May '25
high
Findings not publicly available for private contests.
Findings not publicly available for private contests.
Apr '25
Findings not publicly available for private contests.
Mar '25
high
high
Feb '25
high
high
Faulty Gauge Weight Update Formula: Voting Power Delta Not Considered Leading to Arithmetic Underflow and Vote Weight Inconsistency
high
RAACNFT mint function receives funds to address(this) but has no way of withdrawing them
high
Users Can Overwrite Existing Locks in veRAACToken Resulting in Permanent Loss of Funds
high
Reward manipulation vulnerability in StabilityPool
high
Incorrect Reward Claim Logic in FeeCollector::claimRewards Causes Denial of Service
high
RToken's transfer function leads to loss of funds due to incorrect math
high
Users can borrow more assets than they have deposited as collateral
high
NFTs Get Permanently Locked in Stability Pool After Liquidation
high
Double Usage Index Scaling in StabilityPool Liquidation Inflates Required CRVUSD Balance
high
Ownership Parameter Mismatch in LendingPool’s Vault Withdrawal Logic
high
Attackers can double voting power and veToken amount by locking and increasing
high
Ineffective Time-Weighted Average Implementation in Fee Distribution
medium
Incorrect utilization rate forces protocol to issue maximum rewards indefinitely
medium
LendingPool deposits do not work with CurveVault due to lack of funds
medium
Multiple Critical Calculation And Logic Errors in `RToken::mint/burn` Function
medium
There is no logic checking for RAACNFT price staleness before minting it
medium
`RToken::calculateDustAmount` is incorrectly calculated, making it impossible to transfer the accrued dust amount
medium
Missing Liquidity Rebalancing in Repayments and Liquidations Leading to Inefficient Liquidity Management
medium
hardcoded baseamount in Updateuserboost function causes users with small token holdings to receive higher boosts relative to their holdings t
medium
Permanent boost inflation through delegation removal in Boostcontroller.sol
medium
FeeCollector stakeholders may receive less fee distribution due to unnecessary precision loss
medium
Usage rate is increased even when no debt is present in `LendingPool`
medium
Proposal Front-Running via Predictable Salt in `TimelockController::scheduleBatch`
medium
When the prime rate is updated by the oracle, the values of the sub-rates are not adjusted accordingly, which can cause loss of assets for borrowers
medium
Portion of revenue to be distributed for gauges remains undistributed
low
Canceled vote still gets voted on and accumulates voting power in Goverance.sol
low
Impossible to rescue funds from `RToken` contract
low
`FeeCollector::updateFeeType` wrong fee share validation leads to impossible update for some fee types
low
Boost Delegation Allows Invalid Recipients on BoostController
low
Incorrect Mint() Event Emission in RToken#mint()
low
Wrong event emitted in `LendingPool::_repay`
Jan '25
high
Findings not publicly available for private contests.
Findings not publicly available for private contests.
Dec '24
Findings not publicly available for private contests.
high
Replay attack vulnerability in `withdraw` function due to nonce mismanagement, in `CDS` contract
high
Arbitrary price manipulation in `redeemUSDT` function enables treasury drain
high
Missing access control in `updateDownsideProtected` allows arbitrary manipulation
high
Exploitable high `strikePrice` input allows borrowers to minimize withdrawals
medium
Incorrect borrower count and withdrawal issues due to improper flag handling in `treasury` contract
medium
Inconsistent `lastEthprice` updates impact omnichain data calculations
medium
`calculateCumulativeRate` always returns `lastCumulativeRate` due to incorrect `lastEventTime` update
medium
Excess ether not refunded to users in `depositTokens` function
Nov '24
high
Fee calculation vulnerability will overcharge users during vote purchases
high
Attacker can gain an advantage by manipulating the order in which votes are bought and sold.
medium
`slash` function lacks 24-hour lock mechanism for accused staking and withdrawals
medium
Multiple fee miscalculation leads to inaccurate implementation of the fee model
high
high
Missing NFT claim mechanism prevents buy order owners from accessing transferred NFTs
medium
Valid lenders and borrowers may not receive their incentives due to sequence of `lenders`
medium
Lack of handling for unclaimed incentives causes permanent lockup of funds
medium
Loan extension miscalculation will cause reversion of extendLoan
medium
Borrowers will face excessive principal loss due to incorrect fee calculation(`feeOfMaxDeadline`) in loan extension
medium
Inconsistent `isActive` state in `DLOImplementation` enables repeated exploitation of `changePerpetual` to clear factory lend orders
medium
Incorrect calculation of extended loan days leads to unfair borrower fees
medium
Incorrect interest handling after loan extension leads to lender losses
medium
Attacker manipulates precision loss to overcharge borrower on APR
Oct '24
high
Subtraction in `variance()` will revert due to underflow
high
Potential underflow vulnerability in score range calculation of `LLMOracleCoordinator::finalizeValidation`, leading to DoS.
medium
Platform fees withdrawal will sweep oracle agents earned fees
medium
Request responses and validations can be mocked leading to extraction of fees and/or forcing other generators to lose their fees by making them outliers
medium
Phase calculation inaccuracy will always extend sell phase and cut withdrawal phase time
low
high
high
high
high
medium
high
medium
Sep '24
high
high
medium