findings

AVS

October 28, 2024

Build secure Uniswap V4 Hooks in AVS

In recent months, both Uniswap V4 and EigenLayer’s Actively Validated Services (AVS) have gained significant attention – not without reason. Uniswap V4 introduced a […]

Paweł Kuryłowicz

Managing Partner & Smart Contract Security Auditor

Renzo – Inability to deposit funds due to incorrect filling the withdraw buffer

Under specific conditions, user deposits will always revert. Vulnerability Details When a user deposits funds through RestakeManager, the function checks the withdraw buffer and […]

Paweł Kuryłowicz

Managing Partner & Smart Contract Security Auditor

Renzo – Enabling stETH deposits causes miscalculations and permanent losses for users as rebase tokens are not supported

Loss of capital of users who withdraw stETH. Their LST rewards will be miscalculated. Vulnerability Details The general questions section in the readme.md states […]

Paweł Kuryłowicz

Managing Partner & Smart Contract Security Auditor

Renzo – users will suffer from other projects LST price fluctuations

Holders of wBETH and other tokens that will be accepted by Renzo can compensate for their losses resulting from price drop (e.g. slashing) using […]

Paweł Kuryłowicz

Managing Partner & Smart Contract Security Auditor

Mento – Voting power remains despite withdrawal

Full withdrawals do not decrease user voting power when the Locking contract is stopped. Vulnerability Details Under specific conditions, the owner may stop the […]

Paweł Kuryłowicz

Managing Partner & Smart Contract Security Auditor

Tapioca – OFT can be impersonated through _lzCompose with multiple compose messages

This vulnerability allows anyone to make a cross-chain calls with multiple compose messages, and execute the messages (all except the first one) as the […]

Paweł Kuryłowicz

Managing Partner & Smart Contract Security Auditor

Tapioca – Nesting remote transfer messages to steal tokens

The user can use a nested MSG_REMOTE_TRANSFER message in a valid MSG_REMOTE_TRANSFER to execute back the remote transfer as the owner of tokens (stealing […]

Paweł Kuryłowicz

Managing Partner & Smart Contract Security Auditor

Tapioca – Unprotected executeModule function allows to steal the tokens

The executeModule function allows anyone to execute any module with any params. That allows attacker to execute operations on behalf of other users. Vulnerability […]

Paweł Kuryłowicz

Managing Partner & Smart Contract Security Auditor

Tapioca – Unverified _srcChainSender parameter allows to impersonate the sender

The function executes modules depending on the _msgType parameter and some of them do not accept the _srcChainSender parameter. Vulnerability Details The _toeComposeReceiver function is called […]

Paweł Kuryłowicz

Managing Partner & Smart Contract Security Auditor

Ethena – SOFT_RESTRICTED_STAKER_ROLE can withdraw stUSDe for USDe

When a holder has the SOFT_RESTRICTED_STAKER_ROLE, they can exchange theirstUSDe for USDe using StakedUSDeV2 despite the protocol requirement. Vulnerability Details The Ethena readme has […]

Paweł Kuryłowicz

Managing Partner & Smart Contract Security Auditor

Join the newsletter now

Please wait...

Thank you for sign up!

Let us help

Get throughly tested by the creators of Smart Contract Security Verification Standard

Request audit