Apr '23
high: Reward accounting is incorrect in BathBuddy contract
high: DOS of market operations with malicious offers
high: Some offers can't be cancelled
medium: Use of `block.number` leads to incorrect interest calculations
medium: Fee inclusivity calculations are inaccurate in RubiconMarket
medium: Incorrect fee handling in Position.sol's Market Buy/Sell functions
medium: Zero reward rate calculation impedes low-decimals token distributions
medium: Attack on rounding errors to get risk-free profit
medium: Calling `Position._marketBuy` and `Position._marketSell` functions that calculate `_fee` by dividing by `10000` can cause incorrect calculations
Feb '23
high: Incorrect update of `cachedUserRewards` breaks tracking of rewards, allowing users to claim more than expected
medium: If a reward token is added with distribution starting in the future, the vault is broken until that point
medium: Wrong update of `ohmRemoved` in `withdraw()` means users can bypass `LIMIT`
high: Incorrect check in `claimCollateral` leads to the function always reverting
medium: Incorrect adjusted amount calculation in `getAdjustedLongAndShortTokenAmounts()` always reverts
medium: Variable subtracted where it should be assigned leads to `getAdjustedLongAndShortTokenAmounts()` reverting
medium: Incorrect funding amount due to precision loss in `getNextFundingAmountPerSize()` for markets with low open interest
Jan '23
high: Any user can drain the entire reward fund in MultiRewardStaking due to incorrect calculation of `supplierDelta`
medium: DOS of any Staking contract via arithmetic overflow
medium: Accrued performance fee calculation makes wrong assumptions about share decimals, leading to loss of shares or hyperinflation
medium: Fee-on-transfer tokens not supported
Nov '22
high: Protocol insolvent: permanent freeze of funds
medium: DAO admin in LiquidStakingManager.sol can rug the registered node operator by stealing their funds in the smart wallet via arbitrary execution
medium: Node runners can lose all their stake rewards because the DAO commission can be set to 100%
medium: Freezing of funds: attacker can prevent users' withdrawals in giant pools
medium: Adding non-EOA representative
high: Borrower can close a credit without repaying debt
medium: Reentrancy bug allows lender to steal other lenders' funds
medium: Mistakenly sent ETH could be locked
medium: `address.call{value: x}()` should be used instead of `payable.transfer()`
medium: Borrower/lender excess ETH not refunded and permanently locked in protocol
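The `payable.transfer()` finding above names a generic pattern: `transfer()` and `send()` forward only a 2300-gas stipend, so any recipient whose `receive()`/`fallback()` does more than log an event (a multisig, a smart-contract wallet, anything that writes storage) makes the transfer revert, and a refund path built on it becomes unwithdrawable. The following contracts are an added illustration written for this page, not code from the audited protocol; the contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical recipient: the storage write in receive() costs more than
// the 2300-gas stipend that transfer()/send() forward, so it rejects
// stipend-limited transfers. Smart-contract wallets behave the same way.
contract GasHungryReceiver {
    uint256 public received;

    receive() external payable {
        received += msg.value; // SSTORE alone exceeds 2300 gas
    }
}

// Weak pattern: refunds are paid with transfer(). For GasHungryReceiver the
// call reverts every time, so that user's balance can never be withdrawn.
contract RefundWithTransfer {
    mapping(address => uint256) public refunds;

    function deposit() external payable {
        refunds[msg.sender] += msg.value;
    }

    function withdraw() external {
        uint256 amount = refunds[msg.sender];
        refunds[msg.sender] = 0;
        payable(msg.sender).transfer(amount); // reverts for contract recipients needing >2300 gas
    }
}

// Hardened pattern: a low-level call forwards all remaining gas, so any
// recipient can accept the ETH. Because the callee can now re-enter, the
// balance is zeroed before the call (checks-effects-interactions) and the
// function is guarded against reentrancy.
contract RefundWithCall {
    mapping(address => uint256) public refunds;
    bool private locked;

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function deposit() external payable {
        refunds[msg.sender] += msg.value;
    }

    function withdraw() external nonReentrant {
        uint256 amount = refunds[msg.sender];
        require(amount > 0, "nothing to withdraw");
        refunds[msg.sender] = 0; // effect before interaction
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "ETH transfer failed");
    }
}
```

Deploying `GasHungryReceiver`, depositing from it into both refund contracts, and calling `withdraw()` shows the difference: the `transfer()` version reverts and the deposit stays locked, the `call` version pays out. The trade-off is that `call` hands the recipient arbitrary gas, which is why the hardened version zeroes the balance first and adds a reentrancy guard rather than relying on the stipend as an implicit guard.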
Sep '22
medium: Centralization risk: admin privileges allow setting an address that can mint any amount of frxETH, setting any address as validator, changing important state in frxETHMinter, and withdrawing funds from frxETHMinter
medium: `recoverEther` not updating `currentWithheldETH` breaks calculation of withheld amount for further deposits
Aug '22
medium: NFTs from an NFT collection or NFT drop collection can be locked when `_mint` or `mintCountTo` mints them to a contract that does not support ERC721
medium: Malicious creator can steal from collectors upon minting with a custom NFT contract
medium: `mintFromFixedPriceSale` for a custom contract can lead to users losing funds