High
Solo
Total
Medium
Solo
Total
Total Earnings
#13 All Time
Payouts
1st Places
2nd Places
3rd Places
All
Sherlock
Code4rena
Cantina
Mar '25
medium
Jan '25
high
high
high
high
high
high
high
Nov '24
Findings not publicly available for private contests.
medium
Oct '24
medium
medium
medium
Sep '24
medium
medium
medium
Jun '24
medium
medium
medium
medium
medium
medium
May '24
Apr '24
high
`OCY_Convex_C::claimRewards` will trap extra rewards in the contract instead of transferring them to `OCT_YDL`
high
ZivoeRewards::depositReward anybody can reset remaining rewards duration
medium
OCL_ZVE.sol::forwardYield relies on manipulable Uniswap V2 pool reserves leading to theft of funds
medium
ZivoeYDL::distributeYield yield distribution is flash-loan manipulatable
medium
Attacker can DoS OCL_ZVE contract by calling OCL_ZVE::forwardYield before nextYieldDistribution is initialized
medium
OCL_ZVE::pushToLockerMulti will fail when the liquidity is not added exactly at UniV2 pool's ratio
medium
OCC_Modular::applyCombine will round APR down
Mar '24
Feb '24
high
BBLeverage::buyCollateral Malicious operator can abuse _allowedBorrow approval on Big bang market
high
BBLiquidation/SGLLiquidation::_updateBorrowAndCollateralShare liquidator can bypass bad debt handling to ensure whole liquidation reward
high
BBLiquidation::_liquidateUser liquidator can bypass protocol fee on liquidation by returning returnedShare == borrowShare
high
BigBang/Singularity::_updateBorrowAndCollateralShare totalBorrow variable is never updated and breaks a few core mechanics
high
Market::_computeClosingFactor wrong collateralization calculation can cause liquidatee solvency to become worse
high
BaseTOFTReceiver::_toeComposeReceiver some compose calls are not authenticated
high
UsdoMarketReceiverModule::removeAssetReceiver msg_.externalData.marketHelper is unchecked enabling arbitrary market actions from magnetar
medium
BBLeverage/SGLLeverage::sellCollateral excess asset stays in contract
medium
Singularity::removeAsset share can become zero due to rounding down, and any user can be extracted some amount of asset
medium
BBCommon::_accrue wrong value is used to prevent overflow
medium
BBLeverage::sellCollateral is unusable due to wrong asset deposit attempt in YieldBox
medium
Penrose::_depositFeesToTwTap can unexpectedly revert due to amount rounded down
medium
BBLeverage::sellCollateral relies on outdated interface for leverageExecutor
medium
BaseLeverageExecutor::_swapAndTransferToSender will return wrong amount if TOFT wrapping has fees
medium
TOFTMarketReceiverModule::leverageUpReceiver Incorrect approval handling
Jan '24
high
high
medium
medium
medium
medium
OperationalStaking::rewardValidators Rewards distribution can be sandwiched to extract most of the rewards from honest validators
medium
OperationalStaking::_unstake Delegators can bypass 28 days unstaking cooldown when enough rewards have accumulated
medium
BlockSpecimenProofChain::submitBlockSpecimenProof Block specimen producer can greatly reduce session duration by submitting fake block specimen in the future
medium
OperationalStaking::setValidatorAddress Validator can bypass validatorMaxStake threshold by setting address to an existing delegator
medium
LibUbiquityPool::mintDollar/redeemDollar reliance on outdated TWAP oracle may be inefficient for preventing depeg
medium
UbiquityPool::mintDollar/redeemDollar collateral depeg will encourage using UbiquityPool to swap for better collateral
medium
LibUbiquityPool::mintDollar/redeemDollar reliance on arbitrarily short TWAP oracle may be inefficient for preventing depeg
medium
LibTWAPOracle::update Providing large liquidity will manipulate TWAP, DOSing redeem of uADs
Dec '23
Nov '23
medium
medium
medium
medium
high
LockingPositionDelegate::manageOwnedAndDelegated unchecked duplicate tokenId allow metaGovernance manipulation
medium
Division by Zero in CvgRewards::_distributeCvgRewards leads to locked funds
medium
A user which is the only $CVG locker for YS during a TDE, can steal rewards from other TDEs
medium
CvgRewards::_checkpoints Timing Inaccuracy Causes Extended Lock Durations Beyond Expected Cycle
medium
LockPositionService::increaseLockTime Incorrect Calculation Extends Lock Duration Beyond Intended Period
Oct '23
high
An agent wounded-healed-wounded during ROUNDS_TO_BE_WOUNDED_BEFORE_DEAD rounds can be unjustly killed
high
A participant with enough agents can force win while some opponents' agents are healing
high
Winning agent id may be uninitialized when game is over, locking grand prize
medium
Weak randomness in _woundRequestFulfilled can be slightly manipulated
Jul '23
high
TOFT and USDO Modules Can Be Selfdestructed
high
Refund mechanism for failed cross-chain transactions does not work
high
`LidoEthStrategy._currentBalance` is subject to price manipulation, allows overborrowing and liquidations
high
Usage of `BalancerStrategy.updateCache` will cause single sided Loss, discount to Depositor and to OverBorrow from Singularity
high
Ability to steal user funds and increase collateral share infinitely in BigBang and Singularity
high
twAML::participate - reentrancy via _safeMint can be used to brick reward distribution
high
Tokens can be stolen from other users who have approved Magnetar
high
Accounted balance of GlpStrategy does not match withdrawable balance, allowing for attackers to steal unclaimed rewards
medium
`totalCollateralShare` state variable not updated in `Singularity` market upon liquidation, resulting in an error on `addCollateral` with skim functionality
medium
SGLLeverage/BigBang `buyCollateral` Can Be Exploited to Steal Asset Approvals & Collateral
medium
`ARBTriCryptoOracle` is vulnerable to read-only reentrancy
medium
all deposit and withdraw function in Convex and Curve nativeLP Strategy, apply slippage on internal pricing; which call real-time on chain price from Curve directly and subject to MEV
medium
The twTAP multiplier can be compromised with manipulated deposits of low value cost and high duration
medium
User can exercise oTAP options for 3 weeks from a 1 week lock
medium
BigBang/Singularity::sellCollateral - Surplus of collateral with regards to repay amount is never returned to user
medium
MagnetarMarketModule::_exitPositionAndRemoveCollateral - Impossible to exitPosition without unlocking tOlp
medium
TapiocaOptionBroker::newEpoch - An epoch can be skipped leading for unclaimed tap to distribute to be lost
medium
oTAP::participate - Call will always revert if msg.sender is approved but not owner
medium
mTapiocaOFT can't be rebalanced because the Balancer in tapiocaz-audit calls swapETH() or swap() of the RouterETH but does not forward ether for the message fee
Jun '23
high
PartyB nonce is not incremented during liquidation and can lead to signature reuse
high
Price signature reuse in setSymbolsPrice can heavily influence liquidation outcome
high
A partyA/B can Dos own liquidation because liquidation relies on a nonced signature
high
A partyA liquidation may be impossible to conclude if UPNL for one quote exceeds partyB's allocated funds
medium
Liquidator can get liquidation fee two times for the same quote
medium
A party B can open a short position for a limit quote in a way which makes party A liquidatable
medium
Liquidation of a partyB be stuck, definitely bricking allocated funds
medium
Nonce for partyB is not correctly incremented in `lockQuote`
high
Pool deviation check in SimpleManager on rebalance can be bypassed
medium
Lack of rebalance rate limiting allow operators to drain vaults
medium
Min deposit protection during rebalancing can be bypassed if multiple fee tiers
medium
ChainLinkOraclePivot uses the same heartbeat for both underlying feeds
May '23
high
Consecutive stale epochs may lead to incorrect redeeming of balanced vault shares
medium
Leveraged trader with small collateral can create a riskless position until settlement
medium
Malicious trader can bypass utilization buffer
medium
A trader close to liquidation risks being liquidated by trying to reduce her position
high
Previous owner of a club can extract assets of a Footium escrow, through unrevoked approvals
medium
A club with a crafted id can be used to mint free players from the academy
medium
FootiumClub safeMint method is misleadingly unsafe and can lead to stuck NFTs
medium
Claiming rewards may fail because transfer result is unchecked
Feb '23
high
claimTokens function can be sandwiched to steal rewards
high
Rounding error in storePriceAndRewards leads to loss of rewards
high
pushVaultAmounts can be called multiple times if in the right state
medium
No slippage control on rebalanceXChain
medium
sendFundsToVault can be called multiple times for the same chainID
medium
Aave rewards are never distributed
high
User can call reducePosition with wrong strategyId and abuse LTV limits
high
User never receive the interest on lending to the protocol
high
Vault shares can be left in spell during withdrawInternal
high
Ichi vault LP oracle is vulnerable to price manipulation with flashloan
medium
High slippage tolerance when swapping on uniswapV3 can lead to frontrunning
Jan '23