Payouts
1st Places
2nd Places
3rd Places
All
Sherlock
Code4rena
Cantina
Feb '25
Jan '25
high
In the create() and redeem() functions, the lastFeeClaimTime is not updated, which leads to incorrect fee calculations.
high
The joinBalancerPool() function does not return the remaining assets to the user.
medium
bid() will result in a denial of service (DoS) attack if the bidder address is on the blacklist.
medium
In the joinBalancerAndPredeposit() function, the remaining Balancer Pool Tokens are not returned to the user.
medium
It is possible to manipulate the price of the BondToken by constructing a dexPool.
Findings not publicly available for private contests.
Dec '24
high
Using LayerZero for synchronizing global states between two chains may lead to overwriting of global states.
high
In redeemUSDT(), users can arbitrarily set the price parameters.
high
In the liquidate() function, the remaining gas fee should be allocated to the caller (admin) instead of the user.
medium
The position of calculateCumulativeRate in the depositTokens() and withDraw() functions is incorrect.
Nov '24
Oct '24
Sep '24
high
high
There is a logical error inside the ProtectedListings::adjustPosition() function, which could lead to manipulation of users’ interest.
high
There is a calculation error inside the calculateCompoundedFactor() function, causing users to overpay interest.
high
The relist() function lacks a check on listing.created, which allows borrowing money from the listing without incurring interest.
high
Due to the delay in converting token1 fees into token0 (WETH) fees in beforeSwap(), an attacker can execute a sandwich attack to gain risk-free profits.
high
InfernalRiftBelow.thresholdCross verify the wrong msg.sender
high
InfernalRiftBelow.claimRoyalties no verification msg.sender
high
Users with more than 50% of the voting rights can steal other users' tokens.
high
The shutdown can still be canceled after execute, causing users to fail to claim tokens.
high
The tokens (collectionTokens and WETH) used for initializeCollection() to create a liquidity position are permanently locked in Uniswap V4.
medium
The fee set by the setFee() function will not take effect.
medium
The unused tokens from the user’s initialization of UniswapV4‘s pool will be locked in the UniswapImplementation contract.
medium
There is a logical error in the removeFeeExemption() function.
medium
There is a calculation error inside the modifyListings() function.
medium
There is a logical error in the _distributeFees() function, resulting in an unfair distribution of fees.
medium
An attacker can block the execution of CollectionShutdown.execute
medium
In the unlockProtectedListing() function, the interest that was supposed to be distributed to LP holders was instead burned.
medium
Malicious users can exploit createListings() and liquidateProtectedListing() functions in the ProtectedListings contract to replace Listings::createListings() in order to evade paying the tax fee.”
Aug '24
high
high
medium
medium
medium
medium
medium
The liquidate() function requires that after liquidation, the position must be in a healthy state. This may result in certain positions never being liquidated if they cannot reach a healthy state, potentially leaving them in limbo.
medium
The getValueInEth function should include a price refresh mechanism to prevent outdated prices from causing financial losses for users.
medium
The liquidationFee should be applied to the profit from the liquidation, rather than to all the assets obtained by the liquidator.
medium
Using forceApprove instead of approve
medium
The issue regarding the missing pause functionality has not been resolved.
Jul '24
high
There is a calculation error in AuraVault::redeem().
high
AuraVault inherits AccessControl BUT does not call the _setupRole() function in it's constructor to set the initial roles, this leads to a complete DOS of the important claim function rendering the contract unable to claim rewards
high
`Flashlender.sol#flashLoan()` should use `mintProfit()` to mint fees. The current implemetation may lead to locked up WETH in PoolV3.
medium
Discrepency b/w the `lastRewadTime` and the `lastAllPoolUpdate` can allow for incorrect reward distribution to pools if `registerRewardDeposit` deposits less assets
medium
The debt in EligibilityDataProvider::requiredUsdValue() needs to be converted into USD; otherwise, it is not a correct value comparison.
medium
In `PositionActionPendle::_onDecreaseLever`, `tokenOut` is implemented incorrectly.
medium
Because of the Asset:Share 1:1 Conversion, if Vault Incur a Loss, the Last User to Withdraw Will Take The Entire Loss
medium
In CDPVault::liquidatePositionBadDebt(), the calculation of `loss` is incorrect.
medium
PositionAction.decreaseLever() fails to consider the loan fee in Flashlender when calculating loanAmount, as a result, the functionanlity will not work when protocolFee != 0.
medium
Malicious actor can abuse the minimum shares check in `StakingLPEth` and cause DoS or locked funds for the last user that withdraws
medium
`PositionAction.sol#onCreditFlashLoan` may have leftover tokens after conducting `leverParams.auxSwap`.
high
AuraVault inherits AccessControl BUT does not call the _setupRole() function in it's constructor to set the initial roles, this leads to a complete DOS of the important claim function rendering the contract unable to claim rewards
medium
Malicious actor can abuse the minimum shares check in `StakingLPEth` and cause DoS or locked funds for the last user that withdraws
Jun '24
high
Malicious Reputer cause emissions/msgserver/InsertBulkReputerPayload to fail
high
RemoveDelegateStake/RemoveStake can write negative value
high
InsertBulkReputerPayload can be DoS
high
emissions/keeper/GetIdsOfActiveTopics may always return empty array []
medium
When a single node(blockless server) is attacked, the entire chain is attacked.
medium
The malicious node may not execute the http request
medium
The issue of SLOW ABCI METHODS has not been resolved.
medium
The SelectTopNWorkerNonces function lacks a sorting algorithm internally.
medium
topic_rewards/SafeApplyFuncOnAllActiveEpochEndingTopics used the wrong parameters
5,104.26 USDC • 8 total findings • Sherlock • ZeroTrust
high
In the _splitWithdrawRequest() function, there exists an issue that causes both the from and to requestId to be 0
high
`EtherFiLib::_initiateWithdrawImpl` will revert because rebase tokens transfer 1-2 less wei
high
The lack of slippage protection in `EthenaLib::_sellStakedUSDe()` could lead to sandwich attacks.
high
The _redeemPT function lacks slippage protection.
high
The withdrawValue calculation in _calculateValueOfWithdrawRequest is incorrect.
medium
After a liquidator liquidates someone else’s position, it could cause a Denial of Service (DoS) when their own position also needs to be liquidated.
medium
The _getValueOfWithdrawRequest function uses different methods for selecting assets in various vaults.
medium
A failed rewardToken transfer results in a loss for the user
May '24
high
Logical error in the _executeRedeemStakeToken function in RedeemProcess.sol
high
Logical error in the getPoolIntValue function in LpPoolQueryProcess.sol
high
The `executeUpdateLeverageRequest` function is missing the operation to update the borrowing fee
high
When a user opens a short position, there is a lack of checks on the liquidity pool, which can result in the user being unable to realize their profits if they succeed.
high
In Cross Margin mode, the user’s profit calculation is incorrect.
medium
Logical error in the processExecutionFee function GasProcess.sol
medium
Using the .call() method to refund the refundFee In processExecutionFee may result in excessive gas consumption and potential reentrancy attacks.
medium
Missing executionFee in the function `createWithdrawRequest`
medium
The check for the user’s collateralUserCap is missing params.amount in AssetsProcess::deposit()
medium
The balance.unsettledAmount is missing in the calculations for `getMaxWithdraw` and `isSubAmountAllowed` in UsdPool.sol
medium
Using deprecated interfaces `PUFFER_DEPOSITOR.depositStETH()` causes DOS
medium
Invalid check for repayAmount in `MetapoolRouter::receiveFlashLoan` cause DOS
medium
Checking `RSETH_DEPOSIT_POOL.minAmountToDeposit()` in `RsETHAdapter::_stake()` causes Dos
medium
Checking return share in `_stake()` causes Dos
Apr '24
high
Burning shares token before calculating in `burnSharesToWithdrawEarnings()` causing error result
high
Use safeTransferFrom() instead of transferFrom()
high
Checking for Collateral required in LenderCommitmentGroup_Smart::acceptFundsForAcceptBid is incorrect
high
`TellerV2::repayLoan()` can be frontrun to profit from an increase in share price
high
Missing interest when calculating Amount owed for a bid in `LenderCommitmentGroup_Smart::liquidateDefaultedLoanWithIncentive()`
high
The collateral Token is mistakenly given to the lender when the liquidator call liquidateDefaultedLoanWithIncentive()
medium
`sharesExchangeRate()` may be zero causing Users mint zero shares token in `lenderCommitmentGroupSmart.addPrincipalToCommitmentGroup()`
medium
Calling the wrong function name in `FlashRolloverLoan_G5::_acceptCommitment()` resulted in a Denial of Service (DOS)
high
Kerosene collateral is not being moved on liquidation, exposing liquidators to loss
high
Users can get their Kerosene stuck until TVL becomes greater than Dyad's supply
high
Flash loan protection mechanism can be bypassed via self-liquidations
medium
Incorrect deployment / missing contract will break functionality
Mar '24
Feb '24
Jan '24
high
User can evade `liquidation` by depositing the minimum of tokens and gain time to not be liquidated
high
First depositor can break staking-rewards accounting
high
First Liquidity provider can claim all initial pool rewards
medium
DOS of proposals by abusing ballot names without important parameters
medium
SALT staker can get extra voting power by simply unstaking their xSALT
medium
Reusing a SALT that has already been used for voting can allow a malicious proposal to pass and compromise the protocol.
medium
Creation of token whitelisting proposals can be DOS'd
high
Attack to make ````CurveSubject```` to be a ````HoneyPot````
high
Unrestricted claiming of fees due to missing balance updates in `FeeSplitter`
high
Unauthorized Access to setCurves Function
medium
A subject creator within a single block can claim holder fees without holding due to unprotected reentrancy path
medium
onBalanceChange causes previously unclaimed rewards to be cleared
medium
Theft of holder fees when `holderFeePercent` was positive and is set to zero
Dec '23
Nov '23
high
Broken `NonceVoter` Allows Observer to Halt the Chain
medium
Possible index out of range in GetVoterIndex could cause ballot to never finalize due to panic
medium
An already executed InTxTracker can still be added
medium
Arbitrary destination gas limit for `CoinType_Zeta` cctxs results in paying lower gas fees
medium
Funds from reverted transaction may be lost/locked
medium
User not refunded for failed Zeta gas payment in cross chain transaction
medium
Limited Voting Options Allow Ballot Creation Spam
5.45 USDC • 1 total finding • Code4rena • zhaojie
#29
Collaborative Audit • Sherlock • ZeroTrust
Oct '23
Sep '23
Aug '23
Jul '23