Payouts
1st Places
2nd Places
3rd Places
All
Sherlock
Code4rena
Cantina
CodeHawks
Jan '24
high
Whitelised accounts can be forcefully DoSed from buying curveTokens during the presale
high
Unrestricted claiming of fees due to missing balance updates in `FeeSplitter`
medium
onBalanceChange causes previously unclaimed rewards to be cleared
medium
Theft of holder fees when `holderFeePercent` was positive and is set to zero
Dec '23
high
swap fees going to the liquidation pool manager contract will be accounted for as part of the liquidation amount
medium
Fees are hardcoded to 3000 in ExactInputSingleParams
medium
Wrong Implementation of `LiquidationPool::empty` excludes holder with pending stakes when decreasing a position, resulting in exclusion from asset distribution
medium
Incorrect calculation of amount of EURO to burn during liquidation
high
A user can steal an already transfered and bridged reSDL lock because of approval
medium
Attacker can exploit lock update logic on secondary chains to increase the amount of rewards sent to a specific secondary chain
low
Updates from the `secondary pool` to the `primary pool` may not be sent because there are `no rewards` for the secondary pool
high
`ArtPiece.totalVotesSupply` and `ArtPiece.quorumVotes` are incorrectly calculated due to inclusion of the inaccessible voting powers of the NFT that is being auctioned at the moment when an art piece is created
medium
Once EntropyRateBps is set too high, can lead to denial-of-service (DoS) due to an invalid ETH amount
medium
`ERC20TokenEmitter::buyToken` function mints more tokens to users than it should do
medium
Since buyToken function has no slippage checking, users can get less tokens than expected when they buy tokens directly
medium
The quorumVotes can be bypassed
medium
CultureIndex.sol#dropTopVotedPiece() - Malicious user can manipulate topVotedPiece to DoS the whole CultureIndex and AuctionHouse
medium
`encodedData` argument of `hashStruct` is not calculated perfectly for EIP712 singed messages in `CultureIndex.sol`
medium
Re-triggering the `canOffboard[term]` flag to bypass the DAO vote of the lending term offboarding mechanism
medium
ProfitManager's "creditMultiplier" calculation does not count undistributed rewards; this can cause value losses to users
medium
LendingTerm debtCeiling function uses creditMinterBuffer incorrectly
Nov '23
medium
medium
medium
medium
medium
208.9 USDC • 2 total findings • Code4rena • rvierdiiev
#15
high
Oct '23
high
Block of GMXVault by using GMX UI fee
high
`GMXVault` can be blocked by a malicious actor
high
Incorrect Execution Fee Refund address on Failed Deposits or withdrawals in Strategy Vaults
high
Withdraw function provides more funds to withdrawer
medium
The protocol will mint unnecessary fees if the vault is paused and reopened later.
medium
Missing minimum token amounts in the emergency contract functions allows MEV bots to take advantage of the protocols emergency situation
medium
Incorrect state transition may cause vault in stuck
medium
GMXVault can stop working in case if GMX will change `Keys.MAX_CALLBACK_GAS_LIMIT` to smaller than 2 millions
medium
Rewards from GMX are sent to Trove only in deposit and withdraw functions
medium
In case if withdraw has failed, then processWithdrawFailure will decrease exchange rate of GMXVault shares
medium
All functions that burn or mint shares for user's should mintFee for protocol before
medium
Inaccurate Fee Due to missing lastFeeCollected Update Before feePerSecond Modification
low
ChainlinkARBOracle.consult will revert phase id was increased for chainlink aggregator
4,217.14 USDC • 1 total finding • Code4rena • rvierdiiev
#7
high
Lenders can escape the blacklisting of their accounts because they can move their MarketTokens to different accounts and gain the WithdrawOnly Role on any account they want
high
Borrower has no way to update `maxTotalSupply` of `market` or close market.
high
Borrowers can escape from paying half of the penalty fees by closing the market, and those remaining penalty fees will be covered by the lender who withdraws last
high
Borrower can drain all funds of a sanctioned lender
medium
`setAnnualInterestBips()` can be abused to keep a market's reserve ratio at 90%
medium
Blocked accounts keep earning interest contrary to the WhitePaper
Sep '23
high
All tokens can be stolen from `VirtualAccount` due to missing access modifier
medium
ArbitrumCoreBranchRouter.executeNoSettlement can't handle 0x07 function
medium
Incorrect source address decoding in RootBridgeAgent and BranchBridgeAgent's _requiresEndpoint breaks LayerZero communication
medium
If RootBridgeAgent.lzReceiveNonBlocking reverts internally, the native token sent by relayer to RootBridgeAgent is left in RootBridgeAgent
medium
No deposit cross-chain calls/communication can still originate from a removed branch bridge agent
medium
`ArbitrumBranchBridgeAgent::_performFallbackCall` Function Does Not Refund Users Their Excess Native Gas Deposit
high
User can frontrun RFPSimpleStrategy._allocate in order to increase his bid
high
Anyone can call RFPSimpleStrategy.setPoolActive
high
QVSimpleStrategy allows allocator to use as many votes as he wishes
medium
Protocol isn't compatible with fee on transfer tokens
medium
RFPSimpleStrategy will not work when useRegistryAnchor is set
medium
Allocator who allocates additional votes to same recipient can provide more votes
medium
In case if QVSimpleStrategy pool will be funded after some user's already received payment, then distribution will be incorrect
high
Users Lose Funds and Market Functionality Breaks When Market Reachs 65k Id
high
Owner of a bad ShortRecord can front-run flagShort calls AND liquidateSecondary and prevent liquidation
high
Previous NFT owner can burn NFT from the new owner
medium
Possible DOS on deposit(), withdraw() and unstake() for BridgeReth, leading to user loss of funds
medium
User can create small position after exit with bid
Aug '23
high
The settle feature will be broken if attacker arbitrarily transfer collateral tokens to the PerpetualAtlanticVaultLP
high
Put settlement can be anticipated and lead to user losses and bonding DoS
high
The peg stability module can be compromised by forcing lowerDepeg to revert.
high
Users can get immediate profit when deposit and redeem in `PerpetualAtlanticVaultLP`
high
`UniV3LiquidityAMO::recoverERC721` will cause `ERC721` tokens to be permanently locked in `rdpxV2Core`
medium
Can not withdraw RDPX if WETH withdrawn is zero
medium
Change of `fundingDuration` causes "time travel" of `PerpetualAtlanticVault.nextFundingPaymentTimestamp()`
Jul '23
high
Sandwich attack to steal all ERC-20 tokens in the Fees contract
high
Borrower can use Refinance to cancel auctions so they can extend their loan indefinitely
high
During refinance() new Pool balance debt is subtracted twice
high
[H-04] Lender#buyLoan - Malicious user could take over a loan for free without having a pool because of wrong access control
high
Fee on transfer tokens will cause users to lose funds
high
Forcing a borrower to pay a huge debt via the giveLoan()
high
Hardcoded Router Address May Cause Token Lockup in Non-Standard Networks
medium
No expiration deadline leads to losing a lot of funds
medium
Fixed fee level is used when swap tokens on Uniswap
1,499.02 USDC • 7 total findings • CodeHawks • rvierdiiev
high
Theft of collateral tokens with fewer than 18 decimals
high
There is no incentive to liquidate small positions
medium
DSC protocol can consume stale price data or cannot operate on some EVM chains
medium
Chainlink oracle will return the wrong price if the aggregator hits `minAnswer`
medium
Too many DSC tokens can get minted for fee-on-transfer tokens.
medium
`liquidate` does not allow the liquidator to liquidate a user if the liquidator HF < 1
medium
Protocol can break for a token with a proxy and implementation contract (like `TUSD`)
41.06 USDC • 2 total findings • CodeHawks • rvierdiiev
#50
high
Resetting delegation will result in user funds being lost forever
high
`Vault.mintYieldFee` FUNCTION CAN BE CALLED BY ANYONE TO MINT `Vault Shares` TO ANY RECIPIENT ADDRESS
high
Vault is not compatible with some erc4626 vaults
medium
depositWithPermit and mintWithPermit are allowed to be called by permit creator only
medium
Claimer.claimPrizes can be frontrunned in order to make losses for the claim bot
medium
`VaultFactory` allows deployment of vaults with non-authentic `TwabController` and `PrizePool`
medium
Unintended or Malicious Use of Prize Winners' Hooks
high
`_liquidateUser()` should not re-use the same minimum swap amount out for multiple liquidation
high
Liquidated USDO from BigBang not being burned after liquidation inflates USDO supply and can threaten peg permanently
high
`LidoEthStrategy._currentBalance` is subject to price manipulation, allows overborrowing and liquidations
high
Ability to steal user funds and increase collateral share infinitely in BigBang and Singularity
high
Tokens can be stolen from other users who have approved Magnetar
high
twTAP.claimAndSendRewards() will claim the wrong amount for each reward token due to the use of wrong index.
high
Anybody can buy collateral on behalf of other users without having any allowance using the multiHopBuyCollateral()
high
The BigBang contract take more fees than it should
high
Rewards compounded in AaveStrategy are unredeemable
high
[HB10] `AaveStrategy.sol`: Changing swapper breaks the contract
medium
`totalCollateralShare` state variable not updated in `Singularity` market upon liquidation, resulting in an error on `addCollateral` with skim functionality
medium
SGLLeverage/BigBang `buyCollateral` Can Be Exploited to Steal Asset Approvals & Collateral
medium
Tapioca Bar: Unusable Market Add Functions in Penrose Contract
medium
BigBang and Singularity should not pause repay() and liquidate()
medium
Incorrect `eligibleAmount` for `AirdropBroker` Phase 3
medium
`emitForWeek` will lose `emissionForWeek` if one week is skipped
medium
`extractTAP()` function can allow minting an infinite amount in one week, leading to a DoS attack in `emitForWeek()`
medium
TOFT `exerciseOption` fails due to not passing `msg.value` properly
medium
Using `setBigBangEthMarketDebtRate` or `setBigBangConfig` cause incorrect interest calculation due to retroactively applying the interest rate
medium
Missing deadline checks allow pending transactions to be maliciously executed
medium
There is no mechanism to track and resolve bad debt
medium
`MagnetarV2#burst` double counts `msg.value` for `TOFT_WRAP` operation, making the transaction revert unless the user overpays
medium
all deposit and withdraw function in Convex and Curve nativeLP Strategy, apply slippage on internal pricing; which call real-time on chain price from Curve directly and subject to MEV
medium
SGLLeverage.multiHopSellCollateral checks swapper on wrong chain
medium
USDOOptionsModule.exercise doesn't send refund to user
medium
Some actions inside MagnetarV2.burst will not work because msg.value is used inside delegate call
medium
Loss of COMP reward in CompoundStragety.sol
medium
Rebalancing mTapiocaOFT of native token forces admin to pay for rebalance amount
medium
Potential loss of value in YieldBox's `depositETHAsset()`
medium
`SGLBorrow::repay` and `BigBang::repay` uses `allowedBorrow` with the asset amount, whereas other functions use it with share of collateral
medium
[HB09] `emergencyWithdraw` on all strategy contracts useless without a pause mechanism
677.54 USDC • Code4rena • rvierdiiev
#5
Jun '23
Findings not publicly available for private contests.
high
partyA can block partyB from opening position when it's not favorable for it
high
LiquidationFacetImpl.liquidatePositionsPartyB doesn't check provided signature timestamp correctly
high
LibMuon.verifyPrices doesn't check user's nonce, which allows to provide old values
medium
PartyBFacetImpl.openPosition can open position that is not solvent
medium
Some liquidations will not be attractive for liquidators
medium
Fees are not returned for locked or cancel_pending quote, when partyB is liquidated
medium
In case if symbol is not valid it should be not possible to open position
medium
PartyBFacetImpl.acceptCancelRequest function doesn't increase nonce for partyA
medium
In case if trading fee will be changed then refund will be done with wrong amount
medium
Suspended account still can do partyB actions
medium
Payment for liquidation is not fair
May '23
medium
Comptroller.healAccount doesn't distribute rewards for healed borrower
medium
ShortFall contract might transfer incorrect amount of tokens to the highest bidder.
medium
Borrower can cause a DoS by frontrunning a liquidation and repaying as low as 1 wei of the current debt
medium
It's possible to borrow, redeem, transfer tokens and exit markets with outdated collateral prices and borrow interest
high
User can avoid bankrupting by calling PositionManager.moveLiquidity where to index is bankrupted index
high
Position NFT can be spammed with insignificant positions by anyone until rewards DoS
medium
Governance attack on Extraordinary Proposals
medium
Calling `StandardFunding.screeningVote` function and `ExtraordinaryFunding.voteExtraordinary` function when `block.number` equals respective start block and when `block.number` is bigger than respective start block can result in different available votes
Apr '23
high
Position doesn't distribute rewards to users
high
Reward accounting is incorrect in BathBuddy contract
high
RubiconMarket checks slippage incorrectly
medium
Fee inclusivity calculations are inaccurate in RubiconMarket
medium
Incorrect fee handling in Position.sol's Market Buy/Sell functions
medium
Zero reward rate calculation impedes low-decimals token distributions
medium
Position._borrowLimit doesn't use exisiting collateral in case if user doesn't have any `_bathToken`
medium
Position contract allows to interact with positions that are liquidated
medium
Incorrect calculations can occur when calling `Position._marketBuy` and `Position._marketSell` functions that do not include maker fee in `_fee`
Mar '23
high
A temporary issue shows in the staking functionality which leads to the users receiving less minted tokens.
high
Staking, unstaking and rebalanceToWeight can be sandwiched (Mainly rETH deposit )
high
`WstEth` derivative assumes a ~1=1 peg of stETH to ETH
high
Users can fail to unstake and lose their deserved ETH because malfunctioning or untrusted derivative cannot be removed
medium
Possible DoS on `unstake()`
Feb '23
high
Malicious user can trigger XProvider calls with small or 0 relayerFee in order to make txs stuck waiting while someone will execute them
high
Vault.pullFunds decreases `savedTotalUnderlying` param incorrectly sometimes
medium
Game.rebalanceBasket can be called by user, when rewards are not sent yet for the period, in order to avoid slashing dervy token for negative rewards
medium
Vault.rebalance calculates rewards per locked token incorrectly
medium
MainVault.rebalanceXChain doesn't check that savedTotalUnderlying >= reservedFunds
medium
Game doesn't accrued rewards for previous rebalance period in case if rebalanceBasket is called in next period
medium
Rewards per locked token are calculated incorrectly
medium
Vault.claim should be called before `pushTotalUnderlyingToController`
medium
Vault thinks that all stable coins have same cost
medium
exchangeRate is not up to date in case if vault that is off is changed to on
medium
Vault.blacklistProtocol can revert in emergency
medium
Vault.blacklistProtocol doesn't claim rewards
medium
Players are not guaranteed to receive rewards
medium
User should not receive rewards for the rebalance period, when protocol was blacklisted, because of unpredicted behaviour of protocol price
high
User can claim all balance of reward tokens, because of issue in calculations
high
User can claim more rewards, because incorrect order in calculation
high
cachedUserRewards variable is never reset, so user can steal all rewards
medium
SingleSidedLiquidityVault._accumulateInternalRewards will revert with underflow error if rewardToken.lastRewardTime is bigger than current time
medium
When reward token is being removed it should send rewards to users
medium
ohmRemoved is calculated incorrectly inside SingleSidedLiquidityVault.withdraw function
Findings not publicly available for private contests.
high
GasUtils.estimateExecuteWithdrawalGasLimit calculates gas amount incorrectly
high
No slippage for withdrawal without swapping path
high
MarketUtils.claimCollateral implemented incorrectly
high
PositionPricingUtils.getPositionFees takes more fees than should
high
DecreaseOrderUtils.processOrder doesn't have slippage protection, when `order.swapPath().length == 0`
medium
Oracle._setPricesFromPriceFeeds can get stale price from oracle
medium
Oracle._setPricesFromPriceFeeds will set incorrect price for stable coins in case of deppeging
medium
ExecuteDepositUtils.getAdjustedLongAndShortTokenAmounts works incorrectly
medium
When executeDeposit or executeWithdraw feature is disabled, keeper can execute orders in order to cancel them and burn part of execution fee
high
User can buy protection for 0 amount for free in order to be able to renew it with not 0 amount when they think pool will default
high
Lending pool state transition will be broken when pool is expired in late state
high
Attacker can withdraw in same or next epoch when he deposited
high
ProtectionPool._accruePremiumAndExpireProtections will stop working when lendingPool will have big number of protections
medium
ProtectionPool.lockCapital doesn't check if protection is already expired
medium
defaultStateManager.getLendingPoolStatus can be stale which allows user to buy/renew protection when he should not
high
BlueBerryBank doesn't poke all position debt tokens, before checking getDebtValue
high
In case if user withdrawLend in withdrawVaultFee window, his position.underlyingAmount is not updated correctly
high
Position owner lose ichi farm rewards when he calls openPositionFarm and collateral already exists
high
User lose WERC20 when close position and provides amountLpWithdraw that is not 0
high
BlueBerryBank.liquidate supposes that only 1 token can be borrowed for the position
medium
BlueBerryBank.getPositionRisk shows risk 0, when underlying price is 0
medium
IchiVaultSpell.strategy.maxPositionSize can be bypassed
medium
Fee on transfer tokens are not supported
medium
No ability to provide slippage when closing position
medium
BasicSpell.doCutRewardsFee uses depositFee instead of withdraw fee
high
DepositManagerV1.refundDeposit will revert when big number of deposits will be created in bounty
high
ClaimManagerV1 will not be able to claim for user if he is blocked by any reward token
high
Attacker can block user from claiming AtomicBountyV1 by depositing token that doesn't support 0 transfer and then refunding
high
BountyCore.claimNft doesn't check that nft is not refunded
medium
DepositManagerV1.fundBountyNFT doesn't check if address limit is reached
medium
TieredFixedBountyV1.setPayoutScheduleFixed will fail in case issuer wants to make less amount of tiers
Jan '23
high
Anyone who uses same adapter have ability to pause it
high
Staking rewards can be drained
high
BeefyAdapter() malicious vault owner can use malicious _beefyBooster to steal the adapter's token
high
Protocol loses fees because highWaterMark is updated every time someone deposit, withdraw, mint
medium
DOS any Staking contract with Arithmetic Overflow
medium
`MultiRewardStaking.changeRewardSpeed()` breaks the distribution
medium
Faulty Escrow config will lock up reward tokens in Staking contract
medium
AdpaterBase.harvest should be called before deposit and withdraw
medium
Strategy can't earn yields for user as underlyingBalance is not updated when strategy deposits
medium
Malicious Users Can Drain The Assets Of Vault. (Due to not being ERC4626 Complaint)
medium
[H-01] Management Fee for a vault is charged even when there is no assets under management and subject to manipulation.
medium
cool down time period is not properly respected for the `harvest` method
medium
Anyone can reset fees to 0 value when Vault is deployed
medium
`Vault::takeFees` can be front run to minimize `accruedPerformanceFee`
high
PublicVault.processEpoch calculates withdrawReserve incorrectly. Users can lose funds.
high
Liquidation will fail if value set as `liquidationInitialAsk` > 2**88-1, causing collateral to be permanently locked
high
Buying out corrupts the slope of a vault, reducing rewards of LPs
high
Deadlock in valuts with underlying token with less then 18 decimals
medium
Adversary can game the liquidation flow by transfering a dust amount of the payment token to ClearingHouse contract to settle the auction if no one buy the auctioned NFT
medium
PublicVault.processEpoch updates YIntercept incorrectly when totalAssets() <= expected
medium
Lack of support for ERC20 token that is not 18 decimals
medium
Approved operator of collateral owner can't liquidate lien
medium
WithdrawProxy allows redeem() to be called before withdraw reserves are transferred in
medium
Users are unable to mint shares from a public vault using `AstariaRouter` contract when share price is bigger than one
medium
LienToken._payment function increases users debt
medium
PerpDepository._rebalanceNegativePnlWithSwap doesn't approve spotSwapper before swap
medium
PerpDepository._rebalanceNegativePnlWithSwap doesn't approve vault before deposit
medium
PerpDepository supposes that `clearingHouse.openPosition` returns quoteAmount in e18
medium
PerpDepository calculates fees incorrectly
medium
PerpDepository.netAssetDeposits variable can prevent users to withdraw with underflow error
Dec '22
high
Inflation of ggAVAX share price by first depositor
high
Hijacking of node operators minipool causes loss of staked funds
high
ProtocolDAO lacks a method to take out GGP
medium
Division by zero error can block RewardsPool#startRewardCycle if all multisig wallet are disabled.
medium
MinipoolManager: recordStakingError function does not decrease minipoolCount leading to too high GGP rewards for staker
medium
Users may not be able to redeem their shares due to underflow
medium
wrong reward distribution between early and late depositors because of the late syncRewards() call in the cycle, syncReward() logic should be executed in each withdraw or deposits (without reverting)
medium
Functions cancelMinipool() doesn't reset the value of the RewardsStartTime for user when user's minipoolcount is zero
medium
Inflation rate can be reduce by half at most if it get called every 1.99 interval.
medium
Bypass `whenNotPaused` modifier
medium
NodeOp funds may be trapped by a invalid state transition
Findings not publicly available for private contests.
high
Malicious user can steal all assets in BondNFT
high
Lock.sol: assets deposited with Lock.extendLock function are lost
high
Not enough margin pulled or burned from user when adding to a position
medium
Must approve 0 first
medium
Approved operators of Position token can't call Trading.initiateCloseOrder
medium
`_handleDeposit` and `_handleWithdraw` do not account for tokens with decimals higher than 18
medium
Unreleased locks cause the reward distribution to be flawed in BondNFT
medium
Chainlink price feed is not sufficiently validated and can return stale price
Nov '22
high
Vault_Lyra doesn't allow to close loan if Lyra collateral is not active and accrues more fees
medium
CollateralBook.CHANGE_COLLATERAL_DELAY variable is mistakenly set to 200 sec instead of 2 days
medium
Isomorph.ISOUSD_TIME_DELAY uses 3 sec delay instead of 3 days
medium
Vault_Base_ERC20._updateVirtualPrice allows to skip some price updates
medium
Vault_Lyra will continue calculate interests when contract is paused
medium
Vault_Lyra.increaseCollateralAmount doesn't allow borrower to add collateral if total collateral is less than liquidation amount
high
The 'redeem' related functions are likely to be blocked
high
Malicious Users Can Drain The Assets Of Auto Compound Vault
high
Underlying assets stealing in `AutoPxGmx` and `AutoPxGlp` via share price manipulation
medium
Assets may be lost when calling unprotected `AutoPxGlp::compound` function
medium
Deposit Feature Of The Vault Will Break If Update To A New Platform
medium
PirexGmx.initiateMigration can be blocked
medium
Seller's ability to decrypt bids before reveal could result in a much higher clearing price than anticpated and make buyers distrust the system
medium
Attacker may DOS auctions using invalid bid parameters
medium
Incompatibility with fee-on-transfer/inflationary/deflationary/rebasing tokens, on both base tokens and quote tokens, with varying impacts
high
Repaying a line of credit with a higher than necessary claimed revenue amount will force the borrower into liquidation
medium
Borrower can by mistake add own money to credit if credit is in ETH
medium
Whitelisted functions aren't scoped to revenue contracts and may lead to unnoticed calls due to selector clashing
medium
Mutual consent cannot be revoked and stays valid forever
medium
Variable balance ERC20 support
medium
address.call{value:x}() should be used instead of payable.transfer()
medium
Borrower/Lender excessive ETH not refunded and permanently locked in protocol
Oct '22
medium
Avoidable misconfiguration could lead to INVEscrow contract not minting xINV tokens
medium
Two day low oracle used in `Market.liquidate()` makes the system highly at risk in an oracle attack
medium
Oracle assumes token and feed decimals will be limited to 18 decimals
medium
Chainlink oracle data feed is not sufficiently validated and can return stale `price`
high
Redeemer.autoRedeem and Redeemer.authRedeem can be called when paused
medium
ERC5095.deposit doesn't check if received shares is less then provided amount
medium
ERC5095.mint function calculates slippage incorrectly
medium
Redeemer.setFee function will always revert
medium
Marketplace.setPrincipal funtion approves allowance for Notional incorrectly
medium
Marketplace.setPrincipal do not approve needed allowance for Element vault and APWine router
high
AstariaRouter.commitToLiens function will always revert
high
ASTARIA_ROUTER.getProtocolFee will always revert
high
Possible to pass signature check and borrow from any Vault for a dummy NFT
high
Potential debt is calculated incorrectly when taking a new borrow
high
LienToken.buyoutLien do not set lienData[lienId].payee to address 0
high
Possible to fully block PublicVault.processEpoch function. No one will be able to receive their funds
high
LiquidationAccountant.claim function can be called any time
medium
CollateralToken should allow to execute token owner's action to approved addresses also
medium
AuctionHouse.createBid will revert when bid is took when `auctions[tokenId].maxDuration - auctions[tokenId].duration < timeBuffer' with oferflow error
medium
Strategist nonce is not checked
medium
LienToken.createLien doesn't check if user should be liquidated and provides new loan
medium
Manipulation of share price by first depositor of IVault
medium
LienToken._payment function do not return overpaid amount to msg.sender
medium
LienToken._payment function increases users debt
Sep '22
high
Multiple vote checkpoints per block will lead to incorrect vote accounting
medium
Auction parameters can be changed during ongoing auction
medium
Tokens without properties can be minted and cannot be rendered
medium
Proposals can be bricked and Auctions stalled by bad settings
medium
Compromised or malicious vetoer can veto any proposals with unrestricted power
medium
Owners receive more percentage of total nft if some nfts were burned(because were not sold)
Aug '22