| EigenLayer |
High |
It is impossible to slash queued withdrawals that contain a malicious strategy due to a misplacement of the ++i increment |
π |
| EigenLayer |
Medium |
Conflicting strategy can lead to reverting the whole withdrawal and temporary freeze user assets from other strategies |
|
| EigenLayer |
QA |
QA Report |
|
| Lens Protocol |
Medium |
Lens Handles from v1 can be minted by other users on v2 before they are migrated to their corresponding owner |
|
| Lens Protocol |
Medium |
Users can make any user follow them via FollowNFT::tryMigrate() without their consent |
π |
| Lens Protocol |
Medium |
Users can self-follow via FollowNFT::tryMigrate() on Lens V2 |
π |
| Lens Protocol |
Medium |
Implementation error of EIP-712 due to wrong Typehash can lead to tx reverts |
|
| Lens Protocol |
Medium |
Missing pause modifier on important LensV2Migration and FollowNFT functions |
|
| Lens Protocol |
QA |
QA Report |
|
| Chainlink |
Report |
2nd Best Report |
π₯ |
| Ajna |
High |
Anyone can call memorializePositions() on behalf of other user's position due to lack of access control |
|
| Ajna |
Medium |
Adversary can prevent the creation of any extraordinary funding proposal by frontrunning proposeExtraordinary() |
π |
| Lybra |
High |
Missmatch in supportVotes[] order in LybraGovernance |
|
| Lybra |
Medium |
Incorrect use of token.decimals() leads to error in rewards calculation and distribution |
|
| Lybra |
Medium |
StakingRewardsV2 does not impose any restriction regarding esLBRBoost unlock time |
|
| Lybra |
Medium |
It is impossible to mint PeUSD tokens via the LybraRETHVault and LybraWBETHVault contracts due to incorrect interface |
|
| Stader Labs |
Medium |
addBid() does not increment the endBlock of the auction when it is close to the end, preventing the protocol from capturing extra value |
|
| Stader Labs |
Medium |
Stale or incorrect results from data feeds can affect assets and shares calculation on deposits and withdrawals |
|
| Stader Labs |
Medium |
Lack of Pause and Unpause Functionality in Auction Contract |
|
| Stader Labs |
QA |
QA Report |
|
| Stader Labs |
Gas |
Gas Report |
|
| Dopex |
High |
All options settlements can be blocked with a permanent DOS of the settle() function |
|
| Dopex |
Medium |
Missing slippage parameter on Uniswap addLiquidity() function |
π |
| Dopex |
Medium |
The owner of RPDX Decaying Bonds is not updated on token transfers |
π |
| Dopex |
QA |
QA Report |
π |
| Frankencoin |
High |
Fresh positions can be instantly challenged leading to unrestricted minting of ZCHF tokens |
|
| Frankencoin |
High |
Position owners can perform a sandwich attack against challengers to steal their collateral |
|
| Frankencoin |
High |
Adjusting position prices can lead to unavertable challenges that the protocol will have to pay for |
|
| Frankencoin |
High |
Lack of validation in opening positions parameters can lead to critical vulnerabilities at protocol level |
|
| Frankencoin |
Medium |
restructureCapTable() only wipes out the first address on the list |
|
| Frankencoin |
Medium |
No way to transfer minter role or rennounce to it |
|
| Frankencoin |
QA |
QA Report |
π |
| NextGen |
High |
Max minting limit can be bypassed via re-entrancy |
|
| NextGen |
High |
Ether from the Auction contract can be stolen on the block the auction ends |
|
| NextGen |
High |
Highest bidder can cancel their bid to win auctions for free |
|
| NextGen |
High |
Adversary can block claimAuction() due to push-strategy to transfer assets to multiple bidders |
π |
| NextGen |
Medium |
The owner of the auctioned token does not receive the funds after an auction ends |
|
| NextGen |
Medium |
Artist signatures can be forged to impersonate the artist behind a collection |
π |
| NextGen |
Medium |
Auction winner can prevent payments via safeTransferFrom callback |
π |
| NextGen |
QA |
QA Report |
π |
| ReNFT Mitigation |
High |
All orders can be hijacked to lock rental assets forever by tipping a huge amount of small ERC20 tips |
|
| AI Arena |
High |
Non-transferable Game Items can be transferred using safeBatchTransferFrom() |
|
| AI Arena |
High |
FighterFarm security checks for transfers can be avoided by using the version of safeTransferFrom() with data |
|
| AI Arena |
High |
Incrementing a fighter type generation will brick the element attribute selection forever because of a missing function to update numElements |
|
| AI Arena |
High |
Users with minting passes can mint fighters that are both Dendroids and Icons |
|
| AI Arena |
High |
Fighters can be rerolled with a different fighterType than their own |
|
| AI Arena |
High |
Users redeeming a mint pass can mint Icon fighters with any iconsType, including inexisting ones |
|
| AI Arena |
High |
Precision error in curStakeAtRisk |
|
| AI Arena |
Medium |
The rarity of the last physical attribute in the probability array is undermined |
|
| AI Arena |
Medium |
Fighters can be minted with out of range weight, and element attributes via MergingPool::claimRewards() |
|
| AI Arena |
Medium |
Rerolling allows users to outwin the pseudo-randomness of fighters DNA to mint NFTs with the best stats |
|
| AI Arena |
Medium |
Roles can't be revoked |
|
| AI Arena |
QA |
QA Report |
|
| Althea |
Medium |
setDistributableERC20s() should check there is no ongoing distribution to prevent bricking the contract |
|
| Althe |
Medium |
ERC20 tokens should be distributed before removing them from LiquidInfrastructureERC20 |
|
| Althea |
Medium |
Withdrawals can be bricked if releasing more than one NFT during ongoing withdrawal |
|
| Salty |
High |
Users can avoid liquidations by abusing the cooldown mechanism |
|
| Salty |
High |
USDS is sent to the wrong contract when repaying borrowed USDS |
|
| Salty |
Medium |
Adversary can prevent updating price feed addresses by creating poisonous proposals ending in _confirm |
π |
| Salty |
Medium |
DOS of proposals by abusing ballot names without important parameters |
π |
| Salty |
Medium |
Proposals that didn't reach quorum should be able to be finalized without changes when the voting phase ends |
|
| Salty |
Medium |
Wallet proposals aren't reset when they are rejected |
|
| Salty |
Medium |
Chainlink price feed uses BTC/USD feed instead of one with WBTC |
|
| Salty |
Medium |
Pools reserves can be manipulated because of failed check of remaining reserves on removeLiquidity() |
|
| Salty |
Medium |
proposeWallets enters in a deadlock if the proposed wallet doesnβt call changeWallets() |
|
| Salty |
QA |
QA Report |
π |
| USSD |
High |
USSDRebalancer::getOwnValuation() is easy to manipulate as it doesn't use TWAP for getting the pool price |
|
| USSD |
High |
USSD::UniV3SwapInput() executes swaps with no slippage protection |
|
| USSD |
High |
The protocol can't rebalance because USSD::UniV3SwapInput() will revert as it is missing the deadline when creating the ExactInputParams for the swap |
|
| USSD |
High |
StableOracleWBTC::getPriceUSD() is using ETH/USD as its price feed |
|
| USSD |
High |
getPriceUSD in StableOracleDai is miscalculated with wrong decimals from the priceFeedDAIETH Chainlink feed |
|
| USSD |
High |
StableOracleDAI calculates getPriceUSD with inverted base/rate tokens for Chainlink price |
π |
| USSD |
High |
Static oracles in StableOracleDAI and StableOracleWBGL have wrong addresses |
|
| USSD |
High |
ethOracle is not defined in StableOracleDAI making getPriceUSD always revert |
|
| USSD |
High |
Missing access control on burnRebalancer allows unrestricted burning of USSD tokens by anyone affecting pool balance on rebalance |
|
| USSD |
High |
Missing access control on mintRebalancer allows unrestricted minting of USSD tokens by anyone affecting pool balance on rebalance |
|
| USSD |
Medium |
latestRoundData from Chainlink might return stale or incorrect results |
|
| USSD |
Medium |
There is no method for redeeming DAI to prevent negative scenarios described in the whitepaper |
|
| USSD |
Medium |
Collateral tokens will be stuck on the contract and will be unusable after calling USSD::removeCollateral() |
|
| Footium |
Medium |
Some ERC20 tokens can get permanently stuck in the contract due to use of transfer() |
|
| Footium |
Medium |
Increasing _maxGenerationId allows extra minting of academy players on previous seasons |
|
| Footium |
Medium |
One extra academy player can be minted per season due to mischeck in mintPlayers |
|
| Gravita |
Low |
Out of gas in collectFees |
|
| Teller |
High |
Borrowers can steal lenders principal without providing collateral by frontrunning lenderAcceptBid and updating the bid |
|
| Teller |
High |
Adversary can modify the commited collateral of any bid at any time leading to lost or locked assets and DOS of the protocol |
|
| Teller |
Medium |
Marketplaces owners can frontrun submitBid to steal collateral by modifying market parameters |
|
| Caviar Private Pools |
Medium |
Adversary can prevent the creation of any private pools by frontrunning the deployer |
|
| Canto Identity Subprotocols |
Medium |
Users can end up buying and paying for a different Tray than the one they were trying to acquire |
π |
| Neo Tokyo |
High |
A malicious user can mint a huge amount of BYTES 2.0 tokens for himself |
|
| Neo Tokyo |
High |
Malicious users can claim BYTES rewards after withdrawing all of their LP stake |
|
| Wenwin |
QA |
QA Report |
|
| Hats |
Medium |
Transactions will be frozen if incorrect settings are used during a deployment on HatsSignerGateFactory |
|
| Biconomy |
QA |
QA Report |
|
| Polynomial |
High |
KangarooVault.removeCollateral doesn't remove the collateral from the position |
|
| Polynomial |
Medium |
Invalid and stale prices from Synthethix are not validated |
|
| Polynomial |
Medium |
Spamming deposit and withdraw queues |
|
| Polynomial |
QA |
QA Report |
|
| Asymmetry |
High |
Adversary can alter derivatives balances in contracts to steal Ether |
|
| Asymmetry |
Medium |
Precision loss in stake function affects share calculation |
|
| Asymmetry |
Medium |
Remaining dust from Ether deposits is not returned to users |
|
| Asymmetry |
QA |
QA Report |
|
| Arcade |
QA |
Report TBA |
π |
| reNFT |
High |
Report TBA |
|
| reNFT |
High |
Report TBA |
|
| reNFT |
High |
Report TBA |
|
| reNFT |
Medium |
Report TBA |
|
| reNFT |
Medium |
Report TBA |
|
| reNFT |
Medium |
Report TBA |
|
| reNFT |
Medium |
Report TBA |
|
| reNFT |
Medium |
Report TBA |
|
| reNFT |
QA |
Report TBA |
|
| zkSync Era |
Medium |
Report TBA |
|
| zkSync Era |
Medium |
Report TBA |
|
| zkSync Era |
QA |
Report TBA |
|
| Chainlink Staking |
Medium |
Report TBA |
|
| Chainlink Staking |
Medium |
Report TBA |
|
| Chainlink Staking |
Medium |
Report TBA |
|
| Chainlink Staking |
Medium |
Report TBA |
|
| Chainlink Staking |
QA |
Report TBA |
|
| Rubicon v2 |
High |
Report TBA |
|
| Rubicon v2 |
Medium |
Report TBA |
|
| Rubicon v2 |
Medium |
Report TBA |
|
| Contest 225 |
High |
Report TBA |
|
| Contest 225 |
High |
Report TBA |
|
| Contest 225 |
High |
Report TBA |
|
| Contest 225 |
High |
Report TBA |
|
| Contest 225 |
High |
Report TBA |
|
| Contest 225 |
High |
Report TBA |
|
| Contest 225 |
Medium |
Report TBA |
|
| Contest 225 |
Medium |
Report TBA |
|
| Contest 225 |
QA |
Report TBA |
|