
Payouts

1st Places

2nd Places

3rd Places
All
Sherlock
Code4rena
CodeHawks
Hats Finance
Jun '26
Collaborative Audit • Sherlock • deth
Collaborative Audit • Sherlock • deth
May '26
Collaborative Audit • Sherlock • deth
Apr '26
Collaborative Audit • Sherlock • deth
Mar '26
Findings not publicly available for private contests.
Feb '26
Collaborative Audit • Sherlock • deth
Jan '26
Collaborative Audit • Sherlock • deth
Collaborative Audit • Sherlock • deth
Dec '25
Collaborative Audit • Sherlock • EgisSecurity
Oct '25
Collaborative Audit • Sherlock • EgisSecurity
Collaborative Audit • Sherlock • EgisSecurity
Sep '25
Collaborative Audit • Sherlock • deth
Jul '25
Jun '25
high
Users can steal funds meant for refunds through `_doMixSwap`
high
Users can steal funds meant for refunds using a `decoded.targetZRC20`
high
Anyone can steal a refund from Solana
medium
Zeta Chain contracts doesn't check source sender, which results in compromised instructions
medium
`GatewayTransferNative::onCall` don't decrease `amount` when platform fee is deducted
medium
Revert transaction from BTC will refund funds to a random address
medium
`AccountEncoder::decompressAccounts` does not decode `isWritable` correctly
medium
GatewayTransferNative::withdraw - The function is public and can be called by anyone
medium
`_existsPairPool` has flawed design, which allows for an attacker to control
medium
`_swapAndSendERC20Tokens` has no slippage protection
Feb '25
Findings not publicly available for private contests.
Dec '24
high
borrowing::liquidate - `lastEventTime` isn't updated after `calculateCumulativeRate` is called
high
`GlobalVariables` may be compromised, if there are concurrent in-flight messages
medium
borrowing::depositTokens - `calculateCumulativeRate` is called after borrower has been added
medium
borrowing::_withdraw - `lastEventTime` is updated before calling `calculateCumulativeRate`
Nov '24
high
Attackers can force the rewards to be stuck in the contract with malicious `x/tokenfactory` denoms
high
Logical error in `validate_fees_are_paid` can cause a DoS or allow users to bypass fees if `denom_creation_fee` includes multiple coins including `pool_creation_fee` and the user attempts to pay all fees using only `pool_creation_fee`
medium
When a user single-side deposit into a pool, slippage protection is invalid
medium
`withdraw_liquidity` lacks slippage protection
medium
Single sided liquidity can't be used to lock LP tokens in the farm manager
medium
Penalty fees can be shared among future farms or expired farms, risks of exploits
Aug '24
high
Exploiter can always bypass `LIQUIDATION_DISCOUNT` and always seize all collateral
medium
Exploiter can force user into unhealthy condition and liquidate him
medium
SuperPoolFactory
medium
Under certain circumstances bad debt will cause first depositor to lose funds
medium
Pool::liquidate()
medium
`SuperPool` has a `togglePause` function, but lack `whenNotPaused` modifier
medium
Liquidators won't have incentive to repay positions under some conditions
medium
`SuperPool#convertToShares` violates ERC4626
medium
Use can grief `SuperPool#reallocate` for USDT because it doesn't use `forceApprove`
Jul '24
Jun '24
May '24
medium
Insufficient input validation on `SablierV2NFTDescriptor::safeAssetSymbol` allows an attacker to obtain stored XSS
medium
The overflow in the `_calculateStreamedAmount` function can lead to unexpected results.
medium
`SablierV2Lockup.sol` - The caller of withdraw and renounce can skip callbacks, by sending less gas
medium
Use of CREATE method is suspicious of reorg attack
Apr '24
high
`LenderCommitmentGroup_Smart.sol::burnSharesToWithdrawEarnings` steal previous depositors funds
high
TellerV2.sol
high
LenderCommitmentGroup_Smart.sol#liquidateDefaultedLoanWithIncentive()
high
LenderCommitmentGroup_Smart.sol
high
LenderCommitmentGroup_Smart.sol
high
LenderCommitmentGroup_Smart.sol#getCollateralRequiredForPrincipalAmount()
high
If `repayLoanCallback` address doesn't implement `repayLoanCallback` try/catch won't go into the catch and will revert the tx
high
Unchecked `transferFrom` value may lead to borrower falsy repaying loan
high
`LendderCommitmentGroup::_calculateCollateralTokensAmountEq` may be manipulated
high
LenderCommitmentGroup_Smart.sol#liquidateDefaultedLoanWithIncentive()
medium
User can easily DoS `FlashRolloverLoan_G5` for USDT loans
medium
__Ownable_init is missing in LenderCommitmentGroup_Smart and TellerV2
medium
TellerV2.sol#lenderAcceptBid()
medium
`FlashRolloverLoan_G5::_acceptCommitment` with `smartCommitmentAddress` uses wrong signature
medium
LenderCommitmentGroup_Smart.sol#_generateTokenNameAndSymbol()
medium
LenderCommitmentGroup_Smart.sol#__valueOfUnderlying()
high
Inability to perform partial liquidations allows huge positions to accrue bad debt in the system
high
Design flaw and mismanagement in vault licensing leads to double counting in collateral ratios and positions collateralized entirely with kerosine
high
Users can get their Kerosene stuck until TVL becomes greater than Dyad's supply
high
User can get their Kerosene stuck because of an invalid check on withdraw
high
Unable to withdraw Kerosene from `vaultmanagerv2::withdraw` as it expects a `vault.oracle()` method which is missing in Kerosene vaults
medium
`VaultManagerV2.sol::burnDyad` function is missing an `isDNftOwner` modifier, allowing a user to burn another user's minted DYAD
medium
Attacker can frontrun to prevent vaults from being removed from the dNFT owner's position
medium
No incentive to liquidate small positions could result in protocol going underwater
medium
Value of kerosene can be manipulated to force liquidate users
medium
Incorrect deployment / missing contract will break functionality
Feb '24
Jan '24
high
When `DecentBridgeExecutor.execute` fails, funds will be sent to a random address
high
Users will lose their cross-chain transaction if the destination router do not have enough WETH reserves.
high
Anyone can update the address of the Router in the DcntEth contract to any address they would like to set.
medium
DecentEthRouter.sol#_bridgeWithPayload() - Any refunded ETH (native token) will be refunded to the DecentBridgeAdapter, making them stuck
Dec '23
medium
The quorumVotes can be bypassed
medium
CultureIndex.sol#dropTopVotedPiece() - Malicious user can manipulate topVotedPiece to DoS the whole CultureIndex and AuctionHouse
medium
Bidder can use donations to get VerbsToken from auction that already ended.
medium
It may be possible to DoS AuctionHouse by specifying malicious creators
Nov '23
Collaborative Audit • Sherlock • EgisSecurity
Oct '23
high
Borrower has no way to update `maxTotalSupply` of `market` or close market.
high
Borrower can drain all funds of a sanctioned lender
medium
Function WildcatMarketController.setAnnualInterestBips allows for values outside the factory range
medium
`collectFees()` updates delinquency wrongly as `_writeState()` is called before assets are transferred
Sep '23
Aug '23
Jul '23
high
Sandwich attack to steal all ERC-20 tokens in the Fees contract
high
During refinance() new Pool balance debt is subtracted twice
high
[H-04] Lender#buyLoan - Malicious user could take over a loan for free without having a pool because of wrong access control
high
Using forged/fake lending pools to steal any loan opening for auction
medium
The `borrow` and `refinance` functions can be front-run by the pool lender to set high interest rates
medium
Single-step process for critical ownership transfer is risky
medium
Lender contract can be drained by re-entrancy in `seizeLoan`
medium
Rounding error leads to borrowing loans without paying interest
251.23 USDC • 2 total findings • CodeHawks • 0xdeth
#26