
10190 matches found

Code423n4 • added 2023/01/19 12:0 a.m. • 5 views

WithdrawProxy calculation error for tokens with decimals != 18 leads to claim reverting

Lines of code Vulnerability details withdrawRatio has 18 decimals 314: s.liquidationWithdrawRatio = proxySupply 315: .mulDivDown1e18, totalSupply 316: .safeCastTo88; 317: 318: currentWithdrawProxy.setWithdrawRatios.liquidationWithdrawRatio; But in WithdrawProxy.claim, transferAmount divides...

AI score: 6.8 • Exploits: 0

Code423n4 • added 2023/01/19 12:0 a.m. • 16 views

FIRST ERC4626 DEPOSIT CAN BE EXPLOITED ON SHARE CALCULATION

Lines of code Vulnerability details Impact This is a common attack vector involving shares based liquidity pool contracts. An early user can manipulate the price per share and profit from late users' deposits because of the precision loss caused by the rather large value of price per share. Note:...

AI score: 6.7 • Exploits: 0

Code423n4 • added 2023/01/19 12:0 a.m. • 8 views

Infinite Loop Vulnerability in endIdForWithdraw() Function.

Lines of code Vulnerability details Impact While loop within the endIdForWithdraw function. while left time test = left + right / 2; // left test right because left right - 1 if queuetest.availableAt = time left = test; else right = test; This loop can cause an infinite loop if the loop invariant...

AI score: 6.8 • Exploits: 0

Code423n4 • added 2023/01/19 12:0 a.m. • 12 views

commitToLien() can pass in an illegal payment token

Lines of code Vulnerability details Impact Stealing vault assets Proof of Concept There are currently two ways to create new Liens in the system 1. user call AstariaRouter.commitToLiens, the internal implementation of this is through VaultImplementation.commitToLien to create 2. user can call...

AI score: 7 • Exploits: 0

Code423n4 • added 2023/01/19 12:0 a.m. • 5 views

ClearingHouse can pass in a malicious payment token

Lines of code Vulnerability details Impact vault loss assets Proof of Concept When the auction is successful the NFT is transferred to the bidder and seaport calls ClearingHouse.safeTransferFrom to trigger the repayment of the debt through the conduit mechanism ClearingHouse.safeTransferFrom -...

AI score: 6.7 • Exploits: 0

Code423n4 • added 2023/01/19 12:0 a.m. • 7 views

[M-02] Strategist has full control over Public Vault it can be risky for depositors

Lines of code Vulnerability details Impact The strategist has full control over all key functions. If the strategist is compromised or hacked he will be able to manipulate the vault. For example, increase the depositCap modifyDepositCapuint256 newCap, add a depositor to the whitelist...

AI score: 6.8 • Exploits: 0

Code423n4 • added 2023/01/19 12:0 a.m. • 23 views

Attacker can fake an ERC20 token as the paymentToken and call ClearingHouse.safeTransferFrom() to prematurely settle the auction, preventing the actual auction from completing

Lines of code Vulnerability details Impact ClearingHouses are deployed for each new loan and settle payments between Seaport auctions and Astaria Vaults if a liquidation occurs. However, due to the lack of proper data validation in the current implementation, anyone can fake a token and transfer ...

AI score: 6.7 • Exploits: 0

Code423n4 • added 2023/01/19 12:0 a.m. • 10 views

Manipulate the price per share value and unfair share of future users' deposits

Lines of code Vulnerability details Impact Most of the share based vault implementation will face this issue. The vault is based on the ERC4626 where the shares are calculated based on the deposit value. By depositing large amount as initial deposit, initial depositor can influence the future...

AI score: 6.7 • Exploits: 0

Code423n4 • added 2023/01/19 12:0 a.m. • 19 views

First ERC4626 deposit can break share calculation

Lines of code Vulnerability details Impact ERC4626 vault share price can be maliciously inflated on the initial deposit, leading to the next depositor losing assets due to precision issues. Proof of Concept The first depositor of an ERC4626 vault can maliciously manipulate the share price by...

AI score: 6.8 • Exploits: 0

Code423n4 • added 2023/01/19 12:0 a.m. • 11 views

LienToken: Lender and liquidator can collude to block auction and seize collateral

Lines of code Vulnerability details If a lender offers a loan denominated in an ERC20 token that blocks transfers to certain addresses for example, the USDT and USDC blocklist, they may collude with a liquidator or act as the liquidator themselves to prevent loan payments, block all bids in the...

AI score: 6.7 • Exploits: 0

Code423n4 • added 2023/01/19 12:0 a.m. • 33 views

First ERC4626 deposit can break share calculation

Lines of code Vulnerability details Impact The first depositor of an ERC4626 vault can maliciously manipulate the share price by depositing the lowest possible amount 1 wei of liquidity and then artificially inflating ERC4626.totalAssets. This can inflate the base share price as high as 1:1e18...

AI score: 6.7 • Exploits: 0

Code423n4 • added 2023/01/19 12:0 a.m. • 10 views

Proper use of dependency

Lines of code Vulnerability details Impact Using safeTransferFrom of solmate. There is no check that the token address exists Proof of Concept After consulting the dev, the only check for making sure the token exists is a list on the UI/frontend side. A highly motivated attacker can easily disable...

AI score: 6.9 • Exploits: 0

Code423n4 • added 2023/01/19 12:0 a.m. • 14 views

ERC4626Cloned.previewMint() causes malicious users to can exclusive access to vault

Lines of code Vulnerability details Impact exclusive access to vault,Other users will not be able to mint Proof of Concept In the previewMint method, if the first user mint, no matter how many shares the user passes in, only 10e18 assets are needed function previewMintuint256 shares public view...

AI score: 6.8 • Exploits: 0

Code423n4 • added 2023/01/19 12:0 a.m. • 13 views

User can lose 10 ethers to Vault

Lines of code Vulnerability details Impact If a user or a contract that has a large allowance 10 ethers or max on an ERC4626Cloned based Vault that has not yet received any deposits, calls mint with 0 share argument, will have a 10 ethers of the asset transferred to the Vault with no way to recla...

AI score: 6.7 • Exploits: 0

Code423n4 • added 2023/01/19 12:0 a.m. • 12 views

Overflow/Underflow in interest calculation caused by lack of timestamp validation in _getInterest() & _getRemainingInterest() function

Lines of code Vulnerability details Impact An attacker could manipulate the last timestamp of a lien in the stack struct to cause an underflow or overflow in the interest calculation. This could result in an incorrect interest amount being calculated, which could lead to incorrect payments being...

AI score: 6.8 • Exploits: 0

Code423n4 • added 2023/01/19 12:0 a.m. • 12 views

Transfer of assets should come before deleting and burning the collateral id

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Clldata id is burnt and deleted before transfer Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept...

AI score: 7.1 • Exploits: 0

Code423n4 • added 2023/01/19 12:0 a.m. • 5 views

Interest is much lower than what it should be

Lines of code Vulnerability details Protocol interest calculation is said in the docs to be as follow: To convert a standard annualized simple interest rate to an Astaria-compatible interest per second value, divide by 3153600031536000 seconds per year and multiply by 10^18 This is not what is...

AI score: 6.8 • Exploits: 0

Code423n4 • added 2023/01/19 12:0 a.m. • 11 views

createLien() The first LienToken does not check for liquidationInitialAsk and maxPotentialDebt

Lines of code Vulnerability details Impact Illegal liquidationInitialAsk and maxPotentialDebt may result in bids amount do not cover the debt Proof of Concept With the current implementation, the first LienToken does not check liquidationInitialAsk and maxPotentialDebt function appendStack...

AI score: 6.9 • Exploits: 0

Code423n4 • added 2023/01/19 12:0 a.m. • 7 views

WithdrawProxy will break if there is a fee-on-transfer underlying

Lines of code Vulnerability details PublicVault.transferWithdrawReserve will increase WithdrawProxy.withdrawReserveReceived by withdrawBalance. The issue is that if the token has a fee-on-transfer, withdrawBalance will be greater than the amount received by withdrawProxy 384:...

AI score: 6.7 • Exploits: 0

Code423n4 • added 2023/01/19 12:0 a.m. • 3 views

A user can use the same proof for a commitment more than 1 time

Lines of code Vulnerability details Impact A user can use the same commitment signature and merkleData more than 1 time to obtain another loan. Proof of Concept A user needs to make some procedures to take a loan against an NFT. Normally the user calls commitToLiens in AstariaRouter.sol providing...

AI score: 6.7 • Exploits: 0

Code423n4 • added 2023/01/19 12:0 a.m. • 4 views

_buyoutLien() does not properly validate the liquidationInitialAsk

Lines of code Vulnerability details Impact Illegal liquidationInitialAsk, resulting in insufficient bids to cover the debt Proof of Concept buyoutLien will validate against liquidationInitialAsk, but incorrectly uses the old stack for validation function buyoutLien LienStorage storage s,...

AI score: 6.8 • Exploits: 0

Code423n4 • added 2023/01/19 12:0 a.m. • 13 views

PublicVault Contract Allows Minting Tokens to a Null Address

Lines of code Vulnerability details Impact The PublicVault contract allows the minting of tokens to a null address. When the redeemFutureEpoch function is called with a null address as the receiver, the function will still proceed with the minting of the underlying asset, but the tokens will not...

AI score: 6.7 • Exploits: 0

Code423n4 • added 2023/01/19 12:0 a.m. • 10 views

Front-run Initializer

Lines of code Vulnerability details Impact In function: function initialize Authority AUTHORITY, ICollateralToken COLLATERALTOKEN, ILienToken LIENTOKEN, ITransferProxy TRANSFERPROXY, address VAULTIMPL, address SOLOIMPL, address WITHDRAWIMPL, address BEACONPROXYIMPL, address CLEARINGHOUSEIMPL...

AI score: 6.8 • Exploits: 0

Code423n4 • added 2023/01/19 12:0 a.m. • 14 views

LienToken.transferFrom There is a possibility of malicious attack

Lines of code Vulnerability details Impact Corrupt multiple key properties of public vault, causing vault not to function properly Proof of Concept When LienToken.makePayment/buyoutLien/payDebtViaClearingHouse If it corresponds to PublicVault, it will make multiple changes to the vault, such as:...

AI score: 6.7 • Exploits: 0

Code423n4 • added 2023/01/19 12:0 a.m. • 7 views

makePayment() may increase the user's debt

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept makePayment will be called when the user needs to repay the money, in two cases. 1. If the repayment amount = borrowed amount + interest, then the loan is paid off and the corresponding...

AI score: 6.7 • Exploits: 0

Code423n4 • added 2023/01/19 12:0 a.m. • 15 views

IRREVERSIBLE SHUTDOWN FUNCTION

Lines of code Vulnerability details Impact The abstract contract VaultImplementation is inherited by Vault.sol and PublicVault.sol. Its shutdown can be called by the strategist to make loadVISlot.isShutdown = true. This will make the modifier whenNotPaused revert, rendering commitToLien and...

AI score: 7.1 • Exploits: 0

Code423n4 • added 2023/01/19 12:0 a.m. • 9 views

Basket range formula is inefficient, leading the protocol to unnecessary haircut

Lines of code Vulnerability details Impact The BackingManager.manageTokens function checks if there's any deficit in collateral, in case there is, if there's a surplus from another collateral token it trades it to cover the deficit, otherwise it goes for a 'haircut' and cuts the amount of basket...

AI score: 6.7 • Exploits: 0

Code423n4 • added 2023/01/19 12:0 a.m. • 10 views

totalStakes is not updated in seizeRSR()

Lines of code Vulnerability details Impact when RSR is seized in the function seizeRSR stakeRSR is update but totalStakes is not updated so after seizeRSR is called when stake is called the line 225 uint256 stakeAmount = newTotalStakes - totalStakes; will underflow and revert because totalStakes ...

AI score: 6.9 • Exploits: 0

Code423n4 • added 2023/01/19 12:0 a.m. • 6 views

Incorrect Trade Settlement in settleTrade() function

Lines of code Vulnerability details Impact /// Settle a single trade, expected to be used with multicall for efficient mass settlement /// @custom:refresher function settleTradeIERC20 sell external; This function takes in only a single IERC20 token as a parameter, with no other information about...

AI score: 6.6 • Exploits: 0

Code423n4 • added 2023/01/19 12:0 a.m. • 8 views

commitment.lienRequest.strategy.vault can be different from the actual vault

Lines of code Vulnerability details Impact The protocol doesn't check that commitment.lienRequest.strategy.vault is equal to the actual vault. The problem with this is that commitment.lienRequest.strategy.vault and vault might be using 2 different tokens. The borrower gets the token of the actual...

AI score: 6.9 • Exploits: 0

Code423n4 • added 2023/01/19 12:0 a.m. • 17 views

ERC4626Cloned deposit and mint logic differ on first deposit

Lines of code Vulnerability details The ERC4626Cloned contract is an implementation of the ERC4626 used for vaults. The standard contains a deposit function to deposit a specific amount of the underlying asset, and a mint function that will calculate the amount needed of the underlying token to...

AI score: 6.7 • Exploits: 0

Code423n4 • added 2023/01/19 12:0 a.m. • 10 views

Comparison Of Different Types Might Lead to Inconsistent Behavior

Lines of code Vulnerability details Impact Comparison Of Different Types Might Lead to Inconsistent Behavior Proof of Concept The comparison here compares two different types , i.e. uint88 withdrawReserve and uint256 withdrawBalance. This type of mismatched might induce unwanted behavior If a bug...

AI score: 7 • Exploits: 0

Code423n4 • added 2023/01/19 12:0 a.m. • 5 views

[M-01] Public Vault cannot be reactivated after Shutdown.

Lines of code Vulnerability details Impact If the strategist who created the vault is compromised/hacked or accidentally/intentionally shutdown the vault by call shutdown the public vault cannot be resumed. There is no function that sets isShutdown = false. Unintentional shutdown of a large publi...

AI score: 6.9 • Exploits: 0

Code423n4 • added 2023/01/19 12:0 a.m. • 5 views

Potential issue with Vault.deposit function

Lines of code Vulnerability details Impact Contract Vault is a private vault which only allows the owner also the strategist to deposit. However, Vault.deposit uses an unnecessary complicated logic requires.allowListmsg.sender && receiver == owner; to allow only owner to deposit actually the...

AI score: 6.9 • Exploits: 0

Code423n4 • added 2023/01/19 12:0 a.m. • 11 views

settleAuction() Check for status errors

Lines of code Vulnerability details Impact ClearingHouse.safeTransferFrom to execute successfully even if there is no bid Proof of Concept settleAuction is called at the end of the auction and will check if the status is legal function settleAuctionuint256 collateralId public if...

AI score: 7.2 • Exploits: 0

Code423n4 • added 2023/01/19 12:0 a.m. • 11 views

Reentrancy in safeTransferFrom() in ClearingHouse.sol allows the attacker to withdraw the collateral, while still owning the borrowed assets.

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Calling the function safeTransferFrom and passing in a custom, attacker controlled payment token allows the malicious actor to perform reentrancy. the following function clears the attacker of all debt,...

AI score: 6.9 • Exploits: 0

Code423n4 • added 2023/01/19 12:0 a.m. • 8 views

refPerTok() for one asset might revert and break the protocol

Lines of code Vulnerability details Impact It turns out that function refPerTok might revert for some assets. For example for CTokenFiatCollateral an external call might revert. As a result refPerTok also reverts. Function refPerTok is called in a loop for all assets inside...

AI score: 6.9 • Exploits: 0

Code423n4 • added 2023/01/19 12:0 a.m. • 9 views

Reentrancy Vulnerability in stake() and unstake() functions.

Lines of code Vulnerability details Impact An attacker can repeatedly call these functions and manipulate the state of the contract, potentially leading to a loss of funds for the users of the contract. For example, an attacker could repeatedly call the stake function, causing the attacker to...

AI score: 7 • Exploits: 0

Code423n4 • added 2023/01/19 12:0 a.m. • 13 views

Wrong implementations in ERC4626RouterBase contract

Lines of code Vulnerability details The ERC4626RouterBase contract contains a set of functions that act as wrappers for a ERC4626 contract, providing a base periphery functionality around a ERC4626 vault. There are a number of different flaws in the wrapped implementations of mint, deposit,...

AI score: 6.7 • Exploits: 0

Code423n4 • added 2023/01/19 12:0 a.m. • 4 views

INCORRECT FUNCTION CALLS

Lines of code Vulnerability details Impact In Vault.sol, WithdrawProxy.sol and PublicVault.sol, name is making an incorrect external call to return its output variable. Apparently, it is calling ERC20asset.symbol instead of ERC20asset.name. Devoid of an accurate name description, this could lead ...

AI score: 6.8 • Exploits: 0

Code423n4 • added 2023/01/19 12:0 a.m. • 10 views

Solmate's ERC20 does not check for token contract's existence

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Not checking for token existence is a known issue for Solmate. This can cause unexpected contract functionality for transfers implemented in the codes. Proof of Concept Provide direct links to all...

AI score: 7 • Exploits: 0

Code423n4 • added 2023/01/17 12:0 a.m. • 5 views

mintFee can be set to 100%

Lines of code Vulnerability details Impact The mintFee can be set to 100%. An amount of centralization over the usual is to be expected in a protocol that deals with RWAs and requires KYC but being able to set the fee to 100% is unnecessary, dangerous, and could harm Ondo's reputation. Proof of...

AI score: 6.7 • Exploits: 0

Code423n4 • added 2023/01/17 12:0 a.m. • 10 views

CASH token cannot be transferred among users and accounts

Lines of code Vulnerability details Impact Since the CASH token cannot be transferred unless it is explicitly allowed, the users cannot send tokens between accounts, trade it on DEXes, or integrate it into their protocols. This is a non-standard behavior that should be reported to them. Proof of...

AI score: 6.8 • Exploits: 0

Code423n4 • added 2023/01/17 12:0 a.m. • 8 views

setMintLimit and setRedeemLimit can result in DoS

Lines of code Vulnerability details Impact Due to the missing validation of mintLimit and redeemLimit this might result in unreasonably low limits, leading to a DoS of the requestMint and requestRedemption function. One user can simply call these functions with the upper limit, resulting in a DoS...

AI score: 6.8 • Exploits: 0

Code423n4 • added 2023/01/17 12:0 a.m. • 11 views

exchangeRateDeltaLimit can be exceeded with overrideExchangeRate() and remain unpaused

Lines of code Vulnerability details Impact The CashManager has a safety feature that limits the maximum change in the exchange rate between epochs. In setMintExchangeRate it is checked that this limit is not exceeded but there is no check in overrideExchangeRate. Proof of Concept An epoch could ha...

AI score: 6.9 • Exploits: 0

Code423n4 • added 2023/01/17 12:0 a.m. • 5 views

If requestMint() is called before mintFee is initially set via setMintFee(), the return of _getMintFees(collateralAmountIn) can be "underflow" , which results in the loss for the protocol and the unexpected-benefit for certain users

Lines of code Vulnerability details Impact This vulnerability lead to the loss for this protocol and the unexpected-benefit for certain users like this: The protocol cannot earn the fee in collateral feesInCollateral that is supposed to be earned unless the MANAGERADMIN set the certain amount of...

AI score: 6.7 • Exploits: 0

Code423n4 • added 2023/01/17 12:0 a.m. • 6 views

Loss of user funds when completing CASH redemptions

Lines of code Vulnerability details The function completeRedemptions present in the CashManager contract is used by the manager to complete redemptions requested by users and also to process refunds. function completeRedemptions address calldata redeemers, address calldata refundees, uint256...

AI score: 6.8 • Exploits: 0

Code423n4 • added 2023/01/17 12:0 a.m. • 7 views

Not resetting totalBurned in CashManager will break user redemptions

Lines of code Vulnerability details Not resetting totalBurned in CashManager will break user redemptions The current implementation in CashManager.completeRedemptions is not updating the totalBurned amount in an epoch if there was a refund. The problem is, that if not all user redemptions can be...

AI score: 6.7 • Exploits: 0

Code423n4 • added 2023/01/17 12:0 a.m. • 10 views

KYC signature can be reused to regain KYC status

Lines of code Vulnerability details The function addKYCAddressViaSignature of the KYCRegistry contract allows a user to be granted a KYC status using a signature provided by Ondo. The function validates that the signer has the corresponding role for the requirement group and adds the user to the...

AI score: 6.7 • Exploits: 0

Code423n4 • added 2023/01/17 12:0 a.m. • 8 views

Values in redemptions do not match, and fees are being overcharged

Lines of code Vulnerability details Impact The amount of collateral to distribute collateralAmountToDist does not need to match the sum of fees actually distributed the sum of collateralAmountDue in the events of processRedemption. The real distributed amount can be smaller. However, the fees are...

AI score: 6.9 • Exploits: 0

Total number of security vulnerabilities: 10190