Sherlock
Jul '24
Findings not publicly available for private contests.
May '24
high
`PositionMarginProcess::updateAllPositionFromBalanceMargin()` error: users can update `position.initialMarginInUsdFromBalance` in all positions by depositing a small amount of funds
high
`AccountFacet::batchUpdateAccountToken()` lacks calling permission. Anyone can call this method to add any number of tokens to the account.
Apr '24
high
`Edition::mintBatch()-0x904868b2`: the attacker can mint tokens for free
medium
`Edition::mint()` does not check and process user input, `_refundExcess()` is invalid, and an attacker can tail the transaction and consume the ETH in the contract to mint tokens for free
medium
`Edition::mintBatch()-0x1f7fdffa` design error, batch minting tokens does not work as expected
high
Liquidity providers can maliciously burn tokens, causing the final result of `ZivoeITO::claimAirdrop()` to deviate significantly from expectations.
high
Every time you call `ZivoeRewards::depositReward()` to deposit a reward, after the reward is vested, there will almost always be some dust left behind, and the amount will expand infinitely.
high
Anyone can call `ZivoeRewardsVesting::depositReward()` to deposit the corresponding token, lower the `rewardRate` and postpone `periodFinish` indefinitely
Mar '24
high
`Auctioneer::auction()` uses the wrong lotId value to get `Routing storage routing` and fails to save data as expected.
high
Calling `AuctionHouse::claimProceeds()` will modify `Auction.Status`, causing `AuctionHouse::claimBids()` to revert and the buyer cannot withdraw the token.
high
Repeated calculation of `routing.funding` resulted in `AuctionHouse::claimProceeds()::prefundingRefund` error, and the seller could not normally get the proceeds (quote tokens) and refund (base tokens)
Feb '24
Jan '24