Sherlock
Code4rena
Nov '24
Sep '24
Aug '24
Jun '24
May '24
high
The `PortfolioVault` could be drained
medium
The keeper will suffer continuing losses due to missing compensation for L1 rollup fees
medium
Missing compensation for the `21,000` intrinsic gas cost
medium
A significant `105,983` gas cost of `processExecutionFee()` execution is not accounted for in the keeper's compensation
medium
Call of `revokeAllRole()` would fail silently
Apr '24
high
`depositReward()` with zero amount to get reward tokens stuck in `ZivoeRewards` contracts
high
`_totalSupply` and `_totalSupplyCheckpoints` are wrongly updated while `revokeVestingSchedule()`
high
Users' votes are not correctly removed while `revokeVestingSchedule()`
medium
Users can't `getRewards()` if any one of reward tokens is paused
Mar '24
Feb '24
Jan '24
high
When borrowers repay USDS, it is sent to the wrong address, allowing anyone to burn Protocol Owned Liquidity and build bad debt for USDS
high
User can evade `liquidation` by depositing the minimum of tokens and gain time to not be liquidated
medium
Unwhitelisting does not clear _arbitrageProfits, so re-whitelisting may result in an unfair distribution of liquidity rewards.
high
Whitelisted accounts can be forcefully DoSed from buying curveTokens during the presale
high
Attack to make `CurveSubject` to be a `HoneyPot`
high
Unauthorized Access to setCurves Function
medium
Single token purchase restriction on curve creation enables sniping
medium
onBalanceChange causes previously unclaimed rewards to be cleared
medium
If a user sets their curve token symbol as the default one plus the next token counter instance it will render the whole default naming functionality obsolete
Dec '23
Nov '23
Sep '23
high
The `Anchor` contract is broken entirely and any funds sent to it would be locked forever
medium
Wrongly updating `voiceCreditsCastToRecipient` in `_qv_allocate()` of `QVBaseStrategy` contract
medium
`_registerRecipient()` of `RFPSimpleStrategy` always reverts while `useRegistryAnchor` enabled
medium
`_distribute()` of `RFPSimpleStrategy` would revert with `NOT_ENOUGH_FUNDS()` even if there is enough `poolAmount` remaining
Aug '23
Jul '23
May '23
Apr '23
Mar '23
Feb '23
high
`userRewardDebts` is wrongly updated while `_claimInternalRewards()` and `_claimExternalRewards()`
high
`cachedUserRewards` has never been cleared
high
Flashloan attack to get lots of OHM at very low cost
medium
Users may be unable to claim rewards due to removal of reward token
Jan '23
Dec '22
high
Bypass the maximum PnL check to take extra profit
high
Incorrect calculation of new price while adding position
high
reentrancy attack during mint() function in Position contract which can lead to removing of the other user's limit orders or stealing contract funds because initId is set low value
high
Not enough margin pulled or burned from user when adding to a position
medium
Bypass the delay security check to win risk free funds
medium
Trading will not work on ethereum if USDT is used
medium
`executeLimitOrder()` modifies open-interest with a wrong position value
medium
Governance NFT holder, whose NFT was minted before `Trading._handleOpenFees` function is called, can lose deserved rewards after `Trading._handleOpenFees` function is called
Nov '22
Oct '22