Adding a new derivate will split new user's underlying shares in the new derivate to older users
Lines of code Vulnerability details Impact After a derivate is added to the protocol, older users will take some new user's share in the new derivate. The addDerivative function adds a new derivate to the protocol. The newly added derivate has zero underlying balance. Users w...
Derivative Pool Issue can Lead to Loss User Funds when Unstaking
Lines of code Vulnerability details Impact In all withdraw functions of derivatives, there is no check for sending zero Ether back to the safEth contract. It is important to note that the address(msg.sender).call{value: 0}("") function returns true even when transferring a zero value. On the other hand...
WstEth.withdraw() improper implementation of slippage check
Lines of code Vulnerability details Impact In the current implementation of withdraw, the amount is not controlled by minOut. Impact: Users can get rekt. Proof of Concept function withdraw(uint256 amount) external onlyOwner { IWStETH(WSTETH).unwrap(amount); uint256 stEthBal =...
Incorrect minOut calculation in SfrxEth.withdraw()
Lines of code Vulnerability details Impact Final value of mintOut will be lower or higher according to the SFRXETH/FRXETH price ratio. This can result in higher slippage where user can lose funds. Else in other case the slippage will be low and transaction gets reverted unexpectedly. Proof of...
A staker might still be able to stake after staking is over.
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. A staker might still be able to stake after staking is over. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrate...
sFrxEth may revert on redeeming non-zero amount
Lines of code Vulnerability details Impact Unstaking is blocked. Proof of Concept When unstaking the withdraw of each derivative is called. SfrxEth.withdraw calls IsFrxEth(SFRXETHADDRESS).redeem(amount, address(this), address(this));. This function may revert if amount is low due to the following line in...
First stake inflation attack
Lines of code Vulnerability details Impact The first staker can steal the next staked funds. Proof of Concept As the first one to stake, the attacker stakes minAmount ETH, for which minAmount or slightly less due to slippage SafEth tokens are minted. The attacker immediately unstakes the entire...
Division before multiplication truncates minOut and incurs heavy precision loss and results in insufficient slippage protection
Lines of code Vulnerability details Impact When calculating the minOut before doing trade, division before multiplication truncates minOut and incurs heavy precision loss, then very sub-optimal amount of the trade output can result in loss of fund from user because of the insufficient slippage...
Zero value used for sqrtPriceLimitX96
Lines of code Vulnerability details Impact In swapExactInputSingleHop in Reth.sol the sqrtPriceLimitX96 parameter is set to 0 which is useful for testing but can lead to price manipulation attacks. From the Uniswap docs: In production, this value can be used to set the limit for the price the swa...
MuteBond.sol: price discount can be manipulated which undermines its purpose of reflecting demand
Lines of code Vulnerability details Impact The bondPrice in the MuteBond contract increases linearly during the epochDuration from startPrice in the beginning to maxPrice in the end. The bondPrice determines how many MUTE tokens a user receives for bonding his LP tokens. The higher the bondPrice...
An attacker can front-run setMaxPayout() and freeze deposit() and the whole protocol from progressing in epochs.
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. When the owner calls setMaxPayout to decrease maxPayout to newMaxPayout, an attacker can front-run it and deposit so that termsepoch.payoutTotal newMaxPayout. This will freeze deposit and the whole...
poolPrice in Reth.sol can overflow and revert
Lines of code Vulnerability details Impact To determine the value of sqrtPriceX96 that will cause an overflow, we need to analyze the calculation in the function: sqrtPriceX96 uintsqrtPriceX96 1e18 96 2 The maximum value for a uint256 is 2^256 - 1. An overflow occurs when the result of the...
Spot UniswapV3 pricing for rETH when staking in SafEth can lead to loss of user funds
Lines of code Vulnerability details Impact An attacker can craft a set of transactions so that when they are depositing funds in the SafEth contract, using the stake function, they can understate the value of existing deposits preDepositPrice value, while overstating the value of their deposit...
In stake() function shares increase exponentially for the same amount of deposit as the totalSupply() increases, causing the loss for the initial stakers relative to later ones.
Lines of code Vulnerability details Impact Stake function does not allocate the safEth according to the totalShares, instead as more users deposit, later depositors get higher share of the value as compared to early depositors. Proof of Concept Consider Alice, Bob and Jenny want to stake their eth...
Reth deposit conditionally relies on unreliable price source.
Lines of code Vulnerability details Impact Deposits are exposed to unnecessary risk by using Uni v3 Weth/Reth Pool as an oracle. It is also possible for staking to be inoperable due to over/underflow. Proof of Concept In the event of !poolCanDeposit(msg.value) in Reth.sol deposit, this derivative...
Swap deadline for Reth derivative cannot be specified and used for staking
Lines of code Vulnerability details Impact When calling the following Reth.deposit function, uint256 amountSwapped = swapExactInputSingleHop(WETHADDRESS, rethAddress, 500, msg.value, minOut) can be executed. Calling the Reth.swapExactInputSingleHop function below then calls...
User should be able to set the slippage amount willing to pay
Lines of code Vulnerability details Impact The impact of this finding is that users may be required to pay higher transaction fees than necessary due to the absence of an adjustable slippage feature. This could discourage users from using the SafEth contract and negatively impact its adoption...
SfrxEth slippage and fee stealing
Lines of code Vulnerability details Impact The SfrxEth derivative contract calculates the maximum slippage for buying SfrxEth from curve pool by using the current price in the pool at runtime, without considering the price at which the user submitted the transaction to the mempool: uint256 minOut...
Missing critical check of amount minted tokens in stake() -> deposit()
Lines of code Vulnerability details Impact No require to ensure that SfrxEth or WstEth is minted when calling in SafEth.sol stake - IDerivative.deposit function Proof of Concept The deposit function in Reth.sol has a require statement to ensure that the token was actually minted. But there is ...
dMute.sol: Attacker can push lock items to victim's array such that redemptions are forever blocked
Lines of code Vulnerability details Impact This report deals with how an attacker can abuse the fact that he can lock MUTE tokens for any other user and thereby push items to the array of UserLockInfo structs of the user. There are two functions in the dMute contract that iterate over all items i...
Reth.poolCanDeposit checks only two out of three conditions
Lines of code Vulnerability details Impact Staking is blocked. Proof of Concept When staking the deposit of each derivative is called. Reth.deposit deposits in the Rocket Pool directly if possible. To decide if this is possible it uses Reth.poolCanDeposit which returns whether the deposit pool si...
Reth griefing
Lines of code Vulnerability details Impact The maximum slippage when buying rETH from the Uniswap V3 pool is calculated in Reth derivative contract by taking the current price in the Uniswap V3 pool at runtime, without taking into account the price at which the user sent the transaction to the...
DOS attack to RedeemTo() and GetUnderlyingTokens(), leading to loss of funds.
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. An attacker can launch a DOS attack to RedeemTo and GetUnderlyingTokens so that it will always fail for a particular account, say Bob. In this way, Bob will not be able to redeem the MuteToken locked...
Upgraded Q -> 3 from #74 [1679875886032]
Judge has assessed an item in Issue 74 as 3 risk. The relevant finding follows: Exchange Rate can be manipulated if positions are big enough for a long enough time
Upgraded Q -> 2 from #83 [1679850012658]
Judge has assessed an item in Issue 83 as 2 risk. The relevant finding follows: L-02 There is no way to disapprove a collateral
Upgraded Q -> 2 from #60 [1679803335439]
Judge has assessed an item in Issue 60 as 2 risk. The relevant finding follows: LiquidityPool.sol: If the fee recipient is not set then all LP operations such as deposits and withdrawals will fail. Consider making fee transfers optional depending on whether a fee recipient and percentage is set -...
Upgraded Q -> 3 from #88 [1679874647648]
Judge has assessed an item in Issue 88 as 3 risk. The relevant finding follows: L-2 Invalid and stale prices from Synthetix are not validated
Upgraded Q -> 2 from #98 [1679803209669]
Judge has assessed an item in Issue 98 as 2 risk. The relevant finding follows: QA-01 PauseModifier is implemented in the KangarooVault.sol contract but isn't used due to not being a part of core functionality
Upgraded Q -> 2 from #83 [1679850055838]
Judge has assessed an item in Issue 83 as 2 risk. The relevant finding follows: L-05 PauseModifier is not used in KangarooVault
Upgraded Q -> 2 from #179 [1679871876484]
Judge has assessed an item in Issue 179 as 2 risk. The relevant finding follows: L-14 Lack of access control in setVault function leave it vulnerable to frontrunning attack
Upgraded Q -> 3 from #60 [1679803414194]
Judge has assessed an item in Issue 60 as 3 risk. The relevant finding follows: LiquidityPool.sol: The deposit queue processing in processDeposits reads the price of the liquidity token only once at the start of the loop so this means that some queued deposits may not incur price slippage dependi...
Upgraded Q -> 3 from #88 [1679874652791]
Judge has assessed an item in Issue 88 as 3 risk. The relevant finding follows: L-3 KangarooVault.removeCollateral doesn't remove the collateral from the position
Upgraded Q -> 2 from #88 [1679874664641]
Judge has assessed an item in Issue 88 as 2 risk. The relevant finding follows: L-6 Spamming deposit and withdraw queues
Upgraded Q -> 2 from #88 [1679874611177]
Judge has assessed an item in Issue 88 as 2 risk. The relevant finding follows: L-1 Vault assignment in VaultToken can be frontrunned
Upgraded Q -> 2 from #99 [1679874011180]
Judge has assessed an item in Issue 99 as 2 risk. The relevant finding follows: 02 VaultToken.setVault FUNCTION IS CALLABLE BY ANYONE, AND DEV TEAM'S VaultToken.setVault TRANSACTION CAN BE FRONTRUN BY MALICIOUS ACTOR
Upgraded Q -> 2 from #215 [1679863603573]
Judge has assessed an item in Issue 215 as 2 risk. The relevant finding follows: L1 + L2
Upgraded Q -> 2 from #215 [1679863647530]
Judge has assessed an item in Issue 215 as 2 risk. The relevant finding follows: NC1
Upgraded Q -> 2 from #87 [1679862910687]
Judge has assessed an item in Issue 87 as 2 risk. The relevant finding follows: Uninitialized variables
Upgraded Q -> 2 from #39 [1679850456945]
Judge has assessed an item in Issue 39 as 2 risk. The relevant finding follows: N-05 Fees are not being set in the constructor
Upgraded Q -> 2 from #211 [1679800480796]
Judge has assessed an item in Issue 211 as 2 risk. The relevant finding follows: L-4 LiquidityPool processWithdraws overwrites returnedAmount for withdrawals processed in multiple steps The returnedAmount field in the QueuedWithdraw struct is incorrectly overwritten when the withdraw is processed...
Upgraded Q -> 2 from #229 [1679864317254]
Judge has assessed an item in Issue 229 as 2 risk. The relevant finding follows: L-05 VaultToken.setVault can be front-run
Upgraded Q -> 2 from #211 [1679804504433]
Judge has assessed an item in Issue 211 as 2 risk. The relevant finding follows: L-8 VaultToken setVault initialization can be front-runned
Upgraded Q -> 2 from #29 [1679672352018]
Judge has assessed an item in Issue 29 as 2 risk. The relevant finding follows: M-02 Division before multiplication incurs unnecessary precision loss 29
Upgraded Q -> 2 from #773 [1679568911031]
Judge has assessed an item in Issue 773 as 2 risk. The relevant finding follows: LACK OF SLIPPAGE PROTECTIONS FOR EOA IN FUNCTIONS LIKE ReaperVaultERC4626.deposit, ReaperVaultERC4626.mint, ReaperVaultERC4626.withdraw, AND ReaperVaultERC4626.redeem
IRRETRIEVABLE COLLATERAL FOLLOWING A COMPLETE SHORT TRADE CLOSE
Lines of code Vulnerability details Impact This may have been prevented in the UI, but users opting for external integrations might unintentionally input zero or inadequate amount of params.collateralAmount and end up having the collateral stuck in ShortCollateral.sol forever after completing a...
No access control in mint function
Lines of code Vulnerability details Impact Canto Bio Protocol: Should allow the association of a single biography to an identity address. The mint function does not have any access control mechanism in place, allowing anyone to mint multiple Bio NFTs. This could lead to unwanted minting of bios. Tool...
A user can override a namespace created by another user, using the same name
Lines of code Vulnerability details Impact Let's say: Julian and Juliet minted separate trays of characters in the Tray contract. Julian approves Alice to mint a Namespace subprotocol NFT with the name Aliπ. Juliet also approves Alice to mint a Namespace subprotocol NFT with the name Aliπ. If a...
Namespace: Fusing will only result in namespaces containing font class 0, irrelevant of fused tiles
Lines of code Vulnerability details H-02 Namespace: Fusing will only result in namespaces containing font class 0, irrelevant of fused tiles After minting trays, a user can fuse tiles from multiple trays into a namespace. A tray tile specifies a character font class, the character's index and the...
Fuse function only allows creation of emoji typed characters, and does not allow creation of other font classes like text.
Lines of code Vulnerability details Impact The fuse function only allows creation of emoji typed characters due to this line in the fuse function: bytes memory charAsBytes = Utils.characterToUnicodeBytes(0, tileData.characterIndex, characterModifier);, which only accepts a fontClass of 0 as the fir...