Payouts
2nd Places
3rd Places
Top 10
All
Sherlock
Code4rena
Cantina
Dec '24
Oct '24
high
Rewards might be lost due to the error that _updateRewardIndex() might advance lastBalance without advancing index for a token.
medium
PositionAction.decreaseLever() fails to consider the loan fee in Flashlender when calculating loanAmount, as a result, the functionanlity will not work when protocolFee != 0.
medium
Incorrect calculation of `newCumulativeIndex` in function `calcDecrease`
medium
WhenNotPaused modifier in the CDPVault can be bypassed by users
medium
DOS attack to SwapAction.transferAndSwap() when using an ERC20 permit transferFrom.
medium
CDPVault.liquidatePosition() does not scale ```takeCollateral``` with ```tokenScale``, therefore, it might send the wrong amount of collateral to the liquidator when tokenScale ! = 1 ether.
Aug '24
Jul '24
high
Rewards might be lost due to the error that _updateRewardIndex() might advance lastBalance without advancing index for a token.
medium
PositionAction.decreaseLever() fails to consider the loan fee in Flashlender when calculating loanAmount, as a result, the functionanlity will not work when protocolFee != 0.
medium
Incorrect calculation of `newCumulativeIndex` in function `calcDecrease`
medium
WhenNotPaused modifier in the CDPVault can be bypassed by users
medium
DOS attack to SwapAction.transferAndSwap() when using an ERC20 permit transferFrom.
medium
CDPVault.liquidatePosition() does not scale ```takeCollateral``` with ```tokenScale``, therefore, it might send the wrong amount of collateral to the liquidator when tokenScale ! = 1 ether.
Jun '24
607.41 USDC • 2 total findings • Sherlock • chaduke
#12
high
EthenaLib#_sellStakedUSDe() fails to enforce the slippage control using ```minPurchaseAmount``` when borrowToken is DAI. A user might receive less borrowToken than expected.
medium
_claimRewardToken() will update accountRewardDebt even when there is a failure during reward claiming, as a result, a user might lose rewards.
May '24
high
PositionMarginProcess.updatePositionFromBalanceMargin() returns the wrong ``changeAmount`` value for the case ``position.initialInUsdFromBalance <= addBorrowInUsd``.
medium
GasProcess.processExecutionFee() calculates ``lossFee`` wrongly (always zero), and keepers might oss some portion of execution fee.
medium
AssetsProcess.deposit() fails to check that the token balance of a user cannot exceed collateralUserCap.
Mar '24
Jan '24
Nov '23
high
71.8 USDC • 1 total finding • Code4rena • chaduke
#21
Oct '23
Sep '23
high
An allocator might allocate ``voiceCredits`` without any limit, exceeding ``maxVoiceCreditsPerAllocator`` due to forgetting to increase allocator.voiceCredits.
medium
QVBaseStrategy._qv_allocate() does not calculate _allocator.voiceCreditsCastToRecipient[_recipientId] correctly, as a result, the votes for each recipient and thus payout for each recipient will not be calculated correctly.
Aug '23
high
The settle feature will be broken if attacker arbitrarily transfer collateral tokens to the PerpetualAtlanticVaultLP
high
The peg stability module can be compromised by forcing lowerDepeg to revert.
high
Users can get immediate profit when deposit and redeem in `PerpetualAtlanticVaultLP`
high
`UniV3LiquidityAMO::recoverERC721` will cause `ERC721` tokens to be permanently locked in `rdpxV2Core`
medium
Change of `fundingDuration` causes "time travel" of `PerpetualAtlanticVault.nextFundingPaymentTimestamp()`
Jul '23
high
LMPVaultRouterBase.mint() will double charge a user when the user sends asset tokens using eth (msg.value > 0), and then a stealer can steal the extra payment.
high
AbstractRewarder.queueNewRewards() will transfer ``(newRewards + queuedRewards)`` instead of ``newRewards`` reward tokens, as a result, the extra ``queuedRewards`` tokens will not be accounted and lost to the contract forever.
medium
AbstractRewarder.notifyRewardAmount() does not calculate the leftover reward correctly when totalSupply() == 0 .
high
Collateral can be locked in BigBang contract when `debtStartPoint` is nonzero
high
A user with a TapiocaOFT allowance >0 could steal all the underlying ERC20 tokens of the owner
high
twTAP.claimAndSendRewards() will claim the wrong amount for each reward token due to the use of wrong index.
high
[HB02] `BalancerStrategy.sol`: `_withdraw` withdraws insufficient tokens
medium
`extractTAP()` function can allow minting an infinite amount in one week, leading to a DoS attack in `emitForWeek()`
medium
averageMagnitude in TapiocaOptionBroker is updated wrongly
medium
Potential loss of value in YieldBox's `depositETHAsset()`
May '23
Apr '23
high
MarketUtils.getPoolValueInfo() does not use !maximize when evaluating impactPoolUsd, leading to wrong logic of maximizing or minimizing the pool value.
medium
MarketUtils.getFundingAmountPerSizeDelta() has a rounding logical error.
medium
PositionUtils.validatePosition() uses ``isIncrease`` instead of ``false`` when calling isPositionLiquidatable(), making it not work properly for the case of ``isIncrease = true``.
high
setCollateralEscrowBeacon() has no access control, so anybody can change ``collateralEscrowBeacon``.
high
DOS attack to deployAndDeposit()
high
A malicous user can manipulate the amount of collateral for a borrower.
medium
There is a race condition between updateCommitment() and acceptCommitment().
medium
withdraw() has no access control, so a malicous user can use it to front-run repayLoanFull(), repay(), and liquidateLoanFull().
high
PrivatePool owner can steal all ERC20 and NFT from user via arbitrary execution
medium
Transaction revert if the baseToken does not support 0 value transfer when charging changeFee
medium
Loss of funds for traders due to accounting error in royalty calculations
medium
`changeFeeQuote` will fail for low decimal ERC20 tokens
medium
EthRouter can't perform multiple changes
Mar '23
high
_redeemMoneyMarketIfRequired() will always overwithdraw from money market tokens, leading to losing some opportunities to earn from the money markets (losing of funds).
medium
convertFromStorage() fails to use rounding-up when converting a negative storedCashBalance into signedPrimeSupplyValue.
medium
AccountAction#withdraw() might fail when one of the other money markets (Compound, Aave, or Euler) fails temporarily.
Feb '23
high
DOS attack to function ``_accruePremiumAndExpireProtections()`` due to iteration through all active protections.
high
A lender can bypass the protection amount limit check by buying more protections.
high
Front-running attack to lockCapital()
high
Sandwich attack to accruePremiumAndExpireProtections()
medium
Nobody can deposit anymore after ``_underlyingAmount`` becomes ZERO.
medium
Some protection buyers might not be able to renew their protections due to delayed expiration processing.
high
Some funds might be stuck in the bank contract forever, and nobody can withdraw them
high
A user who calls IchiVaultSpell.closePosition() might leave some ICHI vault LP tokens in the IchiVaultSpell for other users to steal (lose funds)
medium
A borrower might drain the vault by calling borrow() repeatedly with small borrow amount each time.
medium
IchiVaultSpell.openPosition() will always revert if ICHI Vault Lp Tokens are fees-on-transfer ERC20 tokens.
Jan '23
high
First vault depositor can steal other's assets
medium
Users lose their entire investment when making a deposit and resulting shares are zero
medium
DOS any Staking contract with Arithmetic Overflow
medium
`MultiRewardStaking.changeRewardSpeed()` breaks the distribution
medium
syncFeeCheckpoint() does not modify the highWaterMark correctly, sometimes it might even decrease its value, resulting charging more performance fees than it should
medium
Owner can collect management fees with a new increased fee for previous time period.
medium
`Vault.redeem` function does not use `syncFeeCheckpoint` modifier
medium
VaultController() Missing call DeploymentController.nominateNewDependencyOwner()
medium
`quitPeriod` is effectively always just `1 day`
high
The collect() function will always TRANSFER ZERO fees, losing _feesPositions without receiving fees!
medium
_ownedTokensIndex is SHARED by different owners, as a result, _removeTokenFromAllTokensEnumeration might remove the wrong tokenId.
medium
Burning a `ERC1155Enumerable` token doesn't remove it from the enumeration
high
When Public Vault A buys out Public Vault B's lien tokens, it does not increase Public Vault A's liensOpenForEpoch, which would result in the lien tokens not being repaid
high
Buying out corrupts the slope of a vault, reducing rewards of LPs
high
Deadlock in valuts with underlying token with less then 18 decimals
medium
Users are unable to mint shares from a public vault using `AstariaRouter` contract when share price is bigger than one
medium
_buyoutLien() does not properly validate the liquidationInitialAsk
Dec '22
medium
Bypass the delay security check to win risk free funds
medium
`_handleOpenFees` returns an incorrect value for `_feePaid`. This directly impacts margin calculations
medium
Centralization risks: owner can freeze withdraws and use timelock to steal all funds
medium
`_handleDeposit` and `_handleWithdraw` do not account for tokens with decimals higher than 18
Nov '22
Oct '22