10190 matches found
Upgraded Q -> 2 from #404 [1684435083624]
Judge has assessed an item in Issue 404 as 2 risk. The relevant finding follows: Global Budget Constraint is said to be 2% in Docs But It Is 3% in The code Description: In the docs it is mentioned that Global Budget Constraint should be 2% but in the code here it is hardcoded to 3%. --- The text...
Upgraded Q -> 2 from #255 [1684436602164]
Judge has assessed an item in Issue 255 as 2 risk. The relevant finding follows: QA-03: Anyone can memorialize LP positions from another user Description The function PositionManager.memorializePositions contains no access control. This means anyone can memorialize other LP's positions, provided...
Upgraded Q -> 2 from #101 [1684391676051]
Judge has assessed an item in Issue 101 as 2 risk. The relevant finding follows: L-01 --- The text was updated successfully, but these errors were encountered: All reactions...
Upgraded Q -> 2 from #410 [1684435015507]
Judge has assessed an item in Issue 410 as 2 risk. The relevant finding follows: QA-2 Publicly Callable memorializePositions Function Allows Unauthorized memorization of User Positions memorializePositions function in positionManager.sol allows any caller to modify position information of any use...
Inconsistent check for LP balance in AMO
Lines of code Vulnerability details Inconsistent check for LP balance in AMO While pulling LP tokens from the CVXStaker contract, the AMO queries the current available balance using the staked balance, which is inconsistent with the implementation of the withdraw function. Impact Curve LP tokens...
It is possible to override pool params in PoolRegistry.sol since the creator field is never set for a venus pool
Lines of code Vulnerability details Proof of Concept PoolRegistry.createPoolRegistry will call PoolRegistry.registerPool which will make a check on the creator field for a pool. VenusPool memory venusPool = poolByComptrollercomptroller; requirevenusPool.creator == address0, "PoolRegistry: Pool...
Rebalancing may overshoot
Lines of code Vulnerability details Impact A rebalance operation may overshoot, bringing the percentage outside the thresholds. Proof of Concept There are contractual limitations on the rebalance operations. It is assumed that these are put in place to ensure that the Rebalance Defender bot is no...
Wrong WhitePaperInterestRateModel block per year calculations incur losses for users and the protocol
Lines of code Vulnerability details Vulnerability Details Blocks per year calculations in WhitePaperInterestRateModel improperly assume 15 seconds block time, while on Binance Smart Chain itās 3 seconds. This has grave consequences, because it is used in calculating borrowerās interest rate and...
Borrower can redeem there collateral without repaying debt completely
Lines of code Vulnerability details Impact A borrower can redeem token in a pool though it has been used as a collateral in another pool without repaying the debt. Borrower can redeem the token as underlying asset even if his/her loan position is in the situation of liquidation. Proof of Concept...
the blocksPerYear for the WhitePaperInterestRateModel is set incorrectly
Lines of code Vulnerability details Impact the blocksPerYear is set to 2102400 in the WhitePaperInterestRateModel this should be equal to number of blocks per year that is assumed by the interest rate model, but the number of block is set incorrectly and it's not equal to block per year. Proof of...
USDC blacklisted accounts can DOS the bidding system in Shortfall
Lines of code Vulnerability details Impact Shortfall contract is used to clear off any pool bad debt via auction. If the debt reached its mimimum value, anybody can start off the auction and place the bid. Attacker can bid with tokene.g. USDC, USDT that have a contract level admin controlled...
Using old oracle prices for estimation users assets before redeeming
Lines of code Vulnerability details Impact Users can avoid correct estimation of assets and redeem more tokens than would redeem in case of estimation with updated oracle prices. Proof of Concept exitMarket function doesn't call oracle.updatePrice before checkRedeemAllowed check at all...
First 1 wei deposit can produce lose of user xETH funds in wxETH
Lines of code Vulnerability details Description The present implementation of the wxETH::stake functions permits the sending of tokens to the contract, even if the quantity of wxETH is zero. This can result in users losing funds, particularly when the initial deposit is only 1 wei, and the extent...
MALICIOUS BORROWER CAN DELAY THE Comptroller.liquidateAccount() TRANSACTION BY REPAYING ONE OF HIS BORROWED ASSET SO THAT repayAmount > borrowBalance WILL OCCUR FOR THAT BORROWED ASSET, THUS REVERTING THE TRANSACTION
Lines of code Vulnerability details Impact In the Comptroller.liquidateAccount function, the liquidation orders are executed by calling the forceLiquidateBorrow function and setting the skipLiquidityCheck to true. Hence during the check for the preLiquidateHook, in the VToken.liquidateBorrowFresh...
Malicious actor can win auction unfavorably to the protocol by block stuffing
Lines of code Vulnerability details Vulnerability Details When protocolās bad debt is auctioned off with 10% incentive at the beginning. A user who gives the best bid, wins. The auction ends when at least one account placed a bid, and current block number is bigger than nextBidderBlockLimit:...
withdrawAllAndUnwrap() the clpToken transfer to AMO.sol may be locked in the contract
Lines of code Vulnerability details Impact in withdrawAllAndUnwrap the clpToken transfer to AMO.sol may be locked in the contract Proof of Concept withdrawAllAndUnwrap You can specify sendToOperator==true to transfer the clpToken to operator The code is as follows: function withdrawAllAndUnwrap...
Loans can be rolled an unlimited number of times
Lines of code Vulnerability details Impact Loans can be rolled an unlimited number of times, without letting the lender decide if has been done too many times already Proof of Concept It will cause the totalBorrow of the contract to increase infinitely, affecting the exchangeRate. Tools Used manu...
AMO2 doesn't add the lp balance of the CVXStaker to the withdrawable token amount
Lines of code Vulnerability details Impact The lp tokens held by CVXStaker can't be able to used or withdrew by AMO2. Although the jam is not permanent and the owner of the CVXStaker can use recoverToken function to withdraw them, it will cause the functions about removing liquidity break down in...
Wrong use of the deadline for the swapExactTokensForTokens function
Lines of code Vulnerability details Impact deadline: Unix timestamp after which the transaction will revert. uniswap api docs. Venus sets the deadline to block.timestamp, then the transaction will never revert. Proof of Concept Transactions may be blocked resulting in transactions using unintende...
Wrong blocksPerYear calculation in WhitePaperInterestRateModel.sol
Lines of code Vulnerability details Impact In WhitePaperInterestRateModel.sol, File: contracts/WhitePaperInterestRateModel.sol 17 uint256 public constant blocksPerYear = 2102400; There is wrong calculation of blocksPerYear and blocksPerYear is the approximate number of blocks per year that is...
Borrowers can be liquidated before default by being based on the borrowBalance from other pools
Lines of code Vulnerability details Impact Borrower can be liquidated before default based on the borrowBalance from other pools. In the liquidity snapshot, borrows from other pools are added as total borrow but the collateral that is used which might not be used as collateral for the poolfor the...
Incorrectly calculation of the total tokens to be seized because of the difference on the scale of magnitude for the prices of the underlying assets
Lines of code Vulnerability details Impact The total number of tokens to be seized could be wrongly calculated if the underlying assets of vTokenBorrowed & vTokenCollateral have a different decimals. Proof of Concept The price returned by the ChainlinkOracle contract of the Venus Protocol, the...
Comptroller.sol#_getHypotheticalLiquiditySnapshot assumes that all UnderlyingTokens have the same precision
Lines of code Vulnerability details Impact File: Comptroller.sol 1316 // Get the normalized price of the asset 1317 Exp memory oraclePrice = Exp mantissa: safeGetUnderlyingPriceasset ; 1318 1319 // Pre-compute conversion factors from vTokens - usd 1320 Exp memory vTokenPrice = mulExp mantissa:...
Inadequate checks for comptroller in PoolRegistry#addMarket allows malicious comptrollers to be added
Lines of code Vulnerability details Impact Malicious comptrollers will be available in the protocol Proof of Concept The addMarket function only checks that the input.comptroller is not the 0 address, but does not check if the comptroller was actually created by the PoolRegistry contract. A...
Incorrect decimal handling in _startAuction, resulting in wrong auction.startBidBps
Lines of code Vulnerability details Shortfall.startAuction uses the oracle price of the underlying tokens to price the pool bad debt: Shortfall.sol 389: for uint256 i; i the price returned by priceOracle.getUnderlyingPrice has a number of decimals equal to 36 - vToken decimals. This means the...
mint and burn can be attacked by sandwiches
Lines of code Vulnerability details Impact The rewards of mint and burn are calculated based on the ratio of uTokenincluding debt and vToken, so it can be sandwiched by attackers. Proof of Concept Tools Used manual Recommended Mitigation Steps It is recommended to add the minimum receiving quanti...
Bad debt biddersā funds are locked forever when Shortfall address is changed during ongoing debt auction
Lines of code Vulnerability details Vulnerability Details When the protocol accrues bad debt, it can be auctioned off to anyone who is willing to pay. Each user wanting to participate in the auction has to lock their bid in Shortfall contract: function placeBidaddress comptroller, uint256 bidBps...
# riskFund.poolReserves return the token amount & its compaired with the USD value (units are not same)
Lines of code Vulnerability details riskFund.poolReserves return the token amount & its compaired with the USD value units are not same poolReserves in RiskFund.sol returns the token amount. But its compaired with the incentivizedRiskFundBalance which is in USD value. Proof of Concept 403 uint256...
Potential Division by Zero in utilizationRate method
Lines of code Vulnerability details Impact In the case where cash + borrows - reserves equals 0, the function would try to divide by zero which will result in a runtime error. Proof of Concept An attacker might manipulate the state of the contract to where cash + borrows - reserves equals zero...
Comptroller.sol#liquidateCalculateSeizeTokens assumes the same precision for vTokenBorrowed and vTokenCollateral
Lines of code Vulnerability details Impact File: Comptroller.sol 1099 uint256 exchangeRateMantissa = VTokenvTokenCollateral.exchangeRateStored; // Note: reverts on error 1100 uint256 seizeTokens; 1101 Exp memory numerator; 1102 Exp memory denominator; 1103 Exp memory ratio; 1104 1105 numerator =...
Bad debt auctions can be DoSed forever
Lines of code Vulnerability details Vulnerability Details For function Shortfall::placeBid in shortfall contract on L183 and L190 , the previous highest bidderās funds stored in the shortfall contract has to be sent back to the bidder. This operation has to be successful before any new bid can be...
Rebalance amounts should be checked so that updated balances falls within thresholds
Lines of code Vulnerability details Rebalance amounts should be checked so that updated balances falls within thresholds Rebalance operations are allowed when the current percentage of xETH in the Curve pool is outside the defined thresholds. However, there is no check to ensure that the amount o...
All the lp tokens will be stuck in the AMO2 contract if CVXStaker.withdrawAllAndUnwrap is called with sendToOperator flag
Lines of code Vulnerability details Impact Loss all the stEth and xEth lp tokens. Proof of Concept The CVXStaker.withdrawAllAndUnwrap can be called by the admin. And if the sendToOperator param is true, all the lp tokens of the CVXStaker contract include lp tokens staked in the CVX and left in th...
Deflation bricking
Lines of code Vulnerability details Impact First staker can block staking by making exchangeRate == 0. Proof of Concept As can be seen function exchangeRate public view returns uint256 /// @dev if there are no tokens minted, return the initial exchange rate uint256 totalSupply = totalSupply; if...
Unfair handling of rewards for users with a high amount of rewards
Lines of code Vulnerability details Users can claim their rewards in RewardDistributor.claimRewardToken. The reward handling part is done in grantRewardToken: 416: function grantRewardTokenaddress user, uint256 amount internal returns uint256 417: uint256 rewardTokenRemaining =...
Every time borrow, the interest is treated as a loan to calculate the interest
Lines of code Vulnerability details Impact File: VToken.sol 896 uint256 accountBorrowsPrev = borrowBalanceStoredborrower; 897 uint256 accountBorrowsNew = accountBorrowsPrev + borrowAmount; After each loan, the original interest will be converted into the loan amount. This can cause interest to...
[H1] Incorrect constant set at WhitePaperInterestRateModel
Lines of code Vulnerability details Impact Incorrect calculation of critical parameters like baseRatePerBlock. Proof of Concept The constant blocksPerYear is incorrectly set uint256 public constant blocksPerYear = 2102400; // @audit 15 seconds per block However, for Binance Smart Chain the blocks...
PLACEBID() IN SHORTFALL.SOL MAY LEAD TO DENIAL OF SERVICE AND FRONT RUNNING ATTACKS
Lines of code Vulnerability details Impact The Shortfall.placeBid function in the Venus protocol exhibits potential vulnerabilities that may lead to denial-of-service DoS and front-running attacks. A malicious actor could exploit these vulnerabilities to disrupt the auction process, manipulate...
preBorrowHook and preRepayHook can call updateRewardTokenBorrowIndex with old borrowIndex
Lines of code Vulnerability details Impact Under normal circumstances, the user calls VToken.borrow, further calls accrueInterest to update borrowIndex, and then calls preBorrowHook to trigger updateRewardTokenBorrowIndex. But since preBorrowHook is an externl function, an attacker can directly...
Precision differences when calculating the _startAuction of funds accumulated in RiskFund
Lines of code Vulnerability details Impact When calculating startAuction uint256 usdValue in RiskFund, Auction state divides the value of each market in the vToken list in token list precision. This skew is fine for most tokens but will cause problems with certain token pairs. Proof of Concept Wh...
Lack of method to delete a rewardsDistributor in Comptroller.sol can break rewards distribution permanently
Lines of code Vulnerability details Proof of Concept The storage array rewardsDistributors will be used to distribute the rewards across the hooks in Comptroller.sol, namely preMintHook, preRedeemHook, preBorrowHook, preRepayHook, preSeizeHook and preTransferHook We can see addRewardsDistributor...
totalBorrows inflates faster than the sum of each position's debt
Lines of code Vulnerability details Impact File: VToken.sol 678 function accrueInterest public virtual override returns uint256 --skip-- 710 Exp memory simpleInterestFactor = mulExp mantissa: borrowRateMantissa , blockDelta; 711 uint256 interestAccumulated = mulScalarTruncatesimpleInterestFactor,...
Holders only get the rewards they Accrued for supplying when they claim rewards in the RewardsDistributor.sol .
Lines of code Vulnerability details Holders only get the rewards they Accrued for supplying when they claim rewards in the RewardsDistributor.sol . Summary The holder only gets rewards for supplying instead of getting the rewards for both borrowing and supplying in martkets because in the...
Comptroller.exitMarket() does not get an updated exchange rate causing inacurate exit validations
Lines of code Vulnerability details Impact The user can use the exitMarket function to remove an asset from the account liquidity calculation; disabling them as collateral. The problem is that the user can call exitMarket before the vToken updates their accrue interests via accrueInterest functio...
vTokenPrice used instead of weightedVTokenPrice when calculating snapshot.totalCollateral in _getHypotheticalLiquiditySnapshot
Lines of code Vulnerability details Impact In the getHypotheticalLiquiditySnapshot function when the value of snapshot.totalCollateral is calculated the vTokenPrice is used instead of weightedVTokenPrice, this will lead the function to return the wrong value for snapshot.totalCollateral resulting...
totalBorrows is not deducted properly when Comptroller#healAccount is called
Lines of code Vulnerability details Impact TotalBorrowed in VToken is not accounted properly when healAccount is called. Proof of Concept ComptrollerhealAccount intends to forgive the debt of the account if the debt goes far too underwater. When that happens, the collateral is seized, some of the...
Zero token transfer can cause a potential DoS in CVXStaker
Lines of code Vulnerability details Zero token transfer can cause a potential DoS in CVXStaker The CVXStaker contract doesn't check for zero amount while transferring rewards, which can end up blocking the operation. Impact The CVXStaker contract is in charge of handling interaction with the Conv...
wxETH.sol Inflation Attack
Lines of code Vulnerability details Impact The first staker may suffer an Inflation Attack and lose the funds Proof of Concept Currently wxETH still has the common ERC4626 'Inflation Attack' malicious users can front-run the first staker, raise exchange rates through donations, then achieve...
A user asset cannot be seized if the supplied market's collateral to seize(vTokenCollateral)is different than the pool(seizerContract) where the liquidateBorrow function is called.
Lines of code Vulnerability details Impact A user asset cannot be seized if the supplied market's collateral to seizevTokenCollateralis different than the poolseizerContract where the liquidateBorrow function is called. Proof of Concept A user asset cannot be seized if the supplied market's...
Shortfall.sol#updateNextBidderBlockLimit may cause the current auction to end immediately
Lines of code Vulnerability details Impact File: Shortfall.sol 293 function updateNextBidderBlockLimituint256 nextBidderBlockLimit external 294 checkAccessAllowed"updateNextBidderBlockLimituint256"; 295 requirenextBidderBlockLimit != 0, "nextBidderBlockLimit must not be 0"; 296 uint256...