Oct '24
2 medium findings
Sep '24
1 high finding
Aug '24
4 high findings, 23 medium findings
Jul '24
Jun '24
10 high findings, 2 medium findings
12,998.29 USDC • 8 total findings • Sherlock • J4X_
medium
Attacker can freeze users' first rewards
medium
Un-bonding will lead to staked tokens getting stuck
medium
Rewards will get stuck if `withdrawaddrenabled` is set to false on the target chain
medium
Changes of the `UnbondingTime` are not accounted for
medium
Slashing allows users to bypass the lockup period of vestings
medium
Slashing of Unbondings is not accounted for and can lead to DOS of withdrawals
medium
Staked tokens will get stuck after claim
medium
Batch creation will break if vestings are opened to recipients
May '24
1 high finding, 4 medium findings
Feb '24
3 high findings, 7 medium findings
medium
Malicious liquidity provider can put pool into highly manipulatable state
medium
Users can make the EMA-Oracle price outdated with direct transfers to StableSwap
medium
A huge loss of funds for all users who try to remove liquidity after swapping gets disabled at a manipulated price
medium
Missing hook call will lead to incorrect oracle results
medium
Storage can be bloated with low value liquidity positions
medium
[M02] Complete liquidity removals fail from stableswap pools
medium
[M09] No slippage check in `remove_liquidity` function in omnipool can lead to slippage losses during liquidity withdrawal.
Jan '24
high
User can evade liquidation by depositing the minimum amount of tokens and gain time before being liquidated
high
The use of spot price by CoreSaltyFeed can lead to price manipulation and undesired liquidations
high
First Liquidity provider can claim all initial pool rewards
medium
The user who withdraws liquidity from a particular pool is able to claim more rewards than they duly deserve by carefully selecting a `decreaseShareAmount` value such that the `virtualRewardsToRemove` is rounded down to zero
medium
Chainlink price feed uses BTC, not WBTC. In case of depegging, oracles will become easier to manipulate.
medium
DOS of proposals by abusing ballot names without important parameters
medium
SALT staker can get extra voting power by simply unstaking their xSALT
medium
Remove Liquidity is missing the reserve1 DUST check, which can make reserve1 less than DUST
medium
Impossible to change managed wallets with `proposeWallets` after first rejection
medium
Reusing a SALT that has already been used for voting can allow a malicious proposal to pass and compromise the protocol.
medium
If there is only one USDS borrower, he can never be liquidated
medium
Creation of token whitelisting proposals can be DOS'd
Nov '23
2 medium findings
Oct '23
Sep '23
medium
Investors claiming their maxDeposit via LiquidityPool.deposit() will prevent other users from claiming their maxDeposit/maxMint
medium
The Restriction Manager does not completely implement ERC1404, which lets accounts that are supposed to be restricted use their tokens as they see fit