| Date | Finding | Impact |
| --- | --- | --- |
| May 9, 2024 | Centralization risk | Medium |
| May 9, 2024 | Underflow | Medium |
| April 10, 2024 | centralization-risk | High |
| April 10, 2024 | Withdrawal bricks | High |
| March 28, 2024 | Calling reconcile can lead to stuck funds | High |
| March 28, 2024 | First depositor issue | Low |
| March 13, 2024 | Repeated validator IDs, `batchRevertExitRequest` | Critical |
| March 13, 2024 | ETH sent to wrong address on cancellation | Critical |
| March 13, 2024 | BNFT holder is compared with an incorrect address | Medium |
| March 13, 2024 | Repeated validator IDs, `batchSendExitRequest` | Critical |
| March 13, 2024 | BNFT holder could cancel the deposit | Critical |
| March 13, 2024 | Malicious users could mint themselves NFTs | Critical |
| March 13, 2024 | Wrong rewards calculation | High |
| March 13, 2024 | Queued withdrawals are not claimed by `forcePartialWithdraw` | Medium |
| March 13, 2024 | Deposit cancellation may fail | Medium |
| March 13, 2024 | Reward and withdrawal payout getters might fail | Low |
| March 5, 2024 | Owner set for implementation instead of proxy | Medium |
| March 5, 2024 | Using deprecated Chainlink function | Medium |
| March 5, 2024 | Using invalid Maker token address | Low |
| March 4, 2024 | Data hash underconstrained | Critical |
| March 4, 2024 | End hash underconstrained | Critical |
| March 4, 2024 | Underconstrained `prove_subchain` inputs | Critical |
| March 4, 2024 | End block height not range checked | Critical |
| March 4, 2024 | Tendermint X skip underconstrained | Critical |
| March 4, 2024 | Data commitment batch-size underflow | Low |
| February 29, 2024 | Transfer return | Medium |
| February 29, 2024 | Lack-of-pool check | Low |
| February 28, 2024 | Calm period detection | Critical |
| February 28, 2024 | TWAP interval | High |
| February 28, 2024 | Balances discontinuous | High |
| February 28, 2024 | Calm period not checked | High |
| February 28, 2024 | Paused state | Medium |
| February 28, 2024 | Withdrawals might revert | Medium |
| February 28, 2024 | Withdraw might not add liquidity again | Low |
| February 28, 2024 | Vault withdraw slippage | Low |
| February 28, 2024 | Deposit rounding | Low |
| February 28, 2024 | Uniswap mint edge case | Low |
| February 22, 2024 | Erroneous token transfer in `UpdateTokenShares` | High |
| February 22, 2024 | The `_toLower` incorrectly handles Unicode | Medium |
| February 14, 2024 | Session key `maxAmount` parameter is not stateful | Critical |
| February 12, 2024 | Potential DOS | Critical |
| February 12, 2024 | Preferential swaps | Critical |
| February 12, 2024 | Withdraw leads to loss of stake | Critical |
| February 12, 2024 | Centralization risks | High |
| February 6, 2024 | Potential front-running for `buy` | Medium |
| January 26, 2024 | Invariant may be calculated incorrectly | Medium |
| January 26, 2024 | Incorrect operator in `_tweakPrice` | Low |
| January 26, 2024 | Exit-fee arbitrage | Low |
| January 26, 2024 | Rebalance asset/liability slippage | Low |
| January 26, 2024 | Seed-deposit mispricing | Low |
| January 11, 2024 | Incorrect calculation effectively removes fee | High |
| January 11, 2024 | Front-runners can cancel any permit deposit | High |
| January 11, 2024 | Completing unqueued withdrawal loses/locks funds | High |
| January 11, 2024 | More than one strategy per token breaks accounting | Medium |
| January 11, 2024 | Admins can steal funds by self-sandwiching swaps | Medium |
| January 11, 2024 | Accumulated fee logic can prevent withdrawals | Low |
| January 11, 2024 | ERC-20 deposit and queued withdrawal whitelists | Low |
| January 9, 2024 | Centralization risk | Critical |
| January 9, 2024 | Incorrect down payment calculation | Critical |
| January 9, 2024 | Unused on-chain interest calculation | High |
| January 9, 2024 | Zero interest automatically changed to maximum | Low |
| January 9, 2024 | Loss of precision | Low |
| January 9, 2024 | Missing length check | Low |
| January 9, 2024 | Initializers not disabled | Low |
| January 9, 2024 | User is able to revert a position being closed | Medium |
| December 21, 2023 | Lack of input validation | Low |
| December 21, 2023 | Reentrancy in the `manage` function | Low |
| December 8, 2023 | Calls may be queued multiple times | High |
| December 8, 2023 | Funds may be trapped in the protocol | Medium |
| December 8, 2023 | Broker fees are not taken from swap amount | Critical |
| December 4, 2023 | Removal-of-owners underflow | Medium |
| December 4, 2023 | Wrong parameter used in revert | Low |
| December 4, 2023 | Entries of `eoaOwners` not checked | Low |
| November 24, 2023 | Anyone can become a validator | Critical |
| November 24, 2023 | Storage not set properly | High |
| November 24, 2023 | Out-of-bounds access | High |
| November 24, 2023 | Inaccurate handling in `findModelerUpperBound` | Medium |
| November 24, 2023 | Storage gaps improperly defined | Medium |
| November 24, 2023 | Incorrect removal logic | Medium |
| November 24, 2023 | Properties should be updated in `updateModel` | Low |
| November 14, 2023 | No enforced minimum value on `fixedPriceMarkup` | Medium |
| November 14, 2023 | Multiple events in the same TX cause loss of funds | Critical |
| November 14, 2023 | TSS funds migration may not be done correctly | Medium |
| November 14, 2023 | ZRC-20 mapping is overwritten on new deployment | Medium |
| November 14, 2023 | ZRC-20 paused status can be bypassed | High |
| November 14, 2023 | No slippage limit set in Uniswap swap | Medium |
| November 14, 2023 | Median gas-price threshold | Medium |
| November 14, 2023 | ZetaChain pays gas costs for EVM-to-zEVM transfers | High |
| November 9, 2023 | Possible DOS on cross-chain messages | Critical |
| November 9, 2023 | Large withdrawal may be blocked | High |
| November 9, 2023 | No health checks | High |
| November 9, 2023 | The `ecrecover` malleability | Medium |
| November 9, 2023 | Function inputs need validation | High |
| November 9, 2023 | Nonces not used in signatures | Medium |
| November 9, 2023 | Default blocking behavior on LZ | High |
| November 9, 2023 | Restore frozen balance | Medium |
| November 7, 2023 | Incorrect trade-volume calculation | High |
| November 6, 2023 | Missing selector validation | High |
| November 6, 2023 | Potential guardian deanonymization risk | Low |
| October 30, 2023 | Addition for equal summands wrong | High |
| October 30, 2023 | Signatures with large `r` rejected | High |
| October 30, 2023 | Validity of public keys | High |
| October 30, 2023 | Collateral inflation | Critical |
| October 30, 2023 | Free liquidation | Critical |
| October 30, 2023 | Interest theft | Critical |
| October 30, 2023 | Centralized pricing arbitrage | High |
| October 30, 2023 | Slippage is set to zero during swap | High |
| October 30, 2023 | EIP-712 fork replayable signature | High |
| October 30, 2023 | Assure debtors are auctionable | Medium |
| October 30, 2023 | Calculations reduce value of user collateral | Low |
| October 30, 2023 | ERC-4626 vault inflation | Medium |
| October 16, 2023 | Denial of service | Low |
| October 2, 2023 | Insufficient test coverage | Low |
| September 21, 2023 | Vester incorrect burn | High |
| September 21, 2023 | Cancellation still allows rewards to be claimed | Medium |
| September 15, 2023 | Test coverage | Low |
| September 13, 2023 | First depositor issue | Low |
| September 7, 2023 | Flywheel index mismatch issue during `optOut` | High |
| August 25, 2023 | ERC-4626 inflation attack | Critical |
| August 25, 2023 | Negative liquidations can cause bank run | High |
| August 25, 2023 | Markets missing slippage protection | Medium |
| August 25, 2023 | Reentrancy due to unauthenticated calls | Low |
| August 25, 2023 | Malicious market can drain funds from MultiInvoker | Low |
| August 17, 2023 | The `lastWithdrawalAt` is not initialized | Low |
| August 14, 2023 | Signature bypass | Critical |
| August 14, 2023 | PasskeyDecodeError | High |
| August 14, 2023 | Missing tests | Medium |
| August 14, 2023 | Modexp gas limit | High |
| August 14, 2023 | CurveTestFailures | High |
| August 14, 2023 | Withdrawal finalization does not work | High |
| August 14, 2023 | Disputed actions are not blocked | High |
| July 31, 2023 | High-fraction liquidations | Critical |
| July 31, 2023 | Boost delegator might not receive delegate fee | Low |
| July 25, 2023 | Risk of unintended token minting | High |
| July 25, 2023 | Possible DOS | Medium |
| July 25, 2023 | No storage gap | Medium |
| July 12, 2023 | Migrate recalled | Medium |
| July 12, 2023 | Param limit | Low |
| July 12, 2023 | Ethermint Ante handler bypass | High |
| July 12, 2023 | Missing `nil` check in Zetaclient | High |
| July 12, 2023 | Admin policy check will always fail | Medium |
| July 11, 2023 | Initializer | High |
| July 11, 2023 | Fee-on-transfer tokens | Low |
| July 10, 2023 | Insecure default value for JWT secret | Medium |
| July 5, 2023 | Inconsistencies in signers and roles | Medium |
| July 5, 2023 | Lack of input validation | Low |
| July 3, 2023 | Margin ratio not checked | Critical |
| July 3, 2023 | Iterating over maps | High |
| July 3, 2023 | AMM price manipulation | Critical |
| July 3, 2023 | Sender is not checked | Critical |
| July 3, 2023 | Wasm bindings validation | Critical |
| July 3, 2023 | Incorrect TWAP price | High |
| July 3, 2023 | Panic in `EndBlock` hooks | High |
| July 3, 2023 | TWAP not updated | High |
| July 3, 2023 | `BeginBlocker` chain halt | High |
| July 3, 2023 | Large `rewardSpread` | High |
| June 30, 2023 | `ZetaSent` events from arbitrary contracts are processed | Critical |
| June 30, 2023 | No panic handler in Zetaclient may halt cross chain communication | High |
| June 30, 2023 | Ethermint Ante handler bypass | High |
| June 30, 2023 | Unbonded validators prevent the TSS vote from passing | Medium |
| June 30, 2023 | Bonded validators can trigger reverts for successful transactions | Critical |
| June 30, 2023 | Sending ZETA to a bitcoin network results in BTC being sent instead | Critical |
| June 30, 2023 | Race condition in Bitcoin client leads to double spend | Critical |
| June 30, 2023 | Not waiting for minimum number of block confirmations results in double spend | Critical |
| June 30, 2023 | Multiple events in the same transaction causes loss of funds and chain halting | Critical |
| June 30, 2023 | Missing authentication when adding node keys | Critical |
| June 30, 2023 | Missing `nil` check in zeta client | High |
| June 30, 2023 | Case-sensitive address check allows for double signing | High |
| May 25, 2023 | Emergency withdraw functions are missing zero address checks | Medium |
| May 25, 2023 | Paymaster data is parsed without performing a length check | Low |
| May 24, 2023 | Protocol owner can drain pools | Critical |
| May 24, 2023 | Extraneous approval during withdrawal | Critical |
| May 24, 2023 | The underlying vault admin can drain pools | Critical |
| May 24, 2023 | Missing slippage limits allow front-running | Medium |
| May 24, 2023 | Unenforced assumptions about Definitive behavior | Medium |
| May 24, 2023 | Excessive owner responsibility creates deployment risks | Medium |
| May 24, 2023 | Staking manager may become locked | Medium |
| May 15, 2023 | The `_getAccount` function may return inaccurate information | Low |
| May 15, 2023 | Centralization risk: locked user funds | Low |
| May 12, 2023 | Missing registry check in `restrict` | Low |
| May 12, 2023 | Restriction pattern creates centralization risk | Low |
| May 4, 2023 | Lack of input validation leading to potentially dangerous calls | High |
| May 2, 2023 | The `_calcSharesAndAmounts` rounds amounts used down | Low |
| April 18, 2023 | Iteration over options can prevent withdraws | High |
| April 18, 2023 | Fee manager upgrades allow factory owner to change fees and prevent option exercise | High |
| April 18, 2023 | Locking to Solidity version 0.8.x | Medium |
| April 18, 2023 | Usage of transfer to send ETH can prevent receiving | Medium |
| April 18, 2023 | Protocol does not check return value of ERC20 swaps | Medium |
| April 18, 2023 | Factory update logic of option NFT enables owner to steal funds | High |
| April 18, 2023 | Pool toggling functionality may allow factory owner to lock exercising of options | High |
| April 13, 2023 | ABI-encoded inputs can mismatch specified amount | High |
| April 13, 2023 | Inconsistent coding conventions | Medium |
| April 13, 2023 | Possible denial of service in `claim` | Medium |
| April 13, 2023 | Protocol does not check return value of ERC20 swaps | Medium |
| April 13, 2023 | High minimum investment amount | Medium |
| March 14, 2023 | Transfer functionality | Low |
| February 27, 2023 | Variable not fully validated | High |
| February 13, 2023 | Malformed responses | Medium |
| February 13, 2023 | Low password complexity | Low |
| February 13, 2023 | RPC responses | Low |
| December 5, 2022 | Missing check in `process_transfer` | Critical |
| December 5, 2022 | Missing check in `process_withdraw` | Critical |
| December 5, 2022 | Missing public key check | High |
| December 5, 2022 | Information leak | Low |
| December 5, 2022 | Withdrawal instructions ignore constraints | Low |
| December 5, 2022 | Confidential public key not validated | Low |
| November 21, 2022 | Missing PDA validation | Critical |
| November 21, 2022 | Unsafe account deletion | Low |
| November 3, 2022 | Computation inaccuracy | Low |
| November 3, 2022 | Implicit precision loss | Low |
| November 3, 2022 | Incorrect rounding behavior | Low |
| November 3, 2022 | Function should be a friend | Low |
| November 2, 2022 | Bond can be in the past | Medium |
| November 2, 2022 | Inconclusive removal | Medium |
| November 2, 2022 | Data desynchronization | Low |
| October 26, 2022 | Incorrect implementation of iterator | High |
| October 26, 2022 | Duplicate call in coin register | High |
| October 26, 2022 | Potential frontrunning | High |
| October 26, 2022 | Incorrect order size | High |
| October 26, 2022 | Incorrect queue implementation | Medium |
| October 26, 2022 | ERC20 token heist | Critical |
| October 26, 2022 | Redeem implementation | High |
| October 26, 2022 | RefundGas miscalculation | Medium |
| October 26, 2022 | PostRelayedCall access | High |
| October 26, 2022 | Upgrade limitations | Medium |
| October 26, 2022 | PaymentsFacet access | High |
| October 26, 2022 | Multicall msg.value | High |
| October 26, 2022 | Broken maxWithdraw | Low |
| October 26, 2022 | PreviewBuyNow incorrect order | Low |
| October 26, 2022 | Blanket ERC20 approval | Low |
| October 26, 2022 | Junior IR interest | Low |
| October 26, 2022 | TransferReserve collateral heist | Critical |
| October 26, 2022 | ERC20 transfer validation | Low |
| October 26, 2022 | Reentrancy | Medium |
| October 26, 2022 | buyNow validation | Critical |
| October 26, 2022 | No timelocks | Critical |
| October 26, 2022 | Depositor misaccounting | Critical |
| October 26, 2022 | Lost totalUnbonding assets | Critical |
| October 26, 2022 | Vtoken loss of funds | Critical |
| October 26, 2022 | Interest double payment | High |
| October 26, 2022 | Stale price oracle | High |
| October 25, 2022 | Forgeable key | High |
| October 25, 2022 | Incorrect expression values | Medium |
| October 25, 2022 | Faulty comparison function | Medium |
| October 25, 2022 | Incorrect use of comparison function | Low |
| October 25, 2022 | Inconsistent stale entry check | Low |
| October 21, 2022 | Tortuga coin initialization | Medium |
| October 21, 2022 | Protocol configurations | Medium |
| October 21, 2022 | Payouts round down | Low |
| October 21, 2022 | Centralization risk | Low |
| September 28, 2022 | Missing validation check | Critical |
| September 28, 2022 | Incorrect asset tracking | Critical |
| September 28, 2022 | Failure to cancel orders | Medium |
| September 28, 2022 | Can allow dangerous calls | Low |
| September 28, 2022 | Centralization risk | Low |
| September 28, 2022 | Inconsistent interest calculations | Low |
| September 28, 2022 | Incomplete functionality | Low |
| August 1, 2022 | Same token swap allowed | Low |
| July 1, 2022 | migratePool loss of funds | Medium |
| July 1, 2022 | Swap lacks slippage | Low |
| July 1, 2022 | Centralization risk | Low |
| May 19, 2022 | Unexpected reverts | Medium |
| May 19, 2022 | Improperly set parameter | Medium |
| May 19, 2022 | Lack of input validation | Low |
| May 19, 2022 | Centralization risk | Low |
| May 19, 2022 | Missing coverage | Low |
| May 16, 2022 | Deposits potentially frontrun | High |
| May 16, 2022 | Centralization risks | High |
| May 16, 2022 | Unwanted deposits | High |
| May 16, 2022 | Emergency-only functions | Medium |
| May 16, 2022 | Invalid business logic | Medium |
| May 16, 2022 | Unaccounted dust | Low |
| May 16, 2022 | Missing account reload | Low |
| April 25, 2022 | Griefing opportunity | High |
| April 25, 2022 | Batched mints can be rejected | Low |
| April 15, 2022 | Out-of-bounds write | High |
| April 15, 2022 | Lack of rent exemption enforcement | High |
| April 15, 2022 | Inefficient algorithm | Low |
| March 24, 2022 | Test suite coverage | Low |
| March 24, 2022 | Gas optimizations | Low |
| March 18, 2022 | Claim rewards without risk | High |
| March 18, 2022 | Lack of slippage checks | High |
| March 18, 2022 | FractalVaultV1 potential lock-up | Medium |
| March 18, 2022 | AnySwap potential lock-up | Low |
| March 14, 2022 | Insufficient validation | Low |
| March 14, 2022 | Undocumented code | Low |
| March 14, 2022 | Internal discrepancy | Low |
| March 14, 2022 | Methods not exposed | Low |
| March 14, 2022 | Insufficient test coverage | Low |