Sherlock
Blackthorn
Mar '25
Collaborative Audit • Blackthorn • 0x37
Jan '25
Findings not publicly available for private contests.
Dec '24
high
Missing lastEventTime update in liquidate()
high
Incorrect liqIndex in sendForLiquidation function
high
Option expiry time does not work
high
odosAssembledData can be manipulated
high
Borrowers can earn more profit via manipulating the strikePrice
high
downsideProtected does not work for borrowers
high
Abond holders can lose their liquidation gain
high
Missing totalAvailableLiquidationAmount update when cds owner withdraws
high
Lack of access control for function updateDownsideProtected()
high
USDT token can be drained via manipulating the usdt/usda price
high
cds owners can withdraw more than expected via manipulating excessProfitCumulativeValue
high
Lack of lastEthPrice sync between different chains
high
Missing usdaCollectedFromCdsWithdraw update in withdrawUserWhoNotOptedForLiq
high
Incorrect usdaToTransfer calculation when cds owners withdraw
high
Incorrect deducted cds deposit amount in withdrawUser
high
Liquidated position by liquidation type 2 can be withdrawn
high
Some liquidated collateral will be locked
high
Possible failure to sync global data
medium
Borrowers can manipulate volatility to pay less option fees
medium
Borrowers will get more normalizedAmount than expected.
medium
Lack of Ether refund to users
medium
Borrowers can pay less borrow interest because of `lastEventTime` early update in _withdraw
medium
Liquidation may be reverted when LTV is high
medium
Missing lastEthprice update in depositTokens
medium
Incorrect totalVolumeOfBorrowersAmountinWei update in withdraw()
medium
Lack of transfer Ether from the treasury to borrowLiquidation
medium
Non-functional wrapper in BorrowLiquidation
medium
Incorrect margin calculation in liquidationType2
medium
Incorrect short position sizeDelta calculation
medium
sUSD will be locked in the borrowLiquidation
medium
One part of protocol profit will be locked in the treasury
medium
cds owners may fail to withdraw
medium
Lack of access control for executeSetterFunction function.
medium
Missing cds deposit amount in swapCollateralForUSDT
Nov '24
high
Auction can not work well with TaxTokensReceipt because of TaxTokensReceipt's transfer limitation
high
BuyOrder can not work well with TaxTokensReceipt
high
wantedToken NFT will be locked in buyOrder
medium
Incentivized token may be locked in the DebitaIncentive contract
medium
Lenders or borrowers may lose their expected bribe rewards
medium
Lend offer can be deleted multiple times
medium
Lend offer can be deleted multiple times
medium
Borrowers need to pay more interest than expected because of precision loss
medium
Lenders may lose some interest when borrowers extend their loan.
medium
Borrowers may fail to extend their loan in some cases.
medium
Incorrect feeOfMaxDeadline calculation in extendLoan
medium
Borrowers may fail to extend loans because of the incorrect minFEE
medium
Lenders or borrowers may fail to claim collateral after the auction is finished
medium
buyOrder can be deleted twice
Oct '24
Sep '24
high
Lack of delete `_listings[_collection][_tokenId]` in reserve
high
Incorrect index return in _createCheckpoint
high
Users may lose their ERC721 token if they unlockProtectedListing token with _withdraw = false
high
Users can sandwich rewards because of unused donateThresholdMax
high
The initial liquidity provider will lose their position
high
Incorrect compound factor calculation
high
Missing update `_isLiquidation` in relist
high
The liquidation list owner may receive some tax refund
high
Borrowers can avoid paying borrowing interest via adjustPosition
high
Users' voting token in CollectionShutdown will be locked when we cancel this shutdown flow
medium
Refund does not work in initializeCollection
medium
Fail to start one shut down flow if the collection was shut down before.
Aug '24