Make calculation using 1e18 but protocol allows tokens with different scale

Lines of code Vulnerability details Impact Make calculation using 1e18 but protocol allows tokens with different scale. Proof of Concept Method: Calculation: Factory: Here in factory user can add tokens with scale from 6 to 18. Tools Used Static analytics Code reading Recommended Mitigation Steps...

No support non-18 decimals token

Lines of code Vulnerability details Impact The function is dependent on the token being of 18 decimals for correct calculation. If the project wants to use other tokens then it underlying native token. It would have to relaunch to accommodate this, or it can be forgotten and lead to future wrong...

Lack of slippage protection when swapping on Uniswap v2/v3

Lines of code Vulnerability details Impact Lack of slippage protection when swapping on Uniswap v2/v3. It'll create the potential to be sandwiched by MEV bots and result in user loss. Proof of Concept In the LendgineRouter.mint function, the contract would swap all the token0 to token1 in...

Loss of funds - User has control of the fallback function

Lines of code Vulnerability details Imapct: Lendengine check the balanceBefore and after of token1, after sending tokens via a mintFallback function. During this fallback the user has access to theses tokens so far as it's returned + collateral the fallback is satisfied. A attacker can take out...

Economical games that can be played to gain MEV

Lines of code Vulnerability details Disclaimer: Developers did an extremely good job writing the protocol, however, these are some aspects that I think are missed in the design stage and can be considered. Look at it as a food for thought in future designs. Impact How the invariant works The...

Possible Reentrance & Unexpected Behaviour Vulnerabilities

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. No protection against reentrancy attacks, for example, the pay function called in the mintCallback function does not check for reentrancy before performing an external call. No checking of return values...

DIVISION BEFORE MULTIPLICATION ERROR IN CALCULATING INTEREST CAN LEAD TO LARGER PRECISION LOSS

Lines of code Vulnerability details Impact There is a division before multiplication bug in accrueInterest method of Lendgine.sol which may result in loss of interest being accrued due to huge precision loss. There is same error in invariant method of Pair.sol as well which can cause larger...

Lendgine contract can be drained through mint() function due to lack of Access Control

Lines of code Vulnerability details Impact Anybody can call the mint function on lendgine.sol and enter any amount of collateral. This allows them to mint any number of tokens to their address for free. Proof of Concept The mint function in lendgine.sol is external with no additional modifiers or...

Anyone can withdraw contract funds

Lines of code Vulnerability details Impact There is a critical impact that an attacker could drain the entire eth balance of the contract by calling this refundETH function which lacks a modifier. The funds will go always to the caller of the function. Proof of Concept It is not a complex attack ...

Unchecked Return Values in SwapHelper.swap.

Lines of code Vulnerability details Impact SafeTransferLib.safeTransfertokenIn, msg.sender, amount0Delta 0 ? uint256amount0Delta : uint256amount1Delta; If the pool does not have enough liquidity, the UniswapV2Library functions will return a failure, but the SwapHelper.swap function does not...

ANYONE CAN STEAL ETH THROUGH METHODS IN Payment.sol

Lines of code Vulnerability details Impact In Payment.sol contract, there is no access control on unwrapWETH, sweepToken and refundETH. So anyone can call these method to steal the Eth. Proof of Concept File: src/periphery/Payment.sol function unwrapWETHuint256 amountMinimum, address recipient...

Unprotected payable functions in Payment.sol

Lines of code Vulnerability details Impact In Payment.sol contract unwrapWETH and sweepToken functions are without any access control. They are public and and doesn't validate that it's being called by any permissioned account. The result is that anyone can steal tokens. Proof of Concept 25:...

Mint function should have a pause

Lines of code Vulnerability details Impact Even if a market is paused due to insolvency/bugs, there will still be minting going on. This leaves no protection against mining in such case. Tools Used VS code Recommended Mitigation Steps Check in function mint that the market is not paused. For...

The LendgineRouter.burn() will always REVERT due to the callback function forgot to send the due token0 back.

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. The LendgineRouter.burn will always REVERT due to the callback function forgot to send the due token0 back. The callback function pairMintCallback is supposed to send back amount0 amount of token0 back ...

Successful get balance request to victim contract from attack contract and also costing the victim contract gas fees

Lines of code Vulnerability details Impact Successful get balance request to victim contract from attack contract and also costing the victim contract gas fees One can view the balance of the victim's contract without permission. URL:...

Anyone can transfer any tokens balance of Payment contract

Lines of code Vulnerability details Impact Anyone can transfer any tokens balance of Payment contract Proof of Concept 1. Someone send some tokens to Payment contract 2. Attacker will call sweepToken with token = token address, amountMinimum = Token balance of Payment contract and recipient = any...

ADDING UNBALANCED/MORE LIQUIDITY IS POSSIBLE TO MAKE INNOCENT USERS LOSS MONEY, AND BOTS CAN EARN FROM THE POOL

Lines of code Vulnerability details ADDING UNBALANCED/MORE LIQUIDITY IS POSSIBLE TO MAKE INNOCENT USERS LOSS MONEY, AND BOTS CAN EARN FROM THE POOL Impact In the linked file LendgineRouter.sol,the deposit function enable users to add liquidity at any proportion of token0 and token1. However, ther...

Anyone can withdraw all the ETH sent to Payment contract

Lines of code Vulnerability details Impact Anyone can withdraw all the ETH sent to Payment contract Proof of Concept 1. Someone send ETH to Payment contract 2. Attacker will call refundETH 3. Payment contract will transfer all ETH to attacker's address Tools Used Manual Analysis --- The text was...

Anyone can withdraw all the WETH sent to Payment contract

Lines of code Vulnerability details Impact Anyone can withdraw all the WETH sent to Payment contract Proof of Concept 1. Someone send WETH to Payment contract 2. Attacker will call unwrapWETH with amountMinimum = WETH balance of Payment contract and recipient = any attacker controlled address 3...

First depositer exploit can break share calculation

Lines of code Vulnerability details Impact A well known attack vector for almost all shares based liquidity pool contracts, where an early user can manipulate the price per share and profit from late users' deposits because of the precision loss caused by the rather large value of price per share...

Arbitrary payer in safeTransfer in Payment.sol

Lines of code Vulnerability details Impact The recipient can call function pay and specify as payer address and withdraw the fund of the payer. Proof of Concept Alice approves this contract to spend her ERC20 tokens. Bob can call pay and specify Alice's address as the payer parameter in...

Drips.sol: drips can be squeezed from before drips.updateTime which allows to drain ALL funds from the protocol

Lines of code Vulnerability details Impact The Drips.squeezeDrips function allows to receive drips from the currently running cycle from a single lender. Drips are configured via the Drips.setDrips function . A Drip can be configured to start at any time. The protocol caps the start time at the...

Modifier onlyMinter() implementation is faulty

Lines of code Vulnerability details The current implementation of the modifier onlyMinter will not revert because the "require" part is missing, therefore any user will be able to access the minting functions in RabbitHoleTickets.sol and RabbitHoleReceipt.sol. Impact Any user than the allowed...

withdrawFee should only be allowed to called once.

Lines of code Vulnerability details Impact In the current implementation, the function withdrawFee can be called multiple times. It should only be allowed to called once. Calling more than once would let owner steal from legit users as there won’t be enough funds left for legit users to claim...

Bad modifier definition

Lines of code Vulnerability details Impact The modifiers holding the name "onlyMinter", defined in the "contracts/RabbitHoleReceipt.sol" and "contracts/RabbitHoleTickets.sol" files do not implement an if or require checks. The lack of checking means that the modifiers do nothing about regulating...

Protocol fees can be withdrawn multiple times in Erc20Quest

Lines of code Vulnerability details The withdrawFee function present in the Erc20Quest contract can be used to withdraw protocol fees after a quest has ended, which are sent to the protocol fee recipient address: function withdrawFee public onlyAdminWithdrawAfterEnd...

Any user is able to mint a new receipt/ticket tokens

Lines of code Vulnerability details Impact In the RabbitHoleReceipt and RabbitHoleTickets contracts the minterAddress should be the only account allowed to mint a new token, but due to an error in the onlyMinter modifier all the users are able to mint new tokens without permission, the impact of...

Anyone can mint a receipt despite efforts of restricting it to onlyMinters

Lines of code Vulnerability details Impact Anyone can mint a receipt despite efforts of restricting it to onlyMinters. The onlyMinter modifer does not do anything to restrict calls to onlyMinters which would allow anyone to call the function mint. The require statement was ommited on the modifier...

User's claim can revert when attackers call withdrawFee several times

Lines of code Vulnerability details Impact withdrawFee can be called several times, so attackers can use this to drain Erc20Quest's balance. Proof of Concept When the admin calls withdrawRemainingTokens, protocolFee + unclaimedTokens left in the Erc20Quest contract. If unclaimedTokens =...

The onlyMinter modifier checks the wrong condition.

Lines of code Vulnerability details Impact In RabbitHoleReceipt.sol and RabbitHoleTicket.sol, receipts and tickets can be minted by anyone. Proof of Concept The first line inside the modifier can be passed without reverting for any callers. modifier onlyMinter msg.sender == minterAddress; ; Tools...

withdrawFee() can be called multiple times by any user when quest has ended making it possible to drain contract and leave users unable to claim rewards

Lines of code Vulnerability details Impact The withdrawFee function in the Erc20Quest contract can be called multiple times. The modifier onlyAdminWithdrawAfterEnd is applied to the function which only makes it possible to call it after the end time of a quest. It should be noted that any user is...

Minting can be called by anyone

Lines of code Vulnerability details Minting can be called by anyone Summary Modifier is wrongly implemented, so every function that uses onlyMinter will be callable by anyone. This affects: RabbitHoleTicketsmintBatch RabbitHoleTicketsmint RabbitHoleReceiptmint Vulnerability Detail Modifier has no...

Owner can stop user from claiming rewards in the Erc1155Quest

Lines of code Vulnerability details Impact After completing their tasks users can mint a new receipt token which they can later claim reward with it using the claim function, this function can not be called when the Quest contract is paused so the users can't claim when quest contract is paused...

Malicious user can send the quest reward tokens to the protocol fee contract preventing users from claiming their rewards.

Lines of code Vulnerability details Impact Malicious user can take advantage of the function withdrawFee after the quest end time and successfuly send the quest reward tokens to the protocol fee contract preventing users from claiming their rewards. Proof of Concept Every receipt minted should...

protocolFeeRecipient might take unclaimed reward token after quest ends.

Lines of code Vulnerability details Impact Since there is no code to check whether fee has been drawn, withdrawFee might be called multiple times. This allows protocolFeeRecipient to steal all of the unclaimed reward tokens after quest ended. Proof of Concept Provide direct links to all reference...

mintReceipt should not allow users to mint after the end of a quest

Lines of code Vulnerability details mintReceipt currently does not have any check that the questId passed as an argument corresponds to an active quest. As the signature will be valid without a deadline, a user can call mintReceipt after the end of a quest, when there is no more funds in the Ques...

withdrawRemainingTokens() in the Erc1155Quest withdraws all tokens and does not consider the amount of unclaimed tokens

Lines of code Vulnerability details Impact The withdrawRemainingTokens function in the Erc1155Quest contract does not consider the amount of unclaimed tokens. When the owner calls the function when the quest has ended, all tokens belonging to the contract will be withdrawn. Any user who has not y...

withdrawFee() can be called indefinitely

Lines of code Vulnerability details The function withdrawFee does not account whether the fees have already been collected or not, therefore it can be called multiple times or even indefinitely, until the contract balance reaches zero. All funds will be transferred to the protocolFeeRecipient, bu...

mintReceipt could mint receipt after endtime.

Lines of code Vulnerability details Impact mintReceipt could mint receipt after endtime. If owner execute withdrawRemainingTokens user’s receipt that mint after endtime can’t claim. Proof of Concept function withdrawRemainingTokensaddress to public override onlyOwner...

Immutable varibles should be checked to there default values

Lines of code Vulnerability details Impact It is very important to check whether the immutable variables are not equal to the default values because if Quest is created and when we pass a default value to a variable then it can't be changed and it can lead to a problem. Proof of Concept Suppose...

QuestFactory is suspicious of the reorg attack

Lines of code Vulnerability details Description The createQuest function deploys a quest contract using the create, where the address derivation depends only on the QuestFactory nonce. At the same time, some of the chains Polygon, Optimism, Arbitrum to which the QuestFactory will be deployed are...

## [H-02] Return value of 0 from ecrecover not checked

Lines of code Vulnerability details Impact The solidity function ecrecover is used, however the error result of 0 is not checked for. See documentation: "recover the address associated with the public key from elliptic curve signature or return zero on error. " Now you can supply invalid input...

tokens can be transfered to user when minting.

Lines of code Vulnerability details Impact the mint function makes an external call to the faulty burn function which has no check to ensure that only the user who locks collaterals can unlock it. underlying tokens and the balance of Lendgine.sol can be transfered when the mint function is called...

ONLYMINTER MODIFIER WILL NOT REVERT WHEN MSG.SENDER IS NOT MINTERADDRESS

Lines of code Vulnerability details Impact onlyMinter in RabbitHoleReceipt.sol and RabbitHoleTickets.sol is noted to be housing only msg.sender == minterAddress in its code logic. RabbitHoleReceipt.solL58-L61 RabbitHoleTickets.solL47-L50 modifier onlyMinter msg.sender == minterAddress; ; It will...

Wrongly implemented modifier allow everybody to mint Rabbit Hole tickets.

Lines of code Vulnerability details Impact As specified on RabbitHole C4 contest page, RabbitHoleTickets smart contract 'is an 1155 reward contract used by the RabbitHole team.' Meaning that the assets managed by this smart contract have value. Moreover this contract implements ERC-2981: NFT...

Wrong modifier

Lines of code Vulnerability details Impact H-01 The modifier that is declared in RabbitHoleReceipt.sol and RabbitHoleTickets.sol files has no impact and has not protection to methods that is used for. This modifier is used in 3 functions. Having no check would mean that this modifier will always ...

Config update happening in memory instead of at storage slot

Lines of code Vulnerability details Impact While adding configs in addConfig function, configs is updated in memory as shown at . It should accept configs parameter to a function as storage. Proof of Concept function addConfiguint256 memory configs, uint256 configsLen, DripsReceiver memory receiv...

withdraw() function uses faulty burn() function for transfer and it has no access control implemented.

Lines of code Vulnerability details Impact The withdraw function has no access control implemented and can be called by anyone. It also uses the burn function to transfer funds. A Malicious actor can withdraw the balance of Lendgine.sol. Proof of Concept Alice a malicious actor uses a contract to...

Quest owner can withdraw the reward for unclaimed receipt.

Lines of code Vulnerability details Impact Erc1155Quest.withdrawRemainingTokens will withdraw all tokens even if there are users who minted a receipt but didn't claimed their rewards before endTime Proof of Concept Whitelisted account creates a new ERC1155 quest. Whitelisted account becames the...

hash and signature_ can be obtained from the mempool when recoverSigner is executed

Lines of code Vulnerability details In the QuestFactory.sol contract, an attacker can monitor the mem pool and obtain the values of hash and signature which the other user has provided to the function Proof of Concept 210-213: function recoverSignerbytes32 hash, bytes memory signature public pure...