10190 matches found
addRewardToken() does note remove old entries before adding new ones
Lines of code 455, 280, 378, 411 Vulnerability details Each time addRewardToken is called, new entries are added to the array, but doing so does not remove any old entries. By calling the function multiple times, an attacker can can increase their voting power indefinitely, without having to...
Fee-on-transfer/rebasing tokens will have problems when swapping
Lines of code 110 Vulnerability details Uniswap v3 does not support rebasing or fee-on-transfer tokens so using these tokens with it will result funds getting stuck. With fee-on-transfer tokens, if the balance isn't checked, the wrong amount may be transferred out. With rebasing tokens, the...
The owner is a single point of failure and a centralization risk
Lines of code 56, 109, 127, 172, 219, 250, 115, 131, 154, 116, 131https://github.com/Tapioca-DAO/tapiocaz-audit/blob/bcf61f79464cfdc0484aa272f9f6e28d...
test
Lines of code L14 Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used Recommended Mitigation Steps lemme...
plsss
Lines of code L12 Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used Recommended Mitigation Steps...
Compute Type Determination
Lines of code Vulnerability details Impact The determineComputeType function reverts if the input and output tokens do not match expected pairs. This could lead to failed transactions if new token pairs are introduced without updating the function. Proof of Concept Provide direct links to all...
Lack of Validation and Potential Overflow in _fetchInteractionId Function
Lines of code Vulnerability details Impact The lack of validation on interactionType could allow invalid values, potentially leading to unexpected interaction IDs. Additionally, if interactionType exceeds 8 bits, it could cause an overflow issue, potentially altering the token address within the...
Users can add 6 decimal token funds for free
Lines of code Vulnerability details There is a logic error in convertDecimals function which means wrapping interactions for tokens with less than 18 decimals are processed incorrectly. The below is triggered in convertDecimals where the input parameter decimals is less than 18. If amountToConver...
Users can unwrap assets in batches and avoid paying fees to protocol
Lines of code Vulnerability details Impact Users can unwrap their assets from The Ocean and evade paying fees to the protocol when the requested amount is smaller than the fee divisor. This happens due to a truncation of the result in the fee calculation. Proof of Concept This affects the...
Issue with Decimal Conversion in Shell Protocol
Lines of code Vulnerability details Impact The identified issue within the convertDecimals function in the Shell Protocol could lead to a loss of value due to decimal truncation during token conversions. This situation is particularly critical in the context of Shell Protocol's operations, which...
Lack of Slippage Protection in CurveTricryptoAdapter::primitiveOutputAmount and Curve2PoolAdapter::primitiveOutputAmount
Lines of code Vulnerability details Impact Due to the lack of slippage protection in the CurveTricryptoAdapter::primitiveOutputAmountand Curve2PoolAdapter::primitiveOutputAmount, user deposits and withdrawals are vulnerable to being sandwich attacked. Proof of Concept...
convertedAmount set to zero because of bad math arithmetic
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. The pool will be able to give an outputAmount corresponding to the rawInputAmount = 0 Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant...
Funds are lost when Curve pool is killed (paused)
Lines of code Vulnerability details Vulnerability Details If self.iskilled in the curve pool contract becomes true, users will be unable to close their position because removeliquidityonecoinwill revert. Users will be unable to exit their position. if outputToken == zToken uint256 wethBalance =...
Insecure and Inflexible Forwarder Approval Mechanism (Full Access Grant)
Lines of code Vulnerability details Impact The current implementation of the onlyApprovedForwarder modifier in the Ocean smart contract has several negative impacts: 1. Security Risk: Users are exposed to a significant security risk if their forwarder is compromised. An attacker can exploit full...
OverInflation or OverDeflation of Value of ERC20 tokens with unequal Wrap and Unwrap Token Decimal
Lines of code Vulnerability details Impact Due to wrong parameter arrangement of convertDecimals... function call during the course of wrap and unwrap of erc20 token function call, OverInflation or OverDeflation of Value of ERC20 tokens with unequal Wrap and Unwrap Token Decimal which would cause...
owner can brick unwrapping by setting unwrap devisor = 0
Lines of code Vulnerability details Impact The protocol does not handle when Ocean.changeUnwrapFee sets unwrapFeeDivisor = 0 gracefully. When setting unwrapFeeDevisor = 0, the function Ocean.calculateUnwrapFee will revert due to a division by 0. This function is used in the callstacks related to:...
Incorrect Condition for Validating Input and Output Tokens in CurveTricryptoAdapter::_determineComputeType Function
Lines of code Vulnerability details Impact The contract contains a bug in the determineComputeType function, where the condition for checking if the input and output tokens are valid for swapping is incorrect. This bug may lead to unexpected behavior and incorrect computation of the compute type...
CurveTricryptAdapter::primitiveOutputAmount & Curve2PoolAdapter::primitiveOutputAmount can swap without slippage tolerance
Lines of code Vulnerability details Impact While there is a “Slippage protection” implementation in the contract if uint256minimumOutputAmount outputAmount revert SLIPPAGELIMITEXCEEDED; There is no validation that minimumOutputAmount is not set to 0. This can result in lost of funds. Although Oce...
Front-Running
Lines of code Vulnerability details Impact Visible computed input amounts could be susceptible to front-running by malicious actors. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used...
The protocol is susceptible to reentrancy attacks.
Lines of code Vulnerability details Reentrancy is a well know bug in smart contract and the protocol is not handling it, The safeMint function in ERC721 make a callback to the receiver checking if they can hold a nft, this can be used to a receiver to take control of the execution of the call. in...
Potential Gas and Overflow Issues with Decimal Shift Left in _convertDecimals Function
Lines of code Vulnerability details Impact The exponentiation operation in the decimal shift left scenario can lead to high gas consumption and potential integer overflow. The gas cost and risk of overflow increase with the value of the exponent, which could make the function expensive or even...
Upgraded Q -> 3 from #534 [1702060375162]
Judge has assessed an item in Issue 534 as 3 risk. The relevant finding follows: L-03 Consider use stETH/UDS oracle Issue Description: The sponsor has confirmed their choice of Chainlink as an oracle to fetch prices. Since all other LST price feeds are 18 decimal places, they will most likely use...
Missing onlyOwner Modifier Will Give Access To Any Malicious User To Change UnwrapFee Immediately
Lines of code Vulnerability details Impact Any address can call the function changeUnwrapFee and modify or influence the unwrap fee, compromising the intended governance structure and allowing malicious users or entities to favourably adjust fees to their advantage for token unwrapping. Proof of...
Unrestricted Unwrap Fee Changes: Instability, Market Disruption, and Loss of Trust
Lines of code Vulnerability details Impact The current changeUnwrapFee function in the Ocean smart contract allows the owner to change the unwrap fee divisor with no restrictions, leading to several negative impacts: 1. Unstable Unwrap Fees: Frequent changes in the divisor can cause instability a...
ERC721 and ERC1155 Reentrancy Guard is Incomplete and Wrongly Implemented
Lines of code Vulnerability details Impact Whether there is a ERC721 and ERC1155 Interaction clash or not, or if there is an inadequate transfer callback, all this would not matter as reversion would not occur due to absence of proper validation during wrap of ERC721 and ERC1155 in the Ocean.sol...
_doMultipleInteractions - User can use more wrapped tokens than they own
Lines of code Vulnerability details Impact User can use more wrapped tokens than they own. Proof of Concept When wrapped tokens are used by an Adaptor or Primitive through computeOutputAmount, it does not check if the user has enough tokens. Therefore, when calling computeOutputAmount, you need t...
Replay Attack because EIP712 DOMAIN_SEPARATOR stored as immutable
Lines of code Vulnerability details Impact Loss of fund due to replay attacks. Approvals made on one chain could be replayed when there is a fork without owner's consent. Proof of Concept The issue is in the ERC1155PermitSignatureExtension.sol which is inherited by the OceanERC1155.sol and...
Invalid WETH inclusion for Curve's Tricrypto pools.
Lines of code Vulnerability details Impact For some of Curve's Tricrypto pools, CurveTricryptoAdapter will not be working. Proof of Concept address wethAddress = ICurveTricryptoprimitive.coins2; zToken = calculateOceanIdaddress0x4574686572, 0; // hexadecimalascii"Ether" indexOfzToken = 2;...
Custom Ether Address Representation in Shell Protocol's Constructor
Lines of code Vulnerability details Impact The hardcoded custom representation of Ether in the Shell Protocol's adapter for the Curve Tricrypto pool using address0x4574686572, deviates from standard Ethereum practices and introduces the risk of address collisions. This could potentially lead to...
Reentrancy in mint function leads to various problems
Lines of code Mint function in minter contract: Mint function in core contract: Vulnerability details Bug Description When minting NFTs, users will using the mint function. This function will mint a NFT using the safeMint function. The problem is that this mint will be done before crucial variabl...
Unbounded Approval
Lines of code Vulnerability details Impact The adapter may approve an unlimited amount of tokens to be spent by the Ocean protocol and the Curve pool, which could be risky if those contracts are compromised. Proof of Concept The adapter may approve an unlimited amount of tokens to be spent by the...
Limited functionality due to Primitive's balance being decreased before it is called
Lines of code Vulnerability details Impact In the current implementation, the balance of a primitive is decreased burned before it is called. This requires the primitive to hold outputAmount of outputToken before a transaction, which severely restricts the functionality it can provide and has no...
REDUNDANT ERC1155 OCEAN TOKEN BALANCE UPDATE OF THE OceanAdapter CONTRACT COULD LEAD TO DoS OF THE Ocean._computeOutputAmount TRANSACTION
Lines of code Vulnerability details Impact The Ocean.computeOutputAmount function is used to compute the output amount of an output token when the input token and input token amount is given. The Ocean.computeOutputAmount function mutates the ERC1155 token ledger amounts for the primitives and al...
Unverified Primitives
Lines of code Vulnerability details Impact Interacting with unverified or malicious Ocean primitives could result in loss of funds or incorrect computations. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates...
Core function of Ocean contract like doInteraction | doMultipleInteractions | forwardedDoInteraction may revert under certain conditions
Lines of code Vulnerability details Impact Core functions like doInteraction, forwardedDoInteraction, doMultipleInteractions, forwardedDoMultipleInteractions etc, will always revert under certain conditions due to overflow in calculations. Proof of Concept Core external functions like doInteracti...
Potential Issues with Address Casting and Validation in _calculateOceanId Function
Lines of code Vulnerability details Impact The use of abi.encodePacked without padding might introduce ambiguity in situations where input lengths are not fixed. Additionally, assuming tokenId can be any uint256 value without enforcing constraints could lead to unexpected behavior if constraints...
[H-02] The Ocean contract and the onERC721Received function is vulnerable to read-only re-entrancy
Lines of code Vulnerability details Impact The contract.function called Ocean.onERC721Received is vulnerable to read-only re-entrancy. The read-only re-entrancy is possible if the contract function is called externally from another contract. What follows are the functions that are traversed throu...
Reentrancy issue. User can easily mint more than allowed presale, bypassing merkle root limit
Lines of code Vulnerability details Impact Lack of reentrancy protection and code not follow Checks, Effects, Interactions pattern guideline. Here are the Effects stuff happen after Interactions affected by reentrancy: tokensMintedAllowlistAddress: tracking presale minted NFT per address...
Withdraws will be bricked if the curve pool gets killed
Lines of code Vulnerability details Impact Liquidity will be locked forever since there is no interface to remove it. Proof of Concept Curve pools have a killed parameter that allows an admin to kill the pool, suspend all deposits, swaps, and single token withdrawals, and then only allow for taki...
Potential Gas Inefficiency due to Unnecessary abi.encode Usage
Lines of code Vulnerability details Impact The function unnecessarily uses abi.encode to convert a uint256 to bytes32, incurring additional gas costs. This doesn't affect correctness but may lead to suboptimal gas usage. Proof of Concept By modifying the fetchInteractionId function to directly ca...
Upgraded Q -> 2 from #677 [1702060237936]
Judge has assessed an item in Issue 677 as 2 risk. The relevant finding follows: L-04 Deposited amounts in the EigenLayer strategy should be checked before updating the strategy for the asset Users deposit in this protocol and the protocol deposits these funds to EigenLayer strategy contracts...
No slippage check while removing liquidity from Curve Pool
Lines of code Vulnerability details Impact The hardcoded value of 0 for the minamount parameter in the removeliquidityonecoin function of the Curve pool can have significant effects on user funds. When users are removing liquidity from the curve pool, the minamount parameter represents the minimu...
Unwrapping function emits event with incorrect values.
Lines of code Vulnerability details Impact The etherUnwrap function in the smart contract does not correctly emit the EtherUnwrap event. The issue arises when calculating and emitting the fee and transfer amounts. The current implementation deducts the fee, transfers the calculated amount, and...
[H-01] Ocean contract and onERC1155Received function is vulnerable to read only reentrancy
Lines of code Vulnerability details Impact The Ocean contract and onERC1155Received function is vulnerable to read only reentrancy when read from another contract. The order of function execution when called externally from the onERC1155Received function in the Ocean contract is as follows. The...
Division by Zero and Precision Loss in computeOutputAmount Function
Lines of code Vulnerability details Impact The vulnerability can cause a runtime exception due to division by zero, leading to contract execution reverting. Additionally, precision loss may occur in calculations due to truncation of remainders, Proof of Concept When unwrapFeeDivisor unexpectedly...
doInteraction() won't mint tokens to user if interaction.specifiedAmount less than 10**12 and has certain conditions
Lines of code Vulnerability details Impact If the user calls doInteraction and executes Interaction with specifiedAmount less than 10 12 and a big difference in token decimals, the user won't get any tokens. Proof of Concept Core external functions like doInteraction will call the internal...
_determineTransferAmount does't support low decimal tokens.
Lines of code Vulnerability details Impact determineTransferAmount does't support low decimal tokens. Transfer amount will be force set to incorrect amount. Proof of Concept In process of erc20Wrap,in order to support different decimal tokens, the contract use determineTransferAmount to get...
Incorrect Decimals Conversion in Curve2PoolAdapter::primitiveOutputAmount Function
Lines of code Vulnerability details Impact The bug in the primitiveOutputAmount function can lead to incorrect decimal conversions when calculating the rawInputAmount. The rawInputAmount is calculated using the convertDecimals function, but the decimals parameter passed to convertDecimals is...
Event Emission
Lines of code Vulnerability details Impact Events such as Swap, Deposit, and Withdraw are emitted with the primitive address as the user parameter, which might not be the actual user msg.sender initiating the transaction. Proof of Concept Provide direct links to all referenced code in GitHub. Add...
High risk in integrating Ocean with Curve TriCrypto pool on Arbitrum
Lines of code Vulnerability details Impact The Curve TriCrypto adapter contract enables swapping, adding liquidity, and removing liquidity for the USDT-WBTC-ETH pool on Arbitrum. However, this pool has been flagged for potential exploit risks. Curve Finance issued a warning: This pool might be at...