9x
Payouts
2x
Top 10
2x
Top 25
8x
Top 50
All
Sherlock
Code4rena
Aug '23
Jul '23
high
Potential 99.5% loss in `emergencyWithdraw()` of two Yieldbox strategies
high
Attacker can prevent rewards from being issued to gauges for a given epoch in TapiocaOptionBroker
medium
Tapioca Bar: Unusable Market Add Functions in Penrose Contract
medium
all deposit and withdraw function in Convex and Curve nativeLP Strategy, apply slippage on internal pricing; which call real-time on chain price from Curve directly and subject to MEV
medium
The twTAP multiplier can be compromised with manipulated deposits of low value cost and high duration
medium
read-only reentrancy in Curve Eth pool can lead to funds being stolen from the Lido strategy
Feb '23
high
Anyone can execute certain functions that use cross chain messages and potentially cancel them with potential loss of funds.
medium
rebalanceXChain() can be called by anyone specifying a extreme high slippage
medium
Derby vault rebalance fails when exchange rate of protocol LP tokens decreases.
medium
Yearn withdrawal can revert making it impossible to rebalance the Derby vault
medium
maxTrainingDeposit can be trivially circumvented
medium
Aave Liquidity Pools do not count towards rewards
medium
DAI, USDT and USDC are assumed to have an 1 to 1 exchange rate in the Curve 3pool
Jan '23
Nov '22
medium
Seller's ability to decrypt bids before reveal could result in a much higher clearing price than anticpated and make buyers distrust the system
medium
Attacker may DOS auctions using invalid bid parameters
medium
Incompatibility with fee-on-transfer/inflationary/deflationary/rebasing tokens, on both base tokens and quote tokens, with varying impacts
Oct '22
