TRANSFERING KIBToken TO YOURSELF INCREASES YOUR BALANCE

Lines of code Vulnerability details Impact using temporary variables to update balances is a dangerous construction. If transferred to yourself, it will cause your balance to increase, thus growing the token balance infinitely Proof of Concept KIBToken overrides transfer to perform the transfer o...

SwingTraderManager.addSwingTrader() shouldn't push the traderId to activeTraders array if active = false.

Lines of code Vulnerability details Impact After adding an inactive trader using addSwingTrader, activeTraders array will contain an inactive trader. Furthermore, if the inactive trader is toggled to active using toggleTraderActive, activeTraders array will contain the trader twice and the main...

RewardThrottle: If an epoch does not have any profit, then there may not be rewards for that epoch at the start of the next epoch.

Lines of code Vulnerability details Impact In RewardThrottle, both checkRewardUnderflow and fillInEpochGaps call fillInEpochGaps to fill the state of the previous epoch without profit, the difference being that checkRewardUnderflow will request the reward from the overflowPool and distribute the...

Manipulation of livePrice to receive defaultIncentive in 2 consecutive blocks

Lines of code Vulnerability details Impact In StabilizerNode, the default behaviour when twap is below the lower peg threshold all transfers to the amm pool are blocked. However when usePrimedWindow = true, it will only block transfers for primedWindow = 10 blocks. After 10 blocks, the block...

An early check logic in StabilizerNode.stabilize prevents possible stabilization.

Lines of code Vulnerability details Impact An early check logic in StabilizerNode.stabilize prevents possible stabilization. Proof of Concept In StabilizerNode.stabilize, there is an early check logic for exchangeRate and auction state. If shouldAdjustSupply returns false, stabilize will end...

StabilizerNode.stabilize may use undistributed rewards in the overflowPool as collateral

Lines of code Vulnerability details Impact In StabilizerNode.stabilize, globalIC.collateralRatio is used to calculate SwingTraderEntryPrice and ActualPriceTarget, with collateralRatio indicating the ratio of the current global collateral to the malt supply. function collateralRatio public view...

SwingTraderManager.swingTraders() shoudn't contain duplicate traderContracts.

Lines of code Vulnerability details Impact If SwingTraderManager.swingTraders contains duplicate traderContracts, several functions like buyMalt and sellMalt wouldn't work as expected as they work according to traders' balances. Proof of Concept During the swing trader addition, there is no...

RewardThrottle.checkRewardUnderflow() might track the cumulative APRs wrongly.

Lines of code Vulnerability details Impact RewardThrottle.checkRewardUnderflow might calculate the cumulative APRs for epochs wrongly. As a result, cashflowAverageApr will be calculated incorrectly in updateDesiredAPR, and targetAPR would be changed unexpectedly. Proof of Concept In...

LinearDistributor.declareReward can revert due to dependency of balance

Lines of code Vulnerability details Impact LinearDistributor.declareReward will revert and it can cause permanent DOS. Proof of Concept In LinearDistributor.declareReward, if the balance is greater than the bufferRequirement, the rest will be forfeited. if balance bufferRequirement // We have mor...

Unnecessary precision loss in redeemKIBT()

Lines of code Vulnerability details Impact Unnecessary precision loss in redeemKIBT Proof of Concept If enter Deprecated mode, user can switch back to StableCoin by percentage with redeemKIBT The redeemKIBT implementation code is as follows: function redeemKIBTuint256 amount external override...

RewardThrottle._sendToDistributor() reverts if one distributor is inactive.

Lines of code Vulnerability details Impact RewardThrottle.sendToDistributor reverts if one distributor is inactive. Proof of Concept RewardThrottle.sendToDistributor distributes the rewards to several distributors according to their allocation ratios. File:...

LinearDistributor.declareReward() might revert after changing vestingDistributor.

Lines of code Vulnerability details Impact LinearDistributor.declareReward might revert after changing vestingDistributor due to uint underflow. Proof of Concept In LinearDistributor.sol, there is a setVestingDistributor function to update vestingDistributor. And in declareReward, it calculates t...

RewardThrottle.checkRewardUnderflow can't distribute rewards because fillInEpochGaps updates activeEpoch when RewardThrottle is inactive

Lines of code Vulnerability details Impact RewardThrottle.checkRewardUnderflow can't distribute rewards because activeEpoch can be updated to a new one. Proof of Concept RewardThrottle.checkRewardUnderflow distributes rewards only when RewardThrottle is active. function checkRewardUnderflow publi...

Repository._removeContract() removes the contract wrongly.

Lines of code Vulnerability details Impact After removing the contract, the contracts array would contain the wrong contract names. Proof of Concept Repository.removeContract removes the contract name from contracts array. File: 2023-02-malt\contracts\Repository.sol 223: function...

Value of totalProfit might be wrong because of wrong logic in function sellMalt()

Lines of code Vulnerability details Impact Contract SwingTraderManager has a totalProfit variable. It keeps track of total profit swing traders maded during sellMalt. However, the logic for accounting it is wrong so it will not have the correct value. As the results, it can affect other contracts...

RewardThrottle.setTimekeeper: If changing the timekeeper causes the epoch to change, it will mess up the system

Lines of code Vulnerability details Impact RewardThrottle.setTimekeeper allows POOLUPDATERROLE to update the timekeeper when RewardThrottle is active, function setTimekeeperaddress timekeeper external onlyRoleMaltPOOLUPDATERROLE, "Must have pool updater privs" requiretimekeeper != address0, "Not...

Artificial Inflation of Interest-Bearing Balances

Lines of code Vulnerability details Impact It is possible to artificially inflate one's balance, compromising the integrity of the KIB token entirely. The vulnerability arises from how the balances are updated and utilize "stale" values that were loaded into memory. As such, a self-transfer would...

StabilizerNode.stabilize() should update lastTracking as well to avoid an unnecessary incentive.

Lines of code Vulnerability details Impact StabilizerNode.stabilize should update lastTracking as well to avoid an unnecessary incentive. Current logic pays unnecessary incentives to track the pool. Proof of Concept trackPool pays an incentive per trackingBackoff in order to ensure pool...

SwingTraderManager.sellMalt() doesn't update totalProfit for some cases.

Lines of code Vulnerability details Impact SwingTraderManager.totalProfit would be less than the real amount and the impact might be low as this amount isn't used elsewhere. After the second look, I think the SwingTraderManager itself might be used as a swing trader againI am not sure the protoco...

TRANSFERING KIBToken TO YOURSELF INCREASES YOUR BALANCE

Lines of code Vulnerability details Impact using temporary variables to update balances is a dangerous construction. If transferred to yourself, it will cause your balance to increase, thus growing the token balance infinitely Proof of Concept KIBToken overrides transfer to perform the transfer o...

priceTarget is inconsistent in StabilizerNode.stabilize

Lines of code Vulnerability details Impact priceTarget is inconsistent in StabilizerNode.stabilize so stabilize can do auction instead of selling malt and vice versa. Proof of Concept In StabilizerNode.stabilize, there is an early check using shouldAdjustSupply function. if...

Function stabilize() might always revert because of overflow since Malt contract use solidity 0.8

Lines of code Vulnerability details Impact MaltDataLab fetched priceCumulative directly from Uniswap V2 pool to calculate price of Malt token. However, it is noticed that Uniswap V2 pool use Solidity 0.5.16, which does not revert when overflow happen. In addition, it is actually commented in...

_distributeProfit will use the stale globalIC.swingTraderCollateralDeficit()/swingTraderCollateralRatio(), which will result in incorrect profit distribution

Lines of code Vulnerability details Impact The distributeProfit called by handleProfit will use globalIC.swingTraderCollateralDeficit/swingTraderCollateralRatio when distributing profits, and the latest globalIC.swingTraderCollateralDeficit/swingTraderCollateralRatio needs to be used to ensure th...

SwingTraderManager.addSwingTrader will push traderId with active = false to activeTraders

Lines of code Vulnerability details Impact In SwingTraderManager.addSwingTrader, if active = false, the traderId is also pushed to activeTraders. function addSwingTrader uint256 traderId, address swingTrader, bool active, string calldata name external onlyRoleMaltADMINROLE, "Must have admin privs...

StabilizerNode.stabilize uses stale GlobalImpliedCollateralService data, which will make stabilize incorrect

Lines of code Vulnerability details Impact In StabilizerNode.stabilize, impliedCollateralService.syncGlobalCollateral is called only at the end of the function to synchronize the GlobalImpliedCollateralService data. if !shouldAdjustSupplyexchangeRate, stabilizeToPeg lastStabilize = block.timestam...

RewardThrottle.populateFromPreviousThrottle may be exposed to front-run attack

Lines of code Vulnerability details Impact RewardThrottle.populateFromPreviousThrottle allows ADMINROLE to use epochData from previousThrottle to populate state from activeEpoch to epoch in current RewardThrottle. function populateFromPreviousThrottleaddress previousThrottle, uint256 epoch extern...

LinearDistributor.declareReward: previouslyVested may update incorrectly, which will cause some rewards to be lost

Lines of code Vulnerability details Impact In LinearDistributor.declareReward , distributed represents the reward to distribute and is calculated using netVestcurrentlyVested - previouslyVested. At the same time, distributed cannot exceed balance, which means that if balance linearBondedValue...

Users can't remove liquidity while malt price is below peg defend threshold

Lines of code Vulnerability details Impact The protocol is designed to limit buys while malt price is below peg defend threshold. But it is implemented by blocking any malt token transfer which is originated from the target pool. So it unexpectedly blocks users from removing liquidity too...

Mitigation of M-05: Issue not fully mitigated

Lines of code Vulnerability details Original issue: M-05: early user can call issue and then melt to increase basketsNeeded to supply ratio to its maximum value and then melt won't work and contract contract features like issue won't work Not mitigated - attacker can still manipulate the...

Mitigation of M-03: Issue not fully mitigated

Lines of code Vulnerability details Original issue: M-03: Baited by redemption during undercollateralization no issuance, just transfer Explanation This is basically a dupe of M-04 as commented by the judge, I elaborated on this on the M-04 mitigation. TL;DR - using a boolean parameter to agree t...

Unspent RSR can be stolen

Lines of code Vulnerability details Impact The BackingManager.handoutExcessAssets function sends all rsr that the BackingManager holds to the StRSR contract. This is done so that the rsr which is held by the BackingManager due to seizure from the StRSR contract can be sent back entirely to the...

MaltRepository._revokeRole may not work correctly

Lines of code Vulnerability details Impact MaltRepository inherits from AccessControl and adds validation of validRoles to the hasRole function, which means that even if super.hasRolerole, account == true, if validRolesrole == false hasRole will return false, which will cause revokeRole to not wo...

Incompatibilty of BackingManager with some tokens.

Lines of code Vulnerability details Impact The BackingManager contains a grantRTokenAllowance function which is used to grant token allowances to the RToken contract. function grantRTokenAllowanceIERC20 erc20 external notFrozen requireassetRegistry.isRegisterederc20, "erc20 unregistered"; // ==...

Unsafe typecasting

Lines of code Vulnerability details Impact In the RToken.issueTo function unsafe typecasting of uint256 to int256 is performed while invoking the Throttle.useAvailable function. function issueToaddress recipient, uint256 amount public notPausedOrFrozen exchangeRateIsValidAfter requireamount 0,...

Mitigation of H-02: Issue not fully mitigated

Lines of code Vulnerability details Mitigation of H-02: Issue not fully mitigated Original issue: H-02: Basket range formula is inefficient, leading the protocol to unnecessary haircut Not mitigated - top range can still be too high, leading to unnecessary haircut The applied mitigation follows t...

Governance can cap the outflow of funds significantly preventing user redemptions

Lines of code Vulnerability details Impact The Reserve protocol always intends to allows free outflow of rToken collaterals. The redemption of rToken is allowed even when the protocol is paused. A Throttle mechanism is in place to just limit the outflow of funds from the contract. However the...

Early staker can disable staking by issuing and sending a bit to Furance

Lines of code Vulnerability details This one is caused by mitigation to issue M-05 Impact Early issuer can issue less than one wad e.g. 9e17 wei and send it to the Furnace contract, then whenever anyone is trying to issue more RTokens melt would be called, since there’s less than 1 wad in total...

Attacker can temporary deplete available redemption/issuance by running issuance then redemption or vice versa

Lines of code Vulnerability details Impact Attacker can deplete available issuance or redemption by first issuing and then redeeming in the same tx or vice versa. The available redemption/issuance will eventually grow back, but this temporary reduces the available amount. This can also use to fro...

sellMalt has a calculation error that can lead to excessive profits

Lines of code Vulnerability details Impact SwingTraderManager.sellMalt will call SwingTrader.sellMalt to sell the Malt purchased earlier and give the profit to profitDistributor to distribute. uint256 basis, = costBasis; if maxAmount totalMaltBalance maxAmount = totalMaltBalance;...

Upgraded Q -> 2 from #154 [1676532286167]

Judge has assessed an item in Issue 154 as 2 risk. The relevant finding follows: Quest.claim can risk gas exhaustion on large receipt claims due to multiple mandatory loops function claim public virtual onlyQuestActive if isPaused revert QuestPaused; uint256 memory tokens =...

Upgraded Q -> 2 from #206 [1676531414343]

Judge has assessed an item in Issue 206 as 2 risk. The relevant finding follows: Issue 2: receipts are not burned upon claiming reward. In my opinion, current system of just claiming some tokens to be "used" has some downsides: in any claim check, users spend gas to iterate over these tokens too...

Attacker can cause loss to rToken holders and stakers by running BackingManager._manageTokens before rewards are claimed

Lines of code Vulnerability details Impact The assets that back the rTokens are held by the BackingManager and can earn rewards. The rewards can be claimed via the TradingP1.claimRewards and TradingP1.claimRewardsSingle function. The BackingManager inherits from TradingP1 and therefore the above...

recreateMinipool may not be called

Lines of code Vulnerability details Impact recreateMinipool may not be called Proof of Concept To resolve M-09, the fix is that: function recordStakingEndThenMaybeCycle address nodeID, uint256 endTime, uint256 avaxTotalRewardAmt external payable whenNotPaused int256 minipoolIndex =...

There is no way to recover from error state

Lines of code Vulnerability details Impact There is no way to recover from error state Proof of Concept To address report M-3, in PR, The finishFailedMinipoolByMultisig method removed, while this does not block user from withdraw the fund in the error state in the current implementation. I think...

Slashed amount may not be cover the staker reward payout

Lines of code Vulnerability details Impact Slashed amount may not be cover the staker reward payout Proof of Concept In the current fix, If the staked balance cannot cover the slashed amount, seize the staked balance. Staking staking = StakinggetContractAddress"Staking"; if staking.getGGPStakeown...

RewardsStartTime should be reset when decreaseAVAXAssigned is called

Lines of code Vulnerability details Impact Proof of Concept The fix for M-19 is to get rid of the miniCount code-423n4/2022-12-gogopool-findings235 in calculateAndDistributeRewards function, however, the logic below is added: // check if their rewards time should be reset if...

Transferring the allotAmount reward to MultisigManager leads to the loss of reward when no wallet is enabled in the RewardsPool

Lines of code Vulnerability details Impact Transferring the allotAmount reward to MultisigManager leads to the loss of reward Proof of Concept If we refers to the original M-21 finding: code-423n4/2022-12-gogopool-findings143 Division by zero error can block RewardsPoolstartRewardCycle if all...

amountAvailableForStaking() not fully utilized with compoundedAvaxNodeOpAmt easily forfeited

Lines of code Vulnerability details Impact The mitigated step is implemented at the expense of economic loss to both the node operators and the liquid stakers if compoundedAvaxNodeOpAmt ggAVAX.amountAvailableForStaking after all due to situations like liquid stakers have been actively calling...

Minipool whose multisig has been disabled cannot be reassigned a valid one

Lines of code Vulnerability details Impact The likelihood of startRewardsCycle reverting due to division by zero is practically not going to happen. This is because disableAllMultisigs is only reasonably invoked when pauseEverything is called by the defender. At his point, startRewardsCycle will...

The node operators are likely to be slashed in an unfair way

Lines of code Vulnerability details C4 issue H-04: Hijacking of node operators minipool causes loss of staked funds Comments In the original implementation, the protocol had some unnecessary state transitions and it was possible for node operators to interfere the recreation process. The main...