Sherlock
CodeHawks
Jun '25
high: Asset confusion in `withdrawToNativeChain` allows swapping unauthorized funds
high: `GatewayCrossChain::claimRefund` allows anyone to steal Solana refunds
medium: `GatewaySend::onRevert` fails to handle refunds for native gas tokens
medium: `GatewayTransferNative::_doMixSwap` reverts when swapping from the native gas token in `GatewayTransferNative::withdrawToNativeChain`
medium: Attacker can overwrite legitimate `refundsInfo` by triggering `GatewayCrossChain::onRevert`
medium: `GatewayCrossChain::claimRefund` sends refunded BTC to a Bitcoin address on ZetaChain instead of a legitimate ZetaChain address
medium: The `approve` call in `GatewaySend::_handleERC20Deposit` will revert for non-standard ERC20 tokens like USDT
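The `approve` revert in the last finding above is an instance of a well-known ERC20 quirk: USDT's `approve` returns no value, so a high-level call through an interface that declares `returns (bool)` reverts while decoding the empty return data, and USDT additionally rejects changing a nonzero allowance directly to another nonzero value. The following is an added illustration of that general pattern, not code from the audited project; `NonStandardToken`, `Depositor` and the function names are constructed stand-ins.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// The standard interface declares a bool return value.
interface IERC20 {
    function approve(address spender, uint256 value) external returns (bool);
}

// Constructed stand-in for a USDT-like token: approve() returns nothing,
// and a nonzero -> nonzero allowance change is rejected.
contract NonStandardToken {
    mapping(address => mapping(address => uint256)) public allowance;

    function approve(address spender, uint256 value) external {
        require(value == 0 || allowance[msg.sender][spender] == 0, "reset allowance to 0 first");
        allowance[msg.sender][spender] = value;
    }
}

contract Depositor {
    // Vulnerable: the high-level call expects 32 bytes of return data.
    // A USDT-like token returns none, so ABI decoding reverts and every
    // deposit of that token fails.
    function approveUnsafe(address token, address spender, uint256 amount) external {
        IERC20(token).approve(spender, amount);
    }

    // Hardened: reset to zero first (for tokens that require it), then set
    // the target allowance, tolerating both empty and bool return data.
    function approveSafe(address token, address spender, uint256 amount) external {
        _forceApprove(token, spender, 0);
        _forceApprove(token, spender, amount);
    }

    function _forceApprove(address token, address spender, uint256 amount) internal {
        // A call to an address without code "succeeds" with empty data,
        // so require the target to be a contract before trusting the result.
        require(token.code.length > 0, "token is not a contract");
        (bool ok, bytes memory data) = token.call(
            abi.encodeWithSelector(IERC20.approve.selector, spender, amount)
        );
        // Accept: success with no return data (USDT-style) or success with `true`.
        require(ok && (data.length == 0 || abi.decode(data, (bool))), "approve failed");
    }
}
```

`approveUnsafe` reverts against `NonStandardToken` on every call, while `approveSafe` succeeds; the same low-level pattern is what OpenZeppelin's `SafeERC20.forceApprove` implements, which is the usual fix for this class of finding.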
Apr '25
Feb '25
high: `RAACNFT` mint function receives funds at `address(this)` but has no way of withdrawing them
high: `RToken`'s transfer function leads to loss of funds due to incorrect math
high: Users can borrow more assets than they have deposited as collateral
high: NFTs get permanently locked in `StabilityPool` after liquidation
high: Any attempt to liquidate a user will fail, because `StabilityPool` does not hold crvUSD during its operational lifecycle
high: Treasury balance tracking bypass in `FeeCollector`
high: Attackers can double voting power and veToken amount by locking and then increasing
medium: Liquidation cannot be closed even with a healthy position due to a strict debt check
medium: `LendingPool.getUserDebt` returns an outdated value and can lead to liquidation failure
medium: Emergency revoke in `RAACReleaseOrchestrator` will freeze revoked RAAC tokens in the orchestrator
medium: Wrong access control in `RAACToken::setFeeCollector`, `RAACToken::setSwapTaxRate`, `RAACToken::setBurnTaxRate`
medium: `RAACReleaseOrchestrator::emergencyRevoke()` fails to update `categoryUsed`, leading to token lockup and incorrect accounting
medium: Proposal front-running via predictable salt in `TimelockController::scheduleBatch`
medium: `StabilityVault` can be drained of RTokens when `LendingPool` `reserve.liquidityIndex >= 2 RAY`
low: Emergency timelock bypass: no enforced 1-day delay for emergency actions
low: `FeeCollector::updateFeeType` wrong fee share validation makes updates impossible for some fee types
Jan '25