depositAndTrade function is incomplete & does not use returnValue of UniswapV3 router

Lines of code Vulnerability details Impact depositAndTrade function seems to be incomplete - the tokenOutput from swapRouter is currently owned by DepositTradeHelper account and needs to be transferred back to msg.sender who initiated this transaction. Since this contract doesn't seem to be part ...

position's wrong profit and loss or incorrect distribution of funds in contract PrePoMarket because it doesn't consider expiryTime for setting the value of finalLongPayout and calculating redeem amounts based on positions and Markets never expire

Lines of code Vulnerability details Impact according to the docs: "The expiry date of the market. If a market has not settled by its expiry date, it will automatically settle at the lower bound of its Valuation Range." but Contract PrePOMarket doesn't consider expiryTime in its logic and...

Missing modifiers in the functions of several parent contracts

Lines of code Vulnerability details Impact The value can be set by everyone Proof of Concept All these functions can be overridden by the child contracts. If all these functions are called from the child contracts, there are modifiers restricting everyone to call the functions. However, all these...

Misconfigured or malicious MANAGER Can drain, lose or steal ALL of the collateral.

Lines of code Vulnerability details Impact Collateral.sol allows withdrawal of funds to an arbitrary manager account. There are no inherent limitation to: 1. identity of manager address 2. withdrawable amount Details of 1. : manager setter is access controlled still may be misconfigured or a...

Attacker can make any function that relies on _satisfiesScoreRequirement reverts

Lines of code Vulnerability details Impact The NFTScoreRequirement contract have a function that checks the user score which diff it with the requiredScore variable, if it's higher then the function will continues, however the function that sets the requiredScore variable is made public with no...

Permanent freeze of yield when TokenSender rewards bank is depleted and deposit or withdraw is called.

Lines of code Vulnerability details Description In collateral deposit and withdraw flow, a fee is calculated as a percentage of user's requested amount. It is passed to the DepositHook and WithdrawHook, for example in deposit: uint256 amountAfterFee = amount - fee; if addressdepositHook != addres...

Unsafe usage of ERC20 methods

Lines of code Vulnerability details There are many weird ERC20 tokens that don't follow the standard ERC20 interface. Depending on the ERC20 token, some transfer errors may result in passing unnoticed, or some successful transfers may be treated as failed. The current implementation assumes that...

Admin can call claim fee multiple times with no restriction

Lines of code Vulnerability details Impact Admin can call claim fee multiple times to drain the fund in the pool Proof of Concept Admin can perform certain actions in the Pool.sol function adminActionuint256 action, uint16 val, address recipient external checkReentrancytrue, true; // reentrancy...

A finding that cannot be disclosed at the moment

Lines of code Vulnerability details This finding couldn't be disclosed at the time when the contest was running. After consulting with CloudEllie, it was decided to create a stub report so the finding could be submitted after the contest is over. A checksum of the report:...

TWA Price should be updated in addLiquidity, removeLiqudity and swap and migrateBinsUpStack and transferLiquidity

Lines of code Vulnerability details Impact TWA Price should be updated in addLiquidity, removeLiqudity and swap and transferLiquidity Proof of Concept I want to quote from the documentation: In Maverick, the AMM smart contract tracks the time-weighted average price TWAP with a configurable lookba...

User may be blocked from market withdrawal for extended period of time

Lines of code Vulnerability details Impact WithdrawalHook::lastUserPeriodReset is global for all users, which means that each time that lastUserPeriodReset + userPeriodLength it'is able to block user from withdrawal', async = let previousResetTimestamp = await getLastTimestampethers.provider //...

In WithdrawHook.hook(), withdraw limits can be bypassed.

Lines of code Vulnerability details Impact In WithdrawHook.hook, withdraw limits can be bypassed. As a result, users might withdraw more amount of the base token at a time than they should. Proof of Concept WithdrawHook.hook checks the withdraw limits like below. if lastGlobalPeriodReset +...

PrePOMarket.redeem() business logic may raise users' concerns of their assets

Lines of code Vulnerability details Impact When a user tries to redeem assets, current business logic may fail and pop the error msg fee = 0 repeatedly. Users may not understand what's happening behind, thus raise concers about the safety of their assets since it looks like their assets are out o...

WithdrawHook.hook doesn't validate amount when lastUserPeriodReset + userPeriodLength < block.timestamp

Lines of code Vulnerability details Impact WithdrawHook.hook doesn't validate amount when lastUserPeriodReset + userPeriodLength block.timestamp. As result user can withdraw more than he is allowed. Proof of Concept Function WithdrawHook.hook should not allow users to withdraw more than is allowe...

Permit should not approve type(uint256).max

Lines of code Vulnerability details Impact The design of permits should not be allowed to approve typeuint256.max. If not, depositAndTrade can be called many times until the allowance value becomes 0. Proof of Concept We should only allow baseTokenAmount only for baseToken and...

PrePOMarket.sol : a sender who is not included in the account list can front run and mint prior to setting the _mintHook

Lines of code Vulnerability details Impact a sender who is not included in the account list can front run and mint prior to setting the mintHook. Proof of Concept The contract says, Minting will only be done by the team, and thus relies on the mintHook to enforce access controls. This is also why...

Pool cannot recover from the emergency mode

Lines of code Vulnerability details Impact Pool cannot recover from the emergency mode. If the admin turn on the emergency mode, the user cannot swap or addLiqudity in the pool any more. Proof of Concept In the Pool Contract, the admin factory owner can set the status of the pool to ermergency:...

userToDeposits is always increasing, can eventually reach cap

Lines of code Vulnerability details Impact In contract DepositRecord when a deposit is recorded through function recordDeposit: function recordDepositaddress sender, uint256 amount external override onlyAllowedHooks requireamount + globalNetDepositAmount amount globalNetDepositAmount -= amount;...

Changes not being stored in Delta.sol

Lines of code Vulnerability details Changes not being stored in Delta.sol Impact Functions working without proper storage dealing into unexpected behaviors Proof of Concept function combineInstance memory self, Instance memory delta internal pure if !self.skipCombine self.deltaInBinInternal +=...

Attacker can make anyone as allowedMsgSender

Lines of code Vulnerability details Impact The contract AllowedMsgSenders have a role allowedMsgSender, and the function to set that role is made public with no access control allowing the attacker to set anyone and escalate his privileges to that role Proof of Concept truffle console --networkId...

Access control for hook function in RedeemHook Contract is inconsistent with the implementation.

Lines of code Vulnerability details Impact Access control for hook function in RedeemHook Contract is inconsistent with the implementation. Since the function involves a transfer of fees to Treasury, I've marked it as MEDIUM RISK RedeemHook checks if sender is in a list of pre-approved accounts i...

limits are not correctly enforced in withdrawHook contract

Lines of code Vulnerability details Impact withdrawHook contract checks that inside a specified length of time only certain amount of withdrawal are possible per user and globally. But on every period reset the allowed withdraw limit check is missing. And a user can withdraw more that is allowed...

Lack of access control for sweepToken, refundETH, unwrapWETH9 in Router.sol

Lines of code Vulnerability details Impact Lack of access control for sweepToken, refundETH, unwrapWETH9 in Router.sol, any WETH token, ETH and ERC20 sent to Router.sol is lost and claimable to anyone. Proof of Concept the function unwrapWETH9 and sweepToken and refundETH has no access control an...

user can loose ETH when using Router::multicall

Lines of code Vulnerability details Impact When using Router multicall function user must not forgot to append to the multicall data array calls for unwrapWETH9 or refundETH. If the user forgets to do this a MEV bot can see the missed tokens and take them out because anyone can call the mentioned...

POSSIBLE FRONTRUNNING ATTACK ON MINTING LONG/SHORT POSITIONS

Lines of code Vulnerability details Impact createMarket function in PrePOMarketFactory.sol contract creates a new PrePOMarket contract. Salt is used for creating the contract which is computed from createPairTokens function. Variables passed to this function are visible from anyone they are input...

unsafe transfer/TransferFrom breaks functionality of Collateral.sol

Lines of code Vulnerability details Description The ERC20 specification does not demand implementations to revert when the transfer and transferFrom functions fail. They may use the return value to signal the success code. Some tokens, like ZRX, indeed don't revert. In Collateral deposit and...

[NAZ-M2] Usage of send() Can Result In Revert

Lines of code Vulnerability details Impact Several functions are sendusing is used by the across several functions to transfer ETH/WETH. send uses a fixed amount of gas, which was used to prevent reentrancy. However this limit your protocol to interact with others contracts that need more than th...

WithdrawHook doesn't check that userWithdrawLimitPerPeriod is less than globalWithdrawLimitPerPeriod

Lines of code Vulnerability details Impact WithdrawHook doesn't check that userWithdrawLimitPerPeriod is less than globalWithdrawLimitPerPeriod. It allows to user withdraw more then globalWithdrawLimitPerPeriod per period. Proof of Concept Function WithdrawHook.hook should not allow to withdraw...

exactInput allows stealing of funds via a malicious pool contract

Lines of code Vulnerability details Impact Users can lose funds during swapping. Proof of Concept The Router contract is a higher level contract that will be used by the majority of the users. The contract implements the exactInput functions that users call to perform multiple swaps in a single...

Upgraded Q -> M from #34 [1670783427149]

Judge has assessed an item in Issue 34 as M risk. The relevant finding follows: Selfdestruct is prone to being changed in a future hard fork --- The text was updated successfully, but these errors were encountered: All reactions...

Pool: The EMERGENCY state cannot be recovered

Lines of code Vulnerability details Impact The owner can call Pool.adminAction to set the Pool contract state to EMERGENCY, and in the EMERGENCY state, no liquidity can be added or transferred, and no swaps can be made. However, the Pool contract does not have a function to recover the EMERGENCY...

Upgraded Q -> M from #268 [1670783513081]

Judge has assessed an item in Issue 268 as M risk. The relevant finding follows: Use of selfdestruct in FixedPrice.sol and OpenEdition.sol --- The text was updated successfully, but these errors were encountered: All reactions...

Upgraded Q -> M from #506 [1670783534926]

Judge has assessed an item in Issue 506 as M risk. The relevant finding follows: selfDestruct will probably be deactivated soon --- The text was updated successfully, but these errors were encountered: All reactions...

Upgraded Q -> M from #81 [1670783437328]

Judge has assessed an item in Issue 81 as M risk. The relevant finding follows: After carefully reading all submissions related to the use of selfdestruct, I will change my stance on this kind of issue. Changing the severity back to Medium. --- The text was updated successfully, but these errors...

Re-entrancy issue when executing safeTransfer in sweepToken function

Lines of code Vulnerability details Impact In the sweepToken function, we don't have a re-Entrancy check which will introduce the token lost by calling sweepToken multiple times during one request. Proof of Concept We don't have any check for the token and the token itself may call back into the...

Value can be extracted from LPs

Lines of code Vulnerability details Impact Maverick allow liquidity to be moved based on TWAP to increase capital efficiency. However, the increased capital efficiency is not free. Consider a "right" move, the LP sell at lower price and move their liquidity to higher price, thus buying at higher...

The buy() function on Last Price Dutch Auction Sale doesn't check if auction ended, may lead to user loss asset

Lines of code Vulnerability details Impact The buy function on Last Price Dutch Auction Sale doesn't check if auction is ended, may lead to user loss asset if user call with amount 0 with msg.value 0 Proof of Concept Ideally if the max id finalId is reached, then the auction will end, so no user...

Rewards are not accounted for properly in NTokenApeStaking contracts, limiting user's collateral.

Lines of code Vulnerability details Description ApeStakingLogic.sol implements the logic for staking ape coins through the NTokenApeStaking NFT. getTokenIdStakingAmount is an important function which returns the entire stake amount mapping for a specific BAYC / MAYC NFT. function...

underflow in the getPrice() function can block the buy and refund in the LPDA sale

Lines of code Vulnerability details Impact In the LPDA sale the price decrease in values after each second, and when creating the sale the value of the lowest price possible is not checked, so the price could go below zero at a given timestamp which will lead to an underflow in the getPrice...

LPDA.sol and FixedPrice.sol will lock the funds forever

Lines of code Vulnerability details Impact Possibility of IDs collision The ether will be locked on FixedPrice or LPDA Proof of Concept On the same Escher721 Let’s say the first collection start from id = 0 and end on id = 10 So the next collection of the same Escher721 We can say the next part o...

Unsafe casting from uint256 to uint8 cause wrong index of asset and feeder in NFTFloorOracle

Lines of code Vulnerability details Impact In NFTFloorPrice, it has a set of feeders and a set of assets. Feeders will set price for assets. Of coursers, with the growing NFT space, number of assets collection could be much more than 256 and because Paraspace uses median price from keepers so...

finalise() lacks authenticate calls to this method as anyone can access it.

Lines of code Vulnerability details Impact Unprotected call to a function sending Ether to an arbitrary address. This can be exploited by attackers . Proof of Concept function finalize public Sale memory temp = sale; requireblock.number = temp.endTime, "TOO SOON";...

Dutch auction getPrice() formula can lead to price reaching 0 and eventually reverting and locking the function.

Lines of code Vulnerability details Impact In the function getPrice the current price is calculated by taking the start price and subtracting the product of dropPersecond and time elapsed. start price - dropPreSecond timeElapsed. The issue with this is that given the right inputs for dropPerSecon...

saleReceiver and feeReceiver can steal refunds after sale has ended

Lines of code Vulnerability details First, lets go over how a buy happens. A buyer can buy NFTs at a higher price and then once the auction ends they can use refund to return the over payments. The effect is that they bought the NFTs at the lowest price Lowest Price Dutch Auction. Now, let's move...

User can pass auction recovery health check easily with flashloan

Lines of code Vulnerability details Description ParaSpace features an auction mechanism to liquidate user's NFT holdings and receive fair value. User has the option, before liquidation actually happens but after auction started, to top up their account to above recovery factor 1.5 instead of 1 an...

Malicious feeReceiver or saleReceiver can steal the user's refund ETH by calling the buy function multiple times in LPDA

Lines of code Vulnerability details Impact In the LPDA contract, the fee is transfered to feeReceiver and the totalSale to saleReceiver when newId == temp.finalId, meaning that the amount of tokens that were minted has been reached. However, the call to the internal end function only emits an eve...

MarketplaceLogic.sol doesn't support ERC20 Tokens with fee on transfer

Lines of code Vulnerability details MarketplaceLogic.sol doesn't support ERC20 Tokens with fee on transfer Summary There are ERC20 tokens with transfer at fees. For checking if the transferred amount is the same as expected, code already compares balanceOf before and balanceOf after transfer...

PoolApeStaking#withdrawApeCoin compares health factor to incorrect value and allows user to take out large loans that expected

Lines of code Vulnerability details Impact BAYC, MAYC and BAKC can be leveraged past max LTV and up to the liquidation factor Proof of Concept function withdrawApeCoin address nftAsset, ApeCoinStaking.SingleNft calldata nfts external nonReentrant DataTypes.PoolStorage storage ps = poolStorage;...

overflow in buy function

Lines of code Vulnerability details Impact the function doesn't check if the input is more the supply Proof of Concept the function doesn't have any condition check of amount Tools Used manually Recommended Mitigation Steps check the input for maximum or requirement for max supply --- The text wa...

transfer is used on address payable

Lines of code Vulnerability details Proof of Concept The codebase makes heavy use of the deprecated transfer function of address payable. Its will inevitably make the transaction fail when: 1. The receiver smart contract does not implement a payable function. 2. The receiver smart contract does...