Jan '25
high
The calculation of `totalAssets()` could be wrong if `operatorFeeAmount` > 0; this can cause potential loss for the new depositors
medium
User can earn rewards by frontrunning the new rewards accumulation in Ron staking without actually delegating his tokens
medium
Incorrect Logic in onlyOperator Modifier Leading to Denial-of-Service for Authorized Operators Across Critical Functions
Jul '24
high
`mintToken()`, `mintWithBudget()`, and `forge()` in the `TraitForgeNft` Contract Will Fail Due to a Wrong Modifier Used in `EntropyGenerator.initializeAlphaIndices()`
high
The maximum number of generations is infinite
high
Number of entities in generation can surpass the 10k number
high
Wrong minting logic based on total token count across generations
medium
There is no slippage check in the `nuke()` function.
medium
Pause and unpause functions are inaccessible
high
Market Disruption and Financial Loss Post-Liquidation
medium
Insufficient checks to confirm the correct status of the sequencerUptimeFeed
medium
A malicious User can DOS all offchain orders making them unexecutable and leaving the protocol in an insolvent state. Also all offchain Trades can also be DOSed for honest parties that do not meet the fillorder requirements (no try and catch)
medium
An Uninitialized Variable In The `MarketConfiguration::update` Function Causes The `PrepMarket::getIndexPrice` Function To Revert
medium
Incorrect liquidatable checking for market order creation
low
Functions calling `verifyReport` to verify offchain prices from chainlink will fail
low
Liquidation of accounts collateral not possible because some chainlink price feeds don't exist or are marked as medium risk by chainlink
low
Attacker can abuse the system by modifying the collateral of pending orders
low
payable Modifier in TradingAccountBranch::createTradingAccountAndMulticall
low
UpgradeBranch.sol does not use _disableInitializers()
Jun '24
high
Users won't liquidate positions because the logic used to calculate the liquidator's profit is incorrect
medium
Borrower is not able to compensate his lenders if he is underwater
medium
Size uses wrong source to query available liquidity on Aave, resulting in borrow and lend operations being bricked upon mainnet deployment
medium
Users cannot buy/sell minimum credit allowed due to exactAmountIn condition
May '24
Apr '24
high
Incorrect withdraw queue balance in TVL calculation
high
Withdrawals of rebasing tokens can lead to insolvency and unfair distribution of protocol reserves
high
Withdrawals logic allows MEV exploits of TVL changes and zero-slippage zero-fee swaps
high
ETH withdrawals from EigenLayer always fail due to `OperatorDelegator`'s nonReentrant `receive()`
medium
Lack of slippage and deadline during withdraw and deposit
medium
`calculateTVL` may run out of gas for modest number of operators and tokens breaking deposits, withdrawals, and trades
medium
Fixed heartbeat used for price validation is too stale for some tokens
medium
Withdrawals and Claims are meant to be pausable, but it is not possible in practice
Mar '24
Jan '24
Oct '23