Fee on transfer tokens will not behave as expected
Lines of code Vulnerability details Impact In Numoen, it does not specifically restrict the type of ERC20 collateral used for borrowing. If fee on transfer tokens is/are entailed, it will specifically make mint revert in Lendgine.sol when checking if balanceAfter balanceBefore + collateral. Proof...
mint() function logic will break with fee-on-transfer(deflationary) tokens
Lines of code Vulnerability details Impact with deflationary token mint function never succeed Proof of Concept mint function checking if balanceAfter totalLiquidity revert CompleteUtilizationError; // next check is for the case when liquidity is borrowed but then was completely accrued if...
ERC20 TRANSFER AND TRANSFERFROM ARE NOT CHECKING FOR THE ZERO ADDRESS OF to AND from, DURING EXECUTION
Lines of code Vulnerability details Impact ERC20 standard tokens check for the != address0 condition in the transfer and transferFrom functions for the to address and from address in order to make sure funds are not transferred to zero address and balance is not updated in the balanceOf mapping fo...
First liquidity provider will suffer from revert or fund loss
Lines of code Vulnerability details Impact The first liquidity depositor should supply three input values amount0Min, amount1Min, liquidity via AddLiquidityParams but these three values should meet an accurate relationship, or else the depositor will suffer from revert or fund loss Proof of Conce...
Mint to without check for zero address
Lines of code Vulnerability details Impact Mint to without check for zero address. This can lead to loss of tokens Proof of Concept Tools Used Recommended Mitigation Steps add check to be sure that address to is not empty
The LendgineRouter.burn() will always REVERT due to the callback function forgot to send the due token0 back.
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. The LendgineRouter.burn will always REVERT due to the callback function forgot to send the due token0 back. The callback function pairMintCallback is supposed to send back amount0 amount of token0 back ...
Unchecked that the to address is not the address of the tokens
Lines of code Vulnerability details Impact In the swap function, it is unchecked that the to address is not the address of the tokens. This will not lead to a loss of funds because the flashloan will actually revert, but sanity checks like this one should be made following for instance uniswap...
Unprotected payable functions in Payment.sol
Lines of code Vulnerability details Impact In Payment.sol contract unwrapWETH and sweepToken functions are without any access control. They are public and don't validate that they are being called by any permissioned account. The result is that anyone can steal tokens. Proof of Concept 25:...
Make calculation using 1e18 but protocol allows tokens with different scale
Lines of code Vulnerability details Impact Make calculation using 1e18 but protocol allows tokens with different scale. Proof of Concept Method: Calculation: Factory: Here in factory user can add tokens with scale from 6 to 18. Tools Used Static analytics Code reading Recommended Mitigation Steps...
TOKEN BALANCE OF A PARTICULAR ADDRESS IS NOT CHECKED AGAINST THE REQUESTED TRANSFER AMOUNT INSIDE TRANSFER AND TRANSFERFROM FUNCTIONS IN ERC20.sol CONTRACT
Lines of code Vulnerability details Impact transfer and transferFrom functions do not check for the available erc20 token balance of the from address and the msg.sender respectively against the requested transfer amount. Hence if the balanceOffrom and balanceOfmsg.sender in the transferFrom and...
No-check that amounts are less than reserves
Lines of code Vulnerability details Impact There is no check that the amount for the flashloan is actually available in the contract. It is checked that it should be 0 but not than reserves. Eventually, the function will revert because the funds are not there and the funds are not in the contract...
Unchecked Return Values in SwapHelper.swap.
Lines of code Vulnerability details Impact SafeTransferLib.safeTransfertokenIn, msg.sender, amount0Delta 0 ? uint256amount0Delta : uint256amount1Delta; If the pool does not have enough liquidity, the UniswapV2Library functions will return a failure, but the SwapHelper.swap function does not...
No support non-18 decimals token
Lines of code Vulnerability details Impact The function is dependent on the token being of 18 decimals for correct calculation. If the project wants to use other tokens then it underlying native token. It would have to relaunch to accommodate this, or it can be forgotten and lead to future wrong...
ANYONE CAN STEAL ETH THROUGH METHODS IN Payment.sol
Lines of code Vulnerability details Impact In Payment.sol contract, there is no access control on unwrapWETH, sweepToken and refundETH. So anyone can call these method to steal the Eth. Proof of Concept File: src/periphery/Payment.sol function unwrapWETHuint256 amountMinimum, address recipient...
Anyone can withdraw all the WETH sent to Payment contract
Lines of code Vulnerability details Impact Anyone can withdraw all the WETH sent to Payment contract Proof of Concept 1. Someone sends WETH to Payment contract 2. Attacker will call unwrapWETH with amountMinimum = WETH balance of Payment contract and recipient = any attacker controlled address 3...
Arbitrary payer in safeTransfer in Payment.sol
Lines of code Vulnerability details Impact The recipient can call function pay and specify as payer address and withdraw the fund of the payer. Proof of Concept Alice approves this contract to spend her ERC20 tokens. Bob can call pay and specify Alice's address as the payer parameter in...
Successful get balance request to victim contract from attack contract and also costing the victim contract gas fees
Lines of code Vulnerability details Impact Successful get balance request to victim contract from attack contract and also costing the victim contract gas fees One can view the balance of the victim's contract without permission. URL:...
Anyone can withdraw all the ETH sent to Payment contract
Lines of code Vulnerability details Impact Anyone can withdraw all the ETH sent to Payment contract Proof of Concept 1. Someone sends ETH to Payment contract 2. Attacker will call refundETH 3. Payment contract will transfer all ETH to attacker's address Tools Used Manual Analysis
Anyone can transfer any tokens balance of Payment contract
Lines of code Vulnerability details Impact Anyone can transfer any tokens balance of Payment contract Proof of Concept 1. Someone sends some tokens to Payment contract 2. Attacker will call sweepToken with token = token address, amountMinimum = Token balance of Payment contract and recipient = any...
First depositor exploit can break share calculation
Lines of code Vulnerability details Impact A well known attack vector for almost all shares based liquidity pool contracts, where an early user can manipulate the price per share and profit from late users' deposits because of the precision loss caused by the rather large value of price per share...
ADDING UNBALANCED/MORE LIQUIDITY IS POSSIBLE TO MAKE INNOCENT USERS LOSE MONEY, AND BOTS CAN EARN FROM THE POOL
Lines of code Vulnerability details ADDING UNBALANCED/MORE LIQUIDITY IS POSSIBLE TO MAKE INNOCENT USERS LOSE MONEY, AND BOTS CAN EARN FROM THE POOL Impact In the linked file LendgineRouter.sol, the deposit function enable users to add liquidity at any proportion of token0 and token1. However, ther...
Quest owner can withdraw the reward for unclaimed receipt.
Lines of code Vulnerability details Impact Erc1155Quest.withdrawRemainingTokens will withdraw all tokens even if there are users who minted a receipt but didn't claim their rewards before endTime Proof of Concept Whitelisted account creates a new ERC1155 quest. Whitelisted account becomes the...
Wrong modifier
Lines of code Vulnerability details Impact H-01 The modifier that is declared in RabbitHoleReceipt.sol and RabbitHoleTickets.sol files has no impact and has not protection to methods that is used for. This modifier is used in 3 functions. Having no check would mean that this modifier will always ...
withdraw() function uses faulty burn() function for transfer and it has no access control implemented.
Lines of code Vulnerability details Impact The withdraw function has no access control implemented and can be called by anyone. It also uses the burn function to transfer funds. A Malicious actor can withdraw the balance of Lendgine.sol. Proof of Concept Alice a malicious actor uses a contract to...
Replayable signature in the mintReceipt function
Lines of code Vulnerability details Description In the mintReceipt function there is a check of the claimSignerAddress signature: if keccak256abi.encodePackedmsg.sender, questId != hash revert InvalidHash; if recoverSignerhash, signature != claimSignerAddress revert AddressNotSigned; The signatur...
Anyone can mint a receipt despite efforts of restricting it to onlyMinters
Lines of code Vulnerability details Impact Anyone can mint a receipt despite efforts of restricting it to onlyMinters. The onlyMinter modifier does not do anything to restrict calls to onlyMinters which would allow anyone to call the function mint. The require statement was omitted on the modifier...
TEST
Lines of code L1 Vulnerability details THIS IS A TEST
withdrawFee should only be allowed to be called once.
Lines of code Vulnerability details Impact In the current implementation, the function withdrawFee can be called multiple times. It should only be allowed to be called once. Calling more than once would let owner steal from legit users as there won’t be enough funds left for legit users to claim...
Bad modifier definition
Lines of code Vulnerability details Impact The modifiers holding the name "onlyMinter", defined in the "contracts/RabbitHoleReceipt.sol" and "contracts/RabbitHoleTickets.sol" files do not implement an if or require checks. The lack of checking means that the modifiers do nothing about regulating...
Modifier onlyMinter() implementation is faulty
Lines of code Vulnerability details The current implementation of the modifier onlyMinter will not revert because the "require" part is missing, therefore any user will be able to access the minting functions in RabbitHoleTickets.sol and RabbitHoleReceipt.sol. Impact Any user than the allowed...
Wrongly implemented modifier allow everybody to mint Rabbit Hole tickets.
Lines of code Vulnerability details Impact As specified on RabbitHole C4 contest page, RabbitHoleTickets smart contract 'is an 1155 reward contract used by the RabbitHole team.' Meaning that the assets managed by this smart contract have value. Moreover this contract implements ERC-2981: NFT...
Wrongly implemented modifier allow anybody to mint receipts.
Lines of code Vulnerability details Impact Quest rewards can be claimed by anybody without completing any task. RabbitHoleReceipt.onlyMinter modifier purpose is to allow only designated addresses to mint new receipts like QuestFactory smart contract. But since the input is not validated anybody c...
Minting can be called by anyone
Lines of code Vulnerability details Minting can be called by anyone Summary Modifier is wrongly implemented, so every function that uses onlyMinter will be callable by anyone. This affects: RabbitHoleTicketsmintBatch RabbitHoleTicketsmint RabbitHoleReceiptmint Vulnerability Detail Modifier has no...
User's claim can revert when attackers call withdrawFee several times
Lines of code Vulnerability details Impact withdrawFee can be called several times, so attackers can use this to drain Erc20Quest's balance. Proof of Concept When the admin calls withdrawRemainingTokens, protocolFee + unclaimedTokens left in the Erc20Quest contract. If unclaimedTokens =...
[H-02] Return value of 0 from ecrecover not checked
Lines of code Vulnerability details Impact The solidity function ecrecover is used, however the error result of 0 is not checked for. See documentation: "recover the address associated with the public key from elliptic curve signature or return zero on error. " Now you can supply invalid input...
mintReceipt should not allow users to mint after the end of a quest
Lines of code Vulnerability details mintReceipt currently does not have any check that the questId passed as an argument corresponds to an active quest. As the signature will be valid without a deadline, a user can call mintReceipt after the end of a quest, when there is no more funds in the Ques...
mintReceipt could mint receipt after endtime.
Lines of code Vulnerability details Impact mintReceipt could mint receipt after endtime. If owner execute withdrawRemainingTokens user’s receipt that mint after endtime can’t claim. Proof of Concept function withdrawRemainingTokensaddress to public override onlyOwner...
QuestFactory is suspicious of the reorg attack
Lines of code Vulnerability details Description The createQuest function deploys a quest contract using the create, where the address derivation depends only on the QuestFactory nonce. At the same time, some of the chains Polygon, Optimism, Arbitrum to which the QuestFactory will be deployed are...
hash and signature_ can be obtained from the mempool when recoverSigner is executed
Lines of code Vulnerability details In the QuestFactory.sol contract, an attacker can monitor the mem pool and obtain the values of hash and signature which the other user has provided to the function Proof of Concept 210-213: function recoverSignerbytes32 hash, bytes memory signature public pure...
claim can run out of gas
Lines of code Vulnerability details Impact If the claim function runs out of gas, the caller can never claim any rewards without transferring the nfts to another address first Proof of Concept Currently, the claim function loops over the msg.senders NFT's. If this list ever becomes too large, the...
Config update happening in memory instead of at storage slot
Lines of code Vulnerability details Impact While adding configs in addConfig function, configs is updated in memory as shown at . It should accept configs parameter to a function as storage. Proof of Concept function addConfiguint256 memory configs, uint256 configsLen, DripsReceiver memory receiv...
Drips.sol: drips can be squeezed from before drips.updateTime which allows to drain ALL funds from the protocol
Lines of code Vulnerability details Impact The Drips.squeezeDrips function allows to receive drips from the currently running cycle from a single lender. Drips are configured via the Drips.setDrips function . A Drip can be configured to start at any time. The protocol caps the start time at the...
tokens can be transferred to user when minting.
Lines of code Vulnerability details Impact the mint function makes an external call to the faulty burn function which has no check to ensure that only the user who locks collaterals can unlock it. underlying tokens and the balance of Lendgine.sol can be transferred when the mint function is called...
Owner can stop user from claiming rewards in the Erc1155Quest
Lines of code Vulnerability details Impact After completing their tasks users can mint a new receipt token which they can later claim reward with it using the claim function, this function can not be called when the Quest contract is paused so the users can't claim when quest contract is paused...
withdrawRemainingTokens() in the Erc1155Quest withdraws all tokens and does not consider the amount of unclaimed tokens
Lines of code Vulnerability details Impact The withdrawRemainingTokens function in the Erc1155Quest contract does not consider the amount of unclaimed tokens. When the owner calls the function when the quest has ended, all tokens belonging to the contract will be withdrawn. Any user who has not y...
Protocol fees can be withdrawn multiple times in Erc20Quest
Lines of code Vulnerability details The withdrawFee function present in the Erc20Quest contract can be used to withdraw protocol fees after a quest has ended, which are sent to the protocol fee recipient address: function withdrawFee public onlyAdminWithdrawAfterEnd...
Any user is able to mint a new receipt/ticket tokens
Lines of code Vulnerability details Impact In the RabbitHoleReceipt and RabbitHoleTickets contracts the minterAddress should be the only account allowed to mint a new token, but due to an error in the onlyMinter modifier all the users are able to mint new tokens without permission, the impact of...
Bad implementation in minter access control for RabbitHoleReceipt and RabbitHoleTickets contracts
Lines of code Vulnerability details Both RabbitHoleReceipt and RabbitHoleTickets contracts define a mint function that is protected by a onlyMinter modifier: RabbitHoleReceipt: function mintaddress to, string memory questId public onlyMinter tokenIds.increment; uint newTokenID = tokenIds.current;...
withdrawFee() can be called indefinitely
Lines of code Vulnerability details The function withdrawFee does not account whether the fees have already been collected or not, therefore it can be called multiple times or even indefinitely, until the contract balance reaches zero. All funds will be transferred to the protocolFeeRecipient, bu...
protocolFeeRecipient might take unclaimed reward token after quest ends.
Lines of code Vulnerability details Impact Since there is no code to check whether fee has been drawn, withdrawFee might be called multiple times. This allows protocolFeeRecipient to steal all of the unclaimed reward tokens after quest ended. Proof of Concept Provide direct links to all reference...