SOLMATE SAFETRANSFER AND SAFETRANSFERFROM DOES NOT CHECK THE CODESIZE OF THE TOKEN ADDRESS, WHICH MAY LEAD TO FUND LOSS
Lines of code Vulnerability details Impact Reference from a previous Contest: In uniswapV3SwapCallback and sendPaprFromAuctionFees the safeTransfer and safeTransferFrom don't check the existence of code at the token address. This is a known issue while using solmate's libraries. Hence this ma...
Underlying With Non-Standard Decimals Not Supported
Lines of code Vulnerability details Impact Arithmetic operations are performed with the assumption that the token always has 18 decimals. Proof of Concept It would not be possible without using 18 decimal places of the base capital. Tools Used vscode Recommended Mitigation Steps Consider whether...
incorrect message signer check in ecrecover() and no validation for oracleSigner which would cause all the unsigned messages to be considered as valid ones
Lines of code Vulnerability details Impact address oracleSigner has been used to verify signed messages by comparing the return value of ecrecover with oracleSigner. But the return value of ecrecover could be 0x0 and the code doesn't check that the return value is not 0x0. If the owner sets oracleSigner to 0x0 ...
Oracle may return a stale price that is not resistant to flash crashes
Lines of code Vulnerability details Impact Oracle may return a stale price in the event of a flash crash which will affect protocol calculation of maxDebt and affect protocol. Proof of Concept Protocol uses the time weighted average pricing of 30 days to check the price of the NFT. uint256 consta...
fundingRate formula and _multiplier()
Lines of code Vulnerability details Impact The formula used for _multiplier will not work as expected. The target price update will be inaccurate and all the borrow/repay/liquidation functions will use the inaccurate target price. The impacts might be: Target price and mark price track will not wor...
Faulty fee handling in buyAndReduceDebt
Lines of code Vulnerability details Impact When passing fee params to buyAndReduceDebt with swapFeeTo and swapFeeBips, the PaprController will try to send the underlying token on the following line: underlying.transferparams.swapFeeTo, amountIn params.swapFeeBips / BIPSONE; But in a normal state,...
Malicious user able to start auction to any NFT
Lines of code Vulnerability details Impact Any address can start an auction for an NFT, regardless of whether they are the actual owner of the NFT. This vulnerability could allow an attacker to start auctions for NFTs that they do not own, potentially leading to financial losses for the true owne...
setPlotsAvailablePerSize does not work correctly
Lines of code Vulnerability details Impact The function setPlotsAvailablePerSize can be used for two things: 1. Decreasing the number of plots that is available for a certain size 2. Increase the number of plots that is available for a certain size However, in both cases it can introduce errors...
There is no way to extract fees when someones wants to reduce a debt by paying with underlying tokens
Lines of code Vulnerability details Impact When a user is buying the debt of an account or its own debt, it either has the choice to use the reduceDebt function in order to pay with PAPR tokens, or to pay in underlying tokens (which can be USDC, WETH, ...). A protocol that would choose to...
Collateral NFT deposited to a wrong address, when transferred directly to PaprController
Lines of code Vulnerability details Impact Users will lose collateral NFTs when they are transferred to PaprController by an approved address or an operator. Proof of Concept The PaprController allows users to deposit NFTs as collateral to borrow Papr tokens. One of the ways of depositing is by...
A BETTER APPROACH TO REVERTING CODE LINES ON _ADDCOLLATERALTOVAULT() AND _REMOVECOLLATERAL()
Lines of code Vulnerability details Impact In PaprController.sol, callers would have to deal with the function prematurely reverting upon encountering an element in collateralArr failing to pass the if statement in the function logic of addCollateralToVault and removeCollateral. The amount of gas wast...
Initial value of auction starter discount is set wrong
Lines of code Vulnerability details Impact The protocol offers a discount for auction starters when purchasing the liquidated NFT as an incentive for users to start an auction. I believe the intended discount should be 10%, but is currently implemented at 90%. 90% is too massive a discount for th...
Liquidations force users into bigger debts
Lines of code Vulnerability details Impact User's uncovered debt increases when auction starts on their collateral token. The increased debt may be too big for a user and they might not be able to repay it, which forces them to wait for the auctioned token to be sold and accrue more debt due to t...
Extensive permissions for owner
Lines of code Vulnerability details Impact & Proof Of Concepts / Implications Some privileged functions are often unavoidable in smart contracts. However, in these contracts, the privileges are unnecessarily very extensive and without checks on the smart contract side: 1. He can use ownerMint or...
if msg.sender != account, then msg.sender double pays in buyAndReduceDebt
Lines of code Vulnerability details Impact If msg.sender chooses to pay for some other account's debt, then he has to pay double. Proof of Concept msg.sender first has to pay the underlying tokens; the paprToken from the swap goes to account; the controller then burns the papr tokens from msg.sender...
ownerMintUsingTokenId can brick the whole contract
Lines of code Vulnerability details Impact With the function ownerMintUsingTokenId, it is possible for the owner to mint a token with an arbitrary token ID. However, this can brick the whole contract and cause a situation where no more mints / buys are possible. This happens when a token ID is...
Attacker can create uncollateralized debt by a reentrancy attack during _removeCollateral() by removing all collaterals and liquidating the last one, which would set debt to zero. Unfair liquidation can happen with reentrancy too
Lines of code Vulnerability details Impact Function removeCollateral removes collateral from msg.sender's vault and the code allows the onReceive hook to sell and repay debt before the debt check. During the hook function the user can call other functions of the PaprController contract; it's possible for...
Contract owner can drain all NFT collateral
Lines of code Vulnerability details Impact To add NFTs as collateral to the protocol and use them to create debt, the owner has to approve each NFT contract address first. As anyone can create their own papr vaults with arbitrary allowed NFTs by design, this opens the possibility for malicious actors t...
PaprController.onERC721Received() assigns collateral to operator's vault instead of the nft owner's one
Lines of code Vulnerability details Impact The collateral is assigned to the operator's vault because of a parameter mismatch. This impacts the ability of third parties to integrate the PaprController contract. You're not able to create an intermediary contract that adds collateral to a user's...
PaprController should not pay the swap fee in buyAndReduceDebt
Lines of code Vulnerability details Impact The best case scenario is that the paprController doesn't have any underlying tokens, in which case, buyAndReduceDebt won't work when there is a swapFee. Otherwise, paprController ends up paying for the swapFee. Even if there isn't a swap fee, the user c...
Misunderstanding operator with from
Lines of code Vulnerability details Author: rotcivegaf Impact The owner of the ERC721 token could approve an operator to manage his tokens. With the misunderstanding of operator with from in the onERC721Received function, the benefits of this function go to the operator instead of the from (owner):...
Code doesn't check that the Uniswap pool does not already exist, and if an attacker creates the Uniswap pool beforehand with the calculable papr address and underlying address and exact fee amount, then the deployment transaction would always fail
Lines of code Vulnerability details Impact Attacker can perform a DoS and prevent the contract from getting deployed. The address of papr can be calculated by the attacker before its deployment, and the address of the underlying (USDC) and the fee are known, so the attacker can create the Uniswap pool beforehand and cause...
Stealing fund by applying reentrancy attack on removeCollateral, startLiquidationAuction, and purchaseLiquidationAuctionNFT
Lines of code Vulnerability details Impact By applying a reentrancy attack involving the functions removeCollateral, startLiquidationAuction, and purchaseLiquidationAuctionNFT, an attacker can steal a large amount of funds. Proof of Concept Bob, a malicious user, deploys a contract to apply the attack...
Borrowers may earn auction proceeds without filling the debt shortfall
Lines of code Vulnerability details Impact The proceeds from the collateral auctions will not be used to fill the debt shortfall, but will be transferred directly to the borrower. Proof of Concept Assume N is an allowed NFT, B is a borrower, the vault V is vaultInfoBN: 1. B adds two NFTs (N-1 and N-2) as...
Upgraded Q -> M from #27 [1671522165760]
Judge has assessed an item in Issue 27 as M risk. The relevant finding follows: Dup of 45. The effect is severe enough IMO to warrant a med severity although I initially interpreted it as a spec mismatch.
Upgraded Q -> M from #22 [1671528533640]
Judge has assessed an item in Issue 22 as M risk. The relevant finding follows: NC-2 Return values of approve not checked
Insufficient Timestamp Validation for Signed Messages
Lines of code Vulnerability details Impact A message can be signed by the oracle for any future point in time, and it will be valid for 20 minutes. If messages with invalid timestamps pointing to the future get signed, there is no way of invalidating them. A compromised or malfunctioning oracle...
setFundingPeriod leads to Price control
Lines of code Vulnerability details Impact Attacker can use two different addresses to borrow from himself at different interest rates. Proof of Concept As the papr interest rates and the papr trading price are in a constant feedback loop, interest rates are programmatically updated on chain as a...
The patch is not sufficient: there is another insidious exploit that can cause the same critical consequences
Lines of code Vulnerability details Status Has been reported to and confirmed by Jeff (ENS team) Note to the Judge I am not sure whether I should label this as a newly-identified High or a mitigation hard error. The root cause of this issue seems the same as the original report, but this requires us...
Upgraded Q -> M from #4 [1671527898955]
Judge has assessed an item in Issue 4 as M risk. The relevant finding follows: GroupBuy.contribute does not set pendingBalances for unused capital, leading to locked up money
Upgraded Q -> M from #22 [1671528877220]
Judge has assessed an item in Issue 22 as M risk. The relevant finding follows: minBidPrices is rounded down
Pair.sol has payable functions with no way of withdrawing that ether
Lines of code Vulnerability details Pair.sol has payable functions with no way of withdrawing that ether Summary Value is deposited on the contract using payable functions but later can't be taken out Impact Locked ether Proof of Concept Pair.add(uint256,uint256,uint256) Pair.buy(uint256,uint256...
Users that send funds at a price lower than the current low bid have the funds locked
Lines of code Vulnerability details If a user contributes funds after there is no more supply left, and they don't provide a price higher than the current minimum bid, they will be unable to withdraw their funds while the NFT remains unbought. Impact Ether becomes stuck until and unless the NFT i...
Invalid tokens can be added to the pair
Lines of code Vulnerability details Impact merkleRoot is a bytes32 and it is compared to bytes23(0), which makes it possible for a non-zero merkleRoot to be set in the constructor and yet still all tokens will be declared as valid Proof of Concept Tools Used Manual Audit Recommended Mitigation Steps...
Stealing liquidity provider's fund by manipulating the reserve
Lines of code Vulnerability details Impact An attacker can steal liquidity providers' funds by manipulating the reserve. When adding liquidity, the amount of lpToken to be minted is calculated in the function addQuote. function addQuote(uint256 baseTokenAmount, uint256 fractionalTokenAmoun...
Proposal can be infinitely DOSed with no additional conditions
Lines of code Vulnerability details Description OptimisticListingSeaport.sol is easily DOSable due to the following conditions: 1. A new proposal overrides the existing proposal 2. The deposited collateral can be any non-zero amount 3. Only requirement is that pricePerToken is lower than before. ...
A malicious early user/attacker can manipulate the lpToken's pricePerShare to take an unfair share of future users' deposits
Lines of code Vulnerability details Impact A well known attack vector for almost all shares based liquidity pool contracts, where an early user can manipulate the price per share and profit from late users' deposits because of the precision loss caused by the rather large value of price per share...
Not supporting fee-on-transfer token as base token
Lines of code Vulnerability details Impact In the Caviar protocol, all calculations in the functions add, remove, buy, sell are done using the token balance of the Pair contract directly. In function add, it calculates and mints LP tokens to the sender first, before transferring baseToken in. function add(uint256...
Reentrancy issue #1: Functions buy() and add() are vulnerable to reentrancy attack through tokensToSend() hook of ERC777
Lines of code Vulnerability details It is important to be aware that I have reported two reentrancy bugs. Each of these has a different way of being activated and can be found in separate functions. Impact All calculations done in Caviar Pair are using token balance directly. For example, when...
Reentrancy issue #2: Functions remove() and sell() are vulnerable to reentrancy attack if baseToken implement a call to receiver in _beforeTokenTransfer().
Lines of code Vulnerability details It is important to be aware that I have reported two reentrancy bugs. Each of these has a different way of being activated and can be found in separate functions. Impact All calculations done in Caviar Pair are using token balance directly. For example, when...
Tokens are expected to have 18 decimals but not all have them
Lines of code Vulnerability details Tokens are expected to have 18 decimals but not all have them Summary Pair doesn't consider tokens with less or more than 18 decimals Impact Tokens not compatible Proof of Concept Mitigation Don't use hardcoded 18 decimals
Possible Reentrancy Vulnerability
Lines of code Vulnerability details Impact In the add function, in case of a non-ETH base token, LP tokens are minted for the LP provider before transferring the base token from the provider to the contract. In the remove function, fractional tokens are transferred to the LP provider before burning the LP tokens. In wrap...
LP's ERC20 tokens cannot be rescued when owner closes the pair
Lines of code Vulnerability details Impact LP cannot be rescued when owner closes the pair. Aside from the NFT which can be salvaged through Pair.withdraw, the ERC20 token amounts cannot be rescued, resulting in fund loss. Proof of Concept In case of any malicious attempt to grief the protocol, t...
Attacker can steal the amount collected so far in the GroupBuy for NFT purchase.
Lines of code Vulnerability details Description purchase in GroupBuy.sol executes the purchase call for the group. After safety checks, the NFT is bought with market's execute function. Supposedly it deploys a vault which owns the NFT. The code makes sure the vault is the new owner of the NFT and...
rejectProposal/rejectActive/cancel did not update pendingBalances
Lines of code Vulnerability details Impact In the OptimisticListingSeaport contract, pendingBalances represents the number of Rae tokens sent to the contract by the user when creating the proposal, which can be withdrawn in the withdrawCollateral function. function withdrawCollateral(address vault...
User will often overpay when adding liquidity
Lines of code Vulnerability details Impact One of the assets either baseTokens or fractionalTokens will likely be overpaid when the user calls Pair.add liquidity. Proof of Concept The Pair.add function takes baseTokenAmount, fractionalTokenAmount and minLpTokenAmount as inputs. The first two...
GroupBuy does not properly refund users
Lines of code Vulnerability details Impact On a successful purchase, users can call claim on the GroupBuy contract to mint and refund. The refunded amount is userContributions - summinReservePricesqty - pendingBalances. In case of the actual purchase price minReservePrices, the difference is not...
Protocol's fractional token assumes that each NFT in a collection has the same value
Lines of code Vulnerability details Impact User can cheat the system by wrapping (getting fractional tokens) a low value NFT and unwrapping a high value NFT (selling the same fractional tokens). Pair creator might lose out. Proof of Concept Pair.wrap takes in an array of tokenIds and an array of...
GroupBuy can be drained of all ETH.
Lines of code Vulnerability details Description purchase in GroupBuy facilitates the purchasing of an NFT after enough contributions were gathered. Another report titled "Attacker can steal the amount collected so far in the GroupBuy for NFT purchase" describes a high impact bug in purchase. It ...
Pair.sol can be manipulated to affect small liquidity providers.
Lines of code Vulnerability details Impact The first minter can manipulate the supply of LP tokens and the baseToken-fractional ratio, hindering small liquidity providers from interacting with the pair. A malicious actor can mint 1 wei of LP token from a new pair, then proceed to transfer baseToken to...