#125 All Time
Mar '24
Jan '24
high: LiquidationModule.liquidate updates global position data with stale price
high: The updatePythPrice modifier should add an empty array check
high: The owner of any position can close the position with the minimum tradeFee regardless of the additionalSize of the position
high: LimitOrder.cancelLimitOrder can be used to unlock position with LeverageClose order
high: LeverageModule.executeOpen doesn't apply Check-Effect-Interaction pattern
medium: Malicious users can obtain large amounts of FMP at a small cost
medium: In LeverageModule.executeOpen/executeAdjust, vault.checkSkewMax should be called after updating the global position data
medium: If the oracle from Pyth is down, OracleModule._getPrice will always revert
Dec '23
Oct '23
2,964.08 USDC • 1 total finding • Code4rena • nobody2018
#9
Sep '23
high: All tokens can be stolen from `VirtualAccount` due to missing access modifier
medium: Incorrect flag results in _hasFallbackToggled always being set to false in createMultipleSettlement
medium: If RootBridgeAgent.lzReceiveNonBlocking reverts internally, the native token sent by relayer to RootBridgeAgent is left in RootBridgeAgent
medium: BaseBranchRouter._transferAndApproveToken may revert in some cases
medium: When using BaseBranchRouter as a router on the 'Arbitrum' branch, we are unable to invoke the 'callOutAndBridge' function
high: In DonationVotingMerkleDistributionBaseStrategy._registerRecipient, the status returned by _getUintRecipientStatus(recipientId) is always the status of the first recipient
high: allocator.voiceCredits is never accumulated throughout the QVSimpleStrategy._allocate flow
medium: Funds may be stuck in QVSimpleStrategy in some cases
medium: Allocator can significantly increase the number of votes of a certain recipient by calling Allo.allocate/batchAllocate multiple times
medium: The protocol cannot use a fee-on-transfer token as pool.token
medium: RFPSimpleStrategy._distribute will revert in most cases
medium: If RFPSimpleStrategy wants to use the registry anchor, _registerRecipient will always revert
Aug '23
Jul '23
high: All rewardTokens may be stuck in BalancerAuraDestinationVault/CurveConvexDestinationVault
high: LiquidationRow._performLiquidation should delegatecall IAsyncSwapper.swap
high: LMPVaultRouterBase.mint/deposit will make the user's weth be stolen in some cases
high: IncentivePricingStats.updatePricingInfo updates fast/slow filters with the wrong average price
high: LMPVault._withdraw may cause some idleIncrease to be ignored, causing _baseAsset to get stuck in LMPVault
medium: ConvexRewardsAdapter._claimRewards will revert in some cases
medium: When DestinationVault is at loss, LMPVault._withdraw may revert in some cases due to underflow
677.54 USDC • Code4rena • nobody2018
#5
Jun '23
high: In a specific case, a PartyB that should not be liquidated is liquidated due to wrong allocation in AccountFacet.depositAndAllocateForPartyB
high: Malicious PartyA/PartyB can prevent themselves from being liquidated
medium: LiquidationFacetImpl.liquidatePartyB should call returnTradingFee to return the trading fee to PartyA when processing a quote whose status is LOCKED/CANCEL_PENDING
medium: When symbol manager modifies the tradingFee of a certain symbol via ControlFacet.setSymbolTradingFee, the value returned by LibQuote.returnTradingFee is not the original fee
medium: PartyBFacetImpl.lockQuote doesn't actually increment partyBNonces[partyB][partyA] by 1
medium: Quotes that have already been liquidated can be liquidated again in some cases
medium: PartyA can front-run PartyBFacetImpl.emergencyClosePosition to prevent PartyB from closing position
May '23
high: StableOracleDAI/StableOracleWBGL.getPriceUSD will never succeed due to wrong DAIEthOracle/staticOracleUniV3
high: StableOracleDAI.getPriceUSD incorrectly uses the price returned by priceFeedDAIETH.latestRoundData()
high: USSDRebalancer.SellUSSDBuyCollateral will revert in certain cases
high: USSD.UniV3SwapInput executes uniRouter.exactInput without slippage protection
high: Attacker can manipulate the return value of USSDRebalancer.getOwnValuation for profit
high: USSD.mintRebalancer/burnRebalancer lacks onlyBalancer modifier
high: Malicious user transfers USSD or DAI to uniPool to affect the return value of USSDRebalancer.getSupplyProportion
medium: StableOracleDAI/StableOracleWETH/StableOracleWBTC.getPriceUSD may use a stale price
Apr '23
high: CollateralManager.commitCollateral can not only block the lender from accepting any loan bids, but also make all collateral of all loans stuck in the contract forever
medium: updateCommitmentBorrowers does not delete all existing users
medium: If the collateral is a fee-on-transfer token, repayment will be blocked
high: RubiconMarket batchOffer and batchRequote make offers as self; complete loss of funds for some types of tokens, for example WETH
high: Reward accounting is incorrect in BathBuddy contract
high: An attacker can steal all tokens of users that use `FeeWrapper`
medium: Fee inclusivity calculations are inaccurate in RubiconMarket
medium: Both buyAllAmountWithLeverage and sellAllAmountWithLeverage always revert
Mar '23
high: relayer can never successfully execute mintDepositInQueue and mintRollovers due to ERC1155's _doSafeTransferAcceptanceCheck
high: Due to rolloverQueue.pop(), mintRollovers may skip some users' QueueItem
high: If a user won the epoch they are rolling over, mintRollovers will cause them to lose funds
medium: triggerDepeg and triggerEndEpoch will revert when the treasury of ControllerPeggedAssetV2 is different from the treasury of the new VaultV2
medium: Malicious user can make rolloverQueue never get processed
medium: ChangeTreasury does not correctly set the new treasury address and does not remove the old treasury address from whitelist
Feb '23
high: Attacker uses flashloan for arbitrage resulting in user interest loss
high: Attacker can prevent the system from entering step 5 during the rebalancing period
medium: User fund loss when rebalancingPeriod is not initialized
medium: Game users may lose this round of rewards if they call rebalanceBasket before the end of step 8
medium: At step 5 attacker can prevent xChainController from sending funds to vaults