Apr '25
Findings not publicly available for private contests.
Mar '25
Feb '25
[high] Wrong amount is minted to user when they deposit into the lending pool
[high] Multiple Delegation by Double Spending Boosts and Lack of Delegation Tracking in BoostController Contract
[high] `BaseGauge` users can claim rewards without staking
[high] `GaugeController` does not send funds to FeeCollector disrupting fees distribution and causing loss of funds
[high] Reward manipulation vulnerability in StabilityPool
[high] Incorrect Reward Claim Logic in FeeCollector::claimRewards Causes Denial of Service
[high] Attackers can get most of RAACToken rewards by withdrawing dust amount from StabilityPool multiple times
[high] NFTs Get Permanently Locked in Stability Pool After Liquidation
[high] Double Usage Index Scaling in StabilityPool Liquidation Inflates Required CRVUSD Balance
[high] Ownership Parameter Mismatch in LendingPool's Vault Withdrawal Logic
[high] Lack of Access Control in BoostController::updateUserBoost Leading to Unauthorized Delegation Overwrite
[high] Treasury Balance Tracking Bypass in FeeCollector
[high] Attackers can double voting power and veToken amount by locking and increasing
[high] Gauge Voting Misallocation Vulnerability
[high] The total voting power of all veRAAC tokens is wrongly assigned
[high] Interest Accrual Failure Due to Incorrect Scaling in RToken Implementation
[high] Incorrect Debt Token Accounting Due to Multiple Scaling Issues
[high] Gauge rewards are not transferred to gauge when distributeRewards() is called
[high] Untracked Direct Fee Transfers from RAACToken to FeeCollector Break Fee Distribution System
[high] Ineffective Time-Weighted Average Implementation in Fee Distribution
[medium] `MAX_TOTAL_SUPPLY` Bypass in `veRAACToken` via `increase()` Function
[medium] Missing Boost Balance and Other Parameter Updates in veRAACToken Functions: Incomplete Boost State Updates Result in Inaccurate Voting Power and Reward Distribution
[medium] Incorrect utilization rate forces protocol to issue maximum rewards indefinitely
[medium] RToken.transferFrom() Does Not Scale User Balances Due to Stale Liquidity Index
[medium] LendingPool deposits do not work with CurveVault due to lack of funds
[medium] Liquidation Cannot Be Closed Even With Healthy Position Due To Strict Debt Check
[medium] Using balanceOf Instead of Voting Power
[medium] There is no logic checking for RAACNFT price staleness before minting it
[medium] Treasury Contract Deposit Function Can Be Frontrun To Deny Protocol Operations
[medium] Working supply would always be overwritten in BoostController.sol, impacting reward calculations
[medium] Emergency revoke in RAACReleaseOrchestrator will freeze revoked RAAC tokens in orchestrator
[medium] Insufficient Balance Validation in BaseGauge Can Lead to Reward Insolvency
[medium] `veRAACToken::_updateBoostState` function sets individual user voting power instead of system-wide totals
[medium] Missing Boost State Update in extend() and withdraw()
[medium] Gauge emissions revert when emissions are higher than the leftover buffer instead of depositing the difference
[medium] User may not be able to increase the amount of locked RAAC tokens
[medium] `GaugeController::distributeRewards` can be called multiple times by anyone, leading to excessive reward distribution
[medium] Lack of Time-Weighted Voting and Weight Decay in GaugeController
[low] Limited veRAAC Token Supply Triggers DoS, Hampering Proper Governance Participation
[low] Irreversible emission cap reduction in BaseGauge
[low] Impossible to rescue funds from `RToken` contract
[low] Incorrect Initialization of minBoost in BaseGauge Constructor Breaks Core Contract Functionality
[low] Missing Checkpoint Reset in `veRAACToken::emergencyWithdraw` Function
[low] Missing Pause Functionality in veRAACToken Contract Can Be Abused When Emergency Withdrawal Mechanism Is Activated
[low] `FeeCollector::updateFeeType` wrong fee share validation leads to impossible update for some fee types
Jan '25
Dec '24
Sep '24
[high]
[high]
[medium]
[medium]
[high] Malicious attacker can brick users claiming sale proceeds from collection shutdown by reclaiming vote
[high] `ERC721Bridgable` cannot receive ETH for royalty payouts
[high] Users cannot claim royalties for `ERC1155`
[high] Users can create permanent protected listings and inflate interest rates
[medium] If a collection has been shut down but later re-initialized, it cannot be shut down again
[medium] Users can dodge `createListing` fees
[medium] Users can sandwich unlocking their protected listings to pay less fees
Aug '24
[high] Unrestricted Changes to Token Settings Allow Artists to Alter Critical Features
[high] Exposed `_removeCredIdPerAddress` & `_addCredIdPerAddress` allows anyone to cause issues to current holders as well as upcoming ones
[high] `shareBalance` bloating eventually blocks curator rewards distribution
[high] Signature replay in `createArt` allows an attacker to impersonate the artist and steal royalties
[medium] Refunds sent to incorrect addresses in certain cases
[medium] Incorrect Fee Handling Prevents Protocol from Updating Fees