Jan '25
Collaborative Audit • Sherlock • g
Dec '24
Collaborative Audit • Sherlock • g
Oct '24
Sep '24
high
Transfers from the rebate manager's token vault always fail due to lack of bump seed
high
Quote pools are expected to have same base token and quote token but this is not enforced in swaps
medium
Attacker can control rebate managers for supported tokens since there is only 1 rebate manager per quote token
medium
Rebate authority is unable to claim fee due to incorrect constraint not allowing rebate manager admin authority
high
Attacker can relist a floor item and cancel the listing to underflow `listingCount` and block collection shutdown execution
high
Voters can not recover their collection tokens after shutdown is canceled
high
Non-existent checkpoint index is used when creating Protected Listings
high
Borrowers can bypass interest payments and pay off principal until 0.06 ether remains
medium
Fee exemptions do not work since incorrect value is packed in `feeOverrides` storage
medium
Admin can not set the pool fee since it is only set in memory
medium
Swaps will revert or unnecessarily cancel due to a mismatched comparison of fTokens with ETH specified amount
medium
AMM beneficiary can not collect fees when beneficiary is a pool
medium
FTokens are burned after `quorumVotes` are recorded making a portion of the shares unclaimable
Aug '24
Jul '24
Jun '24
high
Minting and batch minting auth can be bypassed by anyone
medium
Limited users are allowed access when not strict but instead fail due to underflow
medium
Expired blacklisting leads to greater access
medium
Permission checks will unnecessarily consume Limited uses
medium
Valid VFS paths with usernames can always fail validation
medium
Calculating tax amount does not include taxes in `WasmMsg::Execute` messages
Apr '24
Feb '24
high
Increase in exchange rate between queueing and rebalancing can break withdrawals
high
Undelegating Operator can break withdrawals and lead to insolvency
high
Eigenlayer withdrawals brick future withdrawals due to no update of current epoch
high
Deactivating an operator with a validator cap will always revert
high
Inflated operator utilization when out-of-order exits are reported can block ETH allocations
Jan '24
medium
medium
medium
Aug '23
high
The settle feature will be broken if an attacker arbitrarily transfers collateral tokens to the PerpetualAtlanticVaultLP
high
Incorrect precision assumed from RdpxPriceOracle creates multiple issues related to value inflation/deflation
high
Users can get immediate profit when deposit and redeem in `PerpetualAtlanticVaultLP`
medium
reLP() mintokenAAmount calculations are wrong
medium
Can not withdraw RDPX if WETH withdrawn is zero
May '23
Mar '23
Feb '23
Jan '23
high
First vault depositor can steal others' assets
high
Attacker can steal 99% of total balance from any reward token in any Staking contract
high
Attacker can deploy vaults with a malicious Staking contract
high
Staking rewards can be drained
high
Modifier VaultController._verifyCreatorOrOwner does not work as intended
medium
DOS any Staking contract with Arithmetic Overflow
medium
`MultiRewardStaking.changeRewardSpeed()` breaks the distribution
medium
Faulty Escrow config will lock up reward tokens in Staking contract