In MuteBond.deposit(), users might deposit more LPs than they expected by a malicious user

Lines of code Vulnerability details Impact Users might deposit more LPs unexpectedly if a malicious user increases an epoch by frontrunning. Proof of Concept deposit has a maxbuy param to purchase all remaining amounts. function deposituint value, address depositor, bool maxbuy external returns...

Attacker can front-run Bond buyer and make them buy it for a lower payout than expected

Lines of code Vulnerability details The MuteBond contract contains a feature in which after each purchase the epochStart increases by 5% of the time passed since epochStart, this in most cases lowers the bond's price i.e. buyer gets less payout for future purchases. An attacker can exploit this...

Function takeBid() allows attacker to sell any collateral NFT that deposited through function borrowToBuy()

Lines of code Vulnerability details Impact Function borrowToBuy is used by the borrower to take a loan offer and uses the funds to purchase NFT. However, even though it sends ETH along when calling function execute to buy the requested NFT, it approves the collateral NFT to Blur for no reason. /...

MuteBond is susceptible to DOS

Lines of code Vulnerability details Proof of Concept Observe that if timeToTokens is called with locktime = 1 week, amount 52, it will return 0. function timeToTokensuint256 amount, uint256 locktime internal pure returns uint256 uint256 weektime = 1 weeks; uint256 maxlock = 52 weeks;...

Attacker can steal the locked NFT in protocol because of lacking check in function borrowToBuy()

Lines of code Vulnerability details Impact In function borrowToBuy, the borrower takes a loan offer and uses the funds to purchase NFT. / Take the loan offer. / takeLoanOfferoffer, signature, lienId, loanAmount, collateralTokenId; / Lock token. / offer.collection.transferFrommsg.sender,...

Logic for RescueTokens is incorrect for muteTokens

Lines of code Vulnerability details Proof of Concept The logic for RescueTokens doesn't take into account the reward remainders. I wanted to write a POC but I'm in a bit of a time crunch. So, imagine the following situation: totalRewards = 100, and staker A, B the only stakers staked for the firs...

A user can 'borrow' dMute balance for a single block to increase their amplifier APY

Lines of code Vulnerability details The amplifier's APY is calculated based on the user's dMute balance delegation balance to be more accurate - the more dMute the user holds the higher APY they get. However, the contract only checks the user's dMute balance at staking, the user doesn't have to...

Award is still distributed when there aren't any stakers, allowing users to get reward without staking

Lines of code Vulnerability details Proof of Concept Consider the update modifier for the amplifier. modifier update if mostRecentValueCalcTime == 0 mostRecentValueCalcTime = firstStakeTime; uint256 totalCurrentStake = totalStake; if totalCurrentStake 0 && mostRecentValueCalcTime endTime uint256...

MuteAmplifier.rescueTokens() checks the wrong condition for muteToken

Lines of code Vulnerability details Impact There will be 2 impacts. The reward system would be broken as the rewards can be withdrawn before starting staking. Some rewards would be locked inside the contract forever as it doesn't check totalReclaimed Proof of Concept rescueTokens checks the below...

Owner lowering max payout might break the MuteBonds contract

Lines of code Vulnerability details The maxPayout variable can be changed by the owner at any time. In case the owner lowers the maxPayout and the payoutTotal of the current epoch is greater than the new maxPayout the contract will be broken - no further deposit can be made, and most of the view...

An edge case in amplifier allows user to stake after end time, causing reward to be locked in the contract

Lines of code Vulnerability details Proof of Concept Observe that if nobody has staked after the period has ended, it's still possible for a single user to stake even though the period has ended. if firstStakeTime == 0 firstStakeTime = block.timestamp; else requireblock.timestamp if...

Amplifier users might not get all the LP fees they are entitled to

Lines of code Vulnerability details Proof of Concept Observe that there is only one place that the amplifier is calling claimFees, and it's inside an if statement of the update modifier, requiring mostRecentValueCalcTime modifier update if mostRecentValueCalcTime == 0 mostRecentValueCalcTime =...

A malicious frontrunner can make the Mutebond contract broken when the owner decreases maxPayout

Lines of code Vulnerability details Impact The Mutebond contract might stop working after the owner decreased maxPayout by a malicious frontrunner. Proof of Concept setMaxPayout can be used to reset maxPayout. function setMaxPayoutuint payout external requiremsg.sender == customTreasury.owner;...

Malicious user can force victims to waste a lot of gas when they redeem their dMute

Lines of code Vulnerability details Proof of Concept When redeeming, the user must iterate through all the elements of userLock to destroy any redeemed locks. foruint256 i = userLocksmsg.sender.length; i 0; i-- UserLockInfo memory lockinfo = userLocksmsg.senderi - 1; // recently redeemed lock,...

MuteAmplifier.rescueTokens() should check conditions for fee tokens(token0/token1) as well

Lines of code Vulnerability details Impact rescueTokens can be used to withdraw fee tokens without any validations. As a result, the reward logic would be broken due to the lack of fee tokens. Proof of Concept rescueTokens doesn't validate anything for the fee tokens. So if some fee tokens were...

Attacker can take a loan offer without providing the NFT from requested collection by using function borrowerRefinance()

Lines of code Vulnerability details Impact Function borrowerRefinance allows the borrower to repay the previous loan and take a different loan offer. In the codebase, there is no check to ensure that collateral collection of previous loan and new loan offer are the same. It can be abused by an...

The first stake is possible after endTime

Lines of code Vulnerability details Impact Users can stake after endTime due to the wrong check. Proof of Concept When a user stakes LP tokens using MuteAmplifier.stake, stake is not allowed after endTime which is set in initializeDeposit by an admin. requireblock.timestamp endTime,...

Bond max-buyer might end up buying the max buy of the next epoch

Lines of code Vulnerability details The MuteBond.deposit function allows users to specify the amount of value they want to purchase bonds for or to set maxbuy to true. If maxbuy is set to true the amount specified in the value parameter is ignored and instead the maximum amount available for...

MuteAmplifier.sol: multiplier calculation is incorrect which leads to loss of rewards for almost all stakers

Lines of code Vulnerability details Impact This report deals with how the calculation of the multiplier in the MuteAmplifier contract is not only different from how it is displayed in the documentation on the website but it is also different in a very important way. The calculation on the website...

MuteAmplifier.sol: rescueTokens function does not prevent fee tokens from being transferred

Lines of code Vulnerability details Impact The MuteAmplifier.rescueTokens function allows the owner to withdraw tokens that are not meant to be in this contract. The contract does protect tokens that ARE meant to be in the contract by not allowing them to be transferred: Link function...

There is a race condition betweeen MuteBond#setEpochDuration() and MuteBond#deposit()

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. There is a race condition between MuteBondsetEpochDuration and MuteBonddeposit. The issue is that when a new EpochDuration is set, it will take effect immediately, which will affect the bond price. As a...

An attacker can lower the price of another depositor() by frontrunning

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. The deposit function will bump bond price back by 5% after purchase based on current delta. However, this function can be executed unlimited number of times in the same block and as a result, one can...

MuteBond.sol: deposit function allows no control for payout and value which leads to unexpected purchases of bonds

Lines of code Vulnerability details Impact The MuteBond.deposit function allows the user to purchase a bond with LP tokens and receive MUTE tokens in return. The bondPrice increases linearly over time which I should mention means the bond gets cheaper; the naming is a bit confusing. There is...

No slippage control for deposit() with the impact that a user deposits with expected high bond price might end up a deposit with the lowest bond price.

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. There is no slippage control for deposit. Impact: a user deposits with expected high bond price might end up a deposit with the lowest bond price. Scenario: a depositor waits for the end of an epoch,...

MuteBond.sol: When maxPayout is lowered the contract can end up DOSed

Lines of code Vulnerability details Impact The maxPayout variable in the MuteBond contract specifies the amount of MUTE that is paid out in one epoch before the next epoch is entered. The variable is initialized in the constructor and can then be changed via the setMaxPayout function. The issue...

Incorrect parameter in withdraw function

Lines of code Vulnerability details Impact An incorrect parameter is used in the withdraw function in SfrxEth.sol. The amount variable is used when the frxEthBalance variable should be used to calculate minOut. The amount that gets swapped at the FRXETHCRVPOOLADDRESS is the frxEthBalance, not the...

Users might lose their stETH rebased reward due to the weights change

Lines of code Vulnerability details Vulnerability Details Let's consider the following scenario: Bob deposits 10eth with the weights: stETH: weights0 = 90e18, rETH: weights1 = 5e18. sfrxETH: weights2 = 5e18 Now, since the Lido has 80% of liquid staking market, Asymmetry Finance decides to adjust...

deposit function of WstEth not working correctly

Lines of code Vulnerability details Impact The deposit function doesnt seem to work at all, or correctly at all. Its missing some code, etc. Please see my natspec notes below for more clarity: Apologies, this is 10mins before contest ends, so I'm just going to copy my NatSpec notes here: function...

Ether trapped in contract if no derivates exist

Lines of code Vulnerability details Ether can get stuck in staking contract if there are no derivatives Impact If the SafEth contract is deployed and there are no derivatives added to the contract and a user tries to call the stake function, then this could result in a loss of funds for the user...

Hardcoded poolFee in deposit() Function Cause Liquidity Depth Issue for Swap

Lines of code Vulnerability details Impact In deposit function we are using the hardcoded value of poolFee as 500 which limits the ability of liquidity providers to select the appropriate fee tier, potentially reducing the returns for liquidity providers. IWETHWETHADDRESS.depositvalue: msg.value;...

Potential reentrancy in unstake function

Lines of code Vulnerability details Impact there is a potential reentrancy vulnerability in the unstake function. After the user's safETH tokens are burned, the function sends ETH to the user's address using the call method. If the receiving address is a contract and it has a fallback function th...

Reth flashloan attack

Lines of code Vulnerability details Impact Using a flashloan to manipulate rETH/ETH price a hacker can receive more SafEth shares for the same amount of ether, thus draining all three derivative contracts rETH, SfrxEth and WstEth. Proof of Concept Reth.poolPrice depends on UniswapV3 pool.slot0...

withdraw function of WstEth derivative contract probably sends wrong ETH amount back to owner contract/user

Lines of code Vulnerability details Impact Sends the wrong amount of ETH back to owner contract/user. In most cases, probably way too much, it sends the entire contract ETH balance. All the other calculations in the withdraw function seem correct, from what can be seen, but, as is the case with...

Hardcoded slippage can lead to user's transactions being front run

Lines of code Vulnerability details Vulnerability details Impact Since all the main function that the user execute implement slippage, attackers can front run any user transaction since the slippage amount is set to 1% on all the lines of code listed above. This can lead to sandwich attacks. Proo...

Ether Locked when Attempting to Call stake() during Setup

Lines of code Vulnerability details Impact During the period between the deployment of the SafEth contract and the addition of derivatives, there is a possibility for users to send Ether to the contract using the stake payable function. In this scenario, the funds will become locked and...

MuteBond.sol: deposit function reverts if remaining payout is very small due to >0 check in dMute.LockTo function

Lines of code Vulnerability details Impact I will show in this report how the MuteBond.deposit function can experience a temporary DOS. The attacker or just any other user by mistake or by not knowing about it can receive a payout from the deposit function that puts the payoutTotal of the current...

REth token price can be manipulated

Lines of code Vulnerability details Impact Currently, all deposit operations split the received ETH between derivatives. One of them is rETH, trading on Pool 0xa4e0faA58465A2D369aa21B3e42d43374c6F9613 with around 1500 ETH in liquidity for each side. The price calculation for splitting deposits in...

poolPrice() is vulnerable to price manipulation

Lines of code Vulnerability details Impact The output of poolPrice, which is used to determine the price of rETH, can be manipulated to become extremely small or large. An attacker abuse this to gain large amounts of SafETH during staking. Vulnerability Details In the Reth contract, poolPrice...

All the FRX_ETH tokens of SfrxEth contract can be drained by a malicious user.

Lines of code Vulnerability details Impact The impact of this finding is severe, as it can result in the complete loss of FRXETH tokens held by the SfrxEth contract. This could lead to a significant financial loss for the contract and its users. Proof of Concept For demonstration purpose, Alice i...

the depositor can get sanwich attack when call stake in SafEth and deposit in RETH

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. users who stake eth from call function stake in will get sandwich attack, which users will lose money Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or an...

sfrxETH.ethPerDerivative is incorrect, leading to incorrect minting amount of safETH

Lines of code Vulnerability details SafeETH.stake allows users to stake ETH and be minted an amount of safETH that corresponds to the ETH value of the derivatives that resulted from their deposit. The minting amount is based on: preDepositPrice, which is a function of the total safETH minted and...

All the STeth balance of WstEth contract can be drained by a malicious user.

Lines of code Vulnerability details Impact The impact of this finding is severe, as it can result in the complete loss of STeth tokens held by the WstEth contract. This could lead to a significant financial loss for the contract and its users. Proof of Concept For demonstration purpose, Alice is...

Reth slippage and fee stealing

Lines of code Vulnerability details Impact The Reth derivative contract calculates the maximum slippage for buying rETH from the Uniswap V3 pool by using the current price in the pool at runtime, without considering the price at which the user submitted the transaction to the mempool: uint...

Upgradeability completely breaks decentralization

Lines of code Vulnerability details Impact Owner of SafEth can steal all staked funds. Proof of Concept SafEth is an upgradeable ERC20 contract that handles the conversion between ETH and whatever derivatives that are implemented. But it also has access to the staked funds through the derivatives...

WstEth slippage and fee stealing

Lines of code Vulnerability details Impact The WstEth derivative contract calculates the maximum slippage for buying WstEth from curve pool by using the current price in the pool at runtime, without considering the price at which the user submitted the transaction to the mempool: uint256 minOut =...

And all this assembly shall know that the OWNER SafEth not with derivatives: for the derivative is the OWNER'S, and he will rebalanceToWeights it into his EOA.

Lines of code Vulnerability details Impact The owner of SafEth can at any time steal all staked funds. Proof of Concept SafEth.addDerivative allows the owner to add any derivative contract, such as one where he can withdraw all IDerivative.deposit-ed funds. SafEth.adjustWeights allows the owner t...

An attacker can manipulate the preDepositvePrice to steal from other users.

Lines of code Vulnerability details Impact The first user that stakes can manipulate the total supply of sfTokens and by doing so create a rounding error for each subsequent user. In the worst case, an attacker can steal all the funds of the next user. Proof of Concept When the first user enters...

[H-02] Front-running of first deposit allows attacker to steal funds

Lines of code Vulnerability details Impact Due to the way in which the SafEth share price is calculated, an attacker can front-run the first depositor's transaction and steal funds through an inflation attack. SafEth::stake calculates the share price by dividing the total asset amount by the tota...

[H-01] RETH oracle manipulation allows attacker to steal funds

Lines of code Vulnerability details Impact The Asymmetry SafEth protocol aims to help diversify and decentralize liquid staking derivatives, exchanging ether staked in the protocol for staked ether derivative tokens based on some relative weighting. A function exposed by these derivative wrapper...

Burning rETH at the unstake might revert

Lines of code Vulnerability details Impact Unstaking is blocked. Proof of Concept When unstaking the withdraw of each derivative is called. Reth.withdraw withdraws by calling RocketTokenRETHInterfacerethAddress.burnamount. But RocketTokenRETH.burn reverts if the ETH balance is insufficient for th...