Fujicracy / fuji-v2
Cross-chain money market aggregator
https://fuji-v2-frontend.vercel.app
Macro findings critical high #403
Closed (0xdcota closed 1 year ago)
0xdcota commented 1 year ago
This pull request addresses Macro vulnerability findings:
| Id | Level | Description |
| --- | --- | --- |
| C-1 | CRITICAL | Incorrect overloading of _spendAllowance allows the owner to use their allowance indefinitely. |
| C-2 | CRITICAL | Using SWAP as an action, anyone can steal user's funds from Router. |
| C-3 | CRITICAL | Using the user’s router allowance, anyone can steal user’s funds. |
| C-4 | CRITICAL | Frontrunning Permit allows the user to do a different set of actions than the beneficiary intended and, in the worst case run away with funds. |
| C-5 | CRITICAL | Reentrancy allows anyone to modify beneficiary between the bundle and steal assets. |
| H-1 | HIGH | Someone can execute a Denial of Service on Fuji’s Borrowing vault. |
| H-2 | HIGH | Partial Liquidations won't be possible for vaults with the collateral asset of decimals < 18. |
| H-3 | HIGH | Setting fixed values for maxLTV and liqRatio initially exposes the vault to liquidation. |
| H-4 | HIGH | Partial Liquidations may not be possible in some cases due to check in beforeTokenTransfer. |
| H-5 | HIGH | Anyone can override the handler records. |
| H-6 | HIGH | Executor of a bundle containing _crossTransfer can execute a sandwich attack on the destination. |
| H-7 | HIGH | Incorrect handling of requesterCallData for Flashloan action inside _getBeneficiaryFromCalldata of the router. |