Balancer v3

Findings · 21

1. 1 Lack of approval reset on buffer allows anyone to drain the Vault High
2. 2 Lack of reserve updates when collecting fees allows anyone to drain the Vault High
3. 3 Quote functions should not be payable Informational
4. 4 Pool registration and initialization can be front-run Low
5. 5 Buffer total supply can be reset Informational
6. 6 Vault can be drained by updating the buffer underlying token High
7. 7 Yield fees collected when exiting recovery mode will be lost Medium
8. 8 Risks with non-standard token implementations Informational
9. 9 Buffer can consider it has liquidity when it has none Informational
10. 10 Dynamic swap fee is not limited to 100% Informational
11. 11 Lack of slippage protection on liquidity buffer increase Low
12. 12 Reentrancy on pool initialization allows users to re-initialize pools Undetermined
13. 13 Insufficient event generation Informational
14. 14 Buffer _CONVERT_FACTOR can be avoided by providing unbalanced liquidity Low
15. 15 Buffer wrap and unwrap queries return incorrect results Informational
16. 16 Providing unbalanced liquidity to a buffer can mint more shares due to rounding Informational
17. 17 Permit signatures can be front-run to execute a temporary denial-of-service attack Low
18. 18 permitBatchAndCall will revert when non-payable functions are called with value Informational
19. 19 BalancerPoolToken permit signatures cannot be revoked Informational
20. 20 Single token liquidity provision and removal will not work on tokens that revert on zero value transfers Low
21. 21 The swap functions allows zero amountIn to be provided Undetermined

Findings extracted from the published report PDF. See the full report below for details and remediation.