Audit contest profile (Sherlock / Cantina). Total Earnings rank: #100 All Time.

Findings by contest, newest first; each entry lists the severity and the finding title as submitted.
Mar '25
- Collaborative Audit • Sherlock • Obsidian

Feb '25
- Findings not publicly available for private contests.

Sep '24
- medium (title not listed)
- medium (title not listed)

Aug '24
- high: The owner of an NFT position that got liquidated will continue to earn rewards based on the amount supplied and borrowed pre-liquidation
- high: Not converting user collateral from shares to assets in LiquidationLogic
- high: getDebtBalance does not convert shares to assets
- high: _accrueToTreasury (interest fee) does not increment total supply
- high: Malicious attacker can inflate the interest rate to steal funds from borrowers at no cost
- high: Attacker can continually steal all the interest earned by suppliers in the vault
- high: Malicious pool deployer can set a malicious interest rate contract to lock the funds of vault depositors
- high: Anyone can reduce the interest rate to effectively zero instantly
- high: When bad debt is accumulated, the loss is not shared amongst all suppliers; instead the last to withdraw experiences a huge loss
- high: An attacker can sandwich liquidations by borrowing the collateral to ensure the liquidation reverts
- medium: Repaying loans via the NFT position manager will always revert; user collateral will be stuck forever
- medium: Incorrect handling of allocation.assets=0 in CuratedVault.reallocate()
- medium: Inconsistent rounding of rayMul() leads to failed repayment of tokens
- medium: getAssetPrice stale price threshold of 1800 is too small, making the protocol unusable
- medium: executeMintToTreasury does not update the interest rate
- medium: getAssetPrice does not account for the decimals returned by Chainlink; an attacker can use this to steal supplied funds
- medium: A malicious attacker can frontrun and grief the deposit of the first depositor
- high: By inflating the value of a pool share, a malicious actor can steal a large amount of funds
- medium: ChainlinkOracle does not check if the returned price is outside the min/max range for the token
- medium: Attacker can take advantage of high-LTV tokens to create bad debt for the protocol
- medium: The RedstoneCoreOracle has a constant stale price threshold, which is dangerous to use with tokens that have a smaller threshold, as the oracle will report stale prices as valid
- medium: SuperPool inherits Pausable but none of the functions have the `whenNotPaused` modifier
- medium: `deploySuperPool` will revert if the asset is USDT
- medium: The `convertToShares()` function is not ERC-4626 compliant
- medium: Liquidation fee is incorrectly calculated, leading to unprofitable liquidations
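Several of the oracle findings above share one root cause: a price read that trusts whatever the feed returns. As an added example (not code from any audited protocol or from the researcher's reports), the contract below is a Chainlink price read hardened against those patterns: a per-asset staleness threshold instead of one constant for every token (the 1800 threshold and RedstoneCoreOracle findings), normalisation by the feed's own decimals (the getAssetPrice decimals finding), and rejection of answers sitting at or beyond configured min/max bounds (the ChainlinkOracle range finding). Only `AggregatorV3Interface` is Chainlink's real ABI; the contract name, its storage layout, the owner gating and the `MockAggregator` test double are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not an audited protocol's code. AggregatorV3Interface matches
// Chainlink's published ABI; everything else here is assumed for illustration.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

contract HardenedChainlinkOracle {
    struct FeedConfig {
        AggregatorV3Interface feed;
        uint256 maxStaleness; // seconds; per asset, the feed's heartbeat plus a margin
        int256 minAnswer;     // answers at or below this bound are rejected (feed circuit-breaker floor)
        int256 maxAnswer;     // answers at or above this bound are rejected (feed circuit-breaker cap)
    }

    uint8 public constant PRICE_DECIMALS = 18; // every price leaves getAssetPrice with 18 decimals
    address public immutable owner;
    mapping(address => FeedConfig) public feeds; // asset => feed configuration (assumed wiring)

    error NotOwner();
    error BadConfig();
    error FeedNotSet(address asset);
    error StalePrice(address asset, uint256 updatedAt, uint256 maxStaleness);
    error InvalidAnswer(address asset, int256 answer);
    error AnswerOutOfRange(address asset, int256 answer, int256 minAnswer, int256 maxAnswer);

    constructor() {
        owner = msg.sender;
    }

    // Thresholds are per asset: a feed with a 5-minute heartbeat and one with a
    // 24-hour heartbeat cannot safely share a single constant.
    function setFeed(address asset, AggregatorV3Interface feed, uint256 maxStaleness, int256 minAnswer, int256 maxAnswer)
        external
    {
        if (msg.sender != owner) revert NotOwner();
        if (address(feed) == address(0) || maxStaleness == 0 || minAnswer <= 0 || maxAnswer <= minAnswer) revert BadConfig();
        feeds[asset] = FeedConfig(feed, maxStaleness, minAnswer, maxAnswer);
    }

    /// @return price of `asset` scaled to PRICE_DECIMALS, whatever decimals the feed itself uses
    function getAssetPrice(address asset) external view returns (uint256) {
        FeedConfig memory cfg = feeds[asset];
        if (address(cfg.feed) == address(0)) revert FeedNotSet(asset);

        (, int256 answer, , uint256 updatedAt, ) = cfg.feed.latestRoundData();

        // 1. Zero or negative answers are never a usable price.
        if (answer <= 0) revert InvalidAnswer(asset, answer);

        // 2. Per-asset staleness. A future updatedAt underflows and reverts under
        //    0.8 checked arithmetic, which is also the safe outcome.
        if (updatedAt == 0 || block.timestamp - updatedAt > cfg.maxStaleness) {
            revert StalePrice(asset, updatedAt, cfg.maxStaleness);
        }

        // 3. Circuit-breaker bounds: once the market crosses the aggregator's
        //    min/max the feed keeps reporting the bound, not the market price.
        if (answer <= cfg.minAnswer || answer >= cfg.maxAnswer) {
            revert AnswerOutOfRange(asset, answer, cfg.minAnswer, cfg.maxAnswer);
        }

        // 4. Normalise by the feed's own decimals (USD feeds use 8, ETH-quoted feeds 18).
        return _scale(uint256(answer), cfg.feed.decimals());
    }

    function _scale(uint256 answer, uint8 feedDecimals) internal pure returns (uint256) {
        if (feedDecimals == PRICE_DECIMALS) return answer;
        if (feedDecimals < PRICE_DECIMALS) {
            uint256 up = PRICE_DECIMALS - feedDecimals;
            return answer * 10 ** up;
        }
        uint256 down = feedDecimals - PRICE_DECIMALS;
        return answer / 10 ** down;
    }
}

// Constructed test double (not a Chainlink contract) so the oracle can be exercised offline.
contract MockAggregator is AggregatorV3Interface {
    uint8 public override decimals;
    int256 public answer;
    uint256 public updatedAt;

    constructor(uint8 decimals_) {
        decimals = decimals_;
    }

    function set(int256 answer_, uint256 updatedAt_) external {
        answer = answer_;
        updatedAt = updatedAt_;
    }

    function latestRoundData() external view override returns (uint80, int256, uint256, uint256, uint80) {
        return (1, answer, updatedAt, updatedAt, 1);
    }
}
```

To try it, deploy `MockAggregator(8)`, register it with `setFeed(asset, mock, 3600, 1e8, 1_000_000e8)`, and call `mock.set(2000e8, block.timestamp)`: `getAssetPrice(asset)` returns `2000e18`. Moving `updatedAt` more than 3600 seconds into the past reverts with `StalePrice`, and an answer of exactly `1e8` reverts with `AnswerOutOfRange` even though it is a positive, fresh value. The bounds are configured rather than read from the aggregator at call time so the check does not depend on which aggregator version sits behind the proxy; they should be refreshed whenever the feed's own min/max change.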