payParams() to set mintedAmount & reservedRate, reducing output amount

Lines of code Vulnerability details Impact Attacker can front-run didPay by calling payParams to set mintedAmount & reservedRate. This will reduce the output amount the caller to didPay was expecting to receive. Proof of Concept Anyone can call payParams and provide arbitrary input to set...

Upgraded Q -> 2 from #404 [1684435083624]

Judge has assessed an item in Issue 404 as 2 risk. The relevant finding follows: Global Budget Constraint is said to be 2% in Docs But It Is 3% in The code Description: In the docs it is mentioned that Global Budget Constraint should be 2% but in the code here it is hardcoded to 3%. --- The text...