| Date | Finding | Impact |
| --- | --- | --- |
| March 5, 2024 | Owner set for implementation instead of proxy | Medium |
| March 5, 2024 | Using deprecated Chainlink function | Medium |
| March 5, 2024 | Using invalid Maker token address | Low |
| February 22, 2024 | Erroneous token transfer in `UpdateTokenShares` | High |
| February 22, 2024 | The `_toLower` incorrectly handles Unicode | Medium |
| February 14, 2024 | Session key `maxAmount` parameter is not stateful | Critical |
| February 12, 2024 | Potential DOS | Critical |
| February 12, 2024 | Preferential swaps | Critical |
| February 12, 2024 | Withdraw leads to loss of stake | Critical |
| February 12, 2024 | Centralization risks | High |
| February 6, 2024 | Potential front-running for `buy` | Medium |
| January 26, 2024 | Invariant may be calculated incorrectly | Medium |
| January 26, 2024 | Incorrect operator in `_tweakPrice` | Low |
| January 26, 2024 | Exit-fee arbitrage | Low |
| January 26, 2024 | Rebalance asset/liability slippage | Low |
| January 26, 2024 | Seed-deposit mispricing | Low |
| January 11, 2024 | Incorrect calculation effectively removes fee | High |
| January 11, 2024 | Front-runners can cancel any permit deposit | High |
| January 11, 2024 | Completing unqueued withdrawal loses/locks funds | High |
| January 11, 2024 | More than one strategy per token breaks accounting | Medium |
| January 11, 2024 | Admins can steal funds by self-sandwiching swaps | Medium |
| January 11, 2024 | Accumulated fee logic can prevent withdrawals | Low |
| January 11, 2024 | ERC-20 deposit and queued withdrawal whitelists | Low |
| January 9, 2024 | Centralization risk | Critical |
| January 9, 2024 | Incorrect down payment calculation | Critical |
| January 9, 2024 | Unused on-chain interest calculation | High |
| January 9, 2024 | Zero interest automatically changed to maximum | Low |
| January 9, 2024 | Loss of precision | Low |
| January 9, 2024 | Missing length check | Low |
| January 9, 2024 | Initializers not disabled | Low |
| January 9, 2024 | User is able to revert a position being closed | Medium |
| December 21, 2023 | Lack of input validation | Low |
| December 21, 2023 | Reentrancy in the `manage` function | Low |
| December 8, 2023 | Calls may be queued multiple times | High |
| December 8, 2023 | Funds may be trapped in the protocol | Medium |
| December 8, 2023 | Broker fees are not taken from swap amount | Critical |
| December 4, 2023 | Removal-of-owners underflow | Medium |
| December 4, 2023 | Wrong parameter used in revert | Low |
| December 4, 2023 | Entries of `eoaOwners` not checked | Low |
| December 1, 2023 | Stop loss higher than `openPrice` causes fund loss | Critical |
| December 1, 2023 | Unsafe cast in take profit can lead to fund loss | Critical |
| December 1, 2023 | No access control on `setWithdrawThreshold` | Critical |
| December 1, 2023 | Reserve requirement checked before withdrawal | Critical |
| December 1, 2023 | Locked shares have undue access to rewards | Critical |
| December 1, 2023 | Max profit can exceed amount reserved from vault | Critical |
| December 1, 2023 | Update margin uses new leverage | High |
| December 1, 2023 | Partial trades update open-interest incorrectly | High |
| December 1, 2023 | Referrer rebates must not decrease `totalRewards` | High |
| December 1, 2023 | Precision loss in `totalLockPoints` | High |
| December 1, 2023 | Wrong reserve ratio returned by getReserveRatio | High |
| December 1, 2023 | Loss-protection tier is reduced for larger trades | High |
| December 1, 2023 | Trading inflow much less than zero skew outflow | High |
| December 1, 2023 | Arbitrage opportunities with older price feeds | Medium |
| December 1, 2023 | Margin update assumes zero price in backup mode | Medium |
| December 1, 2023 | Referral close function includes referrer rebate | Medium |
| December 1, 2023 | Bot latency prevents limit-close order execution | High |
| December 1, 2023 | Referrer-code transfer process breaks assumptions | Medium |
| December 1, 2023 | Delayed force unlock causes reward insolvency | High |
| December 1, 2023 | Price impact is not tracked cumulatively | Medium |
| December 1, 2023 | Loss protection reduces the -100% cap on losses | Medium |
| December 1, 2023 | Miscalculation of `totalPrincipalDeposited` | Low |
| December 1, 2023 | Fee charged without market-order placement | Low |
| December 1, 2023 | One account can register multiple referral codes | Low |
| December 1, 2023 | Vault manager cannot access entire junior tranche | Low |
| December 1, 2023 | The maxRedeem function should comply with ERC-4626 | Low |
| December 1, 2023 | Incorrect access control causes update lockout | Low |
| December 1, 2023 | Trader contract can bypass max trades per pair | Low |
| December 1, 2023 | Limit-order timelock not initialized on open | Low |
| December 1, 2023 | Partial closes emit incorrect value | Low |
| December 1, 2023 | Function lacks incorrect-payment sanity checks | Low |
| November 14, 2023 | No enforced minimum value on `fixedPriceMarkup` | Medium |
| November 14, 2023 | Multiple events in the same TX cause loss of funds | Critical |
| November 14, 2023 | TSS funds migration may not be done correctly | Medium |
| November 14, 2023 | ZRC-20 mapping is overwritten on new deployment | Medium |
| November 14, 2023 | ZRC-20 paused status can be bypassed | High |
| November 14, 2023 | No slippage limit set in Uniswap swap | Medium |
| November 14, 2023 | Median gas-price threshold | Medium |
| November 14, 2023 | ZetaChain pays gas costs for EVM-to-zEVM transfers | High |
| November 9, 2023 | Possible DOS on cross-chain messages | Critical |
| November 9, 2023 | Large withdrawal may be blocked | High |
| November 9, 2023 | No health checks | High |
| November 9, 2023 | The `ecrecover` malleability | Medium |
| November 9, 2023 | Function inputs need validation | High |
| November 9, 2023 | Nonces not used in signatures | Medium |
| November 9, 2023 | Default blocking behavior on LZ | High |
| November 9, 2023 | Restore frozen balance | Medium |
| November 7, 2023 | Incorrect trade-volume calculation | High |
| November 6, 2023 | Missing selector validation | High |
| November 6, 2023 | Potential guardian deanonymization risk | Low |
| October 30, 2023 | Addition for equal summands wrong | High |
| October 30, 2023 | Signatures with large `r` rejected | High |
| October 30, 2023 | Validity of public keys | High |
| October 30, 2023 | Collateral inflation | Critical |
| October 30, 2023 | Free liquidation | Critical |
| October 30, 2023 | Interest theft | Critical |
| October 30, 2023 | Centralized pricing arbitrage | High |
| October 30, 2023 | Slippage is set to zero during swap | High |
| October 30, 2023 | EIP-712 fork replayable signature | High |
| October 30, 2023 | Assure debtors are auctionable | Medium |
| October 30, 2023 | Calculations reduce value of user collateral | Low |
| October 30, 2023 | ERC-4626 vault inflation | Medium |
| October 16, 2023 | Denial of service | Low |
| October 12, 2023 | Authentication bypass | Critical |
| October 12, 2023 | Fee payer authentication | Critical |
| October 12, 2023 | Any/all authenticators skip postexecution checks | High |
| October 12, 2023 | Multiple signers' auth bypass | High |
| October 12, 2023 | Incorrect validation | Medium |
| October 12, 2023 | Authentication bypass | Medium |
| October 12, 2023 | Incorrect error check | Low |
| October 12, 2023 | Panic for zero signers | Low |
| October 12, 2023 | Fee payer authentication | Low |
| October 2, 2023 | Insufficient test coverage | Low |
| September 21, 2023 | Vester incorrect burn | High |
| September 21, 2023 | Cancellation still allows rewards to be claimed | Medium |
| September 15, 2023 | Test coverage | Low |
| September 7, 2023 | Flywheel index mismatch issue during `optOut` | High |
| August 25, 2023 | ERC-4626 inflation attack | Critical |
| August 25, 2023 | Negative liquidations can cause bank run | High |
| August 25, 2023 | Markets missing slippage protection | Medium |
| August 25, 2023 | Reentrancy due to unauthenticated calls | Low |
| August 25, 2023 | Malicious market can drain funds from MultiInvoker | Low |
| August 14, 2023 | Signature bypass | Critical |
| August 14, 2023 | PasskeyDecodeError | High |
| August 14, 2023 | Missing tests | Medium |
| August 14, 2023 | Modexp gas limit | High |
| August 14, 2023 | CurveTestFailures | High |
| August 14, 2023 | Withdrawal finalization does not work | High |
| August 14, 2023 | Disputed actions are not blocked | High |
| July 31, 2023 | High-fraction liquidations | Critical |
| July 31, 2023 | Boost delegator might not receive delegate fee | Low |
| July 25, 2023 | Risk of unintended token minting | High |
| July 25, 2023 | Possible DOS | Medium |
| July 25, 2023 | No storage gap | Medium |
| July 12, 2023 | Migrate recalled | Medium |
| July 12, 2023 | Param limit | Low |
| July 12, 2023 | Ethermint Ante handler bypass | High |
| July 12, 2023 | Missing `nil` check in Zetaclient | High |
| July 12, 2023 | Admin policy check will always fail | Medium |
| July 11, 2023 | Initializer | High |
| July 11, 2023 | Fee-on-transfer tokens | Low |
| July 10, 2023 | Insecure default value for JWT secret | Medium |
| July 5, 2023 | Inconsistencies in signers and roles | Medium |
| July 5, 2023 | Lack of input validation | Low |
| July 3, 2023 | Margin ratio not checked | Critical |
| July 3, 2023 | Iterating over maps | High |
| July 3, 2023 | AMM price manipulation | Critical |
| July 3, 2023 | Sender is not checked | Critical |
| July 3, 2023 | Wasm bindings validation | Critical |
| July 3, 2023 | Incorrect TWAP price | High |
| July 3, 2023 | Panic in `EndBlock` hooks | High |
| July 3, 2023 | TWAP not updated | High |
| July 3, 2023 | `BeginBlocker` chain halt | High |
| July 3, 2023 | Large `rewardSpread` | High |
| June 30, 2023 | `ZetaSent` events from arbitrary contracts are processed | Critical |
| June 30, 2023 | No panic handler in Zetaclient may halt cross chain communication | High |
| June 30, 2023 | Ethermint Ante handler bypass | High |
| June 30, 2023 | Unbonded validators prevent the TSS vote from passing | Medium |
| June 30, 2023 | Bonded validators can trigger reverts for successful transactions | Critical |
| June 30, 2023 | Sending ZETA to a bitcoin network results in BTC being sent instead | Critical |
| June 30, 2023 | Race condition in Bitcoin client leads to double spend | Critical |
| June 30, 2023 | Not waiting for minimum number of block confirmations results in double spend | Critical |
| June 30, 2023 | Multiple events in the same transaction causes loss of funds and chain halting | Critical |
| June 30, 2023 | Missing authentication when adding node keys | Critical |
| June 30, 2023 | Missing `nil` check in zeta client | High |
| June 30, 2023 | Case-sensitive address check allows for double signing | High |
| May 25, 2023 | Emergency withdraw functions are missing zero address checks | Medium |
| May 25, 2023 | Paymaster data is parsed without performing a length check | Low |
| May 24, 2023 | Protocol owner can drain pools | Critical |
| May 24, 2023 | Extraneous approval during withdrawal | Critical |
| May 24, 2023 | The underlying vault admin can drain pools | Critical |
| May 24, 2023 | Missing slippage limits allow front-running | Medium |
| May 24, 2023 | Unenforced assumptions about Definitive behavior | Medium |
| May 24, 2023 | Excessive owner responsibility creates deployment risks | Medium |
| May 24, 2023 | Staking manager may become locked | Medium |
| May 15, 2023 | The `_getAccount` function may return inaccurate information | Low |
| May 15, 2023 | Centralization risk: locked user funds | Low |
| May 12, 2023 | Missing registry check in `restrict` | Low |
| May 12, 2023 | Restriction pattern creates centralization risk | Low |
| May 4, 2023 | Lack of input validation leading to potentially dangerous calls | High |
| May 2, 2023 | The `_calcSharesAndAmounts` rounds amounts used down | Low |
| April 18, 2023 | Iteration over options can prevent withdraws | High |
| April 18, 2023 | Fee manager upgrades allow factory owner to change fees and prevent option exercise | High |
| April 18, 2023 | Locking to Solidity version 0.8.x | Medium |
| April 18, 2023 | Usage of transfer to send ETH can prevent receiving | Medium |
| April 18, 2023 | Protocol does not check return value of ERC20 swaps | Medium |
| April 18, 2023 | Factory update logic of option NFT enables owner to steal funds | High |
| April 18, 2023 | Pool toggling functionality may allow factory owner to lock exercising of options | High |
| April 13, 2023 | ABI-encoded inputs can mismatch specified amount | High |
| April 13, 2023 | Inconsistent coding conventions | Medium |
| April 13, 2023 | Possible denial of service in `claim` | Medium |
| April 13, 2023 | Protocol does not check return value of ERC20 swaps | Medium |
| April 13, 2023 | High minimum investment amount | Medium |
| March 14, 2023 | Transfer functionality | Low |
| February 27, 2023 | Variable not fully validated | High |
| February 13, 2023 | Malformed responses | Medium |
| February 13, 2023 | Low password complexity | Low |
| February 13, 2023 | RPC responses | Low |
| December 5, 2022 | Missing check in `process_transfer` | Critical |
| December 5, 2022 | Missing check in `process_withdraw` | Critical |
| December 5, 2022 | Missing public key check | High |
| December 5, 2022 | Information leak | Low |
| December 5, 2022 | Withdrawal instructions ignore constraints | Low |
| December 5, 2022 | Confidential public key not validated | Low |
| November 21, 2022 | Missing PDA validation | Critical |
| November 21, 2022 | Unsafe account deletion | Low |
| November 3, 2022 | Computation inaccuracy | Low |
| November 3, 2022 | Implicit precision loss | Low |
| November 3, 2022 | Incorrect rounding behavior | Low |
| November 3, 2022 | Function should be a friend | Low |
| November 2, 2022 | Bond can be in the past | Medium |
| November 2, 2022 | Inconclusive removal | Medium |
| November 2, 2022 | Data desynchronization | Low |
| October 26, 2022 | Incorrect implementation of iterator | High |
| October 26, 2022 | Duplicate call in coin register | High |
| October 26, 2022 | Potential frontrunning | High |
| October 26, 2022 | Incorrect order size | High |
| October 26, 2022 | Incorrect queue implementation | Medium |
| October 26, 2022 | ERC20 token heist | Critical |
| October 26, 2022 | Redeem implementation | High |
| October 26, 2022 | RefundGas miscalculation | Medium |
| October 26, 2022 | PostRelayedCall access | High |
| October 26, 2022 | Upgrade limitations | Medium |
| October 26, 2022 | PaymentsFacet access | High |
| October 26, 2022 | Multicall msg.value | High |
| October 26, 2022 | Broken maxWithdraw | Low |
| October 26, 2022 | PreviewBuyNow incorrect order | Low |
| October 26, 2022 | Blanket ERC20 approval | Low |
| October 26, 2022 | Junior IR interest | Low |
| October 26, 2022 | TransferReserve collateral heist | Critical |
| October 26, 2022 | ERC20 transfer validation | Low |
| October 26, 2022 | Reentrancy | Medium |
| October 26, 2022 | buyNow validation | Critical |
| October 26, 2022 | No timelocks | Critical |
| October 26, 2022 | Depositor misaccounting | Critical |
| October 26, 2022 | Lost totalUnbonding assets | Critical |
| October 26, 2022 | Vtoken loss of funds | Critical |
| October 26, 2022 | Interest double payment | High |
| October 26, 2022 | Stale price oracle | High |
| October 25, 2022 | Forgeable key | High |
| October 25, 2022 | Incorrect expression values | Medium |
| October 25, 2022 | Faulty comparison function | Medium |
| October 25, 2022 | Incorrect use of comparison function | Low |
| October 25, 2022 | Inconsistent stale entry check | Low |
| October 21, 2022 | Tortuga coin initialization | Medium |
| October 21, 2022 | Protocol configurations | Medium |
| October 21, 2022 | Payouts round down | Low |
| October 21, 2022 | Centralization risk | Low |
| October 11, 2022 | Unwanted voting influence | High |
| October 11, 2022 | Initialize check missing | Medium |
| October 11, 2022 | Address should not change | Medium |
| October 11, 2022 | Unused allowance | Medium |
| October 11, 2022 | Inconsistent SafeMath usage | Low |
| September 28, 2022 | Missing validation check | Critical |
| September 28, 2022 | Incorrect asset tracking | Critical |
| September 28, 2022 | Failure to cancel orders | Medium |
| September 28, 2022 | Can allow dangerous calls | Low |
| September 28, 2022 | Centralization risk | Low |
| September 28, 2022 | Inconsistent interest calculations | Low |
| September 28, 2022 | Incomplete functionality | Low |
| August 1, 2022 | Same token swap allowed | Low |
| July 1, 2022 | migratePool loss of funds | Medium |
| July 1, 2022 | Swap lacks slippage | Low |
| July 1, 2022 | Centralization risk | Low |
| June 3, 2022 | Lack of check within withdrawNative | Low |
| May 22, 2022 | Force test failure | Critical |
| May 22, 2022 | Constrained challengers | High |
| May 22, 2022 | Bypass minimum stake | Low |
| May 22, 2022 | Reentrant checkTest | Medium |
| May 22, 2022 | No payout | Low |
| May 19, 2022 | Unexpected reverts | Medium |
| May 19, 2022 | Improperly set parameter | Medium |
| May 19, 2022 | Lack of input validation | Low |
| May 19, 2022 | Centralization risk | Low |
| May 19, 2022 | Missing coverage | Low |
| May 16, 2022 | Deposits potentially frontrun | High |
| May 16, 2022 | Centralization risks | High |
| May 16, 2022 | Unwanted deposits | High |
| May 16, 2022 | Emergency-only functions | Medium |
| May 16, 2022 | Invalid business logic | Medium |
| May 16, 2022 | Unaccounted dust | Low |
| May 16, 2022 | Missing account reload | Low |
| April 25, 2022 | Griefing opportunity | High |
| April 25, 2022 | Batched mints can be rejected | Low |
| April 15, 2022 | Out-of-bounds write | High |
| April 15, 2022 | Lack of rent exemption enforcement | High |
| April 15, 2022 | Inefficient algorithm | Low |
| April 15, 2022 | Future message blocker | Low |
| April 15, 2022 | Bypass of library address check | High |
| March 24, 2022 | Test suite coverage | Low |
| March 24, 2022 | Gas optimizations | Low |
| March 18, 2022 | Claim rewards without risk | High |
| March 18, 2022 | Lack of slippage checks | High |
| March 18, 2022 | FractalVaultV1 potential lock-up | Medium |
| March 18, 2022 | AnySwap potential lock-up | Low |
| March 14, 2022 | Insufficient validation | Low |
| March 14, 2022 | Undocumented code | Low |
| March 14, 2022 | Internal discrepancy | Low |
| March 14, 2022 | Methods not exposed | Low |
| March 14, 2022 | Insufficient test coverage | Low |
| March 6, 2022 | Cross-chain desynchronization | High |
| March 6, 2022 | Swaps can fail | Medium |
| March 6, 2022 | Out-of-bounds read | Low |
| March 6, 2022 | Unclear inline assembly | Low |
| March 6, 2022 | Missing test suite coverage | Low |
| March 6, 2022 | Lack of documentation | Low |
| March 6, 2022 | Unfavorable rewarding incentives | Low |