# Immunefi Audit Competitions ## Immunefi Audit Competitions - [README](https://reports.immunefi.com/readme.md) - [Alchemix](https://reports.immunefi.com/alchemix.md) - [30555 - \[SC - Low\] Precision loss when calculating the FLUX amount...](https://reports.immunefi.com/alchemix/30555-sc-low-precision-loss-when-calculating-the-flux-amount....md) - [30556 - \[SC - Low\] Past defeated proposals may become executable i...](https://reports.immunefi.com/alchemix/30556-sc-low-past-defeated-proposals-may-become-executable-i....md) - [30565 - \[SC - Low\] veALCX does not comply with ERC breaking compos...](https://reports.immunefi.com/alchemix/30565-sc-low-vealcx-does-not-comply-with-erc-breaking-compos....md) - [30584 - \[SC - Insight\] Invalid check to make sure Minter is already in...](https://reports.immunefi.com/alchemix/30584-sc-insight-invalid-check-to-make-sure-minter-is-already-in....md) - [30592 - \[SC - Medium\] DOS attack by delegating tokens at MAX\_DELEGATE...](https://reports.immunefi.com/alchemix/30592-sc-medium-dos-attack-by-delegating-tokens-at-max_delegate....md) - [30598 - \[SC - Low\] Access Control Flaw in \_burn Function Leads to ...](https://reports.immunefi.com/alchemix/30598-sc-low-access-control-flaw-in-_burn-function-leads-to-....md) - [30613 - \[SC - Medium\] malicious user can front run any call to the sw...](https://reports.immunefi.com/alchemix/30613-sc-medium-malicious-user-can-front-run-any-call-to-the-sw....md) - [30634 - \[SC - Critical\] Unauthorized minting of unlimited FLUX in tran...](https://reports.immunefi.com/alchemix/30634-sc-critical-unauthorized-minting-of-unlimited-flux-in-tran....md) - [30650 - \[SC - Critical\] Infinite minting of FLUX through voterpoke](https://reports.immunefi.com/alchemix/30650-sc-critical-infinite-minting-of-flux-through-voterpoke.md) - [30651 - \[SC - Critical\] Insolvency in RevenueHandlersol because unclaim...](https://reports.immunefi.com/alchemix/30651-sc-critical-insolvency-in-revenuehandlersol-because-unclaim....md) - [30655 - \[SC - Critical\] Binary search does not correctly handle duplica...](https://reports.immunefi.com/alchemix/30655-sc-critical-binary-search-does-not-correctly-handle-duplica....md) - [30667 - \[SC - Medium\] Unlimited gauge numbers can DoS users distribut...](https://reports.immunefi.com/alchemix/30667-sc-medium-unlimited-gauge-numbers-can-dos-users-distribut....md) - [30671 - \[SC - Critical\] Reward token permanent freeze due to bulk call ...](https://reports.immunefi.com/alchemix/30671-sc-critical-reward-token-permanent-freeze-due-to-bulk-call-....md) - [30682 - \[SC - Critical\] Insufficient slippage control in RevenueHandler...](https://reports.immunefi.com/alchemix/30682-sc-critical-insufficient-slippage-control-in-revenuehandler....md) - [30683 - \[SC - Critical\] User can increase their unclaimed Flux token wi...](https://reports.immunefi.com/alchemix/30683-sc-critical-user-can-increase-their-unclaimed-flux-token-wi....md) - [30685 - \[SC - Medium\] The proposer can be impeded from submitting a p...](https://reports.immunefi.com/alchemix/30685-sc-medium-the-proposer-can-be-impeded-from-submitting-a-p....md) - [30694 - \[SC - Low\] Users approved for a single token id cannot wit...](https://reports.immunefi.com/alchemix/30694-sc-low-users-approved-for-a-single-token-id-cannot-wit....md) - [30699 - \[SC - High\] Permanent freezing of unclaimed ALCX yield when...](https://reports.immunefi.com/alchemix/30699-sc-high-permanent-freezing-of-unclaimed-alcx-yield-when....md) - [30704 - \[SC - Medium\] Griefing an account from getting votes delegate...](https://reports.immunefi.com/alchemix/30704-sc-medium-griefing-an-account-from-getting-votes-delegate....md) - [30708 - \[SC - Low\] treasuryPct can be exceeded than BPS due to inc...](https://reports.immunefi.com/alchemix/30708-sc-low-treasurypct-can-be-exceeded-than-bps-due-to-inc....md) - [30710 - \[SC - Insight\] The execution of the proposal has no expiration](https://reports.immunefi.com/alchemix/30710-sc-insight-the-execution-of-the-proposal-has-no-expiration.md) - [30711 - \[SC - Low\] The result of the AggregatorVInterface is not v...](https://reports.immunefi.com/alchemix/30711-sc-low-the-result-of-the-aggregatorvinterface-is-not-v....md) - [30781 - \[SC - Low\] It is possible to lower the quorum requirements...](https://reports.immunefi.com/alchemix/30781-sc-low-it-is-possible-to-lower-the-quorum-requirements....md) - [30788 - \[SC - Critical\] User can increase their unclaimed Flux token wi...](https://reports.immunefi.com/alchemix/30788-sc-critical-user-can-increase-their-unclaimed-flux-token-wi....md) - [30800 - \[SC - Critical\] Stealing FLUX by claiming then merging position...](https://reports.immunefi.com/alchemix/30800-sc-critical-stealing-flux-by-claiming-then-merging-position....md) - [30814 - \[SC - Critical\] Wrong calculation of boost amount in Voterpoke](https://reports.immunefi.com/alchemix/30814-sc-critical-wrong-calculation-of-boost-amount-in-voterpoke.md) - [30818 - \[SC - Low\] division before multiplication in theamountToRa...](https://reports.immunefi.com/alchemix/30818-sc-low-division-before-multiplication-in-theamounttora....md) - [30825 - \[SC - Critical\] Users can get unlimited amounts of Flux tokens](https://reports.immunefi.com/alchemix/30825-sc-critical-users-can-get-unlimited-amounts-of-flux-tokens.md) - [30826 - \[SC - High\] ALCK rewards are lost when merging tokens becau...](https://reports.immunefi.com/alchemix/30826-sc-high-alck-rewards-are-lost-when-merging-tokens-becau....md) - [30860 - \[SC - Critical\] Wrong timestamp for totalVoting](https://reports.immunefi.com/alchemix/30860-sc-critical-wrong-timestamp-for-totalvoting.md) - [30886 - \[SC - Medium\] Wrong totalWeight in Votersol](https://reports.immunefi.com/alchemix/30886-sc-medium-wrong-totalweight-in-votersol.md) - [30898 - \[SC - Critical\] Call the deposit function before the distribute...](https://reports.immunefi.com/alchemix/30898-sc-critical-call-the-deposit-function-before-the-distribute....md) - [30906 - \[SC - Critical\] Voterpoke can be called at will leading to a us...](https://reports.immunefi.com/alchemix/30906-sc-critical-voterpoke-can-be-called-at-will-leading-to-a-us....md) - [30910 - \[SC - High\] Processing of voting results is not implemented...](https://reports.immunefi.com/alchemix/30910-sc-high-processing-of-voting-results-is-not-implemented....md) - [30918 - \[SC - Insight\] Incorrect implementation of ownerOf makes veALC...](https://reports.immunefi.com/alchemix/30918-sc-insight-incorrect-implementation-of-ownerof-makes-vealc....md) - [30919 - \[SC - Critical\] Front running of pokeTokens could lead to loss ...](https://reports.immunefi.com/alchemix/30919-sc-critical-front-running-of-poketokens-could-lead-to-loss-....md) - [30920 - \[SC - Low\] User loses access to claims after merging of to...](https://reports.immunefi.com/alchemix/30920-sc-low-user-loses-access-to-claims-after-merging-of-to....md) - [30921 - \[SC - Low\] Referential assignment causes incorrect block i...](https://reports.immunefi.com/alchemix/30921-sc-low-referential-assignment-causes-incorrect-block-i....md) - [30922 - \[SC - High\] DOS of withdrawals through filling the userPoin...](https://reports.immunefi.com/alchemix/30922-sc-high-dos-of-withdrawals-through-filling-the-userpoin....md) - [30925 - \[SC - Critical\] Manipulation of governance voting result by unl...](https://reports.immunefi.com/alchemix/30925-sc-critical-manipulation-of-governance-voting-result-by-unl....md) - [30926 - \[SC - Low\] AlchemixGovernor updates to quorum can affect p...](https://reports.immunefi.com/alchemix/30926-sc-low-alchemixgovernor-updates-to-quorum-can-affect-p....md) - [30939 - \[SC - Critical\] Misuse of curve pool calls results for precisio...](https://reports.immunefi.com/alchemix/30939-sc-critical-misuse-of-curve-pool-calls-results-for-precisio....md) - [30951 - \[SC - Low\] Incorrect ownerOf implementation makes veALCX n...](https://reports.immunefi.com/alchemix/30951-sc-low-incorrect-ownerof-implementation-makes-vealcx-n....md) - [30959 - \[SC - Insight\] Immutable gauges can break the state of the vot...](https://reports.immunefi.com/alchemix/30959-sc-insight-immutable-gauges-can-break-the-state-of-the-vot....md) - [30972 - \[SC - Critical\] Theft of unclaimed yield of the revenue in the ...](https://reports.immunefi.com/alchemix/30972-sc-critical-theft-of-unclaimed-yield-of-the-revenue-in-the-....md) - [30973 - \[SC - Low\] Incorrect Validation of treasuryPct in the Reve...](https://reports.immunefi.com/alchemix/30973-sc-low-incorrect-validation-of-treasurypct-in-the-reve....md) - [30985 - \[SC - Medium\] Griefing attack prevents admins from disabling ...](https://reports.immunefi.com/alchemix/30985-sc-medium-griefing-attack-prevents-admins-from-disabling-....md) - [30990 - \[SC - Critical\] Users can use Voterpoke to accrue Flux tokens i...](https://reports.immunefi.com/alchemix/30990-sc-critical-users-can-use-voterpoke-to-accrue-flux-tokens-i....md) - [30992 - \[SC - Insight\] Inconsistent State Missing Event Emission in Fl...](https://reports.immunefi.com/alchemix/30992-sc-insight-inconsistent-state-missing-event-emission-in-fl....md) - [30999 - \[SC - Critical\] An edge-case mints times more FLUX than it should](https://reports.immunefi.com/alchemix/30999-sc-critical-an-edge-case-mints-times-more-flux-than-it-should.md) - [31008 - \[SC - High\] Alcx rewards are permanently frozen when two to...](https://reports.immunefi.com/alchemix/31008-sc-high-alcx-rewards-are-permanently-frozen-when-two-to....md) - [31042 - \[SC - High\] Claiming alchemic-token rewards can fail for so...](https://reports.immunefi.com/alchemix/31042-sc-high-claiming-alchemic-token-rewards-can-fail-for-so....md) - [31071 - \[SC - Critical\] User can steal bribes and prevent other users f...](https://reports.immunefi.com/alchemix/31071-sc-critical-user-can-steal-bribes-and-prevent-other-users-f....md) - [31076 - \[SC - Critical\] checkpointTotalSupply can checkpoint before a t...](https://reports.immunefi.com/alchemix/31076-sc-critical-checkpointtotalsupply-can-checkpoint-before-a-t....md) - [31077 - \[SC - Critical\] RevenueHandler counts unclaimed tokens as new r...](https://reports.immunefi.com/alchemix/31077-sc-critical-revenuehandler-counts-unclaimed-tokens-as-new-r....md) - [31078 - \[SC - High\] withdraw doesnt claim all rewards before burnin...](https://reports.immunefi.com/alchemix/31078-sc-high-withdraw-doesnt-claim-all-rewards-before-burnin....md) - [31079 - \[SC - Critical\] Claiming bribes for epochs you didnt vote for l...](https://reports.immunefi.com/alchemix/31079-sc-critical-claiming-bribes-for-epochs-you-didnt-vote-for-l....md) - [31080 - \[SC - Insight\] DoS in startCooldown when users want start cool...](https://reports.immunefi.com/alchemix/31080-sc-insight-dos-in-startcooldown-when-users-want-start-cool....md) - [31082 - \[SC - Critical\] Expired locks can be used to claim rewards](https://reports.immunefi.com/alchemix/31082-sc-critical-expired-locks-can-be-used-to-claim-rewards.md) - [31085 - \[SC - Critical\] Malicious users can front-run the distribution ...](https://reports.immunefi.com/alchemix/31085-sc-critical-malicious-users-can-front-run-the-distribution-....md) - [31087 - \[SC - Low\] Colition between approve and \_isApprovedOrOwner...](https://reports.immunefi.com/alchemix/31087-sc-low-colition-between-approve-and-_isapprovedorowner....md) - [31112 - \[SC - Critical\] Bribesolwithdraw doesnt update the totalVotings...](https://reports.immunefi.com/alchemix/31112-sc-critical-bribesolwithdraw-doesnt-update-the-totalvotings....md) - [31141 - \[SC - Critical\] Permanent freezing of unclaimed yield of reward...](https://reports.immunefi.com/alchemix/31141-sc-critical-permanent-freezing-of-unclaimed-yield-of-reward....md) - [31149 - \[SC - Critical\] Manipulation of governance voting result by unl...](https://reports.immunefi.com/alchemix/31149-sc-critical-manipulation-of-governance-voting-result-by-unl....md) - [31151 - \[SC - Medium\] Delegation Saturation Leading to Asset Freezing...](https://reports.immunefi.com/alchemix/31151-sc-medium-delegation-saturation-leading-to-asset-freezing....md) - [31163 - \[SC - Critical\] Malicious actor can acquire bribe rewards by bl...](https://reports.immunefi.com/alchemix/31163-sc-critical-malicious-actor-can-acquire-bribe-rewards-by-bl....md) - [31184 - \[SC - Critical\] Deflating the total amount of votes in a checkp...](https://reports.immunefi.com/alchemix/31184-sc-critical-deflating-the-total-amount-of-votes-in-a-checkp....md) - [31189 - \[SC - High\] Voting algorithm does not apply maximum availab...](https://reports.immunefi.com/alchemix/31189-sc-high-voting-algorithm-does-not-apply-maximum-availab....md) - [31196 - \[SC - Critical\] Voterpoke does not check lastVoted resulting in...](https://reports.immunefi.com/alchemix/31196-sc-critical-voterpoke-does-not-check-lastvoted-resulting-in....md) - [31198 - \[SC - Critical\] VotingEscrowmerge does not check whether the \_f...](https://reports.immunefi.com/alchemix/31198-sc-critical-votingescrowmerge-does-not-check-whether-the-_f....md) - [31199 - \[SC - Critical\] Users might receive less rewars token after Vot...](https://reports.immunefi.com/alchemix/31199-sc-critical-users-might-receive-less-rewars-token-after-vot....md) - [31211 - \[SC - Critical\] Inflation Of Total Votes and Potential Freeze o...](https://reports.immunefi.com/alchemix/31211-sc-critical-inflation-of-total-votes-and-potential-freeze-o....md) - [31222 - \[SC - Critical\] Unlimited Flux minting](https://reports.immunefi.com/alchemix/31222-sc-critical-unlimited-flux-minting.md) - [31223 - \[SC - Critical\] Disproportionate Rewards Manipulation in Bribesol](https://reports.immunefi.com/alchemix/31223-sc-critical-disproportionate-rewards-manipulation-in-bribesol.md) - [31226 - \[SC - Insight\] Missing Revert Message in require statement lea...](https://reports.immunefi.com/alchemix/31226-sc-insight-missing-revert-message-in-require-statement-lea....md) - [31234 - \[SC - Medium\] Alchemix BlockSlope variable in checkpoint rou...](https://reports.immunefi.com/alchemix/31234-sc-medium-alchemix-blockslope-variable-in-checkpoint-rou....md) - [31242 - \[SC - Critical\] RevenueHandlercheckpoint allows users to claim ...](https://reports.immunefi.com/alchemix/31242-sc-critical-revenuehandlercheckpoint-allows-users-to-claim-....md) - [31249 - \[SC - Critical\] malicious user can back-run Voterdistribute to ...](https://reports.immunefi.com/alchemix/31249-sc-critical-malicious-user-can-back-run-voterdistribute-to-....md) - [31253 - \[SC - Critical\] RevenueHandlercheckpoint isnt correctly](https://reports.immunefi.com/alchemix/31253-sc-critical-revenuehandlercheckpoint-isnt-correctly.md) - [31258 - \[SC - High\] Loss of Unclaimed Bribes After Burning veALCX T...](https://reports.immunefi.com/alchemix/31258-sc-high-loss-of-unclaimed-bribes-after-burning-vealcx-t....md) - [31263 - \[SC - Critical\] RevenueHandlercheckpoint counts unclaimed rewar...](https://reports.immunefi.com/alchemix/31263-sc-critical-revenuehandlercheckpoint-counts-unclaimed-rewar....md) - [31264 - \[SC - Insight\] Multiple Reports QALowOOS Medium](https://reports.immunefi.com/alchemix/31264-sc-insight-multiple-reports-qalowoos-medium.md) - [31272 - \[SC - Low\] Approved user cant merge tokens not approved fo...](https://reports.immunefi.com/alchemix/31272-sc-low-approved-user-cant-merge-tokens-not-approved-fo....md) - [31276 - \[SC - High\] BPT can be locked for only week resulting in u...](https://reports.immunefi.com/alchemix/31276-sc-high-bpt-can-be-locked-for-only-week-resulting-in-u....md) - [31277 - \[SC - Insight\] The user can propose with less voting power tha...](https://reports.immunefi.com/alchemix/31277-sc-insight-the-user-can-propose-with-less-voting-power-tha....md) - [31280 - \[SC - Critical\] Malicious user can mint unlimited flux tokens](https://reports.immunefi.com/alchemix/31280-sc-critical-malicious-user-can-mint-unlimited-flux-tokens.md) - [31281 - \[SC - Low\] Approved spender cannot withdraw or merge](https://reports.immunefi.com/alchemix/31281-sc-low-approved-spender-cannot-withdraw-or-merge.md) - [31284 - \[SC - Insight\] cancel should allow to cancel the proposal of t...](https://reports.immunefi.com/alchemix/31284-sc-insight-cancel-should-allow-to-cancel-the-proposal-of-t....md) - [31293 - \[SC - High\] Voters who withdraw veLACX tokens risk losing g...](https://reports.immunefi.com/alchemix/31293-sc-high-voters-who-withdraw-velacx-tokens-risk-losing-g....md) - [31295 - \[SC - High\] Newly created gauge may missed out on its rewards](https://reports.immunefi.com/alchemix/31295-sc-high-newly-created-gauge-may-missed-out-on-its-rewards.md) - [31298 - \[SC - Medium\] Anyone can let users delegates reach the upper ...](https://reports.immunefi.com/alchemix/31298-sc-medium-anyone-can-let-users-delegates-reach-the-upper-....md) - [31309 - \[SC - Critical\] slippage protection is inaccurate](https://reports.immunefi.com/alchemix/31309-sc-critical-slippage-protection-is-inaccurate.md) - [31326 - \[SC - High\] Precision loss causes minor loss of FLUX when c...](https://reports.immunefi.com/alchemix/31326-sc-high-precision-loss-causes-minor-loss-of-flux-when-c....md) - [31329 - \[SC - Critical\] Attacker can gain infinitive FLUX by repeating ...](https://reports.immunefi.com/alchemix/31329-sc-critical-attacker-can-gain-infinitive-flux-by-repeating-....md) - [31335 - \[SC - High\] getActualSupply should be used instead of total...](https://reports.immunefi.com/alchemix/31335-sc-high-getactualsupply-should-be-used-instead-of-total....md) - [31355 - \[SC - Low\] Past Defeated Proposals Can Be Executed in the ...](https://reports.immunefi.com/alchemix/31355-sc-low-past-defeated-proposals-can-be-executed-in-the-....md) - [31375 - \[SC - Critical\] Lack of Access control in poke function allows ...](https://reports.immunefi.com/alchemix/31375-sc-critical-lack-of-access-control-in-poke-function-allows-....md) - [31377 - \[SC - Critical\] Stucked yield tokens upon withdrawal of votes f...](https://reports.immunefi.com/alchemix/31377-sc-critical-stucked-yield-tokens-upon-withdrawal-of-votes-f....md) - [31380 - \[SC - High\] FluxTokencalculateBPT uses wrong algorithm caus...](https://reports.immunefi.com/alchemix/31380-sc-high-fluxtokencalculatebpt-uses-wrong-algorithm-caus....md) - [31381 - \[SC - Low\] Alchemix Incorrect Initialisation of struct in...](https://reports.immunefi.com/alchemix/31381-sc-low-alchemix-incorrect-initialisation-of-struct-in....md) - [31382 - \[SC - High\] VotingEscrowupdateUnlockTime - Its possible for...](https://reports.immunefi.com/alchemix/31382-sc-high-votingescrowupdateunlocktime-its-possible-for....md) - [31383 - \[SC - Low\] price feeds sanity checks isnt correct in funct...](https://reports.immunefi.com/alchemix/31383-sc-low-price-feeds-sanity-checks-isnt-correct-in-funct....md) - [31385 - \[SC - Low\] RewardsDistributortokensPerWeek might be zero i...](https://reports.immunefi.com/alchemix/31385-sc-low-rewardsdistributortokensperweek-might-be-zero-i....md) - [31386 - \[SC - Critical\] Malicious user can steal FLUX token by abusing ...](https://reports.immunefi.com/alchemix/31386-sc-critical-malicious-user-can-steal-flux-token-by-abusing-....md) - [31388 - \[SC - Critical\] Vulnerability in the poke function of Voting co...](https://reports.immunefi.com/alchemix/31388-sc-critical-vulnerability-in-the-poke-function-of-voting-co....md) - [31390 - \[SC - High\] Precision Loss in FluxTokensolgetClaimableFlux](https://reports.immunefi.com/alchemix/31390-sc-high-precision-loss-in-fluxtokensolgetclaimableflux.md) - [31397 - \[SC - Critical\] In Bribesol \_writeVotingCheckpoint isnt called ...](https://reports.immunefi.com/alchemix/31397-sc-critical-in-bribesol-_writevotingcheckpoint-isnt-called-....md) - [31399 - \[SC - High\] RewardDistributor claims can be DoSed through e...](https://reports.immunefi.com/alchemix/31399-sc-high-rewarddistributor-claims-can-be-dosed-through-e....md) - [31407 - \[SC - Insight\] Alchemist is given over Allowance through Reven...](https://reports.immunefi.com/alchemix/31407-sc-insight-alchemist-is-given-over-allowance-through-reven....md) - [31408 - \[SC - Critical\] Killed Gauge continue to accrue and steal rewar...](https://reports.immunefi.com/alchemix/31408-sc-critical-killed-gauge-continue-to-accrue-and-steal-rewar....md) - [31409 - \[SC - Critical\] Users can grief Bribe rewards forcing them to b...](https://reports.immunefi.com/alchemix/31409-sc-critical-users-can-grief-bribe-rewards-forcing-them-to-b....md) - [31410 - \[SC - Medium\] Griefing Attack using delegate will expose User...](https://reports.immunefi.com/alchemix/31410-sc-medium-griefing-attack-using-delegate-will-expose-user....md) - [31413 - \[SC - Medium\] DOS attack by delegating tokens at MAX\_DELEGATES](https://reports.immunefi.com/alchemix/31413-sc-medium-dos-attack-by-delegating-tokens-at-max_delegates.md) - [31416 - \[SC - Insight\] Impossible to set boostMultiplier to MIN\_BOOST](https://reports.immunefi.com/alchemix/31416-sc-insight-impossible-to-set-boostmultiplier-to-min_boost.md) - [31417 - \[SC - Insight\] Compound claiming transactions will revert if u...](https://reports.immunefi.com/alchemix/31417-sc-insight-compound-claiming-transactions-will-revert-if-u....md) - [31418 - \[SC - Critical\] the killed gauge collect claim amount](https://reports.immunefi.com/alchemix/31418-sc-critical-the-killed-gauge-collect-claim-amount.md) - [31420 - \[SC - Insight\] No array lengths check in VotersolclaimBribes](https://reports.immunefi.com/alchemix/31420-sc-insight-no-array-lengths-check-in-votersolclaimbribes.md) - [31425 - \[SC - Medium\] Users can call reset on their token even if the...](https://reports.immunefi.com/alchemix/31425-sc-medium-users-can-call-reset-on-their-token-even-if-the....md) - [31430 - \[SC - Insight\] QA](https://reports.immunefi.com/alchemix/31430-sc-insight-qa.md) - [31435 - \[SC - High\] ALCX rewards arent claimed for from token when ...](https://reports.immunefi.com/alchemix/31435-sc-high-alcx-rewards-arent-claimed-for-from-token-when-....md) - [31443 - \[SC - Insight\] Incorrect values of votingDelay and votingPerio...](https://reports.immunefi.com/alchemix/31443-sc-insight-incorrect-values-of-votingdelay-and-votingperio....md) - [31444 - \[SC - Critical\] Manipulation of ve voting mechanism unlimited b...](https://reports.immunefi.com/alchemix/31444-sc-critical-manipulation-of-ve-voting-mechanism-unlimited-b....md) - [31447 - \[SC - High\] veALCX holders are able to withdraw rewards and...](https://reports.immunefi.com/alchemix/31447-sc-high-vealcx-holders-are-able-to-withdraw-rewards-and....md) - [31448 - \[SC - Medium\] Bypassing the Governances proposal threshold to...](https://reports.immunefi.com/alchemix/31448-sc-medium-bypassing-the-governances-proposal-threshold-to....md) - [31449 - \[SC - Low\] BribegetRewardForOwner should not revert if the...](https://reports.immunefi.com/alchemix/31449-sc-low-bribegetrewardforowner-should-not-revert-if-the....md) - [31451 - \[SC - Insight\] MAX\_PROPOSAL\_NUMERATOR is incorrectly set](https://reports.immunefi.com/alchemix/31451-sc-insight-max_proposal_numerator-is-incorrectly-set.md) - [31453 - \[SC - Critical\] The balance of RevenueHandler can be drained](https://reports.immunefi.com/alchemix/31453-sc-critical-the-balance-of-revenuehandler-can-be-drained.md) - [31458 - \[SC - Critical\] Invalid handling of epochs revenue for tokens t...](https://reports.immunefi.com/alchemix/31458-sc-critical-invalid-handling-of-epochs-revenue-for-tokens-t....md) - [31460 - \[SC - Insight\] supportsInterface does not return typeIERCRecei...](https://reports.immunefi.com/alchemix/31460-sc-insight-supportsinterface-does-not-return-typeiercrecei....md) - [31461 - \[SC - Critical\] veALCX holder can mint Unlimited FLUX tokens](https://reports.immunefi.com/alchemix/31461-sc-critical-vealcx-holder-can-mint-unlimited-flux-tokens.md) - [31462 - \[SC - Medium\] Alchemix addReward access control can be bypas...](https://reports.immunefi.com/alchemix/31462-sc-medium-alchemix-addreward-access-control-can-be-bypas....md) - [31466 - \[SC - Critical\] Wrong reward calculation leads to rewards being...](https://reports.immunefi.com/alchemix/31466-sc-critical-wrong-reward-calculation-leads-to-rewards-being....md) - [31470 - \[SC - Critical\] Bribing protocols pay bribes but dont get emiss...](https://reports.immunefi.com/alchemix/31470-sc-critical-bribing-protocols-pay-bribes-but-dont-get-emiss....md) - [31472 - \[SC - Critical\] Stealing all revenue from the Alchemix protocol](https://reports.immunefi.com/alchemix/31472-sc-critical-stealing-all-revenue-from-the-alchemix-protocol.md) - [31478 - \[SC - High\] calculateBPT doesnt divide by basis points infl...](https://reports.immunefi.com/alchemix/31478-sc-high-calculatebpt-doesnt-divide-by-basis-points-infl....md) - [31479 - \[SC - High\] alchemechNFT holder will get too little FLUX be...](https://reports.immunefi.com/alchemix/31479-sc-high-alchemechnft-holder-will-get-too-little-flux-be....md) - [31480 - \[SC - High\] Miscalculation of global bias](https://reports.immunefi.com/alchemix/31480-sc-high-miscalculation-of-global-bias.md) - [31481 - \[SC - Critical\] Undound FLUX accrual through reset and merge](https://reports.immunefi.com/alchemix/31481-sc-critical-undound-flux-accrual-through-reset-and-merge.md) - [31483 - \[SC - Critical\] Users can vote multiple times in one epoch](https://reports.immunefi.com/alchemix/31483-sc-critical-users-can-vote-multiple-times-in-one-epoch.md) - [31484 - \[SC - High\] Rewards for the first epoch at rewards distribu...](https://reports.immunefi.com/alchemix/31484-sc-high-rewards-for-the-first-epoch-at-rewards-distribu....md) - [31485 - \[SC - Critical\] Miscalculation of distributed tokens at revenue...](https://reports.immunefi.com/alchemix/31485-sc-critical-miscalculation-of-distributed-tokens-at-revenue....md) - [31486 - \[SC - High\] getClaimableFlux miscalculates claimable FLUX f...](https://reports.immunefi.com/alchemix/31486-sc-high-getclaimableflux-miscalculates-claimable-flux-f....md) - [31487 - \[SC - Low\] Wrong condition check on RevenueHandlerconstruc...](https://reports.immunefi.com/alchemix/31487-sc-low-wrong-condition-check-on-revenuehandlerconstruc....md) - [31488 - \[SC - Critical\] Merging tokens allows multiple Flux accruals wi...](https://reports.immunefi.com/alchemix/31488-sc-critical-merging-tokens-allows-multiple-flux-accruals-wi....md) - [31494 - \[SC - High\] Alchemix The first epochs ALCX emissions of vo...](https://reports.immunefi.com/alchemix/31494-sc-high-alchemix-the-first-epochs-alcx-emissions-of-vo....md) - [31495 - \[SC - Critical\] Users cannot claim rewards from RevenueHandler ...](https://reports.immunefi.com/alchemix/31495-sc-critical-users-cannot-claim-rewards-from-revenuehandler-....md) - [31497 - \[SC - Low\] executeBatch lacks payable so ethers can not be...](https://reports.immunefi.com/alchemix/31497-sc-low-executebatch-lacks-payable-so-ethers-can-not-be....md) - [31498 - \[SC - High\] Alchemix ALCX rewards are currently subject to...](https://reports.immunefi.com/alchemix/31498-sc-high-alchemix-alcx-rewards-are-currently-subject-to....md) - [31503 - \[SC - Insight\] Incorrect value of MAX\_PROPOSAL\_NUMERATOR in Al...](https://reports.immunefi.com/alchemix/31503-sc-insight-incorrect-value-of-max_proposal_numerator-in-al....md) - [31507 - \[SC - Critical\] Malicious user could flash-loan the veALCX to i...](https://reports.immunefi.com/alchemix/31507-sc-critical-malicious-user-could-flash-loan-the-vealcx-to-i....md) - [31512 - \[SC - Critical\] Infinite minting of FLUX through Merge](https://reports.immunefi.com/alchemix/31512-sc-critical-infinite-minting-of-flux-through-merge.md) - [31514 - \[SC - Medium\] Malicious users can cause pokeTokens to revert](https://reports.immunefi.com/alchemix/31514-sc-medium-malicious-users-can-cause-poketokens-to-revert.md) - [31519 - \[SC - Low\] Lack of revert statement in Votersolpoke result...](https://reports.immunefi.com/alchemix/31519-sc-low-lack-of-revert-statement-in-votersolpoke-result....md) - [31520 - \[SC - Critical\] Incorrect accounting of totalVoting leads to pe...](https://reports.immunefi.com/alchemix/31520-sc-critical-incorrect-accounting-of-totalvoting-leads-to-pe....md) - [31521 - \[SC - Medium\] Early return in RewardsDistributorclaim can cau...](https://reports.immunefi.com/alchemix/31521-sc-medium-early-return-in-rewardsdistributorclaim-can-cau....md) - [31523 - \[SC - Low\] USDT Approval will cause function failure](https://reports.immunefi.com/alchemix/31523-sc-low-usdt-approval-will-cause-function-failure.md) - [31524 - \[SC - High\] Rounding down in getClaimableFlux leads to less...](https://reports.immunefi.com/alchemix/31524-sc-high-rounding-down-in-getclaimableflux-leads-to-less....md) - [31526 - \[SC - Critical\] A user is able to claim more bribes than they h...](https://reports.immunefi.com/alchemix/31526-sc-critical-a-user-is-able-to-claim-more-bribes-than-they-h....md) - [31527 - \[SC - Critical\] No accounting for totalVoting in Bribesolwithdr...](https://reports.immunefi.com/alchemix/31527-sc-critical-no-accounting-for-totalvoting-in-bribesolwithdr....md) - [31539 - \[SC - Medium\] The Voterdistribute function can continue to fail](https://reports.immunefi.com/alchemix/31539-sc-medium-the-voterdistribute-function-can-continue-to-fail.md) - [31540 - \[SC - Insight\] Expired Token Locks Impacting Vote Weight Calcu...](https://reports.immunefi.com/alchemix/31540-sc-insight-expired-token-locks-impacting-vote-weight-calcu....md) - [31541 - \[SC - Critical\] FluxTokens unlimited mint and Exploitation of g...](https://reports.immunefi.com/alchemix/31541-sc-critical-fluxtokens-unlimited-mint-and-exploitation-of-g....md) - [31542 - \[SC - Low\] Bribeearned - L Its potentially possible to ear...](https://reports.immunefi.com/alchemix/31542-sc-low-bribeearned-l-its-potentially-possible-to-ear....md) - [31544 - \[SC - High\] Certain small amount of tokens are not accounte...](https://reports.immunefi.com/alchemix/31544-sc-high-certain-small-amount-of-tokens-are-not-accounte....md) - [31552 - \[SC - Insight\] Lack of the validation for a Flash token protec...](https://reports.immunefi.com/alchemix/31552-sc-insight-lack-of-the-validation-for-a-flash-token-protec....md) - [31555 - \[SC - Low\] RewardsDistributoramountToCompound - L The stal...](https://reports.immunefi.com/alchemix/31555-sc-low-rewardsdistributoramounttocompound-l-the-stal....md) - [31556 - \[SC - Critical\] Unfair Revenue Distribution in Non-Alchemix Rev...](https://reports.immunefi.com/alchemix/31556-sc-critical-unfair-revenue-distribution-in-non-alchemix-rev....md) - [31558 - \[SC - Insight\] Discrepancy in MAX\_PROPOSAL\_NUMERATOR Value in ...](https://reports.immunefi.com/alchemix/31558-sc-insight-discrepancy-in-max_proposal_numerator-value-in-....md) - [31559 - \[SC - Low\] Minter UpdatePeriod after weeks causes Rewards...](https://reports.immunefi.com/alchemix/31559-sc-low-minter-updateperiod-after-weeks-causes-rewards....md) - [31562 - \[SC - Medium\] Every consecutive epoch will have same number o...](https://reports.immunefi.com/alchemix/31562-sc-medium-every-consecutive-epoch-will-have-same-number-o....md) - [31563 - \[SC - Low\] Oracle days staleThreshold for priceTimestamp ...](https://reports.immunefi.com/alchemix/31563-sc-low-oracle-days-stalethreshold-for-pricetimestamp-....md) - [31566 - \[SC - Medium\] Checkpoints wont update block number in point b...](https://reports.immunefi.com/alchemix/31566-sc-medium-checkpoints-wont-update-block-number-in-point-b....md) - [31567 - \[SC - Critical\] VotingEscrowsolcheckpoint is completely broken](https://reports.immunefi.com/alchemix/31567-sc-critical-votingescrowsolcheckpoint-is-completely-broken.md) - [31575 - \[SC - Medium\] depositIntoRewardPool and withdrawFromRewardPo...](https://reports.immunefi.com/alchemix/31575-sc-medium-depositintorewardpool-and-withdrawfromrewardpo....md) - [31579 - \[SC - Critical\] Infinite mint of FLUX using poke](https://reports.immunefi.com/alchemix/31579-sc-critical-infinite-mint-of-flux-using-poke.md) - [31583 - \[SC - Insight\] Off by one error while adding reward pool token](https://reports.immunefi.com/alchemix/31583-sc-insight-off-by-one-error-while-adding-reward-pool-token.md) - [31584 - \[SC - Critical\] Loss Of Boosted Weight When Poking In The Same ...](https://reports.immunefi.com/alchemix/31584-sc-critical-loss-of-boosted-weight-when-poking-in-the-same-....md) - [31588 - \[SC - Low\] Users could start cooldown period for their wit...](https://reports.immunefi.com/alchemix/31588-sc-low-users-could-start-cooldown-period-for-their-wit....md) - [31592 - \[SC - Insight\] Collection of other important issues](https://reports.immunefi.com/alchemix/31592-sc-insight-collection-of-other-important-issues.md) - [31594 - \[SC - Insight\] RewardPoolManager can only add RewardPoolToken ...](https://reports.immunefi.com/alchemix/31594-sc-insight-rewardpoolmanager-can-only-add-rewardpooltoken-....md) - [31597 - \[SC - High\] Loss of precision while calculating claimable f...](https://reports.immunefi.com/alchemix/31597-sc-high-loss-of-precision-while-calculating-claimable-f....md) - [BadgerDAO (eBTC)](https://reports.immunefi.com/badgerdao-ebtc.md) - [28546 - \[SC - Insight\] FlashLoan can be taken with no fee to be paid](https://reports.immunefi.com/badgerdao-ebtc/28546-sc-insight-flashloan-can-be-taken-with-no-fee-to-be-paid.md) - [28605 - \[SC - Insight\] Reentrancy on ActivePool allows users to borrow...](https://reports.immunefi.com/badgerdao-ebtc/28605-sc-insight-reentrancy-on-activepool-allows-users-to-borrow....md) - [28659 - \[SC - Insight\] Reentrancy in BorrowerOperationsflashLoan enabl...](https://reports.immunefi.com/badgerdao-ebtc/28659-sc-insight-reentrancy-in-borroweroperationsflashloan-enabl....md) - [28713 - \[SC - Insight\] Reentrancy on BorrowerOperations allows users t...](https://reports.immunefi.com/badgerdao-ebtc/28713-sc-insight-reentrancy-on-borroweroperations-allows-users-t....md) - [28791 - \[SC - Low\] The system protects from any rounding issues wh...](https://reports.immunefi.com/badgerdao-ebtc/28791-sc-low-the-system-protects-from-any-rounding-issues-wh....md) - [28823 - \[SC - Insight\] Lido slashing can negatively affect the whole l...](https://reports.immunefi.com/badgerdao-ebtc/28823-sc-insight-lido-slashing-can-negatively-affect-the-whole-l....md) - [28828 - \[SC - Low\] Use of deprecated Chainlink API can lead contra...](https://reports.immunefi.com/badgerdao-ebtc/28828-sc-low-use-of-deprecated-chainlink-api-can-lead-contra....md) - [28843 - \[SC - Low\] Canceled partial redeeming syncs the accounting...](https://reports.immunefi.com/badgerdao-ebtc/28843-sc-low-canceled-partial-redeeming-syncs-the-accounting....md) - [28849 - \[SC - Low\] Using batchRedemption even if the TCR becomes s...](https://reports.immunefi.com/badgerdao-ebtc/28849-sc-low-using-batchredemption-even-if-the-tcr-becomes-s....md) - [28853 - \[SC - Insight\] Trycatch will not function with internal type](https://reports.immunefi.com/badgerdao-ebtc/28853-sc-insight-trycatch-will-not-function-with-internal-type.md) - [28858 - \[SC - Insight\] Execution of SortedCpds while command may cause...](https://reports.immunefi.com/badgerdao-ebtc/28858-sc-insight-execution-of-sortedcpds-while-command-may-cause....md) - [28862 - \[SC - Insight\] Static MIN\_CHANGE threshold and lack of relativ...](https://reports.immunefi.com/badgerdao-ebtc/28862-sc-insight-static-min_change-threshold-and-lack-of-relativ....md) - [28864 - \[SC - Insight\] Unfair Liquidation when ICR equals TCR in redee...](https://reports.immunefi.com/badgerdao-ebtc/28864-sc-insight-unfair-liquidation-when-icr-equals-tcr-in-redee....md) - [28890 - \[SC - Insight\] EBTCTokensol mint function lack of checks allow...](https://reports.immunefi.com/badgerdao-ebtc/28890-sc-insight-ebtctokensol-mint-function-lack-of-checks-allow....md) - [28916 - \[SC - Insight\] Liquidation Abuse More than half of all assets ...](https://reports.immunefi.com/badgerdao-ebtc/28916-sc-insight-liquidation-abuse-more-than-half-of-all-assets-....md) - [28967 - \[SC - Insight\] When fallback oracle is frozen fetchPrice can r...](https://reports.immunefi.com/badgerdao-ebtc/28967-sc-insight-when-fallback-oracle-is-frozen-fetchprice-can-r....md) - [28973 - \[SC - Insight\] Users CDPs can be removed unintentionally by CD...](https://reports.immunefi.com/badgerdao-ebtc/28973-sc-insight-users-cdps-can-be-removed-unintentionally-by-cd....md) - [28980 - \[SC - Insight\] Ther is an invariant Check Failure in flashLoan...](https://reports.immunefi.com/badgerdao-ebtc/28980-sc-insight-ther-is-an-invariant-check-failure-in-flashloan....md) - [29000 - \[SC - Insight\] Potential for Denial-of-Service in the redeemCo...](https://reports.immunefi.com/badgerdao-ebtc/29000-sc-insight-potential-for-denial-of-service-in-the-redeemco....md) - [29002 - \[SC - Insight\] Incorrect implementation of EIP- domain separat...](https://reports.immunefi.com/badgerdao-ebtc/29002-sc-insight-incorrect-implementation-of-eip-domain-separat....md) - [DeGate](https://reports.immunefi.com/degate.md) - [25882 - \[SC - Insight\] Freezing of funds from the Default Deposit Cont...](https://reports.immunefi.com/degate/25882-sc-insight-freezing-of-funds-from-the-default-deposit-cont....md) - [25885 - \[SC - Insight\] Prevent the operator from submitting blocks to L](https://reports.immunefi.com/degate/25885-sc-insight-prevent-the-operator-from-submitting-blocks-to-l.md) - [25886 - \[SC - Insight\] registerToken can be front-run causing token ca...](https://reports.immunefi.com/degate/25886-sc-insight-registertoken-can-be-front-run-causing-token-ca....md) - [25892 - \[SC - Insight\] A malicious user can DoS force withdraw request...](https://reports.immunefi.com/degate/25892-sc-insight-a-malicious-user-can-dos-force-withdraw-request....md) - [25903 - \[SC - Insight\] Possible loss of user funds by front-runing the...](https://reports.immunefi.com/degate/25903-sc-insight-possible-loss-of-user-funds-by-front-runing-the....md) - [25906 - \[SC - Insight\] setDelay function doesnt revert even when the d...](https://reports.immunefi.com/degate/25906-sc-insight-setdelay-function-doesnt-revert-even-when-the-d....md) - [25917 - \[SC - Insight\] Timelock can call transferProxyOwnership of Dep...](https://reports.immunefi.com/degate/25917-sc-insight-timelock-can-call-transferproxyownership-of-dep....md) - [25921 - \[SC - Insight\] Flaw in upgradeToAndCall leads to the proxy cal...](https://reports.immunefi.com/degate/25921-sc-insight-flaw-in-upgradetoandcall-leads-to-the-proxy-cal....md) - [25927 - \[SC - Insight\] MultiSig Owners can set malicious implementatio...](https://reports.immunefi.com/degate/25927-sc-insight-multisig-owners-can-set-malicious-implementatio....md) - [25930 - \[SC - Insight\] Malicious owner can update the DepositParams st...](https://reports.immunefi.com/degate/25930-sc-insight-malicious-owner-can-update-the-depositparams-st....md) - [25933 - \[SC - Insight\] The last person to confirm can control the exec...](https://reports.immunefi.com/degate/25933-sc-insight-the-last-person-to-confirm-can-control-the-exec....md) - [25935 - \[SC - Insight\] Permissive Fallback Function](https://reports.immunefi.com/degate/25935-sc-insight-permissive-fallback-function.md) - [25952 - \[SC - Insight\] The smart contract could be inoperable due to w...](https://reports.immunefi.com/degate/25952-sc-insight-the-smart-contract-could-be-inoperable-due-to-w....md) - [26012 - \[SC - Insight\] getTransactionIds will break at some point runn...](https://reports.immunefi.com/degate/26012-sc-insight-gettransactionids-will-break-at-some-point-runn....md) - [26017 - \[SC - Insight\] getTransactionCount will break at some point ru...](https://reports.immunefi.com/degate/26017-sc-insight-gettransactioncount-will-break-at-some-point-ru....md) - [26039 - \[SC - Insight\] Proxy contract deployments can be front-run to ...](https://reports.immunefi.com/degate/26039-sc-insight-proxy-contract-deployments-can-be-front-run-to-....md) - [26066 - \[SC - Insight\] Timelock eta variable can be set further than i...](https://reports.immunefi.com/degate/26066-sc-insight-timelock-eta-variable-can-be-set-further-than-i....md) - [26073 - \[SC - Insight\] The implementation upgrade must be done by call...](https://reports.immunefi.com/degate/26073-sc-insight-the-implementation-upgrade-must-be-done-by-call....md) - [26095 - \[SC - Insight\] ID Uniqueness Violations](https://reports.immunefi.com/degate/26095-sc-insight-id-uniqueness-violations.md) - [26104 - \[SC - Insight\] Governance mechanism could be exploited to free...](https://reports.immunefi.com/degate/26104-sc-insight-governance-mechanism-could-be-exploited-to-free....md) - [26110 - \[SC - Insight\] All the funds from the DepositProxy contracts c...](https://reports.immunefi.com/degate/26110-sc-insight-all-the-funds-from-the-depositproxy-contracts-c....md) - [26116 - \[SC - Insight\] The MultiSigWalletgetTransactionIds function co...](https://reports.immunefi.com/degate/26116-sc-insight-the-multisigwalletgettransactionids-function-co....md) - [26124 - \[SC - Insight\] Some owners of the MultiSigWallet can bring the...](https://reports.immunefi.com/degate/26124-sc-insight-some-owners-of-the-multisigwallet-can-bring-the....md) - [26189 - \[SC - Insight\] Malicious Exchange Owner can sandwich-attack Et...](https://reports.immunefi.com/degate/26189-sc-insight-malicious-exchange-owner-can-sandwich-attack-et....md) - [26204 - \[SC - Insight\] DeGate Operator has capability to disable balan...](https://reports.immunefi.com/degate/26204-sc-insight-degate-operator-has-capability-to-disable-balan....md) - [26236 - \[SC - Insight\] Malicious DeGate Operator EOA can irreversibly ...](https://reports.immunefi.com/degate/26236-sc-insight-malicious-degate-operator-eoa-can-irreversibly-....md) - [26259 - \[SC - Insight\] txHash collision is possible](https://reports.immunefi.com/degate/26259-sc-insight-txhash-collision-is-possible.md) - [26275 - \[SC - Insight\] Bad implementation of executeTransaction functi...](https://reports.immunefi.com/degate/26275-sc-insight-bad-implementation-of-executetransaction-functi....md) - [26286 - \[SC - Insight\] Potential Signature Validation Bypass](https://reports.immunefi.com/degate/26286-sc-insight-potential-signature-validation-bypass.md) - [26422 - \[SC - Insight\] there is no explicit gas limit in external call...](https://reports.immunefi.com/degate/26422-sc-insight-there-is-no-explicit-gas-limit-in-external-call....md) - [26423 - \[SC - Insight\] Timelock executeTransaction function will succe...](https://reports.immunefi.com/degate/26423-sc-insight-timelock-executetransaction-function-will-succe....md) - [26431 - \[SC - Insight\] High Risk in transfer of proxyOwnership](https://reports.immunefi.com/degate/26431-sc-insight-high-risk-in-transfer-of-proxyownership.md) - [26446 - \[SC - Insight\] Consider implementing a two step process in tra...](https://reports.immunefi.com/degate/26446-sc-insight-consider-implementing-a-two-step-process-in-tra....md) - [26468 - \[SC - Insight\] Fee-on-transfer tokens can be used to steal oth...](https://reports.immunefi.com/degate/26468-sc-insight-fee-on-transfer-tokens-can-be-used-to-steal-oth....md) - [26479 - \[SC - Insight\] ExchangeV cannot be reinitialized after an upgrade](https://reports.immunefi.com/degate/26479-sc-insight-exchangev-cannot-be-reinitialized-after-an-upgrade.md) - [26501 - \[SC - Insight\] Timelock should handle queuing transactions and...](https://reports.immunefi.com/degate/26501-sc-insight-timelock-should-handle-queuing-transactions-and....md) - [26502 - \[SC - Insight\] DeGate Exodus mode forcing study](https://reports.immunefi.com/degate/26502-sc-insight-degate-exodus-mode-forcing-study.md) - [26509 - \[SC - Insight\] Exodus Mode Force](https://reports.immunefi.com/degate/26509-sc-insight-exodus-mode-force.md) - [26516 - \[SC - Insight\] Gnosis Multisig Contract can become unusable](https://reports.immunefi.com/degate/26516-sc-insight-gnosis-multisig-contract-can-become-unusable.md) - [26519 - \[SC - Insight\] Consider introducing the ability to change requ...](https://reports.immunefi.com/degate/26519-sc-insight-consider-introducing-the-ability-to-change-requ....md) - [26520 - \[SC - Insight\] Multisig Contract onChain can be bricked](https://reports.immunefi.com/degate/26520-sc-insight-multisig-contract-onchain-can-be-bricked.md) - [26521 - \[SC - Insight\] ChainId is missing](https://reports.immunefi.com/degate/26521-sc-insight-chainid-is-missing.md) - [26527 - \[SC - Insight\] Possible emission of wrong data in cancelTransa...](https://reports.immunefi.com/degate/26527-sc-insight-possible-emission-of-wrong-data-in-canceltransa....md) - [26529 - \[SC - Insight\] Mitigate Griefing Attacks Theft of Gas by Impl...](https://reports.immunefi.com/degate/26529-sc-insight-mitigate-griefing-attacks-theft-of-gas-by-impl....md) - [26530 - \[SC - Insight\] Inefficiency in upgradeToAndCall](https://reports.immunefi.com/degate/26530-sc-insight-inefficiency-in-upgradetoandcall.md) - [Firedancer v0.1](https://reports.immunefi.com/firedancer-v0.1.md) - [Boost \_ Firedancer v0.1 33347 - \[Blockchain\_DLT - Medium\] Integer underflow leading to memory corrup](https://reports.immunefi.com/firedancer-v0.1/boost-_-firedancer-v0.1-33347-blockchain_dlt-medium-integer-underflow-leading-to-memory-corruption-i.md) - [Boost \_ Firedancer v0.1 33348 - \[Blockchain\_DLT - Medium\] Integer underflow leading to memory corrup](https://reports.immunefi.com/firedancer-v0.1/boost-_-firedancer-v0.1-33348-blockchain_dlt-medium-integer-underflow-leading-to-memory-corruption-i.md) - [Boost \_ Firedancer v0.1 33378 - \[Blockchain\_DLT - Medium\] OOB Write leading to memory corruption in](https://reports.immunefi.com/firedancer-v0.1/boost-_-firedancer-v0.1-33378-blockchain_dlt-medium-oob-write-leading-to-memory-corruption-in-fd_mem.md) - [Boost \_ Firedancer v0.1 33586 - \[Blockchain\_DLT - Insight\] fd\_ebpf\_static\_link - possible disclosure](https://reports.immunefi.com/firedancer-v0.1/boost-_-firedancer-v0.1-33586-blockchain_dlt-insight-fd_ebpf_static_link-possible-disclosure-of-stac.md) - [Boost \_ Firedancer v0.1 33669 - \[Blockchain\_DLT - Medium\] fd\_quic\_process\_packet out of bounds read](https://reports.immunefi.com/firedancer-v0.1/boost-_-firedancer-v0.1-33669-blockchain_dlt-medium-fd_quic_process_packet-out-of-bounds-read.md) - [Boost \_ Firedancer v0.1 33717 - \[Blockchain\_DLT - Medium\] Memory corruption caused by fully controll](https://reports.immunefi.com/firedancer-v0.1/boost-_-firedancer-v0.1-33717-blockchain_dlt-medium-memory-corruption-caused-by-fully-controllable-s.md) - [Boost \_ Firedancer v0.1 33718 - \[Blockchain\_DLT - Medium\] The malicious fd\_shred\_t data passed betwe](https://reports.immunefi.com/firedancer-v0.1/boost-_-firedancer-v0.1-33718-blockchain_dlt-medium-the-malicious-fd_shred_t-data-passed-between-fd_.md) - [Boost \_ Firedancer v0.1 33774 - \[Blockchain\_DLT - Medium\] The malicious fd\_txn\_p\_t data passed betwe](https://reports.immunefi.com/firedancer-v0.1/boost-_-firedancer-v0.1-33774-blockchain_dlt-medium-the-malicious-fd_txn_p_t-data-passed-between-fd_.md) - [Boost \_ Firedancer v0.1 33862 - \[Blockchain\_DLT - Insight\] Discord Server Vulnerable to Takeover in](https://reports.immunefi.com/firedancer-v0.1/boost-_-firedancer-v0.1-33862-blockchain_dlt-insight-discord-server-vulnerable-to-takeover-in-fireda.md) - [Boost \_ Firedancer v0.1 33936 - \[Blockchain\_DLT - Medium\] shred tile fails to process zero sized udp](https://reports.immunefi.com/firedancer-v0.1/boost-_-firedancer-v0.1-33936-blockchain_dlt-medium-shred-tile-fails-to-process-zero-sized-udp-packe.md) - [Boost \_ Firedancer v0.1 34064 - \[Blockchain\_DLT - Medium\] bank tile possible code execution](https://reports.immunefi.com/firedancer-v0.1/boost-_-firedancer-v0.1-34064-blockchain_dlt-medium-bank-tile-possible-code-execution.md) - [Boost \_ Firedancer v0.1 34234 - \[Blockchain\_DLT - Insight\] Setting the variable shred\_cnt in the shr](https://reports.immunefi.com/firedancer-v0.1/boost-_-firedancer-v0.1-34234-blockchain_dlt-insight-setting-the-variable-shred_cnt-in-the-shred-obj.md) - [Boost \_ Firedancer v0.1 34272 - \[Blockchain\_DLT - Medium\] Remote memory corruption in Shred tile](https://reports.immunefi.com/firedancer-v0.1/boost-_-firedancer-v0.1-34272-blockchain_dlt-medium-remote-memory-corruption-in-shred-tile.md) - [Boost \_ Firedancer v0.1 34290 - \[Blockchain\_DLT - Medium\] bank tile overflow](https://reports.immunefi.com/firedancer-v0.1/boost-_-firedancer-v0.1-34290-blockchain_dlt-medium-bank-tile-overflow.md) - [Boost \_ Firedancer v0.1 34501 - \[Blockchain\_DLT - Medium\] DoS in shreds validation](https://reports.immunefi.com/firedancer-v0.1/boost-_-firedancer-v0.1-34501-blockchain_dlt-medium-dos-in-shreds-validation.md) - [Boost \_ Firedancer v0.1 34564 - \[Blockchain\_DLT - Medium\] shred tile overflow](https://reports.immunefi.com/firedancer-v0.1/boost-_-firedancer-v0.1-34564-blockchain_dlt-medium-shred-tile-overflow.md) - [Boost \_ Firedancer v0.1 34682 - \[Blockchain\_DLT - Medium\] DoS in shreds validation](https://reports.immunefi.com/firedancer-v0.1/boost-_-firedancer-v0.1-34682-blockchain_dlt-medium-dos-in-shreds-validation.md) - [Folks Finance](https://reports.immunefi.com/folks-finance.md) - [Boost \_ Folks Finance 33258 - \[Smart Contract - Insight\] Usage of floating pragma](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33258-smart-contract-insight-usage-of-floating-pragma.md) - [Boost \_ Folks Finance 33269 - \[Smart Contract - Critical\] Logic flaw in UserLoanincreaseCollateral l](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33269-smart-contract-critical-logic-flaw-in-userloanincreasecollateral-leads-t.md) - [Boost \_ Folks Finance 33272 - \[Smart Contract - Medium\] FrontRunning Attack on createAccount](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33272-smart-contract-medium-frontrunning-attack-on-createaccount.md) - [Boost \_ Folks Finance 33280 - \[Smart Contract - Low\] NodeManagersupportsInterface doesnt follow EIP-](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33280-smart-contract-low-nodemanagersupportsinterface-doesnt-follow-eip.md) - [Boost \_ Folks Finance 33311 - \[Smart Contract - Critical\] Infinite Interest rate bug](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33311-smart-contract-critical-infinite-interest-rate-bug.md) - [Boost \_ Folks Finance 33353 - \[Smart Contract - Low\] Incorrect implementation of Time-Weighted Avera](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33353-smart-contract-low-incorrect-implementation-of-time-weighted-average-pri.md) - [Boost \_ Folks Finance 33356 - \[Smart Contract - Low\] All data in \_userLoans mapping will not be dele](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33356-smart-contract-low-all-data-in-_userloans-mapping-will-not-be-deleted-af.md) - [Boost \_ Folks Finance 33376 - \[Smart Contract - Insight\] BridgeRouterreceiveMessage Allows Message R](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33376-smart-contract-insight-bridgerouterreceivemessage-allows-message-replay.md) - [Boost \_ Folks Finance 33441 - \[Smart Contract - Insight\] Protocol uses Pyth to fetch price which is](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33441-smart-contract-insight-protocol-uses-pyth-to-fetch-price-which-is-a-pull.md) - [Boost \_ Folks Finance 33443 - \[Smart Contract - Low\] StalenessCircuitBreakerNode checks if the last](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33443-smart-contract-low-stalenesscircuitbreakernode-checks-if-the-last-update.md) - [Boost \_ Folks Finance 33454 - \[Smart Contract - Low\] unsafe casting will lead to break of PythNode O](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33454-smart-contract-low-unsafe-casting-will-lead-to-break-of-pythnode-oracle.md) - [Boost \_ Folks Finance 33526 - \[Smart Contract - Insight\] Need to check returnAdapterId](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33526-smart-contract-insight-need-to-check-returnadapterid.md) - [Boost \_ Folks Finance 33533 - \[Smart Contract - Critical\] depositDatainterestRate is not correct](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33533-smart-contract-critical-depositdatainterestrate-is-not-correct.md) - [Boost \_ Folks Finance 33534 - \[Smart Contract - Medium\] denial of service vulnerability and possible](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33534-smart-contract-medium-denial-of-service-vulnerability-and-possible-grief.md) - [Boost \_ Folks Finance 33540 - \[Smart Contract - Low\] ChainlinkNode uses cached decimals in the calcu](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33540-smart-contract-low-chainlinknode-uses-cached-decimals-in-the-calculation.md) - [Boost \_ Folks Finance 33542 - \[Smart Contract - Medium\] Attacker can create loan before users tx is](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33542-smart-contract-medium-attacker-can-create-loan-before-users-tx-is-comple.md) - [Boost \_ Folks Finance 33546 - \[Smart Contract - Medium\] Adversaries can manipulate victims stable ra](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33546-smart-contract-medium-adversaries-can-manipulate-victims-stable-rate-to.md) - [Boost \_ Folks Finance 33566 - \[Smart Contract - Low\] RepayWithCollateral will almost always fail in](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33566-smart-contract-low-repaywithcollateral-will-almost-always-fail-in-partia.md) - [Boost \_ Folks Finance 33568 - \[Smart Contract - Medium\] Front-running vulnerability in cross-chain l](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33568-smart-contract-medium-front-running-vulnerability-in-cross-chain-loan-cr.md) - [Boost \_ Folks Finance 33588 - \[Smart Contract - Insight\] The liquidator can make the protocol incur](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33588-smart-contract-insight-the-liquidator-can-make-the-protocol-incur-bad-de.md) - [Boost \_ Folks Finance 33589 - \[Smart Contract - Medium\] Anyone can call the BridgeRouter Recieve fun](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33589-smart-contract-medium-anyone-can-call-the-bridgerouter-recieve-function.md) - [Boost \_ Folks Finance 33596 - \[Smart Contract - Low\] Incorrect rounding direction in HubPoolLogicupd](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33596-smart-contract-low-incorrect-rounding-direction-in-hubpoollogicupdatewit.md) - [Boost \_ Folks Finance 33609 - \[Smart Contract - Medium\] Account creation can be frontrun making the](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33609-smart-contract-medium-account-creation-can-be-frontrun-making-the-users.md) - [Boost \_ Folks Finance 33611 - \[Smart Contract - Medium\] Adversary can perform a DoS on users createL](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33611-smart-contract-medium-adversary-can-perform-a-dos-on-users-createloan-an.md) - [Boost \_ Folks Finance 33614 - \[Smart Contract - Medium\] Front-Running Vulnerability in createAccount](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33614-smart-contract-medium-front-running-vulnerability-in-createaccount-metho.md) - [Boost \_ Folks Finance 33630 - \[Smart Contract - High\] Incorrect calculation of loanBorrowbalance](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33630-smart-contract-high-incorrect-calculation-of-loanborrowbalance.md) - [Boost \_ Folks Finance 33631 - \[Smart Contract - Low\] Wrong implementation of chainLink getTwapPrice](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33631-smart-contract-low-wrong-implementation-of-chainlink-gettwapprice-can-le.md) - [Boost \_ Folks Finance 33643 - \[Smart Contract - Low\] PriceFeed from PythNode will always revert for](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33643-smart-contract-low-pricefeed-from-pythnode-will-always-revert-for-some-p.md) - [Boost \_ Folks Finance 33644 - \[Smart Contract - Insight\] Insufficient msgvalue validation for Wormho](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33644-smart-contract-insight-insufficient-msgvalue-validation-for-wormhole-ada.md) - [Boost \_ Folks Finance 33645 - \[Smart Contract - Medium\] Griefing an user from creating an account](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33645-smart-contract-medium-griefing-an-user-from-creating-an-account.md) - [Boost \_ Folks Finance 33652 - \[Smart Contract - Insight\] BridgeRouters Unprotected Reversal Function](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33652-smart-contract-insight-bridgerouters-unprotected-reversal-function-compr.md) - [Boost \_ Folks Finance 33665 - \[Smart Contract - Critical\] Collateral Inflation Exploit via Zero-Amou](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33665-smart-contract-critical-collateral-inflation-exploit-via-zero-amount-dep.md) - [Boost \_ Folks Finance 33670 - \[Smart Contract - Insight\] Violator can deny his liquidation by front](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33670-smart-contract-insight-violator-can-deny-his-liquidation-by-front-runnin.md) - [Boost \_ Folks Finance 33675 - \[Smart Contract - Low\] PythNodeprocess can revert because of incorrect](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33675-smart-contract-low-pythnodeprocess-can-revert-because-of-incorrect-casti.md) - [Boost \_ Folks Finance 33684 - \[Smart Contract - Critical\] Lack of available liquidity check when sen](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33684-smart-contract-critical-lack-of-available-liquidity-check-when-sending-t.md) - [Boost \_ Folks Finance 33687 - \[Smart Contract - Medium\] Loan creation can be frontrun preventing the](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33687-smart-contract-medium-loan-creation-can-be-frontrun-preventing-the-users.md) - [Boost \_ Folks Finance 33694 - \[Smart Contract - Medium\] stableBorrowRates are manipulatable through](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33694-smart-contract-medium-stableborrowrates-are-manipulatable-through-flashl.md) - [Boost \_ Folks Finance 33695 - \[Smart Contract - Critical\] Attacker can borrow more than the collater](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33695-smart-contract-critical-attacker-can-borrow-more-than-the-collateral-dep.md) - [Boost \_ Folks Finance 33713 - \[Smart Contract - Insight\] Some transactions can revert when nodetype](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33713-smart-contract-insight-some-transactions-can-revert-when-nodetype-is-pri.md) - [Boost \_ Folks Finance 33746 - \[Smart Contract - Insight\] Rounding down to zero leads to liquidate fu](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33746-smart-contract-insight-rounding-down-to-zero-leads-to-liquidate-function.md) - [Boost \_ Folks Finance 33778 - \[Smart Contract - Medium\] The loan creation process can be griefed](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33778-smart-contract-medium-the-loan-creation-process-can-be-griefed.md) - [Boost \_ Folks Finance 33779 - \[Smart Contract - Medium\] The account creation process can be griefed](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33779-smart-contract-medium-the-account-creation-process-can-be-griefed.md) - [Boost \_ Folks Finance 33780 - \[Smart Contract - Critical\] Zero deposits can be used to artificially](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33780-smart-contract-critical-zero-deposits-can-be-used-to-artificially-inflat.md) - [Boost \_ Folks Finance 33787 - \[Smart Contract - Low\] Function PythNodeprocess doesnt handle correctl](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33787-smart-contract-low-function-pythnodeprocess-doesnt-handle-correctly-prec.md) - [Boost \_ Folks Finance 33807 - \[Smart Contract - Low\] updateInterestRate uses incorrect reference of](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33807-smart-contract-low-updateinterestrate-uses-incorrect-reference-of-borrow.md) - [Boost \_ Folks Finance 33816 - \[Smart Contract - Critical\] Attacker can get unlimited loan for some m](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33816-smart-contract-critical-attacker-can-get-unlimited-loan-for-some-minimum.md) - [Boost \_ Folks Finance 33817 - \[Smart Contract - High\] Incorrect calculation of effective borrow valu](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33817-smart-contract-high-incorrect-calculation-of-effective-borrow-value-in-g.md) - [Boost \_ Folks Finance 33852 - \[Smart Contract - Insight\] Small positions will not get liquidated](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33852-smart-contract-insight-small-positions-will-not-get-liquidated.md) - [Boost \_ Folks Finance 33869 - \[Smart Contract - Medium\] loanIds are easy to reproduce and front-runn](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33869-smart-contract-medium-loanids-are-easy-to-reproduce-and-front-running-en.md) - [Boost \_ Folks Finance 33870 - \[Smart Contract - Low\] convToRepayBorrowAmount calculation is incorrec](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33870-smart-contract-low-convtorepayborrowamount-calculation-is-incorrect-caus.md) - [Boost \_ Folks Finance 33880 - \[Smart Contract - Medium\] Front-Running Vulnerability in createUserLoa](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33880-smart-contract-medium-front-running-vulnerability-in-createuserloan-meth.md) - [Boost \_ Folks Finance 33885 - \[Smart Contract - Low\] Incorrect prices will be returned if the NodeTy](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33885-smart-contract-low-incorrect-prices-will-be-returned-if-the-nodetype-is.md) - [Boost \_ Folks Finance 33893 - \[Smart Contract - Medium\] Malicious users can DoS loan creations and d](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33893-smart-contract-medium-malicious-users-can-dos-loan-creations-and-deposit.md) - [Boost \_ Folks Finance 33923 - \[Smart Contract - Low\] Function HubPoolLogicupdateWithWithdraw doesnt](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33923-smart-contract-low-function-hubpoollogicupdatewithwithdraw-doesnt-round.md) - [Boost \_ Folks Finance 33935 - \[Smart Contract - Insight\] Liquidations dont ensure the violator loan](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33935-smart-contract-insight-liquidations-dont-ensure-the-violator-loan-become.md) - [Boost \_ Folks Finance 33947 - \[Smart Contract - Low\] During liquidations when borrowToRepay collater](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33947-smart-contract-low-during-liquidations-when-borrowtorepay-collateral-the.md) - [Boost \_ Folks Finance 33950 - \[Smart Contract - Low\] pythnode oracle unexpected revert](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33950-smart-contract-low-pythnode-oracle-unexpected-revert.md) - [Boost \_ Folks Finance 33953 - \[Smart Contract - Low\] Calling process function will not revert even i](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33953-smart-contract-low-calling-process-function-will-not-revert-even-if-two.md) - [Boost \_ Folks Finance 33970 - \[Smart Contract - Medium\] User deposits can be blocked](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33970-smart-contract-medium-user-deposits-can-be-blocked.md) - [Boost \_ Folks Finance 33978 - \[Smart Contract - Critical\] Attacker can Inflate effectiveCollateralVa](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33978-smart-contract-critical-attacker-can-inflate-effectivecollateralvalue.md) - [Boost \_ Folks Finance 33981 - \[Smart Contract - Low\] The PythNode library process function implement](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33981-smart-contract-low-the-pythnode-library-process-function-implementation.md) - [Boost \_ Folks Finance 33987 - \[Smart Contract - Medium\] Incorrect access control in receiveMessage l](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33987-smart-contract-medium-incorrect-access-control-in-receivemessage-leads-t.md) - [Boost \_ Folks Finance 34025 - \[Smart Contract - Medium\] Malicious user can DoS the creation of every](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-34025-smart-contract-medium-malicious-user-can-dos-the-creation-of-every-accou.md) - [Boost \_ Folks Finance 34028 - \[Smart Contract - Medium\] Denial of Service DoS vulnerability in UserL](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-34028-smart-contract-medium-denial-of-service-dos-vulnerability-in-userloan-cr.md) - [Boost \_ Folks Finance 34029 - \[Smart Contract - Medium\] Contract fails to mitigate potential critica](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-34029-smart-contract-medium-contract-fails-to-mitigate-potential-critical-stat.md) - [Boost \_ Folks Finance 34030 - \[Smart Contract - Low\] Incorrect rounding down in HubPoolLogicupdateWi](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-34030-smart-contract-low-incorrect-rounding-down-in-hubpoollogicupdatewithwith.md) - [Boost \_ Folks Finance 34047 - \[Smart Contract - Low\] Adversaries can create a position that is nearl](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-34047-smart-contract-low-adversaries-can-create-a-position-that-is-nearly-impo.md) - [Boost \_ Folks Finance 34050 - \[Smart Contract - High\] Vulnerability in getLoanLiquidity leads to und](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-34050-smart-contract-high-vulnerability-in-getloanliquidity-leads-to-undervalu.md) - [Boost \_ Folks Finance 34052 - \[Smart Contract - Low\] withdraw doesnt round in favour of protocol for](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-34052-smart-contract-low-withdraw-doesnt-round-in-favour-of-protocol-for-isfam.md) - [Boost \_ Folks Finance 34054 - \[Smart Contract - Low\] In liquidation loanPoolcollateralUsed doesnt ge](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-34054-smart-contract-low-in-liquidation-loanpoolcollateralused-doesnt-get-redu.md) - [Boost \_ Folks Finance 34066 - \[Smart Contract - Medium\] Account Creation Front-Running Vulnerability](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-34066-smart-contract-medium-account-creation-front-running-vulnerability-leadi.md) - [Boost \_ Folks Finance 34069 - \[Smart Contract - Low\] repayWithCollateral may revert when repay samll](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-34069-smart-contract-low-repaywithcollateral-may-revert-when-repay-samll-amoun.md) - [Boost \_ Folks Finance 34074 - \[Smart Contract - Critical\] Hub missing check for available liquidity](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-34074-smart-contract-critical-hub-missing-check-for-available-liquidity-could.md) - [Boost \_ Folks Finance 34076 - \[Smart Contract - Low\] Wrong way of deriving message keys using destin](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-34076-smart-contract-low-wrong-way-of-deriving-message-keys-using-destination.md) - [Boost \_ Folks Finance 34085 - \[Smart Contract - Low\] partial repayment with collaterals will revert](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-34085-smart-contract-low-partial-repayment-with-collaterals-will-revert-due-to.md) - [Boost \_ Folks Finance 34122 - \[Smart Contract - High\] Wrong borrow balance calculation in the getLoa](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-34122-smart-contract-high-wrong-borrow-balance-calculation-in-the-getloanliqui.md) - [Boost \_ Folks Finance 34124 - \[Smart Contract - Low\] Smart contract cannot be accessed during the no](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-34124-smart-contract-low-smart-contract-cannot-be-accessed-during-the-normal-l.md) - [Boost \_ Folks Finance 34127 - \[Smart Contract - Low\] Liquidator gets more debt than usual](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-34127-smart-contract-low-liquidator-gets-more-debt-than-usual.md) - [Boost \_ Folks Finance 34132 - \[Smart Contract - Low\] Liquidation bonus incorrectly inflates repayBor](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-34132-smart-contract-low-liquidation-bonus-incorrectly-inflates-repayborrowamo.md) - [Boost \_ Folks Finance 34148 - \[Smart Contract - Low\] Full liquidations will fail for certain unhealt](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-34148-smart-contract-low-full-liquidations-will-fail-for-certain-unhealthy-pos.md) - [Boost \_ Folks Finance 34150 - \[Smart Contract - Low\] Failed messages never expire and can be replaye](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-34150-smart-contract-low-failed-messages-never-expire-and-can-be-replayed-by-a.md) - [Boost \_ Folks Finance 34153 - \[Smart Contract - Low\] TWAP query by chainlink is wrong according to c](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-34153-smart-contract-low-twap-query-by-chainlink-is-wrong-according-to-chainli.md) - [Boost \_ Folks Finance 34158 - \[Smart Contract - Low\] NodeManagersupportsInterface returns false for](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-34158-smart-contract-low-nodemanagersupportsinterface-returns-false-for-typeie.md) - [Boost \_ Folks Finance 34161 - \[Smart Contract - Medium\] Denial of Service via Front-Running in Loan](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-34161-smart-contract-medium-denial-of-service-via-front-running-in-loan-creati.md) - [Boost \_ Folks Finance 34169 - \[Smart Contract - Low\] Potential revert in PythNode library due to inc](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-34169-smart-contract-low-potential-revert-in-pythnode-library-due-to-incorrect.md) - [Boost \_ Folks Finance 34174 - \[Smart Contract - Low\] Bug in liquidation logic leads to stealing fund](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-34174-smart-contract-low-bug-in-liquidation-logic-leads-to-stealing-funds-from.md) - [Boost \_ Folks Finance 34179 - \[Smart Contract - High\] Incorrect Updates to pooldepositDatatotalAmoun](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-34179-smart-contract-high-incorrect-updates-to-pooldepositdatatotalamount-and.md) - [Boost \_ Folks Finance 34183 - \[Smart Contract - Insight\] rebalanceUp could be used to lower the user](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-34183-smart-contract-insight-rebalanceup-could-be-used-to-lower-the-userloanst.md) - [Boost \_ Folks Finance 34188 - \[Smart Contract - Insight\] BridgeRouterHub can add address adapter](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-34188-smart-contract-insight-bridgerouterhub-can-add-address-adapter.md) - [Boost \_ Folks Finance 34190 - \[Smart Contract - Critical\] Liquidated users can mix and manipulate st](https://reports.immunefi.com/folks-finance/boost-_-folks-finance-34190-smart-contract-critical-liquidated-users-can-mix-and-manipulate-stable-a.md) - [Fuel Network | Attackathon](https://reports.immunefi.com/fuel-network-or-attackathon.md) - [Attackathon \_ Fuel Network 32269 - \[Smart Contract - High\] Incorrect fuel dce optimization register](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32269-smart-contract-high-incorrect-fuel-dce-optimization-register-usage.md) - [Attackathon \_ Fuel Network 32270 - \[Smart Contract - Low\] Inappropriate fuel dce on side affects](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32270-smart-contract-low-inappropriate-fuel-dce-on-side-affects.md) - [Attackathon \_ Fuel Network 32271 - \[Blockchain\_DLT - Medium\] Incorrect state range access helper](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32271-blockchain_dlt-medium-incorrect-state-range-access-helper.md) - [Attackathon \_ Fuel Network 32275 - \[Smart Contract - Medium\] Various Sway Libs Bugs](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32275-smart-contract-medium-various-sway-libs-bugs.md) - [Attackathon \_ Fuel Network 32276 - \[Smart Contract - Insight\] wrong implementation in gt and lt func](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32276-smart-contract-insight-wrong-implementation-in-gt-and-lt-functions.md) - [Attackathon \_ Fuel Network 32291 - \[Blockchain\_DLT - Insight\] Profiling is incorrect for dependent g](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32291-blockchain_dlt-insight-profiling-is-incorrect-for-dependent-gas-cos.md) - [Attackathon \_ Fuel Network 32302 - \[Smart Contract - Low\] Src ContractConfigurables hash collision](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32302-smart-contract-low-src-contractconfigurables-hash-collision.md) - [Attackathon \_ Fuel Network 32314 - \[Smart Contract - Insight\] Missing \_disableInitializers in FuelER](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32314-smart-contract-insight-missing-_disableinitializers-in-fuelercgatew.md) - [Attackathon \_ Fuel Network 32327 - \[Websites and Applications - Low\] REVISED Malicious Downtime via](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32327-websites-and-applications-low-revised-malicious-downtime-via-missin.md) - [Attackathon \_ Fuel Network 32378 - \[Smart Contract - Insight\] Missing Zero-Check for Recipient Addre](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32378-smart-contract-insight-missing-zero-check-for-recipient-address-in.md) - [Attackathon \_ Fuel Network 32388 - \[Smart Contract - Low\] Buffer overflow in EncodeBufferAppend intr](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32388-smart-contract-low-buffer-overflow-in-encodebufferappend-intrinsic.md) - [Attackathon \_ Fuel Network 32390 - \[Smart Contract - Low\] Unchecked Virtual Immediate Construction O](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32390-smart-contract-low-unchecked-virtual-immediate-construction-overflo.md) - [Attackathon \_ Fuel Network 32412 - \[Smart Contract - Insight\] the IFP divide functions does not have](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32412-smart-contract-insight-the-ifp-divide-functions-does-not-have-check.md) - [Attackathon \_ Fuel Network 32438 - \[Smart Contract - Low\] Unhandled Bailout During AbstractInstructi](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32438-smart-contract-low-unhandled-bailout-during-abstractinstructionset.md) - [Attackathon \_ Fuel Network 32439 - \[Smart Contract - Low\] Missing Alignment Check During AbstractIns](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32439-smart-contract-low-missing-alignment-check-during-abstractinstructi.md) - [Attackathon \_ Fuel Network 32453 - \[Smart Contract - Low\] Unhandled Side Effect During AbstractInstr](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32453-smart-contract-low-unhandled-side-effect-during-abstractinstruction.md) - [Attackathon \_ Fuel Network 32459 - \[Websites and Applications - Low\] URGENT WEB funds drained using](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32459-websites-and-applications-low-urgent-web-funds-drained-using-url-pa.md) - [Attackathon \_ Fuel Network 32465 - \[Blockchain\_DLT - High\] Abuse of CCP instruction to do cheap memo](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32465-blockchain_dlt-high-abuse-of-ccp-instruction-to-do-cheap-memory-cle.md) - [Attackathon \_ Fuel Network 32486 - \[Blockchain\_DLT - Medium\] Public RPC node craches via GraphQL API](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32486-blockchain_dlt-medium-public-rpc-node-craches-via-graphql-api.md) - [Attackathon \_ Fuel Network 32491 - \[Smart Contract - Low\] Incorrect PushA PopA Mask Calculation](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32491-smart-contract-low-incorrect-pusha-popa-mask-calculation.md) - [Attackathon \_ Fuel Network 32536 - \[Smart Contract - Insight\] The control flow graph is incorrectly](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32536-smart-contract-insight-the-control-flow-graph-is-incorrectly-constr.md) - [Attackathon \_ Fuel Network 32537 - \[Smart Contract - Low\] Different data types can be used when init](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32537-smart-contract-low-different-data-types-can-be-used-when-initializi.md) - [Attackathon \_ Fuel Network 32548 - \[Smart Contract - Low\] Uncaught Integer Overflow During AbstractI](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32548-smart-contract-low-uncaught-integer-overflow-during-abstractinstruc.md) - [Attackathon \_ Fuel Network 32612 - \[Smart Contract - Low\] Lack of slot hashing at adminsw can cause](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32612-smart-contract-low-lack-of-slot-hashing-at-adminsw-can-cause-storag.md) - [Attackathon \_ Fuel Network 32628 - \[Blockchain\_DLT - Medium\] A GraphQL query crashes core process](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32628-blockchain_dlt-medium-a-graphql-query-crashes-core-process.md) - [Attackathon \_ Fuel Network 32673 - \[Smart Contract - Low\] Missing array length check for non constan](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32673-smart-contract-low-missing-array-length-check-for-non-constant-eval.md) - [Attackathon \_ Fuel Network 32695 - \[Blockchain\_DLT - Insight\] increasing processing for public nodes](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32695-blockchain_dlt-insight-increasing-processing-for-public-nodes-with.md) - [Attackathon \_ Fuel Network 32696 - \[Smart Contract - High\] incorrect setting of non\_negative value i](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32696-smart-contract-high-incorrect-setting-of-non_negative-value-in-ceil.md) - [Attackathon \_ Fuel Network 32700 - \[Smart Contract - High\] double increasing underlying value in cei](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32700-smart-contract-high-double-increasing-underlying-value-in-ceil-func.md) - [Attackathon \_ Fuel Network 32703 - \[Smart Contract - Low\] Unexpected variable shadowing during ir ge](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32703-smart-contract-low-unexpected-variable-shadowing-during-ir-generati.md) - [Attackathon \_ Fuel Network 32706 - \[Smart Contract - High\] the function subtract in signed libs like](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32706-smart-contract-high-the-function-subtract-in-signed-libs-like-isw-d.md) - [Attackathon \_ Fuel Network 32728 - \[Smart Contract - Low\] Incorrect literal type inference](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32728-smart-contract-low-incorrect-literal-type-inference.md) - [Attackathon \_ Fuel Network 32730 - \[Smart Contract - Low\] The Sway compiler currently disallows read](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32730-smart-contract-low-the-sway-compiler-currently-disallows-read-acces.md) - [Attackathon \_ Fuel Network 32768 - \[Blockchain\_DLT - Medium\] WDCM and WQCM doesnt respect the fuel-s](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32768-blockchain_dlt-medium-wdcm-and-wqcm-doesnt-respect-the-fuel-specs.md) - [Attackathon \_ Fuel Network 32786 - \[Smart Contract - Low\] incorrect set of i bits to which it should](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32786-smart-contract-low-incorrect-set-of-i-bits-to-which-it-should-be-bi.md) - [Attackathon \_ Fuel Network 32812 - \[Smart Contract - Low\] Sway-libSRC- Buffer overflow in swap\_confi](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32812-smart-contract-low-sway-libsrc-buffer-overflow-in-swap_configurable.md) - [Attackathon \_ Fuel Network 32825 - \[Blockchain\_DLT - High\] Consensus between -bit and -bit system ca](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32825-blockchain_dlt-high-consensus-between-bit-and-bit-system-can-fail-f.md) - [Attackathon \_ Fuel Network 32835 - \[Smart Contract - Insight\] sway compiler doesnt prevent function](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32835-smart-contract-insight-sway-compiler-doesnt-prevent-function-select.md) - [Attackathon \_ Fuel Network 32849 - \[Smart Contract - Low\] Insufficient array construction element ty](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32849-smart-contract-low-insufficient-array-construction-element-type-che.md) - [Attackathon \_ Fuel Network 32854 - \[Smart Contract - Low\] Sway-libstd-libcompiler Storage collision](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32854-smart-contract-low-sway-libstd-libcompiler-storage-collision-betwee.md) - [Attackathon \_ Fuel Network 32859 - \[Smart Contract - Low\] Incorrect argument pointer creation](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32859-smart-contract-low-incorrect-argument-pointer-creation.md) - [Attackathon \_ Fuel Network 32860 - \[Blockchain\_DLT - Insight\] Resource Abuse CCP instruction is load](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32860-blockchain_dlt-insight-resource-abuse-ccp-instruction-is-loading-th.md) - [Attackathon \_ Fuel Network 32872 - \[Smart Contract - High\] Incorrect load\_store\_to\_memcopy optimizat](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32872-smart-contract-high-incorrect-load_store_to_memcopy-optimization.md) - [Attackathon \_ Fuel Network 32884 - \[Smart Contract - Medium\] Compilerstd-lib storage collison betwee](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32884-smart-contract-medium-compilerstd-lib-storage-collison-between-vari.md) - [Attackathon \_ Fuel Network 32886 - \[Smart Contract - Medium\] Incorrect function purity check](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32886-smart-contract-medium-incorrect-function-purity-check.md) - [Attackathon \_ Fuel Network 32924 - \[Smart Contract - Insight\] sways legacy storage namespacing is br](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32924-smart-contract-insight-sways-legacy-storage-namespacing-is-broken-a.md) - [Attackathon \_ Fuel Network 32935 - \[Smart Contract - Insight\] Insufficient trait duplication check](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32935-smart-contract-insight-insufficient-trait-duplication-check.md) - [Attackathon \_ Fuel Network 32937 - \[Smart Contract - Insight\] Fallback function can be directly call](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32937-smart-contract-insight-fallback-function-can-be-directly-called-wit.md) - [Attackathon \_ Fuel Network 32938 - \[Smart Contract - Insight\] Insufficient declaration shadowing che](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32938-smart-contract-insight-insufficient-declaration-shadowing-check.md) - [Attackathon \_ Fuel Network 32965 - \[Blockchain\_DLT - Critical\] Messages to L included even on revert](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32965-blockchain_dlt-critical-messages-to-l-included-even-on-reverts-allo.md) - [Attackathon \_ Fuel Network 32973 - \[Smart Contract - Medium\] Impl block dependency overwriting](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32973-smart-contract-medium-impl-block-dependency-overwriting.md) - [Attackathon \_ Fuel Network 32978 - \[Blockchain\_DLT - Insight\] isolating the node from the networkcau](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32978-blockchain_dlt-insight-isolating-the-node-from-the-networkcausing-o.md) - [Attackathon \_ Fuel Network 32979 - \[Smart Contract - Low\] operations with StorageVec incorrectly rev](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32979-smart-contract-low-operations-with-storagevec-incorrectly-revert-du.md) - [Attackathon \_ Fuel Network 32987 - \[Blockchain\_DLT - Insight\] Sending a message with ETH and data to](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32987-blockchain_dlt-insight-sending-a-message-with-eth-and-data-to-the-f.md) - [Attackathon \_ Fuel Network 33039 - \[Smart Contract - High\] The subtraction function is not correctly](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-33039-smart-contract-high-the-subtraction-function-is-not-correctly-imple.md) - [Attackathon \_ Fuel Network 33045 - \[Smart Contract - Low\] Compiler Dead Code Elimination inconsisten](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-33045-smart-contract-low-compiler-dead-code-elimination-inconsistently-re.md) - [Attackathon \_ Fuel Network 33101 - \[Smart Contract - Insight\] Associated functions that were impleme](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-33101-smart-contract-insight-associated-functions-that-were-implemented-f.md) - [Attackathon \_ Fuel Network 33139 - \[Smart Contract - Insight\] Unreachable panic in sway compiler whe](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-33139-smart-contract-insight-unreachable-panic-in-sway-compiler-when-pars.md) - [Attackathon \_ Fuel Network 33140 - \[Smart Contract - Insight\] Sway compiler crash when compile malic](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-33140-smart-contract-insight-sway-compiler-crash-when-compile-malicious-c.md) - [Attackathon \_ Fuel Network 33168 - \[Smart Contract - High\] Incorrect Sign Determination In Multiply](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-33168-smart-contract-high-incorrect-sign-determination-in-multiply-divide.md) - [Attackathon \_ Fuel Network 33170 - \[Smart Contract - Medium\] UFP Exp In Sway-lib Logic Vulnerability](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-33170-smart-contract-medium-ufp-exp-in-sway-lib-logic-vulnerability.md) - [Attackathon \_ Fuel Network 33171 - \[Smart Contract - Insight\] panic on unwrapping in decl\_to\_type\_in](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-33171-smart-contract-insight-panic-on-unwrapping-in-decl_to_type_info.md) - [Attackathon \_ Fuel Network 33172 - \[Smart Contract - Insight\] OOB in type\_check\_analyze of ImplTrait](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-33172-smart-contract-insight-oob-in-type_check_analyze-of-impltrait.md) - [Attackathon \_ Fuel Network 33175 - \[Smart Contract - High\] Sway-lib Subtract i Logic Vulnerability](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-33175-smart-contract-high-sway-lib-subtract-i-logic-vulnerability.md) - [Attackathon \_ Fuel Network 33181 - \[Smart Contract - Insight\] users messages might encode incorrect](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-33181-smart-contract-insight-users-messages-might-encode-incorrect-data-w.md) - [Attackathon \_ Fuel Network 33186 - \[Smart Contract - Medium\] \_compute\_bytecode\_root goes to an infin](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-33186-smart-contract-medium-_compute_bytecode_root-goes-to-an-infinite-lo.md) - [Attackathon \_ Fuel Network 33191 - \[Smart Contract - Insight\] Sway Formatting Behaves Differently Ba](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-33191-smart-contract-insight-sway-formatting-behaves-differently-based-on.md) - [Attackathon \_ Fuel Network 33193 - \[Blockchain\_DLT - Medium\] Fuel SDKs ABI Decoder Behaves Different](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-33193-blockchain_dlt-medium-fuel-sdks-abi-decoder-behaves-differently-bas.md) - [Attackathon \_ Fuel Network 33195 - \[Smart Contract - High\] Incorrect Calculations in Subtraction Fun](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-33195-smart-contract-high-incorrect-calculations-in-subtraction-functions.md) - [Attackathon \_ Fuel Network 33203 - \[Smart Contract - Insight\] function inlining doesnt consider asm](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-33203-smart-contract-insight-function-inlining-doesnt-consider-asm-blocks.md) - [Attackathon \_ Fuel Network 33207 - \[Smart Contract - Insight\] users created message when withdrawing](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-33207-smart-contract-insight-users-created-message-when-withdrawing-from.md) - [Attackathon \_ Fuel Network 33227 - \[Smart Contract - High\] Lack of overflow protection in the pow fu](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-33227-smart-contract-high-lack-of-overflow-protection-in-the-pow-function.md) - [Attackathon \_ Fuel Network 33233 - \[Smart Contract - Medium\] Incorrect Implementation of Unsigned -b](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-33233-smart-contract-medium-incorrect-implementation-of-unsigned-bit-fixe.md) - [Attackathon \_ Fuel Network 33239 - \[Smart Contract - Low\] Incorrect Implementation of IFP Min Functi](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-33239-smart-contract-low-incorrect-implementation-of-ifp-min-functions.md) - [Attackathon \_ Fuel Network 33240 - \[Smart Contract - Insight\] Incorrect Bitness in IFP Types](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-33240-smart-contract-insight-incorrect-bitness-in-ifp-types.md) - [Attackathon \_ Fuel Network 33242 - \[Smart Contract - High\] Incorrect Implementation of IFP Multiply](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-33242-smart-contract-high-incorrect-implementation-of-ifp-multiply-and-di.md) - [Attackathon \_ Fuel Network 33248 - \[Smart Contract - High\] Incorrect Implementation of IFP Floor and](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-33248-smart-contract-high-incorrect-implementation-of-ifp-floor-and-ceil.md) - [Attackathon \_ Fuel Network 33267 - \[Smart Contract - High\] Bug in Multiply and Divide function](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-33267-smart-contract-high-bug-in-multiply-and-divide-function.md) - [Attackathon \_ Fuel Network 33286 - \[Smart Contract - Insight\] panic on unwrapping in type\_check\_trai](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-33286-smart-contract-insight-panic-on-unwrapping-in-type_check_trait_impl.md) - [Attackathon \_ Fuel Network 33295 - \[Smart Contract - Low\] Bug in array decoding can lead to critical](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-33295-smart-contract-low-bug-in-array-decoding-can-lead-to-critical-secur.md) - [Attackathon \_ Fuel Network 33302 - \[Smart Contract - Medium\] Exp function does not work correctly](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-33302-smart-contract-medium-exp-function-does-not-work-correctly.md) - [Attackathon \_ Fuel Network 33303 - \[Smart Contract - Medium\] Incorrect sign change](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-33303-smart-contract-medium-incorrect-sign-change.md) - [Attackathon \_ Fuel Network 33331 - \[Smart Contract - High\] Overflow in Types Less Than u](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-33331-smart-contract-high-overflow-in-types-less-than-u.md) - [Attackathon \_ Fuel Network 33346 - \[Blockchain\_DLT - Low\] Incorrect error handling when executing bl](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-33346-blockchain_dlt-low-incorrect-error-handling-when-executing-block-ca.md) - [Attackathon \_ Fuel Network 33351 - \[Smart Contract - Critical\] ABI supertraits methods are available](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-33351-smart-contract-critical-abi-supertraits-methods-are-available-exter.md) - [Attackathon \_ Fuel Network 33360 - \[Blockchain\_DLT - Medium\] The typescript SDK has no awareness of](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-33360-blockchain_dlt-medium-the-typescript-sdk-has-no-awareness-of-to-be.md) - [Attackathon \_ Fuel Network 33401 - \[Smart Contract - Insight\] insight compiler crash - trait dummy m](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-33401-smart-contract-insight-insight-compiler-crash-trait-dummy-method-wa.md) - [Attackathon \_ Fuel Network 33407 - \[Smart Contract - Insight\] Missing Zero-Check for to Address in w](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-33407-smart-contract-insight-missing-zero-check-for-to-address-in-withdra.md) - [Attackathon \_ Fuel Network 33433 - \[Smart Contract - Low\] Self-append in Bytes data structure causes](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-33433-smart-contract-low-self-append-in-bytes-data-structure-causes-memor.md) - [Attackathon \_ Fuel Network 33444 - \[Smart Contract - Insight\] Sway compiler crash for access out-of-](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-33444-smart-contract-insight-sway-compiler-crash-for-access-out-of-bound.md) - [Attackathon \_ Fuel Network 33450 - \[Blockchain\_DLT - Insight\] fuel\_gas\_price\_algorithm AlgorithmV ma](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-33450-blockchain_dlt-insight-fuel_gas_price_algorithm-algorithmv-may-pani.md) - [Attackathon \_ Fuel Network 33451 - \[Smart Contract - Medium\] Incorrect code size estimation can bypa](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-33451-smart-contract-medium-incorrect-code-size-estimation-can-bypass-pro.md) - [Attackathon \_ Fuel Network 33487 - \[Smart Contract - Insight\] Flags Do Not Affect Types Less Than u](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-33487-smart-contract-insight-flags-do-not-affect-types-less-than-u.md) - [Attackathon \_ Fuel Network 33488 - \[Smart Contract - Medium\] Insecure implementation of StorageMap c](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-33488-smart-contract-medium-insecure-implementation-of-storagemap-could-l.md) - [Attackathon \_ Fuel Network 33519 - \[Smart Contract - Critical\] Silent Stack overflow on variables be](https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-33519-smart-contract-critical-silent-stack-overflow-on-variables-between.md) - [IDEX](https://reports.immunefi.com/idex.md) - [Boost \_ IDEX 34239 - \[Smart Contract - Insight\] Dont validate stale price in Pyth Network](https://reports.immunefi.com/idex/boost-_-idex-34239-smart-contract-insight-dont-validate-stale-price-in-pyth-network.md) - [Boost \_ IDEX 34428 - \[Smart Contract - Insight\] Incorrect Condition in validateExitQuoteQuantityAndC](https://reports.immunefi.com/idex/boost-_-idex-34428-smart-contract-insight-incorrect-condition-in-validateexitquotequantityandcoercei.md) - [Boost \_ IDEX 34437 - \[Smart Contract - Insight\] User positions could be unfairly liquidated due to s](https://reports.immunefi.com/idex/boost-_-idex-34437-smart-contract-insight-user-positions-could-be-unfairly-liquidated-due-to-stale-i.md) - [Boost \_ IDEX 34494 - \[Smart Contract - High\] Tokens deposit in ExchangeStargateVAdapterlzCompose is](https://reports.immunefi.com/idex/boost-_-idex-34494-smart-contract-high-tokens-deposit-in-exchangestargatevadapterlzcompose-is-not-pr.md) - [Boost \_ IDEX 34566 - \[Smart Contract - Insight\] Withdrawingsolwithdraw\_delegatecall - Its possible f](https://reports.immunefi.com/idex/boost-_-idex-34566-smart-contract-insight-withdrawingsolwithdraw_delegatecall-its-possible-for-users.md) - [Immunefi Arbitration](https://reports.immunefi.com/immunefi-arbitration.md) - [29318 - \[SC - Insight\] Timelock contract should use canExecuteTransact...](https://reports.immunefi.com/immunefi-arbitration/29318-sc-insight-timelock-contract-should-use-canexecutetransact....md) - [29341 - \[SC - Insight\] Unsafe Downcast vulnerability this can lead to ...](https://reports.immunefi.com/immunefi-arbitration/29341-sc-insight-unsafe-downcast-vulnerability-this-can-lead-to-....md) - [29347 - \[SC - Insight\] Chainlinks latestRoundData might return stale o...](https://reports.immunefi.com/immunefi-arbitration/29347-sc-insight-chainlinks-latestrounddata-might-return-stale-o....md) - [29348 - \[SC - Insight\] Token price returned by PriceConsumer may be in...](https://reports.immunefi.com/immunefi-arbitration/29348-sc-insight-token-price-returned-by-priceconsumer-may-be-in....md) - [29384 - \[SC - Insight\] Malicious project can remove the ImmunefiGuard ...](https://reports.immunefi.com/immunefi-arbitration/29384-sc-insight-malicious-project-can-remove-the-immunefiguard-....md) - [29432 - \[SC - Low\] Malicious project can grief reward payouts from...](https://reports.immunefi.com/immunefi-arbitration/29432-sc-low-malicious-project-can-grief-reward-payouts-from....md) - [29445 - \[SC - Insight\] latestRoundData Call May Result Stale](https://reports.immunefi.com/immunefi-arbitration/29445-sc-insight-latestrounddata-call-may-result-stale.md) - [29467 - \[SC - Low\] RewardTimelockexecuteRewardTransaction - L Inco...](https://reports.immunefi.com/immunefi-arbitration/29467-sc-low-rewardtimelockexecuterewardtransaction-l-inco....md) - [29483 - \[SC - Insight\] RewardTimelockcanExecuteTransaction - Reward tr...](https://reports.immunefi.com/immunefi-arbitration/29483-sc-insight-rewardtimelockcanexecutetransaction-reward-tr....md) - [29484 - \[SC - Insight\] Potential Loss of Precision in Conversion from ...](https://reports.immunefi.com/immunefi-arbitration/29484-sc-insight-potential-loss-of-precision-in-conversion-from-....md) - [29513 - \[SC - Insight\] Critical reentrancy vulnerability in executeRew...](https://reports.immunefi.com/immunefi-arbitration/29513-sc-insight-critical-reentrancy-vulnerability-in-executerew....md) - [29604 - \[SC - Insight\] VaultDelegatesendReward - Token fees not subtra...](https://reports.immunefi.com/immunefi-arbitration/29604-sc-insight-vaultdelegatesendreward-token-fees-not-subtra....md) - [29738 - \[SC - Low\] Missing Chainlink circuit breaker check allows ...](https://reports.immunefi.com/immunefi-arbitration/29738-sc-low-missing-chainlink-circuit-breaker-check-allows-....md) - [29744 - \[SC - Insight\] Projects can pay rewards at up to below market...](https://reports.immunefi.com/immunefi-arbitration/29744-sc-insight-projects-can-pay-rewards-at-up-to-below-market....md) - [29760 - \[SC - Insight\] Enforcing Multiple Rewards During Arbitration B...](https://reports.immunefi.com/immunefi-arbitration/29760-sc-insight-enforcing-multiple-rewards-during-arbitration-b....md) - [Lido: Mellow Vault](https://reports.immunefi.com/lido-mellow-vault.md) - [Boost \_ Lido\_ Mellow Vault 34756 - \[Smart Contract - Insight\] Missing calldata forwarding in Vaultde](https://reports.immunefi.com/lido-mellow-vault/boost-_-lido_-mellow-vault-34756-smart-contract-insight-missing-calldata-forwarding-in-vaultdeposit.md) - [Mitigation Audit | Folks Finance](https://reports.immunefi.com/mitigation-audit-or-folks-finance.md) - [Mitigation Audit \_ Folks Finance 34929 - \[Smart Contract - Critical\] Accounting Discrepancy in Fee R](https://reports.immunefi.com/mitigation-audit-or-folks-finance/mitigation-audit-_-folks-finance-34929-smart-contract-critical-accounting-discrepancy-in-fee-retenti.md) - [Mitigation Audit \_ Folks Finance 34942 - \[Smart Contract - Insight\] In function function getTwapPric](https://reports.immunefi.com/mitigation-audit-or-folks-finance/mitigation-audit-_-folks-finance-34942-smart-contract-insight-in-function-function-gettwapprice-if-l.md) - [Mitigation Audit \_ Folks Finance 35089 - \[Smart Contract - Insight\] Malicious actor can control inte](https://reports.immunefi.com/mitigation-audit-or-folks-finance/mitigation-audit-_-folks-finance-35089-smart-contract-insight-malicious-actor-can-control-interest-r.md) - [Puffer Finance](https://reports.immunefi.com/puffer-finance.md) - [28612 - \[SC - Insight\] EigenLayers share rate can be massively inflate...](https://reports.immunefi.com/puffer-finance/28612-sc-insight-eigenlayers-share-rate-can-be-massively-inflate....md) - [28613 - \[SC - Medium\] User will lose funds](https://reports.immunefi.com/puffer-finance/28613-sc-medium-user-will-lose-funds.md) - [28623 - \[SC - Low\] Timelock transaction that consume more then \_ g...](https://reports.immunefi.com/puffer-finance/28623-sc-low-timelock-transaction-that-consume-more-then-_-g....md) - [28625 - \[SC - Insight\] Gas griefing is possible on external call](https://reports.immunefi.com/puffer-finance/28625-sc-insight-gas-griefing-is-possible-on-external-call.md) - [28629 - \[SC - Insight\] Missing restricted modifier on claimWithdrawalF...](https://reports.immunefi.com/puffer-finance/28629-sc-insight-missing-restricted-modifier-on-claimwithdrawalf....md) - [28630 - \[SC - Insight\] Improper Validation for Partial Filling of INCH...](https://reports.immunefi.com/puffer-finance/28630-sc-insight-improper-validation-for-partial-filling-of-inch....md) - [28632 - \[SC - Insight\] Setting delay at MINIMUM\_DELAY in timelock fails](https://reports.immunefi.com/puffer-finance/28632-sc-insight-setting-delay-at-minimum_delay-in-timelock-fails.md) - [28645 - \[SC - Insight\] Attacker Prevents All Users From Withdrawing Fu...](https://reports.immunefi.com/puffer-finance/28645-sc-insight-attacker-prevents-all-users-from-withdrawing-fu....md) - [28646 - \[SC - Insight\] Resubmission with Pause Bypass Potential Exploi...](https://reports.immunefi.com/puffer-finance/28646-sc-insight-resubmission-with-pause-bypass-potential-exploi....md) - [28650 - \[SC - Insight\] Protocol Insolvency due to the over inflated ca...](https://reports.immunefi.com/puffer-finance/28650-sc-insight-protocol-insolvency-due-to-the-over-inflated-ca....md) - [28656 - \[SC - Insight\] Blocking redeemwithdraw from vault](https://reports.immunefi.com/puffer-finance/28656-sc-insight-blocking-redeemwithdraw-from-vault.md) - [28660 - \[SC - Insight\] pufETHsrcTimelock\_setDelay - L State constant M...](https://reports.immunefi.com/puffer-finance/28660-sc-insight-pufethsrctimelock_setdelay-l-state-constant-m....md) - [28663 - \[SC - Low\] Deposit of stETH fails due to LIDOs - wei corno...](https://reports.immunefi.com/puffer-finance/28663-sc-low-deposit-of-steth-fails-due-to-lidos-wei-corno....md) - [28665 - \[SC - Low\] Underflow risk in receive function due to discr...](https://reports.immunefi.com/puffer-finance/28665-sc-low-underflow-risk-in-receive-function-due-to-discr....md) - [28687 - \[SC - Low\] Timelocks executeTransaction incorrectly delete...](https://reports.immunefi.com/puffer-finance/28687-sc-low-timelocks-executetransaction-incorrectly-delete....md) - [28688 - \[SC - Insight\] Unhandled Failure of \_executeTransaction Call i...](https://reports.immunefi.com/puffer-finance/28688-sc-insight-unhandled-failure-of-_executetransaction-call-i....md) - [28689 - \[SC - Medium\] incorrect lidoLockedETH value can block full re...](https://reports.immunefi.com/puffer-finance/28689-sc-medium-incorrect-lidolockedeth-value-can-block-full-re....md) - [28695 - \[SC - Insight\] pufETHsrcTimelockexecuteTransaction - L The tim...](https://reports.immunefi.com/puffer-finance/28695-sc-insight-pufethsrctimelockexecutetransaction-l-the-tim....md) - [28698 - \[SC - Insight\] User can frontrun claim transaction to make cla...](https://reports.immunefi.com/puffer-finance/28698-sc-insight-user-can-frontrun-claim-transaction-to-make-cla....md) - [28702 - \[SC - Insight\] Malicious users can frontrun permits to DoS swaps](https://reports.immunefi.com/puffer-finance/28702-sc-insight-malicious-users-can-frontrun-permits-to-dos-swaps.md) - [28729 - \[SC - Insight\] MINIMUM\_DELAY uses incorrect value of days ins...](https://reports.immunefi.com/puffer-finance/28729-sc-insight-minimum_delay-uses-incorrect-value-of-days-ins....md) - [28732 - \[SC - Insight\] External Call from Eigen Layer can fail silentl...](https://reports.immunefi.com/puffer-finance/28732-sc-insight-external-call-from-eigen-layer-can-fail-silentl....md) - [28773 - \[SC - Insight\] The function claimWithdrawalFromEigenLayer can ...](https://reports.immunefi.com/puffer-finance/28773-sc-insight-the-function-claimwithdrawalfromeigenlayer-can-....md) - [28775 - \[SC - Insight\] pufETHsrcTimelocksolexecuteTransaction - This b...](https://reports.immunefi.com/puffer-finance/28775-sc-insight-pufethsrctimelocksolexecutetransaction-this-b....md) - [28777 - \[SC - Low\] pufETHsrcTimelocksolexecuteTransaction - This b...](https://reports.immunefi.com/puffer-finance/28777-sc-low-pufethsrctimelocksolexecutetransaction-this-b....md) - [28779 - \[SC - Insight\] Missing sender address check in receive may lea...](https://reports.immunefi.com/puffer-finance/28779-sc-insight-missing-sender-address-check-in-receive-may-lea....md) - [28788 - \[SC - Critical\] Slash during a withdrawal from EigenLayer will ...](https://reports.immunefi.com/puffer-finance/28788-sc-critical-slash-during-a-withdrawal-from-eigenlayer-will-....md) - [28789 - \[SC - Low\] Return value of call is not checked causing fai...](https://reports.immunefi.com/puffer-finance/28789-sc-low-return-value-of-call-is-not-checked-causing-fai....md) - [28792 - \[SC - Low\] Return value of low level isnt checked executio...](https://reports.immunefi.com/puffer-finance/28792-sc-low-return-value-of-low-level-isnt-checked-executio....md) - [28796 - \[SC - Low\] The PufferVaultgetPendingLidoETHAmount will ret...](https://reports.immunefi.com/puffer-finance/28796-sc-low-the-puffervaultgetpendinglidoethamount-will-ret....md) - [28813 - \[SC - Insight\] PufferVaultclaimWithdrawalFromLido according to...](https://reports.immunefi.com/puffer-finance/28813-sc-insight-puffervaultclaimwithdrawalfromlido-according-to....md) - [28827 - \[SC - Insight\] Multi requestid claims can trigger DOS](https://reports.immunefi.com/puffer-finance/28827-sc-insight-multi-requestid-claims-can-trigger-dos.md) - [28833 - \[SC - Insight\] Missing slippage protection in functions deposi...](https://reports.immunefi.com/puffer-finance/28833-sc-insight-missing-slippage-protection-in-functions-deposi....md) - [28852 - \[SC - Insight\] Reverting permit transactions caught in the cat...](https://reports.immunefi.com/puffer-finance/28852-sc-insight-reverting-permit-transactions-caught-in-the-cat....md) - [28921 - \[SC - Medium\] Possibly protocol insolvency during a LIDO slas...](https://reports.immunefi.com/puffer-finance/28921-sc-medium-possibly-protocol-insolvency-during-a-lido-slas....md) - [28934 - \[SC - Insight\] TimelockcancelTransaction does not check asser...](https://reports.immunefi.com/puffer-finance/28934-sc-insight-timelockcanceltransaction-does-not-check-asser....md) - [28942 - \[SC - Insight\] Self Destruction of inchRouter can lead to loss...](https://reports.immunefi.com/puffer-finance/28942-sc-insight-self-destruction-of-inchrouter-can-lead-to-loss....md) - [28946 - \[SC - Low\] The assets accounting of the vault can become o...](https://reports.immunefi.com/puffer-finance/28946-sc-low-the-assets-accounting-of-the-vault-can-become-o....md) - [28947 - \[SC - Insight\] Info](https://reports.immunefi.com/puffer-finance/28947-sc-insight-info.md) - [28964 - \[SC - Insight\] Claiming withdrawals from Lido can lead to unbo...](https://reports.immunefi.com/puffer-finance/28964-sc-insight-claiming-withdrawals-from-lido-can-lead-to-unbo....md) - [28971 - \[SC - Low\] Double spending or double execution of transact...](https://reports.immunefi.com/puffer-finance/28971-sc-low-double-spending-or-double-execution-of-transact....md) - [28991 - \[SC - Insight\] Contract uint delay variable cannot be set to i...](https://reports.immunefi.com/puffer-finance/28991-sc-insight-contract-uint-delay-variable-cannot-be-set-to-i....md) - [29006 - \[SC - Medium\] Lack of Success check of the Timelock executeT...](https://reports.immunefi.com/puffer-finance/29006-sc-medium-lack-of-success-check-of-the-timelock-executet....md) - [29015 - \[SC - Low\] Boolean return value of addresscall function no...](https://reports.immunefi.com/puffer-finance/29015-sc-low-boolean-return-value-of-addresscall-function-no....md) - [29017 - \[SC - Insight\] Timelock is not capable of performing payable t...](https://reports.immunefi.com/puffer-finance/29017-sc-insight-timelock-is-not-capable-of-performing-payable-t....md) - [29033 - \[SC - High\] Queued data will be lost if Tx is unsuccessful ...](https://reports.immunefi.com/puffer-finance/29033-sc-high-queued-data-will-be-lost-if-tx-is-unsuccessful-....md) - [29054 - \[SC - Medium\] Lido discounted withdrawals are not accounted for](https://reports.immunefi.com/puffer-finance/29054-sc-medium-lido-discounted-withdrawals-are-not-accounted-for.md) - [29060 - \[SC - Medium\] initiateETHWithdrawalsFromLido decreases totalA...](https://reports.immunefi.com/puffer-finance/29060-sc-medium-initiateethwithdrawalsfromlido-decreases-totala....md) - [29067 - \[SC - Low\] Puffer Finance Missing Verification of Externa...](https://reports.immunefi.com/puffer-finance/29067-sc-low-puffer-finance-missing-verification-of-externa....md) - [29073 - \[SC - Insight\] excuteTransaction in timelock contract will una...](https://reports.immunefi.com/puffer-finance/29073-sc-insight-excutetransaction-in-timelock-contract-will-una....md) - [29080 - \[SC - Insight\] Uninitialized uups upgradeable can lead to loss...](https://reports.immunefi.com/puffer-finance/29080-sc-insight-uninitialized-uups-upgradeable-can-lead-to-loss....md) - [29081 - \[SC - Insight\] No constructor should be used to set in upgrade...](https://reports.immunefi.com/puffer-finance/29081-sc-insight-no-constructor-should-be-used-to-set-in-upgrade....md) - [29082 - \[SC - Insight\] Restricted modifier should not be used with int...](https://reports.immunefi.com/puffer-finance/29082-sc-insight-restricted-modifier-should-not-be-used-with-int....md) - [29099 - \[SC - Insight\] Actual amount of stETH deposited is less than t...](https://reports.immunefi.com/puffer-finance/29099-sc-insight-actual-amount-of-steth-deposited-is-less-than-t....md) - [29106 - \[SC - High\] Insufficient Handling of Partial Failures in Wi...](https://reports.immunefi.com/puffer-finance/29106-sc-high-insufficient-handling-of-partial-failures-in-wi....md) - [29110 - \[SC - Insight\] Insecure Token Allowance Management in PufferDe...](https://reports.immunefi.com/puffer-finance/29110-sc-insight-insecure-token-allowance-management-in-pufferde....md) - [29111 - \[SC - Insight\] Silent Failure of ERC Permit Calls in PufferDep...](https://reports.immunefi.com/puffer-finance/29111-sc-insight-silent-failure-of-erc-permit-calls-in-pufferdep....md) - [29116 - \[SC - Low\] Using deposit results in more shares for the sa...](https://reports.immunefi.com/puffer-finance/29116-sc-low-using-deposit-results-in-more-shares-for-the-sa....md) - [Shardeum Ancillaries](https://reports.immunefi.com/shardeum-ancillaries.md) - [Boost \_ Shardeum\_ Ancillaries 33040 - \[Websites and Applications - Low\] API CSRF protection bypass l](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-33040-websites-and-applications-low-api-csrf-protection-bypass-leading.md) - [Boost \_ Shardeum\_ Ancillaries 33392 - \[Websites and Applications - Insight\] Validator GUI password b](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-33392-websites-and-applications-insight-validator-gui-password-brutefo.md) - [Boost \_ Shardeum\_ Ancillaries 33490 - \[Websites and Applications - Insight\] Abusing blacklist functi](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-33490-websites-and-applications-insight-abusing-blacklist-functionalit.md) - [Boost \_ Shardeum\_ Ancillaries 33522 - \[Websites and Applications - Insight\] Exposed Redis Service Vu](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-33522-websites-and-applications-insight-exposed-redis-service-vulnerab.md) - [Boost \_ Shardeum\_ Ancillaries 33558 - \[Websites and Applications - Insight\] In some instances the so](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-33558-websites-and-applications-insight-in-some-instances-the-socket-c.md) - [Boost \_ Shardeum\_ Ancillaries 33571 - \[Websites and Applications - Medium\] Taking down the websocket](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-33571-websites-and-applications-medium-taking-down-the-websocket-serve.md) - [Boost \_ Shardeum\_ Ancillaries 33577 - \[Websites and Applications - Insight\] Taking down the HTTP ser](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-33577-websites-and-applications-insight-taking-down-the-http-server-vi.md) - [Boost \_ Shardeum\_ Ancillaries 33692 - \[Websites and Applications - Low\] Reflected XSS in validator n](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-33692-websites-and-applications-low-reflected-xss-in-validator-node-en.md) - [Boost \_ Shardeum\_ Ancillaries 33809 - \[Websites and Applications - Insight\] Blocking the user from i](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-33809-websites-and-applications-insight-blocking-the-user-from-interac.md) - [Boost \_ Shardeum\_ Ancillaries 34298 - \[Websites and Applications - Medium\] archive-server can be kil](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-34298-websites-and-applications-medium-archive-server-can-be-killed-by.md) - [Boost \_ Shardeum\_ Ancillaries 34367 - \[Websites and Applications - Low\] CSRF vulnerability due to mi](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-34367-websites-and-applications-low-csrf-vulnerability-due-to-missing.md) - [Boost \_ Shardeum\_ Ancillaries 34392 - \[Websites and Applications - Medium\] JSON-RPC Complete Passwor](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-34392-websites-and-applications-medium-json-rpc-complete-password-reco.md) - [Boost \_ Shardeum\_ Ancillaries 34473 - \[Websites and Applications - Low\] Insight XSS in json rpc serv](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-34473-websites-and-applications-low-insight-xss-in-json-rpc-server-wit.md) - [Boost \_ Shardeum\_ Ancillaries 34474 - \[Websites and Applications - Insight\] SQL injection in json-rp](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-34474-websites-and-applications-insight-sql-injection-in-json-rpc-serv.md) - [Boost \_ Shardeum\_ Ancillaries 34475 - \[Websites and Applications - Low\] CSRF in Json RPC Server allo](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-34475-websites-and-applications-low-csrf-in-json-rpc-server-allows-req.md) - [Boost \_ Shardeum\_ Ancillaries 34492 - \[Websites and Applications - Insight\] DoS via unbounded tx id](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-34492-websites-and-applications-insight-dos-via-unbounded-tx-id-list-p.md) - [Boost \_ Shardeum\_ Ancillaries 34508 - \[Websites and Applications - Critical\] Malicious archiver can](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-34508-websites-and-applications-critical-malicious-archiver-can-overwt.md) - [Shardeum Core](https://reports.immunefi.com/shardeum-core.md) - [32942 - \[BC - Low\] The ChainID and URL parameters that can modify ...](https://reports.immunefi.com/shardeum-core/32942-bc-low-the-chainid-and-url-parameters-that-can-modify-....md) - [32982 - \[BC - Critical\] Crashing all Validators Vulnerability in eth\_g...](https://reports.immunefi.com/shardeum-core/32982-bc-critical-crashing-all-validators-vulnerability-in-eth_g....md) - [32993 - \[BC - Critical\] Crashing Validators by triggering an uncaught e...](https://reports.immunefi.com/shardeum-core/32993-bc-critical-crashing-validators-by-triggering-an-uncaught-e....md) - [33044 - \[BC - Medium\] Preventing the network from loading by disconne...](https://reports.immunefi.com/shardeum-core/33044-bc-medium-preventing-the-network-from-loading-by-disconne....md) - [33086 - \[BC - Critical\] Complete shutdown of the transaction processing...](https://reports.immunefi.com/shardeum-core/33086-bc-critical-complete-shutdown-of-the-transaction-processing....md) - [33151 - \[BC - Critical\] Front running initial account data distribution](https://reports.immunefi.com/shardeum-core/33151-bc-critical-front-running-initial-account-data-distribution.md) - [33222 - \[BC - Critical\] An attacker can control which nodes can and can...](https://reports.immunefi.com/shardeum-core/33222-bc-critical-an-attacker-can-control-which-nodes-can-and-can....md) - [33254 - \[BC - Medium\] The signature used to Gossip an UnjoinRequest h...](https://reports.immunefi.com/shardeum-core/33254-bc-medium-the-signature-used-to-gossip-an-unjoinrequest-h....md) - [33277 - \[BC - Critical\] Validators can be crashed via GET](https://reports.immunefi.com/shardeum-core/33277-bc-critical-validators-can-be-crashed-via-get.md) - [33278 - \[BC - Critical\] Improper input validation leads to DOS and tota...](https://reports.immunefi.com/shardeum-core/33278-bc-critical-improper-input-validation-leads-to-dos-and-tota....md) - [33395 - \[BC - Insight\] DoS attack on peer nodes through gossip-valid-j...](https://reports.immunefi.com/shardeum-core/33395-bc-insight-dos-attack-on-peer-nodes-through-gossip-valid-j....md) - [33424 - \[BC - Critical\] Improper input validation in safeJsonParse lead...](https://reports.immunefi.com/shardeum-core/33424-bc-critical-improper-input-validation-in-safejsonparse-lead....md) - [33428 - \[BC - Critical\] Validators can be crashed via pp](https://reports.immunefi.com/shardeum-core/33428-bc-critical-validators-can-be-crashed-via-pp.md) - [33473 - \[BC - High\] Cross-chain replay attacks are possible due to ...](https://reports.immunefi.com/shardeum-core/33473-bc-high-cross-chain-replay-attacks-are-possible-due-to-....md) - [33483 - \[BC - Critical\] shardeum validator bypass loop breaking increme...](https://reports.immunefi.com/shardeum-core/33483-bc-critical-shardeum-validator-bypass-loop-breaking-increme....md) - [33520 - \[BC - Insight\] Inconsistent consensus issue for BlakeF precomp...](https://reports.immunefi.com/shardeum-core/33520-bc-insight-inconsistent-consensus-issue-for-blakef-precomp....md) - [33576 - \[BC - High\] Lack of deduplication in joinarchiver requests ...](https://reports.immunefi.com/shardeum-core/33576-bc-high-lack-of-deduplication-in-joinarchiver-requests-....md) - [33632 - \[BC - Critical\] Signature forgery on behalf of other nodes lead...](https://reports.immunefi.com/shardeum-core/33632-bc-critical-signature-forgery-on-behalf-of-other-nodes-lead....md) - [33637 - \[BC - Critical\] In get\_tx\_timestamp a prototype pollution bri...](https://reports.immunefi.com/shardeum-core/33637-bc-critical-in-get_tx_timestamp-a-prototype-pollution-bri....md) - [33638 - \[BC - Critical\] In remove\_timestamp\_cache a prototype polluti...](https://reports.immunefi.com/shardeum-core/33638-bc-critical-in-remove_timestamp_cache-a-prototype-polluti....md) - [33655 - \[BC - Critical\] Complete shutdown of the transaction processing...](https://reports.immunefi.com/shardeum-core/33655-bc-critical-complete-shutdown-of-the-transaction-processing....md) - [33696 - \[BC - Critical\] Failure to validate golden ticket admin cert](https://reports.immunefi.com/shardeum-core/33696-bc-critical-failure-to-validate-golden-ticket-admin-cert.md) - [33735 - \[BC - Insight\] Network split due to the sync issue in PP modul...](https://reports.immunefi.com/shardeum-core/33735-bc-insight-network-split-due-to-the-sync-issue-in-pp-modul....md) - [33745 - \[BC - Critical\] A math quirk in Javascript allows anyone to tak...](https://reports.immunefi.com/shardeum-core/33745-bc-critical-a-math-quirk-in-javascript-allows-anyone-to-tak....md) - [33750 - \[BC - Critical\] Abusing setCertTime Transactions to drain node ...](https://reports.immunefi.com/shardeum-core/33750-bc-critical-abusing-setcerttime-transactions-to-drain-node-....md) - [33766 - \[BC - Critical\] Improper input validation in TransactionConsenu...](https://reports.immunefi.com/shardeum-core/33766-bc-critical-improper-input-validation-in-transactionconsenu....md) - [33813 - \[BC - Insight\] Double slashing of validators](https://reports.immunefi.com/shardeum-core/33813-bc-insight-double-slashing-of-validators.md) - [33848 - \[BC - High\] For the first cycles of the network a maliciou...](https://reports.immunefi.com/shardeum-core/33848-bc-high-for-the-first-cycles-of-the-network-a-maliciou....md) - [33872 - \[BC - Critical\] Infinite loop in shardeum](https://reports.immunefi.com/shardeum-core/33872-bc-critical-infinite-loop-in-shardeum.md) - [33922 - \[BC - Critical\] Steal Rewards and Take over Network by Faking A...](https://reports.immunefi.com/shardeum-core/33922-bc-critical-steal-rewards-and-take-over-network-by-faking-a....md) - [33925 - \[BC - Critical\] Improper input validation in fixDeserializedWra...](https://reports.immunefi.com/shardeum-core/33925-bc-critical-improper-input-validation-in-fixdeserializedwra....md) - [33941 - \[BC - Critical\] A missing check for the type of a variable allo...](https://reports.immunefi.com/shardeum-core/33941-bc-critical-a-missing-check-for-the-type-of-a-variable-allo....md) - [33946 - \[BC - Critical\] Lack of voter deduplication in sync\_trie\_hashes...](https://reports.immunefi.com/shardeum-core/33946-bc-critical-lack-of-voter-deduplication-in-sync_trie_hashes....md) - [33963 - \[BC - Critical\] Crashing the network by filling timestamp cache...](https://reports.immunefi.com/shardeum-core/33963-bc-critical-crashing-the-network-by-filling-timestamp-cache....md) - [33972 - \[BC - Critical\] Inflating the votes of the hash for a malicious...](https://reports.immunefi.com/shardeum-core/33972-bc-critical-inflating-the-votes-of-the-hash-for-a-malicious....md) - [34012 - \[BC - Critical\] Improper input validation in repair\_oos\_account...](https://reports.immunefi.com/shardeum-core/34012-bc-critical-improper-input-validation-in-repair_oos_account....md) - [34019 - \[BC - Critical\] Lack of vote validation in sync\_trie\_hashes lea...](https://reports.immunefi.com/shardeum-core/34019-bc-critical-lack-of-vote-validation-in-sync_trie_hashes-lea....md) - [34020 - \[BC - Critical\] An alternative entry point with a separated but...](https://reports.immunefi.com/shardeum-core/34020-bc-critical-an-alternative-entry-point-with-a-separated-but....md) - [34053 - \[BC - Critical\] Malicious HTTP responses allow systemic applica...](https://reports.immunefi.com/shardeum-core/34053-bc-critical-malicious-http-responses-allow-systemic-applica....md) - [34093 - \[BC - Critical\] lib-net can be used to force oom reap of shardu...](https://reports.immunefi.com/shardeum-core/34093-bc-critical-lib-net-can-be-used-to-force-oom-reap-of-shardu....md) - [34201 - \[BC - Critical\] Prototype pollution vulnerability in remove\_tim...](https://reports.immunefi.com/shardeum-core/34201-bc-critical-prototype-pollution-vulnerability-in-remove_tim....md) - [34252 - \[BC - Critical\] Bypass Certificate Signing Validation](https://reports.immunefi.com/shardeum-core/34252-bc-critical-bypass-certificate-signing-validation.md) - [34349 - \[BC - High\] Archiver Join Limit Logic Error](https://reports.immunefi.com/shardeum-core/34349-bc-high-archiver-join-limit-logic-error.md) - [34353 - \[BC - Critical\] Killing nodes by polluting tx timestamp cache o...](https://reports.immunefi.com/shardeum-core/34353-bc-critical-killing-nodes-by-polluting-tx-timestamp-cache-o....md) - [34364 - \[BC - Insight\] pp deserialization denial of service issue](https://reports.immunefi.com/shardeum-core/34364-bc-insight-pp-deserialization-denial-of-service-issue.md) - [34422 - \[BC - High\] Forcing the new POQo system to fail preventing ...](https://reports.immunefi.com/shardeum-core/34422-bc-high-forcing-the-new-poqo-system-to-fail-preventing-....md) - [34456 - \[BC - Critical\] Lack of consensus validation in repair\_oos\_acco...](https://reports.immunefi.com/shardeum-core/34456-bc-critical-lack-of-consensus-validation-in-repair_oos_acco....md) - [34476 - \[BC - Critical\] remove\_timestamp\_cache prototype pollution lead...](https://reports.immunefi.com/shardeum-core/34476-bc-critical-remove_timestamp_cache-prototype-pollution-lead....md) - [34481 - \[BC - Critical\] Bypassing sender verification in gossip-final-s...](https://reports.immunefi.com/shardeum-core/34481-bc-critical-bypassing-sender-verification-in-gossip-final-s....md) - [34484 - \[BC - Critical\] Tricking legit node to signed maliciously contr...](https://reports.immunefi.com/shardeum-core/34484-bc-critical-tricking-legit-node-to-signed-maliciously-contr....md) - [34489 - \[BC - Insight\] ActivetsValidateRecordTypes do not check all th...](https://reports.immunefi.com/shardeum-core/34489-bc-insight-activetsvalidaterecordtypes-do-not-check-all-th....md) - [34500 - \[BC - Critical\] Prototype pollution vulnerability in get\_tx\_tim...](https://reports.immunefi.com/shardeum-core/34500-bc-critical-prototype-pollution-vulnerability-in-get_tx_tim....md) - [ThunderNFT | IOP](https://reports.immunefi.com/thundernft-or-iop.md) - [IOP \_ ThunderNFT 34455 - \[Smart Contract - Low\] Double Token Vulnerability leads to drain funds](https://reports.immunefi.com/thundernft-or-iop/iop-_-thundernft-34455-smart-contract-low-double-token-vulnerability-leads-to-drain-funds.md) - [IOP \_ ThunderNFT 34496 - \[Smart Contract - High\] Users cant withdraw their funds for removed assets](https://reports.immunefi.com/thundernft-or-iop/iop-_-thundernft-34496-smart-contract-high-users-cant-withdraw-their-funds-for-removed-assets.md) - [IOP \_ ThunderNFT 34519 - \[Smart Contract - High\] users cant withdraw their tokens when specific asse](https://reports.immunefi.com/thundernft-or-iop/iop-_-thundernft-34519-smart-contract-high-users-cant-withdraw-their-tokens-when-specific-asset-remo.md) - [IOP \_ ThunderNFT 34522 - \[Smart Contract - Low\] Self-transfer would inflate the balance](https://reports.immunefi.com/thundernft-or-iop/iop-_-thundernft-34522-smart-contract-low-self-transfer-would-inflate-the-balance.md) - [IOP \_ ThunderNFT 34534 - \[Smart Contract - Critical\] Maker will always only get token even if specif](https://reports.immunefi.com/thundernft-or-iop/iop-_-thundernft-34534-smart-contract-critical-maker-will-always-only-get-token-even-if-specifying-a.md) - [IOP \_ ThunderNFT 34542 - \[Smart Contract - Insight\] Not Handling Balance Entries Properly in the Wit](https://reports.immunefi.com/thundernft-or-iop/iop-_-thundernft-34542-smart-contract-insight-not-handling-balance-entries-properly-in-the-withdraw.md) - [IOP \_ ThunderNFT 34545 - \[Smart Contract - Low\] Smart contract can be taken over by malicious user b](https://reports.immunefi.com/thundernft-or-iop/iop-_-thundernft-34545-smart-contract-low-smart-contract-can-be-taken-over-by-malicious-user-by-back.md) - [IOP \_ ThunderNFT 34560 - \[Smart Contract - Critical\] Updating sell-maker-orders does not provide ref](https://reports.immunefi.com/thundernft-or-iop/iop-_-thundernft-34560-smart-contract-critical-updating-sell-maker-orders-does-not-provide-refunds.md) - [IOP \_ ThunderNFT 34565 - \[Smart Contract - High\] Selling maker cant cancel to retrieve his funds whe](https://reports.immunefi.com/thundernft-or-iop/iop-_-thundernft-34565-smart-contract-high-selling-maker-cant-cancel-to-retrieve-his-funds-when-stra.md) - [IOP \_ ThunderNFT 34567 - \[Smart Contract - Medium\] users with current bid order can not update their](https://reports.immunefi.com/thundernft-or-iop/iop-_-thundernft-34567-smart-contract-medium-users-with-current-bid-order-can-not-update-their-order.md) - [IOP \_ ThunderNFT 34578 - \[Smart Contract - Insight\] unds Not Locked During Order Placement](https://reports.immunefi.com/thundernft-or-iop/iop-_-thundernft-34578-smart-contract-insight-unds-not-locked-during-order-placement.md) - [IOP \_ ThunderNFT 34585 - \[Smart Contract - High\] Permanent freezing of NFTS that seller deposit into](https://reports.immunefi.com/thundernft-or-iop/iop-_-thundernft-34585-smart-contract-high-permanent-freezing-of-nfts-that-seller-deposit-into-thund.md) - [IOP \_ ThunderNFT 34587 - \[Smart Contract - High\] Users might temporarily get their funds locked in P](https://reports.immunefi.com/thundernft-or-iop/iop-_-thundernft-34587-smart-contract-high-users-might-temporarily-get-their-funds-locked-in-pool-co.md) - [IOP \_ ThunderNFT 34605 - \[Smart Contract - Critical\] ERC tokens can be stolen because the amount is](https://reports.immunefi.com/thundernft-or-iop/iop-_-thundernft-34605-smart-contract-critical-erc-tokens-can-be-stolen-because-the-amount-is-not-va.md) - [IOP \_ ThunderNFT 34629 - \[Smart Contract - Critical\] Theft of Deposited Funds](https://reports.immunefi.com/thundernft-or-iop/iop-_-thundernft-34629-smart-contract-critical-theft-of-deposited-funds.md) - [IOP \_ ThunderNFT 34630 - \[Smart Contract - Critical\] Incorrect Token Sale Amount](https://reports.immunefi.com/thundernft-or-iop/iop-_-thundernft-34630-smart-contract-critical-incorrect-token-sale-amount.md) - [IOP \_ ThunderNFT 34636 - \[Smart Contract - Critical\] The amount is set to when creating the Executio](https://reports.immunefi.com/thundernft-or-iop/iop-_-thundernft-34636-smart-contract-critical-the-amount-is-set-to-when-creating-the-executionresul.md) - [IOP \_ ThunderNFT 34642 - \[Smart Contract - High\] strategy de-listing causes sellers NFTs locked on T](https://reports.immunefi.com/thundernft-or-iop/iop-_-thundernft-34642-smart-contract-high-strategy-de-listing-causes-sellers-nfts-locked-on-thunder.md) - [IOP \_ ThunderNFT 34659 - \[Smart Contract - Low\] Pool Balance Inflation](https://reports.immunefi.com/thundernft-or-iop/iop-_-thundernft-34659-smart-contract-low-pool-balance-inflation.md) - [IOP \_ ThunderNFT 34677 - \[Smart Contract - Insight\] NFTs can not be canceled since the cancel\_order](https://reports.immunefi.com/thundernft-or-iop/iop-_-thundernft-34677-smart-contract-insight-nfts-can-not-be-canceled-since-the-cancel_order-functi.md) - [IOP \_ ThunderNFT 34702 - \[Smart Contract - Low\] the function register\_royalty\_info does not allow to](https://reports.immunefi.com/thundernft-or-iop/iop-_-thundernft-34702-smart-contract-low-the-function-register_royalty_info-does-not-allow-to-be-ca.md) - [IOP \_ ThunderNFT 34714 - \[Smart Contract - Medium\] owner of NFT who have sell orderlisting NFT can n](https://reports.immunefi.com/thundernft-or-iop/iop-_-thundernft-34714-smart-contract-medium-owner-of-nft-who-have-sell-orderlisting-nft-can-not-acc.md) - [IOP \_ ThunderNFT 34736 - \[Smart Contract - Critical\] ERC tokens are stuck on the contract if more th](https://reports.immunefi.com/thundernft-or-iop/iop-_-thundernft-34736-smart-contract-critical-erc-tokens-are-stuck-on-the-contract-if-more-than-sup.md) - [IOP \_ ThunderNFT 34760 - \[Smart Contract - Low\] Off-by-one error in get\_supported\_asset](https://reports.immunefi.com/thundernft-or-iop/iop-_-thundernft-34760-smart-contract-low-off-by-one-error-in-get_supported_asset.md) - [IOP \_ ThunderNFT 34761 - \[Smart Contract - Low\] Off-by-one error in get\_whitelisted\_strategy](https://reports.immunefi.com/thundernft-or-iop/iop-_-thundernft-34761-smart-contract-low-off-by-one-error-in-get_whitelisted_strategy.md) - [IOP \_ ThunderNFT 34791 - \[Smart Contract - Low\] Incompatibility with SRC might lead to inability of](https://reports.immunefi.com/thundernft-or-iop/iop-_-thundernft-34791-smart-contract-low-incompatibility-with-src-might-lead-to-inability-of-royalt.md) - [IOP \_ ThunderNFT 34800 - \[Smart Contract - Critical\] Improper input validation in order update funct](https://reports.immunefi.com/thundernft-or-iop/iop-_-thundernft-34800-smart-contract-critical-improper-input-validation-in-order-update-function-le.md) - [IOP \_ ThunderNFT 34816 - \[Smart Contract - High\] users cant call update\_order to update the strategy](https://reports.immunefi.com/thundernft-or-iop/iop-_-thundernft-34816-smart-contract-high-users-cant-call-update_order-to-update-the-strategy-which.md) - [IOP \_ ThunderNFT 34839 - \[Smart Contract - Low\] Royalty Fee limit is not enforced for registered col](https://reports.immunefi.com/thundernft-or-iop/iop-_-thundernft-34839-smart-contract-low-royalty-fee-limit-is-not-enforced-for-registered-collectio.md) - [IOP \_ ThunderNFT 34848 - \[Smart Contract - Low\] Incorrect verification of deposit asset leads to cre](https://reports.immunefi.com/thundernft-or-iop/iop-_-thundernft-34848-smart-contract-low-incorrect-verification-of-deposit-asset-leads-to-creation.md) - [IOP \_ ThunderNFT 34906 - \[Smart Contract - Low\] Existing Sell order can be executed despite payment](https://reports.immunefi.com/thundernft-or-iop/iop-_-thundernft-34906-smart-contract-low-existing-sell-order-can-be-executed-despite-payment-asset.md) - [IOP \_ ThunderNFT 34930 - \[Smart Contract - Critical\] User can only trade token when ERC is used](https://reports.immunefi.com/thundernft-or-iop/iop-_-thundernft-34930-smart-contract-critical-user-can-only-trade-token-when-erc-is-used.md) - [IOP \_ ThunderNFT 34934 - \[Smart Contract - Critical\] thunder\_exchangeupdate\_order can be abused to s](https://reports.immunefi.com/thundernft-or-iop/iop-_-thundernft-34934-smart-contract-critical-thunder_exchangeupdate_order-can-be-abused-to-steal-e.md) - [IOP \_ ThunderNFT 34943 - \[Smart Contract - High\] User cant withdraw asset from pool after asset\_mana](https://reports.immunefi.com/thundernft-or-iop/iop-_-thundernft-34943-smart-contract-high-user-cant-withdraw-asset-from-pool-after-asset_managerrem.md) - [IOP \_ ThunderNFT 34949 - \[Smart Contract - Critical\] Missing proper validation when updating order](https://reports.immunefi.com/thundernft-or-iop/iop-_-thundernft-34949-smart-contract-critical-missing-proper-validation-when-updating-order.md) - [IOP \_ ThunderNFT 34955 - \[Smart Contract - Critical\] Nfts of type may be stolen by updating an order](https://reports.immunefi.com/thundernft-or-iop/iop-_-thundernft-34955-smart-contract-critical-nfts-of-type-may-be-stolen-by-updating-an-orders-amou.md) - [IOP \_ ThunderNFT 34957 - \[Smart Contract - Critical\] executionResults always returns an amount of le](https://reports.immunefi.com/thundernft-or-iop/iop-_-thundernft-34957-smart-contract-critical-executionresults-always-returns-an-amount-of-leading.md) - [IOP \_ ThunderNFT 34958 - \[Smart Contract - Critical\] Incorrect Setting of Amount in ExecutionResult](https://reports.immunefi.com/thundernft-or-iop/iop-_-thundernft-34958-smart-contract-critical-incorrect-setting-of-amount-in-executionresult.md) - [IOP \_ ThunderNFT 34962 - \[Smart Contract - Low\] tranfer\_from function have critical issue which lead](https://reports.immunefi.com/thundernft-or-iop/iop-_-thundernft-34962-smart-contract-low-tranfer_from-function-have-critical-issue-which-lead-to-do.md) - [IOP \_ ThunderNFT 34963 - \[Smart Contract - Insight\] Invalid orders persist in storage maps with no i](https://reports.immunefi.com/thundernft-or-iop/iop-_-thundernft-34963-smart-contract-insight-invalid-orders-persist-in-storage-maps-with-no-indicat.md) - [IOP \_ ThunderNFT 34964 - \[Smart Contract - Low\] Faulty Index out of Bounds](https://reports.immunefi.com/thundernft-or-iop/iop-_-thundernft-34964-smart-contract-low-faulty-index-out-of-bounds.md) - [IOP \_ ThunderNFT 34966 - \[Smart Contract - High\] Royalty or protocol fee of will DoS executing order](https://reports.immunefi.com/thundernft-or-iop/iop-_-thundernft-34966-smart-contract-high-royalty-or-protocol-fee-of-will-dos-executing-orders-in-t.md) - [IOP \_ ThunderNFT 34967 - \[Smart Contract - Insight\] Insights Report](https://reports.immunefi.com/thundernft-or-iop/iop-_-thundernft-34967-smart-contract-insight-insights-report.md) - [IOP \_ ThunderNFT 34973 - \[Smart Contract - Low\] royalty\_managerregister\_royalty\_info might not work](https://reports.immunefi.com/thundernft-or-iop/iop-_-thundernft-34973-smart-contract-low-royalty_managerregister_royalty_info-might-not-work-in-som.md) - [IOP \_ ThunderNFT 34975 - \[Smart Contract - Low\] Read out of index](https://reports.immunefi.com/thundernft-or-iop/iop-_-thundernft-34975-smart-contract-low-read-out-of-index.md) - [IOP \_ ThunderNFT 34980 - \[Smart Contract - Critical\] Order side manipulation can lead to theft of NF](https://reports.immunefi.com/thundernft-or-iop/iop-_-thundernft-34980-smart-contract-critical-order-side-manipulation-can-lead-to-theft-of-nfts.md) - [ZeroLend](https://reports.immunefi.com/zerolend.md) - [28875 - \[SC - Medium\] Unauthorized minting of vested NFTs](https://reports.immunefi.com/zerolend/28875-sc-medium-unauthorized-minting-of-vested-nfts.md) - [28885 - \[SC - Medium\] Lack of check for Lockend in merge LockerToken ...](https://reports.immunefi.com/zerolend/28885-sc-medium-lack-of-check-for-lockend-in-merge-lockertoken-....md) - [28892 - \[SC - Medium\] ZeroLockermerge can make a voting lock last lon...](https://reports.immunefi.com/zerolend/28892-sc-medium-zerolockermerge-can-make-a-voting-lock-last-lon....md) - [28910 - \[SC - High\] Bool check wrong in registerGauge](https://reports.immunefi.com/zerolend/28910-sc-high-bool-check-wrong-in-registergauge.md) - [28912 - \[SC - Critical\] Attackers can control the vote result and ampli...](https://reports.immunefi.com/zerolend/28912-sc-critical-attackers-can-control-the-vote-result-and-ampli....md) - [28938 - \[SC - Medium\] Attacker can invalidate users supplyWithPermit ...](https://reports.immunefi.com/zerolend/28938-sc-medium-attacker-can-invalidate-users-supplywithpermit-....md) - [28943 - \[SC - Medium\] DoS when user want to supply repay asset using...](https://reports.immunefi.com/zerolend/28943-sc-medium-dos-when-user-want-to-supply-repay-asset-using....md) - [28955 - \[SC - High\] Malicious user can transfer all unclaimed rewar...](https://reports.immunefi.com/zerolend/28955-sc-high-malicious-user-can-transfer-all-unclaimed-rewar....md) - [28970 - \[SC - Medium\] Attacker can grief a user by making his supplyW...](https://reports.immunefi.com/zerolend/28970-sc-medium-attacker-can-grief-a-user-by-making-his-supplyw....md) - [28987 - \[SC - Medium\] Manipulation of governance is possible by minti...](https://reports.immunefi.com/zerolend/28987-sc-medium-manipulation-of-governance-is-possible-by-minti....md) - [28988 - \[SC - High\] Mechanism for distributing extra reward tokens ...](https://reports.immunefi.com/zerolend/28988-sc-high-mechanism-for-distributing-extra-reward-tokens-....md) - [28992 - \[SC - High\] Permanent freezing of additional reward tokens](https://reports.immunefi.com/zerolend/28992-sc-high-permanent-freezing-of-additional-reward-tokens.md) - [29012 - \[SC - High\] Votes manipulation in PoolVoter](https://reports.immunefi.com/zerolend/29012-sc-high-votes-manipulation-in-poolvoter.md) - [29019 - \[SC - High\] The ZeroLendToken contract in the Governance mo...](https://reports.immunefi.com/zerolend/29019-sc-high-the-zerolendtoken-contract-in-the-governance-mo....md) - [29026 - \[SC - High\] Hackers can steal the unclaimed yield to get th...](https://reports.immunefi.com/zerolend/29026-sc-high-hackers-can-steal-the-unclaimed-yield-to-get-th....md) - [29031 - \[SC - Critical\] VestedZeroNFT tokens can be directly stolen thr...](https://reports.immunefi.com/zerolend/29031-sc-critical-vestedzeronft-tokens-can-be-directly-stolen-thr....md) - [29047 - \[SC - Insight\] Reward is lost when totalSupply](https://reports.immunefi.com/zerolend/29047-sc-insight-reward-is-lost-when-totalsupply.md) - [29052 - \[SC - Medium\] Pool funds could be locked due to Division by zero](https://reports.immunefi.com/zerolend/29052-sc-medium-pool-funds-could-be-locked-due-to-division-by-zero.md) - [29059 - \[SC - Medium\] Race condition in StakingBonus will result in s...](https://reports.immunefi.com/zerolend/29059-sc-medium-race-condition-in-stakingbonus-will-result-in-s....md) - [29062 - \[SC - Critical\] Attacker can steal locked balance of staked nft...](https://reports.immunefi.com/zerolend/29062-sc-critical-attacker-can-steal-locked-balance-of-staked-nft....md) - [29068 - \[SC - Medium\] AaveOracle contract does not verify price stale...](https://reports.immunefi.com/zerolend/29068-sc-medium-aaveoracle-contract-does-not-verify-price-stale....md) - [29069 - \[SC - Medium\] Ability to deny users from repaying and supplyi...](https://reports.immunefi.com/zerolend/29069-sc-medium-ability-to-deny-users-from-repaying-and-supplyi....md) - [29078 - \[SC - High\] Theft of unclaimed yield due to the wrong calcu...](https://reports.immunefi.com/zerolend/29078-sc-high-theft-of-unclaimed-yield-due-to-the-wrong-calcu....md) - [29095 - \[SC - High\] The lockers supply can be arbitrarily inflated ...](https://reports.immunefi.com/zerolend/29095-sc-high-the-lockers-supply-can-be-arbitrarily-inflated-....md) - [29101 - \[SC - High\] Staking in BaseLocker is broken](https://reports.immunefi.com/zerolend/29101-sc-high-staking-in-baselocker-is-broken.md) - [29103 - \[SC - Critical\] Omnichain Stakers can permanently lose access t...](https://reports.immunefi.com/zerolend/29103-sc-critical-omnichain-stakers-can-permanently-lose-access-t....md) - [29120 - \[SC - High\] Bug in reward distribution logic leads to theft...](https://reports.immunefi.com/zerolend/29120-sc-high-bug-in-reward-distribution-logic-leads-to-theft....md) - [29121 - \[SC - High\] Any rewards sent to the PoolVoter will be undis...](https://reports.immunefi.com/zerolend/29121-sc-high-any-rewards-sent-to-the-poolvoter-will-be-undis....md) - [29122 - \[SC - High\] All reward tokens can be stolen by an attacker ...](https://reports.immunefi.com/zerolend/29122-sc-high-all-reward-tokens-can-be-stolen-by-an-attacker-....md) - [29123 - \[SC - Medium\] Griefing attack for VestedZeroNFT](https://reports.immunefi.com/zerolend/29123-sc-medium-griefing-attack-for-vestedzeronft.md) - [29130 - \[SC - Medium\] Unlimited Minting of VestedZeroNFT](https://reports.immunefi.com/zerolend/29130-sc-medium-unlimited-minting-of-vestedzeronft.md) - [29135 - \[SC - Critical\] OmnichainStakingsolunstakeLP and OmnichainStaki...](https://reports.immunefi.com/zerolend/29135-sc-critical-omnichainstakingsolunstakelp-and-omnichainstaki....md) - [29137 - \[SC - High\] ZeroLend token is not behaving properly while c...](https://reports.immunefi.com/zerolend/29137-sc-high-zerolend-token-is-not-behaving-properly-while-c....md) - [29139 - \[SC - Medium\] Griefing attack to cause users to suffer penalt...](https://reports.immunefi.com/zerolend/29139-sc-medium-griefing-attack-to-cause-users-to-suffer-penalt....md) - [29145 - \[SC - High\] zeroLendToken is bricked to use for whitelisted...](https://reports.immunefi.com/zerolend/29145-sc-high-zerolendtoken-is-bricked-to-use-for-whitelisted....md) - [29149 - \[SC - Insight\] DoS in Zero Registry configuration updation](https://reports.immunefi.com/zerolend/29149-sc-insight-dos-in-zero-registry-configuration-updation.md) - [29170 - \[SC - Medium\] DoS by front-runnable externall call](https://reports.immunefi.com/zerolend/29170-sc-medium-dos-by-front-runnable-externall-call.md) - [29175 - \[SC - Insight\] Granting DEFAULT\_ADMIN\_ROLE to the deployer in ...](https://reports.immunefi.com/zerolend/29175-sc-insight-granting-default_admin_role-to-the-deployer-in-....md) - [29181 - \[SC - High\] Tautology in PoolVoterregisterGauge makes it im...](https://reports.immunefi.com/zerolend/29181-sc-high-tautology-in-poolvoterregistergauge-makes-it-im....md) - [29186 - \[SC - Insight\] ValidationLogicvalidateBorrow - L-L Incorrect i...](https://reports.immunefi.com/zerolend/29186-sc-insight-validationlogicvalidateborrow-l-l-incorrect-i....md) - [29188 - \[SC - Insight\] StakingBonuscalculateBonus wrongly utilizes BPS](https://reports.immunefi.com/zerolend/29188-sc-insight-stakingbonuscalculatebonus-wrongly-utilizes-bps.md) - [29189 - \[SC - High\] ZeroLendToken doesnt allow whitelisted users to...](https://reports.immunefi.com/zerolend/29189-sc-high-zerolendtoken-doesnt-allow-whitelisted-users-to....md) - [29190 - \[SC - Insight\] Permanent freezing of up to wei of yield each ...](https://reports.immunefi.com/zerolend/29190-sc-insight-permanent-freezing-of-up-to-wei-of-yield-each-....md) - [29198 - \[SC - Medium\] Griefing attack to cause the rewards of a user ...](https://reports.immunefi.com/zerolend/29198-sc-medium-griefing-attack-to-cause-the-rewards-of-a-user-....md) - [29204 - \[SC - Critical\] Direct theft of Users VestedZeroNFT by using sp...](https://reports.immunefi.com/zerolend/29204-sc-critical-direct-theft-of-users-vestedzeronft-by-using-sp....md) - [29211 - \[SC - Critical\] Voting manipulation cause by the possibility to...](https://reports.immunefi.com/zerolend/29211-sc-critical-voting-manipulation-cause-by-the-possibility-to....md) - [29213 - \[SC - High\] The function always revert if \_stakeNFT True d...](https://reports.immunefi.com/zerolend/29213-sc-high-the-function-always-revert-if-_stakenft-true-d....md) - [29225 - \[SC - Insight\] EarlyZEROVesting is having a rounding issue and...](https://reports.immunefi.com/zerolend/29225-sc-insight-earlyzerovesting-is-having-a-rounding-issue-and....md) - [29244 - \[SC - Insight\] Using permit inside the function can lead to Do...](https://reports.immunefi.com/zerolend/29244-sc-insight-using-permit-inside-the-function-can-lead-to-do....md) - [29249 - \[SC - Insight\] Using permit inside the function can lead to Do...](https://reports.immunefi.com/zerolend/29249-sc-insight-using-permit-inside-the-function-can-lead-to-do....md) - [29262 - \[SC - Insight\] Some users can get more rewards than others whi...](https://reports.immunefi.com/zerolend/29262-sc-insight-some-users-can-get-more-rewards-than-others-whi....md) - [29267 - \[SC - High\] Wrong implementation causing some functions in ...](https://reports.immunefi.com/zerolend/29267-sc-high-wrong-implementation-causing-some-functions-in-....md) - [29270 - \[SC - High\] The main functionality of the contract EarlyZER...](https://reports.immunefi.com/zerolend/29270-sc-high-the-main-functionality-of-the-contract-earlyzer....md) - [29286 - \[SC - Medium\] MultiSigWalletremoveOwner - L The bug allows th...](https://reports.immunefi.com/zerolend/29286-sc-medium-multisigwalletremoveowner-l-the-bug-allows-th....md) - [29288 - \[SC - Critical\] all NFTs can be stolen by calling VestedZeroNFT...](https://reports.immunefi.com/zerolend/29288-sc-critical-all-nfts-can-be-stolen-by-calling-vestedzeronft....md) - [29322 - \[SC - Insight\] Use safeTransfer instead of transfer](https://reports.immunefi.com/zerolend/29322-sc-insight-use-safetransfer-instead-of-transfer.md) - [29328 - \[SC - Insight\] zkSync ACLManager EOA as EMERGENCY\_ADMIN](https://reports.immunefi.com/zerolend/29328-sc-insight-zksync-aclmanager-eoa-as-emergency_admin.md) - [29329 - \[SC - Insight\] Manta ACLManager EOA as EMERGENCY\_ADMIN](https://reports.immunefi.com/zerolend/29329-sc-insight-manta-aclmanager-eoa-as-emergency_admin.md) - [29331 - \[SC - Insight\] Manta ACLManager EOA as RISK\_ADMIN](https://reports.immunefi.com/zerolend/29331-sc-insight-manta-aclmanager-eoa-as-risk_admin.md) - [29332 - \[SC - Insight\] Manta ReservesSetupHelper EOA as owner](https://reports.immunefi.com/zerolend/29332-sc-insight-manta-reservessetuphelper-eoa-as-owner.md) - [29342 - \[SC - Insight\] Lack of chainID validation allows reuse of sign...](https://reports.immunefi.com/zerolend/29342-sc-insight-lack-of-chainid-validation-allows-reuse-of-sign....md) - [29344 - \[SC - Insight\] Price assets deposited manipulation](https://reports.immunefi.com/zerolend/29344-sc-insight-price-assets-deposited-manipulation.md) - [Swaylend | IOP](https://reports.immunefi.com/swaylend_iop.md) - [#35853 \[SC-Medium\] permissonless constructor always for front-running owner initialization.](https://reports.immunefi.com/swaylend_iop/35853-sc-medium-permissonless-constructor-always-for-front-running-owner-initialization..md) - [#36034 \[SC-Medium\] truncation in the \`present\_value\_borrow()\` can lead to loss of accrued borrow int](https://reports.immunefi.com/swaylend_iop/36034-sc-medium-truncation-in-the-present_value_borrow-can-lead-to-loss-of-accrued-borrow-interests..md) - [#35908 \[SC-Low\] If the collateral token''s decimal is <= the base token decimal in a market, \`collat](https://reports.immunefi.com/swaylend_iop/35908-sc-low-if-the-collateral-token-s-decimal-is-less-than-the-base-token-decimal-in-a-market-colla.md) - [#35732 \[SC-Low\] Withdrawals can not be paused which could lead to protocol insolvency in case of iss](https://reports.immunefi.com/swaylend_iop/35732-sc-low-withdrawals-can-not-be-paused-which-could-lead-to-protocol-insolvency-in-case-of-issues.md) - [#35768 \[SC-Insight\] \`Market.set\_pyth\_contract\_id\` should emit an event](https://reports.immunefi.com/swaylend_iop/35768-sc-insight-market.set_pyth_contract_id-should-emit-an-event.md) - [#35831 \[SC-High\] By bypassing base\_borrow\_min limitation borrows can create inabsorbable loans](https://reports.immunefi.com/swaylend_iop/35831-sc-high-by-bypassing-base_borrow_min-limitation-borrows-can-create-inabsorbable-loans.md) - [#35684 \[SC-Critical\] Incorrect Pyth Oracle Price Feed Process Leads to Wrong Collateral Value Calcul](https://reports.immunefi.com/swaylend_iop/35684-sc-critical-incorrect-pyth-oracle-price-feed-process-leads-to-wrong-collateral-value-calculati.md) - [#36158 \[SC-Low\] \`Market.collateral\_value\_to\_sell\` will always revert if collateral\_configuration](https://reports.immunefi.com/swaylend_iop/36158-sc-low-market.collateral_value_to_sell-will-always-revert-if-collateral_configuration.md) - [#36138 \[SC-Insight\] \`Market.update\_collateral\_asset\` should reuse old configuration's \`asset\_id\`](https://reports.immunefi.com/swaylend_iop/36138-sc-insight-market.update_collateral_asset-should-reuse-old-configurations-asset_id.md) - [#36137 \[SC-Medium\] \`absorb\_internal\` might be DOSed](https://reports.immunefi.com/swaylend_iop/36137-sc-medium-absorb_internal-might-be-dosed.md) - [#36117 \[SC-High\] Permanent freezing of tokens when user sends extra tokens as update fee](https://reports.immunefi.com/swaylend_iop/36117-sc-high-permanent-freezing-of-tokens-when-user-sends-extra-tokens-as-update-fee.md) - [#36108 \[SC-Insight\] \`recipient\` with a NULL address will lead to permanent loss of minted coins](https://reports.immunefi.com/swaylend_iop/36108-sc-insight-recipient-with-a-null-address-will-lead-to-permanent-loss-of-minted-coins.md) - [#35724 \[SC-Low\] Users can withdraw collateral even when the admin pauses the contract.](https://reports.immunefi.com/swaylend_iop/35724-sc-low-users-can-withdraw-collateral-even-when-the-admin-pauses-the-contract..md) - [#36065 \[SC-Insight\] \`Market.update\_market\_configuration\` should reuse old configuration's \`base\_toke](https://reports.immunefi.com/swaylend_iop/36065-sc-insight-market.update_market_configuration-should-reuse-old-configurations-base_token.decim.md) - [#35815 \[SC-Medium\] \`Market.present\_value\_borrow\` should be roundUp](https://reports.immunefi.com/swaylend_iop/35815-sc-medium-market.present_value_borrow-should-be-roundup.md) - [#35760 \[SC-Low\] \`market::available\_to\_borrow()\` compares the collateral in USD against the borrow in](https://reports.immunefi.com/swaylend_iop/35760-sc-low-market-available_to_borrow-compares-the-collateral-in-usd-against-the-borrow-in-base-un.md) - [#35758 \[SC-Critical\] Loss of yield to the protocol due to incorrect interest rate applied](https://reports.immunefi.com/swaylend_iop/35758-sc-critical-loss-of-yield-to-the-protocol-due-to-incorrect-interest-rate-applied.md) - [#35999 \[SC-Insight\] Incorrect event name](https://reports.immunefi.com/swaylend_iop/35999-sc-insight-incorrect-event-name.md) - [#35750 \[SC-High\] User loss due to Pyth oracle update fee being smaller than the msg amount sent](https://reports.immunefi.com/swaylend_iop/35750-sc-high-user-loss-due-to-pyth-oracle-update-fee-being-smaller-than-the-msg-amount-sent.md) - [#35794 \[SC-Insight\] \`Market.absorb\` can be called when \`Market.supply\_collateral\` is paused](https://reports.immunefi.com/swaylend_iop/35794-sc-insight-market.absorb-can-be-called-when-market.supply_collateral-is-paused.md) - [#35767 \[SC-Critical\] constanct value is used to check \`price.confidence\`](https://reports.immunefi.com/swaylend_iop/35767-sc-critical-constanct-value-is-used-to-check-price.confidence.md) - [#35876 \[SC-High\] Users will lose funds on calls to critical functions if the prices are not updated](https://reports.immunefi.com/swaylend_iop/35876-sc-high-users-will-lose-funds-on-calls-to-critical-functions-if-the-prices-are-not-updated.md) - [#35793 \[SC-High\] \`src-20.burn\` should use "==" instead of ">="](https://reports.immunefi.com/swaylend_iop/35793-sc-high-src-20.burn-should-use-instead-of-greater-than.md) - [#35761 \[SC-Low\] Unhandled smaller base decimals than 6 or bigger than the collateral's decimals](https://reports.immunefi.com/swaylend_iop/35761-sc-low-unhandled-smaller-base-decimals-than-6-or-bigger-than-the-collaterals-decimals.md) - [#35708 \[SC-Insight\] Adding too many collaterals will halt the protocol operation](https://reports.immunefi.com/swaylend_iop/35708-sc-insight-adding-too-many-collaterals-will-halt-the-protocol-operation.md) - [Acre](https://reports.immunefi.com/acre.md) - [#34836 \[SC-Medium\] Malicious party can make it impossible for debt to be completely repaid by donati](https://reports.immunefi.com/acre/34836-sc-medium-malicious-party-can-make-it-impossible-for-debt-to-be-completely-repaid-by-donating.md) - [#34959 \[SC-Low\] \`mintDebt\` returns a wrong value](https://reports.immunefi.com/acre/34959-sc-low-mintdebt-returns-a-wrong-value.md) - [#35014 \[SC-Low\] incorrect rounding in mintdebt function might allow minimal shares dilution](https://reports.immunefi.com/acre/35014-sc-low-incorrect-rounding-in-mintdebt-function-might-allow-minimal-shares-dilution.md) - [#34978 \[SC-Low\] protocol runs insolvent due to incorrect reliance on depositbalance which doesn t ma](https://reports.immunefi.com/acre/34978-sc-low-protocol-runs-insolvent-due-to-incorrect-reliance-on-depositbalance-which-doesn-t-match.md) - [#35026 \[SC-Low\] \`repayDebt\` in stbtc returns a worng value](https://reports.immunefi.com/acre/35026-sc-low-repaydebt-in-stbtc-returns-a-worng-value.md) - [#34995 \[SC-Low\] \`mintDebt()\` and \`repayDebt()\` should return \`assets\` and not \`shares\`](https://reports.immunefi.com/acre/34995-sc-low-mintdebt-and-repaydebt-should-return-assets-and-not-shares.md) - [#34712 \[SC-Medium\] Malicious users can block repay debt transactions with no cost](https://reports.immunefi.com/acre/34712-sc-medium-malicious-users-can-block-repay-debt-transactions-with-no-cost.md) - [#34998 \[SC-Insight\] Deposited assets in an old dispatcher may be lost when swapping to a new dispatc](https://reports.immunefi.com/acre/34998-sc-insight-deposited-assets-in-an-old-dispatcher-may-be-lost-when-swapping-to-a-new-dispatcher.md) - [#34672 \[SC-Low\] Protocol runs insolvent due to incorrect reliance on depositBalance which doesn't ma](https://reports.immunefi.com/acre/34672-sc-low-protocol-runs-insolvent-due-to-incorrect-reliance-on-depositbalance-which-doesnt-match.md) - [#34999 \[SC-Low\] The tBTC in the MezoAllocator itself is not considered in the withdrawal function](https://reports.immunefi.com/acre/34999-sc-low-the-tbtc-in-the-mezoallocator-itself-is-not-considered-in-the-withdrawal-function.md) - [#34748 \[SC-Low\] Last withdrawer can be prevented from withdrawing their assets](https://reports.immunefi.com/acre/34748-sc-low-last-withdrawer-can-be-prevented-from-withdrawing-their-assets.md) - [#34729 \[SC-Low\] \`releaseDeposit\` will likely fail, putting funds in MezoAllocator at risk of being p](https://reports.immunefi.com/acre/34729-sc-low-releasedeposit-will-likely-fail-putting-funds-in-mezoallocator-at-risk-of-being-permane.md) - [#34851 \[SC-Low\] Adversary can freeze users' fund in stBTC using donation attack on MezoAllocator](https://reports.immunefi.com/acre/34851-sc-low-adversary-can-freeze-users-fund-in-stbtc-using-donation-attack-on-mezoallocator.md) - [Shardeum Core II](https://reports.immunefi.com/shardeum-core-ii.md) - [#36029 \[BC-Insight\] Node.js crash on counterMap overflow](https://reports.immunefi.com/shardeum-core-ii/36029-bc-insight-node.js-crash-on-countermap-overflow.md) - [#35696 \[BC-Critical\] Specifically crafted penalty TX may cause total network shutdown.](https://reports.immunefi.com/shardeum-core-ii/35696-bc-critical-specifically-crafted-penalty-tx-may-cause-total-network-shutdown..md) - [#35694 \[BC-Critical\] Consensus can be bypassed by single validator node from transaction execution g](https://reports.immunefi.com/shardeum-core-ii/35694-bc-critical-consensus-can-be-bypassed-by-single-validator-node-from-transaction-execution-grou.md) - [#35601 \[BC-Critical\] Consensus algorithm doesn't deduplicate votes, allowing a malicious validator t](https://reports.immunefi.com/shardeum-core-ii/35601-bc-critical-consensus-algorithm-doesnt-deduplicate-votes-allowing-a-malicious-validator-to-com.md) - [#35695 \[BC-Critical\] validateTxnFields check for internal transactions can be bypassed](https://reports.immunefi.com/shardeum-core-ii/35695-bc-critical-validatetxnfields-check-for-internal-transactions-can-be-bypassed.md) - [#35531 \[BC-Critical\] Absence of signature deduplication for receipt in the binary\_repair\_oos\_account](https://reports.immunefi.com/shardeum-core-ii/35531-bc-critical-absence-of-signature-deduplication-for-receipt-in-the-binary_repair_oos_accounts-p.md) - [#36024 \[BC-Insight\] Use of Vulnerable function results in prediction of archivers](https://reports.immunefi.com/shardeum-core-ii/36024-bc-insight-use-of-vulnerable-function-results-in-prediction-of-archivers.md) - [#35965 \[BC-Insight\] Unverified data in safety sync](https://reports.immunefi.com/shardeum-core-ii/35965-bc-insight-unverified-data-in-safety-sync.md) - [#35707 \[BC-Critical\] Reusing old transaction receipt to rollback account balance](https://reports.immunefi.com/shardeum-core-ii/35707-bc-critical-reusing-old-transaction-receipt-to-rollback-account-balance.md) - [#35415 \[BC-Insight\] \[Informational\] debugMiddleware query parameters can be partially modified by re](https://reports.immunefi.com/shardeum-core-ii/35415-bc-insight-informational-debugmiddleware-query-parameters-can-be-partially-modified-by-request.md) - [#35839 \[BC-Critical\] Slash avoidance: Ineffective controls on unstaking allow unstaking before takin](https://reports.immunefi.com/shardeum-core-ii/35839-bc-critical-slash-avoidance-ineffective-controls-on-unstaking-allow-unstaking-before-taking-an.md) - [#35526 \[BC-Critical\] An attacker can change the account balance after the transaction has been proce](https://reports.immunefi.com/shardeum-core-ii/35526-bc-critical-an-attacker-can-change-the-account-balance-after-the-transaction-has-been-processe.md) - [#35641 \[BC-Insight\] node p2p remote denial of service](https://reports.immunefi.com/shardeum-core-ii/35641-bc-insight-node-p2p-remote-denial-of-service.md) - [#35697 \[BC-Insight\] \[Informational\] Code logic contains potential risk of full network shutdown](https://reports.immunefi.com/shardeum-core-ii/35697-bc-insight-informational-code-logic-contains-potential-risk-of-full-network-shutdown.md) - [#35710 \[BC-Insight\] addressToPartition input is unsanitized, allowing to take whole network down](https://reports.immunefi.com/shardeum-core-ii/35710-bc-insight-addresstopartition-input-is-unsanitized-allowing-to-take-whole-network-down.md) - [Shardeum Ancillaries II](https://reports.immunefi.com/shardeum-ancillaries-ii.md) - [#35598 \[W\&A-Insight\] Access to debug endpoints without any protection](https://reports.immunefi.com/shardeum-ancillaries-ii/35598-w-and-a-insight-access-to-debug-endpoints-without-any-protection.md) - [#35351 \[W\&A-Insight\] Password Length Bypass in Shardeum Authentication System](https://reports.immunefi.com/shardeum-ancillaries-ii/35351-w-and-a-insight-password-length-bypass-in-shardeum-authentication-system.md) - [#35537 \[W\&A-Insight\] json rpc server websocket remote crash](https://reports.immunefi.com/shardeum-ancillaries-ii/35537-w-and-a-insight-json-rpc-server-websocket-remote-crash.md) - [#35996 \[W\&A-Insight\] malicious explorer can cause denial of service in json rpc server and even cras](https://reports.immunefi.com/shardeum-ancillaries-ii/35996-w-and-a-insight-malicious-explorer-can-cause-denial-of-service-in-json-rpc-server-and-even-cra.md) - [#35979 \[W\&A-High\] malicious archiver malicious validator can overwrite data on any active archiver](https://reports.immunefi.com/shardeum-ancillaries-ii/35979-w-and-a-high-malicious-archiver-malicious-validator-can-overwrite-data-on-any-active-archiver.md) - [#36025 \[W\&A-Critical\] A malicious validator can overwrite the account data of any archive server con](https://reports.immunefi.com/shardeum-ancillaries-ii/36025-w-and-a-critical-a-malicious-validator-can-overwrite-the-account-data-of-any-archive-server-co.md) - [#35452 \[W\&A-High\] Admin Panel Accessed](https://reports.immunefi.com/shardeum-ancillaries-ii/35452-w-and-a-high-admin-panel-accessed.md) - [#36005 \[W\&A-Insight\] Reflected URL Manipulation and Phishing Risk](https://reports.immunefi.com/shardeum-ancillaries-ii/36005-w-and-a-insight-reflected-url-manipulation-and-phishing-risk.md) - [#35972 \[W\&A-Insight\] Operator-GUI Weak JWT Token Generation Led To Generate same JWT Tokens Even if](https://reports.immunefi.com/shardeum-ancillaries-ii/35972-w-and-a-insight-operator-gui-weak-jwt-token-generation-led-to-generate-same-jwt-tokens-even-if.md) - [#35447 \[W\&A-High\] Zero Click Full Account Takeover](https://reports.immunefi.com/shardeum-ancillaries-ii/35447-w-and-a-high-zero-click-full-account-takeover.md) - [#35446 \[W\&A-Insight\] IDOR Able to change other user information](https://reports.immunefi.com/shardeum-ancillaries-ii/35446-w-and-a-insight-idor-able-to-change-other-user-information.md) - [#35903 \[W\&A-High\] SQL Injection Allows a Malicious Archiver to Overwrite Receipt/originalTxData Data](https://reports.immunefi.com/shardeum-ancillaries-ii/35903-w-and-a-high-sql-injection-allows-a-malicious-archiver-to-overwrite-receipt-originaltxdata-dat.md) - [#35824 \[W\&A-Medium\] \`/set-config\` replay attack is possible in production mode after archiver restar](https://reports.immunefi.com/shardeum-ancillaries-ii/35824-w-and-a-medium-set-config-replay-attack-is-possible-in-production-mode-after-archiver-restart.md) - [#35157 \[W\&A-Insight\] Unauthorized Access to Shardeum Config Store using default credentials](https://reports.immunefi.com/shardeum-ancillaries-ii/35157-w-and-a-insight-unauthorized-access-to-shardeum-config-store-using-default-credentials.md) - [#35709 \[W\&A-Critical\] Potential DoS of archiver-server during network restoration via get\_account\_da](https://reports.immunefi.com/shardeum-ancillaries-ii/35709-w-and-a-critical-potential-dos-of-archiver-server-during-network-restoration-via-get_account_d.md) - [#35534 \[W\&A-Insight\] json rpc server remote crash](https://reports.immunefi.com/shardeum-ancillaries-ii/35534-w-and-a-insight-json-rpc-server-remote-crash.md) - [Anvil](https://reports.immunefi.com/anvil.md) - [#36303 \[SC-Medium\] attackers can cause griefing attack to cause stake transactions of timebasedcolla](https://reports.immunefi.com/anvil/36303-sc-medium-attackers-can-cause-griefing-attack-to-cause-stake-transactions-of-timebasedcolla.md) - [#36501 \[SC-Medium\] Signature Front-Running Vulnerability in CollateralVault](https://reports.immunefi.com/anvil/36501-sc-medium-signature-front-running-vulnerability-in-collateralvault.md) - [#36268 \[SC-Medium\] stake with signature can be front-run lead to user's stake failed](https://reports.immunefi.com/anvil/36268-sc-medium-stake-with-signature-can-be-front-run-lead-to-users-stake-failed.md) - [#36267 \[SC-Insight\] tokens can be stuck forever in uniswapliquidator because function retrievetokens](https://reports.immunefi.com/anvil/36267-sc-insight-tokens-can-be-stuck-forever-in-uniswapliquidator-because-function-retrievetokens.md) - [#36136 \[SC-Insight\] Fee calculation error in withdraw function of collateralVault contract](https://reports.immunefi.com/anvil/36136-sc-insight-fee-calculation-error-in-withdraw-function-of-collateralvault-contract.md) - [#36092 \[SC-Insight\] Collateralizable Contracts May Retain Status Unconditionally](https://reports.immunefi.com/anvil/36092-sc-insight-collateralizable-contracts-may-retain-status-unconditionally.md) - [#36540 \[SC-Insight\] users can withdraw funds at incorrect fee rate](https://reports.immunefi.com/anvil/36540-sc-insight-users-can-withdraw-funds-at-incorrect-fee-rate.md) - [#36567 \[SC-Insight\] Anyone can cancel anyone's LOC](https://reports.immunefi.com/anvil/36567-sc-insight-anyone-can-cancel-anyones-loc.md) - [#36554 \[SC-Critical\] Time Based Collateral Pool Users can release more than their due share of the p](https://reports.immunefi.com/anvil/36554-sc-critical-time-based-collateral-pool-users-can-release-more-than-their-due-share-of-the-pool.md) - [#36552 \[SC-Medium\] DoS for the user's calling \`stake\` and \`stakeReleasableTokensFrom\` function](https://reports.immunefi.com/anvil/36552-sc-medium-dos-for-the-users-calling-stake-and-stakereleasabletokensfrom-function.md) - [#36532 \[SC-Medium\] Frontrun to invalidate collateralizable approval signature](https://reports.immunefi.com/anvil/36532-sc-medium-frontrun-to-invalidate-collateralizable-approval-signature.md) - [#36306 \[SC-Insight\] Incorrect nonce value emitted in \`TimeBasedCollateralPool::\_resetPool\` event](https://reports.immunefi.com/anvil/36306-sc-insight-incorrect-nonce-value-emitted-in-timebasedcollateralpool-_resetpool-event.md) - [#36475 \[SC-Medium\] Token allowance signature can be front-run](https://reports.immunefi.com/anvil/36475-sc-medium-token-allowance-signature-can-be-front-run.md) - [#36450 \[SC-Low\] contract timebasedcollateralpool will be unable to process new user transactions](https://reports.immunefi.com/anvil/36450-sc-low-contract-timebasedcollateralpool-will-be-unable-to-process-new-user-transactions.md) - [#36346 \[SC-Insight\] Typehash Discrepancy in CollateralizableTokenAllowanceAdjustment](https://reports.immunefi.com/anvil/36346-sc-insight-typehash-discrepancy-in-collateralizabletokenallowanceadjustment.md) - [#36340 \[SC-Insight\] TimeBasedCollateralPool::\_resetAccountTokenStateIfApplicable does not adjust tok](https://reports.immunefi.com/anvil/36340-sc-insight-timebasedcollateralpool-_resetaccounttokenstateifapplicable-does-not-adjust-tokenep.md) - [#36309 \[SC-Low\] TimeBasedCollateralPool: After \_resetPool gets called (internally) a depositor can b](https://reports.immunefi.com/anvil/36309-sc-low-timebasedcollateralpool-after-_resetpool-gets-called-internally-a-depositor-can-break-m.md) - [Anvil: Letters of Credit](https://reports.immunefi.com/anvil-letters-of-credit.md) - [#36807 \[SC-Critical\] attackers can create dynamic loc with any credited amount with very small co...](https://reports.immunefi.com/anvil-letters-of-credit/36807-sc-critical-attackers-can-create-dynamic-loc-with-any-credited-amount-with-very-small-co....md) - [#36931 \[SC-Critical\] critical creators can modifyloccollateral of dynamic loc to release ....](https://reports.immunefi.com/anvil-letters-of-credit/36931-sc-critical-critical-creators-can-modifyloccollateral-of-dynamic-loc-to-release-.....md) - [#36910 \[SC-Critical\] LoC: The creator can withdraw the entire collateral of a Dynamic LoC making it](https://reports.immunefi.com/anvil-letters-of-credit/36910-sc-critical-loc-the-creator-can-withdraw-the-entire-collateral-of-a-dynamic-loc-making-it-inso.md) - [#36970 \[SC-Insight\] Missing \`\_disableInitializer()\` implementation](https://reports.immunefi.com/anvil-letters-of-credit/36970-sc-insight-missing-_disableinitializer-implementation.md) - [#36999 \[SC-Insight\] Incomplete Adjustment of \`globalAmountInDynamicUse\` During LOC Liquidation Cause](https://reports.immunefi.com/anvil-letters-of-credit/36999-sc-insight-incomplete-adjustment-of-globalamountindynamicuse-during-loc-liquidation-causes-acc.md) - [Fluid Protocol](https://reports.immunefi.com/fluid-protocol.md) - [#36922 \[SC-Insight\] the function claim\_collateral in borrowOperation have read only attribute while](https://reports.immunefi.com/fluid-protocol/36922-sc-insight-the-function-claim_collateral-in-borrowoperation-have-read-only-attribute-while-the.md) - [#37056 \[SC-Insight\] \`require\_at\_least\_min\_net\_debt\` did not emit correct error message](https://reports.immunefi.com/fluid-protocol/37056-sc-insight-require_at_least_min_net_debt-did-not-emit-correct-error-message.md) - [#37139 \[SC-Insight\] insight inefficient use of storage reentrancy locks](https://reports.immunefi.com/fluid-protocol/37139-sc-insight-insight-inefficient-use-of-storage-reentrancy-locks.md) - [#37192 \[SC-Low\] Trove that under MCR might be redeemed.](https://reports.immunefi.com/fluid-protocol/37192-sc-low-trove-that-under-mcr-might-be-redeemed..md) - [#37276 \[SC-Medium\] Redstone's price feed is used incorrectly.](https://reports.immunefi.com/fluid-protocol/37276-sc-medium-redstones-price-feed-is-used-incorrectly..md) - [#37202 \[SC-Insight\] some checks can be removed since its not required(best practice report, not an i](https://reports.immunefi.com/fluid-protocol/37202-sc-insight-some-checks-can-be-removed-since-its-not-required-best-practice-report-not-an-issue.md) - [#37283 \[SC-Low\] Improper Trove Validation Check Allows Low-Cost Griefing Attack to Block Protocol Re](https://reports.immunefi.com/fluid-protocol/37283-sc-low-improper-trove-validation-check-allows-low-cost-griefing-attack-to-block-protocol-redem.md) - [#37343 \[SC-Insight\] inaccurate check leading to debt miscalculation](https://reports.immunefi.com/fluid-protocol/37343-sc-insight-inaccurate-check-leading-to-debt-miscalculation.md) - [#37323 \[SC-Critical\] Permanent dead Lock in internal\_redeem\_collateral\_from\_trove](https://reports.immunefi.com/fluid-protocol/37323-sc-critical-permanent-dead-lock-in-internal_redeem_collateral_from_trove.md) - [#37354 \[SC-Low\] Single below MCR trove temporarily blocks redemptions](https://reports.immunefi.com/fluid-protocol/37354-sc-low-single-below-mcr-trove-temporarily-blocks-redemptions.md) - [#37382 \[SC-Insight\] Inconsistent Collateral Ratio Checks in Stability Pool Withdrawals Lead to Fund-](https://reports.immunefi.com/fluid-protocol/37382-sc-insight-inconsistent-collateral-ratio-checks-in-stability-pool-withdrawals-lead-to-fund-loc.md) - [#37409 \[SC-Low\] Can not redeem when all \`current\_cr\` less than \`MCR\`.](https://reports.immunefi.com/fluid-protocol/37409-sc-low-can-not-redeem-when-all-current_cr-less-than-mcr-..md) - [#37425 \[SC-Insight\] redeem collateral does not redeem collateral from riskiest trove but wrongly red](https://reports.immunefi.com/fluid-protocol/37425-sc-insight-redeem-collateral-does-not-redeem-collateral-from-riskiest-trove-but-wrongly-redeem.md) - [#37452 \[SC-Critical\] \`trove-manager-contract.redeem\_collateral\_from\_trove\` can be locked forever](https://reports.immunefi.com/fluid-protocol/37452-sc-critical-trove-manager-contract.redeem_collateral_from_trove-can-be-locked-forever.md) - [#37595 \[SC-Insight\] \`require\_caller\_is\_bo\_or\_tm\_or\_sp\_or\_pm\` did not emit correct message](https://reports.immunefi.com/fluid-protocol/37595-sc-insight-require_caller_is_bo_or_tm_or_sp_or_pm-did-not-emit-correct-message.md) - [#37607 \[SC-Low\] bricking redeem function](https://reports.immunefi.com/fluid-protocol/37607-sc-low-bricking-redeem-function.md) - [#37624 \[SC-Critical\] lock issue bricks the redeem functionality](https://reports.immunefi.com/fluid-protocol/37624-sc-critical-lock-issue-bricks-the-redeem-functionality.md) - [#37650 \[SC-Low\] redeem functionality partially failing](https://reports.immunefi.com/fluid-protocol/37650-sc-low-redeem-functionality-partially-failing.md) - [#37668 \[SC-Low\] Incorrect Scale Factor value leads to early scale change](https://reports.immunefi.com/fluid-protocol/37668-sc-low-incorrect-scale-factor-value-leads-to-early-scale-change.md) - [#37671 \[SC-Critical\] CRITICAL-02 / The contract could be permanently locked due to not reseting the](https://reports.immunefi.com/fluid-protocol/37671-sc-critical-critical-02-the-contract-could-be-permanently-locked-due-to-not-reseting-the-boole.md) - [Folks: Liquid Staking](https://reports.immunefi.com/folks-liquid-staking.md) - [#37660 \[SC-High\] incorrect tracking of \`TOTAL\_ACTIVE\_STAKE\` leads to permanent freezing of funds](https://reports.immunefi.com/folks-liquid-staking/37660-sc-high-incorrect-tracking-of-total_active_stake-leads-to-permanent-freezing-of-funds.md) - [#37661 \[SC-High\] Incorrect \`total\_active\_stake\` reduction causes loss of funds for the users and exc](https://reports.immunefi.com/folks-liquid-staking/37661-sc-high-incorrect-total_active_stake-reduction-causes-loss-of-funds-for-the-users-and-excessiv.md) - [#37768 \[SC-Insight\] Missing Event Emission when proposer are added prevents safe retrieval of index](https://reports.immunefi.com/folks-liquid-staking/37768-sc-insight-missing-event-emission-when-proposer-are-added-prevents-safe-retrieval-of-index-for.md) - [#37775 \[SC-High\] Accounting Discrepancy in \`consensus\_v2.py::burn()\`can potentially cause underflow](https://reports.immunefi.com/folks-liquid-staking/37775-sc-high-accounting-discrepancy-in-consensus_v2.py-burn-can-potentially-cause-underflow-and-lea.md) - [#37791 \[SC - Insight\] consensus contract distributes algo for proposers that are offline that cause](https://reports.immunefi.com/folks-liquid-staking/37791-sc-insight-consensus-contract-distributes-algo-for-proposers-that-are-offline-that-cause-losin.md) - [#37807 \[SC-Insight\] Truncation of mint\_amount to zero leading to potential stake loss](https://reports.immunefi.com/folks-liquid-staking/37807-sc-insight-truncation-of-mint_amount-to-zero-leading-to-potential-stake-loss.md) - [#37852 \[SC-High\] The accumulation of rewards is being decreased from the active stake which could le](https://reports.immunefi.com/folks-liquid-staking/37852-sc-high-the-accumulation-of-rewards-is-being-decreased-from-the-active-stake-which-could-leave.md) - [#37854 \[SC-Insight\] Missing state validation upon Upgrade](https://reports.immunefi.com/folks-liquid-staking/37854-sc-insight-missing-state-validation-upon-upgrade.md) - [#37864 \[SC-Insight\] Over-charging users on delayed mint](https://reports.immunefi.com/folks-liquid-staking/37864-sc-insight-over-charging-users-on-delayed-mint.md) - [#37863 \[SC-High\] Underflow in burn method prevents all xALGO from being burnt](https://reports.immunefi.com/folks-liquid-staking/37863-sc-high-underflow-in-burn-method-prevents-all-xalgo-from-being-burnt.md) - [#37867 \[SC-Low\] Contract upgrade failing due to SHA256 failing because of AVM byte width limits](https://reports.immunefi.com/folks-liquid-staking/37867-sc-low-contract-upgrade-failing-due-to-sha256-failing-because-of-avm-byte-width-limits.md) - [#37889 \[SC-High\] Underflow in \`burn()\` function will cause user funds to partially frozen](https://reports.immunefi.com/folks-liquid-staking/37889-sc-high-underflow-in-burn-function-will-cause-user-funds-to-partially-frozen.md) - [#37903 \[SC-High\] "Potential Underflow Vulnerability in burn Function for total\_active\_stake\_key"](https://reports.immunefi.com/folks-liquid-staking/37903-sc-high-potential-underflow-vulnerability-in-burn-function-for-total_active_stake_key.md) - [#37893 \[SC-Insight\] inflation attack in xalgo](https://reports.immunefi.com/folks-liquid-staking/37893-sc-insight-inflation-attack-in-xalgo.md) - [#37940 \[SC-High\] freezing of user funds when reward accumulated or added](https://reports.immunefi.com/folks-liquid-staking/37940-sc-high-freezing-of-user-funds-when-reward-accumulated-or-added.md) - [Jito Restaking](https://reports.immunefi.com/jito-restaking.md) - [#36675 \[SC-Insight\] Missing revoke instruction leads to Old delegate accounts have unlimited number](https://reports.immunefi.com/jito-restaking/36675-sc-insight-missing-revoke-instruction-leads-to-old-delegate-accounts-have-unlimited-number-of.md) - [#37315 \[SC-High\] Theft of Unclaimed Yields Due to Improper Reward Distribution in Vault Program](https://reports.immunefi.com/jito-restaking/37315-sc-high-theft-of-unclaimed-yields-due-to-improper-reward-distribution-in-vault-program.md) - [#36787 \[SC-Insight\] The vault program don't support token2022 transfer](https://reports.immunefi.com/jito-restaking/36787-sc-insight-the-vault-program-dont-support-token2022-transfer.md) - [#36903 \[SC-High\] The vault reward mechanism can be sandwiched by MEV](https://reports.immunefi.com/jito-restaking/36903-sc-high-the-vault-reward-mechanism-can-be-sandwiched-by-mev.md) - [#37079 \[SC-Insight\] Withdrawals can be DOSed by reviving tickets in the same burn tx](https://reports.immunefi.com/jito-restaking/37079-sc-insight-withdrawals-can-be-dosed-by-reviving-tickets-in-the-same-burn-tx.md) - [#37311 \[SC-High\] Attackers can steal rewards by depositing, updating vault balance and withdrawing i](https://reports.immunefi.com/jito-restaking/37311-sc-high-attackers-can-steal-rewards-by-depositing-updating-vault-balance-and-withdrawing-immed.md) - [#37295 \[SC-High\] Rewards can be stolen by depositing immediately after reward tokens get sent to vau](https://reports.immunefi.com/jito-restaking/37295-sc-high-rewards-can-be-stolen-by-depositing-immediately-after-reward-tokens-get-sent-to-vault.md) - [#37314 \[SC-High\] Vault creators can not withdraw their fees without being recursively charged (vault](https://reports.immunefi.com/jito-restaking/37314-sc-high-vault-creators-can-not-withdraw-their-fees-without-being-recursively-charged-vault-and.md) - [SwayLend frontend](https://reports.immunefi.com/swaylend-frontend.md) - [#37822 \[W\&A-Insight\] insight incorrect amounts displayed to foreign users](https://reports.immunefi.com/swaylend-frontend/37822-w-and-a-insight-insight-incorrect-amounts-displayed-to-foreign-users.md) - [#37196 \[W\&A-Insight\] DOS due to Misleading 'CircularProgressBar' Display Due to Rounding of 'supplyU](https://reports.immunefi.com/swaylend-frontend/37196-w-and-a-insight-dos-due-to-misleading-circularprogressbar-display-due-to-rounding-of-supplyuse.md) - [Celo](https://reports.immunefi.com/celo.md) - [#37058 \[SC-High\] Theft of remuneration through claims processing loops.](https://reports.immunefi.com/celo/37058-sc-high-theft-of-remuneration-through-claims-processing-loops..md) - [#37010 \[SC-High\] Rollback of the incorrect state interferes with the progress of the epoch process,](https://reports.immunefi.com/celo/37010-sc-high-rollback-of-the-incorrect-state-interferes-with-the-progress-of-the-epoch-process-prev.md) - [#37206 \[SC-Medium\] Overflow due to lack of checks leading to incorrect price calculation](https://reports.immunefi.com/celo/37206-sc-medium-overflow-due-to-lack-of-checks-leading-to-incorrect-price-calculation.md) - [#37251 \[SC-Critical\] Fraudulent padding of governance voting power](https://reports.immunefi.com/celo/37251-sc-critical-fraudulent-padding-of-governance-voting-power.md) - [#37285 \[SC-Critical\] Incorrect Delegation State After Slashing in LockedGold Contract](https://reports.immunefi.com/celo/37285-sc-critical-incorrect-delegation-state-after-slashing-in-lockedgold-contract.md) - [#37391 \[SC-High\] Early Reward Accrual Undermines Validator Group Performance Incentives](https://reports.immunefi.com/celo/37391-sc-high-early-reward-accrual-undermines-validator-group-performance-incentives.md) - [#37443 \[SC-Insight\] Race Condition in KeyedBroadcaster Implementation](https://reports.immunefi.com/celo/37443-sc-insight-race-condition-in-keyedbroadcaster-implementation.md) - [#37427 \[SC-Critical\] Delegation is not updated on slash and unlock](https://reports.immunefi.com/celo/37427-sc-critical-delegation-is-not-updated-on-slash-and-unlock.md) - [Stacks I Attackathon](https://reports.immunefi.com/stacks-i-attackathon.md) - [#38516 \[BC-High\] Signer can censor transactions and halt the network by providing an invalid nonce o](https://reports.immunefi.com/stacks-i-attackathon/38516-bc-high-signer-can-censor-transactions-and-halt-the-network-by-providing-an-invalid-nonce-or-t.md) - [#37545 \[BC-Medium\] Deposits with a lock\_time of 16 cannot be processed](https://reports.immunefi.com/stacks-i-attackathon/37545-bc-medium-deposits-with-a-lock_time-of-16-cannot-be-processed.md) - [#38003 \[BC-Medium\] A malicious coordinator calling \`Emily::update\_deposits\` can make the entire Sign](https://reports.immunefi.com/stacks-i-attackathon/38003-bc-medium-a-malicious-coordinator-calling-emily-update_deposits-can-make-the-entire-signers-ne.md) - [#37479 \[BC-High\] A single signer can lock users' funds by not notifying other signers of the execute](https://reports.immunefi.com/stacks-i-attackathon/37479-bc-high-a-single-signer-can-lock-users-funds-by-not-notifying-other-signers-of-the-executed-sw.md) - [#38398 \[BC-High\] Malicious Signers can initiate repeated contract calls to cause the multi-sign wall](https://reports.immunefi.com/stacks-i-attackathon/38398-bc-high-malicious-signers-can-initiate-repeated-contract-calls-to-cause-the-multi-sign-wallet.md) - [#37530 \[BC-Insight\] Deposits can be completely DoSed due to incorrect transaction construction](https://reports.immunefi.com/stacks-i-attackathon/37530-bc-insight-deposits-can-be-completely-dosed-due-to-incorrect-transaction-construction.md) - [#38160 \[BC-Insight\] Governance calling \`sbtc-registry.update-protocol-contract\` may cause Stacks' ev](https://reports.immunefi.com/stacks-i-attackathon/38160-bc-insight-governance-calling-sbtc-registry.update-protocol-contract-may-cause-stacks-events-t.md) - [#37500 \[BC-Low\] Blocklist can be circumvented due to incorrect blocking logic in \`request\_decider::c](https://reports.immunefi.com/stacks-i-attackathon/37500-bc-low-blocklist-can-be-circumvented-due-to-incorrect-blocking-logic-in-request_decider-can_ac.md) - [#38690 \[BC-Insight\] A malicious coordinator can run multiple DKG coordination in parallel and manipu](https://reports.immunefi.com/stacks-i-attackathon/38690-bc-insight-a-malicious-coordinator-can-run-multiple-dkg-coordination-in-parallel-and-manipulat.md) - [#38270 \[BC-Medium\] A signer can send a large number of junk \`WstsNetMessage::NonceRequest\` through P](https://reports.immunefi.com/stacks-i-attackathon/38270-bc-medium-a-signer-can-send-a-large-number-of-junk-wstsnetmessage-noncerequest-through-p2p-to.md) - [#38223 \[BC-Insight\] Attackers can disrupt the tag order of gossip messages to bypass signature verif](https://reports.immunefi.com/stacks-i-attackathon/38223-bc-insight-attackers-can-disrupt-the-tag-order-of-gossip-messages-to-bypass-signature-verifica.md) - [#37470 \[BC-Medium\] SBTC Signers do not page through pending deposit requests making it trivially eas](https://reports.immunefi.com/stacks-i-attackathon/37470-bc-medium-sbtc-signers-do-not-page-through-pending-deposit-requests-making-it-trivially-easy-t.md) - [#38551 \[BC-Medium\] A signer can request stacks tx nonces in batches in advance and then DoS other si](https://reports.immunefi.com/stacks-i-attackathon/38551-bc-medium-a-signer-can-request-stacks-tx-nonces-in-batches-in-advance-and-then-dos-other-signe.md) - [#38111 \[BC-High\] Attackers can send a very large event in a Stacks block so that the Signer can neve](https://reports.immunefi.com/stacks-i-attackathon/38111-bc-high-attackers-can-send-a-very-large-event-in-a-stacks-block-so-that-the-signer-can-never-g.md) - [#38477 \[BC-High\] A single signer can abort every attempted signing round by providing an invalid pac](https://reports.immunefi.com/stacks-i-attackathon/38477-bc-high-a-single-signer-can-abort-every-attempted-signing-round-by-providing-an-invalid-packet.md) - [#38460 \[BC-Low\] The coordinator can set a higher BTC tx fee than the current network to make users t](https://reports.immunefi.com/stacks-i-attackathon/38460-bc-low-the-coordinator-can-set-a-higher-btc-tx-fee-than-the-current-network-to-make-users-to-p.md) - [#37384 \[BC-Medium\] Attacker can front-run call to emily api with incorrect data, preventing legit us](https://reports.immunefi.com/stacks-i-attackathon/37384-bc-medium-attacker-can-front-run-call-to-emily-api-with-incorrect-data-preventing-legit-user-f.md) - [#38133 \[BC-Medium\] A rogue Signer can censor any deposit request from being processed and fullfilled](https://reports.immunefi.com/stacks-i-attackathon/38133-bc-medium-a-rogue-signer-can-censor-any-deposit-request-from-being-processed-and-fullfilled-on.md) - [#38053 \[BC-High\] A single signer can continuously prevent signatures from being finalized, halting n](https://reports.immunefi.com/stacks-i-attackathon/38053-bc-high-a-single-signer-can-continuously-prevent-signatures-from-being-finalized-halting-netwo.md) - [#38740 \[BC-High\] The missing check in Deposits::DepositScriptInputs::parse() permits losing funds by](https://reports.immunefi.com/stacks-i-attackathon/38740-bc-high-the-missing-check-in-deposits-depositscriptinputs-parse-permits-losing-funds-by-sendin.md) - [#38030 \[BC-Insight\] Coordinator can be crashed by signers on DKG](https://reports.immunefi.com/stacks-i-attackathon/38030-bc-insight-coordinator-can-be-crashed-by-signers-on-dkg.md) - [#38028 \[BC-Low\] There is a Partial Network Degradation Due to DynamoDB GSI Throttling Under High Tra](https://reports.immunefi.com/stacks-i-attackathon/38028-bc-low-there-is-a-partial-network-degradation-due-to-dynamodb-gsi-throttling-under-high-traffi.md) - [#38458 \[BC-Critical\] The coordinator can submit empty BTC transactions to drain BTC tokens in the mu](https://reports.immunefi.com/stacks-i-attackathon/38458-bc-critical-the-coordinator-can-submit-empty-btc-transactions-to-drain-btc-tokens-in-the-multi.md) - [#38671 \[BC-Insight\] Signer key rotation is not possible due to deadlock between submitting key rotat](https://reports.immunefi.com/stacks-i-attackathon/38671-bc-insight-signer-key-rotation-is-not-possible-due-to-deadlock-between-submitting-key-rotation.md) - [#38392 \[BC-High\] Signer can steal STX tokens in multi-sign wallet by setting a high stacks tx fee](https://reports.immunefi.com/stacks-i-attackathon/38392-bc-high-signer-can-steal-stx-tokens-in-multi-sign-wallet-by-setting-a-high-stacks-tx-fee.md) - [#37861 \[BC-Critical\] SBTC Signer WSTS implementation allows nonce replays such that a malicious sign](https://reports.immunefi.com/stacks-i-attackathon/37861-bc-critical-sbtc-signer-wsts-implementation-allows-nonce-replays-such-that-a-malicious-signer.md) - [#38605 \[BC-Low\] Lack of fee\_rate/last\_fees validation in handle\_bitcoin\_pre\_sign\_request ebables rog](https://reports.immunefi.com/stacks-i-attackathon/38605-bc-low-lack-of-fee_rate-last_fees-validation-in-handle_bitcoin_pre_sign_request-ebables-rogue.md) - [#38582 \[BC-High\] The \`BitcoinCoreClient::get\_tx\_info\` does not support coinbase transactions, which](https://reports.immunefi.com/stacks-i-attackathon/38582-bc-high-the-bitcoincoreclient-get_tx_info-does-not-support-coinbase-transactions-which-may-cau.md) - [#37814 \[BC-High\] Signers can crash other signers by sending an invalid \`DkgPrivateShares\` due to mis](https://reports.immunefi.com/stacks-i-attackathon/37814-bc-high-signers-can-crash-other-signers-by-sending-an-invalid-dkgprivateshares-due-to-missing.md) - [#37777 \[BC-Medium\] \`Emily.create\_deposit\` can overwrite any deposit to the Pending state](https://reports.immunefi.com/stacks-i-attackathon/37777-bc-medium-emily.create_deposit-can-overwrite-any-deposit-to-the-pending-state.md) - [#37811 \[BC-High\] Missing length check when parsing \`SignatureShareRequest\` in the signers allows the](https://reports.immunefi.com/stacks-i-attackathon/37811-bc-high-missing-length-check-when-parsing-signaturesharerequest-in-the-signers-allows-the-coor.md) - [#37718 \[BC-High\] Key rotations bricks the system due to incorrect \`aggregate\_key\` being used to spen](https://reports.immunefi.com/stacks-i-attackathon/37718-bc-high-key-rotations-bricks-the-system-due-to-incorrect-aggregate_key-being-used-to-spend-the.md) - [Lombard](https://reports.immunefi.com/lombard.md) - [#38012 \[SC-Insight\] Unused Function in CLAdapter Contract](https://reports.immunefi.com/lombard/38012-sc-insight-unused-function-in-cladapter-contract.md) - [#38066 \[SC-Medium\] \`ProxyFactory\` is vulnerable to DoS/Address Hijacking](https://reports.immunefi.com/lombard/38066-sc-medium-proxyfactory-is-vulnerable-to-dos-address-hijacking.md) - [#38102 \[SC-Insight\] Due to incorrect design in \`BasculeV2::validateWithdrawal\` valid transactions wi](https://reports.immunefi.com/lombard/38102-sc-insight-due-to-incorrect-design-in-basculev2-validatewithdrawal-valid-transactions-will-be.md) - [#38116 \[SC-Insight\] Partner vaults don't account for FireBridge fees, forcing LBTC burn to never wor](https://reports.immunefi.com/lombard/38116-sc-insight-partner-vaults-dont-account-for-firebridge-fees-forcing-lbtc-burn-to-never-work.md) - [#38137 \[SC-Low\] \`RateLimits\` library incorrectly reset the consumed amount when the limit is updated](https://reports.immunefi.com/lombard/38137-sc-low-ratelimits-library-incorrectly-reset-the-consumed-amount-when-the-limit-is-updated.md) - [#38148 \[SC-Insight\] Unnecessary Storage Pointer Declaration batchMintWithFee](https://reports.immunefi.com/lombard/38148-sc-insight-unnecessary-storage-pointer-declaration-batchmintwithfee.md) - [#38154 \[SC-Medium\] The offchain data provided to the CLAdapter isn’t properly validated and can be f](https://reports.immunefi.com/lombard/38154-sc-medium-the-offchain-data-provided-to-the-cladapter-isnt-properly-validated-and-can-be-from.md) - [#38189 \[SC-Insight\] Attacker can grief calls to \`lbtc.mintWithFee()\`](https://reports.immunefi.com/lombard/38189-sc-insight-attacker-can-grief-calls-to-lbtc.mintwithfee.md) - [#38231 \[SC-Low\] Due to incorrect design in \`Consortium::setNextValidatorSet\` the validator set could](https://reports.immunefi.com/lombard/38231-sc-low-due-to-incorrect-design-in-consortium-setnextvalidatorset-the-validator-set-could-not-b.md) - [#38225 \[SC-Insight\] user funds will get stuck if \`removeDestination\` executes before notarization an](https://reports.immunefi.com/lombard/38225-sc-insight-user-funds-will-get-stuck-if-removedestination-executes-before-notarization-and-wit.md) - [38286 \[SC-Low\] bitcoinutils getdustlimitforoutput calculate wrongly the dust limit for a given bitco](https://reports.immunefi.com/lombard/38286-sc-low-bitcoinutils-getdustlimitforoutput-calculate-wrongly-the-dust-limit-for-a-given-bitcoin.md) - [#38257 \[SC-Insight\] Freezing of msg.value passed in Bridge.deposit() if adapter is address zero](https://reports.immunefi.com/lombard/38257-sc-insight-freezing-of-msg.value-passed-in-bridge.deposit-if-adapter-is-address-zero.md) - [#38341 \[SC-Insight\] Suboptimal gas usage and ambiguous behavior during fee estimation](https://reports.immunefi.com/lombard/38341-sc-insight-suboptimal-gas-usage-and-ambiguous-behavior-during-fee-estimation.md) - [38335 \[SC-Medium\] attacker can exploit partnervault mint small amount to cause lbtc depeg or protoco](https://reports.immunefi.com/lombard/38335-sc-medium-attacker-can-exploit-partnervault-mint-small-amount-to-cause-lbtc-depeg-or-protocol.md) - [#38342 \[SC-Medium\] Interchanging \`offchainTokenData\` between two valid messages](https://reports.immunefi.com/lombard/38342-sc-medium-interchanging-offchaintokendata-between-two-valid-messages.md) - [#38363 \[SC-Medium\] LBTC cross-chain transfer can be DOSed](https://reports.immunefi.com/lombard/38363-sc-medium-lbtc-cross-chain-transfer-can-be-dosed.md) - [#38344 \[SC-Low\] Old validated messages can not pass proof check when new validators are set](https://reports.immunefi.com/lombard/38344-sc-low-old-validated-messages-can-not-pass-proof-check-when-new-validators-are-set.md) - [#38634 \[SC-Medium\] Insufficient validation on offchainTokenData in TokenPool.releaseOrMint allows CC](https://reports.immunefi.com/lombard/38634-sc-medium-insufficient-validation-on-offchaintokendata-in-tokenpool.releaseormint-allows-ccip.md) - [#38370 \[SC-Insight\] Issue Between Comment and Code in Consortium](https://reports.immunefi.com/lombard/38370-sc-insight-issue-between-comment-and-code-in-consortium.md) - [#38644 \[SC-Insight\] Q\&A](https://reports.immunefi.com/lombard/38644-sc-insight-q-and-a.md) - [Butter](https://reports.immunefi.com/butter.md) - [#39181 \[SC-Insight\] Bond Fund will be Lost When Question is Asked Again](https://reports.immunefi.com/butter/39181-sc-insight-bond-fund-will-be-lost-when-question-is-asked-again.md) - [#39153 \[SC-Insight\] Unauthorized Token Creation and Minting Vulnerability](https://reports.immunefi.com/butter/39153-sc-insight-unauthorized-token-creation-and-minting-vulnerability.md) - [#39243 \[SC-Insight\] Misleading Comment in merge Function Regarding Token Transfers to wrapped1155Fac](https://reports.immunefi.com/butter/39243-sc-insight-misleading-comment-in-merge-function-regarding-token-transfers-to-wrapped1155factor.md) - [#39271 \[SC-Insight\] Check \`numericAnswer\` before external call to check answer is valid or not](https://reports.immunefi.com/butter/39271-sc-insight-check-numericanswer-before-external-call-to-check-answer-is-valid-or-not.md) - [#39487 \[SC-Insight\] flatCfmImplementation and conditionalScalarMarketImplementation contracts can be](https://reports.immunefi.com/butter/39487-sc-insight-flatcfmimplementation-and-conditionalscalarmarketimplementation-contracts-can-be-in.md) - [39495 \[SC-Low\] flatcfm cannot be resolved in case answer of questionid are in greater or equal to 2](https://reports.immunefi.com/butter/39495-sc-low-flatcfm-cannot-be-resolved-in-case-answer-of-questionid-are-in-greater-or-equal-to-2-ou.md) - [#39528 \[SC-Insight\] Lack of Validation for Min and Max Values in FlatCFMFactory leads to wrong payou](https://reports.immunefi.com/butter/39528-sc-insight-lack-of-validation-for-min-and-max-values-in-flatcfmfactory-leads-to-wrong-payouts.md) - [#39524 \[SC-Insight\] Incorrect Outcome Formatting in Reality Adapter Leads to Wrong Number of Outcome](https://reports.immunefi.com/butter/39524-sc-insight-incorrect-outcome-formatting-in-reality-adapter-leads-to-wrong-number-of-outcomes.md) - [#39539 \[SC-Insight\] Insufficient validation of tokens when created in \`PlayCollateralTokenFactory::c](https://reports.immunefi.com/butter/39539-sc-insight-insufficient-validation-of-tokens-when-created-in-playcollateraltokenfactory-create.md) - [Zano IOP](https://reports.immunefi.com/zano-iop.md) - [#41027 \[BC-Insight\] Breaking asset surjection proof assumptions](https://reports.immunefi.com/zano-iop/41027-bc-insight-breaking-asset-surjection-proof-assumptions.md) - [#40530 \[W\&A-High\] JWT Salt Expiration isn't entirely correct in wallet\_rpc\_server::auth\_http\_request](https://reports.immunefi.com/zano-iop/40530-w-and-a-high-jwt-salt-expiration-isnt-entirely-correct-in-wallet_rpc_server-auth_http_request.md) - [#40990 \[BC-Insight\] Security best practices](https://reports.immunefi.com/zano-iop/40990-bc-insight-security-best-practices.md) - [#40970 \[BC-Insight\] Double spending by using 0-point stealth address and signature elements in CLSAG](https://reports.immunefi.com/zano-iop/40970-bc-insight-double-spending-by-using-0-point-stealth-address-and-signature-elements-in-clsag-gg.md) - [#40794 \[W\&A-Insight\] Unsecured Wallet Voting Configuration Allows Unauthorized Vote Manipulation Des](https://reports.immunefi.com/zano-iop/40794-w-and-a-insight-unsecured-wallet-voting-configuration-allows-unauthorized-vote-manipulation-de.md) - [Shardeum Ancillaries III](https://reports.immunefi.com/shardeum-ancillaries-iii.md) - [#39360 \[W\&A-Insight\] getRandomActiveNodes may return inconsistent results](https://reports.immunefi.com/shardeum-ancillaries-iii/39360-w-and-a-insight-getrandomactivenodes-may-return-inconsistent-results.md) - [#39993 \[W\&A-Low\] node-fetch without response limit](https://reports.immunefi.com/shardeum-ancillaries-iii/39993-w-and-a-low-node-fetch-without-response-limit.md) - [39829 \[W\&A-Critical\] dos archiver via data subscription channel due to broken safestringfy](https://reports.immunefi.com/shardeum-ancillaries-iii/39829-w-and-a-critical-dos-archiver-via-data-subscription-channel-due-to-broken-safestringfy.md) - [#40004 \[W\&A-Critical\] Multiple vulnerabilities in signature verification during receipt processing o](https://reports.immunefi.com/shardeum-ancillaries-iii/40004-w-and-a-critical-multiple-vulnerabilities-in-signature-verification-during-receipt-processing.md) - [#39942 \[W\&A-Medium\] Archiver is still vulnerable to replay attack to \`/set-config\`](https://reports.immunefi.com/shardeum-ancillaries-iii/39942-w-and-a-medium-archiver-is-still-vulnerable-to-replay-attack-to-set-config.md) - [#39980 \[W\&A-Critical\] Malicious validator can inject its own cycle record into connected archiver](https://reports.immunefi.com/shardeum-ancillaries-iii/39980-w-and-a-critical-malicious-validator-can-inject-its-own-cycle-record-into-connected-archiver.md) - [#39434 \[W\&A-Critical\] Improper serialization can create an out-of-memory (OOM) issue on the archive](https://reports.immunefi.com/shardeum-ancillaries-iii/39434-w-and-a-critical-improper-serialization-can-create-an-out-of-memory-oom-issue-on-the-archive-s.md) - [39944 \[W\&A-Insight\] incorrect default configuration leading to dead code](https://reports.immunefi.com/shardeum-ancillaries-iii/39944-w-and-a-insight-incorrect-default-configuration-leading-to-dead-code.md) - [39893 \[W\&A-Critical\] malicious validator can modify txid in global transactions](https://reports.immunefi.com/shardeum-ancillaries-iii/39893-w-and-a-critical-malicious-validator-can-modify-txid-in-global-transactions.md) - [#39910 \[W\&A-Medium\] Numerous replay attacks (with arbitrary data) to protected endpoints are possibl](https://reports.immunefi.com/shardeum-ancillaries-iii/39910-w-and-a-medium-numerous-replay-attacks-with-arbitrary-data-to-protected-endpoints-are-possible.md) - [39872 \[W\&A-Critical\] bypass receipt signing validation](https://reports.immunefi.com/shardeum-ancillaries-iii/39872-w-and-a-critical-bypass-receipt-signing-validation.md) - [#39814 \[W\&A-Low\] Prevent new validators from joining the network by a DOS of the archiver](https://reports.immunefi.com/shardeum-ancillaries-iii/39814-w-and-a-low-prevent-new-validators-from-joining-the-network-by-a-dos-of-the-archiver.md) - [#39284 \[W\&A-Medium\] Arbitrarily set any archiver config and remotely turning it off](https://reports.immunefi.com/shardeum-ancillaries-iii/39284-w-and-a-medium-arbitrarily-set-any-archiver-config-and-remotely-turning-it-off.md) - [#39109 \[W\&A-Insight\] syncStateDataGlobals will not work, effectively DoS'ing nodes](https://reports.immunefi.com/shardeum-ancillaries-iii/39109-w-and-a-insight-syncstatedataglobals-will-not-work-effectively-dosing-nodes.md) - [#39623 \[W\&A-Low\] Blocking the victim's account address from sending transactions via JSON-RPC](https://reports.immunefi.com/shardeum-ancillaries-iii/39623-w-and-a-low-blocking-the-victims-account-address-from-sending-transactions-via-json-rpc.md) - [39626 \[W\&A-Critical\] malicious validator can overwrite any cycle data](https://reports.immunefi.com/shardeum-ancillaries-iii/39626-w-and-a-critical-malicious-validator-can-overwrite-any-cycle-data.md) - [#39820 \[W\&A-Medium\] Blocking all users from interacting with particular contracts/protocols via JSON](https://reports.immunefi.com/shardeum-ancillaries-iii/39820-w-and-a-medium-blocking-all-users-from-interacting-with-particular-contracts-protocols-via-jso.md) - [Yeet](https://reports.immunefi.com/yeet.md) - [#41132 \[SC-Insight\] NFT Boost Lookup values not adhere to docs](https://reports.immunefi.com/yeet/41132-sc-insight-nft-boost-lookup-values-not-adhere-to-docs.md) - [#41145 \[SC-Insight\] Incorrect Inheritance of Ownership in \`Manager\` Contract Leading to Inconsistent Use of \`Ownable2Step\`](https://reports.immunefi.com/yeet/41145-sc-insight-incorrect-inheritance-of-ownership-in-manager-contract-leading-to-inconsistent-use.md) - [#41215 \[SC-Critical\] StakeV2: Inconsistencies in totalSupply computation, can lead to protocol insolvency](https://reports.immunefi.com/yeet/41215-sc-critical-stakev2-inconsistencies-in-totalsupply-computation-can-lead-to-protocol-insolvency.md) - [#41256 \[SC-Insight\] Contradictory Documentation and actual function](https://reports.immunefi.com/yeet/41256-sc-insight-contradictory-documentation-and-actual-function.md) - [#41272 \[SC-Insight\] Unnecessary precision loss due to division before multiplication in \`getDistribution()\`](https://reports.immunefi.com/yeet/41272-sc-insight-unnecessary-precision-loss-due-to-division-before-multiplication-in-getdistribution.md) - [#41270 \[SC-Medium\] Harvest timing exploit enables theft of unclaimed yield](https://reports.immunefi.com/yeet/41270-sc-medium-harvest-timing-exploit-enables-theft-of-unclaimed-yield.md) - [#41280 \[SC-High\] Permanent freezing of yield due to incorrect reward handling in \`StakeV2\` claim functions](https://reports.immunefi.com/yeet/41280-sc-high-permanent-freezing-of-yield-due-to-incorrect-reward-handling-in-stakev2-claim-function.md) - [#41283 \[SC-Low\] Contract fails to deliver promised returns, due to changed \`MAX\_CAP\_PER\_WALLET\_PER\_EPOCH\_FACTOR\`](https://reports.immunefi.com/yeet/41283-sc-low-contract-fails-to-deliver-promised-returns-due-to-changed-max_cap_per_wallet_per_epoch_.md) - [#41286 \[SC-Critical\] \`accumulatedDeptRewardsYeet()\` accounts for tokens under unstaking process](https://reports.immunefi.com/yeet/41286-sc-critical-accumulateddeptrewardsyeet-accounts-for-tokens-under-unstaking-process.md) - [#41289 \[SC-Critical\] StakeV2 Contract Insolvency Issue](https://reports.immunefi.com/yeet/41289-sc-critical-stakev2-contract-insolvency-issue.md) - [#41345 \[SC-Critical\] Calculation of accumulatedDeptRewardsYeet is incorrect lead to user lost of fund](https://reports.immunefi.com/yeet/41345-sc-critical-calculation-of-accumulateddeptrewardsyeet-is-incorrect-lead-to-user-lost-of-fund.md) - [41291 sc insight winner selection vulnerability in yeetback contract allows multiple reward for the same lucky winner](https://reports.immunefi.com/yeet/41291-sc-insight-winner-selection-vulnerability-in-yeetback-contract-allows-multiple-reward-for-the.md) - [#41359 \[SC-Insight\] Remove Manager of Address 0 is irrelevant and will never be reached](https://reports.immunefi.com/yeet/41359-sc-insight-remove-manager-of-address-0-is-irrelevant-and-will-never-be-reached.md) - [#41365 \[SC-Critical\] Vested tokens are counted as accumulated revenue](https://reports.immunefi.com/yeet/41365-sc-critical-vested-tokens-are-counted-as-accumulated-revenue.md) - [#41374 \[SC-Insight\] Incorrect NFT Boost Value in Lookup Array](https://reports.immunefi.com/yeet/41374-sc-insight-incorrect-nft-boost-value-in-lookup-array.md) - [#41377 \[SC-Low\] Retroactive Reward Cap Manipulation Allows Theft/Loss of Unclaimed Yield](https://reports.immunefi.com/yeet/41377-sc-low-retroactive-reward-cap-manipulation-allows-theft-loss-of-unclaimed-yield.md) - [#41419 \[SC-Insight\] Miscalculation of \`maxClaimable\` variable leads to users being able to claim too many or too few reward tokens](https://reports.immunefi.com/yeet/41419-sc-insight-miscalculation-of-maxclaimable-variable-leads-to-users-being-able-to-claim-too-many.md) - [#41432 \[SC-High\] Attacker can DoS \`StakeV2\`'s rewards distribution by repeatedly inflating Zapper's approval for whitelisted Kodiak Vault tokens](https://reports.immunefi.com/yeet/41432-sc-high-attacker-can-dos-stakev2-s-rewards-distribution-by-repeatedly-inflating-zappers-approv.md) - [#41456 \[SC-Critical\] \`executeRewardDistributionYeet\` will count user withdraws as rewards](https://reports.immunefi.com/yeet/41456-sc-critical-executerewarddistributionyeet-will-count-user-withdraws-as-rewards.md) - [#41487 \[SC-Critical\] Updates totalSupply before transferring the tokens which causes calculating more reward tokens](https://reports.immunefi.com/yeet/41487-sc-critical-updates-totalsupply-before-transferring-the-tokens-which-causes-calculating-more-r.md) - [#41488 \[SC-Insight\] In \`StakeV2.sol\` there exists a critical flaw that allows adversaries to earn more rewards than should be possible for a period of having staked minimal tokens.](https://reports.immunefi.com/yeet/41488-sc-insight-in-stakev2.sol-there-exists-a-critical-flaw-that-allows-adversaries-to-earn-more-re.md) - [#41492 \[SC-Insight\] Incorrect Reward Value Emitted in \`executeRewardDistributionYeet\` Function](https://reports.immunefi.com/yeet/41492-sc-insight-incorrect-reward-value-emitted-in-executerewarddistributionyeet-function.md) - [#41511 \[SC-Low\] The contract calculates the \`minimumYeetPoint\` using the Pot going to the winner instead of the whole Pot.](https://reports.immunefi.com/yeet/41511-sc-low-the-contract-calculates-the-minimumyeetpoint-using-the-pot-going-to-the-winner-instead.md) - [#41521 \[SC-Critical\] Unstaked tokens incorrectly counted as rewards during vesting period](https://reports.immunefi.com/yeet/41521-sc-critical-unstaked-tokens-incorrectly-counted-as-rewards-during-vesting-period.md) - [#41524 \[SC-Critical\] Incorrect Reward Calculation in accumulatedDeptRewardsYeet() Function Leads to Loss of User Funds During Vesting Period](https://reports.immunefi.com/yeet/41524-sc-critical-incorrect-reward-calculation-in-accumulateddeptrewardsyeet-function-leads-to-loss.md) - [#41526 \[SC-Medium\] MoneyBrinter::compound can be vulnerable to sandwich attacks](https://reports.immunefi.com/yeet/41526-sc-medium-moneybrinter-compound-can-be-vulnerable-to-sandwich-attacks.md) - [#41528 \[SC-High\] When claiming rewards in native Bera via \`StakeV2.claimRewardsInNative\`, excess \`token0Debt\` or/and \`token1Debt\` is not returned to the kodiak vault but stuck in \`StakeV2\` contract.](https://reports.immunefi.com/yeet/41528-sc-high-when-claiming-rewards-in-native-bera-via-stakev2.claimrewardsinnative-excess-token0deb.md) - [#41542 \[SC-Insight\] The 20% charged as a \`yeetback\` is not considered as part of \`addYeetVolume\` and \`boostedValue\`](https://reports.immunefi.com/yeet/41542-sc-insight-the-20-charged-as-a-yeetback-is-not-considered-as-part-of-addyeetvolume-and-boosted.md) - [#41549 \[SC-Critical\] users funds can get lost when the executeRewardDistributionYeet function invoked after users unstake](https://reports.immunefi.com/yeet/41549-sc-critical-users-funds-can-get-lost-when-the-executerewarddistributionyeet-function-invoked-a.md) - [#41570 \[SC-Insight\] Code Insights Report](https://reports.immunefi.com/yeet/41570-sc-insight-code-insights-report.md) - [#41559 \[SC-Critical\] Incorrect Calculation of Accumulated Rewards Due to Unstaked Tokens](https://reports.immunefi.com/yeet/41559-sc-critical-incorrect-calculation-of-accumulated-rewards-due-to-unstaked-tokens.md) - [#41624 \[SC-Medium\] Reward sandwich is possible in \`MoneyBrinter\` vault by frontrunning \`compound\`.](https://reports.immunefi.com/yeet/41624-sc-medium-reward-sandwich-is-possible-in-moneybrinter-vault-by-frontrunning-compound-..md) - [#41633 \[SC-High\] Users might lose some of the rewards they’re supposed to get.](https://reports.immunefi.com/yeet/41633-sc-high-users-might-lose-some-of-the-rewards-theyre-supposed-to-get..md) - [#41635 \[SC-Low\] MoneyBrinter contract is EIP-4626 incompliant](https://reports.immunefi.com/yeet/41635-sc-low-moneybrinter-contract-is-eip-4626-incompliant.md) - [#41639 \[SC-Insight\] Cross-Vault Reward Arbitrage in StakeV2 Allows Yield Theft](https://reports.immunefi.com/yeet/41639-sc-insight-cross-vault-reward-arbitrage-in-stakev2-allows-yield-theft.md) - [#41640 \[SC-High\] Stuck Rewards in StakeV2 Contract Due to Improper Handling of Leftover Tokens](https://reports.immunefi.com/yeet/41640-sc-high-stuck-rewards-in-stakev2-contract-due-to-improper-handling-of-leftover-tokens.md) - [#41638 \[SC-Medium\] Sandwich Attack on \`compound()\` Function Allows Value Extraction from Honest Depositors](https://reports.immunefi.com/yeet/41638-sc-medium-sandwich-attack-on-compound-function-allows-value-extraction-from-honest-depositors.md) - [#41644 \[SC-High\] \`\_clearUserDebt\` in zapOut function sends the remaining tokens to \`msg.sender\` instead of receiver.](https://reports.immunefi.com/yeet/41644-sc-high-_clearuserdebt-in-zapout-function-sends-the-remaining-tokens-to-msg.sender-instead-of.md) - [#41647 \[SC-High\] Unused tokens after zapping can be stuck and not entitled to users](https://reports.immunefi.com/yeet/41647-sc-high-unused-tokens-after-zapping-can-be-stuck-and-not-entitled-to-users.md) - [#41660 \[SC-Insight\] Yeet will be permanently DOSED if the entropyProvider runs out of randome numbers or gets blacklisted](https://reports.immunefi.com/yeet/41660-sc-insight-yeet-will-be-permanently-dosed-if-the-entropyprovider-runs-out-of-randome-numbers-o.md) - [#41659 \[SC-Insight\] Previous owner still hold manager role after ownership transfer](https://reports.immunefi.com/yeet/41659-sc-insight-previous-owner-still-hold-manager-role-after-ownership-transfer.md) - [#41664 \[SC-Low\] Users may receive fewer rewards due to the change in reward limits](https://reports.immunefi.com/yeet/41664-sc-low-users-may-receive-fewer-rewards-due-to-the-change-in-reward-limits.md) - [41672 sc insight permanent loss risk of user funds due to inflexible function design in claim ](https://reports.immunefi.com/yeet/41672-sc-insight-permanent-loss-risk-of-user-funds-due-to-inflexible-function-design-in-claim.md) - [#41682 \[SC-Insight\] Code can be optimized to use save a lot of gas.](https://reports.immunefi.com/yeet/41682-sc-insight-code-can-be-optimized-to-use-save-a-lot-of-gas..md) - [#41689 \[SC-Insight\] Blacklisting a Kodiak vault unintentionally whitelists a previously blacklisted token](https://reports.immunefi.com/yeet/41689-sc-insight-blacklisting-a-kodiak-vault-unintentionally-whitelists-a-previously-blacklisted-tok.md) - [#41688 \[SC-Insight\] Code can be optimized to to save a significant amount of gas.](https://reports.immunefi.com/yeet/41688-sc-insight-code-can-be-optimized-to-to-save-a-significant-amount-of-gas..md) - [#41695 \[SC-Critical\] StakeV2 leaks user tokens as rewards and eventually will become insolvent.](https://reports.immunefi.com/yeet/41695-sc-critical-stakev2-leaks-user-tokens-as-rewards-and-eventually-will-become-insolvent..md) - [#41699 \[SC-Insight\] Silent Transfer Failures in Native Token Handling](https://reports.immunefi.com/yeet/41699-sc-insight-silent-transfer-failures-in-native-token-handling.md) - [#41707 \[SC-Insight\] Code differs from documentation in \`Reward::getClaimableAmount\` function](https://reports.immunefi.com/yeet/41707-sc-insight-code-differs-from-documentation-in-reward-getclaimableamount-function.md) - [#41741 \[SC-Insight\] Improper Input Validation in zapInNative Leads to Theft of Residual Funds](https://reports.immunefi.com/yeet/41741-sc-insight-improper-input-validation-in-zapinnative-leads-to-theft-of-residual-funds.md) - [#41758 \[SC-Insight\] The code comment to \`BOOSTRAP\_PHASE\_DURATION\` is incorrect](https://reports.immunefi.com/yeet/41758-sc-insight-the-code-comment-to-boostrap_phase_duration-is-incorrect.md) - [#41765 \[SC-Insight\] Storage slots only set in constructor should be declared \`immutable\`](https://reports.immunefi.com/yeet/41765-sc-insight-storage-slots-only-set-in-constructor-should-be-declared-immutable.md) - [#41766 \[SC-Insight\] In \`Yeet.sol\`, storage slots only set in constructor should be declared \`immutable\`.](https://reports.immunefi.com/yeet/41766-sc-insight-in-yeet.sol-storage-slots-only-set-in-constructor-should-be-declared-immutable-..md) - [#41823 \[SC-Low\] Changing the reward settings has a retroactive impact](https://reports.immunefi.com/yeet/41823-sc-low-changing-the-reward-settings-has-a-retroactive-impact.md) - [#41788 \[SC-Medium\] Yield theft because of compound function design](https://reports.immunefi.com/yeet/41788-sc-medium-yield-theft-because-of-compound-function-design.md) - [#41841 \[SC-Low\] Risk of Reward Loss and Gain Manipulation Due to Untimely Claims and Reward Cap Adjustments](https://reports.immunefi.com/yeet/41841-sc-low-risk-of-reward-loss-and-gain-manipulation-due-to-untimely-claims-and-reward-cap-adjustm.md) - [#41831 \[SC-Critical\] Miscalculation of excess rewards via external token transfers leads to contract insolvency and incomplete withdrawals](https://reports.immunefi.com/yeet/41831-sc-critical-miscalculation-of-excess-rewards-via-external-token-transfers-leads-to-contract-in.md) - [#41873 \[SC-Insight\] Protocol fee loss due to incorrect fee calculation in MoneyBrinter.sol](https://reports.immunefi.com/yeet/41873-sc-insight-protocol-fee-loss-due-to-incorrect-fee-calculation-in-moneybrinter.sol.md) - [#41875 \[SC-High\] Permanent Lock of User Funds in StakeV2 Due to Incorrect token Debt Handling](https://reports.immunefi.com/yeet/41875-sc-high-permanent-lock-of-user-funds-in-stakev2-due-to-incorrect-token-debt-handling.md) - [#41876 \[SC-Insight\] User may receive boosted values which are non-concave](https://reports.immunefi.com/yeet/41876-sc-insight-user-may-receive-boosted-values-which-are-non-concave.md) - [#41885 \[SC-Insight\] Bypass token whitelist](https://reports.immunefi.com/yeet/41885-sc-insight-bypass-token-whitelist.md) - [#41890 \[SC-Insight\] MoneyBrinter vault does not consider Farm's staking cap](https://reports.immunefi.com/yeet/41890-sc-insight-moneybrinter-vault-does-not-consider-farms-staking-cap.md) - [#41886 \[SC-Low\] Full or Large WBERA reward collects can be blocked by small amounts](https://reports.immunefi.com/yeet/41886-sc-low-full-or-large-wbera-reward-collects-can-be-blocked-by-small-amounts.md) - [#41894 \[SC-Critical\] Incorrect calculation of deposited rewards yeet leads to Staker's not being able to get their staked amount back](https://reports.immunefi.com/yeet/41894-sc-critical-incorrect-calculation-of-deposited-rewards-yeet-leads-to-stakers-not-being-able-to.md) - [#41895 \[SC-Medium\] Potential loss of token0, token1 in the MoneyBrinter contract](https://reports.immunefi.com/yeet/41895-sc-medium-potential-loss-of-token0-token1-in-the-moneybrinter-contract.md) - [#41907 \[SC-High\] Unused debt is not send to Reward Claimer](https://reports.immunefi.com/yeet/41907-sc-high-unused-debt-is-not-send-to-reward-claimer.md) - [#41911 \[SC-Critical\] Unstake amount can be zapped before user withdrawal](https://reports.immunefi.com/yeet/41911-sc-critical-unstake-amount-can-be-zapped-before-user-withdrawal.md) - [#41938 \[SC-Critical\] Unstake process manipulation and reward distribution vulnerability](https://reports.immunefi.com/yeet/41938-sc-critical-unstake-process-manipulation-and-reward-distribution-vulnerability.md) - [#41949 \[SC-Insight\] Optimize StakeV2::startUnstake with \`unchecked\` block to reduce gas costs](https://reports.immunefi.com/yeet/41949-sc-insight-optimize-stakev2-startunstake-with-unchecked-block-to-reduce-gas-costs.md) - [#41952 \[SC-Insight\] Reduce storage costs by eliminating stakedTimes in StakeV2::startUnstake](https://reports.immunefi.com/yeet/41952-sc-insight-reduce-storage-costs-by-eliminating-stakedtimes-in-stakev2-startunstake.md) - [#41974 \[SC-Critical\] Reducing \`totalSupply\` in \`startUnstake\` leads to protocol insolvency](https://reports.immunefi.com/yeet/41974-sc-critical-reducing-totalsupply-in-startunstake-leads-to-protocol-insolvency.md) - [#41981 \[SC-Critical\] Loss of user funds during unstaking, while under the lockup period](https://reports.immunefi.com/yeet/41981-sc-critical-loss-of-user-funds-during-unstaking-while-under-the-lockup-period.md) - [#42008 \[SC-Low\] Incorrect Application of MAX\_CAP\_PER\_WALLET\_PER\_EPOCH\_FACTOR on Historical Epochs](https://reports.immunefi.com/yeet/42008-sc-low-incorrect-application-of-max_cap_per_wallet_per_epoch_factor-on-historical-epochs.md) - [#42020 \[SC-Critical\] Inaccurate calculation in \`accumulatedDeptRewardsYeet()\` causes double counting of vesting tokens as excess, leading to permanent loss of user funds](https://reports.immunefi.com/yeet/42020-sc-critical-inaccurate-calculation-in-accumulateddeptrewardsyeet-causes-double-counting-of-ves.md) - [#42033 \[SC-Insight\] MoneyBrinter contract does not consider farm's pausing status](https://reports.immunefi.com/yeet/42033-sc-insight-moneybrinter-contract-does-not-consider-farms-pausing-status.md) - [#42039 \[SC-High\] When calling \`StakeV2::claimRewardsInNative()\` surplus $YEET are send to the StakeV2 contract instead of the user](https://reports.immunefi.com/yeet/42039-sc-high-when-calling-stakev2-claimrewardsinnative-surplus-usdyeet-are-send-to-the-stakev2-cont.md) - [#42113 \[SC-High\] yeetOut function in Zapper.sol sends tokens back to StakeV2 contract instead of user](https://reports.immunefi.com/yeet/42113-sc-high-yeetout-function-in-zapper.sol-sends-tokens-back-to-stakev2-contract-instead-of-user.md) - [#42123 \[SC-Critical\] Insufficient Token Reservation in \`startUnstake\` Leads to Permanent Freezing of Vested Funds](https://reports.immunefi.com/yeet/42123-sc-critical-insufficient-token-reservation-in-startunstake-leads-to-permanent-freezing-of-vest.md) - [#42127 \[SC-Insight\] Redundant Fee Calculation in addYeetback() function](https://reports.immunefi.com/yeet/42127-sc-insight-redundant-fee-calculation-in-addyeetback-function.md) - [#42152 \[SC-Critical\] \`StakeV2::accumulatedDeptRewardsYeet\` fails to account for pending vesting withdrawals which could cause contract insolvency](https://reports.immunefi.com/yeet/42152-sc-critical-stakev2-accumulateddeptrewardsyeet-fails-to-account-for-pending-vesting-withdrawal.md) - [#42158 \[SC-High\] Users can DoS \`Zapper::zapIn\` functionality for a token](https://reports.immunefi.com/yeet/42158-sc-high-users-can-dos-zapper-zapin-functionality-for-a-token.md) - [#42166 \[SC-Low\] Modification of MAX\_CAP\_PER\_WALLET\_PER\_EPOCH\_FACTOR Leads to Unjust Loss of Promised Rewards for Users](https://reports.immunefi.com/yeet/42166-sc-low-modification-of-max_cap_per_wallet_per_epoch_factor-leads-to-unjust-loss-of-promised-re.md) - [#42189 \[SC-High\] User rewards incorrectly transferred to \`StakeV2\` instead of claimant](https://reports.immunefi.com/yeet/42189-sc-high-user-rewards-incorrectly-transferred-to-stakev2-instead-of-claimant.md) - [#42214 \[SC-High\] Leftover \`WBERA\` and \`YEET\` sent to \`StakeV2\` instead of to user who is claiming rewards](https://reports.immunefi.com/yeet/42214-sc-high-leftover-wbera-and-yeet-sent-to-stakev2-instead-of-to-user-who-is-claiming-rewards.md) - [42292 sc high zapper wrong convertion of assets in zapout functions leads to partial loss of staking rewards](https://reports.immunefi.com/yeet/42292-sc-high-zapper-wrong-convertion-of-assets-in-zapout-functions-leads-to-partial-loss-of-staking.md) - [#42333 \[SC-Medium\] compound MoneyBrinter.sol can be sandwiched to extract value from other depositors](https://reports.immunefi.com/yeet/42333-sc-medium-compound-moneybrinter.sol-can-be-sandwiched-to-extract-value-from-other-depositors.md) - [#42345 \[SC-Critical\] Theft of User Funds in executeRewardDistributionYeet During Vesting Period](https://reports.immunefi.com/yeet/42345-sc-critical-theft-of-user-funds-in-executerewarddistributionyeet-during-vesting-period.md) - [#42351 \[SC-Insight\] Yeetback complex rewards system](https://reports.immunefi.com/yeet/42351-sc-insight-yeetback-complex-rewards-system.md) - [#42355 \[SC-Medium\] Compounding can be sandwich attacked](https://reports.immunefi.com/yeet/42355-sc-medium-compounding-can-be-sandwich-attacked.md) - [#42382 \[SC-Critical\] Calling \`StakeV2::executeRewardDistributionYeet\` by manager during an ongoing unstaking period for stakers can result in them being unable to unstake permanently](https://reports.immunefi.com/yeet/42382-sc-critical-calling-stakev2-executerewarddistributionyeet-by-manager-during-an-ongoing-unstaki.md) - [#42388 \[SC-Insight\] Discrepancy between number of Yeetback winners in contract and documentation](https://reports.immunefi.com/yeet/42388-sc-insight-discrepancy-between-number-of-yeetback-winners-in-contract-and-documentation.md) - [#42407 \[SC-Low\] Updating MAX\_CAP\_PER\_WALLET\_PER\_EPOCH\_FACTOR impacts unclaimed rewards of past epochs](https://reports.immunefi.com/yeet/42407-sc-low-updating-max_cap_per_wallet_per_epoch_factor-impacts-unclaimed-rewards-of-past-epochs.md) - [42439 sc insight insight report for stakev2 contract](https://reports.immunefi.com/yeet/42439-sc-insight-insight-report-for-stakev2-contract.md) - [#42443 \[SC-Critical\] Vested \`$YEET\` are susceptible of being impossible to unstake](https://reports.immunefi.com/yeet/42443-sc-critical-vested-usdyeet-are-susceptible-of-being-impossible-to-unstake.md) - [#42462 \[SC-Low\] Potential loss of unclaimed rewards due to updating setting \`MAX\_CAP\_PER\_WALLET\_PER\_EPOCH\_FACTOR\`](https://reports.immunefi.com/yeet/42462-sc-low-potential-loss-of-unclaimed-rewards-due-to-updating-setting-max_cap_per_wallet_per_epoc.md) - [#42487 \[SC-Insight\] Redundant Slippage Check in \`compound\` Function](https://reports.immunefi.com/yeet/42487-sc-insight-redundant-slippage-check-in-compound-function.md) - [#42469 \[SC-Critical\] Incorrect computation of excess rewards leads to permanent freezing of user funds](https://reports.immunefi.com/yeet/42469-sc-critical-incorrect-computation-of-excess-rewards-leads-to-permanent-freezing-of-user-funds.md) - [#42518 \[SC-Critical\] Incorrect handling of total staked funds will lead to protocol insolvency](https://reports.immunefi.com/yeet/42518-sc-critical-incorrect-handling-of-total-staked-funds-will-lead-to-protocol-insolvency.md) - [#42525 \[SC-High\] Misallocation of leftover token1 in StakeV2.claimRewardsInToken0](https://reports.immunefi.com/yeet/42525-sc-high-misallocation-of-leftover-token1-in-stakev2.claimrewardsintoken0.md) - [#42527 \[SC-Critical\] Critical Balance/Supply Desynchronization Leading to Protocol Insolvency and Loss of User Funds](https://reports.immunefi.com/yeet/42527-sc-critical-critical-balance-supply-desynchronization-leading-to-protocol-insolvency-and-loss.md) - [#42532 \[SC-High\] Compound function in MoneyBrinter can lead to loss of yield](https://reports.immunefi.com/yeet/42532-sc-high-compound-function-in-moneybrinter-can-lead-to-loss-of-yield.md) - [#42538 \[SC-Insight\] Incorrect value in events emitted in StakeV2](https://reports.immunefi.com/yeet/42538-sc-insight-incorrect-value-in-events-emitted-in-stakev2.md) - [#42539 \[SC-Low\] Incorrect \`maxWithdraw()\` returns lead to user failed withdrawals of returned maximum amount](https://reports.immunefi.com/yeet/42539-sc-low-incorrect-maxwithdraw-returns-lead-to-user-failed-withdrawals-of-returned-maximum-amoun.md) - [#42548 \[SC-High\] Remaining token0 and token1 sent from Zapper to StakeV2 will be permanently locked in StakeV2 forever.](https://reports.immunefi.com/yeet/42548-sc-high-remaining-token0-and-token1-sent-from-zapper-to-stakev2-will-be-permanently-locked-in.md) - [#42553 \[SC-Medium\] Sandwich attack on \`MoneyBrinter\_compound\` allows extracting rewards intended for LPs](https://reports.immunefi.com/yeet/42553-sc-medium-sandwich-attack-on-moneybrinter_compound-allows-extracting-rewards-intended-for-lps.md) - [#42598 \[SC-High\] When claiming rewards from \`StakeV2\` left-over debt is sent to \`StakeV2\` instead of the user](https://reports.immunefi.com/yeet/42598-sc-high-when-claiming-rewards-from-stakev2-left-over-debt-is-sent-to-stakev2-instead-of-the-us.md) - [#42581 \[SC-Critical\] Miscalculated Balances Lead to Protocol Insolvency](https://reports.immunefi.com/yeet/42581-sc-critical-miscalculated-balances-lead-to-protocol-insolvency.md) - [#42602 \[SC-Medium\] Some of the Compounded Reward Island token can be stolen by sandwiching the compound() function call](https://reports.immunefi.com/yeet/42602-sc-medium-some-of-the-compounded-reward-island-token-can-be-stolen-by-sandwiching-the-compound.md) - [#42623 \[SC-Critical\] Potential Loss of Staked Tokens During Unstaking, Incorrect calculation of excess tokens in\`accumulatedDeptRewardsYeet\`](https://reports.immunefi.com/yeet/42623-sc-critical-potential-loss-of-staked-tokens-during-unstaking-incorrect-calculation-of-excess-t.md) - [#42604 \[SC-Low\] \`MoneyBrinter\` vault does not conform to ERC4626](https://reports.immunefi.com/yeet/42604-sc-low-moneybrinter-vault-does-not-conform-to-erc4626.md) - [#42637 \[SC-Insight\] When there is sufficient liquidity for executing reward distribution, token swapping should be skipped to avoid slippage loss](https://reports.immunefi.com/yeet/42637-sc-insight-when-there-is-sufficient-liquidity-for-executing-reward-distribution-token-swapping.md) - [#42682 \[SC-Critical\] Loss of funds during the reward distribution in executeRewardDistributionYeet() of StakeV2 contract](https://reports.immunefi.com/yeet/42682-sc-critical-loss-of-funds-during-the-reward-distribution-in-executerewarddistributionyeet-of-s.md) - [#42710 \[SC-Medium\] Modulo opation introduces bias during the winning yeet calculation](https://reports.immunefi.com/yeet/42710-sc-medium-modulo-opation-introduces-bias-during-the-winning-yeet-calculation.md) - [#42718 \[SC-High\] zapOut methods in zapper contract incorrectly use \_msgSender() instead of receiver when sending back remainder tokens](https://reports.immunefi.com/yeet/42718-sc-high-zapout-methods-in-zapper-contract-incorrectly-use-_msgsender-instead-of-receiver-when.md) - [#42711 \[SC-Insight\] Incorrect Index Handling in \`unstake\` and \`rageQuit\` Leading to Potential Fund Loss](https://reports.immunefi.com/yeet/42711-sc-insight-incorrect-index-handling-in-unstake-and-ragequit-leading-to-potential-fund-loss.md) - [#42723 \[SC-Critical\] Unstaked Tokens Included in Excess Reward Calculation Can Cause DoS for Unstaking Users](https://reports.immunefi.com/yeet/42723-sc-critical-unstaked-tokens-included-in-excess-reward-calculation-can-cause-dos-for-unstaking.md) - [#42725 \[SC-Critical\] startUnstake() Reduces Total Supply, but StakingToken Balance in contract Remains Constant, Leading to Inflated accumulatedDeptRewardsYeet()](https://reports.immunefi.com/yeet/42725-sc-critical-startunstake-reduces-total-supply-but-stakingtoken-balance-in-contract-remains-con.md) - [#42732 \[SC-High\] Incomplete token return whena user claim his rewards leads to rewards fund loss](https://reports.immunefi.com/yeet/42732-sc-high-incomplete-token-return-whena-user-claim-his-rewards-leads-to-rewards-fund-loss.md) - [Shardeum Core III](https://reports.immunefi.com/shardeum-core-iii.md) - [#39811 \[BC-Critical\] inducing large memory allocation via join endpoint](https://reports.immunefi.com/shardeum-core-iii/39811-bc-critical-inducing-large-memory-allocation-via-join-endpoint.md) - [#39873 \[BC-Critical\] Lack of validation of node activation time in \`InitRewardTimes\` allows to steal rewards](https://reports.immunefi.com/shardeum-core-iii/39873-bc-critical-lack-of-validation-of-node-activation-time-in-initrewardtimes-allows-to-steal-rewa.md) - [#39921 \[BC-Critical\] accountDeserializer isn't type safe](https://reports.immunefi.com/shardeum-core-iii/39921-bc-critical-accountdeserializer-isnt-type-safe.md) - [#39913 \[BC-Medium\] No rate Limiting in resource-intensive endpoint](https://reports.immunefi.com/shardeum-core-iii/39913-bc-medium-no-rate-limiting-in-resource-intensive-endpoint.md) - [#39885 \[BC-Critical\] Signature forgery on behalf of network nodes using binary\_sign\_app\_data endpoint](https://reports.immunefi.com/shardeum-core-iii/39885-bc-critical-signature-forgery-on-behalf-of-network-nodes-using-binary_sign_app_data-endpoint.md) - [#39871 \[BC-Critical\] Lack of consensus voting in best cycle calculation allows a malicious validator to fake cycle data and crash all nodes](https://reports.immunefi.com/shardeum-core-iii/39871-bc-critical-lack-of-consensus-voting-in-best-cycle-calculation-allows-a-malicious-validator-to.md) - [#39876 \[BC-Critical\] Receiving rewards multiple times for the same period](https://reports.immunefi.com/shardeum-core-iii/39876-bc-critical-receiving-rewards-multiple-times-for-the-same-period.md) - [#39838 \[BC-Critical\] Bypass certificate signing validation by double counting signatures due to signature malleability](https://reports.immunefi.com/shardeum-core-iii/39838-bc-critical-bypass-certificate-signing-validation-by-double-counting-signatures-due-to-signatu.md) - [#39813 \[BC-Critical\] Bypass \`SetCertTime\` transaction signature check #2](https://reports.immunefi.com/shardeum-core-iii/39813-bc-critical-bypass-setcerttime-transaction-signature-check-2.md) - [#39791 \[BC-Critical\] Filling the queue with "setCertTime" stop the network from processing new transactions](https://reports.immunefi.com/shardeum-core-iii/39791-bc-critical-filling-the-queue-with-setcerttime-stop-the-network-from-processing-new-transactio.md) - [#39103 \[BC-Insight\] Unchecked data size in "getStakeTxBlobFromEVMTx()" can use lots of CPU resources](https://reports.immunefi.com/shardeum-core-iii/39103-bc-insight-unchecked-data-size-in-getstaketxblobfromevmtx-can-use-lots-of-cpu-resources.md) - [#39679 \[BC-Critical\] bypass certificate signing validation by double counting signatures](https://reports.immunefi.com/shardeum-core-iii/39679-bc-critical-bypass-certificate-signing-validation-by-double-counting-signatures.md) - [#39678 \[BC-Critical\] Bypass certificate signing validation by double counting signatures due to capitalization](https://reports.immunefi.com/shardeum-core-iii/39678-bc-critical-bypass-certificate-signing-validation-by-double-counting-signatures-due-to-capital.md) - [#39675 \[BC-Critical\] Reward Exploitation via Unvalidated Node Status in "initRewardTX"](https://reports.immunefi.com/shardeum-core-iii/39675-bc-critical-reward-exploitation-via-unvalidated-node-status-in-initrewardtx.md) - [#39164 \[BC-Insight\] service point exhaustion](https://reports.immunefi.com/shardeum-core-iii/39164-bc-insight-service-point-exhaustion.md) - [#39875 \[BC-Critical\] Lack of validation of node deactivation time in \`ClaimRewards\` allows to steal rewards](https://reports.immunefi.com/shardeum-core-iii/39875-bc-critical-lack-of-validation-of-node-deactivation-time-in-claimrewards-allows-to-steal-rewar.md) - [#39027 \[BC-Insight\] abusive join request handler node](https://reports.immunefi.com/shardeum-core-iii/39027-bc-insight-abusive-join-request-handler-node.md) - [#39149 \[BC-High\] EIP-2930 transactions with 20k-address overload the nodes and force the network into "safety" mode](https://reports.immunefi.com/shardeum-core-iii/39149-bc-high-eip-2930-transactions-with-20k-address-overload-the-nodes-and-force-the-network-into-s.md) - [#39850 \[BC-Medium\] Bypass TransferFromSecureAccount transaction validations](https://reports.immunefi.com/shardeum-core-iii/39850-bc-medium-bypass-transferfromsecureaccount-transaction-validations.md) - [#39364 \[BC-Critical\] Trusting heavily on "appData" enables infinite SHM duplication through double-spend exploit](https://reports.immunefi.com/shardeum-core-iii/39364-bc-critical-trusting-heavily-on-appdata-enables-infinite-shm-duplication-through-double-spend.md) - [#39882 \[BC-Insight\] data unsubscribe same node replay](https://reports.immunefi.com/shardeum-core-iii/39882-bc-insight-data-unsubscribe-same-node-replay.md) - [#39812 \[BC-Critical\] Bypass \`SetCertTime\` transaction signature check #1](https://reports.immunefi.com/shardeum-core-iii/39812-bc-critical-bypass-setcerttime-transaction-signature-check-1.md) - [#39507 \[BC-Critical\] Insufficient validation on ClaimReward transaction allows attacker to claim an inflated reward OR prevent all nodes from being rewarded](https://reports.immunefi.com/shardeum-core-iii/39507-bc-critical-insufficient-validation-on-claimreward-transaction-allows-attacker-to-claim-an-inf.md) - [#39355 \[BC-Critical\] tricking legit node to sign their own apoptosis request payload](https://reports.immunefi.com/shardeum-core-iii/39355-bc-critical-tricking-legit-node-to-sign-their-own-apoptosis-request-payload.md) - [#39994 \[BC-Critical\] Tricking nodes into signing nearly-arbitrary data](https://reports.immunefi.com/shardeum-core-iii/39994-bc-critical-tricking-nodes-into-signing-nearly-arbitrary-data.md) - [#40005 \[BC-Critical\] removal of node out of network via remove by app gossip and signature](https://reports.immunefi.com/shardeum-core-iii/40005-bc-critical-removal-of-node-out-of-network-via-remove-by-app-gossip-and-signature.md) - [#39973 \[BC-Critical\] Standard node rewarding flow can be blocked](https://reports.immunefi.com/shardeum-core-iii/39973-bc-critical-standard-node-rewarding-flow-can-be-blocked.md) - [#40000 \[BC-Critical\] Improper input validation in fixDeserializedWrappedEVMAccount leads to DOS and total network shutdown](https://reports.immunefi.com/shardeum-core-iii/40000-bc-critical-improper-input-validation-in-fixdeserializedwrappedevmaccount-leads-to-dos-and-tot.md) - [#39511 \[BC-Critical\] malicious node can drain balance of other node s nominator evm address](https://reports.immunefi.com/shardeum-core-iii/39511-bc-critical-malicious-node-can-drain-balance-of-other-node-s-nominator-evm-address.md) - [#39463 \[BC-Insight\] \`multiSendWithHeader\` and \`sendWithHeader\` have JSON injection vulnerability](https://reports.immunefi.com/shardeum-core-iii/39463-bc-insight-multisendwithheader-and-sendwithheader-have-json-injection-vulnerability.md) - [#39465 \[BC-Critical\] Lack of authorization on InitClaimReward transaction allows attacker to prevent all nodes from being rewarded](https://reports.immunefi.com/shardeum-core-iii/39465-bc-critical-lack-of-authorization-on-initclaimreward-transaction-allows-attacker-to-prevent-al.md) - [#39395 \[BC-Medium\] got.get without response limit](https://reports.immunefi.com/shardeum-core-iii/39395-bc-medium-got.get-without-response-limit.md) - [#39752 \[BC-Insight\] There is an issue related to incorrect version parsing and comparison logic lead to incorrect node validation,](https://reports.immunefi.com/shardeum-core-iii/39752-bc-insight-there-is-an-issue-related-to-incorrect-version-parsing-and-comparison-logic-lead-to.md) - [#39191 \[BC-Critical\] JoinRoute: Attacker reachable input serialization](https://reports.immunefi.com/shardeum-core-iii/39191-bc-critical-joinroute-attacker-reachable-input-serialization.md) - [#39979 \[BC-Critical\] Total network shutdown via fixDeserializedWrappedEVMAccount call through binary\_repair\_oos\_accounts endpoint](https://reports.immunefi.com/shardeum-core-iii/39979-bc-critical-total-network-shutdown-via-fixdeserializedwrappedevmaccount-call-through-binary_re.md) - [#40007 \[BC-Critical\] Drain node staking account due to improper validation of SetCertTime internal transaction](https://reports.immunefi.com/shardeum-core-iii/40007-bc-critical-drain-node-staking-account-due-to-improper-validation-of-setcerttime-internal-tran.md) - [Ethereum Protocol | Attackathon](https://reports.immunefi.com/ethereum-protocol-or-attackathon.md) - [#38146 \[BC-Medium\] nimbus-eth2 remote crash](https://reports.immunefi.com/ethereum-protocol-or-attackathon/38146-bc-medium-nimbus-eth2-remote-crash.md) - [#37577 \[BC-Insight\] \`tx.origin\` Usage in Group Management Contract Allows Phishing Attack for Unauthorized Actions](https://reports.immunefi.com/ethereum-protocol-or-attackathon/37577-bc-insight-tx.origin-usage-in-group-management-contract-allows-phishing-attack-for-unauthorize.md) - [#38318 \[BC-Low\] nimbus-eth2: Gossipsub misconfiguration allows malicious peers gossip malformed data without penalization](https://reports.immunefi.com/ethereum-protocol-or-attackathon/38318-bc-low-nimbus-eth2-gossipsub-misconfiguration-allows-malicious-peers-gossip-malformed-data-wit.md) - [#38693 \[SC-Insight\] BytesM to Bytes conversion does not match the reference implementation](https://reports.immunefi.com/ethereum-protocol-or-attackathon/38693-sc-insight-bytesm-to-bytes-conversion-does-not-match-the-reference-implementation.md) - [#38278 \[BC-Low\] Potential DoS to Mempool Due to Missing Gas Limit Check](https://reports.immunefi.com/ethereum-protocol-or-attackathon/38278-bc-low-potential-dos-to-mempool-due-to-missing-gas-limit-check.md) - [#37153 \[BC-Insight\] Malicious validator can bring down honest nodes](https://reports.immunefi.com/ethereum-protocol-or-attackathon/37153-bc-insight-malicious-validator-can-bring-down-honest-nodes.md) - [#37594 \[SC-Insight\] Nimbus incorrectly rejects non-minimally encoded snappy data length's due to spec. ambiguity](https://reports.immunefi.com/ethereum-protocol-or-attackathon/37594-sc-insight-nimbus-incorrectly-rejects-non-minimally-encoded-snappy-data-lengths-due-to-spec.-a.md) - [#38319 \[BC-Insight\] Edge case difference for GETH and NETHERMIND when calculating memory expansion gas](https://reports.immunefi.com/ethereum-protocol-or-attackathon/38319-bc-insight-edge-case-difference-for-geth-and-nethermind-when-calculating-memory-expansion-gas.md) - [#37186 \[BC-Insight\] Missing Validation for Fixed-Size bytes Types in ABI Parsing](https://reports.immunefi.com/ethereum-protocol-or-attackathon/37186-bc-insight-missing-validation-for-fixed-size-bytes-types-in-abi-parsing.md) - [#38015 \[BC-Insight\] Violation of EIP-2681 in Create Transaction](https://reports.immunefi.com/ethereum-protocol-or-attackathon/38015-bc-insight-violation-of-eip-2681-in-create-transaction.md) - [#38948 \[BC-Low\] lighthouse remote DoS](https://reports.immunefi.com/ethereum-protocol-or-attackathon/38948-bc-low-lighthouse-remote-dos.md) - [#37104 \[BC-Insight\] Reth RPC is vulnerable to DNS rebinding attacks](https://reports.immunefi.com/ethereum-protocol-or-attackathon/37104-bc-insight-reth-rpc-is-vulnerable-to-dns-rebinding-attacks.md) - [#37350 \[BC-Insight\] \`null\` Is Not Unmarshalled Correctly Into json.RawMessage](https://reports.immunefi.com/ethereum-protocol-or-attackathon/37350-bc-insight-null-is-not-unmarshalled-correctly-into-json.rawmessage.md) - [#37210 \[BC-Insight\] Missing Check of HTTP Batch Response Length](https://reports.immunefi.com/ethereum-protocol-or-attackathon/37210-bc-insight-missing-check-of-http-batch-response-length.md) - [#38902 \[BC-Low\] No check on the maximum size of the encoded ENR on ENR\_RESPONSE packet](https://reports.immunefi.com/ethereum-protocol-or-attackathon/38902-bc-low-no-check-on-the-maximum-size-of-the-encoded-enr-on-enr_response-packet.md) - [#38581 \[SC-Insight\] Incorrect unwrap on Bytes and String](https://reports.immunefi.com/ethereum-protocol-or-attackathon/38581-sc-insight-incorrect-unwrap-on-bytes-and-string.md) - [#38427 \[BC-Low\] Discrepancy in Intrinsic Gas Calculation between Txpool and EVM Execution](https://reports.immunefi.com/ethereum-protocol-or-attackathon/38427-bc-low-discrepancy-in-intrinsic-gas-calculation-between-txpool-and-evm-execution.md) - [#37584 \[SC-Insight\] Nonpayable Not Respected For Internal Function](https://reports.immunefi.com/ethereum-protocol-or-attackathon/37584-sc-insight-nonpayable-not-respected-for-internal-function.md) - [#38557 \[BC-Insight\] Function \`IsPush()\` Misses Opcode PUSH0](https://reports.immunefi.com/ethereum-protocol-or-attackathon/38557-bc-insight-function-ispush-misses-opcode-push0.md) - [#37148 \[BC-Insight\] \`wantedPeerDials()\` branch will never be executed](https://reports.immunefi.com/ethereum-protocol-or-attackathon/37148-bc-insight-wantedpeerdials-branch-will-never-be-executed.md) - [#38920 \[BC-Medium\] teku remote DoS](https://reports.immunefi.com/ethereum-protocol-or-attackathon/38920-bc-medium-teku-remote-dos.md) - [#38733 \[BC-Medium\] nibmus-eth2 remote crash](https://reports.immunefi.com/ethereum-protocol-or-attackathon/38733-bc-medium-nibmus-eth2-remote-crash.md) - [#37634 \[SC-Low\] Incorrect Builtin ERC4626 Call Signature](https://reports.immunefi.com/ethereum-protocol-or-attackathon/37634-sc-low-incorrect-builtin-erc4626-call-signature.md) - [#37246 \[BC-Low\] lodestar snappy checksum issue](https://reports.immunefi.com/ethereum-protocol-or-attackathon/37246-bc-low-lodestar-snappy-checksum-issue.md) - [#37286 \[SC-Insight\] Elimination of Security Checks in ForkCreator Class](https://reports.immunefi.com/ethereum-protocol-or-attackathon/37286-sc-insight-elimination-of-security-checks-in-forkcreator-class.md) - [#38459 \[BC-Low\] erigon remote DoS](https://reports.immunefi.com/ethereum-protocol-or-attackathon/38459-bc-low-erigon-remote-dos.md) - [#37113 \[BC-Low\] https://github.com/erigontech/erigon ), though it does not seem to be exploitable at](https://reports.immunefi.com/ethereum-protocol-or-attackathon/37113-bc-low-https-github.com-erigontech-erigon-though-it-does-not-seem-to-be-exploitable-at.md) - [#38682 \[SC-Medium\] AugAssign evaluation order causing OOB write within the object](https://reports.immunefi.com/ethereum-protocol-or-attackathon/38682-sc-medium-augassign-evaluation-order-causing-oob-write-within-the-object.md) - [#38828 \[BC-Low\] Decode RLP of Legacy Transaction Allows Tailing Bytes](https://reports.immunefi.com/ethereum-protocol-or-attackathon/38828-bc-low-decode-rlp-of-legacy-transaction-allows-tailing-bytes.md) - [#39018 \[BC-Insight\] Rate Limiting Under-Specification and Consequences](https://reports.immunefi.com/ethereum-protocol-or-attackathon/39018-bc-insight-rate-limiting-under-specification-and-consequences.md) - [#38292 \[SC-Medium\] Incorrect Sqrt Calculation Result](https://reports.immunefi.com/ethereum-protocol-or-attackathon/38292-sc-medium-incorrect-sqrt-calculation-result.md) - [#38958 \[BC-Low\] EELS cant handle overflow gas calculation in modexp precompile](https://reports.immunefi.com/ethereum-protocol-or-attackathon/38958-bc-low-eels-cant-handle-overflow-gas-calculation-in-modexp-precompile.md) - [#38908 \[BC-Insight\] Missing Failed Subcalls in Erigon Tracers When Encountering \`ErrInsufficientBalance\` Error](https://reports.immunefi.com/ethereum-protocol-or-attackathon/38908-bc-insight-missing-failed-subcalls-in-erigon-tracers-when-encountering-errinsufficientbalance.md) - [#37300 \[BC-Insight\] Incorrect Encoding of Negative \*big.Int Values in MakeTopics](https://reports.immunefi.com/ethereum-protocol-or-attackathon/37300-bc-insight-incorrect-encoding-of-negative-big.int-values-in-maketopics.md) - [#38277 \[BC-Insight\] Potential Out-of-Range Panic in \`UnmarshalJSON()\` of \`HexOrDecimal256\`](https://reports.immunefi.com/ethereum-protocol-or-attackathon/38277-bc-insight-potential-out-of-range-panic-in-unmarshaljson-of-hexordecimal256.md) - [#37583 \[SC-Low\] Incorrect For Annotation Parsing](https://reports.immunefi.com/ethereum-protocol-or-attackathon/37583-sc-low-incorrect-for-annotation-parsing.md) - [#37582 \[SC-Low\] Incorrect HexString Parsing Leads To Compilation Error Or Type Confusion](https://reports.immunefi.com/ethereum-protocol-or-attackathon/37582-sc-low-incorrect-hexstring-parsing-leads-to-compilation-error-or-type-confusion.md) - [#38275 \[BC-Low\] Evil-client P2P headers-traversal leads to D/DoS and total peer removal](https://reports.immunefi.com/ethereum-protocol-or-attackathon/38275-bc-low-evil-client-p2p-headers-traversal-leads-to-d-dos-and-total-peer-removal.md) - [#38894 \[BC-Low\] Missing expiration check for Pong and Neighbors packets and not refreshing the endpoint proof](https://reports.immunefi.com/ethereum-protocol-or-attackathon/38894-bc-low-missing-expiration-check-for-pong-and-neighbors-packets-and-not-refreshing-the-endpoint.md) - [#37568 \[BC-Insight\] missing specification logic](https://reports.immunefi.com/ethereum-protocol-or-attackathon/37568-bc-insight-missing-specification-logic.md) - [#38855 \[SC-Low\] Evaluation order is not respected in \`log\` function](https://reports.immunefi.com/ethereum-protocol-or-attackathon/38855-sc-low-evaluation-order-is-not-respected-in-log-function.md) - [#37505 \[BC-Insight\] Remotely spamming 1 byte leads to full peer removal and desync in both execution and consensus clients](https://reports.immunefi.com/ethereum-protocol-or-attackathon/37505-bc-insight-remotely-spamming-1-byte-leads-to-full-peer-removal-and-desync-in-both-execution-an.md) - [#38850 \[BC-Low\] Remote P2P OOM Crash (GetBlockHeaders) / Reth](https://reports.immunefi.com/ethereum-protocol-or-attackathon/38850-bc-low-remote-p2p-oom-crash-getblockheaders-reth.md) - [#37483 \[BC-Insight\] There is a trace discrepancy for Nethermind when handling EOF from PUSH opcode](https://reports.immunefi.com/ethereum-protocol-or-attackathon/37483-bc-insight-there-is-a-trace-discrepancy-for-nethermind-when-handling-eof-from-push-opcode.md) - [#38169 \[SC-Insight\] Deferred Evaluation Of \`Default\_Return\_Value\` May Skip Side Effect Execution](https://reports.immunefi.com/ethereum-protocol-or-attackathon/38169-sc-insight-deferred-evaluation-of-default_return_value-may-skip-side-effect-execution.md) - [#37462 \[BC-Low\] Invalid RLP decoding for single bytes](https://reports.immunefi.com/ethereum-protocol-or-attackathon/37462-bc-low-invalid-rlp-decoding-for-single-bytes.md) - [#37442 \[BC-Insight\] Potential Address Collision with Precompile Contract During Contract Deployment](https://reports.immunefi.com/ethereum-protocol-or-attackathon/37442-bc-insight-potential-address-collision-with-precompile-contract-during-contract-deployment.md) - [#38807 \[BC-Low\] DoS any reth node via ban logic exploit](https://reports.immunefi.com/ethereum-protocol-or-attackathon/38807-bc-low-dos-any-reth-node-via-ban-logic-exploit.md) - [#38766 \[BC-Insight\] Nil Pointer Dereference Panics in encodePayload() of Blob Tx’s Encoding](https://reports.immunefi.com/ethereum-protocol-or-attackathon/38766-bc-insight-nil-pointer-dereference-panics-in-encodepayload-of-blob-txs-encoding.md) - [#37351 \[BC-Insight\] Resubscribe Deadlocks When Unsubscribing Within An Unblock Channel](https://reports.immunefi.com/ethereum-protocol-or-attackathon/37351-bc-insight-resubscribe-deadlocks-when-unsubscribing-within-an-unblock-channel.md) - [#37359 \[BC-Insight\] Failure to Generate ABI Binding in Golang](https://reports.immunefi.com/ethereum-protocol-or-attackathon/37359-bc-insight-failure-to-generate-abi-binding-in-golang.md) - [#37352 \[BC-Insight\] Missing Liveness Check in \`collectTableNodes()\`](https://reports.immunefi.com/ethereum-protocol-or-attackathon/37352-bc-insight-missing-liveness-check-in-collecttablenodes.md) - [#37466 \[BC-Medium\] Evil-client OOM crash (fast P2P crash)](https://reports.immunefi.com/ethereum-protocol-or-attackathon/37466-bc-medium-evil-client-oom-crash-fast-p2p-crash.md) - [#37593 \[BC-Insight\] Inconsistent Address Collision Check Against Precompile Contracts During Contract Deployment](https://reports.immunefi.com/ethereum-protocol-or-attackathon/37593-bc-insight-inconsistent-address-collision-check-against-precompile-contracts-during-contract-d.md) - [#38598 \[BC-Insight\] GetReceiptsMsg abuse leads to the DoS and/or crash of every EL client in the Ethereum network](https://reports.immunefi.com/ethereum-protocol-or-attackathon/38598-bc-insight-getreceiptsmsg-abuse-leads-to-the-dos-and-or-crash-of-every-el-client-in-the-ethere.md) - [#37985 \[SC-Low\] Incorrectly Eliminate Code With Side Effect In Slice Args](https://reports.immunefi.com/ethereum-protocol-or-attackathon/37985-sc-low-incorrectly-eliminate-code-with-side-effect-in-slice-args.md) - [#38686 \[BC-Low\] Nodes with trusted peers vulnerable to pending peer flooding and DoS](https://reports.immunefi.com/ethereum-protocol-or-attackathon/38686-bc-low-nodes-with-trusted-peers-vulnerable-to-pending-peer-flooding-and-dos.md) - [#37199 \[BC-Low\] Potential Chain Fork Due to Shallow Copy of Byte Slice](https://reports.immunefi.com/ethereum-protocol-or-attackathon/37199-bc-low-potential-chain-fork-due-to-shallow-copy-of-byte-slice.md) - [#37191 \[BC-Insight\] Unvalidated Field Names in Tuple ABI Parsing Causes Runtime Panic via reflect.StructOf](https://reports.immunefi.com/ethereum-protocol-or-attackathon/37191-bc-insight-unvalidated-field-names-in-tuple-abi-parsing-causes-runtime-panic-via-reflect.struc.md) - [#37120 \[BC-Insight\] Remote handshake-based TCP/30303 flooding leads to an out-of-memory crash](https://reports.immunefi.com/ethereum-protocol-or-attackathon/37120-bc-insight-remote-handshake-based-tcp-30303-flooding-leads-to-an-out-of-memory-crash.md) - [#37695 \[BC-Insight\] Executing transaction that has a wrong nonce might triggered a chain split due to mismatch stateroot](https://reports.immunefi.com/ethereum-protocol-or-attackathon/37695-bc-insight-executing-transaction-that-has-a-wrong-nonce-might-triggered-a-chain-split-due-to-m.md) - [#37134 \[BC-Insight\] Improper secp256k sanitization](https://reports.immunefi.com/ethereum-protocol-or-attackathon/37134-bc-insight-improper-secp256k-sanitization.md) - [#38554 \[BC-Low\] Incorrect Transaction Fee Check in \`SendRawTransaction()\`](https://reports.immunefi.com/ethereum-protocol-or-attackathon/38554-bc-low-incorrect-transaction-fee-check-in-sendrawtransaction.md) - [#38530 \[SC-Low\] Incorrectly Eliminated Code With Side Effect In Concat Args](https://reports.immunefi.com/ethereum-protocol-or-attackathon/38530-sc-low-incorrectly-eliminated-code-with-side-effect-in-concat-args.md) - [#38505 \[SC-Low\] IRNode Multi-Evaluation In For List Iter](https://reports.immunefi.com/ethereum-protocol-or-attackathon/38505-sc-low-irnode-multi-evaluation-in-for-list-iter.md) - [#38502 \[BC-Low\] Pending pool subtraction overflow causes node halt/shutdown](https://reports.immunefi.com/ethereum-protocol-or-attackathon/38502-bc-low-pending-pool-subtraction-overflow-causes-node-halt-shutdown.md) - [#37646 \[BC-Insight\] No implementation of BLOB\_SIDECAR\_SUBNET\_COUNT with no issue and no PR in the GitHub](https://reports.immunefi.com/ethereum-protocol-or-attackathon/37646-bc-insight-no-implementation-of-blob_sidecar_subnet_count-with-no-issue-and-no-pr-in-the-githu.md) - [Stacks II Attackathon](https://reports.immunefi.com/stacks-ii-attackathon.md) - [#40692 \[BC-High\] Calling multiple withdrawals on a single transaction causes Signers to halt and the network to stop](https://reports.immunefi.com/stacks-ii-attackathon/40692-bc-high-calling-multiple-withdrawals-on-a-single-transaction-causes-signers-to-halt-and-the-ne.md) - [#40655 \[BC-Medium\] Malicious signers can give different votes to other Signers to prevent sBTC withdrawal](https://reports.immunefi.com/stacks-ii-attackathon/40655-bc-medium-malicious-signers-can-give-different-votes-to-other-signers-to-prevent-sbtc-withdraw.md) - [#40731 \[BC-Medium\] A malicious signer can force a panic in the coordinator by sending \`DkgFailure::BadPrivateShares\` with an invalid signer ID](https://reports.immunefi.com/stacks-ii-attackathon/40731-bc-medium-a-malicious-signer-can-force-a-panic-in-the-coordinator-by-sending-dkgfailure-badpri.md) - [#40770 \[BC-Low\] Unvalidated withdrawal events allow data manipulation and denial of service in Emily](https://reports.immunefi.com/stacks-ii-attackathon/40770-bc-low-unvalidated-withdrawal-events-allow-data-manipulation-and-denial-of-service-in-emily.md) - [#41014 \[BC-Low\] The signer can submit multi-tx first to make the coordinator's submission fail](https://reports.immunefi.com/stacks-ii-attackathon/41014-bc-low-the-signer-can-submit-multi-tx-first-to-make-the-coordinators-submission-fail.md) - [#40806 \[BC-High\] Users can submit deposits containing large \`reclaim\_scripts\` to DoS Emily and Signers](https://reports.immunefi.com/stacks-ii-attackathon/40806-bc-high-users-can-submit-deposits-containing-large-reclaim_scripts-to-dos-emily-and-signers.md) - [#41111 \[BC-Medium\] A malicious signer could manipulate withdrawal decisions preventing accepted and rejected withdrawals from getting confirmed on Stacks chain](https://reports.immunefi.com/stacks-ii-attackathon/41111-bc-medium-a-malicious-signer-could-manipulate-withdrawal-decisions-preventing-accepted-and-rej.md) - [#41202 \[BC-Insight\] A malicious signer can force a failure of the signature round by providing a key ID they don't own](https://reports.immunefi.com/stacks-ii-attackathon/41202-bc-insight-a-malicious-signer-can-force-a-failure-of-the-signature-round-by-providing-a-key-id.md) - [#41340 \[BC-Insight\] There is insecure Exposure of TRUSTED\_REORG\_API\_KEY in Lambda and is can lead to Potential sBTC Withdrawal Manipulation](https://reports.immunefi.com/stacks-ii-attackathon/41340-bc-insight-there-is-insecure-exposure-of-trusted_reorg_api_key-in-lambda-and-is-can-lead-to-po.md) - [#41597 \[BC-Insight\] Emily server can crash their connected Stacks node when processing a large number of events](https://reports.immunefi.com/stacks-ii-attackathon/41597-bc-insight-emily-server-can-crash-their-connected-stacks-node-when-processing-a-large-number-o.md) - [#42404 \[BC-Medium\] A signer can OOM kill other signers during DKG verification](https://reports.immunefi.com/stacks-ii-attackathon/42404-bc-medium-a-signer-can-oom-kill-other-signers-during-dkg-verification.md) - [#42747 \[BC-High\] Large BTC transactions with many sbtc deposits can permanently crash/halt all signers](https://reports.immunefi.com/stacks-ii-attackathon/42747-bc-high-large-btc-transactions-with-many-sbtc-deposits-can-permanently-crash-halt-all-signers.md) - [#42750 \[BC-Insight\] Subtraction overflow risk in WSTS FIRE coordinator](https://reports.immunefi.com/stacks-ii-attackathon/42750-bc-insight-subtraction-overflow-risk-in-wsts-fire-coordinator.md) - [#42752 \[BC-High\] Signer can be DOSed through their libp2p component](https://reports.immunefi.com/stacks-ii-attackathon/42752-bc-high-signer-can-be-dosed-through-their-libp2p-component.md) - [#42764 \[BC-Low\] A BTC wallet on signer blocklists can cause network DoS](https://reports.immunefi.com/stacks-ii-attackathon/42764-bc-low-a-btc-wallet-on-signer-blocklists-can-cause-network-dos.md) - [#42773 \[BC-Medium\] Signers can be compromised by a libp2p DoS attack](https://reports.immunefi.com/stacks-ii-attackathon/42773-bc-medium-signers-can-be-compromised-by-a-libp2p-dos-attack.md) - [Movement Labs Attackathon](https://reports.immunefi.com/movement-labs-attackathon.md) - [#41023 \[BC-Insight\] Incomplete transaction decrementing leading to undesired behaviour](https://reports.immunefi.com/movement-labs-attackathon/41023-bc-insight-incomplete-transaction-decrementing-leading-to-undesired-behaviour.md) - [#41012 \[BC-Critical\] Unintended Chain Split in Movement Full Node](https://reports.immunefi.com/movement-labs-attackathon/41012-bc-critical-unintended-chain-split-in-movement-full-node.md) - [#41235 \[BC-Insight\] Incorrect celestia bridge keyring flag causes network partition in data availability layer](https://reports.immunefi.com/movement-labs-attackathon/41235-bc-insight-incorrect-celestia-bridge-keyring-flag-causes-network-partition-in-data-availabilit.md) - [#41255 \[BC-Medium\] Blocking sleep in async context leads to thread pool exhaustion and DoS](https://reports.immunefi.com/movement-labs-attackathon/41255-bc-medium-blocking-sleep-in-async-context-leads-to-thread-pool-exhaustion-and-dos.md) - [#41243 \[BC-Insight\] The mempool garbage collector doesn't fully execute garbage collection on each iteration](https://reports.immunefi.com/movement-labs-attackathon/41243-bc-insight-the-mempool-garbage-collector-doesnt-fully-execute-garbage-collection-on-each-itera.md) - [#41324 \[BC-Insight\] Celestia auth tokens can be stolen by sniffing websocket requests](https://reports.immunefi.com/movement-labs-attackathon/41324-bc-insight-celestia-auth-tokens-can-be-stolen-by-sniffing-websocket-requests.md) - [#41334 \[BC-Critical\] Attacker can publish a blob that cannot be deserialized and shut down the movement chain](https://reports.immunefi.com/movement-labs-attackathon/41334-bc-critical-attacker-can-publish-a-blob-that-cannot-be-deserialized-and-shut-down-the-movement.md) - [#41337 \[BC-Insight\] Channel buffer size in block proposer is too low leading to network delays and resource exhaustion](https://reports.immunefi.com/movement-labs-attackathon/41337-bc-insight-channel-buffer-size-in-block-proposer-is-too-low-leading-to-network-delays-and-reso.md) - [#41368 \[BC-High\] RPC server takedown](https://reports.immunefi.com/movement-labs-attackathon/41368-bc-high-rpc-server-takedown.md) - [#41373 \[BC-High\] Premature transaction acceptance to mempool/DA without signature validation](https://reports.immunefi.com/movement-labs-attackathon/41373-bc-high-premature-transaction-acceptance-to-mempool-da-without-signature-validation.md) - [41437 \[BC-High\] an edge case allows duplicate transactions to be added to the mempool of the sequencer](https://reports.immunefi.com/movement-labs-attackathon/41437-bc-high-an-edge-case-allows-duplicate-transactions-to-be-added-to-the-mempool-of-the-sequencer.md) - [#41466 \[BC-Medium\] Incorrect sequence number tracking in mempool commit](https://reports.immunefi.com/movement-labs-attackathon/41466-bc-medium-incorrect-sequence-number-tracking-in-mempool-commit.md) - [#41489 \[BC-Critical\] Blob sizes remain unchecked leading to chain halt](https://reports.immunefi.com/movement-labs-attackathon/41489-bc-critical-blob-sizes-remain-unchecked-leading-to-chain-halt.md) - [#41516 \[BC-High\] The attacker exceeds the number of transactions TOO\_NEW\_TOLERANCE and performs a DoS attack.](https://reports.immunefi.com/movement-labs-attackathon/41516-bc-high-the-attacker-exceeds-the-number-of-transactions-too_new_tolerance-and-performs-a-dos-a.md) - [#41518 \[BC-High\] The transaction to modify the gas price was not processed.](https://reports.immunefi.com/movement-labs-attackathon/41518-bc-high-the-transaction-to-modify-the-gas-price-was-not-processed..md) - [#41531 \[BC-Critical\] Attackers can drain the sequencer’s wallet and DoS network by submitting transactions from unfunded accounts](https://reports.immunefi.com/movement-labs-attackathon/41531-bc-critical-attackers-can-drain-the-sequencers-wallet-and-dos-network-by-submitting-transactio.md) - [#41560 \[BC-Insight\] BlobType of BlobResponse can never be SequencedBlobBlock](https://reports.immunefi.com/movement-labs-attackathon/41560-bc-insight-blobtype-of-blobresponse-can-never-be-sequencedblobblock.md) - [#41594 \[BC-Insight\] Invalid URL format in TcpListener binding prevents REST API from starting](https://reports.immunefi.com/movement-labs-attackathon/41594-bc-insight-invalid-url-format-in-tcplistener-binding-prevents-rest-api-from-starting.md) - [#41618 \[BC-Insight\] Timestamp unit doesn't match in GcCounter which causes premature transaction eviction](https://reports.immunefi.com/movement-labs-attackathon/41618-bc-insight-timestamp-unit-doesnt-match-in-gccounter-which-causes-premature-transaction-evictio.md) - [#41669 \[BC-Medium\] Incorrect Gas Cost Used for BLS12381 Subgroup Check Causes ~70% Undercharge](https://reports.immunefi.com/movement-labs-attackathon/41669-bc-medium-incorrect-gas-cost-used-for-bls12381-subgroup-check-causes-70-undercharge.md) - [#41678 \[BC-Medium\] Transactions directly sent to the passthrough will cause the mempool to accept more transactions than the \`inflight\_limit\`](https://reports.immunefi.com/movement-labs-attackathon/41678-bc-medium-transactions-directly-sent-to-the-passthrough-will-cause-the-mempool-to-accept-more.md) - [#41686 \[BC-High\] The passthrough DA light node streams transactions instead of blocks which means that the block cannot be deserialized](https://reports.immunefi.com/movement-labs-attackathon/41686-bc-high-the-passthrough-da-light-node-streams-transactions-instead-of-blocks-which-means-that.md) - [41714 \[BC-High\] tampering the id of signed transactions to prevent others from executing](https://reports.immunefi.com/movement-labs-attackathon/41714-bc-high-tampering-the-id-of-signed-transactions-to-prevent-others-from-executing.md) - [41715 \[BC-High\] manipulating the sequence number of signed transactions to reorder them or prevent their execution](https://reports.immunefi.com/movement-labs-attackathon/41715-bc-high-manipulating-the-sequence-number-of-signed-transactions-to-reorder-them-or-prevent-the.md) - [#41722 \[BC-High\] The passthrough DA light node does not prevalidate transactions which leads to non-deserializable transactions that prevent execution](https://reports.immunefi.com/movement-labs-attackathon/41722-bc-high-the-passthrough-da-light-node-does-not-prevalidate-transactions-which-leads-to-non-des.md) - [#41731 \[BC-Insight\] Race Condition in try\_to\_sign can lead to unverifiable blocks and/or blobs](https://reports.immunefi.com/movement-labs-attackathon/41731-bc-insight-race-condition-in-try_to_sign-can-lead-to-unverifiable-blocks-and-or-blobs.md) - [#41794 \[BC-High\] Not having any whitelisted account completely disables the prevalidator leading to transactions that cannot be deserialized](https://reports.immunefi.com/movement-labs-attackathon/41794-bc-high-not-having-any-whitelisted-account-completely-disables-the-prevalidator-leading-to-tra.md) - [#41811 \[BC-Insight\] Configuration data loss in configfile's \`try\_set\_with\_guard\` due to missing file cursor reset](https://reports.immunefi.com/movement-labs-attackathon/41811-bc-insight-configuration-data-loss-in-configfiles-try_set_with_guard-due-to-missing-file-curso.md) - [#41855 \[SC-Insight\] User is able to circumvent blocklist check by utilizing Solidity's implementation](https://reports.immunefi.com/movement-labs-attackathon/41855-sc-insight-user-is-able-to-circumvent-blocklist-check-by-utilizing-soliditys-implementation.md) - [#41864 \[BC-Medium\] When Memseq selects a transaction from a particular user to include in a block, it does not remove transactions from Memseq that have a sequence\_number less than or equal to the t...](https://reports.immunefi.com/movement-labs-attackathon/41864-bc-medium-when-memseq-selects-a-transaction-from-a-particular-user-to-include-in-a-block-it-do.md) - [41878 \[BC-High\] edge case allows replaying user transactions to fill the mempool](https://reports.immunefi.com/movement-labs-attackathon/41878-bc-high-edge-case-allows-replaying-user-transactions-to-fill-the-mempool.md) - [#41945 \[BC-Insight\] Optimization in \`to\_eip55\_checksumed\_address()\` in \`aptos\_framework::ethereum::()\` module](https://reports.immunefi.com/movement-labs-attackathon/41945-bc-insight-optimization-in-to_eip55_checksumed_address-in-aptos_framework-ethereum-module.md) - [#41899 \[BC-Insight\] NatSpec of several functions in \`ethereum.move\` is wrong](https://reports.immunefi.com/movement-labs-attackathon/41899-bc-insight-natspec-of-several-functions-in-ethereum.move-is-wrong.md) - [#41978 \[BC-Insight\] Values of the current gc\_slot can be garbage collected in edge case](https://reports.immunefi.com/movement-labs-attackathon/41978-bc-insight-values-of-the-current-gc_slot-can-be-garbage-collected-in-edge-case.md) - [#41980 \[BC-Insight\] Full nodes panic in read-only mode whenever a transaction is sent](https://reports.immunefi.com/movement-labs-attackathon/41980-bc-insight-full-nodes-panic-in-read-only-mode-whenever-a-transaction-is-sent.md) - [#41985 \[BC-Insight\] Using the test keyring backend is insecure](https://reports.immunefi.com/movement-labs-attackathon/41985-bc-insight-using-the-test-keyring-backend-is-insecure.md) - [41987 bc critical oversized blocks split the chain](https://reports.immunefi.com/movement-labs-attackathon/41987-bc-critical-oversized-blocks-split-the-chain.md) - [#42011 \[BC-High\] Duplicate tx IDs in blockchain blocks are possible](https://reports.immunefi.com/movement-labs-attackathon/42011-bc-high-duplicate-tx-ids-in-blockchain-blocks-are-possible.md) - [#42102 \[BC-High\] uncontrolled resource consumption is resulting in OOM via RPC (public one)](https://reports.immunefi.com/movement-labs-attackathon/42102-bc-high-uncontrolled-resource-consumption-is-resulting-in-oom-via-rpc-public-one.md) - [#42112 \[BC-Critical\] Using \`blob.GetAll\` instead of \`blob.Get\` for Celestia DA opens full nodes to fraudulent block attacks](https://reports.immunefi.com/movement-labs-attackathon/42112-bc-critical-using-blob.getall-instead-of-blob.get-for-celestia-da-opens-full-nodes-to-fraudule.md) - [#42143 \[BC-Critical\] Decompressing a maliciously crafted blob leads to shutting down all Movement DA Light Nodes in a Movement based network which using a centralized Sequencer.](https://reports.immunefi.com/movement-labs-attackathon/42143-bc-critical-decompressing-a-maliciously-crafted-blob-leads-to-shutting-down-all-movement-da-li.md) - [42153 \[BC-Critical\] attackers can exploit bug in blob verification to execute replay attack by re executing blobs](https://reports.immunefi.com/movement-labs-attackathon/42153-bc-critical-attackers-can-exploit-bug-in-blob-verification-to-execute-replay-attack-by-re-exec.md) - [#42222 \[BC-Insight\] Garbage Collector can fail to run in a timely manner if building\_time\_ms is set to a low value](https://reports.immunefi.com/movement-labs-attackathon/42222-bc-insight-garbage-collector-can-fail-to-run-in-a-timely-manner-if-building_time_ms-is-set-to.md) - [42233 \[BC-Critical\] critical dos vulnerability in movement network s da layer due to zstd bomb blob exploit ](https://reports.immunefi.com/movement-labs-attackathon/42233-bc-critical-critical-dos-vulnerability-in-movement-network-s-da-layer-due-to-zstd-bomb-blob-ex.md) - [#42234 \[BC-Insight\] Missing Match Arm in to\_single\_key\_authenticators() Allows WebAuthn Signatures Despite WEBAUTHN\_SIGNATURE Being Disabled](https://reports.immunefi.com/movement-labs-attackathon/42234-bc-insight-missing-match-arm-in-to_single_key_authenticators-allows-webauthn-signatures-despit.md) - [#42395 \[BC-High\] Movement does not allow overwriting transactions with a higher priority, breaking Aptos mempool logic](https://reports.immunefi.com/movement-labs-attackathon/42395-bc-high-movement-does-not-allow-overwriting-transactions-with-a-higher-priority-breaking-aptos.md) - [#42298 \[BC-Critical\] Blocks from Celestia are not executed in order which breaks sequencer logic and application priorities](https://reports.immunefi.com/movement-labs-attackathon/42298-bc-critical-blocks-from-celestia-are-not-executed-in-order-which-breaks-sequencer-logic-and-ap.md) - [#42430 \[BC-Insight\] \`add\_mempool\_transaction()\` does not check if the transaction already exist in the mempool](https://reports.immunefi.com/movement-labs-attackathon/42430-bc-insight-add_mempool_transaction-does-not-check-if-the-transaction-already-exist-in-the-memp.md) - [#42480 \[BC-Medium\] Unable to deposit the gas fee into the \`governed\_gas\_pool\` when using \`deposit\_from\_fungible\_store\`](https://reports.immunefi.com/movement-labs-attackathon/42480-bc-medium-unable-to-deposit-the-gas-fee-into-the-governed_gas_pool-when-using-deposit_from_fun.md) - [#42495 \[BC-High\] The Tonic Request/Response Size Limit prevents data from being submitted to the da\_light\_node](https://reports.immunefi.com/movement-labs-attackathon/42495-bc-high-the-tonic-request-response-size-limit-prevents-data-from-being-submitted-to-the-da_lig.md) - [42513 \[BC-High\] users might loose storage gas fee refund due to governed gas pool feature of movement logic bug ](https://reports.immunefi.com/movement-labs-attackathon/42513-bc-high-users-might-loose-storage-gas-fee-refund-due-to-governed-gas-pool-feature-of-movement.md) - [#42535 \[BC-High\] Garbage collecting in flight transactions can lead to spiraling network delays](https://reports.immunefi.com/movement-labs-attackathon/42535-bc-high-garbage-collecting-in-flight-transactions-can-lead-to-spiraling-network-delays.md) - [#42557 \[BC-Low\] Remote signing methods can fail which will turn off the light node block proposer](https://reports.immunefi.com/movement-labs-attackathon/42557-bc-low-remote-signing-methods-can-fail-which-will-turn-off-the-light-node-block-proposer.md) - [#42648 \[BC-High\] Altering the application\_priority to fill a block, temporary freezing user transactions](https://reports.immunefi.com/movement-labs-attackathon/42648-bc-high-altering-the-application_priority-to-fill-a-block-temporary-freezing-user-transactions.md) - [#42761 \[BC-High\] Memseq does not verify client-specified expiration for transactions before including them in DA (Data Availability).](https://reports.immunefi.com/movement-labs-attackathon/42761-bc-high-memseq-does-not-verify-client-specified-expiration-for-transactions-before-including-t.md) - [#42749 \[BC-Critical\] Attacker can send digests directly to Celestia to reorder block execution](https://reports.immunefi.com/movement-labs-attackathon/42749-bc-critical-attacker-can-send-digests-directly-to-celestia-to-reorder-block-execution.md) - [42762 \[BC-High\] new accounts break the pipe mempool invariant that prevents duplicate transactions from filling the mempool](https://reports.immunefi.com/movement-labs-attackathon/42762-bc-high-new-accounts-break-the-pipe-mempool-invariant-that-prevents-duplicate-transactions-fro.md) - [#42837 \[BC-Critical\] total network shutdown](https://reports.immunefi.com/movement-labs-attackathon/42837-bc-critical-total-network-shutdown.md) - [#42859 \[BC-Insight\] Pub key format mismatch in \`InKnownSignersVerifier\`](https://reports.immunefi.com/movement-labs-attackathon/42859-bc-insight-pub-key-format-mismatch-in-inknownsignersverifier.md) - [#42895 \[BC-Insight\] Misuse of error](https://reports.immunefi.com/movement-labs-attackathon/42895-bc-insight-misuse-of-error.md) - [#42896 \[BC-High\] attackers can exploit sequence number tolerance mechanism to to cause movement network da lightnode loose money for submitting failed blocks to celestia ](https://reports.immunefi.com/movement-labs-attackathon/42896-bc-high-attackers-can-exploit-sequence-number-tolerance-mechanism-to-to-cause-movement-network.md) - [#42903 \[BC-High\] Attackers are able to submit multiple dupplicate transactions due to mismatched Mempool Implementation](https://reports.immunefi.com/movement-labs-attackathon/42903-bc-high-attackers-are-able-to-submit-multiple-dupplicate-transactions-due-to-mismatched-mempoo.md) - [#42925 \[BC-Insight\] Transactions won't be included on Celestia when the gas price is high, and the transactions on Movement will be forgotten](https://reports.immunefi.com/movement-labs-attackathon/42925-bc-insight-transactions-wont-be-included-on-celestia-when-the-gas-price-is-high-and-the-transa.md) - [#42930 \[BC-High\] Users are unable to increase their gas resulting in stuck funds](https://reports.immunefi.com/movement-labs-attackathon/42930-bc-high-users-are-unable-to-increase-their-gas-resulting-in-stuck-funds.md) - [#42928 \[BC-Medium\] Depositing gas fees into the governed gas pool does not work when the CoinStore is frozen](https://reports.immunefi.com/movement-labs-attackathon/42928-bc-medium-depositing-gas-fees-into-the-governed-gas-pool-does-not-work-when-the-coinstore-is-f.md) - [#42933 \[BC-Medium\] Integer Underflow in Garbage Collection Logic of UsedSequenceNumberPool disrupting transaction processing](https://reports.immunefi.com/movement-labs-attackathon/42933-bc-medium-integer-underflow-in-garbage-collection-logic-of-usedsequencenumberpool-disrupting-t.md) - [#42934 \[BC-High\] Improper input validation in KeylessSignature causes full-node panic](https://reports.immunefi.com/movement-labs-attackathon/42934-bc-high-improper-input-validation-in-keylesssignature-causes-full-node-panic.md) - [#42936 \[BC-Critical\] Potential Deadlock or Panic Due to Concurrent Lock Acquisition in \`TransactionPipe\`](https://reports.immunefi.com/movement-labs-attackathon/42936-bc-critical-potential-deadlock-or-panic-due-to-concurrent-lock-acquisition-in-transactionpipe.md) - [#42937 \[BC-Insight\] Public Exposure of Validator Signer Private Key in Executor Struct](https://reports.immunefi.com/movement-labs-attackathon/42937-bc-insight-public-exposure-of-validator-signer-private-key-in-executor-struct.md) - [#42938 \[BC-Insight\] Inefficient Garbage Collection Implementation in \`UsedSequenceNumberPool\`](https://reports.immunefi.com/movement-labs-attackathon/42938-bc-insight-inefficient-garbage-collection-implementation-in-usedsequencenumberpool.md) - [#42939 \[BC-Insight\] Transaction expiration is not validated correctly in mempool and sequencer](https://reports.immunefi.com/movement-labs-attackathon/42939-bc-insight-transaction-expiration-is-not-validated-correctly-in-mempool-and-sequencer.md) - [#42940 \[BC-Medium\] Suboptimal Lock Holding During Logging in \`decrement\_transactions\_in\_flight\`](https://reports.immunefi.com/movement-labs-attackathon/42940-bc-medium-suboptimal-lock-holding-during-logging-in-decrement_transactions_in_flight.md) - [#42991 \[BC-High\] User can reuse sequence number causing DOS & breaking core invariant](https://reports.immunefi.com/movement-labs-attackathon/42991-bc-high-user-can-reuse-sequence-number-causing-dos-and-breaking-core-invariant.md) - [#42941 \[BC-Critical\] \[Critical\] Network-Wide Denial of Service Through Unrecoverable Block Execution Failures](https://reports.immunefi.com/movement-labs-attackathon/42941-bc-critical-critical-network-wide-denial-of-service-through-unrecoverable-block-execution-fail.md) - [#43017 \[BC-High\] Prevalidation does not validate application priority, sequence number and ID](https://reports.immunefi.com/movement-labs-attackathon/43017-bc-high-prevalidation-does-not-validate-application-priority-sequence-number-and-id.md) - [#43014 \[BC-Critical\] finite Deadlock of Transactions (No Automatic Timeout + Sequential Execution) on multisig implementation](https://reports.immunefi.com/movement-labs-attackathon/43014-bc-critical-finite-deadlock-of-transactions-no-automatic-timeout-+-sequential-execution-on-mul.md) - [#43054 \[BC-High\] malicious light node can dos the full node](https://reports.immunefi.com/movement-labs-attackathon/43054-bc-high-malicious-light-node-can-dos-the-full-node.md) - [#43038 \[BC-Insight\] There is a permanent operator lockout came from an unsafe key rotation](https://reports.immunefi.com/movement-labs-attackathon/43038-bc-insight-there-is-a-permanent-operator-lockout-came-from-an-unsafe-key-rotation.md) - [#43108 \[BC-Critical\] attackers can front run transactions in celestia mempool to cause transactions of many users revert unexpectedly ](https://reports.immunefi.com/movement-labs-attackathon/43108-bc-critical-attackers-can-front-run-transactions-in-celestia-mempool-to-cause-transactions-of.md) - [#43110 \[BC-Critical\] Validator can DoS the DA Layer by requesting a big range of blobs](https://reports.immunefi.com/movement-labs-attackathon/43110-bc-critical-validator-can-dos-the-da-layer-by-requesting-a-big-range-of-blobs.md) - [#43132 \[BC-Medium\] upgrade\_burn\_percentage Resets Block Proposer, Blocking Fee Distribution](https://reports.immunefi.com/movement-labs-attackathon/43132-bc-medium-upgrade_burn_percentage-resets-block-proposer-blocking-fee-distribution.md) - [#43114 \[BC-Critical\] attackers can cause total shutdown network by exploiting missing of blob size check in da lightnode](https://reports.immunefi.com/movement-labs-attackathon/43114-bc-critical-attackers-can-cause-total-shutdown-network-by-exploiting-missing-of-blob-size-chec.md) - [#43135 \[BC-High\] \`epilogue\_gas\_payer\` Silently Drops Excess Storage Fee Refunds Under Governed Gas Pool](https://reports.immunefi.com/movement-labs-attackathon/43135-bc-high-epilogue_gas_payer-silently-drops-excess-storage-fee-refunds-under-governed-gas-pool.md) - [#43136 \[BC-High\] Multiple transactions sent by the same account in the same block timeframe can get stuck in the TranactionPipe core\_mempool](https://reports.immunefi.com/movement-labs-attackathon/43136-bc-high-multiple-transactions-sent-by-the-same-account-in-the-same-block-timeframe-can-get-stu.md) - [#43137 \[BC-Medium\] Multiple Transactions from the same account with increasing sequence number and priorities will be sorted incorrectly in the block causing some to fail](https://reports.immunefi.com/movement-labs-attackathon/43137-bc-medium-multiple-transactions-from-the-same-account-with-increasing-sequence-number-and-prio.md) - [#43148 \[BC-Medium\] Potential unhandled panic in protocol-units::execution::maptos::opt-executor::executor/mod::decrement\_transactions\_in\_flight](https://reports.immunefi.com/movement-labs-attackathon/43148-bc-medium-potential-unhandled-panic-in-protocol-units-execution-maptos-opt-executor-executor-m.md) - [#43150 \[BC-High\] Excessive transaction processing caused by a faulty garbage collector in transaction\_pipe.rs](https://reports.immunefi.com/movement-labs-attackathon/43150-bc-high-excessive-transaction-processing-caused-by-a-faulty-garbage-collector-in-transaction_p.md) - [#43177 \[BC-Critical\] dos vulnerability in da light node via unbounded height parameter](https://reports.immunefi.com/movement-labs-attackathon/43177-bc-critical-dos-vulnerability-in-da-light-node-via-unbounded-height-parameter.md) - [#43184 \[BC-Insight\] Vulnerable \`Secp256k1\` version allows validation of malformed signatures](https://reports.immunefi.com/movement-labs-attackathon/43184-bc-insight-vulnerable-secp256k1-version-allows-validation-of-malformed-signatures.md) - [#43168 \[BC-Insight\] Under normal usage of the blockchain, transactions will not be persisted](https://reports.immunefi.com/movement-labs-attackathon/43168-bc-insight-under-normal-usage-of-the-blockchain-transactions-will-not-be-persisted.md) - [#43186 \[BC-Insight\] Flawed documentation when streaming da blobs leads to confusion](https://reports.immunefi.com/movement-labs-attackathon/43186-bc-insight-flawed-documentation-when-streaming-da-blobs-leads-to-confusion.md) - [#43190 \[BC-Critical\] Deadlock in \`submit\_transaction()\`](https://reports.immunefi.com/movement-labs-attackathon/43190-bc-critical-deadlock-in-submit_transaction.md) - [#43187 \[BC-Insight\] Movement Full Node Panics and Crashes Uncleanly on Connection failure with DA Light Node](https://reports.immunefi.com/movement-labs-attackathon/43187-bc-insight-movement-full-node-panics-and-crashes-uncleanly-on-connection-failure-with-da-light.md) - [#43214 \[BC-Critical\] Unchecked transaction size allows malicious users to DOS honest users transactions](https://reports.immunefi.com/movement-labs-attackathon/43214-bc-critical-unchecked-transaction-size-allows-malicious-users-to-dos-honest-users-transactions.md) - [#43191 \[BC-High\] DOS attack by sending transactions that pass the sufficient balance test when entering mempool but fail it in execution](https://reports.immunefi.com/movement-labs-attackathon/43191-bc-high-dos-attack-by-sending-transactions-that-pass-the-sufficient-balance-test-when-entering.md) - [#43217 \[BC-Insight\] Incorrect public key notification after key rotation](https://reports.immunefi.com/movement-labs-attackathon/43217-bc-insight-incorrect-public-key-notification-after-key-rotation.md) - [#43220 \[BC-Insight\] The GC\_INTERVAL might not be fitting for the configured sequence\_number\_ttl\_ms](https://reports.immunefi.com/movement-labs-attackathon/43220-bc-insight-the-gc_interval-might-not-be-fitting-for-the-configured-sequence_number_ttl_ms.md) - [#43221 \[BC-Insight\] Expired transactions prevent new submissions due to delayed garbage collection](https://reports.immunefi.com/movement-labs-attackathon/43221-bc-insight-expired-transactions-prevent-new-submissions-due-to-delayed-garbage-collection.md) - [#43222 \[BC-High\] A transaction with sequence number 0 can be submitted multiple times](https://reports.immunefi.com/movement-labs-attackathon/43222-bc-high-a-transaction-with-sequence-number-0-can-be-submitted-multiple-times.md) - [#43229 \[BC-High\] There is a bug can allows malicious data to enter the DA layer and be signed by a legitimate node](https://reports.immunefi.com/movement-labs-attackathon/43229-bc-high-there-is-a-bug-can-allows-malicious-data-to-enter-the-da-layer-and-be-signed-by-a-legi.md) - [#43241 \[BC-High\] Attackers can drain TIA from nodes in networks running in passthrough mode](https://reports.immunefi.com/movement-labs-attackathon/43241-bc-high-attackers-can-drain-tia-from-nodes-in-networks-running-in-passthrough-mode.md) - [#43243 \[BC-Critical\] Attacker can halt chains operating in sequencer mode](https://reports.immunefi.com/movement-labs-attackathon/43243-bc-critical-attacker-can-halt-chains-operating-in-sequencer-mode.md) - [#43244 \[BC-Critical\] Lack of TCP timeout allows attacker to crash the sequencer via the Light Node Service](https://reports.immunefi.com/movement-labs-attackathon/43244-bc-critical-lack-of-tcp-timeout-allows-attacker-to-crash-the-sequencer-via-the-light-node-serv.md) - [#43250 \[BC-Critical\] Excessive TCP timeout allows attacker to crash the sequencer via the indexer service](https://reports.immunefi.com/movement-labs-attackathon/43250-bc-critical-excessive-tcp-timeout-allows-attacker-to-crash-the-sequencer-via-the-indexer-servi.md) - [#43251 \[BC-Critical\] Lack of TCP timeout allows attacker to crash the sequencer via the finality viewer service](https://reports.immunefi.com/movement-labs-attackathon/43251-bc-critical-lack-of-tcp-timeout-allows-attacker-to-crash-the-sequencer-via-the-finality-viewer.md) - [#43246 \[BC-Critical\] Lack of TCP timeout allows attacker to crash the sequencer via the maptos-opt-executor service](https://reports.immunefi.com/movement-labs-attackathon/43246-bc-critical-lack-of-tcp-timeout-allows-attacker-to-crash-the-sequencer-via-the-maptos-opt-exec.md) - [#43253 \[BC-Critical\] Attackers can drain TIA from nodes in networks running in sequencer mode](https://reports.immunefi.com/movement-labs-attackathon/43253-bc-critical-attackers-can-drain-tia-from-nodes-in-networks-running-in-sequencer-mode.md) - [#43255 \[BC-Medium\] user transactions might be lost due to missing error handling in celestia rpc client requests blob submit failure ](https://reports.immunefi.com/movement-labs-attackathon/43255-bc-medium-user-transactions-might-be-lost-due-to-missing-error-handling-in-celestia-rpc-client.md) - [#43267 \[BC-Insight\] Potential Indefinite Hang (Denial of Service) in Full Node DA Sync Due to Missing Stream Timeout For Light Node Connection](https://reports.immunefi.com/movement-labs-attackathon/43267-bc-insight-potential-indefinite-hang-denial-of-service-in-full-node-da-sync-due-to-missing-str.md) - [#43287 \[BC-Low\] Certain fees are unaccounted for causing failed transactions](https://reports.immunefi.com/movement-labs-attackathon/43287-bc-low-certain-fees-are-unaccounted-for-causing-failed-transactions.md) - [#43288 \[BC-Critical\] Attackers could force Nodes to process TraAttackers could force Nodes to process Transactions in wrong order, by attacking moveRocks/sequencing implementation](https://reports.immunefi.com/movement-labs-attackathon/43288-bc-critical-attackers-could-force-nodes-to-process-traattackers-could-force-nodes-to-process-t.md) - [#43290 \[BC-Critical\] Anyone can send a write\_batch to the DA node, enabling a DOS attack that shuts down the network](https://reports.immunefi.com/movement-labs-attackathon/43290-bc-critical-anyone-can-send-a-write_batch-to-the-da-node-enabling-a-dos-attack-that-shuts-down.md) - [#43303 \[BC-Medium\] The call to \`commit\_transaction()\` includes the wrong sequence number](https://reports.immunefi.com/movement-labs-attackathon/43303-bc-medium-the-call-to-commit_transaction-includes-the-wrong-sequence-number.md) - [#43307 \[BC-High\] Not verifying the signatures upon execution leads to direct loss of funds](https://reports.immunefi.com/movement-labs-attackathon/43307-bc-high-not-verifying-the-signatures-upon-execution-leads-to-direct-loss-of-funds.md) - [#43312 \[BC-Medium\] get\_state\_proof() is called with the current version leading to the epoch\_changes of the StateProof always being empty](https://reports.immunefi.com/movement-labs-attackathon/43312-bc-medium-get_state_proof-is-called-with-the-current-version-leading-to-the-epoch_changes-of-t.md) - [#43315 \[BC-Critical\] DA Light Node Can Be DoSed Due to Lack of Batch Validation](https://reports.immunefi.com/movement-labs-attackathon/43315-bc-critical-da-light-node-can-be-dosed-due-to-lack-of-batch-validation.md) - [#43322 \[BC-High\] inadequate transaction validation in da light node allows unprocessable block creation](https://reports.immunefi.com/movement-labs-attackathon/43322-bc-high-inadequate-transaction-validation-in-da-light-node-allows-unprocessable-block-creation.md) - [#43324 \[BC-High\] insufficient validation in da light node allows malicious override of application priority ](https://reports.immunefi.com/movement-labs-attackathon/43324-bc-high-insufficient-validation-in-da-light-node-allows-malicious-override-of-application-prio.md) - [#43326 \[BC-Insight\] stale transaction state in mempool when sender receiver pipe fails](https://reports.immunefi.com/movement-labs-attackathon/43326-bc-insight-stale-transaction-state-in-mempool-when-sender-receiver-pipe-fails.md) - [#43323 \[BC-High\] inadequate sequence number validation in da light node enables transaction censorship](https://reports.immunefi.com/movement-labs-attackathon/43323-bc-high-inadequate-sequence-number-validation-in-da-light-node-enables-transaction-censorship.md) - [#43330 \[BC-Critical\] Freezing new transaction processing by sending invalid requests to movement DA light node](https://reports.immunefi.com/movement-labs-attackathon/43330-bc-critical-freezing-new-transaction-processing-by-sending-invalid-requests-to-movement-da-lig.md) - [#43333 \[BC-Critical\] Missing Depths Checks in Cached TypeLayout leads to Network Divergence](https://reports.immunefi.com/movement-labs-attackathon/43333-bc-critical-missing-depths-checks-in-cached-typelayout-leads-to-network-divergence.md) - [#43346 \[BC-Insight\] Transactions arriving at the node out of sequence order will be rejected due to the has\_invalid\_sequence\_number function](https://reports.immunefi.com/movement-labs-attackathon/43346-bc-insight-transactions-arriving-at-the-node-out-of-sequence-order-will-be-rejected-due-to-the.md) - [CircuitDAO | IOP](https://reports.immunefi.com/circuitdaoiop.md) - [#43705 \[SC-Critical\] attackers can exploit lack of validation in byc coin issuance process to issue arbitrary amount of byc coin](https://reports.immunefi.com/circuitdaoiop/43705-sc-critical-attackers-can-exploit-lack-of-validation-in-byc-coin-issuance-process-to-issue-arb.md) - [#44324 \[SC-Medium\] atom announcer owner can nulify financial penalty by self penalizing ](https://reports.immunefi.com/circuitdaoiop/44324-sc-medium-atom-announcer-owner-can-nulify-financial-penalty-by-self-penalizing.md) - [#44355 \[SC-High\] announcer owner can inflate announcers registry entries via mutate and register loop to claim most of rewards](https://reports.immunefi.com/circuitdaoiop/44355-sc-high-announcer-owner-can-inflate-announcers-registry-entries-via-mutate-and-register-loop-t.md) - [Spectra Finance](https://reports.immunefi.com/spectra-finance.md) - [#43971 \[SC-Insight\] Incorrect NatSpec Tag in removeRateOracle() Misrepresents Function Reference](https://reports.immunefi.com/spectra-finance/43971-sc-insight-incorrect-natspec-tag-in-removerateoracle-misrepresents-function-reference.md) - [#43803 \[SC-Low\] Boolean success returned from address.call{value: amount}() not checked](https://reports.immunefi.com/spectra-finance/43803-sc-low-boolean-success-returned-from-address.call-value-amount-not-checked.md) - [#44167 \[SC-Medium\] Incorrect balance check in PT redemption commands](https://reports.immunefi.com/spectra-finance/44167-sc-medium-incorrect-balance-check-in-pt-redemption-commands.md) - [#44091 \[SC-Low\] Lack of ETH transfer check leads to stolen funds](https://reports.immunefi.com/spectra-finance/44091-sc-low-lack-of-eth-transfer-check-leads-to-stolen-funds.md) - [#43469 \[SC-Low\] Return value of low level call not checked can cause silent Reverts](https://reports.immunefi.com/spectra-finance/43469-sc-low-return-value-of-low-level-call-not-checked-can-cause-silent-reverts.md) - [#43314 \[SC-Insight\] Oracle functions mislead integrators as it is not compatible with Chainlink Price feed behaviour](https://reports.immunefi.com/spectra-finance/43314-sc-insight-oracle-functions-mislead-integrators-as-it-is-not-compatible-with-chainlink-price-f.md) - [#43659 \[SC-Low\] Silent ETH transfer failure in \`Dispatcher.sol\` leads to permament freezing of funds](https://reports.immunefi.com/spectra-finance/43659-sc-low-silent-eth-transfer-failure-in-dispatcher.sol-leads-to-permament-freezing-of-funds.md) - [#44161 \[SC-Low\] Return value of low level call not ckecked in \`Dispatcher.sol\` contract](https://reports.immunefi.com/spectra-finance/44161-sc-low-return-value-of-low-level-call-not-ckecked-in-dispatcher.sol-contract.md) - [#44101 \[SC-Low\] \`\_dispatch()\` incorrectly assumes revert bubbling when transferring native tokens.](https://reports.immunefi.com/spectra-finance/44101-sc-low-_dispatch-incorrectly-assumes-revert-bubbling-when-transferring-native-tokens..md) - [#44064 \[SC-Medium\] Dispatcher incorrect validation causes principal tokens to be stuck in inheriting contract allowing attacker to steal user funds](https://reports.immunefi.com/spectra-finance/44064-sc-medium-dispatcher-incorrect-validation-causes-principal-tokens-to-be-stuck-in-inheriting-co.md) - [#43981 \[SC-Low\] Silent ETH transfer failure in \`TRANSFER\_NATIVE\` command can permanently lock user funds](https://reports.immunefi.com/spectra-finance/43981-sc-low-silent-eth-transfer-failure-in-transfer_native-command-can-permanently-lock-user-funds.md) - [#43712 \[SC-Low\] Silent ETH transfer failure in \`TRANSFER\_NATIVE\` command leads to permament locking of user funds](https://reports.immunefi.com/spectra-finance/43712-sc-low-silent-eth-transfer-failure-in-transfer_native-command-leads-to-permament-locking-of-us.md) - [#44081 \[SC-Low\] Users ETH could be stuck forever without a way to recover it](https://reports.immunefi.com/spectra-finance/44081-sc-low-users-eth-could-be-stuck-forever-without-a-way-to-recover-it.md) - [#44158 \[SC-Low\] Dispatcher does not check if native transfers are successful](https://reports.immunefi.com/spectra-finance/44158-sc-low-dispatcher-does-not-check-if-native-transfers-are-successful.md) - [#43856 \[SC-Low\] Dispatcher.\_dispatch() does not revert on failure of transfer of funds when called with the TRANSFER\_NATIVE command](https://reports.immunefi.com/spectra-finance/43856-sc-low-dispatcher._dispatch-does-not-revert-on-failure-of-transfer-of-funds-when-called-with-t.md) - [#44035 \[SC-Low\] Lack of validation in native transfer allows attacker to steal user funds](https://reports.immunefi.com/spectra-finance/44035-sc-low-lack-of-validation-in-native-transfer-allows-attacker-to-steal-user-funds.md) - [#43987 \[SC-Low\] Unchecked low-level ETH transfer in \`Dispatcher.sol\` may lead to undetected failures](https://reports.immunefi.com/spectra-finance/43987-sc-low-unchecked-low-level-eth-transfer-in-dispatcher.sol-may-lead-to-undetected-failures.md) - [#43528 \[SC-Low\] fund freeze scenario](https://reports.immunefi.com/spectra-finance/43528-sc-low-fund-freeze-scenario.md) - [#43611 \[SC-Low\] Unchecked ETH Transfer in TRANSFER\_NATIVE Command Risks Silent Failures](https://reports.immunefi.com/spectra-finance/43611-sc-low-unchecked-eth-transfer-in-transfer_native-command-risks-silent-failures.md) - [#43380 \[SC-Low\] Missing Error Check in TRANSFER\_NATIVE Command](https://reports.immunefi.com/spectra-finance/43380-sc-low-missing-error-check-in-transfer_native-command.md) - [#43490 \[SC-Low\] TRANSFER\_NATIVE in Dispatcher can lead to loss of funds due to not checking user can receive ETH](https://reports.immunefi.com/spectra-finance/43490-sc-low-transfer_native-in-dispatcher-can-lead-to-loss-of-funds-due-to-not-checking-user-can-re.md) - [#43408 \[SC-Low\] Not checking call success in \`TRANSFER\_NATIVE\`](https://reports.immunefi.com/spectra-finance/43408-sc-low-not-checking-call-success-in-transfer_native.md) - [#43402 \[SC-Insight\] Function \`getPTUnderlyingUnit\` could be marked external](https://reports.immunefi.com/spectra-finance/43402-sc-insight-function-getptunderlyingunit-could-be-marked-external.md) - [#43464 \[SC-Insight\] Refactoring \`Router.sol\` for gas savings and reducing code redundancy from two different \`Router::execute()\` which can result in undesirable outcomes for potentially delayed tra...](https://reports.immunefi.com/spectra-finance/43464-sc-insight-refactoring-router.sol-for-gas-savings-and-reducing-code-redundancy-from-two-differ.md) - [#44083 \[SC-Insight\] Inconsistency in \`CurvePoolUtil\`](https://reports.immunefi.com/spectra-finance/44083-sc-insight-inconsistency-in-curvepoolutil.md) - [#43912 \[SC-Low\] Lack of ETH Success Transfer Checks in Dispatcher.sol](https://reports.immunefi.com/spectra-finance/43912-sc-low-lack-of-eth-success-transfer-checks-in-dispatcher.sol.md) - [#44170 \[SC-Low\] Missing Check for Native ETH Transfer Success Allows Silent Failures and Potential Theft of Funds](https://reports.immunefi.com/spectra-finance/44170-sc-low-missing-check-for-native-eth-transfer-success-allows-silent-failures-and-potential-thef.md) - [#44173 \[SC-Low\] Unchecked Low-Level Call in TRANSFER\_NATIVE in \`Dispatcher::\_dispatch\` Can Lead to Locked Ether and Potential Theft](https://reports.immunefi.com/spectra-finance/44173-sc-low-unchecked-low-level-call-in-transfer_native-in-dispatcher-_dispatch-can-lead-to-locked.md) - [#43274 \[SC-Low\] \`TRANSFER\_NATIVE\` Command in Dispatcher Does Not Check Return Value of Low-Level Call](https://reports.immunefi.com/spectra-finance/43274-sc-low-transfer_native-command-in-dispatcher-does-not-check-return-value-of-low-level-call.md) - [#44131 \[SC-Low\] An attacker can steal frozen user ETH due to Dispatcher error](https://reports.immunefi.com/spectra-finance/44131-sc-low-an-attacker-can-steal-frozen-user-eth-due-to-dispatcher-error.md) - [#43195 \[SC-Insight\] \`Dispatcher.sol\` uses \`initializer\` modifier instead of \`onlyInitializing\`](https://reports.immunefi.com/spectra-finance/43195-sc-insight-dispatcher.sol-uses-initializer-modifier-instead-of-onlyinitializing.md) - [#44084 \[SC-Insight\] Incorrect Nat spec in \`calcIBTsToTokenizeForCurvePool\` and \`calcIBTsToTokenizeForCurvePoolCustomProp\`](https://reports.immunefi.com/spectra-finance/44084-sc-insight-incorrect-nat-spec-in-calcibtstotokenizeforcurvepool-and-calcibtstotokenizeforcurve.md) - [#43729 \[SC-Low\] Silent execution failure on \`Dispatcher::\_dispatch\` due to unchecked return value on \`Dispatcher:TRANSFER\_NATIVE\` operation](https://reports.immunefi.com/spectra-finance/43729-sc-low-silent-execution-failure-on-dispatcher-_dispatch-due-to-unchecked-return-value-on-dispa.md) - [#44175 \[SC-Low\] Missing Success Check for payable(recipient).call](https://reports.immunefi.com/spectra-finance/44175-sc-low-missing-success-check-for-payable-recipient-.call.md) - [Term Structure Institutional | IOP](https://reports.immunefi.com/term-structure-institutional_iop.md) - [#46819 \[SC-Critical\] direct theft of users funds when expired loan get liquidated](https://reports.immunefi.com/term-structure-institutional_iop/46819-sc-critical-direct-theft-of-users-funds-when-expired-loan-get-liquidated.md) - [#46608 \[SC-Medium\] Any call to the repay function can potentially be front-run by a malicious actor, lead to prevent users from repaying on time.](https://reports.immunefi.com/term-structure-institutional_iop/46608-sc-medium-any-call-to-the-repay-function-can-potentially-be-front-run-by-a-malicious-actor-lea.md) - [#46903 \[SC-Critical\] malicious borrower can take theft of other borrower collateral](https://reports.immunefi.com/term-structure-institutional_iop/46903-sc-critical-malicious-borrower-can-take-theft-of-other-borrower-collateral.md) - [#46893 \[SC-High\] settlement functionality can be break forever and blocking settlement actions.](https://reports.immunefi.com/term-structure-institutional_iop/46893-sc-high-settlement-functionality-can-be-break-forever-and-blocking-settlement-actions..md) - [#47008 \[SC-High\] any users with expired loan(not settled) can take theft of lenders collateral when the collateral price increase](https://reports.immunefi.com/term-structure-institutional_iop/47008-sc-high-any-users-with-expired-loan-not-settled-can-take-theft-of-lenders-collateral-when-the.md) - [#47009 \[SC-Low\] Any position can be closed (by repaying the debt) even after the maturity date has passed](https://reports.immunefi.com/term-structure-institutional_iop/47009-sc-low-any-position-can-be-closed-by-repaying-the-debt-even-after-the-maturity-date-has-passed.md) - [#47100 \[SC-Insight\] some checks should be added even if the operator checks each input parameters](https://reports.immunefi.com/term-structure-institutional_iop/47100-sc-insight-some-checks-should-be-added-even-if-the-operator-checks-each-input-parameters.md) - [#47112 \[SC-Critical\] addCollateral causes double economic loss through premature asset transfer and inflated settlement requirements](https://reports.immunefi.com/term-structure-institutional_iop/47112-sc-critical-addcollateral-causes-double-economic-loss-through-premature-asset-transfer-and-inf.md) - [#47115 \[SC-Critical\] Missing Settlement Status Validation in Loan Operations](https://reports.immunefi.com/term-structure-institutional_iop/47115-sc-critical-missing-settlement-status-validation-in-loan-operations.md) - [#47118 \[SC-High\] Incorrect Allowance Validation in addCollateralBeforeSettle](https://reports.immunefi.com/term-structure-institutional_iop/47118-sc-high-incorrect-allowance-validation-in-addcollateralbeforesettle.md) - [#47122 \[SC-Medium\] Array Length Mismatch Enables Partial Settlement Processing](https://reports.immunefi.com/term-structure-institutional_iop/47122-sc-medium-array-length-mismatch-enables-partial-settlement-processing.md) - [#47124 \[SC-Insight\] Minimum Debt Value Updates Trigger Instant Liquidation Condition Changes](https://reports.immunefi.com/term-structure-institutional_iop/47124-sc-insight-minimum-debt-value-updates-trigger-instant-liquidation-condition-changes.md) - [#47125 \[SC-Medium\] Cross-Chain Signature Replay Attack in Settlement Contract](https://reports.immunefi.com/term-structure-institutional_iop/47125-sc-medium-cross-chain-signature-replay-attack-in-settlement-contract.md) - [Zano Trade | IOP](https://reports.immunefi.com/zano-trade-iop.md) - [#47728 \[W\&A-Critical\] Server-Side Request Forgery (SSRF) Vulnerability in Next.js \_app.tsx component](https://reports.immunefi.com/zano-trade-iop/47728-w-and-a-critical-server-side-request-forgery-ssrf-vulnerability-in-next.js-_app.tsx-component.md) - [#47725 \[W\&A-Insight\] Non-Expiring Tokens and CSRF Exposure](https://reports.immunefi.com/zano-trade-iop/47725-w-and-a-insight-non-expiring-tokens-and-csrf-exposure.md) - [#47729 \[W\&A-Insight\] Insecure Token Storage in SessionStorage](https://reports.immunefi.com/zano-trade-iop/47729-w-and-a-insight-insecure-token-storage-in-sessionstorage.md) - [#47731 \[W\&A-Insight\] Offer Listings N+1 Query Performance Vulnerability](https://reports.immunefi.com/zano-trade-iop/47731-w-and-a-insight-offer-listings-n+1-query-performance-vulnerability.md) - [#47740 \[W\&A-Critical\] Server-Side Request Forgery (SSRF) in \`./src/pages/\_app.tsx\` via the Host header](https://reports.immunefi.com/zano-trade-iop/47740-w-and-a-critical-server-side-request-forgery-ssrf-in-.-src-pages-_app.tsx-via-the-host-header.md) - [#47741 \[W\&A-Insight\] Missing JWT\_SECRET in Env Allows Token Forgery via Empty Secret](https://reports.immunefi.com/zano-trade-iop/47741-w-and-a-insight-missing-jwt_secret-in-env-allows-token-forgery-via-empty-secret.md) - [#48436 \[W\&A-Critical\] Dos is possible through the order creation api](https://reports.immunefi.com/zano-trade-iop/48436-w-and-a-critical-dos-is-possible-through-the-order-creation-api.md) - [Paradex | IOP](https://reports.immunefi.com/iop-paradex.md) - [#46611 \[SC-Insight\] Missing staleness checks in oracle queries](https://reports.immunefi.com/iop-paradex/46611-sc-insight-missing-staleness-checks-in-oracle-queries.md) - [#46570 \[SC-Insight\] account list DoS issue](https://reports.immunefi.com/iop-paradex/46570-sc-insight-account-list-dos-issue.md) - [#46639 \[SC-Low\] The \`\_settlement\_fee\_payments\` function contains a calculation error that leads to abnormal user balances.](https://reports.immunefi.com/iop-paradex/46639-sc-low-the-_settlement_fee_payments-function-contains-a-calculation-error-that-leads-to-abnorm.md) - [#46675 \[SC-Insight\] Insufficient Time Validation in function settle\_trade\_v2](https://reports.immunefi.com/iop-paradex/46675-sc-insight-insufficient-time-validation-in-function-settle_trade_v2.md) - [#46676 \[SC-Insight\] Unrestricted Minimum Lockup Period](https://reports.immunefi.com/iop-paradex/46676-sc-insight-unrestricted-minimum-lockup-period.md) - [#46747 \[SC-Insight\] Self-Referral Vulnerability in Account Referral System](https://reports.immunefi.com/iop-paradex/46747-sc-insight-self-referral-vulnerability-in-account-referral-system.md) - [#46839 \[SC-Low\] \`max\_withdraw\` and \`max\_withdraw\` do not fully consider global restrictions.](https://reports.immunefi.com/iop-paradex/46839-sc-low-max_withdraw-and-max_withdraw-do-not-fully-consider-global-restrictions..md) - [#46843 \[SC-Critical\] Bypass of Restrictions When Paraclear\_transfer\_registry Is Unregistered](https://reports.immunefi.com/iop-paradex/46843-sc-critical-bypass-of-restrictions-when-paraclear_transfer_registry-is-unregistered.md) - [#46856 \[SC-Medium\] The calculation of shares obtained through token trades will be incorrect, causing users to pay excessive yield fees.](https://reports.immunefi.com/iop-paradex/46856-sc-medium-the-calculation-of-shares-obtained-through-token-trades-will-be-incorrect-causing-us.md) - [#46867 \[SC-Insight\] The \`is\_liquidation\` field in \`transfer\_internal\` is not properly differentiated.](https://reports.immunefi.com/iop-paradex/46867-sc-insight-the-is_liquidation-field-in-transfer_internal-is-not-properly-differentiated..md) - [#46888 \[SC-High\] account\_transfer\_partial: lack of input validation when working with signed integers](https://reports.immunefi.com/iop-paradex/46888-sc-high-account_transfer_partial-lack-of-input-validation-when-working-with-signed-integers.md) - [#46892 \[SC-High\] small deposits could prevent users from withdrawing their funds](https://reports.immunefi.com/iop-paradex/46892-sc-high-small-deposits-could-prevent-users-from-withdrawing-their-funds.md) - [#46910 \[SC-Insight\] Token Balance Event Data Inconsistency in Position Transfers](https://reports.immunefi.com/iop-paradex/46910-sc-insight-token-balance-event-data-inconsistency-in-position-transfers.md) - [#46942 \[SC-Low\] set perpetual asset balance link there is no cycle checks](https://reports.immunefi.com/iop-paradex/46942-sc-low-set-perpetual-asset-balance-link-there-is-no-cycle-checks.md) - [#46960 \[SC-Insight\] trade order sizes are not validated properly](https://reports.immunefi.com/iop-paradex/46960-sc-insight-trade-order-sizes-are-not-validated-properly.md) - [#46989 \[SC-Insight\] Invalid trade side check](https://reports.immunefi.com/iop-paradex/46989-sc-insight-invalid-trade-side-check.md) - [#46997 \[SC-Medium\] The vault performs an unsafe conversion on the getAccountValue result.](https://reports.immunefi.com/iop-paradex/46997-sc-medium-the-vault-performs-an-unsafe-conversion-on-the-getaccountvalue-result..md) - [#47198 \[SC-Critical\] The operator can perform unauthorized fund transfers.](https://reports.immunefi.com/iop-paradex/47198-sc-critical-the-operator-can-perform-unauthorized-fund-transfers..md) - [#47257 \[SC-Insight\] Lack of position quantity limit for a single account.](https://reports.immunefi.com/iop-paradex/47257-sc-insight-lack-of-position-quantity-limit-for-a-single-account..md) - [#47291 \[SC-Insight\] Serveal bugs in function set\_prices\_and\_funding\_snapshot](https://reports.immunefi.com/iop-paradex/47291-sc-insight-serveal-bugs-in-function-set_prices_and_funding_snapshot.md) - [#47295 \[SC-Insight\] Configurator Can Manipulate Critical Parameters to Force Mass Liquidations and Drain Protocol Funds](https://reports.immunefi.com/iop-paradex/47295-sc-insight-configurator-can-manipulate-critical-parameters-to-force-mass-liquidations-and-drai.md) - [#47299 \[SC-Insight\] The \`is\_risky\` check is improper.](https://reports.immunefi.com/iop-paradex/47299-sc-insight-the-is_risky-check-is-improper..md) - [#47309 \[SC-Medium\] Type mishandling allows for users to withdraw FAST from vault instead of STANDARD](https://reports.immunefi.com/iop-paradex/47309-sc-medium-type-mishandling-allows-for-users-to-withdraw-fast-from-vault-instead-of-standard.md) - [#47310 \[SC-Medium\] Integer to Felt conversion completely ruins the Vaults accounting](https://reports.immunefi.com/iop-paradex/47310-sc-medium-integer-to-felt-conversion-completely-ruins-the-vaults-accounting.md) - [#47314 \[SC-Medium\] account\_transfer\_partial(...) function doesn't check sender's health after transferring balances](https://reports.immunefi.com/iop-paradex/47314-sc-medium-account_transfer_partial-...-function-doesnt-check-senders-health-after-transferring.md) - [#47313 \[SC-Insight\] Transfer(...) function doesn't account for current USDC price](https://reports.immunefi.com/iop-paradex/47313-sc-insight-transfer-...-function-doesnt-account-for-current-usdc-price.md) - [#47316 \[SC-Low\] account\_transfer\_partial(...) function doesn't check that receiver has a registered account in the system](https://reports.immunefi.com/iop-paradex/47316-sc-low-account_transfer_partial-...-function-doesnt-check-that-receiver-has-a-registered-accou.md) - [#47317 \[SC-Low\] Transfer function only allows collateral transfers from free balance but can be bypassed](https://reports.immunefi.com/iop-paradex/47317-sc-low-transfer-function-only-allows-collateral-transfers-from-free-balance-but-can-be-bypasse.md) - [#47330 \[SC-Low\] The fee calculation in \`settle\_market\` is unreasonable.](https://reports.immunefi.com/iop-paradex/47330-sc-low-the-fee-calculation-in-settle_market-is-unreasonable..md) - [#47318 \[SC-Insight\] If the counterparty happens to be their own referrer, the protocol does not take the referral fee into account during the risk check.](https://reports.immunefi.com/iop-paradex/47318-sc-insight-if-the-counterparty-happens-to-be-their-own-referrer-the-protocol-does-not-take-the.md) - [#47370 \[SC-Critical\] \`account\_transfer\_partial\` should not be enabled when \`transfer\_registry\_address\` is not configured.](https://reports.immunefi.com/iop-paradex/47370-sc-critical-account_transfer_partial-should-not-be-enabled-when-transfer_registry_address-is-n.md) - [#47351 \[SC-Low\] Funds get stuck in the bridge if attempted to be deposited into a restricted address](https://reports.immunefi.com/iop-paradex/47351-sc-low-funds-get-stuck-in-the-bridge-if-attempted-to-be-deposited-into-a-restricted-address.md) - [#47377 \[SC-Insight\] No Restriction on Self Transfer](https://reports.immunefi.com/iop-paradex/47377-sc-insight-no-restriction-on-self-transfer.md) - [#47380 \[SC-Insight\] Incorrect token\_assets\_value in AccountLiquidated Event](https://reports.immunefi.com/iop-paradex/47380-sc-insight-incorrect-token_assets_value-in-accountliquidated-event.md) - [Flare FAssets | Mainnet Audit Comp](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp.md) - [#45309 \[SC-Insight\] Gas Optimization in \`\_burnForAtNow\` Function for efficient balance retrieval](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/45309-sc-insight-gas-optimization-in-_burnforatnow-function-for-efficient-balance-retrieval.md) - [#45310 \[SC-Insight\] \`IWNat(address(token)).governanceVotePower().undelegate()\` is redundant after \`undelegateGovernance()\`](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/45310-sc-insight-iwnat-address-token-.governancevotepower-.undelegate-is-redundant-after-undelegateg.md) - [#45357 \[SC-Insight\] Increase in the usedTokens array](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/45357-sc-insight-increase-in-the-usedtokens-array.md) - [#45368 \[SC-Insight\] Corruptible Upgradability Pattern](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/45368-sc-insight-corruptible-upgradability-pattern.md) - [#45377 \[SC-Insight\] Missing pause modifier in \`beforeCollateralWithdrawal\` allows collateral theft during a pause](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/45377-sc-insight-missing-pause-modifier-in-beforecollateralwithdrawal-allows-collateral-theft-during.md) - [#45379 \[SC-Low\] Frontrunning Vulnerability in createAgentVault Suffix Reservation](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/45379-sc-low-frontrunning-vulnerability-in-createagentvault-suffix-reservation.md) - [#45405 \[SC-Insight\] Insufficient Documentation for Governance-Controlled Functions and Critical Parameters in 'CoreVaultManager.sol'](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/45405-sc-insight-insufficient-documentation-for-governance-controlled-functions-and-critical-paramet.md) - [#45439 \[SC-Low\] Empty String Allowed as Pool Token Suffix in \_reserveAndValidatePoolTokenSuffix](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/45439-sc-low-empty-string-allowed-as-pool-token-suffix-in-_reserveandvalidatepooltokensuffix.md) - [#45447 \[SC-Medium\] Executor cannot execute minting while the agent can execute the transaction and steal executor fee](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/45447-sc-medium-executor-cannot-execute-minting-while-the-agent-can-execute-the-transaction-and-stea.md) - [#45450 \[SC-Insight\] Outdated underlying chain data lead to shortened minting windows or DoS when minting fAssets](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/45450-sc-insight-outdated-underlying-chain-data-lead-to-shortened-minting-windows-or-dos-when-mintin.md) - [#45478 \[SC-Medium\] Minting Cap Check Doesn't Include \`poolFeeUBA\` in \`selfMint\` and \`mintFromUnderlying\`](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/45478-sc-medium-minting-cap-check-doesnt-include-poolfeeuba-in-selfmint-and-mintfromunderlying.md) - [#45485 \[SC-Insight\] Comments above \`reserveCollateral\` indicate collateral reservation fee is burned, which is not the case](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/45485-sc-insight-comments-above-reservecollateral-indicate-collateral-reservation-fee-is-burned-whic.md) - [#45499 \[SC-Low\] Malicious user can prevent agent to be destroyed and lock up his funds](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/45499-sc-low-malicious-user-can-prevent-agent-to-be-destroyed-and-lock-up-his-funds.md) - [#45514 \[SC-Medium\] malicious agents can trap stakers by raising the exit collateral ratio](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/45514-sc-medium-malicious-agents-can-trap-stakers-by-raising-the-exit-collateral-ratio.md) - [#45517 \[SC-Insight\] Partial Documentation for Self-Close Exit Fee Handling and Redemption Workflow in 'CollateralPool.sol'](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/45517-sc-insight-partial-documentation-for-self-close-exit-fee-handling-and-redemption-workflow-in-c.md) - [#45533 \[SC-Low\] Incorrect gas allowance comparison in CoreVault transfer function leads to user fund loss](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/45533-sc-low-incorrect-gas-allowance-comparison-in-corevault-transfer-function-leads-to-user-fund-lo.md) - [#45554 \[SC-Medium\] Fee loss during Agent's feeBIPS reduction in \`selfMint\` function](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/45554-sc-medium-fee-loss-during-agents-feebips-reduction-in-selfmint-function.md) - [#45550 \[SC-Medium\] \[H-01\] \`illegalPaymentChallenge\` is vulnerable to frontrunning by external challengers stealing the reward](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/45550-sc-medium-h-01-illegalpaymentchallenge-is-vulnerable-to-frontrunning-by-external-challengers-s.md) - [#45574 \[SC-Insight\] Redundant Per‑Item Upper Bound Check in \`validateLiquidationFactors\`](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/45574-sc-insight-redundant-per-item-upper-bound-check-in-validateliquidationfactors.md) - [#45665 \[SC-Medium\] \[H-02\] Minting Cap Bypass via Pool Fee Exclusion during Self Mint](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/45665-sc-medium-h-02-minting-cap-bypass-via-pool-fee-exclusion-during-self-mint.md) - [#45674 \[SC-Insight\] \`executeMinting()\` allows impersonation of minter during chain-reorg due to deterministic \`crtId\` and lack of minter binding](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/45674-sc-insight-executeminting-allows-impersonation-of-minter-during-chain-reorg-due-to-determinist.md) - [#45604 \[SC-Low\] User Overpayment in \`transferToCoreVault\` Fee Handling](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/45604-sc-low-user-overpayment-in-transfertocorevault-fee-handling.md) - [#45731 \[SC-Insight\] Off-by-One Logic in Escrow End Timestamp Calculation May Cause Unintended Escrow Delay](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/45731-sc-insight-off-by-one-logic-in-escrow-end-timestamp-calculation-may-cause-unintended-escrow-de.md) - [#45685 \[SC-Insight\] Incorrect comments in finishRedemptionWithoutPayment](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/45685-sc-insight-incorrect-comments-in-finishredemptionwithoutpayment.md) - [#45769 \[SC-Medium\] Permanent blocking of Agent's fund by allowed minters](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/45769-sc-medium-permanent-blocking-of-agents-fund-by-allowed-minters.md) - [#45772 \[SC-Insight\] NatSpec Mismatch in CoreVault Redemption Logic](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/45772-sc-insight-natspec-mismatch-in-corevault-redemption-logic.md) - [#45830 \[SC-Medium\] Incorrect amount passed to checkMintingCap in self-minting allows bypassing of config minting cap](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/45830-sc-medium-incorrect-amount-passed-to-checkmintingcap-in-self-minting-allows-bypassing-of-confi.md) - [#45813 \[SC-Insight\] Missing \`setAutoClaiming\` Function](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/45813-sc-insight-missing-setautoclaiming-function.md) - [#45864 \[SC-Insight\] Minter's underlying token can get stuck if the agent calls mintingDefault before the minter’s transaction is recorded on the underlying blockchain.](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/45864-sc-insight-minters-underlying-token-can-get-stuck-if-the-agent-calls-mintingdefault-before-the.md) - [#45893 \[SC-High\] Agent role can stolen nat token from protocol users](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/45893-sc-high-agent-role-can-stolen-nat-token-from-protocol-users.md) - [#45897 \[SC-Low\] Executor Fee Lost in \`rejectInvalidRedemption()\` Due to Missing Handling Logic](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/45897-sc-low-executor-fee-lost-in-rejectinvalidredemption-due-to-missing-handling-logic.md) - [#45904 \[SC-High\] Malicious agent can forge a non-payment proof despite user's valid payment and fraudulently trigger \`mintingPaymentDefault\`](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/45904-sc-high-malicious-agent-can-forge-a-non-payment-proof-despite-users-valid-payment-and-fraudule.md) - [#45910 \[SC-Medium\] Changing collateral ratio makes Agents prone to liquidation](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/45910-sc-medium-changing-collateral-ratio-makes-agents-prone-to-liquidation.md) - [#45943 \[SC-Low\] rejectInvalidRedemption fee is not awarded to agent, resulting in stuck or misallocated funds](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/45943-sc-low-rejectinvalidredemption-fee-is-not-awarded-to-agent-resulting-in-stuck-or-misallocated.md) - [#45949 \[SC-Insight\] Mismatch between doc and implementation for \`confirmationByOthersAfterSeconds\` minimum on XRP](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/45949-sc-insight-mismatch-between-doc-and-implementation-for-confirmationbyothersafterseconds-minimu.md) - [#45956 \[SC-Insight\] EOA only on smart contract chains bypassed on ETH](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/45956-sc-insight-eoa-only-on-smart-contract-chains-bypassed-on-eth.md) - [#45978 \[SC-Insight\] Failed Transactions Trigger Invalid Double Payment Challenges Causing Loss of Funds for Legitimate Agents](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/45978-sc-insight-failed-transactions-trigger-invalid-double-payment-challenges-causing-loss-of-funds.md) - [#45961 \[SC-Insight\] \`selfMint()\` Can Lead to Permanent Loss of Agents' Funds During Emergency Pause](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/45961-sc-insight-selfmint-can-lead-to-permanent-loss-of-agents-funds-during-emergency-pause.md) - [#45987 \[SC-Medium\] A malicious user can fill up the redemption queue with the minimum size (1 lot), making legitimate redeemers to redeem always multiple times](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/45987-sc-medium-a-malicious-user-can-fill-up-the-redemption-queue-with-the-minimum-size-1-lot-making.md) - [#45979 \[SC-High\] Agent can steal funds from FLR holders who have deposited in agent's collateral pool](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/45979-sc-high-agent-can-steal-funds-from-flr-holders-who-have-deposited-in-agents-collateral-pool.md) - [#46068 \[SC-Low\] selfCloseExitTo is lack of slippage protect](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46068-sc-low-selfcloseexitto-is-lack-of-slippage-protect.md) - [#46081 \[SC-Medium\] Wrong check in \`redeemFromCoreVault\` will result in unnecessary revert](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46081-sc-medium-wrong-check-in-redeemfromcorevault-will-result-in-unnecessary-revert.md) - [#46071 \[SC-Low\] Ultra-low amount of total shares in collateral pool](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46071-sc-low-ultra-low-amount-of-total-shares-in-collateral-pool.md) - [#46092 \[SC-Insight\] AgentVault::destroy mismatch between comment documentation and contract behavior](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46092-sc-insight-agentvault-destroy-mismatch-between-comment-documentation-and-contract-behavior.md) - [#46108 \[SC-Medium\] Minting Cap can by bypassed while self minting](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46108-sc-medium-minting-cap-can-by-bypassed-while-self-minting.md) - [#46121 \[SC-High\] Malicious agent can manipulate the totalCollateral to cause damage to the protocol](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46121-sc-high-malicious-agent-can-manipulate-the-totalcollateral-to-cause-damage-to-the-protocol.md) - [#46119 \[SC-Low\] Incorrect \`msg.Value\` check in \`CoreVault\` Transfer](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46119-sc-low-incorrect-msg.value-check-in-corevault-transfer.md) - [#46122 \[SC-Insight\] Incorrect Minimum Lots Validation in CoreVault Redemption](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46122-sc-insight-incorrect-minimum-lots-validation-in-corevault-redemption.md) - [#46198 \[SC-Insight\] Redemption Blocked if Agent Refuses to Confirm Core Vault Payment](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46198-sc-insight-redemption-blocked-if-agent-refuses-to-confirm-core-vault-payment.md) - [#46210 \[SC-Insight\] Incorrect timestamp comparison in function "beforeCollateralWithdrawal" allows agent to withdraw at last second without being challenged](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46210-sc-insight-incorrect-timestamp-comparison-in-function-beforecollateralwithdrawal-allows-agent.md) - [#46218 \[SC-Insight\] Documentation-Implementation Discrepancy in Agent Vault Access Control](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46218-sc-insight-documentation-implementation-discrepancy-in-agent-vault-access-control.md) - [#46220 \[SC-Insight\] Missing Documented Function in the CollateralPool Contract](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46220-sc-insight-missing-documented-function-in-the-collateralpool-contract.md) - [#46241 \[SC-Insight\] Misleading definition in Core-Vault documentation (“CV operators submit proof”)](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46241-sc-insight-misleading-definition-in-core-vault-documentation-cv-operators-submit-proof.md) - [#46247 \[SC-Medium\] Token transfer can revert in unstickMinting because of insufficient funds in the vault.](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46247-sc-medium-token-transfer-can-revert-in-unstickminting-because-of-insufficient-funds-in-the-vau.md) - [#46266 \[SC-Insight\] Cannot use a pool token suffix of MAX\_SUFFIX\_LEN](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46266-sc-insight-cannot-use-a-pool-token-suffix-of-max_suffix_len.md) - [#46265 \[SC-Medium\] Logic flaw in transferToCoreVault allows creation of zero-value redemption request](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46265-sc-medium-logic-flaw-in-transfertocorevault-allows-creation-of-zero-value-redemption-request.md) - [#46282 \[SC-High\] Wrong implementation of \`payout\` would lead to loss of fee share of \`AgentVault\`](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46282-sc-high-wrong-implementation-of-payout-would-lead-to-loss-of-fee-share-of-agentvault.md) - [#46311 \[SC-Insight\] Unbacked Redemptions Due to Donation- Attack on CoreVault Can Freeze Agent Collateral](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46311-sc-insight-unbacked-redemptions-due-to-donation-attack-on-corevault-can-freeze-agent-collatera.md) - [#46320 \[SC-Low\] Executor fee will be stuck in the contract when rejectInvalidRedemption is called](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46320-sc-low-executor-fee-will-be-stuck-in-the-contract-when-rejectinvalidredemption-is-called.md) - [#46271 \[SC-Medium\] Rewards claiming functionality is broken.](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46271-sc-medium-rewards-claiming-functionality-is-broken..md) - [#46326 \[SC-Medium\] Incorrect Minting Cap Check in Minting Process](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46326-sc-medium-incorrect-minting-cap-check-in-minting-process.md) - [#46378 \[SC-High\] Unconditional F-Asset burn during partial collateral redemptions enables direct theft of user funds](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46378-sc-high-unconditional-f-asset-burn-during-partial-collateral-redemptions-enables-direct-theft.md) - [#46442 \[SC-Low\] Agent collateral pool is vulnerable to inflation attack](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46442-sc-low-agent-collateral-pool-is-vulnerable-to-inflation-attack.md) - [#46437 \[SC-High\] Agent can circumvent double payment challenge on XRP chain using other types of transaction](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46437-sc-high-agent-can-circumvent-double-payment-challenge-on-xrp-chain-using-other-types-of-transa.md) - [#46486 \[SC-Low\] Faulty logic in \`transferToCoreVault\` makes users pay more for the refund transaction than the amount being refunded.](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46486-sc-low-faulty-logic-in-transfertocorevault-makes-users-pay-more-for-the-refund-transaction-tha.md) - [#46462 \[SC-Low\] Malicious collateral provider can steal funds from agent collateral pool by donating a large amount of native token to the pool (inflation attack)](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46462-sc-low-malicious-collateral-provider-can-steal-funds-from-agent-collateral-pool-by-donating-a.md) - [#46493 \[SC-Insight\] ADDRESS\_STORAGE\_POSITION is not ERC7201 compliant](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46493-sc-insight-address_storage_position-is-not-erc7201-compliant.md) - [#46520 \[SC-Low\] ETH loss on \`selfCloseExitTo\` when redeeming to collateral](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46520-sc-low-eth-loss-on-selfcloseexitto-when-redeeming-to-collateral.md) - [#46534 \[SC-Insight\] Missing Validation to Prevent Self-Assignment of Work Address](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46534-sc-insight-missing-validation-to-prevent-self-assignment-of-work-address.md) - [#46541 \[SC-High\] Historical Payment Transaction Exploitation Leading to Instant Agent Liquidation](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46541-sc-high-historical-payment-transaction-exploitation-leading-to-instant-agent-liquidation.md) - [#46546 \[SC-Insight\] Accounting Mismatches in AgentVault.sol Due to Non-Standard ERC20 Tokens](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46546-sc-insight-accounting-mismatches-in-agentvault.sol-due-to-non-standard-erc20-tokens.md) - [#46587 \[SC-Low\] Overpayment loss in \`transferToCoreVault\` due to incorrect refund condition](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46587-sc-low-overpayment-loss-in-transfertocorevault-due-to-incorrect-refund-condition.md) - [#46592 \[SC-High\] The return value of redeemFromAgent/redeemFromAgentInCollateral in the selfCloseExitTo is not checked](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46592-sc-high-the-return-value-of-redeemfromagent-redeemfromagentincollateral-in-the-selfcloseexitto.md) - [#46643 \[SC-Low\] \`destroyAgent\` in \`AgentsCreateDestroy\` is prone to DOS](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46643-sc-low-destroyagent-in-agentscreatedestroy-is-prone-to-dos.md) - [#46677 \[SC-Insight\] Wrong comment in \_getFAssetRequiredToNotSpoilCR](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46677-sc-insight-wrong-comment-in-_getfassetrequiredtonotspoilcr.md) - [#46681 \[SC-Low\] malicious actor can prevent agent from being destroyed](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46681-sc-low-malicious-actor-can-prevent-agent-from-being-destroyed.md) - [#46688 \[SC-High\] \`claimAirdropDistribution()\` Allows Arbitrary Inflation of \`totalCollateral\`](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46688-sc-high-claimairdropdistribution-allows-arbitrary-inflation-of-totalcollateral.md) - [#46702 \[SC-Insight\] \`executeMinting()\` Enables Cross-Contract Reentrancy to Manipulate Collateral Pool Pricing](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46702-sc-insight-executeminting-enables-cross-contract-reentrancy-to-manipulate-collateral-pool-pric.md) - [#46714 \[SC-Medium\] Agent can frontrun executor to steal unclaimed executor fee in minting process](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46714-sc-medium-agent-can-frontrun-executor-to-steal-unclaimed-executor-fee-in-minting-process.md) - [#46721 \[SC-Insight\] Inconsistencies for agentTimelockedOperationWindowSeconds value checks between SettingsInitializer.sol::\_validateSettings and SettingsManagementFacet.sol::setAgentTimelockedOpera...](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46721-sc-insight-inconsistencies-for-agenttimelockedoperationwindowseconds-value-checks-between-sett.md) - [#46758 \[SC-Low\] Collateral Reservation Fee Calculation Inconsistent with Actual Reserved Value](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46758-sc-low-collateral-reservation-fee-calculation-inconsistent-with-actual-reserved-value.md) - [#46771 \[SC-Insight\] Incorrect Collateral Ratio Check Due to Rounding Error](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46771-sc-insight-incorrect-collateral-ratio-check-due-to-rounding-error.md) - [#46826 \[SC-Medium\] transferFeeWei + Transfers.TRANSFER\_GAS\_ALLOWANCE\` when \`CoreVault::transferToCoreVault()\` is called.](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46826-sc-medium-transferfeewei-+-transfers.transfer_gas_allowance-when-corevault-transfertocorevault.md) - [#46838 \[SC-Low\] Agent Destruction Can Be Blocked by Malicious Collateral Pool Entries](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46838-sc-low-agent-destruction-can-be-blocked-by-malicious-collateral-pool-entries.md) - [#46836 \[SC-Low\] buybackAgentCollateral will revert due to overflow](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46836-sc-low-buybackagentcollateral-will-revert-due-to-overflow.md) - [#46847 \[SC-Low\] executor fee is not paid or burned in \`rejectInvalidRedemption\`](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46847-sc-low-executor-fee-is-not-paid-or-burned-in-rejectinvalidredemption.md) - [#46848 \[SC-Insight\] Minters can grief agents by deliberately fragmenting the agent's redemption ticket queue with minimal size tickets, preventing or delaying large transfers to core vault](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46848-sc-insight-minters-can-grief-agents-by-deliberately-fragmenting-the-agents-redemption-ticket-q.md) - [#46886 \[SC-Low\] \`destroyAgent()\` functionality can easily be bricked due to Frontrunning Attack](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46886-sc-low-destroyagent-functionality-can-easily-be-bricked-due-to-frontrunning-attack.md) - [#46858 \[SC-High\] The agent owner can exploit a malicious rewardManager to steal tokens from the protocol](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46858-sc-high-the-agent-owner-can-exploit-a-malicious-rewardmanager-to-steal-tokens-from-the-protoco.md) - [#46924 \[SC-Low\] Last user may exit with almost all of his values, but he'll purposefully leave a small 1e18 or a little more to grief \`destroy()\`](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46924-sc-low-last-user-may-exit-with-almost-all-of-his-values-but-hell-purposefully-leave-a-small-1e.md) - [#46930 \[SC-Low\] \`depositNat()\` in \`CollateralPool\` Fails to Notify Asset Manager, By not calling the \`updateCollateral\`](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46930-sc-low-depositnat-in-collateralpool-fails-to-notify-asset-manager-by-not-calling-the-updatecol.md) - [#46929 \[SC-Medium\] Incorrect required underlying value check used in mintFromFreeUnderlying function](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46929-sc-medium-incorrect-required-underlying-value-check-used-in-mintfromfreeunderlying-function.md) - [#46943 \[SC-Medium\] Agents can prevent user CoreVault redemptions by sandwiching them with a requestReturnFromCoreVault and a cancelReturnFromCoreVault](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46943-sc-medium-agents-can-prevent-user-corevault-redemptions-by-sandwiching-them-with-a-requestretu.md) - [#46949 \[SC-High\] Top-up discount miscalculation allows minting excess pool tokens via repeated small deposits in \`CollateralPool::enter\`](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46949-sc-high-top-up-discount-miscalculation-allows-minting-excess-pool-tokens-via-repeated-small-de.md) - [#46953 \[SC-High\] agents who create agents with prior transactions can be instantly unfairly liquidated](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46953-sc-high-agents-who-create-agents-with-prior-transactions-can-be-instantly-unfairly-liquidated.md) - [#46969 \[SC-Low\] Inconsistent Use of poolFeeShareBIPS Between Collateral Reservation and Distribution](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46969-sc-low-inconsistent-use-of-poolfeesharebips-between-collateral-reservation-and-distribution.md) - [#46976 \[SC-Low\] Agent Destruction Can Permanently Lock Unclaimed Transfer Fees](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46976-sc-low-agent-destruction-can-permanently-lock-unclaimed-transfer-fees.md) - [#46982 \[SC-Insight\] Spread calculation discrepancy allows wildly divergent prices to be accepted](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46982-sc-insight-spread-calculation-discrepancy-allows-wildly-divergent-prices-to-be-accepted.md) - [#46984 \[SC-Low\] Incomplete Token Supply Check After Token Share Recalculation in \`\_selfCloseExitTo\`](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46984-sc-low-incomplete-token-supply-check-after-token-share-recalculation-in-_selfcloseexitto.md) - [#46985 \[SC-High\] CollateralPool::totalCollateral can be increased to arbitrary value](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46985-sc-high-collateralpool-totalcollateral-can-be-increased-to-arbitrary-value.md) - [#46993 \[SC-Low\] Malicious agent with large capital can abuse \`cancelReturnFromCoreVault\` to block access to core vault liquidity during high redemption demand](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46993-sc-low-malicious-agent-with-large-capital-can-abuse-cancelreturnfromcorevault-to-block-access.md) - [#46999 \[SC-Insight\] Absence of event emission in critical functions](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/46999-sc-insight-absence-of-event-emission-in-critical-functions.md) - [#47010 \[SC-Low\] \`CollateralPool::donateNat\` manipulation enables arbitrary pool‐token value inflation and fee‐debt evasion](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/47010-sc-low-collateralpool-donatenat-manipulation-enables-arbitrary-pool-token-value-inflation-and.md) - [#47020 \[SC-High\] A malicious agent can extract funds from the collateral pool by diluting the value of existing collateral providers' shares.](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/47020-sc-high-a-malicious-agent-can-extract-funds-from-the-collateral-pool-by-diluting-the-value-of.md) - [#47034 \[SC-Medium\] check minting cap function checks on incorrect amount in mintFromFreeUnderlying function](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/47034-sc-medium-check-minting-cap-function-checks-on-incorrect-amount-in-mintfromfreeunderlying-func.md) - [#47039 \[SC-Medium\] \`poolMintFee\` is not considered for or checked against the\`mintingCapAMG\` limits.](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/47039-sc-medium-poolmintfee-is-not-considered-for-or-checked-against-the-mintingcapamg-limits..md) - [#47033 \[SC-Low\] Incorrect calculation of total available amount in core vault in a certain case when a user redeems from the core vault](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/47033-sc-low-incorrect-calculation-of-total-available-amount-in-core-vault-in-a-certain-case-when-a.md) - [#47053 \[SC-Low\] \`transferToCoreVault()\` allows agents to have unbacked synthetic assets by extracting underlying value without burning](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/47053-sc-low-transfertocorevault-allows-agents-to-have-unbacked-synthetic-assets-by-extracting-under.md) - [#47060 \[SC-High\] Unchecked Partial Payout on selfCloseExit Allows User Underpayment](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/47060-sc-high-unchecked-partial-payout-on-selfcloseexit-allows-user-underpayment.md) - [#47082 \[SC-Low\] Zero collateral payout despite burned fAssets](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/47082-sc-low-zero-collateral-payout-despite-burned-fassets.md) - [#47087 \[SC-Insight\] CollateralTypesFacet.sol::deprecateCollateralType allows to break CollateralTypes.sol::initialize invariant because it allows to deprecate all token collateral vaults leading to ...](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/47087-sc-insight-collateraltypesfacet.sol-deprecatecollateraltype-allows-to-break-collateraltypes.so.md) - [#47091 \[SC-Insight\] \`setWorkAddress()\` enables front-running attacks to hijack work addresses](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/47091-sc-insight-setworkaddress-enables-front-running-attacks-to-hijack-work-addresses.md) - [#47106 \[SC-Low\] Collateral Reservation Fee distribution uses current poolFeeShareBips instead of value stored during during time of collateral reservation](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/47106-sc-low-collateral-reservation-fee-distribution-uses-current-poolfeesharebips-instead-of-value.md) - [#47094 \[SC-Insight\] Missing Event Emission in \`AgentVault\` and \`CollateralPoolToken\` Factory Contracts](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/47094-sc-insight-missing-event-emission-in-agentvault-and-collateralpooltoken-factory-contracts.md) - [#47108 \[SC-High\] selfCloseExitTo() can cause users to receive partial payments without validation, leading to permanent asset loss](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/47108-sc-high-selfcloseexitto-can-cause-users-to-receive-partial-payments-without-validation-leading.md) - [#47116 \[SC-Insight\] Undocumented Redemption Pool Fee Share potentially leading to confusion](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/47116-sc-insight-undocumented-redemption-pool-fee-share-potentially-leading-to-confusion.md) - [#47121 \[SC-Insight\] Incorrect documentation on pool Top-up feature](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/47121-sc-insight-incorrect-documentation-on-pool-top-up-feature.md) - [#47150 \[SC-Insight\] XRP Deposit Authorization Griefing Attack on Minting Process](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/47150-sc-insight-xrp-deposit-authorization-griefing-attack-on-minting-process.md) - [#47159 \[SC-Insight\] Lack of Access Control on \`triggerInstructions()\` Allows Unauthorized Transfers Post-Deletion](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/47159-sc-insight-lack-of-access-control-on-triggerinstructions-allows-unauthorized-transfers-post-de.md) - [#45336 \[SC-Low\] Malicious Agent could repeatedly create and destroy vaults reserving different suffixes and grief other agents](https://reports.immunefi.com/flare-fassets-or-mainnet-audit-comp/45336-sc-low-malicious-agent-could-repeatedly-create-and-destroy-vaults-reserving-different-suffixes.md) - [Flare FAssets | Mitigation Audit](https://reports.immunefi.com/flare-fassets-or-mitigation-audit.md) - [#54887 \[SC-Insight\] mitigation regression pool token suffix length excludes valid 1 and 20 char values the fix rejects valid edge lengths and breaks agent creation ](https://reports.immunefi.com/flare-fassets-or-mitigation-audit/54887-sc-insight-mitigation-regression-pool-token-suffix-length-excludes-valid-1-and-20-char-values.md) - [#55046 \[SC-Insight\] claimed rewards paid in legacy wnat after an upgrade are silently ignored by the balance delta fix](https://reports.immunefi.com/flare-fassets-or-mitigation-audit/55046-sc-insight-claimed-rewards-paid-in-legacy-wnat-after-an-upgrade-are-silently-ignored-by-the-ba.md) - [#54955 \[SC-Insight\] malicious agents can trap stakers by raising exit collateral ratio](https://reports.immunefi.com/flare-fassets-or-mitigation-audit/54955-sc-insight-malicious-agents-can-trap-stakers-by-raising-exit-collateral-ratio.md) - [#55025 \[SC-Insight\] corevault refund failure can permanently freeze overpaid nat on assetmanager](https://reports.immunefi.com/flare-fassets-or-mitigation-audit/55025-sc-insight-corevault-refund-failure-can-permanently-freeze-overpaid-nat-on-assetmanager.md) - [#54916 \[SC-Low\] minting cap can be surpassed via redemption fee](https://reports.immunefi.com/flare-fassets-or-mitigation-audit/54916-sc-low-minting-cap-can-be-surpassed-via-redemption-fee.md) - [#55002 \[SC-Low\] rewards claims increase pool collateral but do not notify assetmanager stale cr accounting after fix for 45893 ](https://reports.immunefi.com/flare-fassets-or-mitigation-audit/55002-sc-low-rewards-claims-increase-pool-collateral-but-do-not-notify-assetmanager-stale-cr-account.md) - [#55174 \[SC-Insight\] over assignment of payable in claimairdropdistribution function could cause confusion regarding native token handling](https://reports.immunefi.com/flare-fassets-or-mitigation-audit/55174-sc-insight-over-assignment-of-payable-in-claimairdropdistribution-function-could-cause-confusi.md) - [#55230 \[SC-Insight\] there is a sub gwei executor fee can be bypass and freezes eth in redemptionrequests](https://reports.immunefi.com/flare-fassets-or-mitigation-audit/55230-sc-insight-there-is-a-sub-gwei-executor-fee-can-be-bypass-and-freezes-eth-in-redemptionrequest.md) - [#55241 \[SC-Insight\] insufficient validation of pool token suffix allows consecutive hyphens enables token symbol impersonation and user confusion](https://reports.immunefi.com/flare-fassets-or-mitigation-audit/55241-sc-insight-insufficient-validation-of-pool-token-suffix-allows-consecutive-hyphens-enables-tok.md) - [#55049 \[SC-Insight\] there is a issue related that the msg value not returned to payer in self close exit](https://reports.immunefi.com/flare-fassets-or-mitigation-audit/55049-sc-insight-there-is-a-issue-related-that-the-msg-value-not-returned-to-payer-in-self-close-exi.md) - [#55242 \[SC-Low\] selfcloseexitto vulnerable to frontrunning griefing via exit ](https://reports.immunefi.com/flare-fassets-or-mitigation-audit/55242-sc-low-selfcloseexitto-vulnerable-to-frontrunning-griefing-via-exit.md) - [#55208 \[SC-Low\] executors receive a greater reward than the assigned value](https://reports.immunefi.com/flare-fassets-or-mitigation-audit/55208-sc-low-executors-receive-a-greater-reward-than-the-assigned-value.md) - [Folks Smart Contract Library | Aud Comp](https://reports.immunefi.com/folks-smart-contract-library.md) - [#48718 \[SC-Insight\] Contract Upgrade Completion DoS/Takeover Risk](https://reports.immunefi.com/folks-smart-contract-library/48718-sc-insight-contract-upgrade-completion-dos-takeover-risk.md) - [#48717 \[SC-Insight\] RateLimiter current capacity can be permanently held at zero](https://reports.immunefi.com/folks-smart-contract-library/48717-sc-insight-ratelimiter-current-capacity-can-be-permanently-held-at-zero.md) - [#48747 \[SC-Insight\] Consider emitting BucketConsumed for infinite buckets in RateLimiter](https://reports.immunefi.com/folks-smart-contract-library/48747-sc-insight-consider-emitting-bucketconsumed-for-infinite-buckets-in-ratelimiter.md) - [#48885 \[SC-Low\] No items length check in remove\_item leads to a revert with an underflow](https://reports.immunefi.com/folks-smart-contract-library/48885-sc-low-no-items-length-check-in-remove_item-leads-to-a-revert-with-an-underflow.md) - [#48804 \[SC-Insight\] Accelerated Rate Limit Refill via Block Timestamp Control](https://reports.immunefi.com/folks-smart-contract-library/48804-sc-insight-accelerated-rate-limit-refill-via-block-timestamp-control.md) - [#48894 \[SC-Low\] Underflow in index calculation fails remove\_item](https://reports.immunefi.com/folks-smart-contract-library/48894-sc-low-underflow-in-index-calculation-fails-remove_item.md) - [#48983 \[SC-Low\] Potential Underflow in remove\_item() on Empty Array](https://reports.immunefi.com/folks-smart-contract-library/48983-sc-low-potential-underflow-in-remove_item-on-empty-array.md) - [#48990 \[SC-Low\] Integer underflow in remove\_item leads to AVM trap and DoS via empty array call](https://reports.immunefi.com/folks-smart-contract-library/48990-sc-low-integer-underflow-in-remove_item-leads-to-avm-trap-and-dos-via-empty-array-call.md) - [#48998 \[SC-Low\] Critical UInt64 underflow in set removal causes permanent denial of service](https://reports.immunefi.com/folks-smart-contract-library/48998-sc-low-critical-uint64-underflow-in-set-removal-causes-permanent-denial-of-service.md) - [#49003 \[SC-Low\] Array Underflow Vulnerability in UInt64SetLib leads to contract failure](https://reports.immunefi.com/folks-smart-contract-library/49003-sc-low-array-underflow-vulnerability-in-uint64setlib-leads-to-contract-failure.md) - [#49051 \[SC-Insight\] Improving and expanding documentation to reduce risks](https://reports.immunefi.com/folks-smart-contract-library/49051-sc-insight-improving-and-expanding-documentation-to-reduce-risks.md) - [#49061 \[SC-Insight\] The Function \`get\_current\_capacity()\` returns wrong value when bucket is infinite](https://reports.immunefi.com/folks-smart-contract-library/49061-sc-insight-the-function-get_current_capacity-returns-wrong-value-when-bucket-is-infinite.md) - [#49075 \[SC-Low\] \`SetLib.remove\_item()\` is not safe on empty Dynamic arrays](https://reports.immunefi.com/folks-smart-contract-library/49075-sc-low-setlib.remove_item-is-not-safe-on-empty-dynamic-arrays.md) - [#49250 \[SC-Insight\] \`AccessControl\`: unnecessary box usage in \`\_grant\_role\`](https://reports.immunefi.com/folks-smart-contract-library/49250-sc-insight-accesscontrol-unnecessary-box-usage-in-_grant_role.md) - [#49390 \[SC-Low\] \`UInt64SetLib#remove\_item\` would revert if the item is empty](https://reports.immunefi.com/folks-smart-contract-library/49390-sc-low-uint64setlib-remove_item-would-revert-if-the-item-is-empty.md) - [#49409 \[SC-Insight\] Incorrect comment in UInt64SetLib](https://reports.immunefi.com/folks-smart-contract-library/49409-sc-insight-incorrect-comment-in-uint64setlib.md) - [#49413 \[SC-Insight\] discrepancy between document and codebase](https://reports.immunefi.com/folks-smart-contract-library/49413-sc-insight-discrepancy-between-document-and-codebase.md) - [#49527 \[SC-Low\] Edge case Integer UInt64SetLib.py::remove\_item leads to int underflow](https://reports.immunefi.com/folks-smart-contract-library/49527-sc-low-edge-case-integer-uint64setlib.py-remove_item-leads-to-int-underflow.md) - [#49553 \[SC-Insight\] program\_sha256\`, Reducing Auditability and Monitoring Efficiency](https://reports.immunefi.com/folks-smart-contract-library/49553-sc-insight-program_sha256-reducing-auditability-and-monitoring-efficiency.md) - [#49437 \[SC-Insight\] \`RateLimiter\`: incorrect infinite -> finite bucket transition](https://reports.immunefi.com/folks-smart-contract-library/49437-sc-insight-ratelimiter-incorrect-infinite-greater-than-finite-bucket-transition.md) - [#49559 \[SC-Low\] The remove functionality in \`UInt64SetLib::remove\_item\` underflows on empty array](https://reports.immunefi.com/folks-smart-contract-library/49559-sc-low-the-remove-functionality-in-uint64setlib-remove_item-underflows-on-empty-array.md) - [#49690 \[SC-Low\] Integer Underflow in UInt64SetLib.py](https://reports.immunefi.com/folks-smart-contract-library/49690-sc-low-integer-underflow-in-uint64setlib.py.md) - [#49687 \[SC-Low\] An underflow in \`remove\_item\` function in \`Uint64SetLib\` Contract.](https://reports.immunefi.com/folks-smart-contract-library/49687-sc-low-an-underflow-in-remove_item-function-in-uint64setlib-contract..md) - [#49938 \[SC-Low\] Underflow Revert in \`remove\_item\` When Removing from an Empty Array](https://reports.immunefi.com/folks-smart-contract-library/49938-sc-low-underflow-revert-in-remove_item-when-removing-from-an-empty-array.md) - [#49970 \[SC-Insight\] Malicious upgradable admin can permanently brick contract upgradeability](https://reports.immunefi.com/folks-smart-contract-library/49970-sc-insight-malicious-upgradable-admin-can-permanently-brick-contract-upgradeability.md) - [Folks Finance Wormhole NTT on Algorand](https://reports.immunefi.com/folks-finance-wormhole-ntt-on-algorand.md) - [57336 sc insight explicit precise and consistent use of application and address types and variable naming prevents bugs](https://reports.immunefi.com/folks-finance-wormhole-ntt-on-algorand/57336-sc-insight-explicit-precise-and-consistent-use-of-application-and-address-types-and-variable-n.md) - [57333 sc high inconsistent handler address decoding prevents any message from being executed](https://reports.immunefi.com/folks-finance-wormhole-ntt-on-algorand/57333-sc-high-inconsistent-handler-address-decoding-prevents-any-message-from-being-executed.md) - [57300 sc insight initialization bypasses the max 2 weeks guard for min upgrade delay ](https://reports.immunefi.com/folks-finance-wormhole-ntt-on-algorand/57300-sc-insight-initialization-bypasses-the-max-2-weeks-guard-for-min-upgrade-delay.md) - [57018 sc high handler address format mismatch causes digest divergence and unexecutable messages](https://reports.immunefi.com/folks-finance-wormhole-ntt-on-algorand/57018-sc-high-handler-address-format-mismatch-causes-digest-divergence-and-unexecutable-messages.md) - [57013 sc insight incorrect event parameter in inboundtransferratelimited emits recipient instead of caller](https://reports.immunefi.com/folks-finance-wormhole-ntt-on-algorand/57013-sc-insight-incorrect-event-parameter-in-inboundtransferratelimited-emits-recipient-instead-of.md) - [56615 sc high inconsistent handler address representation in transceivermanager leads to permanent freezing of incoming transfers](https://reports.immunefi.com/folks-finance-wormhole-ntt-on-algorand/56615-sc-high-inconsistent-handler-address-representation-in-transceivermanager-leads-to-permanent-f.md) - [Plume | Attackathon](https://reports.immunefi.com/plume-or-attackathon.md) - [53077 sc high permanent fund lock due to flawed remainder logic in distributeyield](https://reports.immunefi.com/plume-or-attackathon/53077-sc-high-permanent-fund-lock-due-to-flawed-remainder-logic-in-distributeyield.md) - [53072 sc high ceil vs floor rounding mismatch causes systematic underpayment and unclaimed yield leakage](https://reports.immunefi.com/plume-or-attackathon/53072-sc-high-ceil-vs-floor-rounding-mismatch-causes-systematic-underpayment-and-unclaimed-yield-lea.md) - [53071 sc insight okxhelper function incompatible with the uniswap v3 swap to with permit selector ](https://reports.immunefi.com/plume-or-attackathon/53071-sc-insight-okxhelper-function-incompatible-with-the-uniswap-v3-swap-to-with-permit-selector.md) - [53070 sc high validator commission update during max allowed commission change causes incorrect reward calculations](https://reports.immunefi.com/plume-or-attackathon/53070-sc-high-validator-commission-update-during-max-allowed-commission-change-causes-incorrect-rewa.md) - [53069 sc low dynamic cooldown interval changes cause unexpected fund lockup extensions](https://reports.immunefi.com/plume-or-attackathon/53069-sc-low-dynamic-cooldown-interval-changes-cause-unexpected-fund-lockup-extensions.md) - [53063 sc low maxvalidatorpercentage can be used to dos protocol staking ](https://reports.immunefi.com/plume-or-attackathon/53063-sc-low-maxvalidatorpercentage-can-be-used-to-dos-protocol-staking.md) - [53061 sc high asymmetric rounding in commission ceil for users floor for validators enables per segment rounding loss validators can amplify via frequent commission checkpoints ](https://reports.immunefi.com/plume-or-attackathon/53061-sc-high-asymmetric-rounding-in-commission-ceil-for-users-floor-for-validators-enables-per-segm.md) - [53059 sc low reward rate checkpoints are used but are never set](https://reports.immunefi.com/plume-or-attackathon/53059-sc-low-reward-rate-checkpoints-are-used-but-are-never-set.md) - [53056 sc low native withdraw to msg sender only non payable contract stakers cannot withdraw permanent funds lock ](https://reports.immunefi.com/plume-or-attackathon/53056-sc-low-native-withdraw-to-msg-sender-only-non-payable-contract-stakers-cannot-withdraw-permane.md) - [53051 sc high unconsented stakeonbehalf enables third party gas griefing dos by bloating uservalidators breaking withdraw claimall](https://reports.immunefi.com/plume-or-attackathon/53051-sc-high-unconsented-stakeonbehalf-enables-third-party-gas-griefing-dos-by-bloating-uservalidat.md) - [53048 sc medium approval logic can break on non standard erc 20s usdt style and leave allowances loose](https://reports.immunefi.com/plume-or-attackathon/53048-sc-medium-approval-logic-can-break-on-non-standard-erc-20s-usdt-style-and-leave-allowances-loo.md) - [53047 sc high the jackpot eligibility check uses stale storage data instead of the freshly calculated streak ](https://reports.immunefi.com/plume-or-attackathon/53047-sc-high-the-jackpot-eligibility-check-uses-stale-storage-data-instead-of-the-freshly-calculate.md) - [53043 sc high handlerandomness doesn t properly account for current streak which could result in the user spinning losing a jackpot](https://reports.immunefi.com/plume-or-attackathon/53043-sc-high-handlerandomness-doesn-t-properly-account-for-current-streak-which-could-result-in-the.md) - [53039 sc high rewards and commissions accrued in the interval before a slash might be lost](https://reports.immunefi.com/plume-or-attackathon/53039-sc-high-rewards-and-commissions-accrued-in-the-interval-before-a-slash-might-be-lost.md) - [53038 sc low distributeyield can be frontrun to sandwich rewards we can force ourselves to be the last holder and get unfairly big bonuses](https://reports.immunefi.com/plume-or-attackathon/53038-sc-low-distributeyield-can-be-frontrun-to-sandwich-rewards-we-can-force-ourselves-to-be-the-la.md) - [53037 sc critical commission changes can retroactively affect user rewards](https://reports.immunefi.com/plume-or-attackathon/53037-sc-critical-commission-changes-can-retroactively-affect-user-rewards.md) - [53035 sc medium share lock applied to wrapper instead of end user breaks transfers or bypasses lock](https://reports.immunefi.com/plume-or-attackathon/53035-sc-medium-share-lock-applied-to-wrapper-instead-of-end-user-breaks-transfers-or-bypasses-lock.md) - [53034 sc high arctokenfactory doesn t properly handle role management which allows users to arbitrary upgrade their arctoken s implementation](https://reports.immunefi.com/plume-or-attackathon/53034-sc-high-arctokenfactory-doesn-t-properly-handle-role-management-which-allows-users-to-arbitrar.md) - [53028 sc high there is an asymmetric rounding issue that is can cause a theft of unclaimed yield in reward or commission accounting](https://reports.immunefi.com/plume-or-attackathon/53028-sc-high-there-is-an-asymmetric-rounding-issue-that-is-can-cause-a-theft-of-unclaimed-yield-in.md) - [53025 sc high commission on removed tokens is unclaimable](https://reports.immunefi.com/plume-or-attackathon/53025-sc-high-commission-on-removed-tokens-is-unclaimable.md) - [53022 sc critical funds are not properly refunded to user which calls for swap on the dex aggregator](https://reports.immunefi.com/plume-or-attackathon/53022-sc-critical-funds-are-not-properly-refunded-to-user-which-calls-for-swap-on-the-dex-aggregator.md) - [53021 sc medium deposit and bridge workflow bricked by immediate share lock users cannot bridge immediately after deposit](https://reports.immunefi.com/plume-or-attackathon/53021-sc-medium-deposit-and-bridge-workflow-bricked-by-immediate-share-lock-users-cannot-bridge-imme.md) - [53020 sc high there are functions which when inevitably used could result in wrongly accruing yield for inactive validators which can make the protocol insolvent](https://reports.immunefi.com/plume-or-attackathon/53020-sc-high-there-are-functions-which-when-inevitably-used-could-result-in-wrongly-accruing-yield.md) - [53018 sc high owed rewards could be lost for some users for periods before slashing time due to incorrect logic ](https://reports.immunefi.com/plume-or-attackathon/53018-sc-high-owed-rewards-could-be-lost-for-some-users-for-periods-before-slashing-time-due-to-inco.md) - [53016 sc high arctokenpurchase doesn t allow rwa token owners to recover accrued yield from stored arctokens waiting for sale ](https://reports.immunefi.com/plume-or-attackathon/53016-sc-high-arctokenpurchase-doesn-t-allow-rwa-token-owners-to-recover-accrued-yield-from-stored-a.md) - [53015 sc low raffle does not invalidate used tickets breaking fairness](https://reports.immunefi.com/plume-or-attackathon/53015-sc-low-raffle-does-not-invalidate-used-tickets-breaking-fairness.md) - [53011 sc critical uncleaned partial approval consumption in dex aggregator integration leads to permanent dos](https://reports.immunefi.com/plume-or-attackathon/53011-sc-critical-uncleaned-partial-approval-consumption-in-dex-aggregator-integration-leads-to-perm.md) - [53001 sc high yield tokens become stuck in arctokenpurchase contract when distributing yield during active sales](https://reports.immunefi.com/plume-or-attackathon/53001-sc-high-yield-tokens-become-stuck-in-arctokenpurchase-contract-when-distributing-yield-during.md) - [52998 sc low minor delays from oracle can unfairly reset users streak](https://reports.immunefi.com/plume-or-attackathon/52998-sc-low-minor-delays-from-oracle-can-unfairly-reset-users-streak.md) - [52896 sc low pause gate is present but no way to pause](https://reports.immunefi.com/plume-or-attackathon/52896-sc-low-pause-gate-is-present-but-no-way-to-pause.md) - [52891 sc low staking and unstaking immediately an amount little less than the original staked amount leaves dust stake amounts in the system ](https://reports.immunefi.com/plume-or-attackathon/52891-sc-low-staking-and-unstaking-immediately-an-amount-little-less-than-the-original-staked-amount.md) - [52996 sc high users can claim rewards for newly added reward tokens even when the validator they staked for was inactive during some time interval ](https://reports.immunefi.com/plume-or-attackathon/52996-sc-high-users-can-claim-rewards-for-newly-added-reward-tokens-even-when-the-validator-they-sta.md) - [52995 sc high validators lose access to historical reward tokens when tokens are removed](https://reports.immunefi.com/plume-or-attackathon/52995-sc-high-validators-lose-access-to-historical-reward-tokens-when-tokens-are-removed.md) - [52589 sc low in distribute yield function if there are no legitimate users i e no restricted users the funds will remain stuck](https://reports.immunefi.com/plume-or-attackathon/52589-sc-low-in-distribute-yield-function-if-there-are-no-legitimate-users-i-e-no-restricted-users-t.md) - [52990 sc low uint8 truncation and missing cap on week index can return wrong zero jackpot amounts low contract fails to deliver promised returns ](https://reports.immunefi.com/plume-or-attackathon/52990-sc-low-uint8-truncation-and-missing-cap-on-week-index-can-return-wrong-zero-jackpot-amounts-lo.md) - [52890 sc low no recipient yield distribution locks yield tokens on arctoken efftotal 0 ](https://reports.immunefi.com/plume-or-attackathon/52890-sc-low-no-recipient-yield-distribution-locks-yield-tokens-on-arctoken-efftotal-0.md) - [52588 sc high retroactive reward accrual for newly added tokens when validator was inactive ](https://reports.immunefi.com/plume-or-attackathon/52588-sc-high-retroactive-reward-accrual-for-newly-added-tokens-when-validator-was-inactive.md) - [52988 sc medium deposit function dos](https://reports.immunefi.com/plume-or-attackathon/52988-sc-medium-deposit-function-dos.md) - [52290 sc medium deposit function in tellerwithmultiassetsupportpredicateproxy is completely broken due to wrong share lock](https://reports.immunefi.com/plume-or-attackathon/52290-sc-medium-deposit-function-in-tellerwithmultiassetsupportpredicateproxy-is-completely-broken-d.md) - [52986 sc high jackpot check uses previous streakcount instead of current computed streak denying jackpot on first eligible day](https://reports.immunefi.com/plume-or-attackathon/52986-sc-high-jackpot-check-uses-previous-streakcount-instead-of-current-computed-streak-denying-jac.md) - [52576 sc high flaw in raffle determinereward in jackpot prize calculation after week 12](https://reports.immunefi.com/plume-or-attackathon/52576-sc-high-flaw-in-raffle-determinereward-in-jackpot-prize-calculation-after-week-12.md) - [52889 sc high inactive validators accrue rewards for new tokens](https://reports.immunefi.com/plume-or-attackathon/52889-sc-high-inactive-validators-accrue-rewards-for-new-tokens.md) - [52286 sc high off by one error in jackpot eligibility check leads to denial of legitimate rewards](https://reports.immunefi.com/plume-or-attackathon/52286-sc-high-off-by-one-error-in-jackpot-eligibility-check-leads-to-denial-of-legitimate-rewards.md) - [52573 sc high unconsented stakeonbehalf enables unbounded gas consumption via uservalidators growth causing dos at scale in claimall withdraw ](https://reports.immunefi.com/plume-or-attackathon/52573-sc-high-unconsented-stakeonbehalf-enables-unbounded-gas-consumption-via-uservalidators-growth.md) - [52983 sc high validator will loose commission for the tokens which are removed from the reward tokens but they still have commission left to be claimed ](https://reports.immunefi.com/plume-or-attackathon/52983-sc-high-validator-will-loose-commission-for-the-tokens-which-are-removed-from-the-reward-token.md) - [52870 sc low cooldown extension logic may lead to locked funds](https://reports.immunefi.com/plume-or-attackathon/52870-sc-low-cooldown-extension-logic-may-lead-to-locked-funds.md) - [52285 sc high incorrect dust handling in yield distribution leads to permanent fund lock](https://reports.immunefi.com/plume-or-attackathon/52285-sc-high-incorrect-dust-handling-in-yield-distribution-leads-to-permanent-fund-lock.md) - [52572 sc high a legitimate arc token holder can be denied his yield ](https://reports.immunefi.com/plume-or-attackathon/52572-sc-high-a-legitimate-arc-token-holder-can-be-denied-his-yield.md) - [52865 sc high inconsistency in how stake cooldown is handled due to off by one error ](https://reports.immunefi.com/plume-or-attackathon/52865-sc-high-inconsistency-in-how-stake-cooldown-is-handled-due-to-off-by-one-error.md) - [51999 sc high logical flaw in validator reactivation and addrewardtoken allows claiming rewards for validators in inactive periods](https://reports.immunefi.com/plume-or-attackathon/51999-sc-high-logical-flaw-in-validator-reactivation-and-addrewardtoken-allows-claiming-rewards-for.md) - [52982 sc medium non standard erc20 approvals usdt like cause repeat call failures after partial fills](https://reports.immunefi.com/plume-or-attackathon/52982-sc-medium-non-standard-erc20-approvals-usdt-like-cause-repeat-call-failures-after-partial-fill.md) - [52278 sc high incorrect streak check in jackpot eligibility leads to unfair reward denial](https://reports.immunefi.com/plume-or-attackathon/52278-sc-high-incorrect-streak-check-in-jackpot-eligibility-leads-to-unfair-reward-denial.md) - [51994 sc high permanent loss of validator commission upon reward token removal](https://reports.immunefi.com/plume-or-attackathon/51994-sc-high-permanent-loss-of-validator-commission-upon-reward-token-removal.md) - [52560 sc high incorrect current streak used when calculating whether the jackpot should be awarded or not](https://reports.immunefi.com/plume-or-attackathon/52560-sc-high-incorrect-current-streak-used-when-calculating-whether-the-jackpot-should-be-awarded-o.md) - [52277 sc low race condition in streak calculation leads to unfair streak reset for users spinning near utc day change](https://reports.immunefi.com/plume-or-attackathon/52277-sc-low-race-condition-in-streak-calculation-leads-to-unfair-streak-reset-for-users-spinning-ne.md) - [52849 sc high claimers who claim after slash inactive updaterewardpertokenforvalidator which advances validatorlastupdatetimes to be more than slashtimestamp will lose rewards for a segment](https://reports.immunefi.com/plume-or-attackathon/52849-sc-high-claimers-who-claim-after-slash-inactive-updaterewardpertokenforvalidator-which-advance.md) - [51771 sc low unsafe downcast of uint256 to uint8 will lead to silent overflow](https://reports.immunefi.com/plume-or-attackathon/51771-sc-low-unsafe-downcast-of-uint256-to-uint8-will-lead-to-silent-overflow.md) - [51992 sc high dust accumulation in arctoken during yield distribution ](https://reports.immunefi.com/plume-or-attackathon/51992-sc-high-dust-accumulation-in-arctoken-during-yield-distribution.md) - [52254 sc high arctoken theft beyond unclaimed yield during distribution](https://reports.immunefi.com/plume-or-attackathon/52254-sc-high-arctoken-theft-beyond-unclaimed-yield-during-distribution.md) - [51989 sc low event restrictionscreated always emits msg sender as owner ](https://reports.immunefi.com/plume-or-attackathon/51989-sc-low-event-restrictionscreated-always-emits-msg-sender-as-owner.md) - [52847 sc high no function to recover the remained yield by distributeyieldwithlimit ](https://reports.immunefi.com/plume-or-attackathon/52847-sc-high-no-function-to-recover-the-remained-yield-by-distributeyieldwithlimit.md) - [51754 sc high double yield distribution via token transfers between distributeyieldwithlimit calls](https://reports.immunefi.com/plume-or-attackathon/51754-sc-high-double-yield-distribution-via-token-transfers-between-distributeyieldwithlimit-calls.md) - [52527 sc high the validator admin might claim less commission token when validatorfacet requestcommissionclaim is called ](https://reports.immunefi.com/plume-or-attackathon/52527-sc-high-the-validator-admin-might-claim-less-commission-token-when-validatorfacet-requestcommi.md) - [52980 sc critical partial fills strand source tokens in the wrapper and leave dangerous residual allowances](https://reports.immunefi.com/plume-or-attackathon/52980-sc-critical-partial-fills-strand-source-tokens-in-the-wrapper-and-leave-dangerous-residual-all.md) - [52248 sc insight lack of initialization check in staking allows users to stake without reward token configured causing permanent loss of yield](https://reports.immunefi.com/plume-or-attackathon/52248-sc-insight-lack-of-initialization-check-in-staking-allows-users-to-stake-without-reward-token.md) - [51596 sc low unsafe uint256 to uint8 downcast causes integer overflow leading to unauthorized jackpot payouts after week 255](https://reports.immunefi.com/plume-or-attackathon/51596-sc-low-unsafe-uint256-to-uint8-downcast-causes-integer-overflow-leading-to-unauthorized-jackpo.md) - [52845 sc high distributeyieldwithlimit lacks snapshot between batches allowing state changes to break distribution and lock yield](https://reports.immunefi.com/plume-or-attackathon/52845-sc-high-distributeyieldwithlimit-lacks-snapshot-between-batches-allowing-state-changes-to-brea.md) - [52241 sc low unexposed pauseable functionality](https://reports.immunefi.com/plume-or-attackathon/52241-sc-low-unexposed-pauseable-functionality.md) - [51746 sc low depositandbridge function of tellerwithmultiassetsupportpredicateproxy sol can not be paused](https://reports.immunefi.com/plume-or-attackathon/51746-sc-low-depositandbridge-function-of-tellerwithmultiassetsupportpredicateproxy-sol-can-not-be-p.md) - [51988 sc medium plumerewardlogic calculaterewardswithcheckpointsview lacking of checking if the validator is inactive but not slashed ](https://reports.immunefi.com/plume-or-attackathon/51988-sc-medium-plumerewardlogic-calculaterewardswithcheckpointsview-lacking-of-checking-if-the-vali.md) - [52519 sc low missing eligibility check before fund transfer in distributeyield leads to permanent loss of yield tokens](https://reports.immunefi.com/plume-or-attackathon/52519-sc-low-missing-eligibility-check-before-fund-transfer-in-distributeyield-leads-to-permanent-lo.md) - [51391 sc low enabletoken function overwrites amountsold to zero causing permanent loss of sales history](https://reports.immunefi.com/plume-or-attackathon/51391-sc-low-enabletoken-function-overwrites-amountsold-to-zero-causing-permanent-loss-of-sales-hist.md) - [52221 sc insight hardcoded supra subscription wallet can freeze spin](https://reports.immunefi.com/plume-or-attackathon/52221-sc-insight-hardcoded-supra-subscription-wallet-can-freeze-spin.md) - [52843 sc low the zero address cannot be whitelisted which means during restrictions minting and burning cannot work](https://reports.immunefi.com/plume-or-attackathon/52843-sc-low-the-zero-address-cannot-be-whitelisted-which-means-during-restrictions-minting-and-burn.md) - [51589 sc high tokencreator retains upgrade rights fix remains insufficient finding 01 immunefi report](https://reports.immunefi.com/plume-or-attackathon/51589-sc-high-tokencreator-retains-upgrade-rights-fix-remains-insufficient-finding-01-immunefi-repor.md) - [52979 sc low whitelistrestrictions unintentionally disables mint and burn when transfers are restricted](https://reports.immunefi.com/plume-or-attackathon/52979-sc-low-whitelistrestrictions-unintentionally-disables-mint-and-burn-when-transfers-are-restric.md) - [52517 sc high missing point in time snapshot in batched yield distribution enables double claims and permanent fund lock](https://reports.immunefi.com/plume-or-attackathon/52517-sc-high-missing-point-in-time-snapshot-in-batched-yield-distribution-enables-double-claims-and.md) - [52218 sc high creator retains default admin role allowing bypass of upgrade restrictions](https://reports.immunefi.com/plume-or-attackathon/52218-sc-high-creator-retains-default-admin-role-allowing-bypass-of-upgrade-restrictions.md) - [52841 sc medium token admin can dos admin to not let admin change purchase token](https://reports.immunefi.com/plume-or-attackathon/52841-sc-medium-token-admin-can-dos-admin-to-not-let-admin-change-purchase-token.md) - [52976 sc low turning on transfer restriction permanently blocks minting and burning](https://reports.immunefi.com/plume-or-attackathon/52976-sc-low-turning-on-transfer-restriction-permanently-blocks-minting-and-burning.md) - [51369 sc high unbounded iteration gas dos in validatetokenforclaim ](https://reports.immunefi.com/plume-or-attackathon/51369-sc-high-unbounded-iteration-gas-dos-in-validatetokenforclaim.md) - [51987 sc high validators will be able to steal more commission from users that isn t the commission to be charged](https://reports.immunefi.com/plume-or-attackathon/51987-sc-high-validators-will-be-able-to-steal-more-commission-from-users-that-isn-t-the-commission.md) - [52203 sc medium griefing attack on arctokenpurchase setpurchasetoken function via front running](https://reports.immunefi.com/plume-or-attackathon/52203-sc-medium-griefing-attack-on-arctokenpurchase-setpurchasetoken-function-via-front-running.md) - [52837 sc insight gas heavy repeated binary search increases reward calculation gas costs](https://reports.immunefi.com/plume-or-attackathon/52837-sc-insight-gas-heavy-repeated-binary-search-increases-reward-calculation-gas-costs.md) - [51090 sc high malicious user can steal yields when arctoken distributeyieldwithlimit is used ](https://reports.immunefi.com/plume-or-attackathon/51090-sc-high-malicious-user-can-steal-yields-when-arctoken-distributeyieldwithlimit-is-used.md) - [51567 sc low contract cannot be paused missing public pause and unpause functions](https://reports.immunefi.com/plume-or-attackathon/51567-sc-low-contract-cannot-be-paused-missing-public-pause-and-unpause-functions.md) - [52974 sc medium when the approval to the okxapprover is not fully spent the deposit function will be blocked](https://reports.immunefi.com/plume-or-attackathon/52974-sc-medium-when-the-approval-to-the-okxapprover-is-not-fully-spent-the-deposit-function-will-be.md) - [51352 sc critical user will lose the unspent amount when executing partial swaps via 1inch](https://reports.immunefi.com/plume-or-attackathon/51352-sc-critical-user-will-lose-the-unspent-amount-when-executing-partial-swaps-via-1inch.md) - [51083 sc insight claimall only loops over active reward tokens and ignores historical tokens](https://reports.immunefi.com/plume-or-attackathon/51083-sc-insight-claimall-only-loops-over-active-reward-tokens-and-ignores-historical-tokens.md) - [52833 sc high bypass the fix of immunefi audit imm crit 01 token creator can upgrade arctoken implementation](https://reports.immunefi.com/plume-or-attackathon/52833-sc-high-bypass-the-fix-of-immunefi-audit-imm-crit-01-token-creator-can-upgrade-arctoken-implem.md) - [52202 sc low failure to invalidate winning tickets allows multiple wins from single entry](https://reports.immunefi.com/plume-or-attackathon/52202-sc-low-failure-to-invalidate-winning-tickets-allows-multiple-wins-from-single-entry.md) - [51980 sc low unstake cooldown period is mistakenly reset on each claim resulting in temporary frozen funds](https://reports.immunefi.com/plume-or-attackathon/51980-sc-low-unstake-cooldown-period-is-mistakenly-reset-on-each-claim-resulting-in-temporary-frozen.md) - [51558 sc high arctoken holder can receive yield twice from distributeyieldwithlimit ](https://reports.immunefi.com/plume-or-attackathon/51558-sc-high-arctoken-holder-can-receive-yield-twice-from-distributeyieldwithlimit.md) - [50796 sc high jackpot eligibility uses stale streak](https://reports.immunefi.com/plume-or-attackathon/50796-sc-high-jackpot-eligibility-uses-stale-streak.md) - [52500 sc high missing commission checkpoint initialization leads to retroactive commission theft of user rewards](https://reports.immunefi.com/plume-or-attackathon/52500-sc-high-missing-commission-checkpoint-initialization-leads-to-retroactive-commission-theft-of.md) - [52198 sc high balance manipulation between batches leading to inflated payout and dos](https://reports.immunefi.com/plume-or-attackathon/52198-sc-high-balance-manipulation-between-batches-leading-to-inflated-payout-and-dos.md) - [51979 sc low getaccruedcommission returns outdated accrued commission](https://reports.immunefi.com/plume-or-attackathon/51979-sc-low-getaccruedcommission-returns-outdated-accrued-commission.md) - [51070 sc low winning raffle ticket can be re used to maintain unfair advantage over other players in raffle ](https://reports.immunefi.com/plume-or-attackathon/51070-sc-low-winning-raffle-ticket-can-be-re-used-to-maintain-unfair-advantage-over-other-players-in.md) - [52499 sc high arctoken factory s admin cannot upgrade an arctoken](https://reports.immunefi.com/plume-or-attackathon/52499-sc-high-arctoken-factory-s-admin-cannot-upgrade-an-arctoken.md) - [50784 sc high any arc token creator can upgrade the implementation ](https://reports.immunefi.com/plume-or-attackathon/50784-sc-high-any-arc-token-creator-can-upgrade-the-implementation.md) - [52964 sc high if a new reward token is added during a the period a validator is inactive the validator will still earn rewards commission for some of the duration in which they were inactive ](https://reports.immunefi.com/plume-or-attackathon/52964-sc-high-if-a-new-reward-token-is-added-during-a-the-period-a-validator-is-inactive-the-validat.md) - [52186 sc low incorrect reward calculation for slashed validators due to single segment time handling ](https://reports.immunefi.com/plume-or-attackathon/52186-sc-low-incorrect-reward-calculation-for-slashed-validators-due-to-single-segment-time-handling.md) - [51970 sc low spin streak computation relies on oracle callback time any third party delay can reset the user s streak and block jackpot eligibility ](https://reports.immunefi.com/plume-or-attackathon/51970-sc-low-spin-streak-computation-relies-on-oracle-callback-time-any-third-party-delay-can-reset.md) - [51324 sc high rounding in commission accounting burns delegator rewards](https://reports.immunefi.com/plume-or-attackathon/51324-sc-high-rounding-in-commission-accounting-burns-delegator-rewards.md) - [52803 sc high canrecoverfromcooldown is inconsistent when slash and cooldown maturity occur in the same block](https://reports.immunefi.com/plume-or-attackathon/52803-sc-high-canrecoverfromcooldown-is-inconsistent-when-slash-and-cooldown-maturity-occur-in-the-s.md) - [52489 sc low when users perform unstake operations in batches it may cause some funds to be frozen for an additional period of time ](https://reports.immunefi.com/plume-or-attackathon/52489-sc-low-when-users-perform-unstake-operations-in-batches-it-may-cause-some-funds-to-be-frozen-f.md) - [52961 sc high theft of yield from the distributor ](https://reports.immunefi.com/plume-or-attackathon/52961-sc-high-theft-of-yield-from-the-distributor.md) - [50783 sc low validator percentage cap does not work properly](https://reports.immunefi.com/plume-or-attackathon/50783-sc-low-validator-percentage-cap-does-not-work-properly.md) - [51320 sc low malicious teller parameter allow event data manipulation](https://reports.immunefi.com/plume-or-attackathon/51320-sc-low-malicious-teller-parameter-allow-event-data-manipulation.md) - [51966 sc low totalamountclaimable reverts instead of returning the claimable reward for historical tokens](https://reports.immunefi.com/plume-or-attackathon/51966-sc-low-totalamountclaimable-reverts-instead-of-returning-the-claimable-reward-for-historical-t.md) - [50399 sc low broken access control in particular contract functions due lack of pause unpause functionality](https://reports.immunefi.com/plume-or-attackathon/50399-sc-low-broken-access-control-in-particular-contract-functions-due-lack-of-pause-unpause-functi.md) - [51547 sc medium approval race condition with safeapprove leads to transaction reverts](https://reports.immunefi.com/plume-or-attackathon/51547-sc-medium-approval-race-condition-with-safeapprove-leads-to-transaction-reverts.md) - [52960 sc insight incosistent withdrawable amount calculations](https://reports.immunefi.com/plume-or-attackathon/52960-sc-insight-incosistent-withdrawable-amount-calculations.md) - [52798 sc high integer division remainder loss in batched yield distribution causes permanent fund lock](https://reports.immunefi.com/plume-or-attackathon/52798-sc-high-integer-division-remainder-loss-in-batched-yield-distribution-causes-permanent-fund-lo.md) - [51961 sc high attackers can deny commission rewards to validators by repeatedly calling forcesettlevalidatorcommission ](https://reports.immunefi.com/plume-or-attackathon/51961-sc-high-attackers-can-deny-commission-rewards-to-validators-by-repeatedly-calling-forcesettlev.md) - [50745 sc low single cooldown entry design causes timer reset on multiple unstakes leading to extended lock periods](https://reports.immunefi.com/plume-or-attackathon/50745-sc-low-single-cooldown-entry-design-causes-timer-reset-on-multiple-unstakes-leading-to-extende.md) - [51530 sc high validators can not claim pending accrued commission when reward tokens have been removed from the isrewardtoken mapping ](https://reports.immunefi.com/plume-or-attackathon/51530-sc-high-validators-can-not-claim-pending-accrued-commission-when-reward-tokens-have-been-remov.md) - [50393 sc insight unused admin state variable increases deployment and storage costs ](https://reports.immunefi.com/plume-or-attackathon/50393-sc-insight-unused-admin-state-variable-increases-deployment-and-storage-costs.md) - [52796 sc low whitelist restriction in arctoken blocks all minting and burning](https://reports.immunefi.com/plume-or-attackathon/52796-sc-low-whitelist-restriction-in-arctoken-blocks-all-minting-and-burning.md) - [52956 sc high state inconsistency in batched yield distribution leads to direct theft of user funds and protocol insolvency](https://reports.immunefi.com/plume-or-attackathon/52956-sc-high-state-inconsistency-in-batched-yield-distribution-leads-to-direct-theft-of-user-funds.md) - [49787 sc high batched yield distribution doesn t account for transfers purchases between batches](https://reports.immunefi.com/plume-or-attackathon/49787-sc-high-batched-yield-distribution-doesn-t-account-for-transfers-purchases-between-batches.md) - [52178 sc critical user will lose the unspent amount when executing partial swaps via okxrouter](https://reports.immunefi.com/plume-or-attackathon/52178-sc-critical-user-will-lose-the-unspent-amount-when-executing-partial-swaps-via-okxrouter.md) - [51296 sc low arctokenpurchase withdrawal breaks view functions](https://reports.immunefi.com/plume-or-attackathon/51296-sc-low-arctokenpurchase-withdrawal-breaks-view-functions.md) - [51051 sc high inactive validator reward accrual bypass](https://reports.immunefi.com/plume-or-attackathon/51051-sc-high-inactive-validator-reward-accrual-bypass.md) - [50392 sc insight phantom commission burn](https://reports.immunefi.com/plume-or-attackathon/50392-sc-insight-phantom-commission-burn.md) - [52955 sc high a commission rate checkpoint is not created when adding a validator despite the commission rate being set leading to loss of validator commission ](https://reports.immunefi.com/plume-or-attackathon/52955-sc-high-a-commission-rate-checkpoint-is-not-created-when-adding-a-validator-despite-the-commis.md) - [52468 sc insight dos in batch yield distribution due to cross batch state inconsistency](https://reports.immunefi.com/plume-or-attackathon/52468-sc-insight-dos-in-batch-yield-distribution-due-to-cross-batch-state-inconsistency.md) - [52165 sc high user can t claim reward erc20 tokens since rewards transfer will revert](https://reports.immunefi.com/plume-or-attackathon/52165-sc-high-user-can-t-claim-reward-erc20-tokens-since-rewards-transfer-will-revert.md) - [51951 sc low a global blocking check in claimprize prevents individual winner claims until all winners are drawn](https://reports.immunefi.com/plume-or-attackathon/51951-sc-low-a-global-blocking-check-in-claimprize-prevents-individual-winner-claims-until-all-winne.md) - [51728 sc high users can claim rewards for inactive validator periods due to incorrect checkpoint accrual ](https://reports.immunefi.com/plume-or-attackathon/51728-sc-high-users-can-claim-rewards-for-inactive-validator-periods-due-to-incorrect-checkpoint-acc.md) - [52794 sc low remainingforsale not updated after withdrawunsoldarctokens will cause following buy revert](https://reports.immunefi.com/plume-or-attackathon/52794-sc-low-remainingforsale-not-updated-after-withdrawunsoldarctokens-will-cause-following-buy-rev.md) - [52948 sc low jackpot reward rejected at exact threshold](https://reports.immunefi.com/plume-or-attackathon/52948-sc-low-jackpot-reward-rejected-at-exact-threshold.md) - [50735 sc high some yield tokens will be stuck in contract due to incorrect lastprocessedindex calculation ](https://reports.immunefi.com/plume-or-attackathon/50735-sc-high-some-yield-tokens-will-be-stuck-in-contract-due-to-incorrect-lastprocessedindex-calcul.md) - [51525 sc low unfair yield distribution to last holder due to flawed dust handling](https://reports.immunefi.com/plume-or-attackathon/51525-sc-low-unfair-yield-distribution-to-last-holder-due-to-flawed-dust-handling.md) - [49768 sc insight missing input validation in raffle editprize breaks functionality](https://reports.immunefi.com/plume-or-attackathon/49768-sc-insight-missing-input-validation-in-raffle-editprize-breaks-functionality.md) - [51288 sc insight validators commission can be permanently lost](https://reports.immunefi.com/plume-or-attackathon/51288-sc-insight-validators-commission-can-be-permanently-lost.md) - [50380 sc insight redundant use of allowedimplementations mapping in factory contracts createtoken and createwhitelistrestrictions in arctokenfactory and restrictionsfactory respectively ](https://reports.immunefi.com/plume-or-attackathon/50380-sc-insight-redundant-use-of-allowedimplementations-mapping-in-factory-contracts-createtoken-an.md) - [51946 sc high commission claims fail for removed reward tokens](https://reports.immunefi.com/plume-or-attackathon/51946-sc-high-commission-claims-fail-for-removed-reward-tokens.md) - [51043 sc medium core deposit and depositandbridge functionality in tellerwithmultiassetsupportpredicateproxy is non functional due to flawed sharelockperiod logic](https://reports.immunefi.com/plume-or-attackathon/51043-sc-medium-core-deposit-and-depositandbridge-functionality-in-tellerwithmultiassetsupportpredic.md) - [52137 sc insight silent override of non global module implementation causes stored state and event log inconsistency](https://reports.immunefi.com/plume-or-attackathon/52137-sc-insight-silent-override-of-non-global-module-implementation-causes-stored-state-and-event-l.md) - [51519 sc low unstake does not validate users remaing stake](https://reports.immunefi.com/plume-or-attackathon/51519-sc-low-unstake-does-not-validate-users-remaing-stake.md) - [52464 sc high commission rounding mismatch under payment bug](https://reports.immunefi.com/plume-or-attackathon/52464-sc-high-commission-rounding-mismatch-under-payment-bug.md) - [50721 sc low winners cannot claim prizes until all winners have been drawn in raffle claimprize ](https://reports.immunefi.com/plume-or-attackathon/50721-sc-low-winners-cannot-claim-prizes-until-all-winners-have-been-drawn-in-raffle-claimprize.md) - [51713 sc low missing minimum stake validation in unstake operations](https://reports.immunefi.com/plume-or-attackathon/51713-sc-low-missing-minimum-stake-validation-in-unstake-operations.md) - [52787 sc high batched yield distribution rounding in arctoken permanently freezes unclaimed funds and misreports payouts](https://reports.immunefi.com/plume-or-attackathon/52787-sc-high-batched-yield-distribution-rounding-in-arctoken-permanently-freezes-unclaimed-funds-an.md) - [49738 sc insight active users in prize pool loose invested raffle tickets when raffle removeprize is called ](https://reports.immunefi.com/plume-or-attackathon/49738-sc-insight-active-users-in-prize-pool-loose-invested-raffle-tickets-when-raffle-removeprize-is.md) - [51041 sc high streak count misuse in jackpot eligibility allows theft of user funds](https://reports.immunefi.com/plume-or-attackathon/51041-sc-high-streak-count-misuse-in-jackpot-eligibility-allows-theft-of-user-funds.md) - [52944 sc high the requestcommisionclaim function can only claim commission on tokens that are currently reward tokens](https://reports.immunefi.com/plume-or-attackathon/52944-sc-high-the-requestcommisionclaim-function-can-only-claim-commission-on-tokens-that-are-curren.md) - [51286 sc low event restrictionscreated uses wrong owner](https://reports.immunefi.com/plume-or-attackathon/51286-sc-low-event-restrictionscreated-uses-wrong-owner.md) - [50713 sc high deployer s default admin role enables self grant of upgrader role bypassing implementation whitelist](https://reports.immunefi.com/plume-or-attackathon/50713-sc-high-deployer-s-default-admin-role-enables-self-grant-of-upgrader-role-bypassing-implementa.md) - [51510 sc low bypass of maxvalidatorpercentage allows a validator to exceed the decentralisation cap](https://reports.immunefi.com/plume-or-attackathon/51510-sc-low-bypass-of-maxvalidatorpercentage-allows-a-validator-to-exceed-the-decentralisation-cap.md) - [51941 sc high token creator can revoke factory s upgrade capability permanently blocking upgrades](https://reports.immunefi.com/plume-or-attackathon/51941-sc-high-token-creator-can-revoke-factory-s-upgrade-capability-permanently-blocking-upgrades.md) - [51712 sc insight yield distribution will revert if global module doesn t implement iyieldrestrictions](https://reports.immunefi.com/plume-or-attackathon/51712-sc-insight-yield-distribution-will-revert-if-global-module-doesn-t-implement-iyieldrestriction.md) - [49732 sc medium malicious token admin can permanently block setpurchasetoken](https://reports.immunefi.com/plume-or-attackathon/49732-sc-medium-malicious-token-admin-can-permanently-block-setpurchasetoken.md) - [51034 sc low sales information is lost when enabling token](https://reports.immunefi.com/plume-or-attackathon/51034-sc-low-sales-information-is-lost-when-enabling-token.md) - [52780 sc high timestamp manipulation in forcesettlevalidatorcommission leads to permanent loss of staker rewards](https://reports.immunefi.com/plume-or-attackathon/52780-sc-high-timestamp-manipulation-in-forcesettlevalidatorcommission-leads-to-permanent-loss-of-st.md) - [52129 sc low previewyielddistribution reverts instead of returning zero when no tokens are in circulation](https://reports.immunefi.com/plume-or-attackathon/52129-sc-low-previewyielddistribution-reverts-instead-of-returning-zero-when-no-tokens-are-in-circul.md) - [50694 sc low spins occuring close to midnight lead to users streaks being unfairly broken due to vrf callback delay](https://reports.immunefi.com/plume-or-attackathon/50694-sc-low-spins-occuring-close-to-midnight-lead-to-users-streaks-being-unfairly-broken-due-to-vrf.md) - [51929 sc low deactivating istransferallowed indirectly doses minting burning functionality](https://reports.immunefi.com/plume-or-attackathon/51929-sc-low-deactivating-istransferallowed-indirectly-doses-minting-burning-functionality.md) - [50350 sc high stakingfacet stakeonbehalf allows to prevent withdraws](https://reports.immunefi.com/plume-or-attackathon/50350-sc-high-stakingfacet-stakeonbehalf-allows-to-prevent-withdraws.md) - [49731 sc high theft on re added tokens](https://reports.immunefi.com/plume-or-attackathon/49731-sc-high-theft-on-re-added-tokens.md) - [51502 sc low enabling transfer restrictions permanently blocks minting and burning](https://reports.immunefi.com/plume-or-attackathon/51502-sc-low-enabling-transfer-restrictions-permanently-blocks-minting-and-burning.md) - [52937 sc insight redundant raffle ticket balance check](https://reports.immunefi.com/plume-or-attackathon/52937-sc-insight-redundant-raffle-ticket-balance-check.md) - [50691 sc insight no validator limit can lead to dos](https://reports.immunefi.com/plume-or-attackathon/50691-sc-insight-no-validator-limit-can-lead-to-dos.md) - [49726 sc insight there is a redundant zero address check in the validatorfacet sol that is obsolete and could never be true](https://reports.immunefi.com/plume-or-attackathon/49726-sc-insight-there-is-a-redundant-zero-address-check-in-the-validatorfacet-sol-that-is-obsolete.md) - [51707 sc insight gas inefficiency due to redundant validatevalidatorexists modifier in requestcommissionclaim ](https://reports.immunefi.com/plume-or-attackathon/51707-sc-insight-gas-inefficiency-due-to-redundant-validatevalidatorexists-modifier-in-requestcommis.md) - [51283 sc critical permanent freeze of user token due to unhandled partial fill refunds for swap via 1inch in dexaggregatorwrapperwithpredicateproxy ](https://reports.immunefi.com/plume-or-attackathon/51283-sc-critical-permanent-freeze-of-user-token-due-to-unhandled-partial-fill-refunds-for-swap-via.md) - [52770 sc high unbounded gas consumption via stakeonbehalf manipulation](https://reports.immunefi.com/plume-or-attackathon/52770-sc-high-unbounded-gas-consumption-via-stakeonbehalf-manipulation.md) - [51001 sc insight inaccurate share calculation in emitted event for non bridge deposits](https://reports.immunefi.com/plume-or-attackathon/51001-sc-insight-inaccurate-share-calculation-in-emitted-event-for-non-bridge-deposits.md) - [50677 sc insight redundant code in dexaggregatorwrapperwithpredicateproxy impairs readability and potentially increases gas costs](https://reports.immunefi.com/plume-or-attackathon/50677-sc-insight-redundant-code-in-dexaggregatorwrapperwithpredicateproxy-impairs-readability-and-po.md) - [51276 sc low arctokenpurchase re enabling active token sales causes accounting corruption and token loss](https://reports.immunefi.com/plume-or-attackathon/51276-sc-low-arctokenpurchase-re-enabling-active-token-sales-causes-accounting-corruption-and-token.md) - [51493 sc insight misleading view function documentation](https://reports.immunefi.com/plume-or-attackathon/51493-sc-insight-misleading-view-function-documentation.md) - [50977 sc low tellerwithmultiassetsupportpredicateproxy contract cannot be emergency paused ](https://reports.immunefi.com/plume-or-attackathon/50977-sc-low-tellerwithmultiassetsupportpredicateproxy-contract-cannot-be-emergency-paused.md) - [51684 sc medium unbounded gas consumption in removestakerfromallvalidators leads to denial of service preventing users with large validator counts from removing associations and potentially lock ](https://reports.immunefi.com/plume-or-attackathon/51684-sc-medium-unbounded-gas-consumption-in-removestakerfromallvalidators-leads-to-denial-of-servic.md) - [52750 sc low percentage limit bypass via unstaking from other validators](https://reports.immunefi.com/plume-or-attackathon/52750-sc-low-percentage-limit-bypass-via-unstaking-from-other-validators.md) - [52931 sc high validators can not claim their commissions after the reward token removal ](https://reports.immunefi.com/plume-or-attackathon/52931-sc-high-validators-can-not-claim-their-commissions-after-the-reward-token-removal.md) - [50675 sc insight re entrant eth refund can emit mismatched shares in deposit event](https://reports.immunefi.com/plume-or-attackathon/50675-sc-insight-re-entrant-eth-refund-can-emit-mismatched-shares-in-deposit-event.md) - [50343 sc low cooldown reset vulnerability](https://reports.immunefi.com/plume-or-attackathon/50343-sc-low-cooldown-reset-vulnerability.md) - [51479 sc high inaccurate reward calculation post validator slashing due to premature timestamp update on token removal](https://reports.immunefi.com/plume-or-attackathon/51479-sc-high-inaccurate-reward-calculation-post-validator-slashing-due-to-premature-timestamp-updat.md) - [50340 sc medium any arctoken admin can block the setting update of the purchase token indefinitely ](https://reports.immunefi.com/plume-or-attackathon/50340-sc-medium-any-arctoken-admin-can-block-the-setting-update-of-the-purchase-token-indefinitely.md) - [52449 sc high broken streaks still pass jackpot eligibility in spin contract](https://reports.immunefi.com/plume-or-attackathon/52449-sc-high-broken-streaks-still-pass-jackpot-eligibility-in-spin-contract.md) - [51476 sc medium validators can t claim their accrued commission if they are made inactive](https://reports.immunefi.com/plume-or-attackathon/51476-sc-medium-validators-can-t-claim-their-accrued-commission-if-they-are-made-inactive.md) - [49710 sc high cross batch state manipulation in yield distribution allows double dipping of yield funds](https://reports.immunefi.com/plume-or-attackathon/49710-sc-high-cross-batch-state-manipulation-in-yield-distribution-allows-double-dipping-of-yield-fu.md) - [52113 sc low stakingfacet unstake uint16 validatorid uint256 amount can be abused to bypass minstakeamount ](https://reports.immunefi.com/plume-or-attackathon/52113-sc-low-stakingfacet-unstake-uint16-validatorid-uint256-amount-can-be-abused-to-bypass-minstake.md) - [50973 sc insight incorrect parameter type in setjackpotprobabilities](https://reports.immunefi.com/plume-or-attackathon/50973-sc-insight-incorrect-parameter-type-in-setjackpotprobabilities.md) - [51920 sc insight unnecessary second hand of if check in calculaterewardswithcheckpointsview ](https://reports.immunefi.com/plume-or-attackathon/51920-sc-insight-unnecessary-second-hand-of-if-check-in-calculaterewardswithcheckpointsview.md) - [52446 sc low withdrawing unsold tokens desynchronizes sale accounting](https://reports.immunefi.com/plume-or-attackathon/52446-sc-low-withdrawing-unsold-tokens-desynchronizes-sale-accounting.md) - [51457 sc low getaccruedcommission reverts when token was removed instead of returning the accrued commission](https://reports.immunefi.com/plume-or-attackathon/51457-sc-low-getaccruedcommission-reverts-when-token-was-removed-instead-of-returning-the-accrued-co.md) - [52925 sc medium usdt like approval hygiene can block subsequent operations after partial fill leaves non zero allowance](https://reports.immunefi.com/plume-or-attackathon/52925-sc-medium-usdt-like-approval-hygiene-can-block-subsequent-operations-after-partial-fill-leaves.md) - [52104 sc high removed reward tokens block validator commission claims](https://reports.immunefi.com/plume-or-attackathon/52104-sc-high-removed-reward-tokens-block-validator-commission-claims.md) - [51918 sc insight redundant zero address checks for router address ](https://reports.immunefi.com/plume-or-attackathon/51918-sc-insight-redundant-zero-address-checks-for-router-address.md) - [52732 sc medium permanent dos of purchase token change](https://reports.immunefi.com/plume-or-attackathon/52732-sc-medium-permanent-dos-of-purchase-token-change.md) - [50312 sc insight validator can steal user rewards due to a lack of cooldown when validator increases commission](https://reports.immunefi.com/plume-or-attackathon/50312-sc-insight-validator-can-steal-user-rewards-due-to-a-lack-of-cooldown-when-validator-increases.md) - [51456 sc high token creator can revoke the upgrader role from the factory in order to avoid upgrades](https://reports.immunefi.com/plume-or-attackathon/51456-sc-high-token-creator-can-revoke-the-upgrader-role-from-the-factory-in-order-to-avoid-upgrades.md) - [50632 sc insight critical timestamp parsing bug in getyear of datetime contract](https://reports.immunefi.com/plume-or-attackathon/50632-sc-insight-critical-timestamp-parsing-bug-in-getyear-of-datetime-contract.md) - [50951 sc high inconsistent streak count usage between jackpot and raffle ticket calculations](https://reports.immunefi.com/plume-or-attackathon/50951-sc-high-inconsistent-streak-count-usage-between-jackpot-and-raffle-ticket-calculations.md) - [52439 sc high dust accumulation in batched yield payouts leaves tokens stranded](https://reports.immunefi.com/plume-or-attackathon/52439-sc-high-dust-accumulation-in-batched-yield-payouts-leaves-tokens-stranded.md) - [49705 sc medium two vectors for unbounded gas consumption due to the normal raffle operations](https://reports.immunefi.com/plume-or-attackathon/49705-sc-medium-two-vectors-for-unbounded-gas-consumption-due-to-the-normal-raffle-operations.md) - [50949 sc insight no check if raffle actually has enough funds](https://reports.immunefi.com/plume-or-attackathon/50949-sc-insight-no-check-if-raffle-actually-has-enough-funds.md) - [51455 sc low inflated earned ui rewards when validator stake is zero due to missing totalstaked guard in view logic](https://reports.immunefi.com/plume-or-attackathon/51455-sc-low-inflated-earned-ui-rewards-when-validator-stake-is-zero-due-to-missing-totalstaked-guar.md) - [52436 sc low getaccruedcommission could return an inaccurate value](https://reports.immunefi.com/plume-or-attackathon/52436-sc-low-getaccruedcommission-could-return-an-inaccurate-value.md) - [52923 sc critical partial fill traps source token residual inside the wrapper and leaves unsafe residual allowance](https://reports.immunefi.com/plume-or-attackathon/52923-sc-critical-partial-fill-traps-source-token-residual-inside-the-wrapper-and-leaves-unsafe-resi.md) - [51666 sc medium inactive validators blocked from claiming accrued commission](https://reports.immunefi.com/plume-or-attackathon/51666-sc-medium-inactive-validators-blocked-from-claiming-accrued-commission.md) - [49700 sc high validator commission can be blocked](https://reports.immunefi.com/plume-or-attackathon/49700-sc-high-validator-commission-can-be-blocked.md) - [52719 sc medium inactive validators blocked from claiming commissions despite passed timelock](https://reports.immunefi.com/plume-or-attackathon/52719-sc-medium-inactive-validators-blocked-from-claiming-commissions-despite-passed-timelock.md) - [51218 sc high oracle callback timing vulnerability causes jackpot prize loss](https://reports.immunefi.com/plume-or-attackathon/51218-sc-high-oracle-callback-timing-vulnerability-causes-jackpot-prize-loss.md) - [51912 sc high mismatched rounding rules in reward logic library results in two fold loss of earnings](https://reports.immunefi.com/plume-or-attackathon/51912-sc-high-mismatched-rounding-rules-in-reward-logic-library-results-in-two-fold-loss-of-earnings.md) - [51658 sc high yield distribution in batches let the same tokens collect rewards in multiple batches stealing yield from other users](https://reports.immunefi.com/plume-or-attackathon/51658-sc-high-yield-distribution-in-batches-let-the-same-tokens-collect-rewards-in-multiple-batches.md) - [52084 sc high unstaking before reward token removal leads to incorrect reward accrual on re addition](https://reports.immunefi.com/plume-or-attackathon/52084-sc-high-unstaking-before-reward-token-removal-leads-to-incorrect-reward-accrual-on-re-addition.md) - [52711 sc high in validatorfacet validator cannot claims commissions of removed tokens](https://reports.immunefi.com/plume-or-attackathon/52711-sc-high-in-validatorfacet-validator-cannot-claims-commissions-of-removed-tokens.md) - [51452 sc high stakeonbehalf function enables out of gas dos](https://reports.immunefi.com/plume-or-attackathon/51452-sc-high-stakeonbehalf-function-enables-out-of-gas-dos.md) - [49698 sc low coordinated validator attack delays slashing and enables commission theft](https://reports.immunefi.com/plume-or-attackathon/49698-sc-low-coordinated-validator-attack-delays-slashing-and-enables-commission-theft.md) - [52075 sc medium arctokenpurchase contract is a token holder and may be yield recipient ](https://reports.immunefi.com/plume-or-attackathon/52075-sc-medium-arctokenpurchase-contract-is-a-token-holder-and-may-be-yield-recipient.md) - [52918 sc insight redundant check for allwinnersdrawn error](https://reports.immunefi.com/plume-or-attackathon/52918-sc-insight-redundant-check-for-allwinnersdrawn-error.md) - [51910 sc low inconsistent yield token transfer logic causes permanent loss of yield in distributeyield ](https://reports.immunefi.com/plume-or-attackathon/51910-sc-low-inconsistent-yield-token-transfer-logic-causes-permanent-loss-of-yield-in-distributeyie.md) - [51451 sc low token freezing via whitelist restriction bypass](https://reports.immunefi.com/plume-or-attackathon/51451-sc-low-token-freezing-via-whitelist-restriction-bypass.md) - [51201 sc low contracts without payable entry points cannot withdraw nor claim rewards](https://reports.immunefi.com/plume-or-attackathon/51201-sc-low-contracts-without-payable-entry-points-cannot-withdraw-nor-claim-rewards.md) - [50937 sc medium non zero approve pattern causes permanent freeze of token deposits e g usdt due to erc20 incompatibility](https://reports.immunefi.com/plume-or-attackathon/50937-sc-medium-non-zero-approve-pattern-causes-permanent-freeze-of-token-deposits-e-g-usdt-due-to-e.md) - [52710 sc low mint burn are blocked when whitelist restrictions are enabled](https://reports.immunefi.com/plume-or-attackathon/52710-sc-low-mint-burn-are-blocked-when-whitelist-restrictions-are-enabled.md) - [51414 sc high attacker can drain yield by transferring tokens to other address in yield batch distributions](https://reports.immunefi.com/plume-or-attackathon/51414-sc-high-attacker-can-drain-yield-by-transferring-tokens-to-other-address-in-yield-batch-distri.md) - [50284 sc insight incorrect erc7201 storage implementation in core factory contracts](https://reports.immunefi.com/plume-or-attackathon/50284-sc-insight-incorrect-erc7201-storage-implementation-in-core-factory-contracts.md) - [50624 sc low there is a missing emergency pause in predicate proxy ](https://reports.immunefi.com/plume-or-attackathon/50624-sc-low-there-is-a-missing-emergency-pause-in-predicate-proxy.md) - [52915 sc low yield are transferred before eligibility check potentially leading to freezing of funds](https://reports.immunefi.com/plume-or-attackathon/52915-sc-low-yield-are-transferred-before-eligibility-check-potentially-leading-to-freezing-of-funds.md) - [51909 sc medium inconsistent commission claim logic denies legitimate claims for inactive validators](https://reports.immunefi.com/plume-or-attackathon/51909-sc-medium-inconsistent-commission-claim-logic-denies-legitimate-claims-for-inactive-validators.md) - [50275 sc high eligible user loses jackpot](https://reports.immunefi.com/plume-or-attackathon/50275-sc-high-eligible-user-loses-jackpot.md) - [52424 sc high there is a retroactive commission miscalculation in plumerewardlogic](https://reports.immunefi.com/plume-or-attackathon/52424-sc-high-there-is-a-retroactive-commission-miscalculation-in-plumerewardlogic.md) - [51412 sc low token admin can withdraw the token from the purchase contract making the token balance to be less than the totalamountforsale](https://reports.immunefi.com/plume-or-attackathon/51412-sc-low-token-admin-can-withdraw-the-token-from-the-purchase-contract-making-the-token-balance.md) - [52706 sc low multi quantity prize claims revert until all winners are drawn freezing early winners](https://reports.immunefi.com/plume-or-attackathon/52706-sc-low-multi-quantity-prize-claims-revert-until-all-winners-are-drawn-freezing-early-winners.md) - [49671 sc insight wrong emission in stake](https://reports.immunefi.com/plume-or-attackathon/49671-sc-insight-wrong-emission-in-stake.md) - [50252 sc high rounding excess yield tokens become permanently stuck when last holder is yield restricted](https://reports.immunefi.com/plume-or-attackathon/50252-sc-high-rounding-excess-yield-tokens-become-permanently-stuck-when-last-holder-is-yield-restri.md) - [51197 sc high arc token owner can take upgrader role for themselves lockout the factory and upgrade the contract without the knowledge of the factory](https://reports.immunefi.com/plume-or-attackathon/51197-sc-high-arc-token-owner-can-take-upgrader-role-for-themselves-lockout-the-factory-and-upgrade.md) - [52690 sc medium dos of smart contracts on bridging functions](https://reports.immunefi.com/plume-or-attackathon/52690-sc-medium-dos-of-smart-contracts-on-bridging-functions.md) - [52422 sc low using the current time in geteffectiverewardrateat will result in incorrect reward calculation for an entire duration of a time segment](https://reports.immunefi.com/plume-or-attackathon/52422-sc-low-using-the-current-time-in-geteffectiverewardrateat-will-result-in-incorrect-reward-calc.md) - [50924 sc high validators are not able to claim their accrued commission when the reward token is removed ](https://reports.immunefi.com/plume-or-attackathon/50924-sc-high-validators-are-not-able-to-claim-their-accrued-commission-when-the-reward-token-is-rem.md) - [49668 sc insight validator status function emit misleading event ](https://reports.immunefi.com/plume-or-attackathon/49668-sc-insight-validator-status-function-emit-misleading-event.md) - [51180 sc medium function is vulnerable to gas griefing](https://reports.immunefi.com/plume-or-attackathon/51180-sc-medium-function-is-vulnerable-to-gas-griefing.md) - [52680 sc high holders length changing when distributing limit with limit could lead to case where new holders unfairly claim yield and yield is permanently frozen ](https://reports.immunefi.com/plume-or-attackathon/52680-sc-high-holders-length-changing-when-distributing-limit-with-limit-could-lead-to-case-where-ne.md) - [51899 sc medium partial distribution of yield will fail if the totalefficentive supply increases ](https://reports.immunefi.com/plume-or-attackathon/51899-sc-medium-partial-distribution-of-yield-will-fail-if-the-totalefficentive-supply-increases.md) - [49647 sc low pausable functions are not exposed](https://reports.immunefi.com/plume-or-attackathon/49647-sc-low-pausable-functions-are-not-exposed.md) - [52041 sc low in arctoken attacker can reposition to last holder and capture entire yield remainder](https://reports.immunefi.com/plume-or-attackathon/52041-sc-low-in-arctoken-attacker-can-reposition-to-last-holder-and-capture-entire-yield-remainder.md) - [50922 sc low unstaking partially will extend the cooldown time for previously unstaked amount too](https://reports.immunefi.com/plume-or-attackathon/50922-sc-low-unstaking-partially-will-extend-the-cooldown-time-for-previously-unstaked-amount-too.md) - [49639 sc insight gas inefficiency in loop storage reads processmaturedcooldowns](https://reports.immunefi.com/plume-or-attackathon/49639-sc-insight-gas-inefficiency-in-loop-storage-reads-processmaturedcooldowns.md) - [51653 sc high permanent loss of staker rewards after slashing when validator records are cleared](https://reports.immunefi.com/plume-or-attackathon/51653-sc-high-permanent-loss-of-staker-rewards-after-slashing-when-validator-records-are-cleared.md) - [52901 sc low wrapped week index can mis price jackpot table after long uptime](https://reports.immunefi.com/plume-or-attackathon/52901-sc-low-wrapped-week-index-can-mis-price-jackpot-table-after-long-uptime.md) - [50225 sc low user can bypass minstakeamount checking ](https://reports.immunefi.com/plume-or-attackathon/50225-sc-low-user-can-bypass-minstakeamount-checking.md) - [49626 sc insight modulo bias in winner selection in raffle](https://reports.immunefi.com/plume-or-attackathon/49626-sc-insight-modulo-bias-in-winner-selection-in-raffle.md) - [51651 sc insight redundant array access in removestakerfromvalidator](https://reports.immunefi.com/plume-or-attackathon/51651-sc-insight-redundant-array-access-in-removestakerfromvalidator.md) - [52409 sc high asymmetric commission rounding creates systematic accounting drift](https://reports.immunefi.com/plume-or-attackathon/52409-sc-high-asymmetric-commission-rounding-creates-systematic-accounting-drift.md) - [51613 sc medium yield tokens can be stuck in arctokenpurchase plumestakingrewardtreasury or other defi protocols when distributeyield is called ](https://reports.immunefi.com/plume-or-attackathon/51613-sc-medium-yield-tokens-can-be-stuck-in-arctokenpurchase-plumestakingrewardtreasury-or-other-de.md) - [51171 sc insight redundant storage reads and unnecessary checks in reward rate checkpoint logic lead to inefficient gas usage](https://reports.immunefi.com/plume-or-attackathon/51171-sc-insight-redundant-storage-reads-and-unnecessary-checks-in-reward-rate-checkpoint-logic-lead.md) - [50916 sc high token creators can bypass factory upgrade controls via wrong code implementation of default admin role in arctokenfactory sol ](https://reports.immunefi.com/plume-or-attackathon/50916-sc-high-token-creators-can-bypass-factory-upgrade-controls-via-wrong-code-implementation-of-de.md) - [49623 sc low unstaking allows going below minimum stake](https://reports.immunefi.com/plume-or-attackathon/49623-sc-low-unstaking-allows-going-below-minimum-stake.md) - [50560 sc high inconsistent commission rounding traps user validator funds](https://reports.immunefi.com/plume-or-attackathon/50560-sc-high-inconsistent-commission-rounding-traps-user-validator-funds.md) - [50212 sc insight validators without staked funds can control slashing decisions leading to protocol insolvency](https://reports.immunefi.com/plume-or-attackathon/50212-sc-insight-validators-without-staked-funds-can-control-slashing-decisions-leading-to-protocol.md) - [52397 sc medium repeated approve without zero reset can revert on nonstandard erc20s blocking deposits](https://reports.immunefi.com/plume-or-attackathon/52397-sc-medium-repeated-approve-without-zero-reset-can-revert-on-nonstandard-erc20s-blocking-deposi.md) - [52031 sc medium insufficient access control in token sales management leads to permanent griefing attack](https://reports.immunefi.com/plume-or-attackathon/52031-sc-medium-insufficient-access-control-in-token-sales-management-leads-to-permanent-griefing-at.md) - [50914 sc low bypass of minimum stake enforcement via partial unstake](https://reports.immunefi.com/plume-or-attackathon/50914-sc-low-bypass-of-minimum-stake-enforcement-via-partial-unstake.md) - [49616 sc high user can steal rewards](https://reports.immunefi.com/plume-or-attackathon/49616-sc-high-user-can-steal-rewards.md) - [50551 sc low staked dust positions are not properly prevented](https://reports.immunefi.com/plume-or-attackathon/50551-sc-low-staked-dust-positions-are-not-properly-prevented.md) - [51162 sc low missing pause control implementation in tellerwithmultiassetsupportpredicateproxy](https://reports.immunefi.com/plume-or-attackathon/51162-sc-low-missing-pause-control-implementation-in-tellerwithmultiassetsupportpredicateproxy.md) - [50889 sc low arctokenpurchase withdrawunsoldarctokens fails to reduce totalamountforsale leaving availability counters wrong](https://reports.immunefi.com/plume-or-attackathon/50889-sc-low-arctokenpurchase-withdrawunsoldarctokens-fails-to-reduce-totalamountforsale-leaving-ava.md) - [51887 sc medium safeapprove will cause revert of usdt and similar erc20 token](https://reports.immunefi.com/plume-or-attackathon/51887-sc-medium-safeapprove-will-cause-revert-of-usdt-and-similar-erc20-token.md) - [52393 sc low burns blocked by both sides whitelist with zero address exclusion when restrictions are enabled](https://reports.immunefi.com/plume-or-attackathon/52393-sc-low-burns-blocked-by-both-sides-whitelist-with-zero-address-exclusion-when-restrictions-are.md) - [51159 sc insight high gas iterative date calculations in datetime sol](https://reports.immunefi.com/plume-or-attackathon/51159-sc-insight-high-gas-iterative-date-calculations-in-datetime-sol.md) - [50195 sc low unfair yield distribution due to remainder allocation to last holder](https://reports.immunefi.com/plume-or-attackathon/50195-sc-low-unfair-yield-distribution-due-to-remainder-allocation-to-last-holder.md) - [50887 sc insight arcotokenpurchase purchasemade event mislabels payment amount as pricepaid instead of unit price](https://reports.immunefi.com/plume-or-attackathon/50887-sc-insight-arcotokenpurchase-purchasemade-event-mislabels-payment-amount-as-pricepaid-instead.md) - [52390 sc high validateistoken blocks validators from claiming earned rewards from removed tokens ](https://reports.immunefi.com/plume-or-attackathon/52390-sc-high-validateistoken-blocks-validators-from-claiming-earned-rewards-from-removed-tokens.md) - [51882 sc low unnecessary claiming restriction in raffle contract prevents winners from claiming prizes until all winners are drawn](https://reports.immunefi.com/plume-or-attackathon/51882-sc-low-unnecessary-claiming-restriction-in-raffle-contract-prevents-winners-from-claiming-priz.md) - [52669 sc low token minting is blocked for whitelisted addresses when transfersallowed is false](https://reports.immunefi.com/plume-or-attackathon/52669-sc-low-token-minting-is-blocked-for-whitelisted-addresses-when-transfersallowed-is-false.md) - [50527 sc high attacker can steal yield during batch distribution](https://reports.immunefi.com/plume-or-attackathon/50527-sc-high-attacker-can-steal-yield-during-batch-distribution.md) - [50860 sc high logic error in jackpot eligibility check leads to systematic theft of user rewards](https://reports.immunefi.com/plume-or-attackathon/50860-sc-high-logic-error-in-jackpot-eligibility-check-leads-to-systematic-theft-of-user-rewards.md) - [50187 sc insight yieldblacklistrestrictions uses slot 0 instead of unstructured storage risking slot collision](https://reports.immunefi.com/plume-or-attackathon/50187-sc-insight-yieldblacklistrestrictions-uses-slot-0-instead-of-unstructured-storage-risking-slot.md) - [51146 sc low getmaxnumberoftokens returns wrong max number of tokens available to buy](https://reports.immunefi.com/plume-or-attackathon/51146-sc-low-getmaxnumberoftokens-returns-wrong-max-number-of-tokens-available-to-buy.md) - [52667 sc high commission is not added at point of adding validator hence stakers that stake before the first checkpoint would always use the current commission ](https://reports.immunefi.com/plume-or-attackathon/52667-sc-high-commission-is-not-added-at-point-of-adding-validator-hence-stakers-that-stake-before-t.md) - [51878 sc high timing misalignment between campaign days and calendar days allows double spinning on high probability jackpot days](https://reports.immunefi.com/plume-or-attackathon/51878-sc-high-timing-misalignment-between-campaign-days-and-calendar-days-allows-double-spinning-on.md) - [52027 sc low whitelistrestrictions sol mint burn operations blocked when transfers disabled](https://reports.immunefi.com/plume-or-attackathon/52027-sc-low-whitelistrestrictions-sol-mint-burn-operations-blocked-when-transfers-disabled.md) - [50839 sc low last holder always gets more yield](https://reports.immunefi.com/plume-or-attackathon/50839-sc-low-last-holder-always-gets-more-yield.md) - [50168 sc insight unused and duplicated functions should be removed from rewardsfacet and stakingfacet](https://reports.immunefi.com/plume-or-attackathon/50168-sc-insight-unused-and-duplicated-functions-should-be-removed-from-rewardsfacet-and-stakingface.md) - [52649 sc high token creator can seize upgrade control bypassing factory whitelist and enabling theft of funds](https://reports.immunefi.com/plume-or-attackathon/52649-sc-high-token-creator-can-seize-upgrade-control-bypassing-factory-whitelist-and-enabling-theft.md) - [52026 sc medium claimall could revert because of unbounded gas consumptions](https://reports.immunefi.com/plume-or-attackathon/52026-sc-medium-claimall-could-revert-because-of-unbounded-gas-consumptions.md) - [50822 sc high deployer can cpgrade arctoken to malicious implementation and steal all user funds](https://reports.immunefi.com/plume-or-attackathon/50822-sc-high-deployer-can-cpgrade-arctoken-to-malicious-implementation-and-steal-all-user-funds.md) - [50167 sc high retroactive reward drain via incomplete reward debt reset](https://reports.immunefi.com/plume-or-attackathon/50167-sc-high-retroactive-reward-drain-via-incomplete-reward-debt-reset.md) - [51863 sc low lack of winning ticket removal in handlewinnerselection leads to unfair prize distribution and economic exploitation](https://reports.immunefi.com/plume-or-attackathon/51863-sc-low-lack-of-winning-ticket-removal-in-handlewinnerselection-leads-to-unfair-prize-distribut.md) - [52371 sc high distributeyieldwithlimit is vulnerable to inter batch balance and holders array mutations](https://reports.immunefi.com/plume-or-attackathon/52371-sc-high-distributeyieldwithlimit-is-vulnerable-to-inter-batch-balance-and-holders-array-mutati.md) - [50120 sc low arctokens cannot be burned or minted when transfers are restricted](https://reports.immunefi.com/plume-or-attackathon/50120-sc-low-arctokens-cannot-be-burned-or-minted-when-transfers-are-restricted.md) - [52634 sc high batch yield distribution has a mathematical flaw that enables economic manipulation](https://reports.immunefi.com/plume-or-attackathon/52634-sc-high-batch-yield-distribution-has-a-mathematical-flaw-that-enables-economic-manipulation.md) - [50519 sc high rewardsfacet reintroducing an old reward token will result in wrong accounting leading to theft of yield](https://reports.immunefi.com/plume-or-attackathon/50519-sc-high-rewardsfacet-reintroducing-an-old-reward-token-will-result-in-wrong-accounting-leading.md) - [51132 sc low tellerwithmultiassetsupportpredicateproxy cannot be paused unpaused](https://reports.immunefi.com/plume-or-attackathon/51132-sc-low-tellerwithmultiassetsupportpredicateproxy-cannot-be-paused-unpaused.md) - [50082 sc low protocol lets validators operate with dust amounts making attacks risk free](https://reports.immunefi.com/plume-or-attackathon/50082-sc-low-protocol-lets-validators-operate-with-dust-amounts-making-attacks-risk-free.md) - [52347 sc high improper handling of yield distribution state in distributeyieldwithlimit leads to revert freezing users yield ](https://reports.immunefi.com/plume-or-attackathon/52347-sc-high-improper-handling-of-yield-distribution-state-in-distributeyieldwithlimit-leads-to-rev.md) - [50507 sc high non atomic yield distribution may lead to theft of yield](https://reports.immunefi.com/plume-or-attackathon/50507-sc-high-non-atomic-yield-distribution-may-lead-to-theft-of-yield.md) - [51129 sc low boringvault proxies do not support smart contract wallets](https://reports.immunefi.com/plume-or-attackathon/51129-sc-low-boringvault-proxies-do-not-support-smart-contract-wallets.md) - [51860 sc high missing access control in stakeonbehalf lets anyone bloat another user s validator list leading to permanent fund lock via gas exhaustion dos](https://reports.immunefi.com/plume-or-attackathon/51860-sc-high-missing-access-control-in-stakeonbehalf-lets-anyone-bloat-another-user-s-validator-lis.md) - [50060 sc insight scattered module processing pattern in arctoken update function](https://reports.immunefi.com/plume-or-attackathon/50060-sc-insight-scattered-module-processing-pattern-in-arctoken-update-function.md) - [51850 sc low upgradetoken can not initialize an upgraded token because the data variable of upgradetoandcall is hardcoded to empty string](https://reports.immunefi.com/plume-or-attackathon/51850-sc-low-upgradetoken-can-not-initialize-an-upgraded-token-because-the-data-variable-of-upgradet.md) - [50506 sc insight stakingfacet missing event emission on any unstaking operations](https://reports.immunefi.com/plume-or-attackathon/50506-sc-insight-stakingfacet-missing-event-emission-on-any-unstaking-operations.md) - [51124 sc high validator would loss commission fee if the rewards token are removed](https://reports.immunefi.com/plume-or-attackathon/51124-sc-high-validator-would-loss-commission-fee-if-the-rewards-token-are-removed.md) - [52620 sc medium permanently dos to arctokenpurchase contract](https://reports.immunefi.com/plume-or-attackathon/52620-sc-medium-permanently-dos-to-arctokenpurchase-contract.md) - [52339 sc low loss of daily streak and jackpot eligibility due to supra generator callback delay and on callback time usage in spin sol ](https://reports.immunefi.com/plume-or-attackathon/52339-sc-low-loss-of-daily-streak-and-jackpot-eligibility-due-to-supra-generator-callback-delay-and.md) - [51847 sc critical dos via dust leftover in erc 20 approvals](https://reports.immunefi.com/plume-or-attackathon/51847-sc-critical-dos-via-dust-leftover-in-erc-20-approvals.md) - [52601 sc high in spin handlerandomness jackpot eligibility uses outdated streakcount instead of updated streak](https://reports.immunefi.com/plume-or-attackathon/52601-sc-high-in-spin-handlerandomness-jackpot-eligibility-uses-outdated-streakcount-instead-of-upda.md) - [51122 sc low arctokenpurchase enabletoken can reset the amountsold to 0](https://reports.immunefi.com/plume-or-attackathon/51122-sc-low-arctokenpurchase-enabletoken-can-reset-the-amountsold-to-0.md) - [52327 sc low unfair yield distribution due to last holder bias](https://reports.immunefi.com/plume-or-attackathon/52327-sc-low-unfair-yield-distribution-due-to-last-holder-bias.md) - [51842 sc high unclaimed staker rewards lost when admin clears validator records without checking pending rewards](https://reports.immunefi.com/plume-or-attackathon/51842-sc-high-unclaimed-staker-rewards-lost-when-admin-clears-validator-records-without-checking-pen.md) - [50040 sc low missing pause controls eth refund flaws and miscalculated shares enable fund loss and protocol inconsistency in depositandbridge](https://reports.immunefi.com/plume-or-attackathon/50040-sc-low-missing-pause-controls-eth-refund-flaws-and-miscalculated-shares-enable-fund-loss-and-p.md) - [52314 sc low unsold token withdrawal causes permanent inventory mismatch](https://reports.immunefi.com/plume-or-attackathon/52314-sc-low-unsold-token-withdrawal-causes-permanent-inventory-mismatch.md) - [51836 sc low contract cannot be paused despite inheriting pausable](https://reports.immunefi.com/plume-or-attackathon/51836-sc-low-contract-cannot-be-paused-despite-inheriting-pausable.md) - [51100 sc insight gas inefficiency in prize removal logic](https://reports.immunefi.com/plume-or-attackathon/51100-sc-insight-gas-inefficiency-in-prize-removal-logic.md) - [50493 sc low immutable proxy implementation mapping in restrictionsfactory breaks upgrade logic](https://reports.immunefi.com/plume-or-attackathon/50493-sc-low-immutable-proxy-implementation-mapping-in-restrictionsfactory-breaks-upgrade-logic.md) - [52312 sc low cooldown coalescing bug unintended cooldown extension for prior unstakes](https://reports.immunefi.com/plume-or-attackathon/52312-sc-low-cooldown-coalescing-bug-unintended-cooldown-extension-for-prior-unstakes.md) - [51816 sc low yield distribution can be front run to steal rounding remainder as last holder](https://reports.immunefi.com/plume-or-attackathon/51816-sc-low-yield-distribution-can-be-front-run-to-steal-rounding-remainder-as-last-holder.md) - [50027 sc insight missing validation of okx swap output token in function okxhelper ](https://reports.immunefi.com/plume-or-attackathon/50027-sc-insight-missing-validation-of-okx-swap-output-token-in-function-okxhelper.md) - [52303 sc insight incorrect yield distribution event emission](https://reports.immunefi.com/plume-or-attackathon/52303-sc-insight-incorrect-yield-distribution-event-emission.md) - [51814 sc insight checkpoint cumulativeindex returned in the getrewardratecheckpoint function will be zero](https://reports.immunefi.com/plume-or-attackathon/51814-sc-insight-checkpoint-cumulativeindex-returned-in-the-getrewardratecheckpoint-function-will-be.md) - [50490 sc high user loses reward tokens during validator user relationship clearing](https://reports.immunefi.com/plume-or-attackathon/50490-sc-high-user-loses-reward-tokens-during-validator-user-relationship-clearing.md) - [50022 sc low missing admin pause unpause functions in tellerwithmultiassetsupportpredicateproxy contract](https://reports.immunefi.com/plume-or-attackathon/50022-sc-low-missing-admin-pause-unpause-functions-in-tellerwithmultiassetsupportpredicateproxy-cont.md) - [49963 sc medium anyone can create an arctoken and block the setpurchasetoken function](https://reports.immunefi.com/plume-or-attackathon/49963-sc-medium-anyone-can-create-an-arctoken-and-block-the-setpurchasetoken-function.md) - [50487 sc low cross campaign jackpot denial due to state pollution](https://reports.immunefi.com/plume-or-attackathon/50487-sc-low-cross-campaign-jackpot-denial-due-to-state-pollution.md) - [49954 sc insight raffle editprizes lacks logic to make prizes immutable once winner selection starts or users join breaking user trust ](https://reports.immunefi.com/plume-or-attackathon/49954-sc-insight-raffle-editprizes-lacks-logic-to-make-prizes-immutable-once-winner-selection-starts.md) - [51813 sc high malicious user can grief victims by staking them across many validators leading to fund freezing](https://reports.immunefi.com/plume-or-attackathon/51813-sc-high-malicious-user-can-grief-victims-by-staking-them-across-many-validators-leading-to-fun.md) - [49941 sc low permanent freezing of yield tokens due to flawed check in distribution logic](https://reports.immunefi.com/plume-or-attackathon/49941-sc-low-permanent-freezing-of-yield-tokens-due-to-flawed-check-in-distribution-logic.md) - [51802 sc low temporary freeze of rewards is possible if efficientsupply 0](https://reports.immunefi.com/plume-or-attackathon/51802-sc-low-temporary-freeze-of-rewards-is-possible-if-efficientsupply-0.md) - [50477 sc high validator loses all accrued commission when reward token is removed](https://reports.immunefi.com/plume-or-attackathon/50477-sc-high-validator-loses-all-accrued-commission-when-reward-token-is-removed.md) - [51801 sc medium supra callback allows for theft of gas](https://reports.immunefi.com/plume-or-attackathon/51801-sc-medium-supra-callback-allows-for-theft-of-gas.md) - [49939 sc high initial timestamp mismatch might lead to users being able to spin twice in the same day](https://reports.immunefi.com/plume-or-attackathon/49939-sc-high-initial-timestamp-mismatch-might-lead-to-users-being-able-to-spin-twice-in-the-same-da.md) - [50470 sc insight inefficient design in distributeyieldwithlimit arctoken creates unnecessary gas consumption](https://reports.immunefi.com/plume-or-attackathon/50470-sc-insight-inefficient-design-in-distributeyieldwithlimit-arctoken-creates-unnecessary-gas-con.md) - [49932 sc insight there are five separate but similar implementations of a binary search that can be condensed into one function](https://reports.immunefi.com/plume-or-attackathon/49932-sc-insight-there-are-five-separate-but-similar-implementations-of-a-binary-search-that-can-be.md) - [51777 sc medium denial of service on depositandbridge function for sharelockperiod is non zero](https://reports.immunefi.com/plume-or-attackathon/51777-sc-medium-denial-of-service-on-depositandbridge-function-for-sharelockperiod-is-non-zero.md) - [50461 sc insight incorrect deposit event receiver logged in bridge functions of dexaggregatorwrapperwithpredicateproxy sol ](https://reports.immunefi.com/plume-or-attackathon/50461-sc-insight-incorrect-deposit-event-receiver-logged-in-bridge-functions-of-dexaggregatorwrapper.md) - [49919 sc insight unstake function does not unstake all as mentioned in the natspec](https://reports.immunefi.com/plume-or-attackathon/49919-sc-insight-unstake-function-does-not-unstake-all-as-mentioned-in-the-natspec.md) - [50450 sc high logic error in streak validation causes legitimate jackpot wins to be denied violating reward contract expectations](https://reports.immunefi.com/plume-or-attackathon/50450-sc-high-logic-error-in-streak-validation-causes-legitimate-jackpot-wins-to-be-denied-violating.md) - [51776 sc low streak system breaks despite timely user action due to delayed supra oracle callback](https://reports.immunefi.com/plume-or-attackathon/51776-sc-low-streak-system-breaks-despite-timely-user-action-due-to-delayed-supra-oracle-callback.md) - [49915 sc low misleading event emission in createwhitelistrestrictions function in restrictionsfactory contract](https://reports.immunefi.com/plume-or-attackathon/49915-sc-low-misleading-event-emission-in-createwhitelistrestrictions-function-in-restrictionsfactor.md) - [50436 sc low votetoslashvalidator prevents malicious inactive validators to be slashed ](https://reports.immunefi.com/plume-or-attackathon/50436-sc-low-votetoslashvalidator-prevents-malicious-inactive-validators-to-be-slashed.md) - [49893 sc insight raffle sol implementation logic allows direct plume transfers but has no withdraw locking funds permanently](https://reports.immunefi.com/plume-or-attackathon/49893-sc-insight-raffle-sol-implementation-logic-allows-direct-plume-transfers-but-has-no-withdraw-l.md) - [50433 sc high validator list griefing unrestricted stakeonbehalf allows user asset freeze permanently](https://reports.immunefi.com/plume-or-attackathon/50433-sc-high-validator-list-griefing-unrestricted-stakeonbehalf-allows-user-asset-freeze-permanentl.md) - [49876 sc insight lack of refund on admin canceled spin requests leads to permanent loss of funds](https://reports.immunefi.com/plume-or-attackathon/49876-sc-insight-lack-of-refund-on-admin-canceled-spin-requests-leads-to-permanent-loss-of-funds.md) - [50428 sc medium reverting on callback increases chances of winning](https://reports.immunefi.com/plume-or-attackathon/50428-sc-medium-reverting-on-callback-increases-chances-of-winning.md) - [49868 sc insight raffle sol does not enforce prize endtimestamp allowing user and admin interactions with expired prizes](https://reports.immunefi.com/plume-or-attackathon/49868-sc-insight-raffle-sol-does-not-enforce-prize-endtimestamp-allowing-user-and-admin-interactions.md) - [50425 sc high active non slashed validators cannot claim rewards when a reward token is disabled](https://reports.immunefi.com/plume-or-attackathon/50425-sc-high-active-non-slashed-validators-cannot-claim-rewards-when-a-reward-token-is-disabled.md) - [49863 sc critical dex aggregator erc20 token theft](https://reports.immunefi.com/plume-or-attackathon/49863-sc-critical-dex-aggregator-erc20-token-theft.md) - [50415 sc low getmaxnumberoftokens returns wrong value when arctokens are withdrawn](https://reports.immunefi.com/plume-or-attackathon/50415-sc-low-getmaxnumberoftokens-returns-wrong-value-when-arctokens-are-withdrawn.md) - [49854 sc critical dex aggregator partial fill token loss](https://reports.immunefi.com/plume-or-attackathon/49854-sc-critical-dex-aggregator-partial-fill-token-loss.md) - [49835 sc insight dex aggregator unused eth loss](https://reports.immunefi.com/plume-or-attackathon/49835-sc-insight-dex-aggregator-unused-eth-loss.md) - [50412 sc high illegitimate reward claim after unstake due to overlapping reward rate checkpoints](https://reports.immunefi.com/plume-or-attackathon/50412-sc-high-illegitimate-reward-claim-after-unstake-due-to-overlapping-reward-rate-checkpoints.md) - [50409 sc high validator will lose comission](https://reports.immunefi.com/plume-or-attackathon/50409-sc-high-validator-will-lose-comission.md) - [49817 sc medium inactive validators are prevented to claim to eligible commission rewards](https://reports.immunefi.com/plume-or-attackathon/49817-sc-medium-inactive-validators-are-prevented-to-claim-to-eligible-commission-rewards.md) - [49800 sc insight yield distribution could encounter an unexpected revert](https://reports.immunefi.com/plume-or-attackathon/49800-sc-insight-yield-distribution-could-encounter-an-unexpected-revert.md) - [49798 sc insight invalid holder set initialization bypasses modular restrictions corrupting yield distribution](https://reports.immunefi.com/plume-or-attackathon/49798-sc-insight-invalid-holder-set-initialization-bypasses-modular-restrictions-corrupting-yield-di.md) - [50402 sc low single rate assumption ignores checkpoints in slashed case ](https://reports.immunefi.com/plume-or-attackathon/50402-sc-low-single-rate-assumption-ignores-checkpoints-in-slashed-case.md) - [49787 sc high batched yield distribution doesn t account for transfers purchases between batches](https://reports.immunefi.com/plume-or-attackathon/49787-sc-high-batched-yield-distribution-doesn-t-account-for-transfers-purchases-between-batches-1.md) - [VeChain Hayabusa Upgrade | Attackathon](https://reports.immunefi.com/vechain-hayabusa-upgrade-or-attackathon.md) - [#57468 \[BC-Insight\] there is an issue about zero vtho generation during hayabusa transition period](https://reports.immunefi.com/vechain-hayabusa-upgrade-or-attackathon/57468-bc-insight-there-is-an-issue-about-zero-vtho-generation-during-hayabusa-transition-period.md) - [57412 sc insight gas optimization insight improve gas cost efficiency by the use of custom errors in staker sol contract](https://reports.immunefi.com/vechain-hayabusa-upgrade-or-attackathon/57412-sc-insight-gas-optimization-insight-improve-gas-cost-efficiency-by-the-use-of-custom-errors-in.md) - [57179 bc insight during the call to native totalsupply there s missing gas charges](https://reports.immunefi.com/vechain-hayabusa-upgrade-or-attackathon/57179-bc-insight-during-the-call-to-native-totalsupply-there-s-missing-gas-charges.md) - [57136 bc low txpool priority cache lets base fee swings reduce proposers tips](https://reports.immunefi.com/vechain-hayabusa-upgrade-or-attackathon/57136-bc-low-txpool-priority-cache-lets-base-fee-swings-reduce-proposers-tips.md) - [57055 bc medium dos via p2p during block header validation using bad proof](https://reports.immunefi.com/vechain-hayabusa-upgrade-or-attackathon/57055-bc-medium-dos-via-p2p-during-block-header-validation-using-bad-proof.md) - [57021 bc insight lack of panic recovery in housekeeping goroutine creates potential for denial of service](https://reports.immunefi.com/vechain-hayabusa-upgrade-or-attackathon/57021-bc-insight-lack-of-panic-recovery-in-housekeeping-goroutine-creates-potential-for-denial-of-se.md) - [56946 bc insight the code comparing two big in pointers for equality not their numeric values](https://reports.immunefi.com/vechain-hayabusa-upgrade-or-attackathon/56946-bc-insight-the-code-comparing-two-big-in-pointers-for-equality-not-their-numeric-values.md) - [56761 bc insight the check for integer overflow in the function staker go checkstake is incorrect](https://reports.immunefi.com/vechain-hayabusa-upgrade-or-attackathon/56761-bc-insight-the-check-for-integer-overflow-in-the-function-staker-go-checkstake-is-incorrect.md) - [56657 bc insight inactive validator scheduling bypass in vechain thor pos consensus mechanism](https://reports.immunefi.com/vechain-hayabusa-upgrade-or-attackathon/56657-bc-insight-inactive-validator-scheduling-bypass-in-vechain-thor-pos-consensus-mechanism.md) - [56629 bc insight there is an issue in mapping gas undercharge and is enables 30 extra node work per unit gas ](https://reports.immunefi.com/vechain-hayabusa-upgrade-or-attackathon/56629-bc-insight-there-is-an-issue-in-mapping-gas-undercharge-and-is-enables-30-extra-node-work-per.md) - [56626 bc insight trivial renewallist bloat attack exploits unmetered database writes to increase block processing time risking bft disruption](https://reports.immunefi.com/vechain-hayabusa-upgrade-or-attackathon/56626-bc-insight-trivial-renewallist-bloat-attack-exploits-unmetered-database-writes-to-increase-blo.md) - [56611 bc medium remote p2p crash during sync thor default configuration ](https://reports.immunefi.com/vechain-hayabusa-upgrade-or-attackathon/56611-bc-medium-remote-p2p-crash-during-sync-thor-default-configuration.md) - [56513 bc insight during the call to native issuance there s a missing gas charge before call to calculaterewards ](https://reports.immunefi.com/vechain-hayabusa-upgrade-or-attackathon/56513-bc-insight-during-the-call-to-native-issuance-there-s-a-missing-gas-charge-before-call-to-calc.md) - [56454 bc insight gas undercharging threatens hayabusa network upgrade](https://reports.immunefi.com/vechain-hayabusa-upgrade-or-attackathon/56454-bc-insight-gas-undercharging-threatens-hayabusa-network-upgrade.md) - [56403 bc insight there is a problem in the dpos threshold switch undercounts votes at hayabusa activation ](https://reports.immunefi.com/vechain-hayabusa-upgrade-or-attackathon/56403-bc-insight-there-is-a-problem-in-the-dpos-threshold-switch-undercounts-votes-at-hayabusa-activ.md) - [56367 sc insight staker gas optimization public to external visibility](https://reports.immunefi.com/vechain-hayabusa-upgrade-or-attackathon/56367-sc-insight-staker-gas-optimization-public-to-external-visibility.md) - [56362 bc insight during addvalidation if pos not active authority native env state get should consume double the gas](https://reports.immunefi.com/vechain-hayabusa-upgrade-or-attackathon/56362-bc-insight-during-addvalidation-if-pos-not-active-authority-native-env-state-get-should-consum.md) - [56345 bc insight there is an issue related to strict threshold breaks exact 2 3 and is causing finality freeze](https://reports.immunefi.com/vechain-hayabusa-upgrade-or-attackathon/56345-bc-insight-there-is-an-issue-related-to-strict-threshold-breaks-exact-2-3-and-is-causing-final.md) - [56256 bc insight redundant sload for global endorsement parameter](https://reports.immunefi.com/vechain-hayabusa-upgrade-or-attackathon/56256-bc-insight-redundant-sload-for-global-endorsement-parameter.md) - [56187 bc insight brittle hardcoded gas metering model](https://reports.immunefi.com/vechain-hayabusa-upgrade-or-attackathon/56187-bc-insight-brittle-hardcoded-gas-metering-model.md) - [56045 bc insight block packing starvation via oversized priority transactions](https://reports.immunefi.com/vechain-hayabusa-upgrade-or-attackathon/56045-bc-insight-block-packing-starvation-via-oversized-priority-transactions.md) - [55957 sc medium checkstake does not check for uint64 overflow](https://reports.immunefi.com/vechain-hayabusa-upgrade-or-attackathon/55957-sc-medium-checkstake-does-not-check-for-uint64-overflow.md) - [55926 bc insight totalsupply overstates circulating vtho](https://reports.immunefi.com/vechain-hayabusa-upgrade-or-attackathon/55926-bc-insight-totalsupply-overstates-circulating-vtho.md) - [55925 bc insight underpriced supply queries enable cheap cpu dos](https://reports.immunefi.com/vechain-hayabusa-upgrade-or-attackathon/55925-bc-insight-underpriced-supply-queries-enable-cheap-cpu-dos.md) - [55806 bc insight critical missing input validation in governance parameter allows malicious underflow leading to permanent freeze of all dpos rewards](https://reports.immunefi.com/vechain-hayabusa-upgrade-or-attackathon/55806-bc-insight-critical-missing-input-validation-in-governance-parameter-allows-malicious-underflo.md) - [55711 sc insight redundant gas charge in native addvalidation function leads to unnecessary gas costs](https://reports.immunefi.com/vechain-hayabusa-upgrade-or-attackathon/55711-sc-insight-redundant-gas-charge-in-native-addvalidation-function-leads-to-unnecessary-gas-cost.md) - [55632 bc critical delegation submitted in the same period before a validator exit will be permanently frozen](https://reports.immunefi.com/vechain-hayabusa-upgrade-or-attackathon/55632-bc-critical-delegation-submitted-in-the-same-period-before-a-validator-exit-will-be-permanentl.md) - [55524 bc insight null body transaction submission crashes rpc handler](https://reports.immunefi.com/vechain-hayabusa-upgrade-or-attackathon/55524-bc-insight-null-body-transaction-submission-crashes-rpc-handler.md) - [Firelight](https://reports.immunefi.com/firelight.md) - [#59967 \[SC-Low\] broken historical period calculation](https://reports.immunefi.com/firelight/59967-sc-low-broken-historical-period-calculation.md) - [#59937 \[SC-Low\] periodattimestamp uses current time instead of inputtimestamp returning wrong period](https://reports.immunefi.com/firelight/59937-sc-low-periodattimestamp-uses-current-time-instead-of-inputtimestamp-returning-wrong-period.md) - [59931 sc insight useless check](https://reports.immunefi.com/firelight/59931-sc-insight-useless-check.md) - [#59928 \[SC-Low\] incorrect period calculation periodattimestamp function](https://reports.immunefi.com/firelight/59928-sc-low-incorrect-period-calculation-periodattimestamp-function.md) - [#59879 \[SC-Low\] logic bug in periodattimestamp](https://reports.immunefi.com/firelight/59879-sc-low-logic-bug-in-periodattimestamp.md) - [59852 sc low incorrect period calculation inside periodattimestamp resulting in returning period now instead of period at given timestamp](https://reports.immunefi.com/firelight/59852-sc-low-incorrect-period-calculation-inside-periodattimestamp-resulting-in-returning-period-now.md) - [#59820 \[SC-Low\] periodattimestamp returns current period instead of historical period](https://reports.immunefi.com/firelight/59820-sc-low-periodattimestamp-returns-current-period-instead-of-historical-period.md) - [59740 \[SC-Low\] periodattimestamp provides period of current timestamp even for different timestamps](https://reports.immunefi.com/firelight/59740-sc-low-periodattimestamp-provides-period-of-current-timestamp-even-for-different-timestamps.md) - [#59728 \[SC-Low\] underflow issue leading to a periodattimestamp dos](https://reports.immunefi.com/firelight/59728-sc-low-underflow-issue-leading-to-a-periodattimestamp-dos.md) - [#59715 \[SC-Low\] periodattimestamp will return different period for the same timestamp input](https://reports.immunefi.com/firelight/59715-sc-low-periodattimestamp-will-return-different-period-for-the-same-timestamp-input.md) - [59691 sc low missing disableinitializers allows direct implementation initialization leading to vault takeover](https://reports.immunefi.com/firelight/59691-sc-low-missing-disableinitializers-allows-direct-implementation-initialization-leading-to-vaul.md) - [59635 sc low timestamp agnostic periodattimestamp misreports historical periods breaking time locked logic](https://reports.immunefi.com/firelight/59635-sc-low-timestamp-agnostic-periodattimestamp-misreports-historical-periods-breaking-time-locked.md) - [#59605 \[SC-Low\] logic error in periodattimestamp returns incorrect periods](https://reports.immunefi.com/firelight/59605-sc-low-logic-error-in-periodattimestamp-returns-incorrect-periods.md) - [#59559 \[SC-Low\] period calculation does not use provided timestamp in periodattimestamp](https://reports.immunefi.com/firelight/59559-sc-low-period-calculation-does-not-use-provided-timestamp-in-periodattimestamp.md) - [59533 sc low firelightvault sol periodattimestamp will return an incorrect period number due to flawed logic](https://reports.immunefi.com/firelight/59533-sc-low-firelightvault-sol-periodattimestamp-will-return-an-incorrect-period-number-due-to-flaw.md) - [#59467 \[SC-Low\] periodattimestamp ignores input parameter](https://reports.immunefi.com/firelight/59467-sc-low-periodattimestamp-ignores-input-parameter.md) - [#59445 \[SC-Low\] periodattimestamp does not work as expected](https://reports.immunefi.com/firelight/59445-sc-low-periodattimestamp-does-not-work-as-expected.md) - [#59422 \[SC-Low\] periodattimestamp ignores the supplied timestamp](https://reports.immunefi.com/firelight/59422-sc-low-periodattimestamp-ignores-the-supplied-timestamp.md) - [#59385 \[SC-Low\] timestamp ignored current block time used](https://reports.immunefi.com/firelight/59385-sc-low-timestamp-ignored-current-block-time-used.md) - [#59371 \[SC-Low\] avoid leaving a vault contract uninitialized](https://reports.immunefi.com/firelight/59371-sc-low-avoid-leaving-a-vault-contract-uninitialized.md) - [59369 sc low the function periodattimestamp uses the current timestamp instead of provided timestamp causing incorrect period calculation](https://reports.immunefi.com/firelight/59369-sc-low-the-function-periodattimestamp-uses-the-current-timestamp-instead-of-provided-timestamp.md) - [59355 sc low periodattimestamp ignores the input timestamp and returns the wrong period for non current timestamps](https://reports.immunefi.com/firelight/59355-sc-low-periodattimestamp-ignores-the-input-timestamp-and-returns-the-wrong-period-for-non-curr.md) - [59335 sc low periodattimestamp function returns current period instead of queried period leading to temporary freezing of funds](https://reports.immunefi.com/firelight/59335-sc-low-periodattimestamp-function-returns-current-period-instead-of-queried-period-leading-to.md) - [59334 sc low periodattimestamp function uses current timestamp instead of input parameter causing incorrect period calculation for historical or future queries](https://reports.immunefi.com/firelight/59334-sc-low-periodattimestamp-function-uses-current-timestamp-instead-of-input-parameter-causing-in.md) - [59330 sc insight rescuer role not assigned during initialization](https://reports.immunefi.com/firelight/59330-sc-insight-rescuer-role-not-assigned-during-initialization.md) - [59298 sc low function periodattimestamp ignores the input timestamp returning the current period instead](https://reports.immunefi.com/firelight/59298-sc-low-function-periodattimestamp-ignores-the-input-timestamp-returning-the-current-period-ins.md) - [59296 sc low periodattimestamp uint48 timestamp ignores its parameter and always returns the current period](https://reports.immunefi.com/firelight/59296-sc-low-periodattimestamp-uint48-timestamp-ignores-its-parameter-and-always-returns-the-current.md) - [59288 sc insight repeated array access in rescuewithdrawfromblocklisted loop causes unnecessary gas consumption](https://reports.immunefi.com/firelight/59288-sc-insight-repeated-array-access-in-rescuewithdrawfromblocklisted-loop-causes-unnecessary-gas.md) - [59280 sc low periodattimestamp uint48 timestamp ignores timestamp and return incorrect values when it is not time timestamp ](https://reports.immunefi.com/firelight/59280-sc-low-periodattimestamp-uint48-timestamp-ignores-timestamp-and-return-incorrect-values-when-i.md) - [59236 sc low implementation contract lacks initializer protection](https://reports.immunefi.com/firelight/59236-sc-low-implementation-contract-lacks-initializer-protection.md) - [59235 sc low firelight vault deviation from security best practice of locking down implementation logic ](https://reports.immunefi.com/firelight/59235-sc-low-firelight-vault-deviation-from-security-best-practice-of-locking-down-implementation-lo.md) - [59226 sc low logic flaw in periodattimestamp function breaks historical queries returning current period instead](https://reports.immunefi.com/firelight/59226-sc-low-logic-flaw-in-periodattimestamp-function-breaks-historical-queries-returning-current-pe.md) - [59179 sc low periodattimestamp bug returns current period for all timestamps](https://reports.immunefi.com/firelight/59179-sc-low-periodattimestamp-bug-returns-current-period-for-all-timestamps.md) - [59168 sc low incorrect time semantics in periodattimestamp cause off chain miscalculations and data inconsistency](https://reports.immunefi.com/firelight/59168-sc-low-incorrect-time-semantics-in-periodattimestamp-cause-off-chain-miscalculations-and-data.md) - [59124 sc insight inefficient loop direction in periodconfigurationattimestamp causes unnecessary gas consumption](https://reports.immunefi.com/firelight/59124-sc-insight-inefficient-loop-direction-in-periodconfigurationattimestamp-causes-unnecessary-gas.md) - [59115 sc low periodattimestamp function is incorrectly implemented and always returns period at current timestamp ](https://reports.immunefi.com/firelight/59115-sc-low-periodattimestamp-function-is-incorrectly-implemented-and-always-returns-period-at-curr.md) - [59100 sc low periodattimestamp returns current period instead of queried historical period](https://reports.immunefi.com/firelight/59100-sc-low-periodattimestamp-returns-current-period-instead-of-queried-historical-period.md) - [#59091 \[SC-Low\] low firelightvault sol implementation contract does not disable initializers](https://reports.immunefi.com/firelight/59091-sc-low-low-firelightvault-sol-implementation-contract-does-not-disable-initializers.md) - [#59054 \[SC-Low\] periodattimestamp returns incorrect period number](https://reports.immunefi.com/firelight/59054-sc-low-periodattimestamp-returns-incorrect-period-number.md) - [59034 sc insight islogassets parameter of the logtrace function will always be set to true and can be removed ](https://reports.immunefi.com/firelight/59034-sc-insight-islogassets-parameter-of-the-logtrace-function-will-always-be-set-to-true-and-can-b.md) - [#59031 \[SC-Low\] periodattimestamp returns incorrect period numbers for non current timestamps](https://reports.immunefi.com/firelight/59031-sc-low-periodattimestamp-returns-incorrect-period-numbers-for-non-current-timestamps.md) - [59027 sc insight withdrawalsof view function does not account for already withdrawn funds](https://reports.immunefi.com/firelight/59027-sc-insight-withdrawalsof-view-function-does-not-account-for-already-withdrawn-funds.md) - [59023 sc low unprotected implementation contract initializer allows unauthorized admin role assignment leading to potential governance manipulation](https://reports.immunefi.com/firelight/59023-sc-low-unprotected-implementation-contract-initializer-allows-unauthorized-admin-role-assignme.md) - [#59007 \[SC-Low\] periodattimestamp returns current period instead of historical](https://reports.immunefi.com/firelight/59007-sc-low-periodattimestamp-returns-current-period-instead-of-historical.md) - [58993 sc low incorrect timestamp calculation in periodattimestamp leads to broken historical period lookups](https://reports.immunefi.com/firelight/58993-sc-low-incorrect-timestamp-calculation-in-periodattimestamp-leads-to-broken-historical-period.md) - [#58992 \[SC-Low\] the firelightvault contract doesn t call disableinitializers in its construcotor](https://reports.immunefi.com/firelight/58992-sc-low-the-firelightvault-contract-doesn-t-call-disableinitializers-in-its-construcotor.md) - [Vechain | Stargate Hayabusa](https://reports.immunefi.com/vechain-or-stargate-hayabusa.md) - [60149 sc insight revised missing input validation in addlevels can break multiple staking tier invariant in startgatenft ](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60149-sc-insight-revised-missing-input-validation-in-addlevels-can-break-multiple-staking-tier-invar.md) - [59244 sc insight missing event emission on critical state change](https://reports.immunefi.com/vechain-or-stargate-hayabusa/59244-sc-insight-missing-event-emission-on-critical-state-change.md) - [59316 sc high off by one unlocks infinite vtho reward drain from ghost stakes](https://reports.immunefi.com/vechain-or-stargate-hayabusa/59316-sc-high-off-by-one-unlocks-infinite-vtho-reward-drain-from-ghost-stakes.md) - [59358 sc high off by one error in reward claim logic allows delegators to steal vtho for periods after delegation ended](https://reports.immunefi.com/vechain-or-stargate-hayabusa/59358-sc-high-off-by-one-error-in-reward-claim-logic-allows-delegators-to-steal-vtho-for-periods-aft.md) - [59361 sc high off by one in claimabledelegationperiods allows claimrewards to pay for periods after delegation end over claim theft of unclaimed yield](https://reports.immunefi.com/vechain-or-stargate-hayabusa/59361-sc-high-off-by-one-in-claimabledelegationperiods-allows-claimrewards-to-pay-for-periods-after.md) - [59386 sc high fund freeze from double stake subtraction when validator exits ](https://reports.immunefi.com/vechain-or-stargate-hayabusa/59386-sc-high-fund-freeze-from-double-stake-subtraction-when-validator-exits.md) - [59411 sc insight inconsistency in migratetokenmanager in terms of the permitted caller](https://reports.immunefi.com/vechain-or-stargate-hayabusa/59411-sc-insight-inconsistency-in-migratetokenmanager-in-terms-of-the-permitted-caller.md) - [59421 sc high theft of unclaimed yield via incorrect period range calculation and lack of per user effective stake tracking](https://reports.immunefi.com/vechain-or-stargate-hayabusa/59421-sc-high-theft-of-unclaimed-yield-via-incorrect-period-range-calculation-and-lack-of-per-user-e.md) - [59443 sc high rithmetic underflow in effective stake accounting causes permanent loss of funds](https://reports.immunefi.com/vechain-or-stargate-hayabusa/59443-sc-high-rithmetic-underflow-in-effective-stake-accounting-causes-permanent-loss-of-funds.md) - [59563 sc high exited delegators can claim rewards indefinitely after exit](https://reports.immunefi.com/vechain-or-stargate-hayabusa/59563-sc-high-exited-delegators-can-claim-rewards-indefinitely-after-exit.md) - [59564 sc high double calling updateperiodeffectivestake during the exit flow makes unstake revert trapping staked vet ](https://reports.immunefi.com/vechain-or-stargate-hayabusa/59564-sc-high-double-calling-updateperiodeffectivestake-during-the-exit-flow-makes-unstake-revert-tr.md) - [59570 sc medium access control bypass in unstake leads to permanent freezing of funds](https://reports.immunefi.com/vechain-or-stargate-hayabusa/59570-sc-medium-access-control-bypass-in-unstake-leads-to-permanent-freezing-of-funds.md) - [59615 sc high off by one error in period boundary check allows theft of unclaimed yield after delegation exit](https://reports.immunefi.com/vechain-or-stargate-hayabusa/59615-sc-high-off-by-one-error-in-period-boundary-check-allows-theft-of-unclaimed-yield-after-delega.md) - [59657 sc high delegators lose first reward period when delegating to pending validators](https://reports.immunefi.com/vechain-or-stargate-hayabusa/59657-sc-high-delegators-lose-first-reward-period-when-delegating-to-pending-validators.md) - [59665 sc high delegators can claim rewards beyond delegation end](https://reports.immunefi.com/vechain-or-stargate-hayabusa/59665-sc-high-delegators-can-claim-rewards-beyond-delegation-end.md) - [59709 sc high post exit rewards overpayment theft of unclaimed yield due to misclamped claim window in stargate](https://reports.immunefi.com/vechain-or-stargate-hayabusa/59709-sc-high-post-exit-rewards-overpayment-theft-of-unclaimed-yield-due-to-misclamped-claim-window.md) - [59723 sc high double decrease after exit validator exited leads to underflow and permanent freeze](https://reports.immunefi.com/vechain-or-stargate-hayabusa/59723-sc-high-double-decrease-after-exit-validator-exited-leads-to-underflow-and-permanent-freeze.md) - [59727 sc high double decrease dos on exit permanent unstake revert](https://reports.immunefi.com/vechain-or-stargate-hayabusa/59727-sc-high-double-decrease-dos-on-exit-permanent-unstake-revert.md) - [59730 sc high permanent dos users cannot unstake after double exit scenario](https://reports.immunefi.com/vechain-or-stargate-hayabusa/59730-sc-high-permanent-dos-users-cannot-unstake-after-double-exit-scenario.md) - [59733 sc high post exit delegations can drain future rewards](https://reports.immunefi.com/vechain-or-stargate-hayabusa/59733-sc-high-post-exit-delegations-can-drain-future-rewards.md) - [59742 sc high user funds get stucked in the contract when validators exits ](https://reports.immunefi.com/vechain-or-stargate-hayabusa/59742-sc-high-user-funds-get-stucked-in-the-contract-when-validators-exits.md) - [59752 sc high off by one bug in claimabledelegationperiods allows claiming yield for periods after exit](https://reports.immunefi.com/vechain-or-stargate-hayabusa/59752-sc-high-off-by-one-bug-in-claimabledelegationperiods-allows-claiming-yield-for-periods-after-e.md) - [59756 sc high exiting delegators stakes can be bricked permanently by the validator signaling an exit after them in the same period](https://reports.immunefi.com/vechain-or-stargate-hayabusa/59756-sc-high-exiting-delegators-stakes-can-be-bricked-permanently-by-the-validator-signaling-an-exi.md) - [59776 sc high exited delegators can over claim vtho rewards for post exit periods due to off by one error in claimabledelegationperiods](https://reports.immunefi.com/vechain-or-stargate-hayabusa/59776-sc-high-exited-delegators-can-over-claim-vtho-rewards-for-post-exit-periods-due-to-off-by-one.md) - [59795 sc low free boosts for levels added after v3](https://reports.immunefi.com/vechain-or-stargate-hayabusa/59795-sc-low-free-boosts-for-levels-added-after-v3.md) - [59802 sc high double subtraction of validator effective stake will permanently lock other delegators staked vet](https://reports.immunefi.com/vechain-or-stargate-hayabusa/59802-sc-high-double-subtraction-of-validator-effective-stake-will-permanently-lock-other-delegators.md) - [59809 sc high user balances are permanently frozen in specific delegation scenarios](https://reports.immunefi.com/vechain-or-stargate-hayabusa/59809-sc-high-user-balances-are-permanently-frozen-in-specific-delegation-scenarios.md) - [59814 sc low stargatenft sol addlevel function not implement updatelevelboostpriceperblock](https://reports.immunefi.com/vechain-or-stargate-hayabusa/59814-sc-low-stargatenft-sol-addlevel-function-not-implement-updatelevelboostpriceperblock.md) - [59841 sc low the newly added level cannot have its boost price set because the updatelevelboostpriceperblock function is not exposed](https://reports.immunefi.com/vechain-or-stargate-hayabusa/59841-sc-low-the-newly-added-level-cannot-have-its-boost-price-set-because-the-updatelevelboostprice.md) - [59844 sc insight incorrect and misleading events when adding levels in stargatenft ](https://reports.immunefi.com/vechain-or-stargate-hayabusa/59844-sc-insight-incorrect-and-misleading-events-when-adding-levels-in-stargatenft.md) - [59850 sc high users funds stuck in the contract permanently](https://reports.immunefi.com/vechain-or-stargate-hayabusa/59850-sc-high-users-funds-stuck-in-the-contract-permanently.md) - [59863 sc high over claim of delegation rewards after exit](https://reports.immunefi.com/vechain-or-stargate-hayabusa/59863-sc-high-over-claim-of-delegation-rewards-after-exit.md) - [59866 sc high the delegator s rewards in period 1 cannot be claimed](https://reports.immunefi.com/vechain-or-stargate-hayabusa/59866-sc-high-the-delegator-s-rewards-in-period-1-cannot-be-claimed.md) - [59904 sc high it s possible to decrease twice delegator stake in certain conditions](https://reports.immunefi.com/vechain-or-stargate-hayabusa/59904-sc-high-it-s-possible-to-decrease-twice-delegator-stake-in-certain-conditions.md) - [59919 sc high loss of funds delegators can claim rewards for periods where they had no stake](https://reports.immunefi.com/vechain-or-stargate-hayabusa/59919-sc-high-loss-of-funds-delegators-can-claim-rewards-for-periods-where-they-had-no-stake.md) - [59951 sc high in special cases delegatorseffectivestake may decrease twice and cause staked funds to become locked](https://reports.immunefi.com/vechain-or-stargate-hayabusa/59951-sc-high-in-special-cases-delegatorseffectivestake-may-decrease-twice-and-cause-staked-funds-to.md) - [59993 sc insight unnecessary call to get balance in mintinglogic boostonbehalfof ](https://reports.immunefi.com/vechain-or-stargate-hayabusa/59993-sc-insight-unnecessary-call-to-get-balance-in-mintinglogic-boostonbehalfof.md) - [59997 sc medium claimrewards fails to update state for zero value periods causing permanent fund freeze in unstake ](https://reports.immunefi.com/vechain-or-stargate-hayabusa/59997-sc-medium-claimrewards-fails-to-update-state-for-zero-value-periods-causing-permanent-fund-fre.md) - [60004 sc high double decrease effective stake bug in unstake ](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60004-sc-high-double-decrease-effective-stake-bug-in-unstake.md) - [60019 sc high off by one in stargate sol claimabledelegationperiods lets exited nfts siphon validator rewards leading to protocol insolvency](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60019-sc-high-off-by-one-in-stargate-sol-claimabledelegationperiods-lets-exited-nfts-siphon-validato.md) - [60023 sc insight unchecked address 0 validator in unstake ](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60023-sc-insight-unchecked-address-0-validator-in-unstake.md) - [60027 sc high stuck funds for the later delegators due to an edge case led to double decreasing effective stakes](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60027-sc-high-stuck-funds-for-the-later-delegators-due-to-an-edge-case-led-to-double-decreasing-effe.md) - [60028 sc high a delegator who has requested an exit continues to accumulate rewards](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60028-sc-high-a-delegator-who-has-requested-an-exit-continues-to-accumulate-rewards.md) - [60049 sc high double effective stake decrement locks delegators unstake reverts due to duplicate effectivestake decrements in exit flow](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60049-sc-high-double-effective-stake-decrement-locks-delegators-unstake-reverts-due-to-duplicate-eff.md) - [60069 sc high incorrect claimable period calculation leading to attacker keep claiming even after exiting the delegation ](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60069-sc-high-incorrect-claimable-period-calculation-leading-to-attacker-keep-claiming-even-after-ex.md) - [60079 sc low critical historical state corruption via stale checkpoints leads to permanent loss of future yield](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60079-sc-low-critical-historical-state-corruption-via-stale-checkpoints-leads-to-permanent-loss-of-f.md) - [60080 sc high unstake exit requests can either lock funds or silently double deduct effective stake after validator exit](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60080-sc-high-unstake-exit-requests-can-either-lock-funds-or-silently-double-deduct-effective-stake.md) - [60081 sc high exited delegator can continue to accrue and claim delegation rewards ](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60081-sc-high-exited-delegator-can-continue-to-accrue-and-claim-delegation-rewards.md) - [60102 sc high exited delegator could keep claiming rewards stealing them from active delegators which would then lead to freeze of funds](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60102-sc-high-exited-delegator-could-keep-claiming-rewards-stealing-them-from-active-delegators-whic.md) - [60125 sc high moving delegations from one validator to another validator will not be possible in exit case for validator 1](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60125-sc-high-moving-delegations-from-one-validator-to-another-validator-will-not-be-possible-in-exi.md) - [60150 sc high off by one in claim window lets exited delegations harvest post exit rewards](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60150-sc-high-off-by-one-in-claim-window-lets-exited-delegations-harvest-post-exit-rewards.md) - [60151 sc high double reduction of effective stake can lead to stuck delegations ](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60151-sc-high-double-reduction-of-effective-stake-can-lead-to-stuck-delegations.md) - [60154 sc high exited delegations can continue claiming vtho rewards for future periods](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60154-sc-high-exited-delegations-can-continue-claiming-vtho-rewards-for-future-periods.md) - [60169 sc high exited delegations can continue to claim rewards due to logic fall through in claimabledelegationperiods ](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60169-sc-high-exited-delegations-can-continue-to-claim-rewards-due-to-logic-fall-through-in-claimabl.md) - [60171 sc low levels added after deployment lack boost price initialization resulting in free boosting](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60171-sc-low-levels-added-after-deployment-lack-boost-price-initialization-resulting-in-free-boostin.md) - [60173 sc high the phantom claimable periods can permanently lock the staked vet for ended delegations](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60173-sc-high-the-phantom-claimable-periods-can-permanently-lock-the-staked-vet-for-ended-delegation.md) - [60192 sc high users can claim delegation rewards after exit endperiod has passed](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60192-sc-high-users-can-claim-delegation-rewards-after-exit-endperiod-has-passed.md) - [60210 sc high during a validator exit users will be unable to unstake due to underflow](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60210-sc-high-during-a-validator-exit-users-will-be-unable-to-unstake-due-to-underflow.md) - [60241 sc medium permanent freezing of staked funds caused by accumulation with zero rewards](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60241-sc-medium-permanent-freezing-of-staked-funds-caused-by-accumulation-with-zero-rewards.md) - [60259 sc low malicious user can bypass maturity period for newly added levels](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60259-sc-low-malicious-user-can-bypass-maturity-period-for-newly-added-levels.md) - [60265 sc high the attacker can still claim rewards after exiting from validator](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60265-sc-high-the-attacker-can-still-claim-rewards-after-exiting-from-validator.md) - [60597 sc low hasrequestedexit returns true for not just requested exits but also delegations that are already exited](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60597-sc-low-hasrequestedexit-returns-true-for-not-just-requested-exits-but-also-delegations-that-ar.md) - [60593 sc low no mechanism to set boostpriceperblock for levels added after initialization](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60593-sc-low-no-mechanism-to-set-boostpriceperblock-for-levels-added-after-initialization.md) - [60592 sc high users are unable to unstake under certain conditions](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60592-sc-high-users-are-unable-to-unstake-under-certain-conditions.md) - [60586 sc high incorrect double reduction of effective stake in stargate sol](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60586-sc-high-incorrect-double-reduction-of-effective-stake-in-stargate-sol.md) - [60578 sc low zero boost fee for newly added levels lets users skip maturity for free and avoid paying intended vtho boost cost](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60578-sc-low-zero-boost-fee-for-newly-added-levels-lets-users-skip-maturity-for-free-and-avoid-payin.md) - [60575 sc high double subtraction of delegator effective stake on exit can freeze vet and break reward distribution](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60575-sc-high-double-subtraction-of-delegator-effective-stake-on-exit-can-freeze-vet-and-break-rewar.md) - [60557 sc high double decrement of effective stake in unstake leads to dos and permanent fund lock](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60557-sc-high-double-decrement-of-effective-stake-in-unstake-leads-to-dos-and-permanent-fund-lock.md) - [60553 sc high the delegator and the validator both exiting consecutively could lead to underflow in the unstake and delegate and stuck staked vet ](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60553-sc-high-the-delegator-and-the-validator-both-exiting-consecutively-could-lead-to-underflow-in.md) - [60548 sc high an exited delegator who has not unstaked or delegated to a validator will be dos ed if a validator exits ](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60548-sc-high-an-exited-delegator-who-has-not-unstaked-or-delegated-to-a-validator-will-be-dos-ed-if.md) - [60539 sc medium critical withdraw dos zero reward validators cause permanent user fund lock via broken reward claim logic](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60539-sc-medium-critical-withdraw-dos-zero-reward-validators-cause-permanent-user-fund-lock-via-brok.md) - [60534 sc high a delegator who signals exit and waits for the validator to finish its period can no longer withdraw in the unstake function causing permanent loss of funds ](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60534-sc-high-a-delegator-who-signals-exit-and-waits-for-the-validator-to-finish-its-period-can-no-l.md) - [60533 sc high overlap which will lead to loss of fund](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60533-sc-high-overlap-which-will-lead-to-loss-of-fund.md) - [60527 sc insight delegationexitrequested event emits inconsistent exit period values](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60527-sc-insight-delegationexitrequested-event-emits-inconsistent-exit-period-values.md) - [60525 sc insight levelcirculatingsupplyupdated not emitted during supply changes](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60525-sc-insight-levelcirculatingsupplyupdated-not-emitted-during-supply-changes.md) - [60516 sc high incorrect boundary check in claimabledelegationperiods allows claiming rewards beyond delegation end period](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60516-sc-high-incorrect-boundary-check-in-claimabledelegationperiods-allows-claiming-rewards-beyond.md) - [60506 sc high double delegatorseffectivestake decrease permanently prevents single nft from unstaking](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60506-sc-high-double-delegatorseffectivestake-decrease-permanently-prevents-single-nft-from-unstakin.md) - [60470 sc high double decrease of validator stake in stargate sol](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60470-sc-high-double-decrease-of-validator-stake-in-stargate-sol.md) - [60466 sc medium maxclaimableperiodsexceeded lock zero reward backlog permanently locks nfts](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60466-sc-medium-maxclaimableperiodsexceeded-lock-zero-reward-backlog-permanently-locks-nfts.md) - [60450 sc insight code optimizations and enhancemets for efficient gas usage in several functions](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60450-sc-insight-code-optimizations-and-enhancemets-for-efficient-gas-usage-in-several-functions.md) - [60431 sc high unauthorized vtho reward claims after delegation exit](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60431-sc-high-unauthorized-vtho-reward-claims-after-delegation-exit.md) - [60429 sc high double decrease of effective stake prevents delegators from unstaking](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60429-sc-high-double-decrease-of-effective-stake-prevents-delegators-from-unstaking.md) - [60426 sc high rewards accounting off by one skipped double period exploit leads to direct loss of user funds via incorrect reward distribution theft of unclaimed yield misallocation of vt ](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60426-sc-high-rewards-accounting-off-by-one-skipped-double-period-exploit-leads-to-direct-loss-of-us.md) - [60419 sc high double decrease of effective stake leads to dos and permanent loss of funds](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60419-sc-high-double-decrease-of-effective-stake-leads-to-dos-and-permanent-loss-of-funds.md) - [60400 sc high off by one in claimabledelegationperiods lets claims beyond exit](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60400-sc-high-off-by-one-in-claimabledelegationperiods-lets-claims-beyond-exit.md) - [60386 sc low missing setter for boostpriceperblock after adding new nft levels can allow users to bypass intended staking boost](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60386-sc-low-missing-setter-for-boostpriceperblock-after-adding-new-nft-levels-can-allow-users-to-by.md) - [60373 sc high incorrect effective stake decrement when validator exits causes permanent freezing of user stake](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60373-sc-high-incorrect-effective-stake-decrement-when-validator-exits-causes-permanent-freezing-of.md) - [60372 sc high double decrement bug effective stake underflow permanently locks funds](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60372-sc-high-double-decrement-bug-effective-stake-underflow-permanently-locks-funds.md) - [60335 sc insight missing or misleading code comments causes confusion and may lead to unnecessary code changes](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60335-sc-insight-missing-or-misleading-code-comments-causes-confusion-and-may-lead-to-unnecessary-co.md) - [60334 sc high unstake permanently reverts when validator exits after delegator exit double decrease of effective stake ](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60334-sc-high-unstake-permanently-reverts-when-validator-exits-after-delegator-exit-double-decrease.md) - [60318 sc low zero cost boost bypass for new levels](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60318-sc-low-zero-cost-boost-bypass-for-new-levels.md) - [60311 sc high double effective stake decrement freezes unstake permanently after validator exit](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60311-sc-high-double-effective-stake-decrement-freezes-unstake-permanently-after-validator-exit.md) - [60310 sc high incorrect boundary check in claimabledelegationperiods allows claiming rewards beyond delegation end period](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60310-sc-high-incorrect-boundary-check-in-claimabledelegationperiods-allows-claiming-rewards-beyond.md) - [60298 sc high duplicate effectivestake decrement path bricks unstake re delegate](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60298-sc-high-duplicate-effectivestake-decrement-path-bricks-unstake-re-delegate.md) - [60289 sc low misconfigured level with maturityblocks 0 allows skip of maturity requirements and backrun minting](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60289-sc-low-misconfigured-level-with-maturityblocks-0-allows-skip-of-maturity-requirements-and-back.md) - [60282 sc high last delegators for an exited validator may be dosed from re delegating or unstaking due to incorrect accounting of period effective stake](https://reports.immunefi.com/vechain-or-stargate-hayabusa/60282-sc-high-last-delegators-for-an-exited-validator-may-be-dosed-from-re-delegating-or-unstaking-d.md) - [Belong](https://reports.immunefi.com/belong.md) - [57810 sc insight gas optimization use calldata for external struct parameters in checkaccesstokeninfo or checkcustomerinfo or checkpromoterpaymentdistribution ](https://reports.immunefi.com/belong/57810-sc-insight-gas-optimization-use-calldata-for-external-struct-parameters-in-checkaccesstokeninf.md) - [57921 sc insight whitelisted role cannot be revoked in nft cairo ](https://reports.immunefi.com/belong/57921-sc-insight-whitelisted-role-cannot-be-revoked-in-nft-cairo.md) - [57931 sc insight consumes more gas than intended in getstandardizedprice function in helper library](https://reports.immunefi.com/belong/57931-sc-insight-consumes-more-gas-than-intended-in-getstandardizedprice-function-in-helper-library.md) - [57437 sc medium front running in factory produce ](https://reports.immunefi.com/belong/57437-sc-medium-front-running-in-factory-produce.md) - [57924 sc critical the staking contract is suceptible to the classic first depositor exploit](https://reports.immunefi.com/belong/57924-sc-critical-the-staking-contract-is-suceptible-to-the-classic-first-depositor-exploit.md) - [57453 sc low attackers can drain user allowance provided to the belongcheckin sol](https://reports.immunefi.com/belong/57453-sc-low-attackers-can-drain-user-allowance-provided-to-the-belongcheckin-sol.md) - [57803 sc insight gas optimize paymentsinfo struct layout to save storage slots and reduce gas costs](https://reports.immunefi.com/belong/57803-sc-insight-gas-optimize-paymentsinfo-struct-layout-to-save-storage-slots-and-reduce-gas-costs.md) - [57634 sc medium unauthorized minting of nfts due to signature replay](https://reports.immunefi.com/belong/57634-sc-medium-unauthorized-minting-of-nfts-due-to-signature-replay.md) - [57942 sc critical transferred slong shares are permanently unredeemable due to missing stake entry creation](https://reports.immunefi.com/belong/57942-sc-critical-transferred-slong-shares-are-permanently-unredeemable-due-to-missing-stake-entry-c.md) - [56826 sc medium attacker can bloat a victim s stakes array and cause withdrawals emergency flows to run out of gas](https://reports.immunefi.com/belong/56826-sc-medium-attacker-can-bloat-a-victim-s-stakes-array-and-cause-withdrawals-emergency-flows-to.md) - [57610 sc medium venues can steal from customers by replaying payments via belongcheckin paytovenue ](https://reports.immunefi.com/belong/57610-sc-medium-venues-can-steal-from-customers-by-replaying-payments-via-belongcheckin-paytovenue.md) - [57691 sc medium malicious referrer can permanently block eth payment flow](https://reports.immunefi.com/belong/57691-sc-medium-malicious-referrer-can-permanently-block-eth-payment-flow.md) - [57727 sc medium venues with autostake long paymenttype can be griefed and cause permanent freeze of long token](https://reports.immunefi.com/belong/57727-sc-medium-venues-with-autostake-long-paymenttype-can-be-griefed-and-cause-permanent-freeze-of.md) - [57615 sc medium permanent freezing of user assets in staking sol ](https://reports.immunefi.com/belong/57615-sc-medium-permanent-freezing-of-user-assets-in-staking-sol.md) - [57076 sc high incorrect slippage would result in swap manipulations](https://reports.immunefi.com/belong/57076-sc-high-incorrect-slippage-would-result-in-swap-manipulations.md) - [57786 sc high malicious users can frontrun staking distributerewards to claim majority of rewards](https://reports.immunefi.com/belong/57786-sc-high-malicious-users-can-frontrun-staking-distributerewards-to-claim-majority-of-rewards.md) - [57905 sc medium signature malleability and replay attack vulnerabilities in signature verification](https://reports.immunefi.com/belong/57905-sc-medium-signature-malleability-and-replay-attack-vulnerabilities-in-signature-verification.md) - [57927 sc medium front run takeover in factory produce](https://reports.immunefi.com/belong/57927-sc-medium-front-run-takeover-in-factory-produce.md) - [57427 sc medium mint signatures are not bound to a collection which makes cross collection replay possible under a shared signer](https://reports.immunefi.com/belong/57427-sc-medium-mint-signatures-are-not-bound-to-a-collection-which-makes-cross-collection-replay-po.md) - [57134 sc insight accesstoken sol is not erc721 compliant](https://reports.immunefi.com/belong/57134-sc-insight-accesstoken-sol-is-not-erc721-compliant.md) - [57850 sc medium by transferring his staking shares to another non staking address allowing him to bypass minstakeperiod ](https://reports.immunefi.com/belong/57850-sc-medium-by-transferring-his-staking-shares-to-another-non-staking-address-allowing-him-to-by.md) - [57445 sc medium signature replay with mutable parameters](https://reports.immunefi.com/belong/57445-sc-medium-signature-replay-with-mutable-parameters.md) - [57458 sc medium dos griefing in batch eth payout malicious payee receive can revert and block releaseall for all payees in royaltiesreceiverv2](https://reports.immunefi.com/belong/57458-sc-medium-dos-griefing-in-batch-eth-payout-malicious-payee-receive-can-revert-and-block-releas.md) - [57237 sc high cross token math contaminates payouts in receiver ](https://reports.immunefi.com/belong/57237-sc-high-cross-token-math-contaminates-payouts-in-receiver.md) - [56872 sc critical freezing of funds ](https://reports.immunefi.com/belong/56872-sc-critical-freezing-of-funds.md) - [57790 sc medium withdrawal denial of service via dust stake spam](https://reports.immunefi.com/belong/57790-sc-medium-withdrawal-denial-of-service-via-dust-stake-spam.md) - [56881 sc high temporary claim freezing](https://reports.immunefi.com/belong/56881-sc-high-temporary-claim-freezing.md) - [57702 sc medium the long payment path is sensitive to the long inventory in escrow and insufficient inventory can easily lead to business unavailability dos of long payments ](https://reports.immunefi.com/belong/57702-sc-medium-the-long-payment-path-is-sensitive-to-the-long-inventory-in-escrow-and-insufficient.md) - [57736 sc critical first depositor attack is possible](https://reports.immunefi.com/belong/57736-sc-critical-first-depositor-attack-is-possible.md) - [57733 sc high swapexact s slippge is not works as expected](https://reports.immunefi.com/belong/57733-sc-high-swapexact-s-slippge-is-not-works-as-expected.md) - [57938 sc medium produce function doesn t check if creator is the caller allowing frontrunning attacks](https://reports.immunefi.com/belong/57938-sc-medium-produce-function-doesn-t-check-if-creator-is-the-caller-allowing-frontrunning-attack.md) - [57348 sc insight incorrectly returned values and emitted data on staking emergency functionality](https://reports.immunefi.com/belong/57348-sc-insight-incorrectly-returned-values-and-emitted-data-on-staking-emergency-functionality.md) - [57194 sc medium signature replay across collections missing contract binding ](https://reports.immunefi.com/belong/57194-sc-medium-signature-replay-across-collections-missing-contract-binding.md) - [57685 sc critical vulnerabilities in the design of the token s staking mechanism resulted in financial harm to users involved in transfer related operations ](https://reports.immunefi.com/belong/57685-sc-critical-vulnerabilities-in-the-design-of-the-token-s-staking-mechanism-resulted-in-financi.md) - [57913 sc insight missing validation in setparameters allows invalid fee configuration causing reverts in paytovenue ](https://reports.immunefi.com/belong/57913-sc-insight-missing-validation-in-setparameters-allows-invalid-fee-configuration-causing-revert.md) - [57656 sc insight incorrect supply cap check uses token id instead of total supply in base mint ](https://reports.immunefi.com/belong/57656-sc-insight-incorrect-supply-cap-check-uses-token-id-instead-of-total-supply-in-base-mint.md) - [57515 sc high cross token accounting is broken](https://reports.immunefi.com/belong/57515-sc-high-cross-token-accounting-is-broken.md) - [56841 sc high sudden addition of rewards will be frontrun with deposits just to steal part of reward](https://reports.immunefi.com/belong/56841-sc-high-sudden-addition-of-rewards-will-be-frontrun-with-deposits-just-to-steal-part-of-reward.md) - [57586 sc high calculating slippage for swap onchain does not prevent slippage loss](https://reports.immunefi.com/belong/57586-sc-high-calculating-slippage-for-swap-onchain-does-not-prevent-slippage-loss.md) - [57268 sc insight erc1155base missing collection uri fallback causes significant gas waste on every token mint](https://reports.immunefi.com/belong/57268-sc-insight-erc1155base-missing-collection-uri-fallback-causes-significant-gas-waste-on-every-t.md) - [57362 sc medium attacker can dos user withdraw in staking contract](https://reports.immunefi.com/belong/57362-sc-medium-attacker-can-dos-user-withdraw-in-staking-contract.md) - [57895 sc medium lack of msg sender validation in collection creation signature enables front running attack leading to creator impersonation](https://reports.immunefi.com/belong/57895-sc-medium-lack-of-msg-sender-validation-in-collection-creation-signature-enables-front-running.md) - [57255 sc low allowed minting of nfts after collection expiry date](https://reports.immunefi.com/belong/57255-sc-low-allowed-minting-of-nfts-after-collection-expiry-date.md) - [57650 sc low wrapped native token routing can fail without full validation](https://reports.immunefi.com/belong/57650-sc-low-wrapped-native-token-routing-can-fail-without-full-validation.md) - [57388 sc medium cross contract signature replay because verifying contract is not included in the digest](https://reports.immunefi.com/belong/57388-sc-medium-cross-contract-signature-replay-because-verifying-contract-is-not-included-in-the-di.md) - [57882 sc insight venue tokens cannot be withdrawn when there are no promoters involved in customers transactions](https://reports.immunefi.com/belong/57882-sc-insight-venue-tokens-cannot-be-withdrawn-when-there-are-no-promoters-involved-in-customers.md) - [57401 sc critical erc4626 inflation attack vulnerability](https://reports.immunefi.com/belong/57401-sc-critical-erc4626-inflation-attack-vulnerability.md) - [57911 sc medium signature are malleable in signatureverifier sol ](https://reports.immunefi.com/belong/57911-sc-medium-signature-are-malleable-in-signatureverifier-sol.md) - [57932 sc critical attacker can bypass stake lock](https://reports.immunefi.com/belong/57932-sc-critical-attacker-can-bypass-stake-lock.md) - [57435 sc high missing slippage protection enables direct theft via mev sandwich attacks](https://reports.immunefi.com/belong/57435-sc-high-missing-slippage-protection-enables-direct-theft-via-mev-sandwich-attacks.md) - [57718 sc low staking tier error using erc4626 shares rather than assets to determine staking tiers leads to long term distortion in fees and commissions ](https://reports.immunefi.com/belong/57718-sc-low-staking-tier-error-using-erc4626-shares-rather-than-assets-to-determine-staking-tiers-l.md) - [57917 sc medium penallty can be bypassed in staking sol emergencywithdraw ](https://reports.immunefi.com/belong/57917-sc-medium-penallty-can-be-bypassed-in-staking-sol-emergencywithdraw.md) - [57089 sc medium unauthorized collection hijack via unsigned creator](https://reports.immunefi.com/belong/57089-sc-medium-unauthorized-collection-hijack-via-unsigned-creator.md) - [57558 sc low front running issue in emergencycancelpayment ](https://reports.immunefi.com/belong/57558-sc-low-front-running-issue-in-emergencycancelpayment.md) - [57467 sc insight unlimited referrals hashedcode referralusers increases gas cost with each new referral making it very expensive ](https://reports.immunefi.com/belong/57467-sc-insight-unlimited-referrals-hashedcode-referralusers-increases-gas-cost-with-each-new-refer.md) - [57307 sc low cairo factory referral percentages never update](https://reports.immunefi.com/belong/57307-sc-low-cairo-factory-referral-percentages-never-update.md) - [57425 sc low referral percentage updates are ignored due to append only storage in nftfactory](https://reports.immunefi.com/belong/57425-sc-low-referral-percentage-updates-are-ignored-due-to-append-only-storage-in-nftfactory.md) - [57595 sc low single tier swap path can stall core flows](https://reports.immunefi.com/belong/57595-sc-low-single-tier-swap-path-can-stall-core-flows.md) - [57008 sc critical emergencywithdraw function malfunction due to missing validation in removeanysharesfor](https://reports.immunefi.com/belong/57008-sc-critical-emergencywithdraw-function-malfunction-due-to-missing-validation-in-removeanyshare.md) - [57677 sc medium signature replay in venuedeposit enables affiliate referral code hijacking leading to unauthorized commission theft](https://reports.immunefi.com/belong/57677-sc-medium-signature-replay-in-venuedeposit-enables-affiliate-referral-code-hijacking-leading-t.md) - [57245 sc medium needless iterations in for loops should be removed for better optimization and code maintenance](https://reports.immunefi.com/belong/57245-sc-medium-needless-iterations-in-for-loops-should-be-removed-for-better-optimization-and-code.md) - [57875 sc medium signature bypass lets creators alter key accesstoken parameters before deployment](https://reports.immunefi.com/belong/57875-sc-medium-signature-bypass-lets-creators-alter-key-accesstoken-parameters-before-deployment.md) - [57874 sc insight global metadata wipe on burn one promoter s payout clears the shared erc1155 token uri for all promoters of the same venue](https://reports.immunefi.com/belong/57874-sc-insight-global-metadata-wipe-on-burn-one-promoter-s-payout-clears-the-shared-erc1155-token.md) - [56814 sc medium users can create unauthorized accesstoken collections by exploiting abi encodepacked collision](https://reports.immunefi.com/belong/56814-sc-medium-users-can-create-unauthorized-accesstoken-collections-by-exploiting-abi-encodepacked.md) - [56869 sc medium hijacking deployment of accesstoken and stealing ownership to prevent further deployments](https://reports.immunefi.com/belong/56869-sc-medium-hijacking-deployment-of-accesstoken-and-stealing-ownership-to-prevent-further-deploy.md) - [57864 sc medium abi encodepacked hash collision vulnerability in dynamic type encoding permits malicious signature bypass enabling unauthorized and repeatable transaction execution](https://reports.immunefi.com/belong/57864-sc-medium-abi-encodepacked-hash-collision-vulnerability-in-dynamic-type-encoding-permits-malic.md) - [57902 sc insight erc1155base re mint overwrites token uri allowing post issuance nft alteration griefing](https://reports.immunefi.com/belong/57902-sc-insight-erc1155base-re-mint-overwrites-token-uri-allowing-post-issuance-nft-alteration-grie.md) - [57373 sc medium signature replay vulnerability due to missing nonce and deadline checks](https://reports.immunefi.com/belong/57373-sc-medium-signature-replay-vulnerability-due-to-missing-nonce-and-deadline-checks.md) - [56863 sc critical first depositor advantage](https://reports.immunefi.com/belong/56863-sc-critical-first-depositor-advantage.md) - [57583 sc low promoter bounty bait and switch via updatevenuerules](https://reports.immunefi.com/belong/57583-sc-low-promoter-bounty-bait-and-switch-via-updatevenuerules.md) - [57804 sc insight unbounded percentages cause underflow and dos in mint payment flow](https://reports.immunefi.com/belong/57804-sc-insight-unbounded-percentages-cause-underflow-and-dos-in-mint-payment-flow.md) - [57854 sc medium front running attack allows collection ownership theft](https://reports.immunefi.com/belong/57854-sc-medium-front-running-attack-allows-collection-ownership-theft.md) - [57910 sc insight missing validation on referral percentage sum](https://reports.immunefi.com/belong/57910-sc-insight-missing-validation-on-referral-percentage-sum.md) - [57838 sc insight missing produce name sanitization allows breaking snip 12 standard compliance](https://reports.immunefi.com/belong/57838-sc-insight-missing-produce-name-sanitization-allows-breaking-snip-12-standard-compliance.md) - [57776 sc insight staking sol is not eip4626 compliant breaking integrations](https://reports.immunefi.com/belong/57776-sc-insight-staking-sol-is-not-eip4626-compliant-breaking-integrations.md) - [57452 sc high on chain quoter reliance and spot price based swaps enable pool manipulation and value extraction from protocol controlled conversions usdc long ](https://reports.immunefi.com/belong/57452-sc-high-on-chain-quoter-reliance-and-spot-price-based-swaps-enable-pool-manipulation-and-value.md) - [57676 sc high cross token accounting in receiver allows permanent freezing of erc20 royalty payouts](https://reports.immunefi.com/belong/57676-sc-high-cross-token-accounting-in-receiver-allows-permanent-freezing-of-erc20-royalty-payouts.md) - [57580 sc medium signature replay enables frontrunning of produce producecredittoken](https://reports.immunefi.com/belong/57580-sc-medium-signature-replay-enables-frontrunning-of-produce-producecredittoken.md) - [57505 sc low missing collection expiration enforcement allows unauthorized minting ](https://reports.immunefi.com/belong/57505-sc-low-missing-collection-expiration-enforcement-allows-unauthorized-minting.md) - [57279 sc medium signature replayability repeated use of signed access tokens allows duplicate mints high ](https://reports.immunefi.com/belong/57279-sc-medium-signature-replayability-repeated-use-of-signed-access-tokens-allows-duplicate-mints.md) - [57939 sc medium signature collision via abi encodepacked](https://reports.immunefi.com/belong/57939-sc-medium-signature-collision-via-abi-encodepacked.md) - [57671 sc high royaltiesreceiverv2 shares referralshare uses dynamic values which may result in failure to release funds properly ](https://reports.immunefi.com/belong/57671-sc-high-royaltiesreceiverv2-shares-referralshare-uses-dynamic-values-which-may-result-in-failu.md) - [57201 sc low missing collection expiry enforcement](https://reports.immunefi.com/belong/57201-sc-low-missing-collection-expiry-enforcement.md) - [57596 sc low reentrancy in distributepromoterpayments allows total theft of promoter and venue funds](https://reports.immunefi.com/belong/57596-sc-low-reentrancy-in-distributepromoterpayments-allows-total-theft-of-promoter-and-venue-funds.md) - [57848 sc medium permanent freezing of funds due to no minimum stake limit](https://reports.immunefi.com/belong/57848-sc-medium-permanent-freezing-of-funds-due-to-no-minimum-stake-limit.md) - [57766 sc medium attacker can permanently lock any user s funds](https://reports.immunefi.com/belong/57766-sc-medium-attacker-can-permanently-lock-any-user-s-funds.md) - [57891 sc medium signature replay lets attackers hijack nft collection deployment](https://reports.immunefi.com/belong/57891-sc-medium-signature-replay-lets-attackers-hijack-nft-collection-deployment.md) - [57358 sc medium unlimited stake entries allow account griefing via tiny deposits](https://reports.immunefi.com/belong/57358-sc-medium-unlimited-stake-entries-allow-account-griefing-via-tiny-deposits.md) - [57872 sc low processing fee computed on full long amount instead of subsidy in paytovenue underpaying venues and enabling long payment dos under misconfiguration](https://reports.immunefi.com/belong/57872-sc-low-processing-fee-computed-on-full-long-amount-instead-of-subsidy-in-paytovenue-underpayin.md) - [57717 sc medium attacker can spam tiny stakes to a victim and make their withdrawal run out of gas griefing dos ](https://reports.immunefi.com/belong/57717-sc-medium-attacker-can-spam-tiny-stakes-to-a-victim-and-make-their-withdrawal-run-out-of-gas-g.md) - [57283 sc medium unauthorised promoter payouts due to signature replay attack ](https://reports.immunefi.com/belong/57283-sc-medium-unauthorised-promoter-payouts-due-to-signature-replay-attack.md) - [56867 sc medium signature collision caused counterfeit accesstoken collections with arbitrary name symbol uri](https://reports.immunefi.com/belong/56867-sc-medium-signature-collision-caused-counterfeit-accesstoken-collections-with-arbitrary-name-s.md) - [57236 sc medium accesstoken collection front running attack permanent ownership hijack ](https://reports.immunefi.com/belong/57236-sc-medium-accesstoken-collection-front-running-attack-permanent-ownership-hijack.md) - [57884 sc low staking tier manipulation via erc4626 shares slong ](https://reports.immunefi.com/belong/57884-sc-low-staking-tier-manipulation-via-erc4626-shares-slong.md) - [57669 sc medium stakers will bypass minstakeperiod time locks and extract rewards without commitment through emergency withdrawal mechanism](https://reports.immunefi.com/belong/57669-sc-medium-stakers-will-bypass-minstakeperiod-time-locks-and-extract-rewards-without-commitment.md) - [56896 sc critical staking contract is vulnerable to inflation attack making malicious 1st staker grief the following stakers](https://reports.immunefi.com/belong/56896-sc-critical-staking-contract-is-vulnerable-to-inflation-attack-making-malicious-1st-staker-gri.md) - [57485 sc medium emergencywithdraw cost more penalty than expected](https://reports.immunefi.com/belong/57485-sc-medium-emergencywithdraw-cost-more-penalty-than-expected.md) - [57271 sc medium incorrect penalty calculation on emergency withdrawals redemption s ](https://reports.immunefi.com/belong/57271-sc-medium-incorrect-penalty-calculation-on-emergency-withdrawals-redemption-s.md) - [57716 sc critical erc4626 inflation bug in staking contract](https://reports.immunefi.com/belong/57716-sc-critical-erc4626-inflation-bug-in-staking-contract.md) - [57314 sc medium signature replay and hash collision via abi encodepacked in signatureverifier sol](https://reports.immunefi.com/belong/57314-sc-medium-signature-replay-and-hash-collision-via-abi-encodepacked-in-signatureverifier-sol.md) - [57712 sc medium receiver deployment dos via salt reuse](https://reports.immunefi.com/belong/57712-sc-medium-receiver-deployment-dos-via-salt-reuse.md) - [57482 sc critical front running a donation can inflate the share causing users to lose funds](https://reports.immunefi.com/belong/57482-sc-critical-front-running-a-donation-can-inflate-the-share-causing-users-to-lose-funds.md) - [57426 sc medium dynamic price signature replay allows unlimited minting at historical prices](https://reports.immunefi.com/belong/57426-sc-medium-dynamic-price-signature-replay-allows-unlimited-minting-at-historical-prices.md) - [57940 sc medium deterministic address collision in cairo deployment causes dos and unintended receiver sharing](https://reports.immunefi.com/belong/57940-sc-medium-deterministic-address-collision-in-cairo-deployment-causes-dos-and-unintended-receiv.md) - [57203 sc medium revised malicious accesstoken creator can steal gas via mintstaticprice or mintdynamicprice ](https://reports.immunefi.com/belong/57203-sc-medium-revised-malicious-accesstoken-creator-can-steal-gas-via-mintstaticprice-or-mintdynam.md) - [57829 sc high incorrect fee implementation in paytovenue long payment path causes protocol fees to be permanently locked in escrow](https://reports.immunefi.com/belong/57829-sc-high-incorrect-fee-implementation-in-paytovenue-long-payment-path-causes-protocol-fees-to-b.md) - [57398 sc critical incorrect platform subsidy processing in long payments causing venue payout failures](https://reports.immunefi.com/belong/57398-sc-critical-incorrect-platform-subsidy-processing-in-long-payments-causing-venue-payout-failur.md) - [57877 sc high accesstoken creators can bypass fees so that platform address will receive 0 fees ](https://reports.immunefi.com/belong/57877-sc-high-accesstoken-creators-can-bypass-fees-so-that-platform-address-will-receive-0-fees.md) - [56810 sc medium accesstoken cross contract signature replay allows unauthorized minting on other collections](https://reports.immunefi.com/belong/56810-sc-medium-accesstoken-cross-contract-signature-replay-allows-unauthorized-minting-on-other-col.md) - [56907 sc critical attacker can steal first depositor s asset with inflation attack](https://reports.immunefi.com/belong/56907-sc-critical-attacker-can-steal-first-depositor-s-asset-with-inflation-attack.md) - [56850 sc critical donation attack posible on staking sol because its totalasset uses asset balanceof ](https://reports.immunefi.com/belong/56850-sc-critical-donation-attack-posible-on-staking-sol-because-its-totalasset-uses-asset-balanceof.md) - [57399 sc critical erc4626 staking lockbook breaks share fungibility partial transfers can dos withdrawals](https://reports.immunefi.com/belong/57399-sc-critical-erc4626-staking-lockbook-breaks-share-fungibility-partial-transfers-can-dos-withdr.md) - [57221 sc high incorrect processing fee calculation causes venue payouts to be misallocated](https://reports.immunefi.com/belong/57221-sc-high-incorrect-processing-fee-calculation-causes-venue-payouts-to-be-misallocated.md) - [57519 sc medium unbounded stake array allows permanent withdraw lock via dust deposits on behalf of victims](https://reports.immunefi.com/belong/57519-sc-medium-unbounded-stake-array-allows-permanent-withdraw-lock-via-dust-deposits-on-behalf-of.md) - [56860 sc medium hash collision in signature verification](https://reports.immunefi.com/belong/56860-sc-medium-hash-collision-in-signature-verification.md) - [57813 sc critical transfer recipients will pay unwarranted emergency withdrawal penalties for share positions they legitimately own](https://reports.immunefi.com/belong/57813-sc-critical-transfer-recipients-will-pay-unwarranted-emergency-withdrawal-penalties-for-share.md) - [57809 sc critical inflation of shares in staking contract](https://reports.immunefi.com/belong/57809-sc-critical-inflation-of-shares-in-staking-contract.md) - [57800 sc medium signature replay vulnerability in belongcheckin distributepromoterpayments](https://reports.immunefi.com/belong/57800-sc-medium-signature-replay-vulnerability-in-belongcheckin-distributepromoterpayments.md) - [57799 sc low retroactive lock period changes affect existing stakes](https://reports.immunefi.com/belong/57799-sc-low-retroactive-lock-period-changes-affect-existing-stakes.md) - [57796 sc medium signature hashing collision in signatureverifier lets attacker deploy forged accesstoken credittoken metadata critical unintended alteration of what the nft represents ](https://reports.immunefi.com/belong/57796-sc-medium-signature-hashing-collision-in-signatureverifier-lets-attacker-deploy-forged-accesst.md) - [57701 sc insight accesstoken collectionexpire is never checked allowing tokens to be minted even after the collection expires ](https://reports.immunefi.com/belong/57701-sc-insight-accesstoken-collectionexpire-is-never-checked-allowing-tokens-to-be-minted-even-aft.md) - [57015 sc medium unbounded array loop](https://reports.immunefi.com/belong/57015-sc-medium-unbounded-array-loop.md) - [57775 sc medium paytovenue will revert due to notenoughlongs funds in the escrow contract](https://reports.immunefi.com/belong/57775-sc-medium-paytovenue-will-revert-due-to-notenoughlongs-funds-in-the-escrow-contract.md) - [57628 sc critical improper transfer can lead to funds been frozen](https://reports.immunefi.com/belong/57628-sc-critical-improper-transfer-can-lead-to-funds-been-frozen.md) - [57061 sc high retroactive share recalculation causes royalty distribution failure](https://reports.immunefi.com/belong/57061-sc-high-retroactive-share-recalculation-causes-royalty-distribution-failure.md) - [56941 sc critical staking vault vulnerable to first depositor donation attack](https://reports.immunefi.com/belong/56941-sc-critical-staking-vault-vulnerable-to-first-depositor-donation-attack.md) - [57738 sc medium name squatting front run on produce allows attacker to preempt legitimate creator and capture future mint revenue](https://reports.immunefi.com/belong/57738-sc-medium-name-squatting-front-run-on-produce-allows-attacker-to-preempt-legitimate-creator-an.md) - [57735 sc insight whitelist bypass in static mint pricing trusting signed params whitelisted instead of on chain iswhitelisted leads to underpricing and access control violation ](https://reports.immunefi.com/belong/57735-sc-insight-whitelist-bypass-in-static-mint-pricing-trusting-signed-params-whitelisted-instead.md) - [57724 sc medium universal signature for produce allows front running and collection hijack](https://reports.immunefi.com/belong/57724-sc-medium-universal-signature-for-produce-allows-front-running-and-collection-hijack.md) - [57723 sc medium signature replay front run and timing control issues](https://reports.immunefi.com/belong/57723-sc-medium-signature-replay-front-run-and-timing-control-issues.md) - [57929 sc medium produce function doesn t check if creator is the caller allowing frontrunning attacks](https://reports.immunefi.com/belong/57929-sc-medium-produce-function-doesn-t-check-if-creator-is-the-caller-allowing-frontrunning-attack.md) - [57284 sc medium updating minimum staking period griefs previously unlocked users](https://reports.immunefi.com/belong/57284-sc-medium-updating-minimum-staking-period-griefs-previously-unlocked-users.md) - [57703 sc medium dos with revert via unbounded loop](https://reports.immunefi.com/belong/57703-sc-medium-dos-with-revert-via-unbounded-loop.md) - [57892 sc insight long tokens will be stuck in the escrow if customers exclusively use usdc payments in paytovenue](https://reports.immunefi.com/belong/57892-sc-insight-long-tokens-will-be-stuck-in-the-escrow-if-customers-exclusively-use-usdc-payments.md) - [57663 sc insight gas storage optimization erc1155info struct in structures sol can save one slot through field reordering](https://reports.immunefi.com/belong/57663-sc-insight-gas-storage-optimization-erc1155info-struct-in-structures-sol-can-save-one-slot-thr.md) - [57898 sc high unprotected swap function allows sandwich attacks](https://reports.immunefi.com/belong/57898-sc-high-unprotected-swap-function-allows-sandwich-attacks.md) - [57888 sc high referral tier upgrades freeze legacy royalties](https://reports.immunefi.com/belong/57888-sc-high-referral-tier-upgrades-freeze-legacy-royalties.md) - [57885 sc high dynamic share drift in royaltiesreceiverv2](https://reports.immunefi.com/belong/57885-sc-high-dynamic-share-drift-in-royaltiesreceiverv2.md) - [57594 sc medium signature collision from abi encodepacked adjacent strings enables unauthorized nft actions mint uri abuse ](https://reports.immunefi.com/belong/57594-sc-medium-signature-collision-from-abi-encodepacked-adjacent-strings-enables-unauthorized-nft.md) - [57635 sc critical erc4626 share transfers desynchronize time lock ledger blocking standard withdrawals for recipients](https://reports.immunefi.com/belong/57635-sc-critical-erc4626-share-transfers-desynchronize-time-lock-ledger-blocking-standard-withdrawa.md) - [57454 sc low referral percentages schedule stuck on first configuration](https://reports.immunefi.com/belong/57454-sc-low-referral-percentages-schedule-stuck-on-first-configuration.md) - [57374 sc low staking tier misclassification](https://reports.immunefi.com/belong/57374-sc-low-staking-tier-misclassification.md) - [57290 sc high mev sandwich attack vulnerability no user controlled slippage protection in token swaps](https://reports.immunefi.com/belong/57290-sc-high-mev-sandwich-attack-vulnerability-no-user-controlled-slippage-protection-in-token-swap.md) - [57327 sc medium title front running leads to denial of service and unauthorized referral farming in creation functions ](https://reports.immunefi.com/belong/57327-sc-medium-title-front-running-leads-to-denial-of-service-and-unauthorized-referral-farming-in.md) - [57432 sc insight royaltiesreceiverv2 fails to distribute full balance when royalties percentages do not sum to 10000](https://reports.immunefi.com/belong/57432-sc-insight-royaltiesreceiverv2-fails-to-distribute-full-balance-when-royalties-percentages-do.md) - [57310 sc medium unaccounted processing fees in long payment path](https://reports.immunefi.com/belong/57310-sc-medium-unaccounted-processing-fees-in-long-payment-path.md) - [57298 sc critical state sync omission in staking transfers forces transferred slong holders into penalized emergency exits](https://reports.immunefi.com/belong/57298-sc-critical-state-sync-omission-in-staking-transfers-forces-transferred-slong-holders-into-pen.md) - [57296 sc high retroactive referral tier underpayment in royaltiesreceiverv2 due to dynamic shares applied to historical funds](https://reports.immunefi.com/belong/57296-sc-high-retroactive-referral-tier-underpayment-in-royaltiesreceiverv2-due-to-dynamic-shares-ap.md) - [57285 sc medium incomplete signature in factory produce enables full accesstoken hijacking and direct fund theft](https://reports.immunefi.com/belong/57285-sc-medium-incomplete-signature-in-factory-produce-enables-full-accesstoken-hijacking-and-direc.md) - [57060 sc medium unconditional subsidy withdrawal in paytovenue leads to dos when venue s long pool is depleted](https://reports.immunefi.com/belong/57060-sc-medium-unconditional-subsidy-withdrawal-in-paytovenue-leads-to-dos-when-venue-s-long-pool-i.md) - [57423 sc medium unbounded gas consumption in emergency redemption enables low cost dos against staking vault users](https://reports.immunefi.com/belong/57423-sc-medium-unbounded-gas-consumption-in-emergency-redemption-enables-low-cost-dos-against-staki.md) - [57039 sc critical processing fee logic flaw in paytovenue causes permanent loss of platform revenue](https://reports.immunefi.com/belong/57039-sc-critical-processing-fee-logic-flaw-in-paytovenue-causes-permanent-loss-of-platform-revenue.md) - [Alchemix V3](https://reports.immunefi.com/alchemix-v3.md) - [alchemix-v3-audit-competition%20(no%20readme)](https://reports.immunefi.com/alchemix-v3/alchemix-v3-audit-competition-20-no-20readme.md) - [58427 sc medium stargateethpoolstrategy allocate and deallocate inconsistent dust handling causes eth to be permanently locked in strategy contract](https://reports.immunefi.com/alchemix-v3/alchemix-v3-audit-competition-20-no-20readme/58427-sc-medium-stargateethpoolstrategy-allocate-and-deallocate-inconsistent-dust-handling-causes-et.md) - [58607 sc low incorrect access control in admin ownership transfer allows only current admin to accept ownership instead of pending admin](https://reports.immunefi.com/alchemix-v3/alchemix-v3-audit-competition-20-no-20readme/58607-sc-low-incorrect-access-control-in-admin-ownership-transfer-allows-only-current-admin-to-accep.md) - [57644 sc low unenforced cap logic in alchemistallocator allows not controlled allocations](https://reports.immunefi.com/alchemix-v3/alchemix-v3-audit-competition-20-no-20readme/57644-sc-low-unenforced-cap-logic-in-alchemistallocator-allows-not-controlled-allocations.md) - [58742 sc high liquidators will not earn fees in some cases](https://reports.immunefi.com/alchemix-v3/alchemix-v3-audit-competition-20-no-20readme/58742-sc-high-liquidators-will-not-earn-fees-in-some-cases.md) - [57378 sc high impossible to withdraw yield from strategies](https://reports.immunefi.com/alchemix-v3/alchemix-v3-audit-competition-20-no-20readme/57378-sc-high-impossible-to-withdraw-yield-from-strategies.md) - [58329 sc low incorrect balance measurement in morphoyearnogweth deallocate leads to temporary freezing of funds via spurious loss events](https://reports.immunefi.com/alchemix-v3/alchemix-v3-audit-competition-20-no-20readme/58329-sc-low-incorrect-balance-measurement-in-morphoyearnogweth-deallocate-leads-to-temporary-freezi.md) - [58007 sc low pendingadmin cannot call acceptadminownership to accept admin role](https://reports.immunefi.com/alchemix-v3/alchemix-v3-audit-competition-20-no-20readme/58007-sc-low-pendingadmin-cannot-call-acceptadminownership-to-accept-admin-role.md) - [58395 sc high repayment fee exit leaves mytsharesdeposited inflated hiding protocol insolvency](https://reports.immunefi.com/alchemix-v3/alchemix-v3-audit-competition-20-no-20readme/58395-sc-high-repayment-fee-exit-leaves-mytsharesdeposited-inflated-hiding-protocol-insolvency.md) - [58763 sc high accounting is broken when redeem is bypassed due to transmuter balance](https://reports.immunefi.com/alchemix-v3/alchemix-v3-audit-competition-20-no-20readme/58763-sc-high-accounting-is-broken-when-redeem-is-bypassed-due-to-transmuter-balance.md) - [57138 sc critical protocol subsidizes repayment fees during liquidation](https://reports.immunefi.com/alchemix-v3/alchemix-v3-audit-competition-20-no-20readme/57138-sc-critical-protocol-subsidizes-repayment-fees-during-liquidation.md) - [56347 sc insight burn contains redundant calculations](https://reports.immunefi.com/alchemix-v3/56347-sc-insight-burn-contains-redundant-calculations.md) - [56561 sc insight fee amount is recomputed multiple times when the initial value has already been cached](https://reports.immunefi.com/alchemix-v3/56561-sc-insight-fee-amount-is-recomputed-multiple-times-when-the-initial-value-has-already-been-cac.md) - [58768 sc high mytsharesdeposited is not updated during liquidations breaking core accounting ](https://reports.immunefi.com/alchemix-v3/58768-sc-high-mytsharesdeposited-is-not-updated-during-liquidations-breaking-core-accounting.md) - [58751 sc medium setminimumcollateralization allows for increasing the current minimumcollateralization instantly exposing users to risk of liquidation](https://reports.immunefi.com/alchemix-v3/58751-sc-medium-setminimumcollateralization-allows-for-increasing-the-current-minimumcollateralizati.md) - [57662 sc critical portion of users alasset amount that staked in transmuter can be lost forever when amount cumulativeearmarked ](https://reports.immunefi.com/alchemix-v3/57662-sc-critical-portion-of-users-alasset-amount-that-staked-in-transmuter-can-be-lost-forever-when.md) - [57057 sc low wrong order of balance checks in morphoyearnogwethstrategy](https://reports.immunefi.com/alchemix-v3/57057-sc-low-wrong-order-of-balance-checks-in-morphoyearnogwethstrategy.md) - [58093 sc medium morpho reward in morphoyearnogweth will be lost or stuck](https://reports.immunefi.com/alchemix-v3/58093-sc-medium-morpho-reward-in-morphoyearnogweth-will-be-lost-or-stuck.md) - [58759 sc high yield stuck in adapter contracts forever](https://reports.immunefi.com/alchemix-v3/58759-sc-high-yield-stuck-in-adapter-contracts-forever.md) - [56435 sc critical alchemistv3 repayment only liquidation pays liquidator from pool fee leak theft of unclaimed yield](https://reports.immunefi.com/alchemix-v3/56435-sc-critical-alchemistv3-repayment-only-liquidation-pays-liquidator-from-pool-fee-leak-theft-of.md) - [57923 sc insight redundant synthetic transfers in claimredemption when amountnottransmuted is zero](https://reports.immunefi.com/alchemix-v3/57923-sc-insight-redundant-synthetic-transfers-in-claimredemption-when-amountnottransmuted-is-zero.md) - [58616 sc medium liquidation can revert due to 0 amount fee withdraw ](https://reports.immunefi.com/alchemix-v3/58616-sc-medium-liquidation-can-revert-due-to-0-amount-fee-withdraw.md) - [56359 sc high permanent deposit freeze after forcerepay misaccounts freed shares](https://reports.immunefi.com/alchemix-v3/56359-sc-high-permanent-deposit-freeze-after-forcerepay-misaccounts-freed-shares.md) - [56552 sc high liquidation fee misrouting in alchemistv3 doliquidation leads to theft of unclaimed yield liquidator fee stranded ](https://reports.immunefi.com/alchemix-v3/56552-sc-high-liquidation-fee-misrouting-in-alchemistv3-doliquidation-leads-to-theft-of-unclaimed-yi.md) - [56368 sc insight alchemisttokenvault deposit should use safetransferfrom instead of transferfrom alchemisttokenvault withdraw should use safetransfer instead of transfer ](https://reports.immunefi.com/alchemix-v3/56368-sc-insight-alchemisttokenvault-deposit-should-use-safetransferfrom-instead-of-transferfrom-alc.md) - [57473 sc low inverted comparison operator allows operators admin level allocation privileges](https://reports.immunefi.com/alchemix-v3/57473-sc-low-inverted-comparison-operator-allows-operators-admin-level-allocation-privileges.md) - [58749 sc low incorrect balance snapshot](https://reports.immunefi.com/alchemix-v3/58749-sc-low-incorrect-balance-snapshot.md) - [56560 sc high liquidation base fee transfer is gated by a condition that s usually false](https://reports.immunefi.com/alchemix-v3/56560-sc-high-liquidation-base-fee-transfer-is-gated-by-a-condition-that-s-usually-false.md) - [58291 sc medium unlike setters collateralization functions alchemistv3 initialize doesnt enforce collateralization invariants allowing to break them ](https://reports.immunefi.com/alchemix-v3/58291-sc-medium-unlike-setters-collateralization-functions-alchemistv3-initialize-doesnt-enforce-col.md) - [58190 sc low operator has no allocation restrictions in alchemistallocator https github com alchemix finance v3 poc blob a192ab313c81ba3ab621d9ca1ee000110fbdd1e9 src alchemistallocator sol ](https://reports.immunefi.com/alchemix-v3/58190-sc-low-operator-has-no-allocation-restrictions-in-alchemistallocator-https-github-com-alchemix.md) - [58150 sc high missing slippage protection in tokeautousdstrategy allocate leads to direct theft of user funds via mev sandwich attacks](https://reports.immunefi.com/alchemix-v3/58150-sc-high-missing-slippage-protection-in-tokeautousdstrategy-allocate-leads-to-direct-theft-of-u.md) - [57665 sc low incorrect balance measurement in deallocate function of morphoyearnogwethstrategy ](https://reports.immunefi.com/alchemix-v3/57665-sc-low-incorrect-balance-measurement-in-deallocate-function-of-morphoyearnogwethstrategy.md) - [58089 sc low arithmetic underflow revert in deallocate ](https://reports.immunefi.com/alchemix-v3/58089-sc-low-arithmetic-underflow-revert-in-deallocate.md) - [58722 sc medium tokenauto strategy allocation uses maxdeposit which may allocate less than requested leaving any excess funds permanently locked](https://reports.immunefi.com/alchemix-v3/58722-sc-medium-tokenauto-strategy-allocation-uses-maxdeposit-which-may-allocate-less-than-requested.md) - [56692 sc medium zeroxswapverifier verification will always revert due to wrong hardcoded execution function selectors](https://reports.immunefi.com/alchemix-v3/56692-sc-medium-zeroxswapverifier-verification-will-always-revert-due-to-wrong-hardcoded-execution-f.md) - [57102 sc high tvl overstatement from mytsharesdeposited desync enables softened liquidations no haircut over redemptions transmuter ](https://reports.immunefi.com/alchemix-v3/57102-sc-high-tvl-overstatement-from-mytsharesdeposited-desync-enables-softened-liquidations-no-hair.md) - [58762 sc insight manipulation of feeinunderlying through front running during liquidations on ethereum](https://reports.immunefi.com/alchemix-v3/58762-sc-insight-manipulation-of-feeinunderlying-through-front-running-during-liquidations-on-ethere.md) - [56633 sc low access control flaw in acceptadminownership prevents secure admin transfer leading to potential permanent loss of curator control](https://reports.immunefi.com/alchemix-v3/56633-sc-low-access-control-flaw-in-acceptadminownership-prevents-secure-admin-transfer-leading-to-p.md) - [58036 sc critical incorrect fee deduction may drain collateral pool when account balance is insufficient](https://reports.immunefi.com/alchemix-v3/58036-sc-critical-incorrect-fee-deduction-may-drain-collateral-pool-when-account-balance-is-insuffic.md) - [57129 sc high missing mytsharesdeposited decrement in liquidation functions causes permanent tvl inflation](https://reports.immunefi.com/alchemix-v3/57129-sc-high-missing-mytsharesdeposited-decrement-in-liquidation-functions-causes-permanent-tvl-inf.md) - [58778 sc low zeroxswapverifier implements incorrect data extraction logic enabling verification bypass in future strategy integrations](https://reports.immunefi.com/alchemix-v3/58778-sc-low-zeroxswapverifier-implements-incorrect-data-extraction-logic-enabling-verification-bypa.md) - [57090 sc low ownership transfer failure in alchemistcurator https github com alchemix finance v3 poc blob immunefi audit src alchemistcurator sol prevents future dao governance or recovery](https://reports.immunefi.com/alchemix-v3/57090-sc-low-ownership-transfer-failure-in-alchemistcurator-https-github-com-alchemix-finance-v3-poc.md) - [57360 sc critical unreconciled repayment fee transfer enables myt overpayment and tvl inflation](https://reports.immunefi.com/alchemix-v3/57360-sc-critical-unreconciled-repayment-fee-transfer-enables-myt-overpayment-and-tvl-inflation.md) - [57697 sc low missing recipient from checks in zeroxswapverifier enable direct asset theft](https://reports.immunefi.com/alchemix-v3/57697-sc-low-missing-recipient-from-checks-in-zeroxswapverifier-enable-direct-asset-theft.md) - [56451 sc low alchemistallocator allocate and deallocate do not enforce cap checks as intended](https://reports.immunefi.com/alchemix-v3/56451-sc-low-alchemistallocator-allocate-and-deallocate-do-not-enforce-cap-checks-as-intended.md) - [56956 sc high lack of slippage control in tokemak strategies can make myt suffer losses on allocation](https://reports.immunefi.com/alchemix-v3/56956-sc-high-lack-of-slippage-control-in-tokemak-strategies-can-make-myt-suffer-losses-on-allocatio.md) - [56947 sc low flawed access control in alchemistcurator admin transfer pattern leads to risk of permanent loss of control](https://reports.immunefi.com/alchemix-v3/56947-sc-low-flawed-access-control-in-alchemistcurator-admin-transfer-pattern-leads-to-risk-of-perma.md) - [56522 sc medium tokeautousdstrategy allocate and tokeautoethstrategy allocate may suffer a denial of service dos due to token amount mismatch in autopilotrouter depositmax ](https://reports.immunefi.com/alchemix-v3/56522-sc-medium-tokeautousdstrategy-allocate-and-tokeautoethstrategy-allocate-may-suffer-a-denial-of.md) - [58257 sc low in tokeautoeth deallocate can be dosed if the vault incuring losses](https://reports.immunefi.com/alchemix-v3/58257-sc-low-in-tokeautoeth-deallocate-can-be-dosed-if-the-vault-incuring-losses.md) - [57530 sc high stale tvl accounting in liquidations leads to protocol insolvency](https://reports.immunefi.com/alchemix-v3/57530-sc-high-stale-tvl-accounting-in-liquidations-leads-to-protocol-insolvency.md) - [56516 sc high allocate assets in killswitch mode can lead to assets stuck on contract](https://reports.immunefi.com/alchemix-v3/56516-sc-high-allocate-assets-in-killswitch-mode-can-lead-to-assets-stuck-on-contract.md) - [58410 sc low tokemak strategy deallocation causes toke token lockup](https://reports.immunefi.com/alchemix-v3/58410-sc-low-tokemak-strategy-deallocation-causes-toke-token-lockup.md) - [58462 sc low incorrect post withdraw balance measurement causes false loss reporting and mis accounting in morphoyearnogwethstrategy deallocate ](https://reports.immunefi.com/alchemix-v3/58462-sc-low-incorrect-post-withdraw-balance-measurement-causes-false-loss-reporting-and-mis-account.md) - [56583 sc low wrong 2 step transferadminownership logic and insufficient checks in alchemistcurator sol leads to permanent admin ownership loss ](https://reports.immunefi.com/alchemix-v3/56583-sc-low-wrong-2-step-transferadminownership-logic-and-insufficient-checks-in-alchemistcurator-s.md) - [58345 sc low operators in alchemistallocator sol can allocate higher than dao defined limits](https://reports.immunefi.com/alchemix-v3/58345-sc-low-operators-in-alchemistallocator-sol-can-allocate-higher-than-dao-defined-limits.md) - [58110 sc low morphoyearnogwethstrategy will always report strategy loss](https://reports.immunefi.com/alchemix-v3/58110-sc-low-morphoyearnogwethstrategy-will-always-report-strategy-loss.md) - [58424 sc low morphoyearnogweth strategy balance check order bug](https://reports.immunefi.com/alchemix-v3/58424-sc-low-morphoyearnogweth-strategy-balance-check-order-bug.md) - [57975 sc low broken admin rotation in acceptadminownership causes permanent governance lockout](https://reports.immunefi.com/alchemix-v3/57975-sc-low-broken-admin-rotation-in-acceptadminownership-causes-permanent-governance-lockout.md) - [58163 sc critical total loss of user funds in claim redemption ](https://reports.immunefi.com/alchemix-v3/58163-sc-critical-total-loss-of-user-funds-in-claim-redemption.md) - [57604 sc high nominal accounting mismatch in moonwell strategies leads to permanent locking of all generated yield](https://reports.immunefi.com/alchemix-v3/57604-sc-high-nominal-accounting-mismatch-in-moonwell-strategies-leads-to-permanent-locking-of-all-g.md) - [58469 sc low pending admin cannot accept ownership](https://reports.immunefi.com/alchemix-v3/58469-sc-low-pending-admin-cannot-accept-ownership.md) - [57565 sc medium the amount of dust will be permanently locked in stargateethpoolstrategy ](https://reports.immunefi.com/alchemix-v3/57565-sc-medium-the-amount-of-dust-will-be-permanently-locked-in-stargateethpoolstrategy.md) - [57860 sc high incorrect mytsharesdeposited accounting inflates collateral and underreports bad debt enabling insolvency](https://reports.immunefi.com/alchemix-v3/57860-sc-high-incorrect-mytsharesdeposited-accounting-inflates-collateral-and-underreports-bad-debt.md) - [58534 sc high zero slippage protection in toke strategies allocation](https://reports.immunefi.com/alchemix-v3/58534-sc-high-zero-slippage-protection-in-toke-strategies-allocation.md) - [58473 sc low wrong redeemed amount calculation in morphoyearnogweth strategy](https://reports.immunefi.com/alchemix-v3/58473-sc-low-wrong-redeemed-amount-calculation-in-morphoyearnogweth-strategy.md) - [58724 sc critical partial redemption burns full position accounting desynchronization and potential underpayment in transmuter claimredemption ](https://reports.immunefi.com/alchemix-v3/58724-sc-critical-partial-redemption-burns-full-position-accounting-desynchronization-and-potential.md) - [58615 sc high mytsharesdeposited didn t get updated after forcerepay doliquidation called](https://reports.immunefi.com/alchemix-v3/58615-sc-high-mytsharesdeposited-didn-t-get-updated-after-forcerepay-doliquidation-called.md) - [58098 sc high there is a problem from ledger tvl sesync inliquidations cause a under liquidation and systemic insolvency risk](https://reports.immunefi.com/alchemix-v3/58098-sc-high-there-is-a-problem-from-ledger-tvl-sesync-inliquidations-cause-a-under-liquidation-and.md) - [56494 sc insight gas optimization redundant external calls in strategy deallocate functions](https://reports.immunefi.com/alchemix-v3/56494-sc-insight-gas-optimization-redundant-external-calls-in-strategy-deallocate-functions.md) - [57017 sc medium aavev3arbwethstrategy cant claim aave incentive](https://reports.immunefi.com/alchemix-v3/57017-sc-medium-aavev3arbwethstrategy-cant-claim-aave-incentive.md) - [58077 sc low reward tokens are incorrectly claimed to strategy contract during deallocation leads to permanent token loss](https://reports.immunefi.com/alchemix-v3/58077-sc-low-reward-tokens-are-incorrectly-claimed-to-strategy-contract-during-deallocation-leads-to.md) - [57096 sc medium the implementation of tokeautoeth allocate is incorrect](https://reports.immunefi.com/alchemix-v3/57096-sc-medium-the-implementation-of-tokeautoeth-allocate-is-incorrect.md) - [57957 sc medium loss of eulereth vault yields for euler weth strategy](https://reports.immunefi.com/alchemix-v3/57957-sc-medium-loss-of-eulereth-vault-yields-for-euler-weth-strategy.md) - [58338 sc critical alchemistv3 repayment fee can exceed remaining collateral leading to position insolvency](https://reports.immunefi.com/alchemix-v3/58338-sc-critical-alchemistv3-repayment-fee-can-exceed-remaining-collateral-leading-to-position-inso.md) - [58780 sc high weth yield will be locked on aaveweth pool on arbitrum ](https://reports.immunefi.com/alchemix-v3/58780-sc-high-weth-yield-will-be-locked-on-aaveweth-pool-on-arbitrum.md) - [58735 sc insight calculateliquidation reverts due to divide by zero if targetcollateralization fixed point scalar ](https://reports.immunefi.com/alchemix-v3/58735-sc-insight-calculateliquidation-reverts-due-to-divide-by-zero-if-targetcollateralization-fixed.md) - [58526 sc high missing accounting update in liquidation functions leads to permanent dos on deposits](https://reports.immunefi.com/alchemix-v3/58526-sc-high-missing-accounting-update-in-liquidation-functions-leads-to-permanent-dos-on-deposits.md) - [58683 sc critical there is an issue in earmarked debt eeduction in the repay can causes a permanent fund freeze](https://reports.immunefi.com/alchemix-v3/58683-sc-critical-there-is-an-issue-in-earmarked-debt-eeduction-in-the-repay-can-causes-a-permanent.md) - [58471 sc high accounting error in forcerepay doliquidation overstates tvl enabling under scaled redemptions and potential insolvency](https://reports.immunefi.com/alchemix-v3/58471-sc-high-accounting-error-in-forcerepay-doliquidation-overstates-tvl-enabling-under-scaled-rede.md) - [58116 sc high tvl accounting mismatch leading to protocol insolvency](https://reports.immunefi.com/alchemix-v3/58116-sc-high-tvl-accounting-mismatch-leading-to-protocol-insolvency.md) - [57506 sc high force repay don t update cumulativeearmarked variable](https://reports.immunefi.com/alchemix-v3/57506-sc-high-force-repay-don-t-update-cumulativeearmarked-variable.md) - [58348 sc low zeroxswapverifier accepts malicious 0x calldata recipient not bound minout ignored transferfrom misused attacker can route strategy vault funds to self direct theft ](https://reports.immunefi.com/alchemix-v3/58348-sc-low-zeroxswapverifier-accepts-malicious-0x-calldata-recipient-not-bound-minout-ignored-tran.md) - [56519 sc critical unchecked repayment fee transfer in liquidate pays liquidators from other users collateral](https://reports.immunefi.com/alchemix-v3/56519-sc-critical-unchecked-repayment-fee-transfer-in-liquidate-pays-liquidators-from-other-users-co.md) - [57977 sc high inconsistent rawlocked state of a user after subdebt leads to irrecoverable user collateral loss](https://reports.immunefi.com/alchemix-v3/57977-sc-high-inconsistent-rawlocked-state-of-a-user-after-subdebt-leads-to-irrecoverable-user-colla.md) - [57590 sc critical double counted transmuter cover in redeem allows overstated redemptions and potential over withdraw over borrow](https://reports.immunefi.com/alchemix-v3/57590-sc-critical-double-counted-transmuter-cover-in-redeem-allows-overstated-redemptions-and-potent.md) - [56706 sc medium stargateethpoolstrategy incomplete eth wrapping causes withdrawal dos](https://reports.immunefi.com/alchemix-v3/56706-sc-medium-stargateethpoolstrategy-incomplete-eth-wrapping-causes-withdrawal-dos.md) - [58635 sc high cumulativeearmarked is not subtracted in forcerepay ](https://reports.immunefi.com/alchemix-v3/58635-sc-high-cumulativeearmarked-is-not-subtracted-in-forcerepay.md) - [57067 sc low overstated per account locked collateral due to global clamp in subdebt](https://reports.immunefi.com/alchemix-v3/57067-sc-low-overstated-per-account-locked-collateral-due-to-global-clamp-in-subdebt.md) - [57345 sc high missing cumulativeearmarked decrement in forcerepay breaks earmarking invariant leading to unfair redemption burden distribution](https://reports.immunefi.com/alchemix-v3/57345-sc-high-missing-cumulativeearmarked-decrement-in-forcerepay-breaks-earmarking-invariant-leadin.md) - [58198 sc low broken two step admin transfer pattern](https://reports.immunefi.com/alchemix-v3/58198-sc-low-broken-two-step-admin-transfer-pattern.md) - [58578 sc low zeroxswapverifier allows attackers to drain strategy tokens via crafted calldata](https://reports.immunefi.com/alchemix-v3/58578-sc-low-zeroxswapverifier-allows-attackers-to-drain-strategy-tokens-via-crafted-calldata.md) - [57771 sc medium fee not collected in forcerepay when should](https://reports.immunefi.com/alchemix-v3/57771-sc-medium-fee-not-collected-in-forcerepay-when-should.md) - [57534 sc low small debt positions cannot be liquidated due to zero amount checks on token vaults](https://reports.immunefi.com/alchemix-v3/57534-sc-low-small-debt-positions-cannot-be-liquidated-due-to-zero-amount-checks-on-token-vaults.md) - [56418 sc low two step owner transfer is broken and can lead to unforseen damages](https://reports.immunefi.com/alchemix-v3/56418-sc-low-two-step-owner-transfer-is-broken-and-can-lead-to-unforseen-damages.md) - [58087 sc medium moonwellusdcstrategy ignores redeemunderlying error codes temporary freezing of funds withdrawals revert ](https://reports.immunefi.com/alchemix-v3/58087-sc-medium-moonwellusdcstrategy-ignores-redeemunderlying-error-codes-temporary-freezing-of-fund.md) - [58004 sc high protocol insolvency from cumulativeearmarked during forcerepay ](https://reports.immunefi.com/alchemix-v3/58004-sc-high-protocol-insolvency-from-cumulativeearmarked-during-forcerepay.md) - [58236 sc high accounting mismatch forcerepay doliquidation fail to decrement mytsharesdeposited locking deposit capacity and overstating collateral](https://reports.immunefi.com/alchemix-v3/58236-sc-high-accounting-mismatch-forcerepay-doliquidation-fail-to-decrement-mytsharesdeposited-lock.md) - [58289 sc low missing addresses verification in zeroxswapverifier](https://reports.immunefi.com/alchemix-v3/58289-sc-low-missing-addresses-verification-in-zeroxswapverifier.md) - [58739 sc insight decimals mismatch causes 1e12 under reporting in strategy returns letting allocations silently exceed per strategy and global caps](https://reports.immunefi.com/alchemix-v3/58739-sc-insight-decimals-mismatch-causes-1e12-under-reporting-in-strategy-returns-letting-allocatio.md) - [57088 sc high unscaled collateral accounting in redeem lets users withdraw more than intended](https://reports.immunefi.com/alchemix-v3/57088-sc-high-unscaled-collateral-accounting-in-redeem-lets-users-withdraw-more-than-intended.md) - [58324 sc high incorrect return value in deallocate function leads to permanent fund locking in mytstrategy implementations](https://reports.immunefi.com/alchemix-v3/58324-sc-high-incorrect-return-value-in-deallocate-function-leads-to-permanent-fund-locking-in-mytst.md) - [58051 sc low incorrect access control in acceptadminownership ](https://reports.immunefi.com/alchemix-v3/58051-sc-low-incorrect-access-control-in-acceptadminownership.md) - [58394 sc high mev opportunity because no slippage protection in tokeautoethstrategy](https://reports.immunefi.com/alchemix-v3/58394-sc-high-mev-opportunity-because-no-slippage-protection-in-tokeautoethstrategy.md) - [56949 sc insight uncapped collateral transfer in redemption leads to accounting discrepancy enabling theft of user funds](https://reports.immunefi.com/alchemix-v3/56949-sc-insight-uncapped-collateral-transfer-in-redemption-leads-to-accounting-discrepancy-enabling.md) - [57787 sc high asset can be transferred to strategies even when the killswitch enabled without posibility to use this funds for allocation](https://reports.immunefi.com/alchemix-v3/57787-sc-high-asset-can-be-transferred-to-strategies-even-when-the-killswitch-enabled-without-posibi.md) - [58519 sc high double counting of collateral due to mytsharesdeposited not being updated during liquidations](https://reports.immunefi.com/alchemix-v3/58519-sc-high-double-counting-of-collateral-due-to-mytsharesdeposited-not-being-updated-during-liqui.md) - [57079 sc low h 1 morphoyearnogweth strategy incorrect balance measurement order in deallocate causes dos on withdrawals with any loss](https://reports.immunefi.com/alchemix-v3/57079-sc-low-h-1-morphoyearnogweth-strategy-incorrect-balance-measurement-order-in-deallocate-causes.md) - [58702 sc high no slippage provided in auto strategy implementation will open room for mev attacks](https://reports.immunefi.com/alchemix-v3/58702-sc-high-no-slippage-provided-in-auto-strategy-implementation-will-open-room-for-mev-attacks.md) - [58347 sc high accounting drift due to missing mytsharesdeposited decrements during liquidation](https://reports.immunefi.com/alchemix-v3/58347-sc-high-accounting-drift-due-to-missing-mytsharesdeposited-decrements-during-liquidation.md) - [58769 sc high forcerepay fails to decrement global cumulativeearmarked causing redemption accounting desynchronization and potential protocol wide redemption halt](https://reports.immunefi.com/alchemix-v3/58769-sc-high-forcerepay-fails-to-decrement-global-cumulativeearmarked-causing-redemption-accounting.md) - [58796 sc low incorrect balance snapshot in deallocate causes wethredeemed always 0](https://reports.immunefi.com/alchemix-v3/58796-sc-low-incorrect-balance-snapshot-in-deallocate-causes-wethredeemed-always-0.md) - [58714 sc low pending admin cannot accept ownership in alchemistcurator sol ](https://reports.immunefi.com/alchemix-v3/58714-sc-low-pending-admin-cannot-accept-ownership-in-alchemistcurator-sol.md) - [58575 sc low operator limit bypass ](https://reports.immunefi.com/alchemix-v3/58575-sc-low-operator-limit-bypass.md) - [56324 sc low missing from owner check in transferfrom verifier direct theft of user funds](https://reports.immunefi.com/alchemix-v3/56324-sc-low-missing-from-owner-check-in-transferfrom-verifier-direct-theft-of-user-funds.md) - [57680 sc high peapodsethstrategy unable to withdraw yield from price share increase](https://reports.immunefi.com/alchemix-v3/57680-sc-high-peapodsethstrategy-unable-to-withdraw-yield-from-price-share-increase.md) - [57167 sc medium missing claim function in euler and morpho strategies leads to loss of yield rewards](https://reports.immunefi.com/alchemix-v3/57167-sc-medium-missing-claim-function-in-euler-and-morpho-strategies-leads-to-loss-of-yield-rewards.md) - [58002 sc low missing submitremovestrategy function ](https://reports.immunefi.com/alchemix-v3/58002-sc-low-missing-submitremovestrategy-function.md) - [56346 sc insight redundant calculation of feeamount in repay function](https://reports.immunefi.com/alchemix-v3/56346-sc-insight-redundant-calculation-of-feeamount-in-repay-function.md) - [57749 sc low zeroxswapverifier misses critical sender recipient minout validations allowing malicious 0x calldata to drain funds critical direct theft ](https://reports.immunefi.com/alchemix-v3/57749-sc-low-zeroxswapverifier-misses-critical-sender-recipient-minout-validations-allowing-maliciou.md) - [56776 sc high tvl manipulation via missing mytsharesdeposited decrement in liquidations](https://reports.immunefi.com/alchemix-v3/56776-sc-high-tvl-manipulation-via-missing-mytsharesdeposited-decrement-in-liquidations.md) - [57023 sc high global earmark not reduced in forcerepay lets redeem over burn global debt cross account leakage protocol insolvency ](https://reports.immunefi.com/alchemix-v3/57023-sc-high-global-earmark-not-reduced-in-forcerepay-lets-redeem-over-burn-global-debt-cross-accou.md) - [57950 sc high unit mismatch in adddebt collateralization check allows unbacked debt issuance and protocol insolvency](https://reports.immunefi.com/alchemix-v3/57950-sc-high-unit-mismatch-in-adddebt-collateralization-check-allows-unbacked-debt-issuance-and-pro.md) - [58270 sc critical incorrect handling of debt cover in redeem can affect early liquidation and incorrectly sync accounts](https://reports.immunefi.com/alchemix-v3/58270-sc-critical-incorrect-handling-of-debt-cover-in-redeem-can-affect-early-liquidation-and-incorr.md) - [58398 sc high no slippage protection on large allocation deposits](https://reports.immunefi.com/alchemix-v3/58398-sc-high-no-slippage-protection-on-large-allocation-deposits.md) - [58413 sc critical attacker user can prevent earmark from updating the earnmarkweight causing the transmuter action to repay det gradually to fail for all users](https://reports.immunefi.com/alchemix-v3/58413-sc-critical-attacker-user-can-prevent-earmark-from-updating-the-earnmarkweight-causing-the-tra.md) - [57288 sc high flawed rounding logic in tokeautoeth deallocate function causes permanent freezing of funds](https://reports.immunefi.com/alchemix-v3/57288-sc-high-flawed-rounding-logic-in-tokeautoeth-deallocate-function-causes-permanent-freezing-of.md) - [57704 sc high missing global state update in forcerepay leads to permanent freezing of unclaimed yield](https://reports.immunefi.com/alchemix-v3/57704-sc-high-missing-global-state-update-in-forcerepay-leads-to-permanent-freezing-of-unclaimed-yie.md) - [56555 sc critical user can avoid bad debt ratio scaling when claiming redeem leading to protocol insolvency](https://reports.immunefi.com/alchemix-v3/56555-sc-critical-user-can-avoid-bad-debt-ratio-scaling-when-claiming-redeem-leading-to-protocol-ins.md) - [58442 sc high liquidation breaks core accounting invariant missing cumulativeearmarked update in forcerepay causes permanent state drift](https://reports.immunefi.com/alchemix-v3/58442-sc-high-liquidation-breaks-core-accounting-invariant-missing-cumulativeearmarked-update-in-for.md) - [56800 sc medium minimum collateral change lets liquidators seize compliant accounts](https://reports.immunefi.com/alchemix-v3/56800-sc-medium-minimum-collateral-change-lets-liquidators-seize-compliant-accounts.md) - [58515 sc medium a liquidated position can end the liquidation process still below collateralizationlowerbound allowing for double liquidation of positions ](https://reports.immunefi.com/alchemix-v3/58515-sc-medium-a-liquidated-position-can-end-the-liquidation-process-still-below-collateralizationl.md) - [56571 sc high inflated claim payouts from double counted myt after liquidation](https://reports.immunefi.com/alchemix-v3/56571-sc-high-inflated-claim-payouts-from-double-counted-myt-after-liquidation.md) - [58757 sc critical forgotten cover in earmark causes systematic over earmarking and temporary freezing of user collateral](https://reports.immunefi.com/alchemix-v3/58757-sc-critical-forgotten-cover-in-earmark-causes-systematic-over-earmarking-and-temporary-freezin.md) - [58143 sc low unused cap enforcement variables adjusted ](https://reports.immunefi.com/alchemix-v3/58143-sc-low-unused-cap-enforcement-variables-adjusted.md) - [57866 sc low failure to verify the recipient s address can result in the theft of purchased tokens](https://reports.immunefi.com/alchemix-v3/57866-sc-low-failure-to-verify-the-recipient-s-address-can-result-in-the-theft-of-purchased-tokens.md) - [58781 sc high totallocked accounting mismatch leading to token balance deficit in alchemistv3](https://reports.immunefi.com/alchemix-v3/58781-sc-high-totallocked-accounting-mismatch-leading-to-token-balance-deficit-in-alchemistv3.md) - [58352 sc low assets become permanently stuck in tokeautoeth strategy due to strict balance check](https://reports.immunefi.com/alchemix-v3/58352-sc-low-assets-become-permanently-stuck-in-tokeautoeth-strategy-due-to-strict-balance-check.md) - [58547 sc high mismatched accounting and transfer for capped fees ](https://reports.immunefi.com/alchemix-v3/58547-sc-high-mismatched-accounting-and-transfer-for-capped-fees.md) - [57272 sc medium silent failures on moonwell deposit are not catched by strategy](https://reports.immunefi.com/alchemix-v3/57272-sc-medium-silent-failures-on-moonwell-deposit-are-not-catched-by-strategy.md) - [58423 sc low pending admin cannot accept ownership transfer in alchemistcurator ](https://reports.immunefi.com/alchemix-v3/58423-sc-low-pending-admin-cannot-accept-ownership-transfer-in-alchemistcurator.md) - [57632 sc high inflated tvl in mytsharesdeposited hides protocol insolvency](https://reports.immunefi.com/alchemix-v3/57632-sc-high-inflated-tvl-in-mytsharesdeposited-hides-protocol-insolvency.md) - [56911 sc low incorrectly implemented two step admin ownership transfer mechanism prevents new admin to accept role](https://reports.immunefi.com/alchemix-v3/56911-sc-low-incorrectly-implemented-two-step-admin-ownership-transfer-mechanism-prevents-new-admin.md) - [57730 sc high liquidation does not decrease mytsharesdeposited](https://reports.immunefi.com/alchemix-v3/57730-sc-high-liquidation-does-not-decrease-mytsharesdeposited.md) - [56678 sc high missing internal myt shares accounting in liquidation functions causes deposit blocking and protocol insolvency risk through inflated tvl calculations](https://reports.immunefi.com/alchemix-v3/56678-sc-high-missing-internal-myt-shares-accounting-in-liquidation-functions-causes-deposit-blockin.md) - [57448 sc insight unnecessary computation of lockedcollateral in adddebt and subdebt ](https://reports.immunefi.com/alchemix-v3/57448-sc-insight-unnecessary-computation-of-lockedcollateral-in-adddebt-and-subdebt.md) - [57973 sc critical repay doesnt set lasttransmutertokenbalance leading to the same balance covering earmark twice ](https://reports.immunefi.com/alchemix-v3/57973-sc-critical-repay-doesnt-set-lasttransmutertokenbalance-leading-to-the-same-balance-covering-e.md) - [57514 sc low calldata verification bypass in 0x preflight logic enables arbitrary from recipient manipulation and direct fund theft](https://reports.immunefi.com/alchemix-v3/57514-sc-low-calldata-verification-bypass-in-0x-preflight-logic-enables-arbitrary-from-recipient-man.md) - [57637 sc low acceptadminownership doesn t allow expected user approval](https://reports.immunefi.com/alchemix-v3/57637-sc-low-acceptadminownership-doesn-t-allow-expected-user-approval.md) - [56719 sc high the function forcerepay reduces debt before clamp creating unbacked loan forgiveness and protocol insolvency](https://reports.immunefi.com/alchemix-v3/56719-sc-high-the-function-forcerepay-reduces-debt-before-clamp-creating-unbacked-loan-forgiveness-a.md) - [58419 sc low alchemistcurator two step ownership transfer mis implemented](https://reports.immunefi.com/alchemix-v3/58419-sc-low-alchemistcurator-two-step-ownership-transfer-mis-implemented.md) - [58120 sc low incorrect balance measurement in morphoyearnogweth strategy leads to incorrect deallocation loss registering](https://reports.immunefi.com/alchemix-v3/58120-sc-low-incorrect-balance-measurement-in-morphoyearnogweth-strategy-leads-to-incorrect-dealloca.md) - [56791 sc high missing mytsharesdeposited decrements in token transfers](https://reports.immunefi.com/alchemix-v3/56791-sc-high-missing-mytsharesdeposited-decrements-in-token-transfers.md) - [56689 sc low reward token toke is stuck in myt](https://reports.immunefi.com/alchemix-v3/56689-sc-low-reward-token-toke-is-stuck-in-myt.md) - [56839 sc medium moonwell strategies fail to check compound error codes causing silent allocation failures](https://reports.immunefi.com/alchemix-v3/56839-sc-medium-moonwell-strategies-fail-to-check-compound-error-codes-causing-silent-allocation-fai.md) - [58542 sc low low logic error in morphoyearnogwethstrategy deallocate wethredeemed always zero all deallocations emit strategydeallocationloss ](https://reports.immunefi.com/alchemix-v3/58542-sc-low-low-logic-error-in-morphoyearnogwethstrategy-deallocate-wethredeemed-always-zero-all-de.md) - [56348 sc insight incorrect apy calculation in mytstrategy approxapy causes underreported yields](https://reports.immunefi.com/alchemix-v3/56348-sc-insight-incorrect-apy-calculation-in-mytstrategy-approxapy-causes-underreported-yields.md) - [58667 sc insight permit2 is approved the wrong asset which leads to loss of funds or failing swaps](https://reports.immunefi.com/alchemix-v3/58667-sc-insight-permit2-is-approved-the-wrong-asset-which-leads-to-loss-of-funds-or-failing-swaps.md) - [56350 sc insight implementation contract alchemistv3 not locked disableinitializers missing ](https://reports.immunefi.com/alchemix-v3/56350-sc-insight-implementation-contract-alchemistv3-not-locked-disableinitializers-missing.md) - [57622 sc low lack of claimed reward handling in myt strategies will keep all external token rewards stuck forever](https://reports.immunefi.com/alchemix-v3/57622-sc-low-lack-of-claimed-reward-handling-in-myt-strategies-will-keep-all-external-token-rewards.md) - [56730 sc insight transmuter tokenuri is not eip 721 compliance](https://reports.immunefi.com/alchemix-v3/56730-sc-insight-transmuter-tokenuri-is-not-eip-721-compliance.md) - [58273 sc medium incorrect hardcoded 0x settler function selectors](https://reports.immunefi.com/alchemix-v3/58273-sc-medium-incorrect-hardcoded-0x-settler-function-selectors.md) - [57849 sc high funds gets stuck even when killswitch is enabled](https://reports.immunefi.com/alchemix-v3/57849-sc-high-funds-gets-stuck-even-when-killswitch-is-enabled.md) - [57169 sc low zeroxswapverifier policy bypass via rfq filldata prefix token amount spoof ](https://reports.immunefi.com/alchemix-v3/57169-sc-low-zeroxswapverifier-policy-bypass-via-rfq-filldata-prefix-token-amount-spoof.md) - [57093 sc critical potential locked funds due to partial redeem shortfall and miss calculation lead to user loss their myt token forever ](https://reports.immunefi.com/alchemix-v3/57093-sc-critical-potential-locked-funds-due-to-partial-redeem-shortfall-and-miss-calculation-lead-t.md) - [58703 sc insight cached interest rate calculation in peapodseth strategy leads to inaccurate apr apy estimates](https://reports.immunefi.com/alchemix-v3/58703-sc-insight-cached-interest-rate-calculation-in-peapodseth-strategy-leads-to-inaccurate-apr-apy.md) - [57621 sc low improper reward claiming in tokeautoethstrategy sends toke tokens to wrong address causing permanent freezing of unclaimed yield](https://reports.immunefi.com/alchemix-v3/57621-sc-low-improper-reward-claiming-in-tokeautoethstrategy-sends-toke-tokens-to-wrong-address-caus.md) - [58207 sc high alchemistv3 mytsharesdeposited not reduced when repaid collateral sent to transmuter](https://reports.immunefi.com/alchemix-v3/58207-sc-high-alchemistv3-mytsharesdeposited-not-reduced-when-repaid-collateral-sent-to-transmuter.md) - [57511 sc medium protocol could atleast be taking a part of the protocol fee](https://reports.immunefi.com/alchemix-v3/57511-sc-medium-protocol-could-atleast-be-taking-a-part-of-the-protocol-fee.md) - [57582 sc critical calling earmark one block apart skips the block s earmark value](https://reports.immunefi.com/alchemix-v3/57582-sc-critical-calling-earmark-one-block-apart-skips-the-block-s-earmark-value.md) - [58076 sc insight fix unit mismatch in doliquidation collateralinunderlying collateralindebt](https://reports.immunefi.com/alchemix-v3/58076-sc-insight-fix-unit-mismatch-in-doliquidation-collateralinunderlying-collateralindebt.md) - [58209 sc medium lack of slippage protection in transmuter claimredemption and alchemistv3 withdraw leads to user yield losses](https://reports.immunefi.com/alchemix-v3/58209-sc-medium-lack-of-slippage-protection-in-transmuter-claimredemption-and-alchemistv3-withdraw-l.md) - [56751 sc medium stargateethpoolstrategy deallocate function redeem less weth than expected](https://reports.immunefi.com/alchemix-v3/56751-sc-medium-stargateethpoolstrategy-deallocate-function-redeem-less-weth-than-expected.md) - [58146 sc insight whitelist can be disabled repeatedly contradicting intended program behavior ](https://reports.immunefi.com/alchemix-v3/58146-sc-insight-whitelist-can-be-disabled-repeatedly-contradicting-intended-program-behavior.md) - [58452 sc high mytstrategy allocation underflow in deallocate when allocation profits exceed old allocation](https://reports.immunefi.com/alchemix-v3/58452-sc-high-mytstrategy-allocation-underflow-in-deallocate-when-allocation-profits-exceed-old-allo.md) - [56859 sc medium lp underlying mismatch in stargateethpoolstrategy deallocate causes withdrawal dos](https://reports.immunefi.com/alchemix-v3/56859-sc-medium-lp-underlying-mismatch-in-stargateethpoolstrategy-deallocate-causes-withdrawal-dos.md) - [56809 sc high vulnerable redemption survival ratio in sync allows theft of altokens](https://reports.immunefi.com/alchemix-v3/56809-sc-high-vulnerable-redemption-survival-ratio-in-sync-allows-theft-of-altokens.md) - [57328 sc low once tokelockduration is the opposite of zero in tokeautoethstrategy accumulated rewards in acctoke can be stuck](https://reports.immunefi.com/alchemix-v3/57328-sc-low-once-tokelockduration-is-the-opposite-of-zero-in-tokeautoethstrategy-accumulated-reward.md) - [56732 sc critical incorrect boundary condition in querygraph leads to systematic under earmarking and transmuter redemption fund loss](https://reports.immunefi.com/alchemix-v3/56732-sc-critical-incorrect-boundary-condition-in-querygraph-leads-to-systematic-under-earmarking-an.md) - [56961 sc low incorrect balance snapshot check in deallocate logs false deallocation loss in morphoyearnogweth strategy](https://reports.immunefi.com/alchemix-v3/56961-sc-low-incorrect-balance-snapshot-check-in-deallocate-logs-false-deallocation-loss-in-morphoye.md) - [57791 sc insight receipt token misconfiguration in aave strategies](https://reports.immunefi.com/alchemix-v3/57791-sc-insight-receipt-token-misconfiguration-in-aave-strategies.md) - [57692 sc high alchemistv3 liquidation fee loss vulnerability](https://reports.immunefi.com/alchemix-v3/57692-sc-high-alchemistv3-liquidation-fee-loss-vulnerability.md) - [56462 sc insight unused mapping causes unnecessary storage gas consumption](https://reports.immunefi.com/alchemix-v3/56462-sc-insight-unused-mapping-causes-unnecessary-storage-gas-consumption.md) - [57122 sc critical mismatch between capped fee and returned fee in resolverepaymentfee ](https://reports.immunefi.com/alchemix-v3/57122-sc-critical-mismatch-between-capped-fee-and-returned-fee-in-resolverepaymentfee.md) - [58474 sc high liquidator will bypass liquidation fees affecting protocol revenue](https://reports.immunefi.com/alchemix-v3/58474-sc-high-liquidator-will-bypass-liquidation-fees-affecting-protocol-revenue.md) - [56965 sc critical alchemistv3 handling of added transmuter coverage includes an error that enables an attacker to cause protocol insolvency](https://reports.immunefi.com/alchemix-v3/56965-sc-critical-alchemistv3-handling-of-added-transmuter-coverage-includes-an-error-that-enables-a.md) - [58274 sc high liquidation fee logic in doliquidation strands liquidator rewards when balance is exhausted freezing funds](https://reports.immunefi.com/alchemix-v3/58274-sc-high-liquidation-fee-logic-in-doliquidation-strands-liquidator-rewards-when-balance-is-exha.md) - [58734 sc low broken strategy realassets calculation](https://reports.immunefi.com/alchemix-v3/58734-sc-low-broken-strategy-realassets-calculation.md) - [58522 sc high earmark consumes excess cover inflating cumulativeearmarked](https://reports.immunefi.com/alchemix-v3/58522-sc-high-earmark-consumes-excess-cover-inflating-cumulativeearmarked.md) - [57770 sc medium admin can bypass permissionedcalls protection using multicall](https://reports.immunefi.com/alchemix-v3/57770-sc-medium-admin-can-bypass-permissionedcalls-protection-using-multicall.md) - [57982 sc low permanently stuck rewards in the vault](https://reports.immunefi.com/alchemix-v3/57982-sc-low-permanently-stuck-rewards-in-the-vault.md) - [58358 sc high mismatched collateralweight and rawlocked causes incorrect collateral removal in sync](https://reports.immunefi.com/alchemix-v3/58358-sc-high-mismatched-collateralweight-and-rawlocked-causes-incorrect-collateral-removal-in-sync.md) - [56737 sc medium the return value of mint is not checked](https://reports.immunefi.com/alchemix-v3/56737-sc-medium-the-return-value-of-mint-is-not-checked.md) - [58131 sc critical rounding errors in debt to collateral conversions allow attackers to drain protocol assets](https://reports.immunefi.com/alchemix-v3/58131-sc-critical-rounding-errors-in-debt-to-collateral-conversions-allow-attackers-to-drain-protoco.md) - [58400 sc low alchemist allocator does not actually enforce caps](https://reports.immunefi.com/alchemix-v3/58400-sc-low-alchemist-allocator-does-not-actually-enforce-caps.md) - [58792 sc high the cumulativeearmark does not decrease in forcerepay which lead to transfer more collateral from users even when all earmark debt cleared which breaks the alchemix v3 core logic](https://reports.immunefi.com/alchemix-v3/58792-sc-high-the-cumulativeearmark-does-not-decrease-in-forcerepay-which-lead-to-transfer-more-coll.md) - [57212 sc high totallocked is not properly decremented in the redeem function causing system insolvency ](https://reports.immunefi.com/alchemix-v3/57212-sc-high-totallocked-is-not-properly-decremented-in-the-redeem-function-causing-system-insolven.md) - [57793 sc high cumulativeearmarked variable is not updated in forcerepay function breaking core internal logic and leading to user funds being stuck ](https://reports.immunefi.com/alchemix-v3/57793-sc-high-cumulativeearmarked-variable-is-not-updated-in-forcerepay-function-breaking-core-inter.md) - [57114 sc low inherited setadmin function allows to bypass two step admin ownership transfer mechanism](https://reports.immunefi.com/alchemix-v3/57114-sc-low-inherited-setadmin-function-allows-to-bypass-two-step-admin-ownership-transfer-mechanis.md) - [58450 sc high missing transmuter balance update after redemption blocks future earmarking and underfunds redemptions](https://reports.immunefi.com/alchemix-v3/58450-sc-high-missing-transmuter-balance-update-after-redemption-blocks-future-earmarking-and-underf.md) - [56757 sc high incorrect leftover collateral check blocks liquidator fee payment leading broken incentives delayed deleveraging](https://reports.immunefi.com/alchemix-v3/56757-sc-high-incorrect-leftover-collateral-check-blocks-liquidator-fee-payment-leading-broken-incen.md) - [58719 sc insight insight gas optimization save gas by using the cached fee amount in burn and repay in alchemist sol ](https://reports.immunefi.com/alchemix-v3/58719-sc-insight-insight-gas-optimization-save-gas-by-using-the-cached-fee-amount-in-burn-and-repay.md) - [58356 sc insight the alchemist tokeauto strategies doesn t use recommended best practice by tokeauto ](https://reports.immunefi.com/alchemix-v3/58356-sc-insight-the-alchemist-tokeauto-strategies-doesn-t-use-recommended-best-practice-by-tokeauto.md) - [56491 sc critical user collateral loss triggered by setminimumcollateralization update](https://reports.immunefi.com/alchemix-v3/56491-sc-critical-user-collateral-loss-triggered-by-setminimumcollateralization-update.md) - [58628 sc high attackers can avoid redemption losses by temporarily burning and re borrowing the debt](https://reports.immunefi.com/alchemix-v3/58628-sc-high-attackers-can-avoid-redemption-losses-by-temporarily-burning-and-re-borrowing-the-debt.md) - [58626 sc critical repayment fee overpayment in liquidation repay only path](https://reports.immunefi.com/alchemix-v3/58626-sc-critical-repayment-fee-overpayment-in-liquidation-repay-only-path.md) - [56336 sc insight stargateethpoolstrategy deallocate would emit false deallocating loss event in some cases](https://reports.immunefi.com/alchemix-v3/56336-sc-insight-stargateethpoolstrategy-deallocate-would-emit-false-deallocating-loss-event-in-some.md) - [58133 sc low toke rewards permanently locked in strategy adapter](https://reports.immunefi.com/alchemix-v3/58133-sc-low-toke-rewards-permanently-locked-in-strategy-adapter.md) - [58129 sc high missing mytsharesdeposited update in forcerepay causes accounting inconsistency which can dos deposit and liquidation](https://reports.immunefi.com/alchemix-v3/58129-sc-high-missing-mytsharesdeposited-update-in-forcerepay-causes-accounting-inconsistency-which.md) - [56328 sc insight redundant require statement in eulerusdcstrategy deallocate function leads to unnecessary gas consumption](https://reports.immunefi.com/alchemix-v3/56328-sc-insight-redundant-require-statement-in-eulerusdcstrategy-deallocate-function-leads-to-unnec.md) - [57633 sc high block gated earmark call in redeem nullifies prefunded transmuter cover on the first redemption of each block leading to collateral overpayment and potential protocol insolvency](https://reports.immunefi.com/alchemix-v3/57633-sc-high-block-gated-earmark-call-in-redeem-nullifies-prefunded-transmuter-cover-on-the-first-r.md) - [57585 sc high alchemistv3 does not properly update cdp collateralbalance when redemptions exceed totallocked which enables some cdps to over withdraw collateral on account of others](https://reports.immunefi.com/alchemix-v3/57585-sc-high-alchemistv3-does-not-properly-update-cdp-collateralbalance-when-redemptions-exceed-tot.md) - [57460 sc high protocol fails to subtract fee from total locked when burning and repaying](https://reports.immunefi.com/alchemix-v3/57460-sc-high-protocol-fails-to-subtract-fee-from-total-locked-when-burning-and-repaying.md) - [58555 sc low alchemistcurator 2 step ownership transfer is implemented incorrectly](https://reports.immunefi.com/alchemix-v3/58555-sc-low-alchemistcurator-2-step-ownership-transfer-is-implemented-incorrectly.md) - [58086 sc high mis accounting of myt outflows inflates tvl distorts collateralization and can dos deposits liquidations](https://reports.immunefi.com/alchemix-v3/58086-sc-high-mis-accounting-of-myt-outflows-inflates-tvl-distorts-collateralization-and-can-dos-dep.md) - [58590 sc low incorrect balance read ordering in morphoyearnogwethstrategy deallocate](https://reports.immunefi.com/alchemix-v3/58590-sc-low-incorrect-balance-read-ordering-in-morphoyearnogwethstrategy-deallocate.md) - [57189 sc high alchemistcurator contract not implement setforcedeallocatepenalty](https://reports.immunefi.com/alchemix-v3/57189-sc-high-alchemistcurator-contract-not-implement-setforcedeallocatepenalty.md) - [56395 sc high accounting desync in liquidation outflows leads to artificial deposit cap exhaustion and denial of service on recapitalization](https://reports.immunefi.com/alchemix-v3/56395-sc-high-accounting-desync-in-liquidation-outflows-leads-to-artificial-deposit-cap-exhaustion-a.md) - [58203 sc medium moonwell strategies silent failure due to unchecked mint and redeemunderlying return values](https://reports.immunefi.com/alchemix-v3/58203-sc-medium-moonwell-strategies-silent-failure-due-to-unchecked-mint-and-redeemunderlying-return.md) - [56846 sc medium liquidation will return because of insufficient funds](https://reports.immunefi.com/alchemix-v3/56846-sc-medium-liquidation-will-return-because-of-insufficient-funds.md) - [57335 sc medium zero min out erc 4626 deposits cause under mint and permanent allocation loss](https://reports.immunefi.com/alchemix-v3/57335-sc-medium-zero-min-out-erc-4626-deposits-cause-under-mint-and-permanent-allocation-loss.md) - [58105 sc medium zeroxswapverifier decodes execute payload with wrong abi bytes vs bytes temporary freezing of funds](https://reports.immunefi.com/alchemix-v3/58105-sc-medium-zeroxswapverifier-decodes-execute-payload-with-wrong-abi-bytes-vs-bytes-temporary-fr.md) - [58491 sc high mytsharesdeposited not reduced on liquidation leading to deposit cap bypass and potential insovency](https://reports.immunefi.com/alchemix-v3/58491-sc-high-mytsharesdeposited-not-reduced-on-liquidation-leading-to-deposit-cap-bypass-and-potent.md) - [58210 sc low incorrect balance measurement in deallocation disables loss detection in morphoyearnogweth ](https://reports.immunefi.com/alchemix-v3/58210-sc-low-incorrect-balance-measurement-in-deallocation-disables-loss-detection-in-morphoyearnogw.md) - [57546 sc low moonwellusdcstrategy fail to claim its reward from moonwell comptroller](https://reports.immunefi.com/alchemix-v3/57546-sc-low-moonwellusdcstrategy-fail-to-claim-its-reward-from-moonwell-comptroller.md) - [57751 sc high there is a problem related to forced liquidation branch and this creates issue thatk cna drains protocol backing ](https://reports.immunefi.com/alchemix-v3/57751-sc-high-there-is-a-problem-related-to-forced-liquidation-branch-and-this-creates-issue-thatk-c.md) - [57941 sc high incorrect handling of deallocate return val causes any interest gains in a strategy to become unclaimable and permanently locked](https://reports.immunefi.com/alchemix-v3/57941-sc-high-incorrect-handling-of-deallocate-return-val-causes-any-interest-gains-in-a-strategy-to.md) - [56806 sc insight broken withdrawal logic in aavev3arbwethstrategy permanently locks user funds](https://reports.immunefi.com/alchemix-v3/56806-sc-insight-broken-withdrawal-logic-in-aavev3arbwethstrategy-permanently-locks-user-funds.md) - [58572 sc high liquidation of account collateral doesn t subtract mytsharesdeposited which creates bad debt in the system and causes insolvency ](https://reports.immunefi.com/alchemix-v3/58572-sc-high-liquidation-of-account-collateral-doesn-t-subtract-mytsharesdeposited-which-creates-ba.md) - [58078 sc low access control bypass in zeroxswapverifier missing owner validation](https://reports.immunefi.com/alchemix-v3/58078-sc-low-access-control-bypass-in-zeroxswapverifier-missing-owner-validation.md) - [58403 sc medium missing checks for transaction return values in moonwell strategies](https://reports.immunefi.com/alchemix-v3/58403-sc-medium-missing-checks-for-transaction-return-values-in-moonwell-strategies.md) - [57439 sc low incorrect baddebtratio rounding in transmuter claimredemption may cause funds to become permanently stuck](https://reports.immunefi.com/alchemix-v3/57439-sc-low-incorrect-baddebtratio-rounding-in-transmuter-claimredemption-may-cause-funds-to-become.md) - [57123 sc low incorrect 2 step ownership in alchemistcurator](https://reports.immunefi.com/alchemix-v3/57123-sc-low-incorrect-2-step-ownership-in-alchemistcurator.md) - [56365 sc critical liquidation fee overdraft drains pooled collateral](https://reports.immunefi.com/alchemix-v3/56365-sc-critical-liquidation-fee-overdraft-drains-pooled-collateral.md) - [58488 sc low tokeautousdstrategy claims rewards to itself automatically when deallocate is called but since reward token is tokemak the rewards remain permanently locked](https://reports.immunefi.com/alchemix-v3/58488-sc-low-tokeautousdstrategy-claims-rewards-to-itself-automatically-when-deallocate-is-called-bu.md) - [58019 sc high flawed killswitch implementation in mytstrategy leads to permanent loss of funds](https://reports.immunefi.com/alchemix-v3/58019-sc-high-flawed-killswitch-implementation-in-mytstrategy-leads-to-permanent-loss-of-funds.md) - [56975 sc high liquidation fee trapping in alchemistv3](https://reports.immunefi.com/alchemix-v3/56975-sc-high-liquidation-fee-trapping-in-alchemistv3.md) - [58507 sc critical repayment fee after forcerepay could result in socialized loss during global undercollateralization](https://reports.immunefi.com/alchemix-v3/58507-sc-critical-repayment-fee-after-forcerepay-could-result-in-socialized-loss-during-global-under.md) - [56882 sc low missing cap enforcement in alchemistallocator allows operators to bypass risk controls](https://reports.immunefi.com/alchemix-v3/56882-sc-low-missing-cap-enforcement-in-alchemistallocator-allows-operators-to-bypass-risk-controls.md) - [57788 sc medium missing claimrewards implementation in aavev3arbusdcstrategy leads to permanent loss of aave incentive rewards](https://reports.immunefi.com/alchemix-v3/57788-sc-medium-missing-claimrewards-implementation-in-aavev3arbusdcstrategy-leads-to-permanent-loss.md) - [56909 sc low incorrect balance snapshot in strategy deallocation causes false loss events and masks real shortfalls](https://reports.immunefi.com/alchemix-v3/56909-sc-low-incorrect-balance-snapshot-in-strategy-deallocation-causes-false-loss-events-and-masks.md) - [57563 sc insight reward tokens being permanently frozen in tokeautousdstrategy](https://reports.immunefi.com/alchemix-v3/57563-sc-insight-reward-tokens-being-permanently-frozen-in-tokeautousdstrategy.md) - [57036 sc high unconditional debt reduction before protocol fee check in force repayment ](https://reports.immunefi.com/alchemix-v3/57036-sc-high-unconditional-debt-reduction-before-protocol-fee-check-in-force-repayment.md) - [58115 sc medium incorrect weth deposit amount prevents deposited eth through receive function to cover strategy loss ](https://reports.immunefi.com/alchemix-v3/58115-sc-medium-incorrect-weth-deposit-amount-prevents-deposited-eth-through-receive-function-to-cov.md) - [56873 sc medium incorrect eth wrapping condition in moonwellwethstrategy deallocate leads to temporary freezing of funds](https://reports.immunefi.com/alchemix-v3/56873-sc-medium-incorrect-eth-wrapping-condition-in-moonwellwethstrategy-deallocate-leads-to-tempora.md) - [56602 sc low function takes incorrect modifier](https://reports.immunefi.com/alchemix-v3/56602-sc-low-function-takes-incorrect-modifier.md) - [56628 sc high liquidate does not update mytsharesdeposited that is reduced by fees](https://reports.immunefi.com/alchemix-v3/56628-sc-high-liquidate-does-not-update-mytsharesdeposited-that-is-reduced-by-fees.md) - [58552 sc insight single transfer instead of multiple saves gas](https://reports.immunefi.com/alchemix-v3/58552-sc-insight-single-transfer-instead-of-multiple-saves-gas.md) - [57954 sc high lackf of tracking of excess cover in earmark function leads to permanent loss of cover value and stuck user positions ](https://reports.immunefi.com/alchemix-v3/57954-sc-high-lackf-of-tracking-of-excess-cover-in-earmark-function-leads-to-permanent-loss-of-cover.md) - [58313 sc medium incorrect allocation accounting and dust handling in stargateethpoolstrategy causes systematic loss cap mis accounting and deallocation reverts](https://reports.immunefi.com/alchemix-v3/58313-sc-medium-incorrect-allocation-accounting-and-dust-handling-in-stargateethpoolstrategy-causes.md) - [57476 sc high forcerepay fails to decrement global cumulativeearmarked](https://reports.immunefi.com/alchemix-v3/57476-sc-high-forcerepay-fails-to-decrement-global-cumulativeearmarked.md) - [57907 sc high incorrect forced repayment accounting allows debt forgiveness and frees locked collateral systemic loss ](https://reports.immunefi.com/alchemix-v3/57907-sc-high-incorrect-forced-repayment-accounting-allows-debt-forgiveness-and-frees-locked-collate.md) - [58787 sc medium when allocation amount is greater than the maxdeposit of tokeautoeth sol the remaining is stuck in tokeautoeth sol](https://reports.immunefi.com/alchemix-v3/58787-sc-medium-when-allocation-amount-is-greater-than-the-maxdeposit-of-tokeautoeth-sol-the-remaini.md) - [58006 sc medium moonwellusdcstrategy allocate ignores compound style mint failures and corrupts vault accounting](https://reports.immunefi.com/alchemix-v3/58006-sc-medium-moonwellusdcstrategy-allocate-ignores-compound-style-mint-failures-and-corrupts-vaul.md) - [58709 sc low naive 0x fill parsing lets attackers spoof token and amount checks](https://reports.immunefi.com/alchemix-v3/58709-sc-low-naive-0x-fill-parsing-lets-attackers-spoof-token-and-amount-checks.md) - [58387 sc high liquidator fee in the doliquidation function withheld when collateral is exhausted leading to seized fee trapped in protocol](https://reports.immunefi.com/alchemix-v3/58387-sc-high-liquidator-fee-in-the-doliquidation-function-withheld-when-collateral-is-exhausted-lea.md) - [56817 sc high forcerepay doesn t decrement mytsharesdeposited inflating tvl](https://reports.immunefi.com/alchemix-v3/56817-sc-high-forcerepay-doesn-t-decrement-mytsharesdeposited-inflating-tvl.md) - [58185 sc medium incorrect survivalaccumulator accounting logic after earmarkweight reaches 128 breaks core system invariants and can lead to protocol insolvency](https://reports.immunefi.com/alchemix-v3/58185-sc-medium-incorrect-survivalaccumulator-accounting-logic-after-earmarkweight-reaches-128-break.md) - [56878 sc medium the permissionedcalls check can be bypass](https://reports.immunefi.com/alchemix-v3/56878-sc-medium-the-permissionedcalls-check-can-be-bypass.md) - [58472 sc high liquidator base fee seized but not paid due to post deduction balance check](https://reports.immunefi.com/alchemix-v3/58472-sc-high-liquidator-base-fee-seized-but-not-paid-due-to-post-deduction-balance-check.md) - [58408 sc low underflow account rawlocked on subdebt due to rounding inconsistency](https://reports.immunefi.com/alchemix-v3/58408-sc-low-underflow-account-rawlocked-on-subdebt-due-to-rounding-inconsistency.md) - [58354 sc high forcerepay does not decrement mytsharesdeposited causing a temporal blocking of new deposits](https://reports.immunefi.com/alchemix-v3/58354-sc-high-forcerepay-does-not-decrement-mytsharesdeposited-causing-a-temporal-blocking-of-new-de.md) - [58320 sc critical incorrect fee return value in resolverepaymentfee enables fund theft under extreme conditions](https://reports.immunefi.com/alchemix-v3/58320-sc-critical-incorrect-fee-return-value-in-resolverepaymentfee-enables-fund-theft-under-extreme.md) - [57316 sc low allocation cap enforcement missing deadcode](https://reports.immunefi.com/alchemix-v3/57316-sc-low-allocation-cap-enforcement-missing-deadcode.md) - [58743 sc low zeroxswapverifier recipient validation bypass](https://reports.immunefi.com/alchemix-v3/58743-sc-low-zeroxswapverifier-recipient-validation-bypass.md) - [58323 sc critical the alchemist burn function experiences precision loss resulting in the avoidance of protocol fees](https://reports.immunefi.com/alchemix-v3/58323-sc-critical-the-alchemist-burn-function-experiences-precision-loss-resulting-in-the-avoidance.md) - [58666 sc low recipient owner not enforced in action verifiers enables theft of swap proceeds](https://reports.immunefi.com/alchemix-v3/58666-sc-low-recipient-owner-not-enforced-in-action-verifiers-enables-theft-of-swap-proceeds.md) - [56572 sc insight aave v3 lending pool is immutable in aave strategies](https://reports.immunefi.com/alchemix-v3/56572-sc-insight-aave-v3-lending-pool-is-immutable-in-aave-strategies.md) - [56625 sc low broken ownership transfer logic in alchemistcurator permanently freezes contract operations](https://reports.immunefi.com/alchemix-v3/56625-sc-low-broken-ownership-transfer-logic-in-alchemistcurator-permanently-freezes-contract-operat.md) - [57995 sc high missing slippage protection in tokeautousdstrategy allocation function leads to permanent value loss](https://reports.immunefi.com/alchemix-v3/57995-sc-high-missing-slippage-protection-in-tokeautousdstrategy-allocation-function-leads-to-perman.md) - [57746 sc low broken contract ownership logic at alchemistv3 sol](https://reports.immunefi.com/alchemix-v3/57746-sc-low-broken-contract-ownership-logic-at-alchemistv3-sol.md) - [57760 sc high mytstrategy allocate deallocate doesnt account for profit and loss ](https://reports.immunefi.com/alchemix-v3/57760-sc-high-mytstrategy-allocate-deallocate-doesnt-account-for-profit-and-loss.md) - [57227 sc medium unchecked return codes in moonwellusdcstrategy leading to stuck funds ](https://reports.immunefi.com/alchemix-v3/57227-sc-medium-unchecked-return-codes-in-moonwellusdcstrategy-leading-to-stuck-funds.md) - [57964 sc low improper validation of absolutecap and relativecap enables excessive fund allocation in alchemistallocator ](https://reports.immunefi.com/alchemix-v3/57964-sc-low-improper-validation-of-absolutecap-and-relativecap-enables-excessive-fund-allocation-in.md) - [58730 sc medium an attacker can prevent any tokenauto strategy allocation by making a donation to the vault of as little as 1 wei of underlying token](https://reports.immunefi.com/alchemix-v3/58730-sc-medium-an-attacker-can-prevent-any-tokenauto-strategy-allocation-by-making-a-donation-to-th.md) - [57752 sc medium aave and euler incentives for myt will be lost due to unimplemented claimrewards function](https://reports.immunefi.com/alchemix-v3/57752-sc-medium-aave-and-euler-incentives-for-myt-will-be-lost-due-to-unimplemented-claimrewards-fun.md) - [57983 sc low direct asset drain via zeroxswapverifier bypass and mytstrategy unlimited permit2 approvals](https://reports.immunefi.com/alchemix-v3/57983-sc-low-direct-asset-drain-via-zeroxswapverifier-bypass-and-mytstrategy-unlimited-permit2-appro.md) - [56827 sc high missing global earmark reduction in forcerepay ](https://reports.immunefi.com/alchemix-v3/56827-sc-high-missing-global-earmark-reduction-in-forcerepay.md) - [56714 sc high accounting invariant violation in forcerepay leads to protocol insolvency](https://reports.immunefi.com/alchemix-v3/56714-sc-high-accounting-invariant-violation-in-forcerepay-leads-to-protocol-insolvency.md) - [57989 sc low broken isvalidsignature leads to fund freezing ](https://reports.immunefi.com/alchemix-v3/57989-sc-low-broken-isvalidsignature-leads-to-fund-freezing.md) - [58782 sc high rewards earned by eulerarbusdcstrategy will not be withdrawable from euler pool on arbitrum](https://reports.immunefi.com/alchemix-v3/58782-sc-high-rewards-earned-by-eulerarbusdcstrategy-will-not-be-withdrawable-from-euler-pool-on-arb.md) - [56383 sc low the alchemistcurator acceptadminownership can t be called by the pending admin and if the function is called without pending admin the admin rigths will be lost](https://reports.immunefi.com/alchemix-v3/56383-sc-low-the-alchemistcurator-acceptadminownership-can-t-be-called-by-the-pending-admin-and-if-t.md) - [57066 sc critical a malicious actor can keep calling poke at every block to prevent collateral earmarking exposing transmuter users to delayed redemptions and loss of funds](https://reports.immunefi.com/alchemix-v3/57066-sc-critical-a-malicious-actor-can-keep-calling-poke-at-every-block-to-prevent-collateral-earma.md) - [58275 sc high account rawlocked not clear even when debt is clear](https://reports.immunefi.com/alchemix-v3/58275-sc-high-account-rawlocked-not-clear-even-when-debt-is-clear.md) - [58480 sc low missing recipient and token binding in verifyswapcalldata leads to unauthorized fund transfers](https://reports.immunefi.com/alchemix-v3/58480-sc-low-missing-recipient-and-token-binding-in-verifyswapcalldata-leads-to-unauthorized-fund-tr.md) - [57330 sc critical resolverepaymentfee returns initial fee when fee is greater collateral balance](https://reports.immunefi.com/alchemix-v3/57330-sc-critical-resolverepaymentfee-returns-initial-fee-when-fee-is-greater-collateral-balance.md) - [57740 sc high eulereth strategy will have weth locked in the strategy contract](https://reports.immunefi.com/alchemix-v3/57740-sc-high-eulereth-strategy-will-have-weth-locked-in-the-strategy-contract.md) - [58771 sc high incorrect tracking of total deposited yield tokens mytsharesdeposited in liquidation and force repayment paths](https://reports.immunefi.com/alchemix-v3/58771-sc-high-incorrect-tracking-of-total-deposited-yield-tokens-mytsharesdeposited-in-liquidation-a.md) - [58334 sc medium incorrect function selectors](https://reports.immunefi.com/alchemix-v3/58334-sc-medium-incorrect-function-selectors.md) - [56960 sc medium missing slippage protection during redemption execution lead to loss of token for user ](https://reports.immunefi.com/alchemix-v3/56960-sc-medium-missing-slippage-protection-during-redemption-execution-lead-to-loss-of-token-for-us.md) - [58512 sc low mytstrategy isvalidsignature is implemented wrong and will not work](https://reports.immunefi.com/alchemix-v3/58512-sc-low-mytstrategy-isvalidsignature-is-implemented-wrong-and-will-not-work.md) - [58531 sc critical querygraph function zero return bug causing tracking earmarking failure over progressive block intervals](https://reports.immunefi.com/alchemix-v3/58531-sc-critical-querygraph-function-zero-return-bug-causing-tracking-earmarking-failure-over-progr.md) - [57394 sc low acceptadminownership only allows the current admin to finalise transfers](https://reports.immunefi.com/alchemix-v3/57394-sc-low-acceptadminownership-only-allows-the-current-admin-to-finalise-transfers.md) - [58497 sc low the amount of weth redeemed is not calculated properly in morphoyearnogweth](https://reports.immunefi.com/alchemix-v3/58497-sc-low-the-amount-of-weth-redeemed-is-not-calculated-properly-in-morphoyearnogweth.md) - [56517 sc low zeroxswapverifier validates struct but executes external actions enabling direct fund theft](https://reports.immunefi.com/alchemix-v3/56517-sc-low-zeroxswapverifier-validates-struct-but-executes-external-actions-enabling-direct-fund-t.md) - [56406 sc insight getestimatedyield never updates after snapshots](https://reports.immunefi.com/alchemix-v3/56406-sc-insight-getestimatedyield-never-updates-after-snapshots.md) - [58456 sc medium account can enter unliquidatable state with residual debt](https://reports.immunefi.com/alchemix-v3/58456-sc-medium-account-can-enter-unliquidatable-state-with-residual-debt.md) - [57861 sc high missing slippage protection in tokemak autopool allocation functions leads to direct theft of user funds](https://reports.immunefi.com/alchemix-v3/57861-sc-high-missing-slippage-protection-in-tokemak-autopool-allocation-functions-leads-to-direct-t.md) - [57916 sc critical repay removes earmark meant to be reducing debt while collateral is still reduced](https://reports.immunefi.com/alchemix-v3/57916-sc-critical-repay-removes-earmark-meant-to-be-reducing-debt-while-collateral-is-still-reduced.md) - [58648 sc low incorrect wethbalancebefore read causes broken loss detection in deallocation](https://reports.immunefi.com/alchemix-v3/58648-sc-low-incorrect-wethbalancebefore-read-causes-broken-loss-detection-in-deallocation.md) - [57127 sc low pending admin should call the function instead of admin ](https://reports.immunefi.com/alchemix-v3/57127-sc-low-pending-admin-should-call-the-function-instead-of-admin.md) - [58418 sc low verifyswapcalldata cant verify the output token of the swap](https://reports.immunefi.com/alchemix-v3/58418-sc-low-verifyswapcalldata-cant-verify-the-output-token-of-the-swap.md) - [56830 sc low broken admin ownership transfer logic acceptadminownership requires current admin instead of pending admin blocking role claim ](https://reports.immunefi.com/alchemix-v3/56830-sc-low-broken-admin-ownership-transfer-logic-acceptadminownership-requires-current-admin-inste.md) - [58125 sc critical repayment fee overpayment from pooled collateral](https://reports.immunefi.com/alchemix-v3/58125-sc-critical-repayment-fee-overpayment-from-pooled-collateral.md) - [57970 sc high forcerepay leaves cumulativeearmarked stale ](https://reports.immunefi.com/alchemix-v3/57970-sc-high-forcerepay-leaves-cumulativeearmarked-stale.md) - [58249 sc low broken two step admin handover in alchemistcurator](https://reports.immunefi.com/alchemix-v3/58249-sc-low-broken-two-step-admin-handover-in-alchemistcurator.md) - [57101 sc critical same block earmark early exit leaves stale transmuter balance causing under earmarking](https://reports.immunefi.com/alchemix-v3/57101-sc-critical-same-block-earmark-early-exit-leaves-stale-transmuter-balance-causing-under-earmar.md) - [58516 sc low inverted min max logic in alchemistallocator operator cap calculation](https://reports.immunefi.com/alchemix-v3/58516-sc-low-inverted-min-max-logic-in-alchemistallocator-operator-cap-calculation.md) - [56389 sc high mytsharesdeposited is not updated on liquidation outflows which could lead to solvency illusion and misreported global ratios](https://reports.immunefi.com/alchemix-v3/56389-sc-high-mytsharesdeposited-is-not-updated-on-liquidation-outflows-which-could-lead-to-solvency.md) - [58688 sc critical alchemistv3 liquidate can steal other users collateral](https://reports.immunefi.com/alchemix-v3/58688-sc-critical-alchemistv3-liquidate-can-steal-other-users-collateral.md) - [57777 sc low zerox swap verifier bypass enables direct theft of user funds](https://reports.immunefi.com/alchemix-v3/57777-sc-low-zerox-swap-verifier-bypass-enables-direct-theft-of-user-funds.md) - [56798 sc critical flash vote exploit drains all funds via alchemistallocator](https://reports.immunefi.com/alchemix-v3/56798-sc-critical-flash-vote-exploit-drains-all-funds-via-alchemistallocator.md) - [58231 sc medium attacker can stop protocol from allocating assets to the autoeth vaults](https://reports.immunefi.com/alchemix-v3/58231-sc-medium-attacker-can-stop-protocol-from-allocating-assets-to-the-autoeth-vaults.md) - [57148 sc high mytsharesdeposited variable is not correctly updated during liquidations leading to wrong assumptions and incorrect bad debt calculation in the transmuter ](https://reports.immunefi.com/alchemix-v3/57148-sc-high-mytsharesdeposited-variable-is-not-correctly-updated-during-liquidations-leading-to-wr.md) - [58736 sc high missing tvl accounting in forcerepay and doliquidation leads to protocol insolvency](https://reports.immunefi.com/alchemix-v3/58736-sc-high-missing-tvl-accounting-in-forcerepay-and-doliquidation-leads-to-protocol-insolvency.md) - [57678 sc high liquidation fee is deducted from user but not paid to liquidator](https://reports.immunefi.com/alchemix-v3/57678-sc-high-liquidation-fee-is-deducted-from-user-but-not-paid-to-liquidator.md) - [58658 sc high cumulativeearmarked not updated](https://reports.immunefi.com/alchemix-v3/58658-sc-high-cumulativeearmarked-not-updated.md) - [58094 sc insight autopooleth vault slippage during lp token liquidation leads to temporary fund freezing](https://reports.immunefi.com/alchemix-v3/58094-sc-insight-autopooleth-vault-slippage-during-lp-token-liquidation-leads-to-temporary-fund-free.md) - [58527 sc low complete loss of all reward value on tokeautoethstrategy claimrewards](https://reports.immunefi.com/alchemix-v3/58527-sc-low-complete-loss-of-all-reward-value-on-tokeautoethstrategy-claimrewards.md) - [58376 sc low claimrewards function permanently locks earned toke reward token on morpho vaultv2](https://reports.immunefi.com/alchemix-v3/58376-sc-low-claimrewards-function-permanently-locks-earned-toke-reward-token-on-morpho-vaultv2.md) - [57606 sc insight attacker can dos deposits by hitting the deposit cap](https://reports.immunefi.com/alchemix-v3/57606-sc-insight-attacker-can-dos-deposits-by-hitting-the-deposit-cap.md) - [56845 sc high the deposit will be reverted because mytsharesdeposited references an outdated value](https://reports.immunefi.com/alchemix-v3/56845-sc-high-the-deposit-will-be-reverted-because-mytsharesdeposited-references-an-outdated-value.md) - [56658 sc insight transmuter s tokenuri does not revert for nonexistent tokenids](https://reports.immunefi.com/alchemix-v3/56658-sc-insight-transmuter-s-tokenuri-does-not-revert-for-nonexistent-tokenids.md) - [56887 sc low incorrect balance tracking in morphoyearnogwethstrategy deallocate function leads to wrong loss event emission resend ](https://reports.immunefi.com/alchemix-v3/56887-sc-low-incorrect-balance-tracking-in-morphoyearnogwethstrategy-deallocate-function-leads-to-wr.md) - [57972 sc high liquidation doesn t update mytsharesdeposited](https://reports.immunefi.com/alchemix-v3/57972-sc-high-liquidation-doesn-t-update-mytsharesdeposited.md) - [56740 sc critical unbounded liquidation fee allows theft of shared collateral](https://reports.immunefi.com/alchemix-v3/56740-sc-critical-unbounded-liquidation-fee-allows-theft-of-shared-collateral.md) - [58287 sc high mytsharesdeposited is not updated on some token transfer](https://reports.immunefi.com/alchemix-v3/58287-sc-high-mytsharesdeposited-is-not-updated-on-some-token-transfer.md) - [58579 sc low inconsistent admin management implementation in alchemistcurator sol](https://reports.immunefi.com/alchemix-v3/58579-sc-low-inconsistent-admin-management-implementation-in-alchemistcurator-sol.md) - [58022 sc medium accounting mismatch and fund stuck due to dust eth on stargateethpoolstrategy](https://reports.immunefi.com/alchemix-v3/58022-sc-medium-accounting-mismatch-and-fund-stuck-due-to-dust-eth-on-stargateethpoolstrategy.md) - [58723 sc high cumulativeearmarked is not updated at forcerepay ](https://reports.immunefi.com/alchemix-v3/58723-sc-high-cumulativeearmarked-is-not-updated-at-forcerepay.md) - [58239 sc medium missing aave incentives rewards claiming mechanism leads to permanent loss of protocol royalties](https://reports.immunefi.com/alchemix-v3/58239-sc-medium-missing-aave-incentives-rewards-claiming-mechanism-leads-to-permanent-loss-of-protoc.md) - [58333 sc low incorrect onlyadmin modifier in acceptadminownership](https://reports.immunefi.com/alchemix-v3/58333-sc-low-incorrect-onlyadmin-modifier-in-acceptadminownership.md) - [58520 sc low pending admin cannot accept ownership](https://reports.immunefi.com/alchemix-v3/58520-sc-low-pending-admin-cannot-accept-ownership.md) - [58067 sc high asymmetric deallocation in tokeautoethstrategy leads to permanent weth funds stuck in strategy](https://reports.immunefi.com/alchemix-v3/58067-sc-high-asymmetric-deallocation-in-tokeautoethstrategy-leads-to-permanent-weth-funds-stuck-in.md) - [58260 sc high inconsistent collateral accounting where force repay liquidation transfer out myt without adjusting tvl](https://reports.immunefi.com/alchemix-v3/58260-sc-high-inconsistent-collateral-accounting-where-force-repay-liquidation-transfer-out-myt-with.md) - [57963 sc high incorrect mytsharesdeposited accounting in liquidate allows theft of user funds via corrupted bad debt ratio](https://reports.immunefi.com/alchemix-v3/57963-sc-high-incorrect-mytsharesdeposited-accounting-in-liquidate-allows-theft-of-user-funds-via-co.md) - [58645 sc medium incorrect weth wrapping amount in moonwellwethstrategy deallocate wraps ethredeemed instead of amount ](https://reports.immunefi.com/alchemix-v3/58645-sc-medium-incorrect-weth-wrapping-amount-in-moonwellwethstrategy-deallocate-wraps-ethredeemed.md) - [58138 sc critical liquidator fees could surpass the user remaining collateral resulting in protocol insolvency](https://reports.immunefi.com/alchemix-v3/58138-sc-critical-liquidator-fees-could-surpass-the-user-remaining-collateral-resulting-in-protocol.md) - [58544 sc critical it is possible to underflow on sync making positions bricked forever](https://reports.immunefi.com/alchemix-v3/58544-sc-critical-it-is-possible-to-underflow-on-sync-making-positions-bricked-forever.md) - [57725 sc high alchemistv liquidate is not updating the mytsharesdeposited which makes it inflated and can cause deposits dos and liquidations malfunction that may cause protocol insolvency ](https://reports.immunefi.com/alchemix-v3/57725-sc-high-alchemistv-liquidate-is-not-updating-the-mytsharesdeposited-which-makes-it-inflated-an.md) - [58443 sc critical incorrect consumption of yield cover in redeem leading to reuse of accrued yield ](https://reports.immunefi.com/alchemix-v3/58443-sc-critical-incorrect-consumption-of-yield-cover-in-redeem-leading-to-reuse-of-accrued-yield.md) - [56824 sc high missing update to mytsharesdeposited during liquidation](https://reports.immunefi.com/alchemix-v3/56824-sc-high-missing-update-to-mytsharesdeposited-during-liquidation.md) - [56962 sc low balance check logic error in deallocate function leads to broken loss detection and false event emissions](https://reports.immunefi.com/alchemix-v3/56962-sc-low-balance-check-logic-error-in-deallocate-function-leads-to-broken-loss-detection-and-fal.md) - [57625 sc low incorrect cover accounting in earmark leads to earmarking failure and value leakage](https://reports.immunefi.com/alchemix-v3/57625-sc-low-incorrect-cover-accounting-in-earmark-leads-to-earmarking-failure-and-value-leakage.md) - [58447 sc critical unfair collateral loss through socialized redemption costs](https://reports.immunefi.com/alchemix-v3/58447-sc-critical-unfair-collateral-loss-through-socialized-redemption-costs.md) - [57196 sc high artificially inflated mytsharesdeposited in alchemixv3 sol deflates bad debt ratio in transmuter sol ](https://reports.immunefi.com/alchemix-v3/57196-sc-high-artificially-inflated-mytsharesdeposited-in-alchemixv3-sol-deflates-bad-debt-ratio-in.md) - [56895 sc insight function approvemint is vulnerable to race conditions](https://reports.immunefi.com/alchemix-v3/56895-sc-insight-function-approvemint-is-vulnerable-to-race-conditions.md) - [58755 sc high users position that are synced at certain times overestimate collateralbalance of the position](https://reports.immunefi.com/alchemix-v3/58755-sc-high-users-position-that-are-synced-at-certain-times-overestimate-collateralbalance-of-the.md) - [58269 sc high liquidator fee not paid when fee equals surplus](https://reports.immunefi.com/alchemix-v3/58269-sc-high-liquidator-fee-not-paid-when-fee-equals-surplus.md) - [58383 sc high due to cumulativeearmarked not being updated in alchemix forcerepay user funds are locked longer due to slower debt decay and calculation of system collaterization rate is inc ](https://reports.immunefi.com/alchemix-v3/58383-sc-high-due-to-cumulativeearmarked-not-being-updated-in-alchemix-forcerepay-user-funds-are-loc.md) - [58636 sc low broken two step admin transfer prevents legitimate admin succession in alchemistcurator](https://reports.immunefi.com/alchemix-v3/58636-sc-low-broken-two-step-admin-transfer-prevents-legitimate-admin-succession-in-alchemistcurator.md) - [56343 sc low morphoyearnogweth deallocate function always emits strategydeallocationloss due to flawed balance measurement](https://reports.immunefi.com/alchemix-v3/56343-sc-low-morphoyearnogweth-deallocate-function-always-emits-strategydeallocationloss-due-to-flaw.md) - [56902 sc high strategy adapter aavev3opusdcstrategy would not work well with atoken rebasing mechanism](https://reports.immunefi.com/alchemix-v3/56902-sc-high-strategy-adapter-aavev3opusdcstrategy-would-not-work-well-with-atoken-rebasing-mechani.md) - [58215 sc high funds can become permanently stuck in adapter when kill switch is enabled](https://reports.immunefi.com/alchemix-v3/58215-sc-high-funds-can-become-permanently-stuck-in-adapter-when-kill-switch-is-enabled.md) - [56672 sc high inconsistent myt share accounting leads to under liquidation and solvency risk](https://reports.immunefi.com/alchemix-v3/56672-sc-high-inconsistent-myt-share-accounting-leads-to-under-liquidation-and-solvency-risk.md) - [58088 sc low inadequate enforcement of global cap enables cumulative over allocation](https://reports.immunefi.com/alchemix-v3/58088-sc-low-inadequate-enforcement-of-global-cap-enables-cumulative-over-allocation.md) - [57867 sc medium zeroxswapverifier erroneously rejects uniswap v3 swaps due to an an incorrect selector](https://reports.immunefi.com/alchemix-v3/57867-sc-medium-zeroxswapverifier-erroneously-rejects-uniswap-v3-swaps-due-to-an-an-incorrect-select.md) - [58466 sc high liquidation fee payment failure due to redundant wrong collateral check](https://reports.immunefi.com/alchemix-v3/58466-sc-high-liquidation-fee-payment-failure-due-to-redundant-wrong-collateral-check.md) - [56465 sc low gettotaldeposited doesn t reflect the correct total deposited](https://reports.immunefi.com/alchemix-v3/56465-sc-low-gettotaldeposited-doesn-t-reflect-the-correct-total-deposited.md) - [57544 sc high mytsharesdeposited is not reduced upon fee transfers to protocol](https://reports.immunefi.com/alchemix-v3/57544-sc-high-mytsharesdeposited-is-not-reduced-upon-fee-transfers-to-protocol.md) - [57311 sc medium moonwell allocation and deallocation can fail silently causing incorrect state updates and loss of yield](https://reports.immunefi.com/alchemix-v3/57311-sc-medium-moonwell-allocation-and-deallocation-can-fail-silently-causing-incorrect-state-updat.md) - [56673 sc high zero cost fee farming via forced earmarked repayment](https://reports.immunefi.com/alchemix-v3/56673-sc-high-zero-cost-fee-farming-via-forced-earmarked-repayment.md) - [58369 sc high missing mytsharesdeposited decrements in forcerepay doliquidation leads to smart contract unable to operate due to lack of token funds](https://reports.immunefi.com/alchemix-v3/58369-sc-high-missing-mytsharesdeposited-decrements-in-forcerepay-doliquidation-leads-to-smart-contr.md) - [56927 sc medium setminimumcollateralization function also needs a another check ](https://reports.immunefi.com/alchemix-v3/56927-sc-medium-setminimumcollateralization-function-also-needs-a-another-check.md) - [58080 sc medium aave v3 strategies fail to claim op arb liquidity mining rewards causing permanent loss of yield](https://reports.immunefi.com/alchemix-v3/58080-sc-medium-aave-v3-strategies-fail-to-claim-op-arb-liquidity-mining-rewards-causing-permanent-l.md) - [56983 sc low tokemak rewards sent to myt vault contract not strategy rewards stranded](https://reports.immunefi.com/alchemix-v3/56983-sc-low-tokemak-rewards-sent-to-myt-vault-contract-not-strategy-rewards-stranded.md) - [57726 sc high alchemistv3 myt tvl accounting drift on liquidation forcerepay blocks deposits via depositcap medium smart contract unable to operate due to lack of token funds ](https://reports.immunefi.com/alchemix-v3/57726-sc-high-alchemistv3-myt-tvl-accounting-drift-on-liquidation-forcerepay-blocks-deposits-via-dep.md) - [58741 sc medium action function signatures to 0x settler are wrong](https://reports.immunefi.com/alchemix-v3/58741-sc-medium-action-function-signatures-to-0x-settler-are-wrong.md) - [58422 sc low morphoyearn og weth strategy always emits deallocation loss event due to zero delta calculation](https://reports.immunefi.com/alchemix-v3/58422-sc-low-morphoyearn-og-weth-strategy-always-emits-deallocation-loss-event-due-to-zero-delta-cal.md) - [57208 sc insight it is possible to prevent lowering the deposit cap by front running](https://reports.immunefi.com/alchemix-v3/57208-sc-insight-it-is-possible-to-prevent-lowering-the-deposit-cap-by-front-running.md) - [58357 sc low permanent freezing of tokeautoeth strategy rewards in myt vault](https://reports.immunefi.com/alchemix-v3/58357-sc-low-permanent-freezing-of-tokeautoeth-strategy-rewards-in-myt-vault.md) - [57479 sc low logical bug in alchemistcurator acceptadminownership asking to current admin to accept ownership ](https://reports.immunefi.com/alchemix-v3/57479-sc-low-logical-bug-in-alchemistcurator-acceptadminownership-asking-to-current-admin-to-accept.md) - [58177 sc high transmuter claimredemption cant update mytsharesdeposited leading to permanent underlying value state inside alchemist](https://reports.immunefi.com/alchemix-v3/58177-sc-high-transmuter-claimredemption-cant-update-mytsharesdeposited-leading-to-permanent-underly.md) - [57291 sc insight hardcoded slippage in myt strategy](https://reports.immunefi.com/alchemix-v3/57291-sc-insight-hardcoded-slippage-in-myt-strategy.md) - [56709 sc low zeroxswapverifier missing source validation](https://reports.immunefi.com/alchemix-v3/56709-sc-low-zeroxswapverifier-missing-source-validation.md) - [58033 sc medium unimplemented claimrewards function results in permanent freezing of aave incentive rewards](https://reports.immunefi.com/alchemix-v3/58033-sc-medium-unimplemented-claimrewards-function-results-in-permanent-freezing-of-aave-incentive.md) - [56855 sc medium liquidations fail with arithmetic underflow when forced repayment exhausts collateral](https://reports.immunefi.com/alchemix-v3/56855-sc-medium-liquidations-fail-with-arithmetic-underflow-when-forced-repayment-exhausts-collatera.md) - [58672 sc low incorrect balance check sequence ](https://reports.immunefi.com/alchemix-v3/58672-sc-low-incorrect-balance-check-sequence.md) - [58130 sc medium asymmetric validation in collateralization setters allows protocol misconfiguration breaking all borrowing](https://reports.immunefi.com/alchemix-v3/58130-sc-medium-asymmetric-validation-in-collateralization-setters-allows-protocol-misconfiguration.md) - [57152 sc high assets permanently locked due to killswitch flag](https://reports.immunefi.com/alchemix-v3/57152-sc-high-assets-permanently-locked-due-to-killswitch-flag.md) - [58754 sc high missing mytsharesdeposited decrements in alchemistv3 forcerepay doliquidation ](https://reports.immunefi.com/alchemix-v3/58754-sc-high-missing-mytsharesdeposited-decrements-in-alchemistv3-forcerepay-doliquidation.md) - [57812 sc medium no function to claim aave incentives](https://reports.immunefi.com/alchemix-v3/57812-sc-medium-no-function-to-claim-aave-incentives.md) - [58564 sc critical earmarked funds fail to accumulate when earmark is called in consecutive blocks](https://reports.immunefi.com/alchemix-v3/58564-sc-critical-earmarked-funds-fail-to-accumulate-when-earmark-is-called-in-consecutive-blocks.md) - [57183 sc medium missing incentive rewards claiming in multiple strategy contracts](https://reports.immunefi.com/alchemix-v3/57183-sc-medium-missing-incentive-rewards-claiming-in-multiple-strategy-contracts.md) - [58518 sc critical liquidation will steal repayment fee from innocent users funds](https://reports.immunefi.com/alchemix-v3/58518-sc-critical-liquidation-will-steal-repayment-fee-from-innocent-users-funds.md) - [58705 sc low mismatch between emitted protocol fee and actual fee paid in forcerepay due to strict inequality check](https://reports.immunefi.com/alchemix-v3/58705-sc-low-mismatch-between-emitted-protocol-fee-and-actual-fee-paid-in-forcerepay-due-to-strict-i.md) - [58707 sc medium moonwell strategy allocate does not revert when mint fails which can result in a sudden drop in myt share price and consequently sever under collateralization](https://reports.immunefi.com/alchemix-v3/58707-sc-medium-moonwell-strategy-allocate-does-not-revert-when-mint-fails-which-can-result-in-a-sud.md) - [58627 sc low incorrect delta calculation in deallocate causes wethredeemed to always be zero ](https://reports.immunefi.com/alchemix-v3/58627-sc-low-incorrect-delta-calculation-in-deallocate-causes-wethredeemed-to-always-be-zero.md) - [57024 sc low wethbalancebefore is computed after withdrawal in deallocate function in morphoyearnogwethstrategy contract leading to systematic strategydeallocationloss event emission ](https://reports.immunefi.com/alchemix-v3/57024-sc-low-wethbalancebefore-is-computed-after-withdrawal-in-deallocate-function-in-morphoyearnogw.md) - [58773 sc medium in stargate incorrect allocation cap accounting leading to unnecessary dos](https://reports.immunefi.com/alchemix-v3/58773-sc-medium-in-stargate-incorrect-allocation-cap-accounting-leading-to-unnecessary-dos.md) - [58010 sc high slippage tolerance not enforced in tokeautousdstrategy](https://reports.immunefi.com/alchemix-v3/58010-sc-high-slippage-tolerance-not-enforced-in-tokeautousdstrategy.md) - [58266 sc high partial liquidation strands base fee due to post seizure balance check](https://reports.immunefi.com/alchemix-v3/58266-sc-high-partial-liquidation-strands-base-fee-due-to-post-seizure-balance-check.md) - [58101 sc critical repayment only liquidation overpays fee from pooled collateral](https://reports.immunefi.com/alchemix-v3/58101-sc-critical-repayment-only-liquidation-overpays-fee-from-pooled-collateral.md) - [56936 sc high missing mytsharesdeposited decrements on repay liquidation tvl drift false over collateralization and deposit cap dos](https://reports.immunefi.com/alchemix-v3/56936-sc-high-missing-mytsharesdeposited-decrements-on-repay-liquidation-tvl-drift-false-over-collat.md) - [58360 sc low round down calculation in converttoshares leads to deallocation failure in tokeautoeth strategy](https://reports.immunefi.com/alchemix-v3/58360-sc-low-round-down-calculation-in-converttoshares-leads-to-deallocation-failure-in-tokeautoeth.md) - [56622 sc critical repayment fee overpays liquidators using pooled collateral after forcerepay](https://reports.immunefi.com/alchemix-v3/56622-sc-critical-repayment-fee-overpays-liquidators-using-pooled-collateral-after-forcerepay.md) - [58113 sc high stargateethpoolstrategy realassets return false real assets ](https://reports.immunefi.com/alchemix-v3/58113-sc-high-stargateethpoolstrategy-realassets-return-false-real-assets.md) - [58337 sc high incorrect handling of cumulativeearmarked in forcerepay leads to inflated survival accumulator ](https://reports.immunefi.com/alchemix-v3/58337-sc-high-incorrect-handling-of-cumulativeearmarked-in-forcerepay-leads-to-inflated-survival-acc.md) - [58793 sc critical repayment fee overpayment from global collateral pool](https://reports.immunefi.com/alchemix-v3/58793-sc-critical-repayment-fee-overpayment-from-global-collateral-pool.md) - [58464 sc critical repayment fee paid from protocol funds when user collateral is depleted](https://reports.immunefi.com/alchemix-v3/58464-sc-critical-repayment-fee-paid-from-protocol-funds-when-user-collateral-is-depleted.md) - [58259 sc low broken operator logic inside alchemistcurator](https://reports.immunefi.com/alchemix-v3/58259-sc-low-broken-operator-logic-inside-alchemistcurator.md) - [56923 sc high missing cumulativeearmarked update in forcerepay causes incorrect debt accounting in alchemistv3](https://reports.immunefi.com/alchemix-v3/56923-sc-high-missing-cumulativeearmarked-update-in-forcerepay-causes-incorrect-debt-accounting-in-a.md) - [58409 sc high high arithmetic underflow in mytstrategy sol s deallocate check prevents yield withdrawal](https://reports.immunefi.com/alchemix-v3/58409-sc-high-high-arithmetic-underflow-in-mytstrategy-sol-s-deallocate-check-prevents-yield-withdra.md) - [58435 sc high systemic accounting bug leads to protocol insolvency](https://reports.immunefi.com/alchemix-v3/58435-sc-high-systemic-accounting-bug-leads-to-protocol-insolvency.md) - [58573 sc critical alchemistv3 repayment fee cross account theft vulnerability](https://reports.immunefi.com/alchemix-v3/58573-sc-critical-alchemistv3-repayment-fee-cross-account-theft-vulnerability.md) - [57308 sc high alchemistv3 does not update mytsharesdeposited when performing liquidation causing global accounting and liquidation logic mismatch](https://reports.immunefi.com/alchemix-v3/57308-sc-high-alchemistv3-does-not-update-mytsharesdeposited-when-performing-liquidation-causing-glo.md) - [57599 sc low protocol wrongly withdraws before checking balance of withdraw](https://reports.immunefi.com/alchemix-v3/57599-sc-low-protocol-wrongly-withdraws-before-checking-balance-of-withdraw.md) - [58492 sc medium unbounded deposit exposure in tokeautoethstrategy allocate ](https://reports.immunefi.com/alchemix-v3/58492-sc-medium-unbounded-deposit-exposure-in-tokeautoethstrategy-allocate.md) - [58449 sc medium tokeautoeth strategy balance approval mismatch dos](https://reports.immunefi.com/alchemix-v3/58449-sc-medium-tokeautoeth-strategy-balance-approval-mismatch-dos.md) - [56775 sc medium permanent freezing of funds from precision dust strict deallocation check](https://reports.immunefi.com/alchemix-v3/56775-sc-medium-permanent-freezing-of-funds-from-precision-dust-strict-deallocation-check.md) - [58244 sc low incorrect balance check order in morphoyearnogweth strategy leads to false deallocation loss events](https://reports.immunefi.com/alchemix-v3/58244-sc-low-incorrect-balance-check-order-in-morphoyearnogweth-strategy-leads-to-false-deallocation.md) - [58604 sc low verification bypass in verifyexecutemetatxncalldata enables arbitrary 0x actions to pass checks and execute in the zeroxswapverifier sol contract](https://reports.immunefi.com/alchemix-v3/58604-sc-low-verification-bypass-in-verifyexecutemetatxncalldata-enables-arbitrary-0x-actions-to-pas.md) - [57369 sc high deallocation may revert due to an underflow](https://reports.immunefi.com/alchemix-v3/57369-sc-high-deallocation-may-revert-due-to-an-underflow.md) - [57028 sc insight wrong amount variable in repay event](https://reports.immunefi.com/alchemix-v3/57028-sc-insight-wrong-amount-variable-in-repay-event.md) - [57331 sc medium conditional eth wrapping logic causes withdrawal dos in moonwellweth and stargateeth strategies](https://reports.immunefi.com/alchemix-v3/57331-sc-medium-conditional-eth-wrapping-logic-causes-withdrawal-dos-in-moonwellweth-and-stargateeth.md) - [57930 sc high allocation tracking underflow in strategy deallocation leads to protocol insolvency](https://reports.immunefi.com/alchemix-v3/57930-sc-high-allocation-tracking-underflow-in-strategy-deallocation-leads-to-protocol-insolvency.md) - [56498 sc low reserve drainage due to incorrect balance measurement](https://reports.immunefi.com/alchemix-v3/56498-sc-low-reserve-drainage-due-to-incorrect-balance-measurement.md) - [58728 sc medium when the strategy is at a loss the assets cannot be withdrawn](https://reports.immunefi.com/alchemix-v3/58728-sc-medium-when-the-strategy-is-at-a-loss-the-assets-cannot-be-withdrawn.md) - [58524 sc high when liquidating there are cases where the fee is not paid to the liquidator ](https://reports.immunefi.com/alchemix-v3/58524-sc-high-when-liquidating-there-are-cases-where-the-fee-is-not-paid-to-the-liquidator.md) - [56982 sc medium incorrect function selectors used in zeroxswapverifier](https://reports.immunefi.com/alchemix-v3/56982-sc-medium-incorrect-function-selectors-used-in-zeroxswapverifier.md) - [58325 sc low operator can shift vault funds to risky strategies without oversight leading to potential loss of user funds ](https://reports.immunefi.com/alchemix-v3/58325-sc-low-operator-can-shift-vault-funds-to-risky-strategies-without-oversight-leading-to-potenti.md) - [58386 sc low rewards claimed during deallocation remain stranded on strategy and unaccounted](https://reports.immunefi.com/alchemix-v3/58386-sc-low-rewards-claimed-during-deallocation-remain-stranded-on-strategy-and-unaccounted.md) - [56832 sc low alchemistcurator contract doesn t allow to remove strategies from the myt morpho v2 vault ](https://reports.immunefi.com/alchemix-v3/56832-sc-low-alchemistcurator-contract-doesn-t-allow-to-remove-strategies-from-the-myt-morpho-v2-vau.md) - [56385 sc critical repayment fee can be paid from the pool even when the account has no collateral left](https://reports.immunefi.com/alchemix-v3/56385-sc-critical-repayment-fee-can-be-paid-from-the-pool-even-when-the-account-has-no-collateral-le.md) - [58502 sc high deposit cap denial of service due to stale mytsharesdeposited during liquidation](https://reports.immunefi.com/alchemix-v3/58502-sc-high-deposit-cap-denial-of-service-due-to-stale-mytsharesdeposited-during-liquidation.md) - [58310 sc low strategy fluidarbusdcstrategy cant claim fluid token reward](https://reports.immunefi.com/alchemix-v3/58310-sc-low-strategy-fluidarbusdcstrategy-cant-claim-fluid-token-reward.md) - [58288 sc critical incorrect fee payment logic leads to underpayment ](https://reports.immunefi.com/alchemix-v3/58288-sc-critical-incorrect-fee-payment-logic-leads-to-underpayment.md) - [56621 sc insight broken withdrawal logic in aavev3arbusdcstrategy permanently locks user funds](https://reports.immunefi.com/alchemix-v3/56621-sc-insight-broken-withdrawal-logic-in-aavev3arbusdcstrategy-permanently-locks-user-funds.md) - [57774 sc critical redemption earmark mechanism can be permanently blocked via single block earmark calls](https://reports.immunefi.com/alchemix-v3/57774-sc-critical-redemption-earmark-mechanism-can-be-permanently-blocked-via-single-block-earmark-c.md) - [56529 sc low incorrect token balance calculation in morphoyearnogwethstrategy sol deallocate leads to wrong event emitted every time](https://reports.immunefi.com/alchemix-v3/56529-sc-low-incorrect-token-balance-calculation-in-morphoyearnogwethstrategy-sol-deallocate-leads-t.md) - [58396 sc high total locked is not cleared proportionally to the total debt this forces the collateral weight to become incorrect and new users transmuter redeem repayment will repay more debt fo ](https://reports.immunefi.com/alchemix-v3/58396-sc-high-total-locked-is-not-cleared-proportionally-to-the-total-debt-this-forces-the-collatera.md) - [58428 sc low toke reward loss when calling deallocate](https://reports.immunefi.com/alchemix-v3/58428-sc-low-toke-reward-loss-when-calling-deallocate.md) - [58056 sc low the auto eth and usdc staking rewards will stuck in vault](https://reports.immunefi.com/alchemix-v3/58056-sc-low-the-auto-eth-and-usdc-staking-rewards-will-stuck-in-vault.md) - [56836 sc low ownership transfer failure in alchemistcurator https github com alchemix finance v3 poc blob immunefi audit src alchemistcurator sol prevents future dao governance or recovery](https://reports.immunefi.com/alchemix-v3/56836-sc-low-ownership-transfer-failure-in-alchemistcurator-https-github-com-alchemix-finance-v3-poc.md) - [56518 sc insight claimwithdrawalqueue discards claimed amount](https://reports.immunefi.com/alchemix-v3/56518-sc-insight-claimwithdrawalqueue-discards-claimed-amount.md) - [56326 sc insight variable could be immutable](https://reports.immunefi.com/alchemix-v3/56326-sc-insight-variable-could-be-immutable.md) - [57862 sc low incorrect balancebefore reading order in morphoyearnogwethstrategy deallocate function leads to wrong event emission](https://reports.immunefi.com/alchemix-v3/57862-sc-low-incorrect-balancebefore-reading-order-in-morphoyearnogwethstrategy-deallocate-function.md) - [56427 sc insight src utils permissionedproxy sol setpermissionedcall incomplete event emission because it doesnt include value argument for signature](https://reports.immunefi.com/alchemix-v3/56427-sc-insight-src-utils-permissionedproxy-sol-setpermissionedcall-incomplete-event-emission-becau.md) - [56794 sc critical liquidators can be overpaid due to accounting error ](https://reports.immunefi.com/alchemix-v3/56794-sc-critical-liquidators-can-be-overpaid-due-to-accounting-error.md) - [58040 sc low removestrategy is non functional](https://reports.immunefi.com/alchemix-v3/58040-sc-low-removestrategy-is-non-functional.md) - [57053 sc critical integer division precision loss in normalizedebttokenstounderlying leads to permanent collateral locking](https://reports.immunefi.com/alchemix-v3/57053-sc-critical-integer-division-precision-loss-in-normalizedebttokenstounderlying-leads-to-perman.md) - [56815 sc high missing mytsharesdeposited decrements in internal outflows cause tvl inflation deposit dos](https://reports.immunefi.com/alchemix-v3/56815-sc-high-missing-mytsharesdeposited-decrements-in-internal-outflows-cause-tvl-inflation-deposit.md) - [57587 sc critical earmark reduction of transmuterdifference does not always account for the full transmuter balance diff which can cause permanent earmark to accrue in alchemist](https://reports.immunefi.com/alchemix-v3/57587-sc-critical-earmark-reduction-of-transmuterdifference-does-not-always-account-for-the-full-tra.md) - [58112 sc high a malicious user can avoid getting penalized upon a transmuter redemption by depositing and withdrawing collateral in the alchemist](https://reports.immunefi.com/alchemix-v3/58112-sc-high-a-malicious-user-can-avoid-getting-penalized-upon-a-transmuter-redemption-by-depositin.md) - [57197 sc high incorrect totallocked reduction](https://reports.immunefi.com/alchemix-v3/57197-sc-high-incorrect-totallocked-reduction.md) - [57837 sc low moonwellwethstrategy cant claim reward from moonwell comptroller](https://reports.immunefi.com/alchemix-v3/57837-sc-low-moonwellwethstrategy-cant-claim-reward-from-moonwell-comptroller.md) - [57483 sc medium fees could be skipped when there is not enough collateral](https://reports.immunefi.com/alchemix-v3/57483-sc-medium-fees-could-be-skipped-when-there-is-not-enough-collateral.md) - [58079 sc low missing from validation in zeroxswapverifier verifyswapcalldata enables direct theft of approved funds](https://reports.immunefi.com/alchemix-v3/58079-sc-low-missing-from-validation-in-zeroxswapverifier-verifyswapcalldata-enables-direct-theft-of.md) - [56363 sc high mytsharesdeposited not correctly updated in all cases leading to incorrect protocol collateralization and reduced liquidation incentives](https://reports.immunefi.com/alchemix-v3/56363-sc-high-mytsharesdeposited-not-correctly-updated-in-all-cases-leading-to-incorrect-protocol-co.md) - [57918 sc high incorrect totallocked collateral accounting in alchemistv3](https://reports.immunefi.com/alchemix-v3/57918-sc-high-incorrect-totallocked-collateral-accounting-in-alchemistv3.md) - [56528 sc insight unbounded slippagebps can freeze withdrawals](https://reports.immunefi.com/alchemix-v3/56528-sc-insight-unbounded-slippagebps-can-freeze-withdrawals.md) - [57825 sc high forced repay cover enables double counted debt reduction in redeem](https://reports.immunefi.com/alchemix-v3/57825-sc-high-forced-repay-cover-enables-double-counted-debt-reduction-in-redeem.md) - [58797 sc low the tokeauto strategies implementation does not accurately report the actual assets held by the strategy](https://reports.immunefi.com/alchemix-v3/58797-sc-low-the-tokeauto-strategies-implementation-does-not-accurately-report-the-actual-assets-hel.md) - [58642 sc low cap bypass in alchemistallocator deallocate allows over deallocation beyond computed limits](https://reports.immunefi.com/alchemix-v3/58642-sc-low-cap-bypass-in-alchemistallocator-deallocate-allows-over-deallocation-beyond-computed-li.md) - [58611 sc medium double counting of earmarked debt repayments as cover leads to user funds being stuck and protocol insolvency ](https://reports.immunefi.com/alchemix-v3/58611-sc-medium-double-counting-of-earmarked-debt-repayments-as-cover-leads-to-user-funds-being-stuc.md) - [58189 sc low two step mechanism to transfer ownership is broken due to incorrect access control](https://reports.immunefi.com/alchemix-v3/58189-sc-low-two-step-mechanism-to-transfer-ownership-is-broken-due-to-incorrect-access-control.md) - [58306 sc critical repayment fee not adjusted for insufficient collateral](https://reports.immunefi.com/alchemix-v3/58306-sc-critical-repayment-fee-not-adjusted-for-insufficient-collateral.md) - [58322 sc low incorrect emit due to wrong ordering of wethbalancebefore calculation](https://reports.immunefi.com/alchemix-v3/58322-sc-low-incorrect-emit-due-to-wrong-ordering-of-wethbalancebefore-calculation.md) - [57516 sc low arbitrary external call in zeroxswapverifier leads to theft of unclaimed yield](https://reports.immunefi.com/alchemix-v3/57516-sc-low-arbitrary-external-call-in-zeroxswapverifier-leads-to-theft-of-unclaimed-yield.md) - [57832 sc insight cap logic error in alchemistallocator](https://reports.immunefi.com/alchemix-v3/57832-sc-insight-cap-logic-error-in-alchemistallocator.md) - [58718 sc medium in forcerepay protocol fee collection leads to theft of unclaimed yield](https://reports.immunefi.com/alchemix-v3/58718-sc-medium-in-forcerepay-protocol-fee-collection-leads-to-theft-of-unclaimed-yield.md) - [57668 sc high missing collateral tracking update during liquidation leads to inflated total value calculation and delayed under collateralization protection](https://reports.immunefi.com/alchemix-v3/57668-sc-high-missing-collateral-tracking-update-during-liquidation-leads-to-inflated-total-value-ca.md) - [56332 sc low pending admin cannot accept ownership](https://reports.immunefi.com/alchemix-v3/56332-sc-low-pending-admin-cannot-accept-ownership.md) - [58276 sc critical uncapped feeinyield in resolverepaymentfee allows for collateral theft from other depositors](https://reports.immunefi.com/alchemix-v3/58276-sc-critical-uncapped-feeinyield-in-resolverepaymentfee-allows-for-collateral-theft-from-other.md) - [58362 sc low users will lose tokemak rewards earned in tokeautoethstrategy](https://reports.immunefi.com/alchemix-v3/58362-sc-low-users-will-lose-tokemak-rewards-earned-in-tokeautoethstrategy.md) - [56893 sc low pending admin cannot accept ownership in alchemistcurator](https://reports.immunefi.com/alchemix-v3/56893-sc-low-pending-admin-cannot-accept-ownership-in-alchemistcurator.md) - [58689 sc critical incorrect deduction logic in alchemistv3 redeem may lead to insufficient contract collateral](https://reports.immunefi.com/alchemix-v3/58689-sc-critical-incorrect-deduction-logic-in-alchemistv3-redeem-may-lead-to-insufficient-contract.md) - [56801 sc insight function burn could be gas optimized](https://reports.immunefi.com/alchemix-v3/56801-sc-insight-function-burn-could-be-gas-optimized.md) - [57464 sc high incorrect accounting in stargate strategy causes protocol insolvency and user liquidations](https://reports.immunefi.com/alchemix-v3/57464-sc-high-incorrect-accounting-in-stargate-strategy-causes-protocol-insolvency-and-user-liquidat.md) - [57532 sc high assets are not accounted for when the contract is in killswitch mode](https://reports.immunefi.com/alchemix-v3/57532-sc-high-assets-are-not-accounted-for-when-the-contract-is-in-killswitch-mode.md) - [58124 sc low direct theft of funds via malicious actions in execute call due to incorrect calldata verification](https://reports.immunefi.com/alchemix-v3/58124-sc-low-direct-theft-of-funds-via-malicious-actions-in-execute-call-due-to-incorrect-calldata-v.md) - [57926 sc low the conditional strategydeallocationloss event in morphoyearnogwethstrategy deallocate gets logged all the time due a misplacement in variable declaration](https://reports.immunefi.com/alchemix-v3/57926-sc-low-the-conditional-strategydeallocationloss-event-in-morphoyearnogwethstrategy-deallocate.md) - [57969 sc insight lack of incentive to liquidate small positions can cause the system to accumulate bad debt](https://reports.immunefi.com/alchemix-v3/57969-sc-insight-lack-of-incentive-to-liquidate-small-positions-can-cause-the-system-to-accumulate-b.md) - [57806 sc low staking graph argument bounds are incorrectly defined](https://reports.immunefi.com/alchemix-v3/57806-sc-low-staking-graph-argument-bounds-are-incorrectly-defined.md) - [57447 sc high untracked myt outflows inflate tvl causing liquidation suppression](https://reports.immunefi.com/alchemix-v3/57447-sc-high-untracked-myt-outflows-inflate-tvl-causing-liquidation-suppression.md) - [58605 sc medium missing claimrewards in aavev3arbusdcstrategy leads to permanent freezing of accrued aave incentives](https://reports.immunefi.com/alchemix-v3/58605-sc-medium-missing-claimrewards-in-aavev3arbusdcstrategy-leads-to-permanent-freezing-of-accrued.md) - [57251 sc low curator cannot remove adapter due to timelock requirement](https://reports.immunefi.com/alchemix-v3/57251-sc-low-curator-cannot-remove-adapter-due-to-timelock-requirement.md) - [58061 sc high incorrect collateral and fee check in doliquidation allows liquidator to loose fee ](https://reports.immunefi.com/alchemix-v3/58061-sc-high-incorrect-collateral-and-fee-check-in-doliquidation-allows-liquidator-to-loose-fee.md) - [57816 sc insight critical incentive failure in calculateliquidation leads to protocol insolvency risk during global bad debt](https://reports.immunefi.com/alchemix-v3/57816-sc-insight-critical-incentive-failure-in-calculateliquidation-leads-to-protocol-insolvency-ris.md) - [58280 sc critical repayment s fee is charged from other users causing the contract to fail when the myt total balance of a user cannot cover the fee](https://reports.immunefi.com/alchemix-v3/58280-sc-critical-repayment-s-fee-is-charged-from-other-users-causing-the-contract-to-fail-when-the.md) - [57346 sc low alchemistallocator compares incompatible units asset wei vs wad percentage ](https://reports.immunefi.com/alchemix-v3/57346-sc-low-alchemistallocator-compares-incompatible-units-asset-wei-vs-wad-percentage.md) - [58081 sc medium missing check in function alchemistv3 setminimumcollateralization could lead to set minimumcollateralization globalminimumcollateralization ](https://reports.immunefi.com/alchemix-v3/58081-sc-medium-missing-check-in-function-alchemistv3-setminimumcollateralization-could-lead-to-set.md) - [58336 sc medium additive update to survival accumulator causing overflow ](https://reports.immunefi.com/alchemix-v3/58336-sc-medium-additive-update-to-survival-accumulator-causing-overflow.md) - [58181 sc medium a griefer can cause a permanent dos in tokeautoeth tokeautousdcstrategy allocate ](https://reports.immunefi.com/alchemix-v3/58181-sc-medium-a-griefer-can-cause-a-permanent-dos-in-tokeautoeth-tokeautousdcstrategy-allocate.md) - [58399 sc critical precision loss in baddebtratio calculation causes overpayment and dos](https://reports.immunefi.com/alchemix-v3/58399-sc-critical-precision-loss-in-baddebtratio-calculation-causes-overpayment-and-dos.md) - [58326 sc insight the value of the burned peapods share token may exceed expectations](https://reports.immunefi.com/alchemix-v3/58326-sc-insight-the-value-of-the-burned-peapods-share-token-may-exceed-expectations.md) - [58639 sc medium off by one issue in the forcerepay function causes protocol to lose funds in the form of protocol fee ](https://reports.immunefi.com/alchemix-v3/58639-sc-medium-off-by-one-issue-in-the-forcerepay-function-causes-protocol-to-lose-funds-in-the-for.md) - [58035 sc high killswitch early return in strategy causes vault to adapter asset leakage mis accounting and deallocation dos](https://reports.immunefi.com/alchemix-v3/58035-sc-high-killswitch-early-return-in-strategy-causes-vault-to-adapter-asset-leakage-mis-accounti.md) - [56442 sc high inflated totallocked because vault yield accrual would skew collateralweight calculation](https://reports.immunefi.com/alchemix-v3/56442-sc-high-inflated-totallocked-because-vault-yield-accrual-would-skew-collateralweight-calculati.md) - [57510 sc high stale locked collateral tracking during price appreciation causes disproportionate redemption losses](https://reports.immunefi.com/alchemix-v3/57510-sc-high-stale-locked-collateral-tracking-during-price-appreciation-causes-disproportionate-red.md) - [57745 sc high syn fails to update the rawlocked valuation leading to a loss of fund for users with rawlock 0 when total lock become 0 ](https://reports.immunefi.com/alchemix-v3/57745-sc-high-syn-fails-to-update-the-rawlocked-valuation-leading-to-a-loss-of-fund-for-users-with-r.md) - [56582 sc low alchemistcurator removestrategy is unable to remove strategies from vaults due to wrong logic implementation ](https://reports.immunefi.com/alchemix-v3/56582-sc-low-alchemistcurator-removestrategy-is-unable-to-remove-strategies-from-vaults-due-to-wrong.md) - [58506 sc low adjusted cap limits are never enforced](https://reports.immunefi.com/alchemix-v3/58506-sc-low-adjusted-cap-limits-are-never-enforced.md) - [56545 sc high force repayment leaves stale global earmarks freezing transmuter redemptions](https://reports.immunefi.com/alchemix-v3/56545-sc-high-force-repayment-leaves-stale-global-earmarks-freezing-transmuter-redemptions.md) - [57852 sc critical old borrowers steal from new borrowers after redemptions are claimed](https://reports.immunefi.com/alchemix-v3/57852-sc-critical-old-borrowers-steal-from-new-borrowers-after-redemptions-are-claimed.md) - [57883 sc high mytsharesdeposited updates in liquidation functions leads to critical tvl inflation](https://reports.immunefi.com/alchemix-v3/57883-sc-high-mytsharesdeposited-updates-in-liquidation-functions-leads-to-critical-tvl-inflation.md) - [57172 sc high missing mytsharesdeposited decrements in liquidation flows causes accounting divergence](https://reports.immunefi.com/alchemix-v3/57172-sc-high-missing-mytsharesdeposited-decrements-in-liquidation-flows-causes-accounting-divergenc.md) - [58168 sc medium safe position liquidation vulnerability in alchemistv3 when minimumcollateralization equals collateralizationlowerbound](https://reports.immunefi.com/alchemix-v3/58168-sc-medium-safe-position-liquidation-vulnerability-in-alchemistv3-when-minimumcollateralization.md) - [58149 sc low morphoyearnogweth incorrectly reports loss and triggers strategydeallocationloss event](https://reports.immunefi.com/alchemix-v3/58149-sc-low-morphoyearnogweth-incorrectly-reports-loss-and-triggers-strategydeallocationloss-event.md) - [58772 sc critical resolverepaymentfee overpays liquidators when collateral is gone letting attackers drain myt](https://reports.immunefi.com/alchemix-v3/58772-sc-critical-resolverepaymentfee-overpays-liquidators-when-collateral-is-gone-letting-attackers.md) - [58799 sc high forcerepay does not reduce cumulativeearmarked which leads to wrong accounting users debts are incorrectly higher which can cause wrongful liquidations](https://reports.immunefi.com/alchemix-v3/58799-sc-high-forcerepay-does-not-reduce-cumulativeearmarked-which-leads-to-wrong-accounting-users-d.md) - [58794 sc high hardcoded 0 amount as the minsharesout to depositmax function call does not provide slippage protection](https://reports.immunefi.com/alchemix-v3/58794-sc-high-hardcoded-0-amount-as-the-minsharesout-to-depositmax-function-call-does-not-provide-sl.md) - [57441 sc critical repay only fee drain in alchemistv3](https://reports.immunefi.com/alchemix-v3/57441-sc-critical-repay-only-fee-drain-in-alchemistv3.md) - [58301 sc critical accounting issue in liquidation logic after force repay we charge repayment fee even if collateral balanc cannot account for it](https://reports.immunefi.com/alchemix-v3/58301-sc-critical-accounting-issue-in-liquidation-logic-after-force-repay-we-charge-repayment-fee-ev.md) - [58192 sc high tokeautoeth strategy tokens locked when autopool router enforces maxdeposit cap](https://reports.immunefi.com/alchemix-v3/58192-sc-high-tokeautoeth-strategy-tokens-locked-when-autopool-router-enforces-maxdeposit-cap.md) - [57522 sc insight usecurrent flag ignored in preview functions in moonwell strategies](https://reports.immunefi.com/alchemix-v3/57522-sc-insight-usecurrent-flag-ignored-in-preview-functions-in-moonwell-strategies.md) - [58393 sc low wrong order in balance querying instructions in morphoyearnogwethstrategy deallocate function leads to always emit strategydeallocationloss event ](https://reports.immunefi.com/alchemix-v3/58393-sc-low-wrong-order-in-balance-querying-instructions-in-morphoyearnogwethstrategy-deallocate-fu.md) - [58363 sc high accounting corruption in liquidations due to missing global counter update](https://reports.immunefi.com/alchemix-v3/58363-sc-high-accounting-corruption-in-liquidations-due-to-missing-global-counter-update.md) - [57617 sc critical protocol paid repayment fee transfer allows draining of protocol myt yield ](https://reports.immunefi.com/alchemix-v3/57617-sc-critical-protocol-paid-repayment-fee-transfer-allows-draining-of-protocol-myt-yield.md) - [56727 sc high underlying increase in forced repayments leads to insolvency](https://reports.immunefi.com/alchemix-v3/56727-sc-high-underlying-increase-in-forced-repayments-leads-to-insolvency.md) - [58513 sc low broken access control in alchemistcurator acceptadminownership prevents admin transfer](https://reports.immunefi.com/alchemix-v3/58513-sc-low-broken-access-control-in-alchemistcurator-acceptadminownership-prevents-admin-transfer.md) - [57041 sc high deallocation accounting mismatch between vault and adapter](https://reports.immunefi.com/alchemix-v3/57041-sc-high-deallocation-accounting-mismatch-between-vault-and-adapter.md) - [58346 sc high forcerepay fails to decrement cumulativeearmarked breaking earmark invariant and skewing redemptions](https://reports.immunefi.com/alchemix-v3/58346-sc-high-forcerepay-fails-to-decrement-cumulativeearmarked-breaking-earmark-invariant-and-skewi.md) - [57646 sc medium abi signature mismatch in zeroxswapverifier causes complete failure to verify legitimate 0x settler transactions](https://reports.immunefi.com/alchemix-v3/57646-sc-medium-abi-signature-mismatch-in-zeroxswapverifier-causes-complete-failure-to-verify-legiti.md) - [57526 sc medium stargateethpoolstrategy rounding mismatch freezes vaultv2 allocations](https://reports.immunefi.com/alchemix-v3/57526-sc-medium-stargateethpoolstrategy-rounding-mismatch-freezes-vaultv2-allocations.md) - [58127 sc critical users can invoke the poke function whenever the lastearmarkdebtblock is exactly one block behind the current block number which lead to affecting users earmarked debt](https://reports.immunefi.com/alchemix-v3/58127-sc-critical-users-can-invoke-the-poke-function-whenever-the-lastearmarkdebtblock-is-exactly-on.md) - [57533 sc high inaccurate tvl calculation prevents liquidations leading to protocol insolvency risk](https://reports.immunefi.com/alchemix-v3/57533-sc-high-inaccurate-tvl-calculation-prevents-liquidations-leading-to-protocol-insolvency-risk.md) - [58530 sc high protocol insolvency via stale totallocked zeroed totallocked prevents collateralweight update in redeem leading to missed collateral haircut](https://reports.immunefi.com/alchemix-v3/58530-sc-high-protocol-insolvency-via-stale-totallocked-zeroed-totallocked-prevents-collateralweight.md) - [58606 sc high missing collateral accounting in liquidation leads to inflated bad debt calculations](https://reports.immunefi.com/alchemix-v3/58606-sc-high-missing-collateral-accounting-in-liquidation-leads-to-inflated-bad-debt-calculations.md) - [57545 sc medium stargate eth strategy rounding bug](https://reports.immunefi.com/alchemix-v3/57545-sc-medium-stargate-eth-strategy-rounding-bug.md) - [56402 sc high killswitch leaves vault assets stranded and blocks withdrawals](https://reports.immunefi.com/alchemix-v3/56402-sc-high-killswitch-leaves-vault-assets-stranded-and-blocks-withdrawals.md) - [58196 sc high aavev3arbusdcstrategy strategy will have its reward stuck in aave usdc](https://reports.immunefi.com/alchemix-v3/58196-sc-high-aavev3arbusdcstrategy-strategy-will-have-its-reward-stuck-in-aave-usdc.md) - [57559 sc high missing mytsharesdeposited decrement in liquidation paths enables theft of unclaimed yield and protocol insolvency](https://reports.immunefi.com/alchemix-v3/57559-sc-high-missing-mytsharesdeposited-decrement-in-liquidation-paths-enables-theft-of-unclaimed-y.md) - [58234 sc critical there is a problem related ot repayment fee overpayment can lead to protocol insolvency](https://reports.immunefi.com/alchemix-v3/58234-sc-critical-there-is-a-problem-related-ot-repayment-fee-overpayment-can-lead-to-protocol-insol.md) - [58070 sc high forced repay accounting lets borrowers erase debt without paying equivalent assets protocol deficit insolvency ](https://reports.immunefi.com/alchemix-v3/58070-sc-high-forced-repay-accounting-lets-borrowers-erase-debt-without-paying-equivalent-assets-pro.md) - [56702 sc critical claimredemption would not return all alasset that is not get converted to myt in some case](https://reports.immunefi.com/alchemix-v3/56702-sc-critical-claimredemption-would-not-return-all-alasset-that-is-not-get-converted-to-myt-in-s.md) - [58425 sc high missing slippage protection when depositing to tokeauto strategies](https://reports.immunefi.com/alchemix-v3/58425-sc-high-missing-slippage-protection-when-depositing-to-tokeauto-strategies.md) - [57553 sc high mytsharesdeposited is not updated in liquidations which breaks bad debt ratio alchemistcr calculations and causes failures in bad debt handling and liquidation handling ](https://reports.immunefi.com/alchemix-v3/57553-sc-high-mytsharesdeposited-is-not-updated-in-liquidations-which-breaks-bad-debt-ratio-alchemis.md) - [58416 sc low unclaimed extra rewards in tokemak integration lead to permanent freezing of yield](https://reports.immunefi.com/alchemix-v3/58416-sc-low-unclaimed-extra-rewards-in-tokemak-integration-lead-to-permanent-freezing-of-yield.md) - [Folks Finance: Staking Contracts](https://reports.immunefi.com/folks-finance-staking-contracts.md) - [69376 sc low incorrect guard in setmigrationpermit prevents revocation after role removal breaking documented user control](https://reports.immunefi.com/folks-finance-staking-contracts/69376-sc-low-incorrect-guard-in-setmigrationpermit-prevents-revocation-after-role-removal-breaking-d.md) - [69188 sc low setmigrationpermit revoke blocked after migrator role revocation](https://reports.immunefi.com/folks-finance-staking-contracts/69188-sc-low-setmigrationpermit-revoke-blocked-after-migrator-role-revocation.md) - [68970 sc insight insufficient event emission in migratepositionsfrom leads to loss of migration accounting visibility](https://reports.immunefi.com/folks-finance-staking-contracts/68970-sc-insight-insufficient-event-emission-in-migratepositionsfrom-leads-to-loss-of-migration-acco.md) - [69605 sc low users cannot revoke migration authorization after role revocation contrary to documented behavior](https://reports.immunefi.com/folks-finance-staking-contracts/69605-sc-low-users-cannot-revoke-migration-authorization-after-role-revocation-contrary-to-documente.md) - [69908 sc low stale migration approvals cannot be revoked after role revocation and automatically reactivate on role re grant](https://reports.immunefi.com/folks-finance-staking-contracts/69908-sc-low-stale-migration-approvals-cannot-be-revoked-after-role-revocation-and-automatically-rea.md) - [69836 sc low setmigrationpermit blocks users from revoking permits after role removal stale permits auto reactivate on re grant and drain user funds](https://reports.immunefi.com/folks-finance-staking-contracts/69836-sc-low-setmigrationpermit-blocks-users-from-revoking-permits-after-role-removal-stale-permits.md) - [69794 sc low user cannot revoke migration approval if migrator loses migrator role](https://reports.immunefi.com/folks-finance-staking-contracts/69794-sc-low-user-cannot-revoke-migration-approval-if-migrator-loses-migrator-role.md) - [69966 sc low cannot revoke migration permit after role revocation stale permits re activate on re grant ](https://reports.immunefi.com/folks-finance-staking-contracts/69966-sc-low-cannot-revoke-migration-permit-after-role-revocation-stale-permits-re-activate-on-re-gr.md) - [69540 sc insight missing return value on withdraw and missing view function for withdrawable amount](https://reports.immunefi.com/folks-finance-staking-contracts/69540-sc-insight-missing-return-value-on-withdraw-and-missing-view-function-for-withdrawable-amount.md) - [69097 sc low broken migration permit revocation allows a re authorized migrator to transfer user principal and rewards without fresh consent](https://reports.immunefi.com/folks-finance-staking-contracts/69097-sc-low-broken-migration-permit-revocation-allows-a-re-authorized-migrator-to-transfer-user-pri.md) - [69410 sc low migration permit cannot be revoked after migrator role removal](https://reports.immunefi.com/folks-finance-staking-contracts/69410-sc-low-migration-permit-cannot-be-revoked-after-migrator-role-removal.md) - [68906 sc insight missing reentrancy guard on function recovererc20 ](https://reports.immunefi.com/folks-finance-staking-contracts/68906-sc-insight-missing-reentrancy-guard-on-function-recovererc20.md) - [69587 sc insight recovered event missing recipient makes fund attribution impossible with multiple managers](https://reports.immunefi.com/folks-finance-staking-contracts/69587-sc-insight-recovered-event-missing-recipient-makes-fund-attribution-impossible-with-multiple-m.md) - [69650 sc low setmigrationpermit blocks revocation after role revoke enabling stale consent reuse](https://reports.immunefi.com/folks-finance-staking-contracts/69650-sc-low-setmigrationpermit-blocks-revocation-after-role-revoke-enabling-stale-consent-reuse.md) - [68880 sc insight missing reward parameter in staked event breaks off chain accounting](https://reports.immunefi.com/folks-finance-staking-contracts/68880-sc-insight-missing-reward-parameter-in-staked-event-breaks-off-chain-accounting.md) - [69964 sc low users cannot revoke migration permission after migrator role revocation](https://reports.immunefi.com/folks-finance-staking-contracts/69964-sc-low-users-cannot-revoke-migration-permission-after-migrator-role-revocation.md) - [69814 sc low stale migration permits cannot be revoked after migrator role removal](https://reports.immunefi.com/folks-finance-staking-contracts/69814-sc-low-stale-migration-permits-cannot-be-revoked-after-migrator-role-removal.md) - [69423 sc low audit multiple authorization and migration bugs in folks staking lead to direct theft fund freezing and operational failure](https://reports.immunefi.com/folks-finance-staking-contracts/69423-sc-low-audit-multiple-authorization-and-migration-bugs-in-folks-staking-lead-to-direct-theft-f.md) - [69275 sc low protocol s explicit revoke at any time promise broken users cannot revoke migration consent during incident window](https://reports.immunefi.com/folks-finance-staking-contracts/69275-sc-low-protocol-s-explicit-revoke-at-any-time-promise-broken-users-cannot-revoke-migration-con.md) - [68983 sc insight staketime field in userstake struct is stored but never used on chain wasting storage on every stake](https://reports.immunefi.com/folks-finance-staking-contracts/68983-sc-insight-staketime-field-in-userstake-struct-is-stored-but-never-used-on-chain-wasting-stora.md) - [68872 sc insight copy paste typo in error parameter names](https://reports.immunefi.com/folks-finance-staking-contracts/68872-sc-insight-copy-paste-typo-in-error-parameter-names.md) - [68955 sc low unconditional hasrole check in setmigrationpermit authorization entrapment](https://reports.immunefi.com/folks-finance-staking-contracts/68955-sc-low-unconditional-hasrole-check-in-setmigrationpermit-authorization-entrapment.md) - [69463 sc low stale migration permits can be reactivated by re granting migrator role to a previously approved migrator](https://reports.immunefi.com/folks-finance-staking-contracts/69463-sc-low-stale-migration-permits-can-be-reactivated-by-re-granting-migrator-role-to-a-previously.md) - [69738 sc low setmigrationpermit prevents users from revoking stale permits after migrator role is revoked](https://reports.immunefi.com/folks-finance-staking-contracts/69738-sc-low-setmigrationpermit-prevents-users-from-revoking-stale-permits-after-migrator-role-is-re.md) - [69890 sc low users won t be able to revoke migration permits from revoked migrators](https://reports.immunefi.com/folks-finance-staking-contracts/69890-sc-low-users-won-t-be-able-to-revoke-migration-permits-from-revoked-migrators.md) - [69245 sc insight no view function to compute current claimable amounts](https://reports.immunefi.com/folks-finance-staking-contracts/69245-sc-insight-no-view-function-to-compute-current-claimable-amounts.md) - [69769 sc low setmigrationpermit prevents users from revoking migration consent after migrator role is revoked](https://reports.immunefi.com/folks-finance-staking-contracts/69769-sc-low-setmigrationpermit-prevents-users-from-revoking-migration-consent-after-migrator-role-i.md) - [69956 sc low users cannot revoke migration permits after migrator role is revoked stale permits enable unconsented future migrations](https://reports.immunefi.com/folks-finance-staking-contracts/69956-sc-low-users-cannot-revoke-migration-permits-after-migrator-role-is-revoked-stale-permits-enab.md) - [69860 sc low users are permanently prevented from revoking migration permits if the migrator s role is temporarily or permanently revoked](https://reports.immunefi.com/folks-finance-staking-contracts/69860-sc-low-users-are-permanently-prevented-from-revoking-migration-permits-if-the-migrator-s-role.md) - [69031 sc low user cannot revoke permission from migrator if it does not have migrator role ](https://reports.immunefi.com/folks-finance-staking-contracts/69031-sc-low-user-cannot-revoke-permission-from-migrator-if-it-does-not-have-migrator-role.md) - [69263 sc low stale migration permit reactivation in folks finance staking contract](https://reports.immunefi.com/folks-finance-staking-contracts/69263-sc-low-stale-migration-permit-reactivation-in-folks-finance-staking-contract.md) - [69345 sc low migration permits cannot be revoked after migrator role is revoked despite readme claiming revocation is possible at any time ](https://reports.immunefi.com/folks-finance-staking-contracts/69345-sc-low-migration-permits-cannot-be-revoked-after-migrator-role-is-revoked-despite-readme-claim.md) - [69100 sc low permit irrevocability after migrator role revocation](https://reports.immunefi.com/folks-finance-staking-contracts/69100-sc-low-permit-irrevocability-after-migrator-role-revocation.md) - [68995 sc insight event parameter typo referer in staked event vs referrer in stakeparams struct](https://reports.immunefi.com/folks-finance-staking-contracts/68995-sc-insight-event-parameter-typo-referer-in-staked-event-vs-referrer-in-stakeparams-struct.md) - [69962 sc low users cannot revoke migration permission during migrator role rotation window](https://reports.immunefi.com/folks-finance-staking-contracts/69962-sc-low-users-cannot-revoke-migration-permission-during-migrator-role-rotation-window.md) - [69870 sc insight events emitted after external calls in recovererc20 and migratepositionsfrom violate cei pattern](https://reports.immunefi.com/folks-finance-staking-contracts/69870-sc-insight-events-emitted-after-external-calls-in-recovererc20-and-migratepositionsfrom-violat.md) - [69136 sc low missing revocation condition in setmigrationpermit prevents users from revoking stale migration permissions violating documented protocol guarantee](https://reports.immunefi.com/folks-finance-staking-contracts/69136-sc-low-missing-revocation-condition-in-setmigrationpermit-prevents-users-from-revoking-stale-m.md) - [69476 sc low users cannot revoke stale migration approvals after a migrator is offboarded so old permits can silently reactivate](https://reports.immunefi.com/folks-finance-staking-contracts/69476-sc-low-users-cannot-revoke-stale-migration-approvals-after-a-migrator-is-offboarded-so-old-per.md) - [69756 sc low staking setmigrationpermit unnecessary hasrole check on revocation blocks users from managing own permits](https://reports.immunefi.com/folks-finance-staking-contracts/69756-sc-low-staking-setmigrationpermit-unnecessary-hasrole-check-on-revocation-blocks-users-from-ma.md) - [68870 sc insight reward calculation intermediate multiplication overflow](https://reports.immunefi.com/folks-finance-staking-contracts/68870-sc-insight-reward-calculation-intermediate-multiplication-overflow.md) - [69898 sc low stale migration approvals allow a re authorized migrator to move user positions without renewed consent](https://reports.immunefi.com/folks-finance-staking-contracts/69898-sc-low-stale-migration-approvals-allow-a-re-authorized-migrator-to-move-user-positions-without.md) - [69396 sc low users unable to remove migration permission from migrator who had role revoked](https://reports.immunefi.com/folks-finance-staking-contracts/69396-sc-low-users-unable-to-remove-migration-permission-from-migrator-who-had-role-revoked.md) - [69141 sc low setmigrationpermit revocation silently blocked for de listed migrators contradicting documented guarantee](https://reports.immunefi.com/folks-finance-staking-contracts/69141-sc-low-setmigrationpermit-revocation-silently-blocked-for-de-listed-migrators-contradicting-do.md) - [69420 sc insight avoid the use of floating pragma to ensure same compiler version used for testing is also used for deployment](https://reports.immunefi.com/folks-finance-staking-contracts/69420-sc-insight-avoid-the-use-of-floating-pragma-to-ensure-same-compiler-version-used-for-testing-i.md) - [68849 sc insight elapsed computed twice in withdraw code optimization ](https://reports.immunefi.com/folks-finance-staking-contracts/68849-sc-insight-elapsed-computed-twice-in-withdraw-code-optimization.md) - [69390 sc low users cannot revoke migration permit at any time breaking documented guarantee](https://reports.immunefi.com/folks-finance-staking-contracts/69390-sc-low-users-cannot-revoke-migration-permit-at-any-time-breaking-documented-guarantee.md) - [69505 sc low user cannot revoke migration permit after migrator role is revoked](https://reports.immunefi.com/folks-finance-staking-contracts/69505-sc-low-user-cannot-revoke-migration-permit-after-migrator-role-is-revoked.md) - [68903 sc low users cannot revoke a migration permit after the migrator loses migrator role allowing stale approval to reactivate if the same address is re granted the role](https://reports.immunefi.com/folks-finance-staking-contracts/68903-sc-low-users-cannot-revoke-a-migration-permit-after-the-migrator-loses-migrator-role-allowing.md) - [69008 sc low denial of service on migration permit revocation](https://reports.immunefi.com/folks-finance-staking-contracts/69008-sc-low-denial-of-service-on-migration-permit-revocation.md) - [69929 sc low inability to revoke migrationpermits for revoked migrators leads to permanent state persistence of user approvals](https://reports.immunefi.com/folks-finance-staking-contracts/69929-sc-low-inability-to-revoke-migrationpermits-for-revoked-migrators-leads-to-permanent-state-per.md) - [69747 sc low broken migration permit revocation allows stale user consent to reactivate after migrator role is re granted](https://reports.immunefi.com/folks-finance-staking-contracts/69747-sc-low-broken-migration-permit-revocation-allows-stale-user-consent-to-reactivate-after-migrat.md) - [69570 sc low users cannot revoke migration approvals for removed migrators contrary to what the docs says](https://reports.immunefi.com/folks-finance-staking-contracts/69570-sc-low-users-cannot-revoke-migration-approvals-for-removed-migrators-contrary-to-what-the-docs.md) - [69527 sc low users cannot revoke migration authorization after migrator role removal](https://reports.immunefi.com/folks-finance-staking-contracts/69527-sc-low-users-cannot-revoke-migration-authorization-after-migrator-role-removal.md) - [69493 sc low users cannot revoke permit for a role revoked migrator leading to residual permit risk if such migrator s role is ever reinstated](https://reports.immunefi.com/folks-finance-staking-contracts/69493-sc-low-users-cannot-revoke-permit-for-a-role-revoked-migrator-leading-to-residual-permit-risk.md) - [69524 sc low role validation on revocation can lock migration permits](https://reports.immunefi.com/folks-finance-staking-contracts/69524-sc-low-role-validation-on-revocation-can-lock-migration-permits.md) - [69673 sc low users cannot revoke a migration permit after role removal](https://reports.immunefi.com/folks-finance-staking-contracts/69673-sc-low-users-cannot-revoke-a-migration-permit-after-role-removal.md) - [69936 sc low users cannot revoke migration permits once the migrator s role has been revoked](https://reports.immunefi.com/folks-finance-staking-contracts/69936-sc-low-users-cannot-revoke-migration-permits-once-the-migrator-s-role-has-been-revoked.md) - [69663 sc low users cannot revoke previously granted migration permit after migrator role is revoked](https://reports.immunefi.com/folks-finance-staking-contracts/69663-sc-low-users-cannot-revoke-previously-granted-migration-permit-after-migrator-role-is-revoked.md) - [69382 sc low irrevocable migration permit users cannot revoke permit after migrator role revocation](https://reports.immunefi.com/folks-finance-staking-contracts/69382-sc-low-irrevocable-migration-permit-users-cannot-revoke-permit-after-migrator-role-revocation.md) - [69146 sc low readme states migration permission can be revoked at any time but revocation becomes impossible after migrator role is removed](https://reports.immunefi.com/folks-finance-staking-contracts/69146-sc-low-readme-states-migration-permission-can-be-revoked-at-any-time-but-revocation-becomes-im.md) - [68879 sc insight essential function declarations missing from istakingv1 ](https://reports.immunefi.com/folks-finance-staking-contracts/68879-sc-insight-essential-function-declarations-missing-from-istakingv1.md) - [69678 sc low lack of conditional role check in setmigrationpermit prevents users from revoking permits leading to unauthorized migration and theft of unclaimed yield](https://reports.immunefi.com/folks-finance-staking-contracts/69678-sc-low-lack-of-conditional-role-check-in-setmigrationpermit-prevents-users-from-revoking-permi.md) - [69926 sc low users cannot revoke migration permits after migrator role is removed enabling fund migration without re consent](https://reports.immunefi.com/folks-finance-staking-contracts/69926-sc-low-users-cannot-revoke-migration-permits-after-migrator-role-is-removed-enabling-fund-migr.md) - [69777 sc low setmigrationpermit does not deliver on specified functionalities ](https://reports.immunefi.com/folks-finance-staking-contracts/69777-sc-low-setmigrationpermit-does-not-deliver-on-specified-functionalities.md) - [68994 sc low users cannot revoke migration permits after migrator role is removed](https://reports.immunefi.com/folks-finance-staking-contracts/68994-sc-low-users-cannot-revoke-migration-permits-after-migrator-role-is-removed.md) - [69218 sc low access control defect in setmigrationpermit leads to irrevocable stale migration permits](https://reports.immunefi.com/folks-finance-staking-contracts/69218-sc-low-access-control-defect-in-setmigrationpermit-leads-to-irrevocable-stale-migration-permit.md) - [69278 sc low migration permission can not be removed from the migrator if its migrator role is revoked in advance](https://reports.immunefi.com/folks-finance-staking-contracts/69278-sc-low-migration-permission-can-not-be-removed-from-the-migrator-if-its-migrator-role-is-revok.md) - [69717 sc low users are unable to revoke migration permits for deprecated or demoted migrators](https://reports.immunefi.com/folks-finance-staking-contracts/69717-sc-low-users-are-unable-to-revoke-migration-permits-for-deprecated-or-demoted-migrators.md) - [69772 sc insight after a revert stakewithpermit might be prevented](https://reports.immunefi.com/folks-finance-staking-contracts/69772-sc-insight-after-a-revert-stakewithpermit-might-be-prevented.md) - [69330 sc low revoked migrators leave non revocable stale permits that reactivate on role re grant](https://reports.immunefi.com/folks-finance-staking-contracts/69330-sc-low-revoked-migrators-leave-non-revocable-stale-permits-that-reactivate-on-role-re-grant.md) --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on a page URL with the `ask` query parameter: ``` GET https://reports.immunefi.com/readme.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.