code-423n4
/
2023-09-centrifuge-findings
issues
Gas Optimizations
#802
c4-submissions
closed
1 year ago
2
Analysis
#801
c4-submissions
closed
1 year ago
2
Signature malleability in permit function
#800
c4-submissions
closed
1 year ago
3
Analysis
#799
c4-submissions
closed
1 year ago
3
`LiquidityPool.sol` doesn't respect fully EIP 4626
#798
c4-submissions
closed
1 year ago
7
Analysis
#797
c4-submissions
closed
1 year ago
2
QA Report
#796
c4-submissions
closed
1 year ago
2
transferIn() is susceptible to a front-running attack
#795
c4-submissions
closed
1 year ago
5
There is no concept of a requestDeposit, requestRedeem receipt made on the source chain, resulting in no recovery process escrowed funds in the event of bridge or Centrifuge fall.
#794
c4-submissions
closed
1 year ago
3
Analysis
#793
c4-submissions
closed
1 year ago
2
Restriction Manager does not check the source address
#792
c4-submissions
closed
1 year ago
7
Analysis
#791
c4-submissions
closed
1 year ago
2
QA Report
#790
c4-submissions
closed
1 year ago
2
Not enough valid checks in the Factory.sol
#789
c4-submissions
closed
1 year ago
3
Owners having valid permits might not be able to deposit or redeem assets/shares due to incorrect order of address validation in `_isValidSignature`
#788
c4-submissions
closed
1 year ago
6
QA Report
#787
c4-submissions
closed
1 year ago
2
Assumptions are currently made that prices would forever be positive
#786
c4-submissions
closed
1 year ago
4
Already allowed pool currency can not be removed
#785
c4-submissions
closed
1 year ago
3
QA Report
#784
c4-submissions
opened
1 year ago
2
Gas Optimizations
#783
c4-submissions
closed
1 year ago
2
Analysis
#782
c4-submissions
opened
1 year ago
2
Security Flaw in withApproval Modifier
#781
c4-submissions
closed
1 year ago
3
Contract lacks proper error handling. Without meaningful error messages, it becomes difficult to identify the exact reasons for failures or unexpected behavior. Often leading end user astray.
#780
c4-submissions
closed
1 year ago
3
The Restriction Manager does not completely implement ERC1404 which leads to accounts that are supposed to be restricted actually have access to do with their tokens as they see fit
#779
c4-submissions
opened
1 year ago
12
The price update timestamp doesn't get checked, allowing for the use of stale prices
#778
c4-submissions
closed
1 year ago
5
Unchecked Minting
#777
c4-submissions
closed
1 year ago
3
SafeTransferLib's safeApprove() does not set allowance 0 first which would lead to the escrow encountering issues when dealing with tether's USDT or tokens like it.
#776
c4-submissions
closed
1 year ago
5
Expired members can lose their tranche tokens if they call `transferTrancheTokensToCentrifuge` or `transferTrancheTokensToEVM` in `PoolManager.sol`
#775
c4-submissions
closed
1 year ago
3
previewWithdraw doesn't round up the asset amount leading to confusion when external protocols integrate with the vaults of the protocol
#774
c4-submissions
closed
1 year ago
3
User's tokens can get locked in UserEscrow.sol for an unknown duration of time... potentially forever.
#773
c4-submissions
opened
1 year ago
3
addPauser should be a two-step process in PauseAdmin.sol
#772
c4-submissions
closed
1 year ago
3
possibility of reentrancy attack when `poolManger.sol#Transfer` called with malicious recipient contract address
#771
c4-submissions
closed
1 year ago
3
QA Report
#770
c4-submissions
opened
1 year ago
2
requestDeposit and requestRedeem do not allow for any price guarantee, opening users to sandwich attacks and other losses
#769
c4-submissions
closed
1 year ago
3
QA Report
#768
c4-submissions
closed
1 year ago
2
QA Report
#767
c4-submissions
opened
1 year ago
2
Contract may consume excessive gas, potentially leading to transaction failures or expensive transactions
#766
c4-submissions
closed
1 year ago
3
QA Report
#765
c4-submissions
opened
1 year ago
2
Some Outgoing functions are not supported on the gateway
#764
c4-submissions
closed
1 year ago
3
potential overflow in max.Deposit&maxMint and max.redeem&max.withdraw
#763
c4-submissions
closed
1 year ago
4
Incorrect approval for escrow tokens, not allowing to burn on redeem
#762
c4-submissions
closed
1 year ago
7
Wards cannot intervene on liquidity pools
#761
c4-submissions
opened
1 year ago
5
permit and `_isValidSignature` would fail to validate signatures from counterfactual wallets
#760
c4-submissions
opened
1 year ago
13
lack of failsafe mechanism to replay the failed transaction between source chain and destination chain. This would lead to loss of funds to user when transaction is failed.
#759
c4-submissions
closed
1 year ago
3
`LiquidityPool.sol` is not ERC-4626 compatible at few functions
#758
c4-submissions
closed
1 year ago
5
The executeScheduledRely function in the code allows any external caller to execute it without proper access control checks. This means that anyone can make themselves a ward on a contract without authorization, which poses a security risk.
#757
c4-submissions
closed
1 year ago
3
missing invariant check _updateLiquidityPoolPrice in handleTransferTrancheTokens function
#756
c4-submissions
closed
1 year ago
1
The maxMint check should be cumulatively applied to ensure its effectiveness
#755
c4-submissions
closed
1 year ago
4
QA Report
#754
c4-submissions
closed
1 year ago
1
The current axelar router's implementation can't interact with any calls that require native tokens
#753
c4-submissions
closed
1 year ago
4