Sherlock
Code4rena
Dec '24
high
Attacker can use outdated API data in CDS.withdraw()
high
BorrowLib.withdraw() ignores the downside protection when transferring the repayment
medium
`CDSLib.withdrawUser()` will underflow if collateral price decreases after liquidation
medium
Treasury will run out of liquidated funds to give to withdrawing users causing withdrawals to fail
medium
User will pay more debt because the cumulative rate isn't updated before their deposit
Oct '24
Sep '24
high
Casting the quorum votes to uint88 causes the value to be smaller than expected for high decimal collection tokens.
high
Attacker can cancel an executed shutdown
high
User can't claim royalties for bridged ERC1155 tokens
high
Reserved listing can be cancelled by the owner
medium
User will pay more taxes than they should when they modify an existing listing's floor multiple
medium
Moongate uses universal royalty for all the bridged tokens of an ERC721 contract
Aug '24
Jul '24
high
The maximum number of generations is infinite
high
Number of entities in a generation can exceed 10k
high
Wrong minting logic based on total token count across generations
medium
Discrepancy between NFTs minted, NFT price when a generation changes, and the position of `_incrementGeneration()` inside `_mintInternal()` and `_mintNewEntity()`
Apr '24
high
Attacker can decrease reward rate in ZivoeRewards and ZivoeRewardsVesting
high
ZivoeRewardsVesting's totalSupply breaks when a user's vesting schedule is revoked
high
ZivoeRewardsVesting leaves a user voting power after their token allocation was revoked
medium
OCL_ZVE can fail to provide liquidity to Uni v2 pool
Nov '23
Oct '23
high
Attacker can drain all ETH from AuctionDemo when block.timestamp == auctionEndTime
high
Attacker can reenter to mint all the collection supply
high
Adversary can block `claimAuction()` due to push-strategy to transfer assets to multiple bidders
medium
Vulnerability in burnToMint function allowing double use of NFT
Jul '23
high
Attacker can prevent rewards from being issued to gauges for a given epoch in TapiocaOptionBroker
medium
`emitForWeek` will lose `emissionForWeek` if one week is skipped
medium
CompoundStrategy `_currentBalance` uses `exchangeRateStored`, which leaks value
medium
All deposit and withdraw functions in the Convex and Curve nativeLP strategies apply slippage to an internal price that is read in real time from Curve on-chain, so they are subject to MEV
medium
tOLP tokens that are not unlocked after they have expired cause the reward distribution to be flawed
medium
[HB09] `emergencyWithdraw` on all strategy contracts is useless without a pause mechanism
Jun '23
high
Party A can prevent a position from being emergency closed
high
LiquidationFacet allows `setPrice` to be called with outdated prices
medium
`openPosition()` doesn't check the solvency of both parties properly
medium
Liquidator should always be rewarded for liquidations
medium
Liquidating pending quotes doesn't return trading fee to party A
medium
FeeCollector withdrawing funds can prevent pending quotes from being canceled
May '23
Apr '23
high
PrivatePool owner can steal all ERC20 tokens and NFTs from users via arbitrary execution
medium
`PrivatePool.flashLoan()` takes fee from the wrong address
medium
Malicious royalty recipient can steal excess eth from buy orders
medium
Royalty recipients will not get fair share of royalties
medium
EthRouter can't perform multiple changes
Mar '23
high
User can bypass Carousel's depositFee using the deposit queue
high
Attacker can cause a user's rollover to not be executed
high
Attacker can block deposit & rollover queue
medium
Controller doesn't send treasury funds to the vault's treasury address
medium
Attacker can DOS user's deposit by spamming the queue
Feb '23
high
User can receive more rewards through a mistake in the withdrawal logic
high
`cachedUserRewards` aren't reset after the user claimed them
medium
`cachedUserRewards` can cause subsequent reward claims to revert because of an underflow
medium
Any unclaimed rewards will be lost when the admin removes a reward token
medium
Creating an internal reward token with a start timestamp in the future will cause deposits & withdrawals to revert
Jan '23
high
First vault depositor can steal others' assets
high
Incorrect Reward Duration After Change in Reward Speed in MultiRewardStaking
medium
Vault creator can't change feeRecipient after deployment
medium
Vault creator can't change quitPeriod
medium
`MultiRewardStaking.changeRewardSpeed()` breaks the distribution
medium
Cooldown period is not properly respected by the `harvest` method
medium
Anyone can reset fees to 0 value when Vault is deployed
Dec '22
high
Lock.sol: assets deposited via the `Lock.extendLock` function are lost
high
Incorrect Assumption of Stablecoin Market Stability
medium
Trading will not work on Ethereum if USDT is used
medium
Centralization risks: owner can freeze withdrawals and use the timelock to steal all funds
medium
Unreleased locks cause the reward distribution to be flawed in BondNFT
Nov '22
high
WETH.sol computes the wrong totalSupply()
high
Anyone can create a proposal in Unigov Proposal-Store.sol
high
It's not possible to execute governance proposals through the GovernorBravoDelegate contract
high
Comptroller uses the wrong address for the WETH contract
high
Accountant can't be initialized
high
User can redirect fees by using a proxy contract
Oct '22
Sep '22
Aug '22
Jul '22
high
`migrateFractions` may be called more than once by the same user, which may lead to loss of tokens for other users
medium
A vault owner can also be the controller and arbitrarily set the secondary market royalties
medium
An attacker can DoS vault's buyout with as little as 1 wei per 4 days
medium
Use of `payable.transfer()` may lock user funds
Jun '22
high
Overpayment of native ETH is not refunded to buyer
high
Calling `unstake()` can cause locked funds
medium
Protocol fee rate can be arbitrarily modified by the owner and the new rate will apply to all existing orders
medium
InfinityExchange computes gas refunds in a way where the first order's buyer pays less than the later ones
May '22
high
RubiconRouter.swapEntireBalance() doesn't handle the slippage check properly
medium
Strategists can't be removed
medium
RubiconRouter: excess ether is not returned to the user
medium
No cap on fees can result in a DOS in BathToken.withdraw()
medium
Use `safeTransfer()`/`safeTransferFrom()` instead of `transfer()`/`transferFrom()`
medium
`RubiconMarket.sol#isClosed()` always returns false, so the market cannot be stopped as designed
medium
Early funds withdrawers can get bonus in multiples of vested bonus tokens (e.g. 2-times, 3-times, etc.)
medium
Strategist can transfer user funds to themselves
medium
BathBuddy locks up Ether it receives
medium
Use `call()` instead of `transfer()` when transferring ETH in RubiconRouter
Apr '22
Mar '22
Feb '22
Jan '22
Dec '21
Nov '21