Total Earnings
#563 All Time
Jan '25
medium
high
Incorrect period used to access an auction.
high
When redeeming levETH while collateral level is greater than the threshold the redeem rate is compared with bondETH's market rate.
high
Tokens are not refunded when using BalancerRouter.
high
Incorrect fee accounting.
medium
DoS of coupon claiming if one of the auctions fails.
medium
Every auction can be DoS'ed.
medium
Some price feeds for tokens used in the protocol do not exist.
medium
Attacker can make Pool unusable by dropping totalSupply to 0.
Dec '24
high
`SecondSwap_Marketplace` vesting listing order affects how much the vesting buyers can claim at a given step
high
Users can claim more than their actual allotment
medium
`buyFee` And `sellFee` Should Be Known Before Purchase
medium
Tokens that have already been vested can be transferred from a user.
medium
Incorrect referral fee calculations
medium
Rounding error in stepDuration calculations.
medium
Users can prevent being reallocated by listing to marketplace
medium
Creator of one vesting plan can affect vesting plans created by other users.
Aug '24
Jul '24
high
Griefing attack on seller's airdrop benefits
high
Wrong minting logic based on total token count across generations
medium
Forger Entities can forge more times than intended
medium
Pause and unpause functions are inaccessible
medium
NFTs mature too slowly under default settings.
medium
Each generation should have 1 "Golden God" NFT, but there could be 0
medium
TraitForgeNft: Generations without a golden god are possible
Apr '24
high
Airdrop rewards for ITO participants will be diluted.
high
Staking rewards in ZivoeRewards/ZivoeRewardsVesting can be delayed.
high
ZVE tokens will get stuck in ZivoeRewardsVesting due to an underflow.
medium
A user can escape paying interest for some of the payment intervals.
medium
OCL_ZVE uses 0% slippage tolerance when adding liquidity.
Mar '24
high
`claimProceeds()` will be DoS'ed for a fully filled auction if a baseToken reverts on 0 amount transfers.
high
`BlastGas` does not set gas fees to claimable resulting in a loss of revenue for the protocol.
high
`Auctioneer.auction()` is incorrectly accessing the routing in storage.
high
`_revertIfLotConcluded()` incorrectly checks if the lot has concluded.
medium
Permanent DoS of `claimBids()` and `settle()` functions for an auction lot with an expired `LinearVesting` derivative.
Feb '24
high
Since you can reroll with a different fighterType than the NFT you own, you can reroll bypassing maxRerollsAllowed and reroll attributes based on a different fighterType
high
Players have complete freedom to customize the fighter NFT when calling `redeemMintPass` and can redeem fighters of types Dendroid and with rare attributes
high
Player can mint more fighter NFTs during claim of rewards by leveraging reentrancy on the `claimRewards()` function
high
Fighters cannot be minted after the initial generation due to uninitialized `numElements` mapping
medium
NFTs can be transferred even if StakeAtRisk remains, so the user's win cannot be recorded on the chain due to underflow, and can recover past losses that can't be recovered (steal protocol's token)
medium
Can mint NFT with the desired attributes by reverting transaction
medium
DoS in `MergingPool::claimRewards` function and potential DoS in `RankedBattle::claimNRN` function if called after a significant amount of rounds passed.
medium
Fighter created by mintFromMergingPool can have arbitrary weight and element
Jan '24
high
Whitelisted accounts can be forcefully DoSed from buying curveTokens during the presale
high
Attack to make `CurveSubject` to be a `HoneyPot`
high
Unauthorized Access to setCurves Function
medium
Protocol and referral fee would be permanently stuck in the Curves contract when selling a token
medium
onBalanceChange causes previously unclaimed rewards to be cleared
medium
Curves::_buyCurvesToken(), Excess of Eth received is not refunded back to the user.
Dec '23
high
The userGaugeProfitIndex is not set correctly, allowing an attacker to receive rewards without waiting
high
Users staking via the `SurplusGuildMinter` can be immediately slashed when staking into a gauge that had previously incurred a loss
medium
Wrong ProfitManager in GuildToken, will always revert for other types of gauges leading to bad debt
medium
There is no way to liquidate a position if it breaches maxDebtPerCollateralToken value creating bad debt.
Nov '23
Oct '23
Sep '23
Aug '23
May '23