NOT CONFIRMED

Lines of code L1 Vulnerability details NOT CONFIRMED Assessed type Decimal --- The text was updated successfully, but these errors were encountered: All reactions...

An expired parameter is required because there may be slippage in the calculation.

Lines of code Vulnerability details Impact Due to changes in interest rates, failure to process transactions in a timely manner may result in missing out on ideal rewards. Proof of Concept The calculation of the clainRewards function involves interest rates, which are variable. If...

Standard voting favors proposals which ask for lower GBC

Lines of code Vulnerability details Impact Proposals which ask for higher % of the GBC have a serious disadvantage. Proof of Concept For simplicity, let's say there are only 3 projects in the screening stage. Project A asks for 90% GBC and projects B and C ask for 40% GBC each. Therefore, project...

Expiration Time Not Checked in moveStakedLiquidity Function

Lines of code Vulnerability details Impact Liquidity moves are time-sensitive operations and the duration within which they are executed is crucial. If a user sets the expiry time to 0, it means that there is no expiration time set for the liquidity move. This can potentially allow the liquidity...

It is possible to steal the unallocated part of every delegation period budget

Lines of code Vulnerability details Attacker can monitor the standard proposals distribution and routinely steal each low activity period remainder by submitting a transfer to self proposal and voting a dust amount for it. Since the criteria for the final slate update is that any increase in tota...

_updateBucketExchangeRates could possibly revert

Lines of code Vulnerability details Impact updateBucketExchangeRates will not work correctly and would revert in case totalBurnedLatest totalBurnedAtBlock causing DOS for the users when they try to claimRewards, moveStakedLiquidity, stake or unstake. Proof of Concept When the curBurnEpoch doesn't...

Integer Overflow in ScreeningVote Function of StandardFunding.sol.

Lines of code Vulnerability details Impact In the screeningVote function of StandardFunding.sol contract, specifically in the line where the votes parameter is converted to a uint128 using the SafeCast.toUint128 function. The issue is that the votes parameter is not limited to 128 bits, which can...

Lack of Access Control in GrantFund Smart Contract's fundTreasury Function

Lines of code Vulnerability details Impact The fundTreasury function in the GrantFund.sol contract allows anyone to add funds to the contract's treasury without any access control, which can lead to unauthorized access to the contract's funds. The problem with this function is that it doesn't hav...

Failure to Check for Existence Before Removal

Lines of code Vulnerability details Impact The moveLiquidity function as described. If the positionIndex.removeparams.fromIndex function call returns false, it means that the specified index was not present in the positionIndex set, and the RemovePositionFailed error is not actually applicable in...

mint() function: an attacker can mint multiple position NFTs for one or more legit Ajna users who have LP in Ajna pools. This should not be possible.

Lines of code Vulnerability details Impact The current implementation of the mint function does not ensure that only the owner of a liquidity pool LP deposit can mint position NFTs. As a result, an attacker can mint multiple position NFTs on behalf of legitimate Ajna users who have LP in Ajna...

Contracts are vulnerable to fee-on-transfer-token-related accounting issues

Lines of code Vulnerability details Vulnerability details Impact Without measuring the balance before and after the transfer, there's no way to ensure that enough tokens were transferred, in the cases where the token has a fee-on-transfer mechanic. If there are latent funds in the contract,...

Imprecise block calculation

Lines of code Vulnerability details Vulnerability details Impact @dev Roughly equivalent to the number of blocks in 7 days. @dev Roughly equivalent to the number of blocks in 90 days. @dev Roughly equivalent to the number of blocks in 10 days. As described in the NatSpec comment above these are...

_transferAjnaRewards doesn't save the remaining rewards of a staker for the next transfer

Lines of code Vulnerability details Impact Staker will earn less than expected Proof of Concept On claimRewards function at transferAjnaRewards is being called to claim rewardsEarned for staker according to the tokenId, the issue here drop at if rewardsEarned ajnaBalance rewardsEarned =...

Integer Overflow/Underflow in function fundTreasury.

Lines of code Vulnerability details Impact fundTreasury function in the GrantFund.sol contract is vulnerable to integer overflow if the value of treasury variable is close to the maximum value of a uint256 integer, which is 2^256-1, and a large value of fundingAmount is added to it. It is possibl...

the protocol using 3% GBC instead of 2%

Lines of code Vulnerability details Impact the protocol using 3% GBC instead of 2% as they mentioned in their docs, this may cause problem in the code implementation because the logic is based on 2% but the protocol allowing to use 3% of GBC. Proof of Concept the line that it mentioned that the...

mint() function: Rogue lenders/attackers could mint multiple/endless position NFTs for their SAME Ajna pool deposits/LPs, when they're supposed to be able to mint only one position NFT per lender per LP per pool.

Lines of code Vulnerability details Impact The current implementation of the mint function allows a lender to mint multiple position NFTs for the same Ajna pool deposit. This could lead to an inflation of NFTs and potentially disrupt the system's reward distribution, as the lender could stake the...

Attacker can DoS create a extraordinary proposals

Lines of code Vulnerability details Impact An attacker can prevent the creation of proposals in ExtraordinaryFunding.solproposeExtraordinary by front-running the proposal, which will give him the same hash as the correct user desired, and setting endBlock to the past, which will invalidate the...

Upgraded Q -> 2 from #279 [1683710498041]

Judge has assessed an item in Issue 279 as 2 risk. The relevant finding follows: L-06 EllipticCurve.validateSignature has wrong and needless code blocks if P2 == 0 return false; uint256 Px = inverseModP2, p; Px = mulmodP0, mulmodPx, Px, p, p; Px = p0 inverseP2^2 is not correct here. Fortunately, ...

Upgraded Q -> 2 from #298 [1683710120837]

Judge has assessed an item in Issue 298 as 2 risk. The relevant finding follows: L-03 Redundant and dangerous len parameter in readKeyValue Links Impact If the len is not set to input.length minus the offset, there may be unpredictable results due how the algorithm works. Proof of Concept Let's...

Upgraded Q -> 2 from #298 [1683709930306]

Judge has assessed an item in Issue 298 as 2 risk. The relevant finding follows: L-01 Valid hex string is not decoded correctly by hexStringToBytes32 and reads memory out-of-boundary Links Impact Valid hexadecimal strings are not decoded correctly. Decoding reads out-of-bounds memory returning...

Upgraded Q -> 2 from #49 [1683711003164]

Judge has assessed an item in Issue 49 as 2 risk. The relevant finding follows: QA9. hexStringToBytes32 fails to check that range idx, lastIdx is within 32 bytes range and thus the returned r will fit into bytes32. Mitigation: Introduce the check: function hexStringToBytes32 bytes memory str,...

Upgraded Q -> 2 from #49 [1683711080406]

Judge has assessed an item in Issue 49 as 2 risk. The relevant finding follows: QA10. readKeyValue fails to enforce the constraint offset+len Mitigation: make sure offset+len input.length revert outOfBoundAccess; uint256 separator = input.findoffset, len, "="; if separator == typeuint256.max retu...

Test Submission

Lines of code Vulnerability details Test issue content Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute...

Upgraded Q -> 2 from #99 [1683646958313]

Judge has assessed an item in Issue 99 as 2 risk. The relevant finding follows: 03 ALLOWING ShortCollateral.refresh FUNCTION TO BE CALLABLE BY ANYONE CAN BE DANGEROUS --- The text was updated successfully, but these errors were encountered: All reactions...

high risk issue

Lines of code Vulnerability details Submitting a high risk issue! Assessed type ERC4626 --- The text was updated successfully, but these errors were encountered: All reactions...

Mitigation of M-01: Issue NOT fully mitigated

Mitigated issue M-01: Division before multiplication truncate minOut and incurs heavy precision loss and result in insufficient slippage protection The issue was a loss of precision of three different kinds. 1 a/bc = ac/b in the calculation of mintAmount in SafEth.stake. Mitigation review The...

Mitigation of M-10: Issue not mitigated

MITIGATION IS NOT CONFIRMED MITIGATION IS NOT CONFIRMED Mitigation of M-10: Issue not mitigated Link to Issue: code-423n4/2023-03-asymmetry-findings363 Comments Even though the protocol team applied the warden's recommendation in M-10, the feature to enable/disable derivatives added as a mitigati...

Mitigation Confirmed for H-06

MITIGATION IS NOT CONFIRMED MITIGATION IS NOT CONFIRMED Mitigation of H-06: Issue not mitigated Link to Issue: code-423n4/2023-03-asymmetry-findings588 Comments Issue H-06 describes the potential problems of assuming a peg of stETH to ETH. The sponsor proposed a mitigation to fetch the price of...

Mitigation Confirmed for Mitigation of M-05: See comments

Mitigated issue M-05: Missing derivative limit and deposit availability checks will revert the whole stake function The issue was that stake calls deposit on each derivative without considering certain conditions under which some deposit might revert. There is an overlap between this issue and...

Mitigation Confirmed for NEW

Note: Issue has not actually been resolved but for some reason I can't get my issues to submit without "Mitigation confirmed no new vulnerabilities detected" checked so I am doing this as a work around Severity Medium Lines of code Impact Contract still assumes 1:1 peg for stETH in WstETHwithdraw...

Mitigation Confirmed for Mitigation of M-10: Issue mitigated

Mitigated issue M-10: Stuck ether when use function stake with empty derivativesderivativeCount = 0 The issue was that stake will accept payment but not issue safETH when derivativeCount == 0 or when all weightsi == 0. Mitigation review The proposed mitigation simply adds a requirederivativeCount...

Mitigation of M-08: Issue NOT mitigated

Mitigated issue M-08: Possible DoS on unstake The issue is that a potential time-lock in Rocket Pool may cause RocketTokenRETHInterfacerethAddress.burnamount to revert, which prevents frequent withdrawals and unstakes. Mitigation review Reth.withdraw still calls...

Mitigation of M-12: Issue NOT mitigated

Mitigated issue M-12: No slippage protection on stake in SafEth.sol There were issues with either a lack of slippage protection or a hard set slippage. Slippage protection was missing in deposit for Reth.deposit only if depositing in the Rocket Pool and in Reth.withdraw, as well as in stake becau...

Mitigation of M-12: mitigation error, see comments

MITIGATION IS NOT CONFIRMED MITIGATION IS NOT CONFIRMED Mitigation of M-12: mitigation error, see comments Link to Issue: code-423n4/2023-03-asymmetry-findings150 Comments While the proposed change correctly mitigates the issue, in the sense that it introduces a user controlled slippage for stake...

Mitigation Confirmed for M-01

MITIGATION IS NOT CONFIRMED MITIGATION IS NOT CONFIRMED Mitigation of M-01: Issue not mitigated Link to Issue: code-423n4/2023-03-asymmetry-findings1078 Comments While the "division before multiplication" issues described in M-01 have been mitigated in the proposed changeset, there are other case...

Mitigation of M-09: Issue not mitigated

MITIGATION IS NOT CONFIRMED MITIGATION IS NOT CONFIRMED Mitigation of M-09: Issue not mitigated Link to Issue: code-423n4/2023-03-asymmetry-findings673 Even though the contest repository revision 431a4b751fb7e184b847a41509b97e4d67971d2f doesn't mention a changeset for M-09, I assume the...

Mitigation of M-06: See comments

Mitigation of M-06: See comments Link to Issue: code-423n4/2023-03-asymmetry-findings770 Comments Sponsor decided not to mitigate the issue with the following comment: This is as expected I agree that the issue is TOO broad and some of the described scenarios don't make sense at all e.g. the...

Mitigation of M-04: Mitigation error

MITIGATION IS NOT CONFIRMED MITIGATION IS NOT CONFIRMED Mitigation of M-04: Mitigation error Link to Issue: code-423n4/2023-03-asymmetry-findings932 Comments Even though the original issue is mitigated, as the exchange through Uniswap V3 has been completely removed in favor of using...

Reappearance of M-02 in SafEth.unstake()

Reappearance of M-02 in SafEth.unstake Description The changes in SafEth.unstake has introduced a new issue parallel to the one present in SfrxEth.withdraw which was reported in M-02: sFrxEth may revert on redeeming non-zero amount, i.e. SafEth.unstake may revert as a consequence of a valid call ...

Mitigation Confirmed for M-02

MITIGATION IS NOT CONFIRMED MITIGATION IS NOT CONFIRMED Mitigation of M-02: Issue not mitigated Link to Issue: code-423n4/2023-03-asymmetry-findings1049 Comment Issue M-02 describes an edge case in which the SfrxEth derivative may revert under an scenario where the calculation of the redeem amoun...

Reappearance of M-02 in WstEth.withdraw()

Reappearance of M-02 in WstEth.withdraw Description The changes in WstEth.withdraw has introduced a new issue exactly parallel to the one present in SfrxEth.withdraw which was reported in M-02: sFrxEth may revert on redeeming non-zero amount, i.e. WstEth.withdrawamount may revert when amount 0. F...

Chainlink price feed responses are not validated

NEW ISSUE - MITIGATION IS NOT CONFIRMED NEW ISSUE - MITIGATION IS NOT CONFIRMED adriro-NEW-H-02 Chainlink price feed responses are not validated Link to changesets: Impact The protocol team introduced Chainlink price feeds for the Reth and WstEth derivatives in order to mitigate price manipulatio...

Hard slippage in Reth.withdraw()

Hard slippage in Reth.withdraw Description A hard slippage has been introduced in Reth.withdraw. This is a new occurrence of part of M-12 not the main report, but e.g. this duplicate, namely that the slippage can be changed only by the owner, which under volatile market conditions or a depegging...

Mitigation of M-05: Issue not mitigated, mitigation errors

MITIGATION IS NOT CONFIRMED MITIGATION IS NOT CONFIRMED Mitigation of M-05: Issue not mitigated, mitigation errors Link to Issue: code-423n4/2023-03-asymmetry-findings812 Comments The issue describes missing checks associated with staking requirements for the WstEth and Reth derivative. The...

Mitigation of M-08: Issue not mitigated

MITIGATION IS NOT CONFIRMED MITIGATION IS NOT CONFIRMED Mitigation of M-08: Issue not mitigated Link to Issue: code-423n4/2023-03-asymmetry-findings685 Comments First, there is a clear error in the associated description of mitigation: "Use Chainlink to get rETH". Using Chainlink to obtain the...

Mitigation of M-11: Issue not mitigated, mitigation error

MITIGATION IS NOT CONFIRMED MITIGATION IS NOT CONFIRMED Mitigation of M-11: Issue not mitigated, mitigation error Link to Issue: code-423n4/2023-03-asymmetry-findings152 Comments Even though the sponsor followed the warden's recommendation in issue M-11, I don't think the proposed change properly...

Mitigation of M-02: Issue perhaps NOT sufficiently mitigated

Mitigation of M-02: Issue perhaps NOT sufficiently mitigated Mitigated issue M-02: sFrxEth may revert on redeeming non-zero amount The issue was that SfrxEth.withdrawamount may revert when called in unstake, blocking unstaking, if amount is low most realistically if amount == 1. Mitigation review...

Mitigation Confirmed for NEW

H-02, H-05, H-06, H-08 mitigation error: No sanity check on Chainlink price feed Description and recommendation The mitigation of issues H-02, H-05, H06 and H-08 have introduced a Chainlink price feed. In all of those instances there are no sanity checks on the Chainlink return data, especially...

Protocol assumes a 1:1 peg of frxETH to ETH

NEW ISSUE - MITIGATION IS NOT CONFIRMED NEW ISSUE - MITIGATION IS NOT CONFIRMED adriro-NEW-H-01 Protocol assumes a 1:1 peg of frxETH to ETH Link to changeset: Impact The ethPerDerivative function in the SfrxEth now assumes a peg of frxETH to ETH, and reverts if the price difference queried throug...

Rounding loss in and with approxPrice()

Rounding loss in and with approxPrice Description SafEth.approxPrice contains a rounding loss of the form a/k + b/k = ac/b. We would...