Malicious user can send the quest reward tokens to the protocol fee contract preventing users from claiming their rewards.

Lines of code Vulnerability details Impact Malicious user can take advantage of the function withdrawFee after the quest end time and successfuly send the quest reward tokens to the protocol fee contract preventing users from claiming their rewards. Proof of Concept Every receipt minted should...

ONLYMINTER MODIFIER WILL NOT REVERT WHEN MSG.SENDER IS NOT MINTERADDRESS

Lines of code Vulnerability details Impact onlyMinter in RabbitHoleReceipt.sol and RabbitHoleTickets.sol is noted to be housing only msg.sender == minterAddress in its code logic. RabbitHoleReceipt.solL58-L61 RabbitHoleTickets.solL47-L50 modifier onlyMinter msg.sender == minterAddress; ; It will...

The onlyMinter modifier checks the wrong condition.

Lines of code Vulnerability details Impact In RabbitHoleReceipt.sol and RabbitHoleTicket.sol, receipts and tickets can be minted by anyone. Proof of Concept The first line inside the modifier can be passed without reverting for any callers. modifier onlyMinter msg.sender == minterAddress; ; Tools...

withdrawFee() can be called multiple times by any user when quest has ended making it possible to drain contract and leave users unable to claim rewards

Lines of code Vulnerability details Impact The withdrawFee function in the Erc20Quest contract can be called multiple times. The modifier onlyAdminWithdrawAfterEnd is applied to the function which only makes it possible to call it after the end time of a quest. It should be noted that any user is...

Immutable varibles should be checked to there default values

Lines of code Vulnerability details Impact It is very important to check whether the immutable variables are not equal to the default values because if Quest is created and when we pass a default value to a variable then it can't be changed and it can lead to a problem. Proof of Concept Suppose...

Mitigation of H-02: See comments

Lines of code Vulnerability details The PR applies the recommended mitigation from the finding, but doesn't take into account the rounding issue identified in M-09 Impact If the price the NFT is bought for is not an exact multiple of the filledQuantities, there will be a loss of precision, and...

Mitigation of M-08: See comments

Lines of code Vulnerability details The PR applies the recommended mitigation from the finding, but the original finding's mitigation suggestion seems to indicated that the If two users place bids at the same price but with different quantities, the queue will pull from the bid with a higher...

Mitigation of M-02: Issue not mitigated

Lines of code Vulnerability details The sponsor appears to confirm Medium severity, but did not provide any PRs addressing it, so the same issue remains in the new code. --- The text was updated successfully, but these errors were encountered: All reactions...

Mitigation of M-07: Issue not mitigated

Lines of code Vulnerability details Mitigation of M-07: Issue not mitigated --- The text was updated successfully, but these errors were encountered: All reactions...

Integer Overflow Vulnerability in _addSplittable Function.

Lines of code Vulnerability details Impact splitsStorage.splitsStatesuserId.balancesassetId.splittable += amt; This vulnerability, if exploited, would allow an attacker to add a large amount of funds to a user's splittable balance, causing it to exceed the maximum value that the uint128 type can...

Mitigation of M-05: Issue not mitigated

Lines of code Vulnerability details The sponsor disputes the issue, but never follows up after judge's comments, so the same issue remains in the new code. --- The text was updated successfully, but these errors were encountered: All reactions...

User might not be able to claim refund when the NFT is bought for less than the minimum reserve price

Lines of code Vulnerability details Impact User might not be able to claim refund when the NFT is bought for less than the minimum reserve price because the minReservePrices is rounded down, which make the contract refund sightly more eth to each user. In most case, the last user will not be able...

Mitigation of M-02: Issue not mitigated

Lines of code Vulnerability details Mitigation of M-02: Issue not mitigated --- The text was updated successfully, but these errors were encountered: All reactions...

Mitigation of M-04: See comments

Lines of code Vulnerability details The PR does NOT fix the issue described in the finding, and instead addresses issue 45. The change breaks out of the loop, which solves the case where the price is the same as the lowest bid, but doesn't address the case where the price is higher than the lowes...

Mitigation of M-01: Issue not mitigated

Lines of code Vulnerability details The sponsor appears to confirm with no-fix and did not provide any PRs addressing it, so the same issue remains in the new code. --- The text was updated successfully, but these errors were encountered: All reactions...

Mitigation of H-05: Issue not mitigated

Lines of code Vulnerability details Mitigation of H-05: Issue not mitigated --- The text was updated successfully, but these errors were encountered: All reactions...

Mitigation of M-06: Issue not mitigated

Lines of code Vulnerability details Mitigation of M-06: Issue not mitigated --- The text was updated successfully, but these errors were encountered: All reactions...

Mitigation of M-05: Issue not mitigated

Lines of code Vulnerability details Mitigation of M-05: Issue not mitigated --- The text was updated successfully, but these errors were encountered: All reactions...

Mitigation of M-01: Issue not mitigated

Lines of code Vulnerability details Mitigation of M-01: Issue not mitigated --- The text was updated successfully, but these errors were encountered: All reactions...

Mitigation of M-07: Issue not mitigated

Lines of code Vulnerability details The sponsor confirmed but disputed Medium severity, and did not provide any PRs addressing it, so the same issue remains in the new code. --- The text was updated successfully, but these errors were encountered: All reactions...

Mitigation of M-06: Issue not mitigated

Lines of code Vulnerability details The sponsor disputes the issue, but never follows up after judge's comments, so the same issue remains in the new code. --- The text was updated successfully, but these errors were encountered: All reactions...

Mitigation of M-03: See comments

Lines of code Vulnerability details The PR does not follow the recommended mitigation from the finding, and instead still allows under-priced bids to be added if the total value being added is at least a multiple of the minimum reserve price. Impact If, for example, the reserve price is 10 Eth,...

Lack of flexibility in updating cycle length leading to potential contract redeployment.

Lines of code Vulnerability details Impact function cycleOfuint32 timestamp private view returns uint32 cycle unchecked return timestamp / cycleSecs + 1; and function currCycleStart private view returns uint32 timestamp uint32 currTimestamp = currTimestamp; // slither-disable-next-line weak-prng...

driverID can make same userID registered under different different driverID's leading to loss of funds and ultimately the trust of people.

Lines of code Vulnerability details Impact driverID can make same userID registered under different different driverID's leading to loss of funds and ultimately the trust of people. Proof of Concept In contract dripsHub their is no mechanism to check a user already registered under driverID or no...

Incorrect calculation

Lines of code Vulnerability details Impact On line 119, the result of the conversion is always going to be zero. Therefore, functions that apply onlyDriver modifier will never be executed. Proof of Concept Please deploy the code below to test the modifier's broken implementation. //...

Incorrect calculation

Lines of code Vulnerability details Impact On line 119, the result of the conversion is always going to be zero. Therefore, functions that apply onlyDriver modifier will never be executed. Proof of Concept Please deploy the code below to test the modifier's broken implementation. //...

Mitigation of H-05: Issue not mitigated

Lines of code Vulnerability details The sponsor confirmed the issue, but did not provide any PRs addressing it, so the same issue remains in the new code. --- The text was updated successfully, but these errors were encountered: All reactions...

Unpacking the "0x1626ba7e" Mystery: The Risks of Unidentified Fixed Values in Smart Contracts - loss of funds

Lines of code Vulnerability details Impact The use of a fixed value in the require statement without understanding its significance creates a security vulnerability in the contract. An attacker could manipulate the returned value to bypass the require statement and execute malicious code. This ca...

Attacker can steal the NFT bought by sending it to another vault he control

Lines of code Vulnerability details Impact The mitigation of H-08 try to validate the vault returned by market with the VaultRegistry. However, it only validated if the vault exists, but not if it is the correct vault. A similar attack described in code-423n4/2022-12-tessera-findings47 can be...

Attacker can DOS OptimisticListing with very low cost

Lines of code Vulnerability details The issue that is described in code-423n4/2022-12-tessera-findings25 was not mitigated and still applies like it is described there. --- The text was updated successfully, but these errors were encountered: All reactions...

Overflow Vulnerability in Splits Contract Due to Maximum Splits Receivers Limitation (_MAX_SPLITS_RECEIVERS = 200)

Lines of code Vulnerability details Impact If more than 200 splits receivers are added for a single user, the constant MAXSPLITSRECEIVERS will be exceeded, causing unexpected behavior in the contract uint256 internal constant MAXSPLITSRECEIVERS = 200; Proof of Concept a. Create an array of splits...

Loss of ETH for proposer when it is a contract that doesn't have fallback function.

Lines of code Vulnerability details The issue that is described in code-423n4/2022-12-tessera-findings40 was not mitigated and still applies like it is described there. --- The text was updated successfully, but these errors were encountered: All reactions...

Orders may not be fillable due to missing approvals

Lines of code Vulnerability details The issue that is described in code-423n4/2022-12-tessera-findings36 was not mitigated and still applies like it is described there. --- The text was updated successfully, but these errors were encountered: All reactions...

Attacker can delay proposal rejection

Lines of code Vulnerability details The issue that is described in code-423n4/2022-12-tessera-findings24 was not mitigated and still applies like it is described there. --- The text was updated successfully, but these errors were encountered: All reactions...

Only one GroupBuy can ever use USDT or similar tokens with front-running approval protections

Lines of code Vulnerability details The issue that is described in code-423n4/2022-12-tessera-findings37 was not mitigated and still applies like it is described there. --- The text was updated successfully, but these errors were encountered: All reactions...

Enormous tokens can be minted by malicious user via reentrancy

Lines of code Vulnerability details Impact The function safeMInt that is used to mint new tokens, makes an external call to ERC721.sol's safeMint which contains a callback to the "to" address argument. checkOnERC721Receivedaddress0, to, tokenId, data safeMint lacks a reentrancy guard, a malicious...

GroupBuy may purchase NFT not in the allowed list

Lines of code Vulnerability details The issue that is described in code-423n4/2022-12-tessera-findings14 was not mitigated and still applies like it is described there. --- The text was updated successfully, but these errors were encountered: All reactions...

Rebalance logic is wrong and this distorts the pool's important states

Lines of code Vulnerability details Impact The important states including long0Balance, long1Balance, long1FeeGrowth, long1ProtocolFees are wrongly calculated and it breaks the pool's invariant. Proof of Concept The protocol provides a rebalancing functionality and the main logic is implemented i...

sqrtDiscriminant can be calculated wrong

Lines of code Vulnerability details Impact Due to the wrong calculation of short and long tokens during the leverage and deleverage process, the users can suffer financial loss while the protocol will lose fees Proof of Concept The protocol uses leverage function to deposit short tokens and recei...

All Transfer Hooks have incomplete checks which might lead to transactions reverting

Lines of code Vulnerability details Impact Due to not checking that the ids array and amounts array are same , if given the two arraya of non-equal length it might lead to incorrect token transfers and unwanted transaction reverts. Proof of Concept According to the EIP specification the ids array...

User receives lesser number of Long Tokens on burning Pool liquidity resulting in loss of user funds

Lines of code Vulnerability details Impact Protocol currently uses 2 levels of callbacks for burning Pool liquidity: Inner callback - timeswapV2PoolBurnChoiceCallback function in Line 438 of Pool.sol allows user to specify long0 & long1 amount such that long0 + long1 longAmount. longAmount here...

Using V2-Pool, user can loose money after minting, then burn due to duration calculation

Lines of code Vulnerability details Impact Users loose money over time after mint using V2-Pool due to the protocol duration calculation. The current duration calculation is calculated from now to maturity. So when the user mint, then burn the liquidity, with time the amount of short he get is...

TOKEN CAN BE LOCKED WHEN THE _mint function is called to mint token to a contract that does not support the ERC1155

Lines of code Vulnerability details Impact Use safeMint intead of mint. The mint function of the TimeswapV2Token.solL110 calls the mint function of the ERC1155. If the token receiver is a contract that does not support ERC1155, the token is locked. Proof of Concept see: If the recipient contract...

Anyone Can Collect The Transaction Fees

Lines of code Vulnerability details Impact collectTransactionFees is a function that should be only calles by the liquidity providers , but the the flow of the function no restriction , lets anyone collect the fees. Proof of Concept 1. Alice decides to collect the fees of pool A for example 2...

QA Report

See the markdown file with the details of this report here. --- The text was updated successfully, but these errors were encountered: All reactions...

Incorrect totalSupply() function design

Lines of code Vulnerability details Impact In ERC1155Enumerable.solL36-L37 line, totalsuppyl of ERC1155 is calculated packages/v2-token/src/base/ERC1155Enumerable.sol: 34 35: /// @inheritdoc IERC1155Enumerable 36: function totalSupply public view override returns uint256 37: return...

Gas Optimizations

See the markdown file with the details of this report here. --- The text was updated successfully, but these errors were encountered: All reactions...

Burning a ERC1155Enumerable token doesn't remove it from the enumeration

Lines of code Vulnerability details The ERC1155Enumerable base contract used in the TimeswapV2Token and TimeswapV2LiquidityToken tokens provides a functionality to enumerate all token ids that have been minted in the contract. The logic to remove the token from the enumeration if the last token i...

ATTACKER CAN STEAL FUNDS BECAUSE OF REENTRANCY VULNERABILITY IN burn METHOD

Lines of code Vulnerability details Impact In burn method of TimeswapV2Option contract, there is no Reentrancy guard. The method allows a Callback function before updating the State variable, which makes method vulnerable for Reentrancy which can lead to steal of funds. Proof of Concept File:...

Fee on transfer tokens will not behave as expected

Lines of code Vulnerability details Impact According to Whitepaper 1.1 Permissionless: "In Timeswap, liquidity providers can create pools for any ERC20 pair, without permission. It is designed to be generalized and works for any pair of tokens, at any time frame, and at any market state ... If fe...