No permission checks defined to endpoints
Enzyme Finance is an Ethereum-based protocol for decentralized on-chain asset management. It allows users and investors to create and invest in various funds. A fund owner configures the rules of their fund: fees and policies, the denomination asset by which share price and performance are measured, the time-lock between shares actions (buying or redeeming shares) for a given user, etc.
Whitehat setuid0 of SSLab at Georgia Tech reported a critical vulnerability in the way Enzyme Finance calculated the price of Idle tokens when buying shares. The price was calculated as totalNav / totalSupply of the tokens, and taking a flashloan from IdleTokenGovernance.sol affected the totalSupply of the Idle tokens, and therefore the calculated price. It's worth noting that the initial Idle Token integration was with v4, which did not have any flashloan logic. That logic was added later, in v5, unintentionally introducing a bug into Enzyme Finance's protocol.
Enzyme issued a payout of $90,000 to setuid0 the same week.
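The price calculation described above, modelled as an added example (not Enzyme's or Idle's code) together with one possible mitigation: a feed that rejects a spot price deviating too far from a previously checkpointed reference. The `GuardedFeed` class, the 50 bps threshold and all balances are assumptions constructed for illustration; the page does not say in which direction or by how much totalSupply moved.

```python
from dataclasses import dataclass

SCALE = 10**18   # 18-decimal fixed point, as is common in token math
BPS = 10_000     # basis points in 100%

@dataclass(frozen=True)
class PoolState:
    total_nav: int      # value held by the pool, base units
    total_supply: int   # pool tokens outstanding, base units

class PriceDeviation(Exception):
    """Spot price is too far from the checkpointed reference."""

def spot_price(state: PoolState) -> int:
    """totalNav / totalSupply, the formula named on the page."""
    if state.total_supply == 0:
        raise ValueError("totalSupply is zero, price undefined")
    return state.total_nav * SCALE // state.total_supply

def deviation_bps(price: int, reference: int) -> int:
    return abs(price - reference) * BPS // reference

class GuardedFeed:
    """Hypothetical guard: accept a spot price only near a stored reference."""
    def __init__(self, reference: int, max_dev_bps: int = 50):
        self.reference = reference
        self.max_dev_bps = max_dev_bps

    def checkpoint(self, state: PoolState) -> None:
        # Assumed to be called in an earlier, separate transaction, so a
        # value that only exists mid-transaction can never become the reference.
        self.reference = spot_price(state)

    def read(self, state: PoolState) -> int:
        price = spot_price(state)
        if deviation_bps(price, self.reference) > self.max_dev_bps:
            raise PriceDeviation(f"{deviation_bps(price, self.reference)} bps")
        return price

# Constructed sample states (not on-chain data).
SETTLED = PoolState(1_050_000 * SCALE, 1_000_000 * SCALE)
NORMAL_DRIFT = PoolState(1_050_000 * SCALE, 1_002_000 * SCALE)
# Same NAV, but totalSupply transiently changed inside one transaction.
MID_TX = PoolState(1_050_000 * SCALE, 1_400_000 * SCALE)

if __name__ == "__main__":
    feed = GuardedFeed(reference=spot_price(SETTLED))
    for name, st in [("settled", SETTLED), ("drift", NORMAL_DRIFT), ("mid-tx", MID_TX)]:
        try:
            print(name, feed.read(st))
        except PriceDeviation as exc:
            print(name, "rejected:", exc)
```

The unguarded `spot_price` returns whatever ratio exists at the moment of the call, which is why a dependency that gains flashloan logic in a later version can change the safety of an integration that was sound against the earlier one.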
DISCLAIMER: While web3rekt has used its best efforts in aggregating and maintaining this database, this web site makes no representations or warranties with respect to the accuracy or completeness of its information and data herein, and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose.
Under no circumstances shall web3rekt be liable for any loss of profit or funds, any regulatory or governmental penalties, any legal costs, or any other commercial and non-commercial damages, including but not limited to special, incidental, consequential, or other damages from any or all usage of the data and information derived from this database.