#457 All Time
May '25
high
Incorrect Debt Clearance During Cross-Chain Repayments Leading to Protocol Losses
high
Incorrect Cross-Chain Collateral Verification Leading to Over-Collateralization Requirement
high
Cross-Chain Borrowing State Corruption Due to Improper Mapping Updates
high
Incorrect Interest Accrual in Cross-Chain Borrow Update
high
Cross-Chain Debt Repayment Failure
high
Incorrect Liquidation Eligibility Check in Cross-Chain Lending Protocol
high
Cross-Chain Liquidation Debt Settlement Mismatch
high
Attackers Will Drain Collateral Reserves Through Faulty Liquidations
medium
Incorrect Application of Token-Specific borrowIndex on Aggregate Borrow Value
medium
Inefficient Liquidation Due to Close Factor Applied Only to Principal
Apr '25
Mar '25
Feb '25
high
Multiple Delegation by Double Spending Boosts and Lack of Delegation Tracking in BoostController Contract
high
Delegation Boost Not Usable by Delegatees
high
`BaseGauge` users can claim rewards without staking
high
Multiple issues from unnecessary balance increase calculation in DebtToken.mint
high
Incorrect Reward Claim Logic in FeeCollector::claimRewards Causes Denial of Service
high
Users can borrow more assets than they have deposited as collateral
high
Double Usage Index Scaling in StabilityPool Liquidation Inflates Required CRVUSD Balance
high
Attackers can double voting power and veToken amount by locking and increasing
high
Gauge Voting Misallocation Vulnerability
high
Gauge rewards are not transferred to gauge when distributeRewards() is called
high
Multiple calls to `BaseGauge::notifyRewardAmount()` override existing reward rate, causing loss of rewards for stakers
medium
`MAX_TOTAL_SUPPLY` Bypass in `veRAACToken` via `increase()` Function
medium
Gauge reward period can be extended indefinitely
medium
Incorrect DebtToken totalSupply Scaling Breaks Interest Rate Calculations
medium
Incorrect Return Values and Double Scaling in `RToken.burn` Function Leads to Denial of Service
medium
LendingPool deposits do not work with CurveVault due to lack of funds
medium
Multiple Critical Calculation And Logic Errors in `RToken::mint/burn` Function
medium
Workingsupply would always be overwritten in boostcontroller.sol impacting reward calculations
medium
Permanent boost inflation through delegation removal in Boostcontroller.sol
medium
Proposal Front-Running via Predictable Salt in `TimelockController::scheduleBatch`
medium
Flawed Boost Multiplier Calculation Always Yields Maximum Boost
medium
Incorrect rewardRate management in BaseGauge
medium
Missing Update of `lastUpdateTime` in `updatePeriod()`
medium
Failure to Reset `rewardRate` in `updatePeriod()`
low
`mint` function in RToken contract doesn't return the correct expected values, leading to emission of ReserveLibrary `Deposit` event and LendingPool `Deposit` event with incorrect values.
low
Limited veRaac Token Supply Triggers DoS, Hampering Proper Governance Participation.
low
Unauthorized Vote Casting Vulnerability
low
Incorrect Initialization of minBoost in BaseGauge Constructor Breaks Core Contract Functionality
low
Missing Checkpoint Reset in `veRAACToken::emergencyWithdraw` Function
low
Insufficient ETH Forwarding in Governance Execution Mechanism Causes Proposal Failures
low
Missing `BaseGauge::distributionCap` validation leads to over-emission of rewards
low
Wrong event emitted in `LendingPool::_repay`
Jan '25
high
Incorrect Credit Capacity Validation in `VaultRouterBranch.redeem` Enables Locked Collateral Drainage
high
Vaults weth reward is not distributed correctly
high
Unclaimed Rewards Loss Due to Missing Validation in `VaultRouterBranch.stake()`
high
Incorrect Debt Check in `CreditDelegationBranch::settleVaultsDebt` Function
high
Incorrect calculation in CreditDelegationBranch::withdrawUsdTokenFromMarket allows attacker mint any amount of usdz
medium
Attacker can manipulate the amount of output tokens of users in ZlpVault
medium
Issue with Decimal Offset Calculation Leading to Weak Donation Protection
Sep '24
high
Boost Creators Unable to Retrieve Funds or Draw Raffle Winners Due to Missing Entry Points
high
Malicious Actor Can Block Incentive Claims for Legitimate Users
medium
Inability to Handle Fee-on-Transfer Tokens in Budget Allocation
medium
Unlimited Referral Fee Allows Boost Creator to Bypass Protocol Fee
medium
Vulnerable Randomness in drawRaffle() Allows Manipulation of Raffle Results by Malicious Actors
Aug '24
high
TokenManager - Unlimited withdraw
high
Native token withdrawal fails until manually approved
high
Formulaic Error Rounds Down Causing Total Loss Of Funds For Bid Takers During Abort
high
Malicious user can drain protocol by bypassing `ASK` offer abortion validation in `Turbo` mode
high
Token withdrawal fails until someone manually approves spending
high
Fund Withdrawal Flaw in preMarket Allows Users to Avoid Settlement Obligations
low
`listOffer` Unsafely References Fungible Identifiers