Payouts
Nov '24
Mar '24
Feb '24
high
Malicious user can stake an amount which causes zero curStakeAtRisk on a loss but equal rewardPoints to a fair user on a win
high
A locked fighter can be transferred; leads to game server unable to commit transactions, and unstoppable fighters
high
Players have complete freedom to customize the fighter NFT when calling `redeemMintPass` and can redeem fighters of types Dendroid and with rare attributes
high
Player can mint more fighter NFTs during claim of rewards by leveraging reentrancy on the `claimRewards()` function
high
Fighters cannot be minted after the initial generation due to uninitialized `numElements` mapping
high
Non-transferable `GameItems` can be transferred with `GameItems::safeBatchTransferFrom(...)`
high
`FighterFarm::reroll` won't work for NFT id greater than 255 due to input limited to `uint8`
medium
NFTs can be transferred even if StakeAtRisk remains, so the user's win cannot be recorded on the chain due to underflow, and can recover past losses that can't be recovered (steal protocol's token)
medium
Can mint NFT with the desired attributes by reverting transaction
medium
Fighter created by mintFromMergingPool can have arbitrary weight and element
Dec '23
Nov '23
897.48 USDC • 2 total findings • Code4rena • immeas
#4
Oct '23
high
Attacker can drain all ETH from AuctionDemo when block.timestamp == auctionEndTime
high
Attacker can reenter to mint all the collection supply
high
Adversary can block `claimAuction()` due to push-strategy to transfer assets to multiple bidders
medium
`MinterContract::payArtist` can result in double the intended payout
medium
Bidder Funds Can Become Unrecoverable Due to 1 second Overlap in `participateToAuction()` and `claimAuction()`
medium
Auction winner can prevent payments via `safeTransferFrom` callback
Aug '23
Jul '23
medium
Initial deploy won't succeed because of too high `initialMintAmount` for USDC market
medium
Proposals which intend to send native tokens to target addresses can't be executed
medium
`fastTrackProposalExecution` doesn't check `intendedRecipient`
medium
`TemporalGovernor` can be bricked by `guardian`
medium
only `guardian` can change `guardian`
medium
malicious `emissionToken` could poison rewards for a market
medium
`excuteProposal` can fail due to Wormhole guardian change
high
`expressReceiveToken` can be abused using reentry
medium
Multisig can execute the same proposal repeatedly
medium
Deployer wallet retains ability to spoof validated senders after ownership transfer
medium
Gas fees are refunded to a wrong address when transferring tokens via `InterchainToken.interchainTransferFrom`
medium
Proposal requiring native coin transfers cannot be executed
medium
`TokenManager`'s flow limit logic is broken for `ERC777` tokens
7,938.71 USDC • Code4rena • immeas
Jun '23
May '23
high
Wrong address used for uniswap static oracle
high
uniswap trades are done without slippage
high
`USSD::mintRebalancer` and `USSD::burnRebalancer` are callable by anyone
high
protocol uses uniswap spot price when rebalancing
high
rebalancing calculates wrong sell amount and can revert
high
`StableOracleDAI` uses wrong decimals for chainlink feed
medium
no oracle staleness validation
medium
removing collateral will lock tokens in contract
Apr '23
high
`CollateralManager::commitCollateral` has no access control
high
`LenderCommitmentForwarder::updateCommitment` allows lender to be changed
medium
defaulting doesn't change the state of the loan
medium
market owner and protocol can game borrowers
medium
market owner can front run bids and lower default duration
medium
bids can be created against markets that don't exist
medium
due date and defaulting doesn't align
medium
last repayments are calculated incorrectly for "irregular" loan durations
high
Wrong calculation of repayment amount in Position contract
high
Position doesn't distribute rewards to users
high
Some positions will get liquidated immediately
high
Reward accounting is incorrect in BathBuddy contract
high
DOS of market operations with malicious offers
medium
Low level calls to accounts with no code will succeed in `FeeWrapper`
medium
Incorrect fee handling in Position.sol's Market Buy/Sell functions
medium
A liquidated position possibly cannot be closed
medium
Incorrect calculations can occur when calling `Position._marketBuy` and `Position._marketSell` functions that do not include maker fee in `_fee`
medium
Calling `Position._marketBuy` and `Position._marketSell` functions that calculate `_fee` by dividing by `10000` can cause incorrect calculations
Mar '23
high
winnings for an epoch are lost when rolling over
high
changing an existing rollover updates the `ownerToRollOverQueueIndex` wrong
high
`depositFee` can be bypassed
high
executed rollovers can be delisted which trades places with last unexecuted one
high
malicious contract can DoS queues
medium
gas costs for minting rollovers are inflated by lost positions
medium
emissions for null epochs are lost
Feb '23
high
`Vault::claimTokens` uniswap swaps can be abused
medium
vault stakers and game players share the same reward pool
medium
multiple withdrawalRequest before the first rebalance will burn LPTokens but only give underlying for the last request
medium
`XChainController::sendFundsToVault` can be griefed and leave `XChainController` in a bad state
medium
calling `pushTotalUnderlyingToController` on an inactive vault will break rebalance
medium
`Vault::pullFunds` doesn't pull funds from underlying providers correctly
medium
allocations to a blacklisted protocol will stop rebalancing
medium
blacklisted protocol still accrues rewards
medium
`Swap::swapStableCoins` assumes 1:1 price
high
a protection seller can deposit and withdraw in the same cycle
high
a secondary market for sTokens is dangerous with how withdrawals work
high
a buyer of protection can overprotect their position
high
non claimed `unlockedFunds` are stuck in `ProtectionPool`
medium
secondary markets are problematic with how `lockCapital` works
Jan '23
high
First vault depositor can steal other's assets
high
Staking rewards can be drained
medium
The calculation of `takeFees` in `Vault` contract is incorrect
medium
Anyone can reset fees to 0 value when Vault is deployed
medium
`Vault::takeFees` can be front run to minimize `accruedPerformanceFee`
medium
`quitPeriod` is effectively always just `1 day`
Dec '22
high
Hijacking of node operators minipool causes loss of staked funds
high
node operator is getting slashed for full duration even though rewards are distributed based on a 14 day cycle
medium
any duration can be passed by node operator
medium
slashing fails when node operator doesn't have enough staked `GGP`
medium
MultisigManager may not be able to add a valid Multisig
medium
State Transition: Minipools can be created using other operator's AVAX deposit via recreateMinipool
medium
NodeOp funds may be trapped by an invalid state transition
Nov '22
high
Giant pools can be drained due to weak vault authenticity check
high
Old stakers can steal deposits of new stakers in `StakingFundsVault`
medium
Incorrect implementation of `ETHPoolLPFactory.sol#rotateLPTokens` lets user stake more ETH than `maxStakingAmountPerValidator` in `StakingFundsVault`, and DOS the stake function in `LiquidStakingManager`
Oct '22
Sep '22
Aug '22
Jul '22