#341 All Time
Sherlock
Mar '25
77.25 USDC • 2 total findings • Sherlock • zraxx
#9
high
Most of the users' reward will be lost due to frequent calls to notifyRewardAmount and loss of precision.
medium
Incorrect checking logic in the function _resetVestingPlans will cause the addLiquidity function to fail.
Feb '25
283.95 USDC • 2 total findings • Sherlock • zraxx
#7
The function liquidatePosition incorrectly calculates borrowedValue, causing borrowedValue to be abnormally large.
Leverager#withdraw uses the wrong repayFromWithdraw when `borrowed == up.token1`
Jan '25
1,333.92 USDC • 3 total findings • Sherlock • zraxx
#8
The pool contract will be drained by the attacker due to incorrect multiplier settings.
By splitting large purchases and redemptions into multiple smaller amounts, users can get more returns.
Potential Token Transfer Failure in _removeBid Function
Sep '24
607.29 USDC • 2 total findings • Sherlock • zraxx
#26
`relist` does not set the create time of the listing, so the attacker can set the create time to the future.
When relisting a floor item listing, listingCount is not increased, causing listingCount to underflow.
1,565.25 USDC • 2 total findings • Sherlock • zraxx
#12
When a staker is removed, the previous unclaimed commission rewards will not be available for claiming.
`getStakersFromBitmap` cannot reach stakerSet[254], resulting in the user being unable to be slashed
May '24
133.81 USDC • 1 total finding • Sherlock • zraxx
Users cannot set a deadline for earlyExitById/exitLateById, which may cause users to lose many assets.
1,309.31 USDC • 2 total findings • Sherlock • zraxx
#10
When the total Draw Auction Rewards exceeds availableRewards, `finishDraw` will fail.
By claiming prizes at the canary tiers, malicious users can reduce the claim fee at other tiers
Mar '24
1.18 USDC • 1 total finding • Sherlock • zraxx
The function _cancelAllBids does not check whether the bidder is the highestBidder
9,500 USDC • 1 total finding • Sherlock • zraxx
When the amount of token acquired by a flash loan exceeds the expected value, the callback function will fail.
127.48 USDC • 1 total finding • Sherlock • zraxx
In the function _handleERC20Received, the fee was incorrectly charged
Feb '24
5,538.46 USDC • 1 total finding • Sherlock • zraxx
When using the `borrow` function to update the `BorrowingInfo`, the previously accumulated fees were not distributed in time.
5.57 USDC • 1 total finding • Sherlock • zraxx
#31
The function `settleEpochFromEigenLayer` does not update `currentEpochsByAsset`, resulting in subsequent settlement failures.
Jan '24
17.38 USDC • 1 total finding • Sherlock • zraxx
In the function _depositETH, there is no check whether depositAmount is equal to 0, which allows malicious users to perform draws at a cost of 0 and maliciously increase the count of deposit.
1,894.28 USDC • 1 total finding • Sherlock • zraxx
In function `cancelVesting`, the variable `userVesting` is of type memory, which will cause the assignment to locked to be invalid.
Nov '23
21.94 USDC • 1 total finding • Sherlock • zraxx
The first founder's share will be lost by 1% when reservedUntilTokenId>=100
Oct '23
257.41 USDC • 1 total finding • Sherlock • zraxx
#14
In `takeOverDebt`, wrong parameter `borrowingKey` is used to call `_addKeysAndLoansInfo`