Public Findings (130)
Showing only public findings
Note: Some findings in old reports may be hidden due to technical limitations
Buffer overflow
May 23, 2023
Null-terminated strings
May 23, 2023
Invisible bytes
May 23, 2023
Unescaped characters
May 23, 2023
Lack of the RootBridgeAgent contract verification
May 23, 2023
Missing access control for Multicall
May 23, 2023
Multitoken lacks validations
May 23, 2023
Multiple redeems of the same deposit are possible
May 23, 2023
Broken fee sweep
May 23, 2023
Lack of validation in UlyssesFactory
May 23, 2023
Asset removal is broken
May 23, 2023
Unsupported function codes
May 23, 2023
Missing access control on `anyExecuteNoSettlement`
May 23, 2023
The protocol fee from pools will be claimed to zero address
May 23, 2023
Unlimited cross-chain asset transfer without deposit requirement
May 23, 2023
ChainId type confusion
May 23, 2023
Incorrect accounting of total and strategies debt
May 23, 2023
Bridging assets erroneously mints new assets
May 23, 2023
Lack of new owner address check
May 23, 2023
Addresses may accidentally be overwritten
May 23, 2023
Ownable contracts allow renouncing
May 23, 2023
Transfer functionality
March 14, 2023
Variable not fully validated
February 27, 2023
Malformed responses
February 13, 2023
Low password complexity
February 13, 2023
RPC responses
February 13, 2023
Missing check in `process_transfer`
December 5, 2022
Missing check in `process_withdraw`
December 5, 2022
Missing public key check
December 5, 2022
Information leak
December 5, 2022
Withdrawal instructions ignore constraints
December 5, 2022
Confidential public key not validated
December 5, 2022
Missing PDA validation
November 21, 2022
Unsafe account deletion
November 21, 2022
Computation inaccuracy
November 3, 2022
Implicit precision loss
November 3, 2022
Incorrect rounding behavior
November 3, 2022
Function should be a friend
November 3, 2022
Bond can be in the past
November 2, 2022
Inconclusive removal
November 2, 2022
Data desynchronization
November 2, 2022
Incorrect implementation of iterator
October 26, 2022
Duplicate call in coin register
October 26, 2022
Potential frontrunning
October 26, 2022
Incorrect order size
October 26, 2022
Incorrect queue implementation
October 26, 2022
ERC20 token heist
October 26, 2022
Redeem implementation
October 26, 2022
RefundGas miscalculation
October 26, 2022
PostRelayedCall access
October 26, 2022
Upgrade limitations
October 26, 2022
PaymentsFacet access
October 26, 2022
Multicall msg.value
October 26, 2022
Broken maxWithdraw
October 26, 2022
PreviewBuyNow incorrect order
October 26, 2022
Blanket ERC20 approval
October 26, 2022
Junior IR interest
October 26, 2022
TransferReserve collateral heist
October 26, 2022
ERC20 transfer validation
October 26, 2022
Reentrancy
October 26, 2022
buyNow validation
October 26, 2022
No timelocks
October 26, 2022
Depositor misaccounting
October 26, 2022
Lost totalUnbonding assets
October 26, 2022
Vtoken loss of funds
October 26, 2022
Interest double payment
October 26, 2022
Stale price oracle
October 26, 2022
Forgeable key
October 25, 2022
Incorrect expression values
October 25, 2022
Faulty comparison function
October 25, 2022
Incorrect use of comparison function
October 25, 2022
Inconsistent stale entry check
October 25, 2022
Tortuga coin initialization
October 21, 2022
Protocol configurations
October 21, 2022
Payouts round down
October 21, 2022
Centralization risk
October 21, 2022
Unwanted voting influence
October 11, 2022
Initialize check missing
October 11, 2022
Address should not change
October 11, 2022
Unused allowance
October 11, 2022
Inconsistent SafeMath usage
October 11, 2022
Missing validation check
September 28, 2022
Incorrect asset tracking
September 28, 2022
Failure to cancel orders
September 28, 2022
Can allow dangerous calls
September 28, 2022
Centralization risk
September 28, 2022
Inconsistent interest calculations
September 28, 2022
Incomplete functionality
September 28, 2022
Same token swap allowed
August 1, 2022
migratePool loss of funds
July 1, 2022
Swap lacks slippage
July 1, 2022
Centralization risk
July 1, 2022
Lack of check within withdrawNative
June 3, 2022
Force test failure
May 22, 2022
Constrained challengers
May 22, 2022
Bypass minimum stake
May 22, 2022
Reentrant checkTest
May 22, 2022
No payout
May 22, 2022
Deposits potentially frontrun
May 16, 2022
Centralization risks
May 16, 2022
Unwanted deposits
May 16, 2022
Emergency-only functions
May 16, 2022
Invalid business logic
May 16, 2022
Unaccounted dust
May 16, 2022
Missing account reload
May 16, 2022
Griefing opportunity
April 25, 2022
Batched mints can be rejected
April 25, 2022
Out-of-bounds write
April 15, 2022
Lack of rent exemption enforcement
April 15, 2022
Inefficient algorithm
April 15, 2022
Future message blocker
April 15, 2022
Bypass of library address check
April 15, 2022
Test suite coverage
March 24, 2022
Gas optimizations
March 24, 2022
Claim rewards without risk
March 18, 2022
Lack of slippage checks
March 18, 2022
FractalVaultV1 potential lock-up
March 18, 2022
AnySwap potential lock-up
March 18, 2022
Insufficient validation
March 14, 2022
Undocumented code
March 14, 2022
Internal discrepancy
March 14, 2022
Methods not exposed
March 14, 2022
Insufficient test coverage
March 14, 2022
Cross-chain desynchronization
March 6, 2022
Swaps can fail
March 6, 2022
Out-of-bounds read
March 6, 2022
Unclear inline assembly
March 6, 2022
Missing test suite coverage
March 6, 2022
Lack of documentation
March 6, 2022
Unfavorable rewarding incentives
March 6, 2022