Lack of check that the Pool was deployed by the canonical UniswapV3Factory in uniswapV3SwapCallback
Lines of code Vulnerability details Impact Loss of deserved tokens or DoS when users use this contract. Proof of Concept According to the uniswap docs: The caller of this method must be checked to be a UniswapV3Pool deployed by the canonical UniswapV3Factory. However, there is no check in this...
Return values of weth.transfer() not checked
Lines of code Vulnerability details Impact Return values of weth.transfer not checked Proof of Concept The function weth.transfer has a boolean return value function transfer(address dst, uint wad) public returns (bool) { return transferFrom(msg.sender, dst, wad); } and they indicate errors that way instea...
Setting the slippage tolerance incorrectly can result in users losing funds
Lines of code JBXBuybackDelegate.solL156 Vulnerability details Impact Since the slippage parameter is also passed from the frontend, we need to validate the magnitude of the parameter value, if slippage == SLIPPAGEDENOMINATOR, users may be vulnerable to sandwich attacks during the Uniswap swapping...
Delegate uses incorrect parameter for the token amount
Lines of code Vulnerability details Delegate uses incorrect parameter for the token amount The delegate implementation uses the incorrect "amount" parameter from the JBDidPayData struct that is sent to the didPay function. Impact The implementation of the pay function in the terminal builds the...
Delegate should check that terminal is operating with ETH as the terminal token
Lines of code Vulnerability details Delegate should check that terminal is operating with ETH as the terminal token The JBXBuybackDelegate implementation is only prepared to operate with ETH as the terminal token. The implementation should check that the JuiceBox terminal matches this case. Impac...
Missing "if (beneficiaryTokenCount < _minReturnedTokens) revert INADEQUATE_TOKEN_COUNT();" check in the _mint() function of the JBXBuybackDelegate.sol + DoS for the pay() function in the JBPayoutRedemptionPaymentTerminal3_1.sol (or the JBETHPaymentTerminal3_1.sol)
Lines of code Vulnerability details Impact The issue contains 2 parts: 1. The mint function has the "if (beneficiaryTokenCount < _minReturnedTokens) revert INADEQUATE_TOKEN_COUNT();" check missing. This check is used to identify whether the beneficiaryTokenCount amount is greater than or equal to the...
DoS while calling pay() for the first time when the JBXBuybackDelegate.sol would not have any project's token
Lines of code Vulnerability details Impact 1. Let us assume a user calls the pay function in the JBPayoutRedemptionPaymentTerminal31.sol or the JBETHPaymentTerminal31.sol for the first time. By "for the first time", I mean that the JBXBuybackDelegate.sol does not have any of the project's tokens ...
Delegate doesn't verify paid ETH value matches amount in parameter
Lines of code Vulnerability details Delegate doesn't verify paid ETH value matches amount in parameter The JBXBuybackDelegate delegate fails to check that the sent ETH amount matches the value passed in the amount parameter. Impact The payable didPay function present in the delegate is called by...
Invalid conversion uint256 -> int256
Lines of code Vulnerability details Impact Invalid conversion uint256 -> int256 in pool.swap.... The number may be incorrectly converted uint256 data.amount.value -> int256 amountSpecified. As a result, number truncation may occur. Proof of Concept type(uint256).max =...
No guard for mintedAmount or reservedRate
Lines of code Vulnerability details Impact mintedAmount and reservedRate are supposed to have mutex functionality, based from the comments. Yet, those are set or used without any restrictions, without any mutex logic. Since mintedAmount designates the amount of tokens to mint and reservedRate...
No deadline for swaps
Lines of code Vulnerability details Impact No deadline for swaps allows transactions to be executed later, unfavourably or maliciously. Proof of Concept When tokens are to be swapped rather than minted, slippage is controlled in uniswapV3SwapCallback by minimumAmountReceived which is calculated...
arbitrary reservedRate value will result in the next swap being wrongly executed
Lines of code Vulnerability details Impact the function "payParams" will set the variable reservedRate without checking the effective value of that param, in fact if someone decides to call the "payParams" function passing as data.reservedRate a number 10k will result in the next swap that will...
Delegate architecture forces users to set zero slippage
Lines of code Vulnerability details Delegate architecture forces users to set zero slippage The design of the delegate forces users to set a zero value for the minReturnedTokens parameter when calling pay in the terminal. Technical details In order to implement the swap functionality, the...
JBXBuybackDelegate.didPay() allows for positive slippage theft
Lines of code Vulnerability details Impact The JBXBuybackDelegate.didPay calls swap which utilizes the Uniswap's swap function. JBXBuybackDelegate incorporates a negative slippage check in uniswapV3SwapCallback. However, it fails to consider the deadline parameter of the transaction. The deadline...
If, as a result of the calculation, _tokenCount = 0, then this may lead to incorrect execution of the _mint function(_data, _tokenCount).
Lines of code Vulnerability details Impact If the payParams function receives null values in data, then uint256 tokenCount = PRBMath.mulDivdata.amount.value, data.weight, 10 18 may result in a null value. Proof of Concept If, as a result of the calculation, tokenCount = 0, then this may lead to...
WETH transfer may fail silently in 'uniswapV3SwapCallback' function and execution may stop without any reverts or notification.
Lines of code Vulnerability details Impact WETH transfer may fail silently in 'uniswapV3SwapCallback' function and execution may stop without any reverts or notification. Proof of Concept In the 'uniswapV3SwapCallback' function there are no checks on whether the WETH transfer has failed or not. If the...
didPay() front-running
Lines of code Vulnerability details Impact The minting flow of tokens in JBXBuybackDelegate is divided into separate external functions: payParams and didPay. The didPay function can only be called by jbxTerminal, while payParams can be called by anyone without restrictions. The payParams functio...
transfer() method can lead to re-entrancy attack
Lines of code Vulnerability details Impact The contract in scope has a withdraw function namely ‘uniswapV3SwapCallback’ which sends funds to the calling address. The calling address can be a malicious contract. Currently transfer sends more gas than 2300 creating a potential attack vector for...
Invalid
Lines of code Vulnerability details Assessed type Other
ETH CAN GET LOCKED IN THE CONTRACT DURING THE EXECUTION OF _swap() FUNCTION
Lines of code Vulnerability details Impact In the JBXBuybackDelegate delegate contract, if the swap option is selected after comparing the quote, the JBXBuybackDelegate.swap function will swap the data.amount.value amount of ETH in the following pool.swap call. try pool.swap recipient: addressthi...
Malicious user can Mint infinite amount of project tokens as anyone can call payParams function through malicious input and set the _tokenCount .
Lines of code Vulnerability details Impact Malicious user can Mint infinite amount of project tokens as anyone can call payParams function through malicious input and set the tokenCount. The payparams function calculates the tokenCount variable which refers to the amount of token to be minted or...
contract might not function due to lack of funds
Lines of code Vulnerability details Impact when the contract receives a Uniswap pool callback the contract performs some checks before it proceeds to call the weth.deposit with a msg.value that is equal to amountToSend to wrap eth and transfer it to the pool, however the contract is not guarantee...
M-01 Unmitigated
Lines of code L1 Vulnerability details Lines of code L1 Vulnerability details Confirmed
Swap leftovers are locked in the JBXBuybackDelegate
Lines of code Vulnerability details Vulnerability details In case that the project JBToken address is bigger than WETH address, projectTokenIsZero is set to false. The test cases of buyback delegate only cover the situation, where the JBToken is lower than WETH. constructor IERC20 projectToken,...
JBXBuybackDelegate swap pathway always reverts unless slippage is set to 100%
Lines of code Vulnerability details Impact The swap pathway will never work and it will revert due to a validation error unless the user specifies a slippage of 100%. This would be extremely harmful as it would let users be targeted by MEV bots. Proof of Concept This is the pathway to payParams:...
Swaps in Uniswap V3 may be partial
Lines of code Vulnerability details Swaps in Uniswap V3 may be partial Uniswap V3 pools may execute a swap partially, in which case it may leave an unhandled amount of WETH in the JBXBuybackDelegate contract. Impact Swaps in Uniswap V3 can eventually be executed partially, if liquidity is not...
Anyone can front-run didPay calling payParams to grief swaps and mints
Lines of code Vulnerability details Impact The payParams function in the IJBPayDelegate contract does not currently have any form of access control implemented. This could allow a malicious user to manipulate the mintedAmount and reservedRate state variable, which can interfere with the correct...
Some Functions Should Be Marked payable As They Handle ETH
Lines of code Vulnerability details Impact functions should be payable otherwise shows unintentional errors Proof of Concept The functions below should be payable, function mintJBDidPayData calldata data, uint256 amount internal IJBController controller =...
If the controller for _data.projectId is not defined, it can lead to incorrect execution of _swap() and theft of funds by the beneficiary.
Lines of code Vulnerability details Impact If the controller is not defined in the swap function, then it becomes impossible to mint and burn tokens, which leads to incorrect execution of the function. IJBController controller = IJBControllerjbxTerminal.directory.controllerOfdata.projectId; Proof...
REENTRANCY IN THE ERC777 PROJECT TOKEN, CAN LEAD TO INCONSISTENT STATE OF THE CONTRACT DURING TRANSACTION
Lines of code Vulnerability details Impact In the JBXBuybackDelegate.swap function there is a possible reentrancy vulnerability. If the projectToken is an ERC777 token then the data.beneficiary can reenter the contract by calling the JBXBuybackDelegate.payParams external function to mint more...
Verify the correspondence between trading pairs and pools
Lines of code Vulnerability details Impact It may cause the correct ProjectToken to be locked, and transfer the wrong ProjectToken to the beneficiary. Proof of Concept Add test USDC after line 78 in the test file. IERC20 usdc = IERC200xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48; Modify line 142...
Potential frozen projectTokens due to discrepancy in reservedRate
Lines of code Vulnerability details The handling of projectToken in swap follows 3 steps: Burn all the reserved token in the delegate 293: controller.burnTokensOf 294: holder: addressthis, 295: projectId: data.projectId, 296: tokenCount: reservedToken, 297: memo: "", 298: preferClaimedTokens: tru...
Amount of project token minted to beneficiary by JBXBuybackDelegate._mint function is not checked against an expected minimum number of project tokens to be minted to such beneficiary
Lines of code Vulnerability details Impact Calling the following JBPayoutRedemptionPaymentTerminal31.pay function executes fundingCycle, tokenCount, delegateAllocations, memo = store.recordPaymentFrompayer, bundledAmount, projectId, baseWeightCurrency, beneficiary, memo, metadata. File:...
MALICIOUS USER CAN USE LOCKED ETH OF THE CONTRACT TO MINT HIGHER NUMBER OF TOKENS OR SWAP AND RECEIVE MORE TOKENS THAN HE IS ELIGIBLE
Lines of code Vulnerability details Impact In the JBXBuybackDelegate contract, the terminal token is considered to be ETH as of now according to documentation. Hence both the mint and swap functionality uses the data.amount.value as the ETH amount for new token minting or swapping. In the...
Failure to check reservedRate can lead to a decrease in assets
Lines of code Vulnerability details Impact The payParams function takes the data parameter, which contains the reservedRate. If reservedRate exceeds MAXRESERVEDRATE, then this causes nonReservedToken to be incremented. This results in a decrease in assets and a larger mint. Proof of Concept...
eth is being sent to an arbitrary user
Lines of code Vulnerability details Impact unauthorized access to this function could lead to unauthorized balance modifications Dangerous calls: — jbxTerminal.addToBalanceOfvalue: data.amount.valuedata.projectId,data.amount.value,JBTokens.ETH,,new bytes0 Tools Used Slither Analysis Recommended...
Should check for _data.amount.value
Lines of code Vulnerability details Impact msg.value is not checked in didPay, if swap is not successful, the eth amount sent back to the terminal is data.amount.value, which is provided by the user. If there is leftover eth in the contract, the fund could be stolen. Proof of Concept Some eth cou...
Unsafe cast in swap and uniswapV3SwapCallback functions can lead to attack
Lines of code Vulnerability details Impact The swap and uniswapV3SwapCallback functions perform an unsafe cast of a uint256 type to a signed integer. amountReceived = uint256-projectTokenIsZero ? amount0 : amount1; Note that amount is chosen by the caller and when choosing amount = 2^256 - 1, thi...
Minting exposes beneficiaries to unlimited slippage while minting the token out, sending back the token in the terminal.
Lines of code Vulnerability details Impact The amount of tokens minted/assets received when minting can be manipulated to an unlimited extent by manipulating the reserves of the pool. Proof of Concept Here the mint function mints the tokens out to the beneficiary. However the Delegate can't speci...
mintedAmount and reservedRate mutex not working
Lines of code Vulnerability details Impact File: JBXBuybackDelegate.sol 101 / 102 @notice The amount of token created if minted is prefered 103 104 @dev This is a mutex 1-x-1 105 / 106 uint256 private mintedAmount = 1; 107 108 / 109 @notice The current reserved rate 110 111 @dev This is a mutex...
Upgraded Q -> 2 from #597 [1684599709636]
Judge has assessed an item in Issue 597 as 2 risk. The relevant finding follows: L9
Always mint 1 wei when _data.preferClaimedTokens is false
Lines of code Vulnerability details Impact File: JBXBuybackDelegate.sol 183 function didPayJBDidPayData calldata data external payable override --skip-- 188 uint256 tokenCount = mintedAmount; 189 mintedAmount = 1; --skip-- 200 if data.preferClaimedTokens --skip-- 206 else 207 mintdata, tokenCount...
Upgraded Q -> 2 from #597 [1684599598059]
Judge has assessed an item in Issue 597 as 2 risk. The relevant finding follows: L4
Overflow in _swap() change the behavior of pool.swap()
Lines of code Vulnerability details Impact In swap, amountSpecified is set to int256(data.amount.value). But data.amount.value is an uint256. If data.amount.value is bigger than type(int256).max, amountSpecified becomes a negative value due to overflow. And a negative amountSpecified means a complete...
The return value of an external transfer call is not checked on the function uniswapV3SwapCallback in the contract named JBXBuybackDelegate
Lines of code Vulnerability details Impact Several tokens do not revert in case of failure and return false. If one of these tokens is used in MyBank, deposit will not revert if the transfer fails, and an attacker can call deposit for free...
TEST-medium
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used Recommended Mitigation Steps Assessed...
TEST-high risk
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used Recommended Mitigation Steps Assessed...
New finding
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used Recommended Mitigation Steps Assessed...
Attacker can front-run didPay() by calling payParams() to set mintedAmount & reservedRate, reducing output amount
Lines of code Vulnerability details Impact Attacker can front-run didPay by calling payParams to set mintedAmount & reservedRate. This will reduce the output amount the caller to didPay was expecting to receive. Proof of Concept Anyone can call payParams and provide arbitrary input to set...
Upgraded Q -> 2 from #467 [1684434787599]
Judge has assessed an item in Issue 467 as 2 risk. The relevant finding follows: L-03 Anyone can memorialize other users' position if the owner approves PositionManager There isn't a check to ensure that the caller is the actual owner of the position, so anyone can memorialize a position if the...