#747 All Time
Sherlock
Code4rena
Cantina
Apr '25
Findings not publicly available for private contests.
Mar '25
high
Jan '25
medium
Dec '24
high
In `Borrowing::depositTokens`, `strikePrice` is introduced by the user but it should be calculated based on `strikePercent` to avoid manipulation
high
`Borrowing::redeemYields` debits `ABOND` from `msg.sender` but redeems to `user` using `ABOND.State` data from `user`
high
Downside protection never ends, so renewing options is useless and `CDS` depositors are unfairly rewarded.
high
Liquidation type 2 does not update the deposit as liquidated
high
`usdaPrice` and `usdtPrice` are parameters used to calculate redeemable amount of `USDT` that allow anyone to drain the vault
high
Race condition when updating `GlobalVariables` data across chains
high
`LiquidationType.TWO` incorrectly updates `liquidationInfo` as empty in `CDS` of the other chain in an index that was already used
high
Liquidation type 1 incorrectly refunds to `user` instead of `msg.sender` allowing `user` to DoS liquidations of his positions
high
`ABONDToken::transferFrom` does not work as intended and allows theft of ETH funds from `Treasury`
high
`usdaGainedFromLiquidation` is not increased in the liquidation flow leading to stuck funds
medium
In `Borrowing::depositTokens`, `ethVolatility` is introduced by the user and has no sanity checks, leading to incorrect option fees pricing
medium
`noOfBorrowers` in `Treasury` can be manipulated, affecting cumulative rate calculation and DoSing exit of users from the system
medium
ETH sent to cover Layer Zero execution fees is not refunded
medium
Liquidation type 2 will always revert because it never gets from `Treasury` the `amount` of `ETH` needed to deposit in `synthetix`
medium
Looping over unbounded `omniChainCDSLiqIndexToInfo` can lead to permanent DoS and frozen funds
medium
Lack of access control in `MultiSig::executeSetterFunction` allows DoS of setter functions in `Borrowing` and `CDS`
medium
Reentrant call in `Treasury::withdrawFromExternalProtocol` during the `Borrowing::redeemYields` flow allows theft of `Treasury` ETH
Nov '24
Jul '24
Apr '24
Mar '24
Feb '24
Jan '24