May '25
high
medium
medium
medium
high
high
high
medium
Apr '25
high
medium
medium
Mar '25
medium
Feb '25
6,232.06 USDC • 7 total findings • Code4rena • rscodes
#4
high
A reserve's `d_supply` is incorrectly updated and stored after flash loan execution
medium
Removal of pool from reward zone does not allow gulping emissions which were already distributed in the past
medium
Pools Outside of the Reward Zone can keep receiving Blend Tokens
medium
Malicious actors can repeatedly dilute emissions to a longer timeframe
medium
Sensitive disclosure affecting V1
medium
When code defaults on remaining liability, it does not delete remaining auction which is problematic if the user has called fill with a % less than 100
medium
Attackers can maliciously inflate total_supply temporarily to exceed utilization rate limit and push the pool towards 100% util rate, potentially causing a loss of lender funds
Jan '25
high
medium
medium
medium
medium
medium
high
medium
medium
Dec '24
high
high
high
high
high
high
medium
medium
medium
medium
Nov '24
high
Oct '24
high
high
high
high
high
medium
medium
medium
medium
medium
medium
medium
medium
Sep '24
high
high
high
high
high
medium
Aug '24
high
Reentrancy Vulnerability Allows Bypass of Cooldown, Leading to Unfair Reward Extraction Through Flash Loan
high
Exposed `_removeCredIdPerAddress` & `_addCredIdPerAddress` allows anyone to cause issues to current holders as well as upcoming ones
high
`shareBalance` bloating eventually blocks curator rewards distribution
high
Signature replay in `createArt` allows to impersonate artist and steal royalties
medium
`PhiFactory:claim` Potentially Causing Loss of Funds If `mintFee` Changed Beforehand
medium
Attacker can DOS user from selling shares of a credId
medium
Lack of data validation when users are claiming their art allows malicious user to bypass signature/merkle hash to provide unapproved `ref_`, `artId_` and `imageURI`
Jul '24
high
`vestTokens` bug in MultiFeeDistribution.sol causes new incentives to erase previous incentives
medium
bug in `claim` allows users who are disqualified to claim their previously earned emissions
medium
Rewards may be spread out among the **wrong time period** due to the way the protocol calculates it
medium
`lastRPS` could be set to `0` accidentally
medium
Users of a vault can steal other user's rewards when one vault's `lastRewardTime` differs from another vault's `lastRewardTime`
Jun '24