Deposits would revert

Lines of code Vulnerability details Impact When the margin asset is USDT, after the first deposit all following ones would revert allowing no more trades. Proof of Concept The handleDeposit function in Trading.sol's Trading contract is calling approve inconditionally at every deposit. The USDT...

Chainlink price feed is not sufficiently validated and can return stale price

Lines of code Vulnerability details Impact As mentioned by , "Prices provided by the oracle network are also compared to Chainlink's public price feeds for additional security. If prices have more than a 2% difference the transaction is reverted." The Chainlink price verification logic in the...

Attacker can disable contract functionality

Lines of code Vulnerability details Impact Current setup of the protocol is vulnerable to a DoS attack. This can be achieved by anyone calling initialize on the implementation VRFNFTRandomDraw contract. With the implementation contract initialized the created clones cannot be re-initialized and...

Lack of access control

Lines of code Vulnerability details The 'createReferralCode' function in the 'Referrals' contract allows any address to create a referral code. This could potentially lead to spam or misuse of the system. Impact If an attacker is able to create a large number of referral codes, they could...

Malicious ChainLink's VRF manager can decide to not whitelist VRFNFTRandomDraw or brick ongoing raffles

Lines of code Vulnerability details Impact ChainLinks VRF manager has priviledged position, as all VRFNFTRandomDraw instances share the same VRFCoordinatorV2 address, and have to be whitelisted in order to be able to send requestRandomWords function. There is centralization risk in this case, tha...

[NAZ-H1] Reentrancy From Use of _safeMint()

Lines of code Vulnerability details Impact The mint function is used to mint a new position NFT and is only callable by minter. This function uses safeMint to mint these position NFTs which has been known in the past to have Reentrancy issues. Proof of Concept The dangers of surprising code by...

IERC20.transfer does not support all ERC20 token

Lines of code Vulnerability details Impact Proof of Concept Token like USDT known for using non-standard ERC20. Missing return boolean on transfer. Contract function handleDeposit will always revert when try to transferfrom this kind of tokens. Tools Used manual review Recommended Mitigation Step...

The NFT can be transferred to the owner immediately after startDraw()

Lines of code Vulnerability details lastResortTimelockOwnerClaimNFT as the name says is used in case the winning user doesn't retrieve the won NFT token and in such case the owner can rescue the NFT from the contract. The mentioned function can be only called after a certain period is passed: if...

Use of resignOwnership can lead to stuck NFT in contract

Lines of code Vulnerability details Impact Contract OwnableUpgradeable has a resignOwnership function that, if called, can potentially cause the loss of the NFT after a draw has been started. Proof of Concept These are the steps/conditions that make this issue happen: When the owner calls...

ERC20 can be mistakenly used instead of ERC721

Lines of code Vulnerability details Impact // Attempt to transfer token into this address try IERC721EnumerableUpgradeablesettings.token.transferFrom // @audit could use ERC20 here msg.sender, addressthis, settings.tokenId catch revert TOKENNEEDSTOBEAPPROVEDTOCONTRACT; Both ERC20 and ERC721 has t...

DoS after creating 100 raffles under one subscriptionID

Lines of code Vulnerability details Impact If a user adds new consumer, function VRFCoordinatorV2::addConsumer is called: function addConsumeruint64 subId, address consumer external override onlySubOwnersubId nonReentrant // Already maxed, cannot add any more consumers. if...

_priceData.price is not verified in _limitClose

Lines of code Vulnerability details Impact In the function limitClose from the TradingExtension contract the priceData.price is not verified with the getVerifiedPrice function instead its value is directly used, and because the the getVerifiedPrice internally calls the function...

Minter privilege escalation vulnerability

Lines of code Vulnerability details Impact The contract owner could potentially abuse their privileges to manipulate the token supply and undermine the integrity of the token economy. Proof of Concept The 'setMinter' function in the contract allows the contract owner to set the minter status for...

The transferFrom() method is used instead of safeTransferFrom(), which I assume is a gas-saving measure. I however argue that this isn’t recommended because:

Lines of code Vulnerability details Vulnerability Detail OpenZeppelin’s documentation discourages the use of transferFrom; use safeTransferFrom whenever possible The recipient could have logic in the startDraw, fwinnerClaimNFT, lastResortTimelockOwnerClaimNFT, function src/VRFNFTRandomDraw.sol-18...

Users can bypass the maxWinPercent limit using a partially closing

Lines of code Vulnerability details Impact Users can bypass the maxWinPercent limit using a partial closing. As a result, users can receive more funds than their upper limit from the protocol. Proof of Concept As we can see from the documentation, there is limitation of a maximum PnL. Maximum PnL...

Owners can delay the call to startDraw to reject the draw result

Lines of code Vulnerability details Impact Owners can call lastResortTimelockOwnerClaimNFT to reclaim NFT back if settings.recoverTimelock block.timestamp // Stop the withdraw revert RECOVERYISNOTYETPOSSIBLE; ... If an owner delays the startDraw until settings.recoverTimelock, the owner can call...

The parameters in the setting of the draw are in consistent

Lines of code Vulnerability details Impact When initializing a draw, parameters in settings can be easily set to inconsistent, which can lead to the winner cannot claim the NFT even before reaching the drawBufferTime – time until a re-drawing can occur if the selected user cannot or does not clai...

GovNFT contract's owner can stop Governance NFT holders from receiving more rewards from trades' DAO fees, and such reward amounts can remain in Trading contract without belonging to anyone

Lines of code Vulnerability details Impact According to , "Profits from trading fees are paid out to Governance NFT holders in real-time...Rewards are paid out in Tigris stablecoins." However, for some legitimate reasons, such as if the corresponding Tigris stablecoin has a bug, or if the owner o...

Prize token can overlap with drawingToken and prize tokens from other draws.

Lines of code Vulnerability details Impact Creators can create multiple draws with the same prize, but only the first draw to call startDraw will have the prize. This can trick users into entering raffle pools that does not have a prize. Furthermore, the prize token can also be one of the tokens ...

Functions of Trading contract can be reentered by Position.sol#mint

Lines of code Vulnerability details Impact Both the contracts of Position and Trading may not work correctly. Proof of Concept The Position.solmint calls safeMint will trigger a checkOnERC721Received callback, which can be used to reenter. Crackers can use this vulnerability to attack the protoco...

In consistent parameters settings can break the business logic

Lines of code Vulnerability details Impact The usual business logic of the raffle should be that: If a user wins a raffle, he can always claim the NFT before a redraw can be initialized. However, the settings parameters can be set to inconsistent so that a winner may not be able to claim the NFT...

Admin can withdraw the NFT before the winner timelock ends

Lines of code Vulnerability details Impact The admin could set recoverTimelock before drawBufferTime , thus he can withdraw the NFT before the winner Draw buffer time ends. Proof of Concept The drawBufferTime need to be more then an hour and less then a month and the recoverTimelock need to be at...

The raffle could be slightly unfair as the owner of NFT ID which is closer to drawingTokenStartId could have more chance to win

Lines of code Vulnerability details Impact The raffle could be slightly unfair as the owner of NFT ID which is closer to drawingTokenStartId could have more chance to win. Proof of Concept As written in , "We want to raffle away a single NFT token based off of another NFT collection or drawingTok...

reentrancy

Lines of code Vulnerability details Impact If an attacker were able to successfully exploit a reentrancy vulnerability in this contract, they could potentially cause the contract to enter an infinite loop, consuming all available gas and rendering it unusable. This could result in financial losse...

Use safeTransferFrom instead of transferFrom for ERC721 transfers

Lines of code Vulnerability details Impact In the contract VRFNFTRandomDraw.sol every transfer of ERC721 are done with the transferFrom instead of the recommended safeTransferFrom. This transferFrom does not check whether the receiver is capable of proper handling of NFTs. Proof of Concept If the...

Draw can be configured without uncancellable-redraw mechanism

Lines of code Vulnerability details Description RandomDraw initialize contains several checks for the range of drawBufferTime and recoveryTimelock. redraw buffer time can be between 1 hour and 1 month, while recoveryTimelock is between 1 week and 1 year from now. The issue is that the relative...

integer overflow or underflow

Lines of code Vulnerability details Impact If an integer overflow or underflow occurs in the contract, it could lead to incorrect calculations and potentially unintended consequences, such as the transfer of incorrect amounts of tokens or the allocation of incorrect amounts of rewards. This could...

If the subscription does not have enough funds the winner can not be chosen

Lines of code Vulnerability details Impact VRF's subscriptionId can be chosen by the drawer, and it is the drawer's responsibility to fund the subscription. If the drawer, maliciously or not, fails to do so, the draw will result in no winners, and the drawer can re-claim the offered NFT...

Draw admin/owner can rug the winner after recoverTimelock expires.

Lines of code Vulnerability details Impact The admin/owner of VRFNFTRandomDraw can wait for recoverTimelock to expire before making the draw. This way he can use lastResortTimelockOwnerClaimNFT to take back the reward NFT from the contract without any time to allow for the winner to claim. He cou...

A compromised owner of VRFNFTRandomDraw can claim the NFT to another accomplice addresss

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. A compromised owner of VRFNFTRandomDraw can claim the NFT to another accomplice addresss Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other...

Transfering GovNFT does not update mapping userDebt

Lines of code Vulnerability details Impact Because of not updating the mapping userDebt for receiver userDebtfor on the transfer of GovNFT token, the receiver may be harmed, because of not getting collected fees. Proof of Concept Function transfer... is not updated for userDebtfor, here. Tools Us...

Pending owner can front-run current owner when current owner wants to cancel the ownership transfer.

Lines of code Vulnerability details Impact OwnableUpgradable contract has been modified to transfer ownership in a two-step ownership transfer way. This introduces an issue of front-run when admin adds a pendingOwner but later on decides to cancel the ownership transfer. Pending owner can become...

Extending period in Lock contract will block user funds

Lines of code Vulnerability details Impact Extending lock will block users' funds. Contract: Lock.sol Proof of Concept Locking tokens with function lock... will update mapping mapping totalLocked for given asset with value of amount, here: totalLockedasset += amount. However, when extending lock...

Malicious drawingToken can make bad actor claim the raffle NFT

Lines of code Vulnerability details Description Malicious drawingToken address passed into factory.makeNewDraw can claim the raffle NFT. It can be exploited via a social engineering attack or another scenario is that a malicious owner can pretend to make a raffle with a malicious drawingToken and...

Miners Can Re-Roll the VRF Output to Game the Protocol

Lines of code Vulnerability details Impact Miners are able to rewrite a chain's history if they dislike the VRF output used by the protocol. Consider the following example: A miner or well-funded user is participating in the PoolTogether protocol. A VRF request is made and fulfilled in the same...

Truncate of values can be avoided

Lines of code Vulnerability details Truncate of values can be avoided Summary Solidity integer division might truncate. As a result, performing multiplication before division can sometimes avoid loss of precision. Details In general, this is a problem due to precision. In this case, it also affec...

owner can withdraw the NFT at any time if they wait with starting the draw until after recoverTimelock

Lines of code Vulnerability details Description When creating a random draw the owner specifices a recoverTimelock which is a last resort option to recover the raffled NFT if the draw fails. There are some validations that this is between a week and a year in the future but there's no guarantee...

In case the winner is the address(0)

Lines of code Vulnerability details Impact Temporary freezing NFT this can be more than one period Proof of Concept On VRFNFTRandomDraw.fulfillRandomWords 254 request.currentChosenTokenId = 255 randomWords0 % tokenRange + 256 settings.drawingTokenStartId; In case ownerOfrequest.currentChosenToken...

The recoverTimelock does not sufficiently protect against an admin withdrawing the NFT before a user is able to claim it

Lines of code Vulnerability details Impact When a VRFNFTRandomDraw contract is initialized, the recoverTimelock variable is set. The variable should be used to prevent the admin from calling the lastResortTimelockOwnerClaimNFT function before a certain amount of time has passed to ensure that the...

Lack of Input Validation

Lines of code Vulnerability details Impact Without proper input validation, it is possible for attackers to pass malicious input to the contract, potentially causing unintended behavior or even allowing the attacker to exploit the contract. Proof of Concept an attacker could pass a negative value...

ERC20 approvals may need to be set to 0 beforehand

Lines of code Vulnerability details Impact There are some instances where there is an ERC20 approval for a max uint256 amount. ERC20 tokens such as USDT require the address allowance to be set to 0 beforehand, so this would cause reverts for those tokens. Proof of Concept -Token such as USDT gets...

Draw organizer can rig the draw to favor certain participants such as their own account.

Lines of code Vulnerability details Description In RandomDraw, the host initiates a draw using startDraw or redraw if the redraw draw expiry has passed. Actual use of Chainlink oracle is done in requestRoll: request.currentChainlinkRequestId = coordinator.requestRandomWords keyHash:...

Unreleased locks cause the reward distribution to be flawed in BondNFT

Lines of code Vulnerability details Impact After a lock has expired, it doesn't get any rewards distributed to it. But, unreleased locks cause other existing bonds to not receive the full amount of tokens either. The issue is that as long as the bond is not released, the totalShares value isn't...

Potential race condition when claiming prize

Lines of code Vulnerability details Impact To determine whether a caller has won the raffle, the hasUserWon function of the VRFNFTRandomDraw contract queries the ownerOf function of the drawingToken contract, passing the currentChosenTokenId as argument. In essence, the function is only checking...

After the redrawing the winner can lose his NFT for the Admin

Lines of code Vulnerability details Impact The owner can manipulate the raffle by deprivation of a specific address winner Proof of Concept Please copy the following POC on VRFNFTRandomDraw.t.sol function testadminRedrawingandReclaimnft public address winner = address0x1337; address winner2 =...

winnerClaimNFT() does not check if recipient can receive ERC721

Lines of code Vulnerability details Impact In src\VRFNFTRandomDraw.sol winnerClaimNFT, you should use safeTransferFrom to protect against the case that the recipient cannot receive the ERC721 tokens, and thus will lose the tokens. This is more-so the case when we expect that normal users will be...

Bad actor can burn VRFCoordinatorV2 LINK's balance

Lines of code Vulnerability details Impact All VRFNFTRandomDraw instances share the same VRFCoordinatorV2 address, and LINK fees are deducted from this smart contract. There are a couple of issues that may be exploited by malicious actor to overinflate calls to VRF and in lead to griefing, e.g. B...

Choosing a cheap gas lane may result in no winners

Lines of code Vulnerability details Impact The drawer can choose whichever gas lanekeyHash they like. Giving this choice to the drawer may result in no winners if the network is congested and the drawer chooses a cheap gas lane. Recommended Mitigation Steps Check the options of keyHashes that can...

Draw organizer can time draws so that user's have the illusion of fair random, but draw can be cancelled.

Lines of code Vulnerability details Description In RandomDraw, host can call startDraw or redraw to request a Chainlink random number, which will be used to select the winning user. They may then collect the prize NFT using winnerClaimNFT. The issue is that in the two draw functions, it is never...

User can abuse tight stop losses and high leverage to make risk free trades

Lines of code Vulnerability details Impact User can abuse how stop losses are priced to open high leverage trades with huge upside and very little downside Proof of Concept function limitClose uint id, bool tp, PriceData calldata priceData, bytes calldata signature external checkDelayid, false;...