code-423n4/2024-02-althea-liquid-infrastructure-findings
3 stars, 1 fork
issues
Upgraded Q -> 2 from #132 [1709983798124]
#766
c4-judge
closed
8 months ago
3
Upgraded Q -> 2 from #51 [1709971279347]
#765
c4-judge
closed
8 months ago
2
Upgraded Q -> 3 from #308 [1709906778639]
#763
c4-judge
closed
8 months ago
3
Upgraded Q -> 3 from #303 [1709905914484]
#762
c4-judge
closed
8 months ago
3
Upgraded Q -> 2 from #670 [1709900942686]
#761
c4-judge
closed
8 months ago
8
Upgraded Q -> 3 from #575 [1709558704768]
#760
c4-judge
closed
8 months ago
3
Anyone can call withdrawFromManagedNFT() and deposit all tokens to the liquidInfrastructureERC20.sol
#759
c4-bot-8
closed
8 months ago
5
Use safeMint instead of mint for ERC721
#758
c4-bot-9
closed
8 months ago
5
Precision loss in calculation of entitlement
#757
c4-bot-9
closed
8 months ago
13
QA Report
#756
c4-bot-9
closed
8 months ago
3
`_withdrawBalancesTo()` - Either the owner but more likely approved `msg.sender` who didn't know any better, OR knows but is rogue, calls this internal function via the calling functions (`withdrawBalances` or `withdrawBalancesTo`) DURING an active distribution, which is not allowed, but possible here.
#755
c4-bot-8
closed
8 months ago
4
Loop can cause DoS - out of gas error
#754
c4-bot-5
closed
9 months ago
4
Reward tokens with less than 18 decimals will not be distributed due to precision loss.
#753
c4-bot-10
closed
9 months ago
5
Owner can block all withdrawals by partially removing ManagedNFTs
#752
c4-bot-5
closed
9 months ago
3
LiquidInfrastructureERC20:_afterTokenTransfer, This bug causes the loss of the original element at the last position of the array and duplicates the element at index i at the end before removing it, resulting in unintended data loss and duplication.
#751
c4-bot-5
closed
8 months ago
3
QA Report
#750
c4-bot-9
closed
9 months ago
1
zero address check
#749
c4-bot-2
closed
9 months ago
3
Malicious NFTs could be added!
#748
c4-bot-9
closed
8 months ago
5
`LiquidInfrastructureERC20::releaseManagedNFT()` - Currently the owner can release an incorrect/non-existent NFT address and not know any better because there are no error messages, it will seem successful.
#747
c4-bot-2
closed
9 months ago
4
Reentrancy in '_withdrawBalancesTo' function in LiquidInfrastructureNFT.sol enables owner of account token to withdraw available balance multiple times.
#746
c4-bot-6
closed
8 months ago
3
`addManagedNFT()` - Due to how the adding of new NFT contract instances works, can add same LI NFT contract address more than once to the `ManagedNFTs` array.
#745
c4-bot-2
closed
9 months ago
2
`LiquidInfrastructureERC20.sol::burnFromAndDistribute()` - L306: Tether (USDT)'s `approve()` function will revert if the current approval is not zero, to protect against front-running changes of approvals.
#744
c4-bot-6
closed
8 months ago
3
Malicious NFT account actors can still withdraw the contract's ERC20 balances after transferring ownership of the NFT to the LiquidInfrastructureERC20
#743
c4-bot-9
closed
8 months ago
3
Analysis
#742
c4-bot-3
opened
9 months ago
2
Malicious NFT account actors can still withdraw the contract's ERC20 balances after transferring ownership of the NFT to the LiquidInfrastructureERC20
#741
c4-bot-3
closed
9 months ago
1
It appears that `mint()`, `burn()` and `burnFrom()` will be executed DURING the minimum distribution period if distribution is not completed yet and any of the following functions are called: `mintAndDistribute()`, `burnAndDistribute()`, `burnFromAndDistribute()`.
#740
c4-bot-3
closed
8 months ago
3
The `if (_isPastMinDistributionPeriod())` check will prevent the distribution from completing before `mint()`/`burn()`/`burnFrom()` is called in the case where `distribute()` was called directly but not enough times to complete the distribution.
#739
c4-bot-3
closed
8 months ago
3
User will get no rewards if liquidInfrastructureERC20 native balance is greater than its balance of the distribution token
#738
c4-bot-5
closed
9 months ago
6
Wrong implementation of releaseManagedNFT
#737
c4-bot-8
closed
9 months ago
2
`LiquidInfrastructureERC20::_beginDistribution()` - L242: It seems `balance / supply` will round down to zero every time due to the fact that `balance` is always smaller than `supply`, and there seems to be nothing in place to handle this risk.
#736
c4-bot-4
closed
9 months ago
6
`Owner` can make changes in `distributableERC20s` while distribution is running
#735
c4-bot-5
closed
9 months ago
3
`LiquidInfrastructureERC20::distribute()` - L195: Should use a `safeTransfer()` along with a require check instead due to the use of ERC20 `transfer()` which doesn't guarantee a boolean return value, therefore default `false` would skip the logic of this `if` statement, which would result in inaccurate values for the `receipts` array.
#734
c4-bot-8
closed
9 months ago
3
QA Report
#733
c4-bot-8
closed
8 months ago
3
`LiquidInfrastructureERC20::distribute()` - Should have checks to ensure zero values for `entitlement` and/or `this.balanceOf(recipient)` are not processed, to rather skip over these cases via use of `continue;` and `break;` respectively.
#732
c4-bot-8
closed
8 months ago
3
`LiquidInfrastructureERC20::mint()` - Combined with the fact that owner can make himself a holder, the fact that owner can mint as many LI ERC20 tokens as he wants to himself, enables a vulnerability where he can game the system and during distributions get the biggest share of the rewards, effectively taking rewards that belong to other holders, due to his unfair advantage in terms of total tokens held.
#731
c4-bot-10
closed
8 months ago
3
Analysis
#730
c4-bot-5
closed
8 months ago
3
Unbounded holders loop in `_afterTokenTransfer` leading to disruption of token operations
#729
c4-bot-10
closed
8 months ago
12
`LiquidInfrastructureERC20::distributeToAllHolders()` - Gas griefing combo DoS attack vector: Due to lack of access control and/or lack of throttling/frequency-limiting mechanisms, an attacker can repeatedly call this function manually or via mempool bots and DoS contract/protocol functionality.
#728
c4-bot-10
closed
8 months ago
3
Potential DoS in minting
#727
c4-bot-5
closed
9 months ago
6
`LiquidInfrastructureERC20::_isPastMinDistributionPeriod()` - L220: should use `>` and not `>=`.
#726
c4-bot-5
closed
8 months ago
3
Anyone can call burnAndDistribute
#725
c4-bot-5
closed
9 months ago
3
Holders unable to claim accurate revenue
#724
c4-bot-10
closed
8 months ago
16
Gas Optimizations
#723
c4-bot-10
opened
9 months ago
5
Gas Optimizations
#722
c4-bot-8
opened
9 months ago
4
QA Report
#721
c4-bot-8
opened
9 months ago
5
Calculation of entitlement is incorrect
#720
c4-bot-8
closed
8 months ago
7
Check return value of transferFrom.
#719
c4-bot-1
closed
9 months ago
2
Gas Optimizations
#718
c4-bot-9
closed
9 months ago
1
QA Report
#717
c4-bot-2
closed
9 months ago
1
Analysis
#716
c4-bot-10
closed
8 months ago
2