Public findings

(710)

Date | Finding | Impact
July 4, 2025Proposals can be passed without quorum and threshold requirements being met
Medium
July 4, 2025Zero TargetBlockUtilization disables fee market
Medium
July 4, 2025The min_quorum > max_quorum flips interpolation
Low
May 30, 2025Incorrect position update order relative to isLiquidatable check in processMakerFill permits fund theft
Critical
May 30, 2025The isLong flag for a position is not reset to false during liquidation, preventing users from opening long positions
High
May 30, 2025The _gtlHook is not triggered when a GTL limit order is fully filled, resulting in inflated GTL totalAssets
High
May 30, 2025Stale price pointer after expired-order removal
Medium
May 30, 2025Time-weighted average price is manipulatable
High
May 30, 2025Incorrect shortcut used in isLiquidatable
Medium
May 30, 2025A malicious actor could block a market if minLimitOrderAmountInBase is set too low
High
May 30, 2025Incorrect ZeroCostTrade revert condition
Medium
May 30, 2025Unhandled edge case in the twap function of PriceHistoryLib
Low
May 30, 2025The queueWithdraw function lacks a zero-value check for the shares parameter
Low
May 30, 2025Inflated funding rate during first settlement
Medium
May 30, 2025Incorrect condition check in setMinLimitOrderAmountInBase
Low
May 19, 2025Excessive GitHub organization permissions
High
May 19, 2025Secrets in source code
Medium
May 19, 2025Pull requests merged without code reviews
Low
May 5, 2025Lack of a whitelist check
High
April 16, 2025Full base-token balance can be drained from CLOBManager
Critical
April 16, 2025Noncompetitive orders can be replaced with smaller orders
Medium
April 16, 2025Invalid baseReserve stalls buy on bonding curve
High
April 16, 2025The VIRTUAL_BASE upper-bound stalls buy on bonding curve
High
April 16, 2025Front-running orders is possible through order amendments
Medium
April 16, 2025Global bondingCurve misuse in SimpleLaunchPad functions
Medium
April 16, 2025WETH unwrap fails due to incorrect token flow
Medium
April 16, 2025Invalid fee tiers cause permanent order-matching denial of service
Medium
April 16, 2025Inconsistent amountIn handling in the first swap of executeRoute
Low
April 9, 2025Insufficient block validation
High
March 26, 2025Nonce reuse in adaptor signatures allows recovering signing key
Critical
March 26, 2025CosmWasm Stargate/Any messages bypass AnteHandler checks
Critical
March 26, 2025Incorrect parity check in adaptor signatures
Critical
March 26, 2025Panic triggered by incorrect logic in finality module’s EndBlock
Critical
March 26, 2025Slashed finality provider retaining voting power
Critical
March 26, 2025Slashed finality provider restoring voting power through pending delegations
Critical
March 26, 2025Arbitrary Deduction of Total Bond Satoshi from Unbonding Delegation Handling
Critical
March 26, 2025The btclightclient module design flaw after Babylon chain halt
Critical
March 26, 2025Arbitrary Deduction of Total Bond Satoshi from Expiring Delegation Handling
Critical
March 26, 2025Incorrect Delegation Status Check Leading to Chain Halt
Critical
March 26, 2025Variable-time multiplication by nonce in adaptor signatures, EOTSs, ECDSA, and Schnorr signatures
High
March 26, 2025Unauthenticated exposed Prometheus
High
March 26, 2025Unauthenticated exposed Prometheus
High
March 26, 2025Griefing vector through fork handling in btclightclient
Medium
March 26, 2025Floating values result in nondeterminism
Medium
March 26, 2025BLS keystore password is stored as plaintext
High
March 26, 2025The test keyring backend is used
Medium
March 26, 2025Inability to restore confirmed checkpoints to sealed state
Low
March 26, 2025Lack of commission-rate change restrictions in EditFinalityProvider
Low
March 26, 2025Hide slashing targets from vigilante by spamming
Low
March 26, 2025Public randomness reset due to block-height overflow
Low
March 26, 2025Proposal vote extensions' byte limit
Medium
March 26, 2025Incorrect negative checks
Low
March 26, 2025Unsafe swagger Content Security Policy
Low
March 26, 2025Multiple issues when inputting password for the BLS keystore
Low
March 25, 2025Untrusted input is used as trusted consensus state
Critical
March 25, 2025Merkle verification could be bypassed
Critical
March 25, 2025IBC does not work with chains that generate subsecond blocks
Critical
March 25, 2025Attested header is stored instead of finalized header
High
March 18, 2025Proof-set owner can reset proofSetLastProvenEpoch to avoid accumulated fees
Medium
March 18, 2025Fee refund can revert due to the gas limit or smart wallets
Low
March 17, 2025Users' funds can be stolen
Critical
March 17, 2025Fee can be minted multiple times
High
March 17, 2025Drain and financial loss resulting from rounding issue
Medium
March 17, 2025Freezing of users' funds due to excessive fee settings
Medium
March 17, 2025Precision loss prevents harvesting fees
Low
March 17, 2025Centralization risk
Medium
March 7, 2025Incorrect maturityFeeGrowthX128 may lead to miscalculated rewards
Medium
March 7, 2025Function _cleanupMaturedBuckets may run out of gas
Low
March 7, 2025Attacker can manipulate the initial price in the Uniswap pool
Critical
March 7, 2025Purchase token with zero USDC repeat
Critical
March 7, 2025Remove launchpadSell function from MegaRouterFacet
Medium
March 7, 2025MegaRouterFacet does not validate that clob is trusted
Low
March 7, 2025The Uniswap router contract still retains an approval after an unsuccessful swap
Low
February 24, 2025Broken lineage check due to governance-coin unwrap logic
Critical
February 24, 2025Missing MOD_HASH validation
Critical
February 24, 2025Improper condition filters in savings vault
Critical
February 24, 2025Missing condition filters in outlier resolver
Critical
February 24, 2025Incorrect STATUTES_MAX_IDX for statutes mutation
High
February 24, 2025Mistakes in auction-collateral calculations
High
February 24, 2025Outlier resolution--logic bugs
High
February 24, 2025Unverified solution parameters in announcer_registry could lead to loss of rewards
High
February 24, 2025Unverified solution parameters in recharge_win could lead to loss of tokens
High
February 24, 2025Missing timestamp validation in collateral vault
High
February 24, 2025Treasury withdrawals can create unauthorized treasury coins
Medium
February 24, 2025Unverified MIN_DEPOSIT value
High
February 24, 2025Veto from proposal coin has limited effect
Low
February 24, 2025Low gas costs of precompiles lead to denial of service
High
February 24, 2025The ECRecover precompile computes an incorrect key
Medium
February 24, 2025Missing overflow check in AddTransientGasWanted
Medium
February 24, 2025Lack of validation in ElasticityMultiplier causes division by zero
Medium
February 24, 2025Unbounded originalData can be provided
Low
February 24, 2025The EvmDenom can be updated by the EVM module's MsgUpdateParams
Low
February 24, 2025Potential division by zero in fee_checker
Low
February 24, 2025Potential overflow in fee_checker
Low
February 20, 2025Weights are calculated through total balances of tokens
Medium
February 20, 2025The _checkCap function is missing a check
Low
February 6, 2025Bypassing daily quota may lead to stuck funds
High
February 4, 2025Incorrect account bindings allows admin to deduct from vester
Low
February 4, 2025Broken uniqueness invariant in binary search
Low
January 31, 2025Struct not shared
Low
January 31, 2025Incorrect check for claimable amount
Low
January 31, 2025Bypass overriding index
Low
January 31, 2025Malformed Ether address could be added
Low
January 21, 2025Burn request emitted on identical amounts
Low
January 21, 2025Denial of service on pending requests
Low
January 21, 2025Debts owed by blacklisted users cannot be liquidated
Critical
January 21, 2025AssetDeployer deploys tokens that are vulnerable to inflation attacks
High
January 21, 2025Lack of freshness check in Api3Aggregator and LinkedAssetAggregator
High
January 21, 2025Underlying tokens can be swept by the admin
Medium
January 21, 2025Markets entered automatically can be exited
Low
January 21, 2025Infinite token approval is triggered outside the spec
Low
January 21, 2025Nonce collision in permit and delegateBySig functions
Low
January 21, 2025Potential underflow in getUnderlyingPrice due to high decimals
Low
January 17, 2025Signature bypass
Critical
January 17, 2025Migration applicable to already migrated storage account
Low
January 16, 2025ERC20Plugins token can lead to reentrancy issues
High
January 16, 2025Tokens with callback support can inflate the actualAmount
High
December 23, 2024Missing validation check on ERC-20 transfer
Medium
December 23, 2024Lack of comprehensive test suite
Medium
December 23, 2024Centralization risk
Critical
December 23, 2024Fee transfers occur without owner consent and can be front-run
Low
December 23, 2024Lack of access control in requestDeposit
Critical
December 23, 2024Potential price manipulation via read-only reentrancy in BasketToken.proRataRedeem()
Medium
December 23, 2024Potential asset manipulation via read-only reentrancy in BasketManagerUtils.proRataRedeem()
Low
December 23, 2024Underflow when calculating basket balances
Critical
December 23, 2024Missing rebalance-status check in updateBitFlag() leads to incorrect rebalancing
High
December 23, 2024Incorrect swap-fee calculation on feeOnBuy
High
December 23, 2024Management-fee calculation results in lower effective rate
High
December 23, 2024Missing mapping update in BasketToken.updateBitFlag() causes rebalancing failure
Medium
December 20, 2024Return value of transferFrom is not checked
Critical
December 20, 2024Signatures can be replayed
Critical
December 20, 2024Validator public key is not checked
Critical
December 20, 2024Function getValidatorIndex returns index of first validator for every public key
Critical
December 20, 2024The protocol owner can withdraw all funds from the bridge
High
December 20, 2024Validators cannot be removed
Medium
December 20, 2024No domain separation for validator signatures
High
December 13, 2024Fees could be overcharged by duplicated chainIds during broadcast
Medium
December 13, 2024High voting power could be usable without minimum lock time
Medium
December 13, 2024Incorrect use of totalPendingTokens leads to inability to rescue ERC-1155 tokens
Medium
December 13, 2024Rounding issue in USDz markets
High
December 13, 2024Cross-chain VotingEscrow sync temporarily fails
Low
December 13, 2024Missing expiration time check in the fillOffer function
Low
December 10, 2024Missing subgroup check in BLS12-381 key and signature aggregation
High
December 10, 2024Memory resource exhaustion via untracked buffers
Medium
December 10, 2024Gas-accounting discrepancy for infinite loops
Medium
December 10, 2024Inefficient Metadata array validation sequence
Low
December 10, 2024Unbounded transaction reference validation
Low
November 29, 2024Message Nonce uniqueness lacks guarantees
Low
November 28, 2024Withdrawal does not send tokens
Critical
November 27, 2024Accounting validator bonds share could be broken
High
November 27, 2024Function BeforeTokenizeShareRecordRemoved does not work as expected
Low
November 19, 2024Distributor could be drained by fake pool
Critical
November 19, 2024Decimals of the data in the function latestRoundData
High
November 19, 2024The start time could be updated during the predeposit period
Medium
November 19, 2024The function removeExcessBids may cause internal accounting inconsistencies
Medium
November 19, 2024Incorrect initialization of the contract BalancerOracleAdapter
Medium
November 19, 2024Precision loss in the getCreateAmount and getRedeemAmount functions
Medium
November 19, 2024The function getOraclePrice may return an incorrect price
High
November 19, 2024The governance may fail to set the fee
Low
November 19, 2024OracleReader does not have a storage gap
Low
November 19, 2024Potentially obtaining a stale price
Low
November 19, 2024A malicious bidder could drain the Auction contract
Critical
November 19, 2024Incorrect PreDeposit reward
High
November 19, 2024Claim function could be broken by timing attack
High
November 19, 2024Lack of handling of auction failures
High
November 19, 2024Bidders are unable to claim the expected amount of reserve tokens
High
November 19, 2024Distribution's claim function does not update storage variables
High
November 19, 2024Huge bid could cause overflow in subsequent bids
High
November 19, 2024Number of coupon tokens obtained from the auction may differ from number of coupon tokens to be distributed
High
November 19, 2024Unstake could be blocked for certain users
Medium
November 15, 2024DOS vulnerability via MsgRegisterContract due to unlimited gas execution in BeginBlock
Critical
November 15, 2024DOS vulnerability from inaccurate gas estimation in BeginBlock via simCheck
Critical
November 15, 2024Gas-price calculation error due to integer division rounding
High
November 15, 2024Insufficient error handling in gas deduction for failed transactions
Medium
November 15, 2024Inconsistent keyshare verification and logging due to Epoch switch
Low
November 15, 2024Slice append issue
Low
November 13, 2024Using the FromValues method for the Int248 type can lead to incorrect cached SignBit
Critical
November 13, 2024Unconstrained arithmetic operations
Critical
November 13, 2024Input-uniqueness check in CircuitAPI is ignored
Critical
November 13, 2024Function assertInputUniqueness is unsound
Critical
November 13, 2024Missing fields in calculation of verifying key hash
High
November 13, 2024Shallow copies leading to unintended side effects
High
November 13, 2024Function ConstInt248 allows invalid ranges for arguments, returning incorrect values
High
November 13, 2024Conversion functions fromInterface and Var2BigInt return zero instead of erroring on unrecognized types
High
November 13, 2024No range check in ToBinary of Uint521
Medium
November 13, 2024Keccak padding circuit incorrect for some input lengths
Medium
November 13, 2024Native Keccak padding and round-index functions incorrect
Medium
November 13, 2024Padding incorrect for output-commitment computation
Medium
November 13, 2024Assumptions made regarding log topics are not correct in full generality
Medium
November 13, 2024Selector not constrained to be Boolean for Select
High
November 13, 2024Conversion from Uint248 to Uint521 fails for values wider than 96 bits
Low
November 13, 2024Prover assignment will fail for custom inputs
Low
November 13, 2024Function to export Groth16 proofs only works for proofs with exactly one commitment
Low
November 13, 2024Incorrect constant used in twosComplement
Low
November 13, 2024Unexpected behavior for decompose-related functions on negative input
Low
November 13, 2024Mismatch between Uint521 type and its documentation
Low
November 13, 2024Raw data may be overwritten by index reuse
Low
November 13, 2024Data might be arranged incorrectly by rawData[T].list
Low
November 13, 2024Invalid receipts with empty LogField entries may be assigned
Low
November 13, 2024Parsing errors ignored in GetHexArray
Low
November 13, 2024Incorrect elliptic curve
Low
November 13, 2024Proof submission calls callback even if submission fails
Low
November 13, 2024Native tokens are not transferred to the exchange contracts
High
November 13, 2024No test suite
High
November 13, 2024The function supportToken does not configure the yield mode
Medium
November 13, 2024Calling the function configure regardless of whether the token is rebasing
Low
November 13, 2024Use of identical domain separators
Low
November 13, 2024Lack of storage gap in the contract EIP712VerifierU
Low
November 12, 2024Long-position--reserved collateral cannot be rebased
High
November 12, 2024VaultPriceFeed may be misconfigured, causing unexpected pricing calculations
Low
November 12, 2024Price feed may be gamed if insufficient rounds are captured
Low
November 12, 2024Extra calls into timelock EOA will fail
High
October 22, 2024Reachable unwrap panic in ics23_prove
Critical
October 21, 2024The changeOwner function does not update the UPGRADER_ROLE
Low
October 21, 2024Duplicate values of registry
Low
October 21, 2024Arithmetic overflow leading to DOS
High
October 21, 2024Router fee is bypassable
Low
October 21, 2024Missing function to remove a delegated signer
High
October 21, 2024Missing function to remove tokens from the whitelist
Medium
October 21, 2024Unset state variable custodianList
Low
October 21, 2024Mismatched function parameter types affecting inheritance
Low
October 21, 2024MoneyBrinter susceptible to stealth deposit
Critical
October 21, 2024Lack of user access control in StakeV2
Critical
October 21, 2024Formulaic error allows stakers to steal excess rewards
Critical
October 21, 2024The rewardIndex only increases, leading to eventual inability to claim rewards
High
October 21, 2024Manager can leak funds during reward distribution
Medium
October 21, 2024Zapper contract leaks excess token balance to OBRouter
Low
October 21, 2024Circuit Breaker's unsafe casting results in errors during liquidity tracking
Low
October 15, 2024Log parsing issue in extract_required_fee_from_log
Low
October 15, 2024Soft-block channel capacity misconfiguration
Low
October 15, 2024Potential overflow in celestia_block_variance to usize conversion
Low
October 15, 2024Universal XSS in Fuelet dApp WebView
Critical
October 15, 2024Origin impersonation via URL username and elision
High
October 15, 2024Optimizable PasswordManager check
Medium
October 15, 2024Insecure cloud-backup encryption
Medium
October 15, 2024Type confusion between Withdrawal and Cancel actions
Critical
October 15, 2024Reentrancy issue allowing repeat withdrawals
Critical
October 15, 2024Improper status tracking
High
October 15, 2024Raw ERC-20 interface usage
Medium
October 15, 2024Incorrect tracking of in-use status for alias accounts
Low
October 15, 2024Missing maximum-number-of-sequencers check
Low
September 11, 2024Signature replay allows unauthorized migrations
Critical
September 11, 2024No test suite
High
September 11, 2024Tokens from previous migrations may be lost
Medium
September 11, 2024Uneffective wETH limit
Low
September 3, 2024Fee-recipient reentrancy
High
September 3, 2024Fee recipient can censor forum posts
High
September 3, 2024Constructor left uninitialized
Medium
September 3, 2024Identifiable anonymous tokens
Low
September 3, 2024Fee amount may be rounded to zero
Low
September 3, 2024Edit function does not change ERC-20 symbol and name
Low
September 3, 2024Native ETH may be sent by mistake in some cases
Low
August 28, 2024Range check in add_slice_at_offset
Low
August 16, 2024ERC-1155 mint can be reentered with
Critical
August 16, 2024Possible fee leeching
Medium
August 16, 2024Possible DOS
Medium
August 16, 2024The costSharePrice is not properly maintained
Low
August 13, 2024There is no upper limit to the time-out on PFM packets
Medium
August 13, 2024Missing prefix for RefundPacketKey
Medium
August 3, 2024Invalid address could break down the bridge withdrawer
High
August 3, 2024Arbitrary withdrawal could be executed by bridge admin
High
August 3, 2024Withdrawal event could be reused by bridge admin
High
August 3, 2024TOCTOU bugs in ActionHandler
Medium
August 3, 2024Withdrawer address is not working in ICS20 withdrawal
Low
July 23, 2024Range check in unsafe_evaluate_multiply_add may be ineffective
Critical
July 23, 2024Underflow possible in evaluate_non_native_field_multiplication
Critical
July 23, 2024Overflow possible in evaluate_non_native_field_multiplication
Critical
July 23, 2024Missing field_t normalization in constructor
Critical
July 23, 2024Missing range check in constructors
Critical
July 23, 2024Missing consistency check for prime limb in constructor
Critical
July 23, 2024Proving that multiples of $p$ are unequal to $0$ modulo $p$ possible
Critical
July 23, 2024Equation checks not enforced
Medium
July 23, 2024Large limbs for constant inputs to conditional_negate
Medium
July 23, 2024Incomplete constant check
Low
July 23, 2024Null-pointer dereference
Low
July 23, 2024Handling of max argument to Limb constructor
Low
July 23, 2024Mistakes in calculation of MAX_UNREDUCED_LIMB_SIZE
Low
July 23, 2024Behavior of assert_equal for constant operands
Low
July 23, 2024Assert for add_to_lower_limb could be ineffective due to overflow
Low
July 15, 2024Chain halt due to unbounded votes by proposer
High
July 12, 2024Reward-token registration is irreversible
Critical
July 12, 2024PDT can be set as a reward token and withdrawn by admin
Medium
July 12, 2024The transferFrom function could fail
Medium
July 12, 2024The approve function could fail
Medium
July 12, 2024Rounding errors in computing fee
Medium
July 9, 2024Aggregation ISM cannot skip ISMs
Critical
July 9, 2024Modules cannot be removed from routing ISM
Medium
July 9, 2024Routing ISM with the fallback configuration does not show fallback behavior
Medium
July 9, 2024Owner address is not initialized
Medium
July 9, 2024Incorrect size for fetching branches of the Merkle tree
Medium
July 9, 2024Message can be sent multiple times to an untrusted recipient
Medium
July 9, 2024Announcing a new storage location overwrites the previous storage location
Low
July 9, 2024Aggregation ISM misfunctions if more than 255 modules exist
Low
July 9, 2024ISM configuration of MailboxComponent is disregarded
Low
July 9, 2024Unclear behavior of the function set_modules
Low
July 9, 2024Incorrect size of StoreFelt252Array
Low
July 9, 2024Incorrect splitting of a number in Keccak implementation
Critical
July 9, 2024Improper optimization in Keccak implementation
Critical
July 9, 2024Dynamic variable size for hash parameters
Critical
July 9, 2024Message incorrectly includes the size of body
Critical
July 9, 2024Multisig ISM allows duplicated signatures
High
July 9, 2024The protocol fee hook will always be reverted
High
July 9, 2024The contractAddress type cannot use the 32-byte addressing mechanism
High
July 9, 2024Input arguments in the Bytes type may be invalid
High
July 8, 2024Potential vulnerability in _aggregatePubkey update mechanism
Critical
July 8, 2024Lack of proof-of-possession verification
High
July 8, 2024Incorrect curve mapping
Medium
July 8, 2024Bias in hashToField function
Low
June 28, 2024Lack of input validations
Low
June 28, 2024Invalid creation of unbonding TX leads to loss of gas
Medium
June 28, 2024Authz module can be used to bypass validator message checks
Critical
June 28, 2024Finality provider can crash when submitting signature on finalized block
Critical
June 28, 2024Finality provider can get stuck in an infinite loop
Critical
June 28, 2024BTC reorg would lead to slash avoidance
Critical
June 28, 2024Vigilante makes an unnecessary report to Babylon
Low
June 28, 2024Differences between signHash and Sign
Low
June 28, 2024Finality provider BTC private key used as HMAC key for generating nonces
Low
June 18, 2024Unsound native-function declaration leading to critical verifier bypass
Critical
June 18, 2024Infinite recursion possible with module dependencies
Critical
June 18, 2024Unchecked UTF-8 decoding enables memory corruption
Critical
June 18, 2024Missing gas charge on memo in native_nft_transfer
High
June 18, 2024Next zapping ID potentially duplicated
High
June 18, 2024Published module names do not necessarily match binary module
High
June 18, 2024Ability to bypass swap fees
Low
June 18, 2024Module can be duplicated in module publish requests
Low
June 18, 2024Hex decode accepting invalid characters
Low
June 18, 2024Stablepools can be created with one or no assets
High
June 18, 2024Bad decimal-parsing function accepts multiple dots
Low
June 18, 2024Potential out-of-gas reversion when checking object permissions
Low
June 18, 2024Stablepool swap can be called, repeating the same asset
High
June 18, 2024Incorrect string-formatting helper
Low
June 18, 2024Incorrect minimum-TVL module-parameter check
Low
June 18, 2024Frozen module coin store can cause chain halt
High
June 18, 2024Malicious proposer can skip fee check
High
June 18, 2024A malicious user can become a permissioned relayer for IBC
Medium
June 18, 2024Move coins can be burned twice
High
June 18, 2024Move coin transfer can bypass blocked accounts
Medium
June 18, 2024Error not checked when fetching starting info
Low
June 18, 2024Move coins are case-insensitive in cosmos
Low
June 18, 2024Query gas limit not enforced through bank module
High
June 18, 2024Incorrect signer check for shorthand accounts
High
June 18, 2024Validator set updates can skip current validators
High
June 18, 2024Challenger can increase the next output index
Medium
June 18, 2024Missing token pair will crash the bridge executor
Medium
June 18, 2024Withdrawal hash clash using variable-length fields
High
June 14, 2024Fake pool could drain all the pool's tokens
Critical
June 14, 2024The redeemShort function is available before the pool is closed
Critical
June 14, 2024Simultaneous pool starting and closing is possible
High
June 14, 2024Order could be executed after the end of the pool's duration
Medium
June 14, 2024Bounty does not work with low-decimal tokens
Medium
June 14, 2024Lack of check that an order has already been canceled
Low
June 14, 2024Redeem functions do not work correctly
Critical
June 7, 2024Public input length might not be checked as intended due to overflow
Low
June 7, 2024Function AssignedKeccakInputs::to_instance_values incorrect for fixed-length inputs
Low
June 6, 2024Maximum supply cap is not immutable
Low
June 5, 2024Missing constraints in the copy circuit for MCOPY allow inserting illegitimate entries in the rw table
Critical
June 5, 2024Lack of constraints specific to transient storage and transaction receipts in the state circuit
Critical
June 5, 2024Source address is not constrained for ErrorOOGMemoryCopyGadget, allowing illegitimate reverts on MCOPY
Critical
June 5, 2024Step transition for end_tx not constrained
Critical
June 5, 2024Completeness issue for some out-of-gas cases for MCOPY
Medium
June 4, 2024Lack of stale price check in getAssetPrice function
High
June 4, 2024Unnecessary parameter usage in getRoundData function
Low
June 4, 2024Centralization risk in setPyth function
Low
May 22, 2024The supply limit limits issue, not supply
High
May 22, 2024Anyone can create tokens before initialization
High
May 22, 2024The `AssertContractInitialized` function should check `Initialized`
High
May 22, 2024Calling `ChangeOwner` may lock ownership upon user error
Medium
May 22, 2024No guard on admin-set fee rate
Medium
May 22, 2024Deadline-enforcement unit is inconsistent
Low
May 21, 2024Wrong fee mechanism in redeemBackSPCT
Medium
May 21, 2024Transfer event is emitted twice for minting or burning USDz
Medium
May 21, 2024Protection logic in rescueERC20 can be bypassed
Low
May 20, 2024Verification-batching implementation unsound
Critical
May 20, 2024Proving fails for public inputs that are all zero
Medium
May 9, 2024Centralization risk
Medium
May 9, 2024Underflow
Medium
May 8, 2024Missing yield-mode configuration
Low
May 8, 2024Minimum amount of `claimYield` does not work
Low
May 1, 2024Front-run
Low
April 30, 2024Centralization risk
Critical
April 30, 2024Fee amount not burned
Low
April 30, 2024No genesis state validation
Low
April 19, 2024Reentrancy in withdrawals
Critical
April 19, 2024Centralization Risk
High
April 19, 2024Nonpayable `bridgeTokenConnext` function
Low
April 19, 2024Nonpayable `bridgeTokenArb` function
Medium
April 19, 2024Allowance given to incorrect address
Medium
April 19, 2024Fixed depositor reentrancy can take all the ETH
Critical
April 19, 2024Unsafe handling of over-100% early exit fees
Critical
April 19, 2024Clone construction leaves constants uninitialized
High
April 19, 2024Quadratic-complexity logic risks gas-limit attacks
High
April 19, 2024Inconsistent division of fixed-side withdrawals
High
April 19, 2024Variable-side yield on yield is unfairly split
Medium
April 19, 2024Variable side cannot always withdraw fee share
Medium
April 19, 2024Open receive function can lock native ETH
Low
April 19, 2024Implementation contract can be used
Low
April 19, 2024Incorrect withdrawnFeeEarnings after finalization
Low
April 19, 2024Reentrancy can falsify isStarted in emitted event
Low
April 19, 2024Inactive variable depositor locks protocol fees
Low
April 16, 2024Successful swaps do not update spread
High
April 16, 2024Griefing potential
High
April 16, 2024The fallback function can collide with selectors
Medium
April 16, 2024Halving spread in base-to-base may be unsafe
Medium
April 16, 2024Chainlink data staleness
Medium
April 16, 2024Sandwich attack can affect base-to-base swap fee
Low
April 16, 2024Arbitrary calldata in `externalSwap` may be unsafe
Low
April 12, 2024Double spend for multi-input-actions
Critical
April 12, 2024Note-footer reuse within same action
High
April 12, 2024Note footer reuse in DarkpoolAssetManager
High
April 12, 2024Uniswap liquidity fee manipulation
Medium
April 12, 2024No slippage limits in UniswapLiquidityAssetManager
Medium
April 12, 2024Relayers can drain Curve asset managers
Medium
April 12, 2024Transfer and approval done by `_transferERC20`
Medium
April 12, 2024Low-entropy note generation
Medium
April 12, 2024Pool parameters are not verified
Low
April 12, 2024Signatures in circuits are not domain separated
Low
April 12, 2024Incomplete asset-validation logic
Low
April 12, 2024Reentrancy in withdrawals leading to double-spend
Critical
April 12, 2024Uniswap liquidity positions stealable
Critical
April 12, 2024Lack of wraparound protection in circuits
Critical
April 12, 2024Uniswap swaps can get stolen
Critical
April 12, 2024Fund lock via dummy notes in curve_add_liquidity
Critical
April 12, 2024Reentrancy for multi-asset-actions
Critical
April 12, 2024Relayers can steal from users/relayers
Critical
April 12, 2024Note footers not checked by `uniswapCollectFees`
High
April 11, 2024No withdrawal function
High
April 10, 2024Centralization risk
High
April 10, 2024Withdrawal bricks
High
| March 29, 2024 | Infinite loop in `_getSelfDelegations` | High |
| March 29, 2024 | Minimum staking is only checked in registration | High |
| March 29, 2024 | States are not automatically synced | Medium |
| March 28, 2024 | Calling reconcile can lead to stuck funds | High |
| March 28, 2024 | First depositor Issue | Low |
| March 18, 2024 | Stale prices from oracle | High |
| March 18, 2024 | Zero price from the fallback oracle | High |
| March 18, 2024 | The leverage closing function fails in most cases | Medium |
| March 18, 2024 | Inconsistent sources of decimal information | Medium |
| March 18, 2024 | Suspending a token does not clear the variable | High |
| March 18, 2024 | The locked amount is truncated to `int128` | High |
| March 18, 2024 | Emergency withdrawal mechanism breaks assumptions | Low |
| March 18, 2024 | An interest portion of collected fees are locked | High |
| March 18, 2024 | Collected fees cannot be claimed after withdrawal | Medium |
| March 13, 2024 | Deposit/stake functions are front-runnable | High |
| March 13, 2024 | Updating when `TRIGGERED` | High |
| March 13, 2024 | Centralized control of fee-dripping model | High |
| March 13, 2024 | round-issue-in-reward | Medium |
| March 13, 2024 | Fee dripped in any state | Medium |
| March 13, 2024 | Wrong ERC bricks fee system | Medium |
| March 13, 2024 | Deprivileging manager by owner | Low |
| March 13, 2024 | Deterministic address | Low |
| March 13, 2024 | Repeated validator IDs, `batchRevertExitRequest` | Critical |
| March 13, 2024 | ETH sent to wrong address on cancellation | Critical |
| March 13, 2024 | BNFT holder is compared with an incorrect address | Medium |
| March 13, 2024 | Repeated validator IDs, `batchSendExitRequest` | Critical |
| March 13, 2024 | BNFT holder could cancel the deposit | Critical |
| March 13, 2024 | Malicious users could mint themselves NFTs | Critical |
| March 13, 2024 | Wrong rewards calculation | High |
| March 13, 2024 | Queued withdrawals are not claimed by `forcePartialWithdraw` | Medium |
| March 13, 2024 | Deposit cancellation may fail | Medium |
| March 13, 2024 | Reward and withdrawal payout getters might fail | Low |
| March 5, 2024 | Owner set for implementation instead of proxy | Medium |
| March 5, 2024 | Using deprecated Chainlink function | Medium |
| March 5, 2024 | Using invalid Maker token address | Low |
| March 5, 2024 | Incorrect ICS-20 balance on time-out | Critical |
| March 5, 2024 | Arbitrary balance via dummy spend | Critical |
| March 5, 2024 | Asset total supply can be inflated | Critical |
| March 5, 2024 | Delegation tokens can be forged | Critical |
| March 5, 2024 | Multiple positions with the same ID | Critical |
| March 5, 2024 | IBC time-out packet is fallible | High |
| March 5, 2024 | Division by zero in `SwapExecution::max_price` | High |
| March 5, 2024 | Duplicate `validator::Definitions` in transaction | High |
| March 5, 2024 | SwapClaim proof panic | High |
| March 5, 2024 | Panic in `handle_batch_swaps` | High |
| March 5, 2024 | Limit orders can be erroneously closed | Medium |
| March 5, 2024 | Gas fees can be paid in any asset | Medium |
| March 5, 2024 | Incorrect denom prefix replacement | Medium |
| March 5, 2024 | Malicious validator can trigger epoch | Low |
| March 5, 2024 | Unchecked addition in ICS-20 transfer | Low |
| March 5, 2024 | No mechanism for debt write-off | Medium |
| March 5, 2024 | Rate limiter can be abused | Medium |
| March 4, 2024 | Data hash underconstrained | Critical |
| March 4, 2024 | End hash underconstrained | Critical |
| March 4, 2024 | Underconstrained `prove_subchain` inputs | Critical |
| March 4, 2024 | End block height not range checked | Critical |
| March 4, 2024 | Tendermint X skip underconstrained | Critical |
| March 4, 2024 | Data commitment batch-size underflow | Low |
| February 29, 2024 | Transfer return | Medium |
| February 29, 2024 | Lack-of-pool check | Low |
| February 28, 2024 | Origin spoofing | High |
| February 28, 2024 | Improper URL handling | High |
| February 28, 2024 | Improper host | High |
| February 28, 2024 | Suboptimal symmetric key derivation | Medium |
| February 28, 2024 | Suboptimal symmetric key derivation | Medium |
| February 28, 2024 | Calm period detection | Critical |
| February 28, 2024 | TWAP interval | High |
| February 28, 2024 | Balances discontinuous | High |
| February 28, 2024 | Calm period not checked | High |
| February 28, 2024 | Paused state | Medium |
| February 28, 2024 | Withdrawals might revert | Medium |
| February 28, 2024 | Withdraw might not add liquidity again | Low |
| February 28, 2024 | Vault withdraw slippage | Low |
| February 28, 2024 | Deposit rounding | Low |
| February 28, 2024 | Uniswap mint edge case | Low |
| February 22, 2024 | Traders can increase collateral | Critical |
| February 22, 2024 | Order ID reuse due to multiple `PriceUpkeeps` | Critical |
| February 22, 2024 | Incorrect funding-rate calculation | High |
| February 22, 2024 | Total open PNL improperly adjusted at zero price | High |
| February 22, 2024 | Vault PNL per token is only scaled if negative | High |
| February 22, 2024 | The `maxAllowedCollateral` check could be bypassed | Medium |
| February 22, 2024 | Premium price feeds are not used | Medium |
| February 22, 2024 | Value of `groupsCollaterals` could exceed | Medium |
| February 22, 2024 | Extra `PRECISION_6` divides `utilizationFee` | Medium |
| February 22, 2024 | Incorrect funding-rate calculation due to rounding | Medium |
| February 22, 2024 | Centralization risk of trusted owner | Medium |
| February 22, 2024 | Any allowance allows unlimited withdrawal changes | Low |
| February 22, 2024 | Market-close time-out reissuance can be skipped | Low |
| February 22, 2024 | Unexecutable trades added to `tradesToTrigger` | Low |
| February 22, 2024 | No penalty for missed withdrawals from OstiumVault | Low |
| February 22, 2024 | Trade closing can revert in `sendAssets` | Low |
| February 22, 2024 | Locked deposit-discount accounting time | Low |
| February 22, 2024 | Erroneous token transfer in `UpdateTokenShares` | High |
| February 22, 2024 | The `_toLower` incorrectly handles Unicode | Medium |
| February 14, 2024 | Session key `maxAmount` parameter is not stateful | Critical |
| February 12, 2024 | Potential DOS | Critical |
| February 12, 2024 | Preferential swaps | Critical |
| February 12, 2024 | Withdraw leads to loss of stake | Critical |
| February 12, 2024 | Centralization risks | High |
| February 6, 2024 | Potential front-running for `buy` | Medium |
| February 5, 2024 | Minimum confirmations check | High |
| February 5, 2024 | Malicious libraries | Medium |
| January 26, 2024 | Invariant may be calculated incorrectly | Medium |
| January 26, 2024 | Incorrect operator in `_tweakPrice` | Low |
| January 26, 2024 | Exit-fee arbitrage | Low |
| January 26, 2024 | Rebalance asset/liability slippage | Low |
| January 26, 2024 | Seed-deposit mispricing | Low |
| January 11, 2024 | Incorrect calculation effectively removes fee | High |
| January 11, 2024 | Front-runners can cancel any permit deposit | High |
| January 11, 2024 | Completing unqueued withdrawal loses/locks funds | High |
| January 11, 2024 | More than one strategy per token breaks accounting | Medium |
| January 11, 2024 | Admins can steal funds by self-sandwiching swaps | Medium |
| January 11, 2024 | Accumulated fee logic can prevent withdrawals | Low |
| January 11, 2024 | ERC-20 deposit and queued withdrawal whitelists | Low |
| January 9, 2024 | Centralization risk | Critical |
| January 9, 2024 | Incorrect down payment calculation | Critical |
| January 9, 2024 | Unused on-chain interest calculation | High |
| January 9, 2024 | Zero interest automatically changed to maximum | Low |
| January 9, 2024 | Loss of precision | Low |
| January 9, 2024 | Missing length check | Low |
| January 9, 2024 | Initializers not disabled | Low |
| January 9, 2024 | User is able to revert a position being closed | Medium |
| December 21, 2023 | Lack of input validation | Low |
| December 21, 2023 | Reentrancy in the `manage` function | Low |
| December 8, 2023 | Calls may be queued multiple times | High |
| December 8, 2023 | Funds may be trapped in the protocol | Medium |
| December 8, 2023 | Broker fees are not taken from swap amount | Critical |
| December 4, 2023 | Removal-of-owners underflow | Medium |
| December 4, 2023 | Wrong parameter used in revert | Low |
| December 4, 2023 | Entries of `eoaOwners` not checked | Low |
| December 1, 2023 | Stop loss higher than `openPrice` causes fund loss | Critical |
| December 1, 2023 | Unsafe cast in take profit can lead to fund loss | Critical |
| December 1, 2023 | No access control on `setWithdrawThreshold` | Critical |
| December 1, 2023 | Reserve requirement checked before withdrawal | Critical |
| December 1, 2023 | Locked shares have undue access to rewards | Critical |
| December 1, 2023 | Max profit can exceed amount reserved from vault | Critical |
| December 1, 2023 | Update margin uses new leverage | High |
| December 1, 2023 | Partial trades update open-interest incorrectly | High |
| December 1, 2023 | Referrer rebates must not decrease `totalRewards` | High |
| December 1, 2023 | Precision loss in `totalLockPoints` | High |
| December 1, 2023 | Wrong reserve ratio returned by getReserveRatio | High |
| December 1, 2023 | Loss-protection tier is reduced for larger trades | High |
| December 1, 2023 | Trading inflow much less than zero skew outflow | High |
| December 1, 2023 | Arbitrage opportunities with older price feeds | Medium |
| December 1, 2023 | Margin update assumes zero price in backup mode | Medium |
| December 1, 2023 | Referral close function includes referrer rebate | Medium |
| December 1, 2023 | Bot latency prevents limit-close order execution | High |
| December 1, 2023 | Referrer-code transfer process breaks assumptions | Medium |
| December 1, 2023 | Delayed force unlock causes reward insolvency | High |
| December 1, 2023 | Price impact is not tracked cumulatively | Medium |
| December 1, 2023 | Loss protection reduces the -100% cap on losses | Medium |
| December 1, 2023 | Miscalculation of `totalPrincipalDeposited` | Low |
| December 1, 2023 | Fee charged without market-order placement | Low |
| December 1, 2023 | One account can register multiple referral codes | Low |
| December 1, 2023 | Vault manager cannot access entire junior tranche | Low |
| December 1, 2023 | The maxRedeem function should comply with ERC-4626 | Low |
| December 1, 2023 | Incorrect access control causes update lockout | Low |
| December 1, 2023 | Trader contract can bypass max trades per pair | Low |
| December 1, 2023 | Limit-order timelock not initialized on open | Low |
| December 1, 2023 | Partial closes emit incorrect value | Low |
| December 1, 2023 | Function lacks incorrect-payment sanity checks | Low |
| November 24, 2023 | Anyone can become a validator | Critical |
| November 24, 2023 | Storage not set properly | High |
| November 24, 2023 | Out-of-bounds access | High |
| November 24, 2023 | Inaccurate handling in `findModelerUpperBound` | Medium |
| November 24, 2023 | Storage gaps improperly defined | Medium |
| November 24, 2023 | Incorrect removal logic | Medium |
| November 24, 2023 | Properties should be updated in `updateModel` | Low |
| November 14, 2023 | No enforced minimum value on `fixedPriceMarkup` | Medium |
| November 14, 2023 | Multiple events in the same TX cause loss of funds | Critical |
| November 14, 2023 | TSS funds migration may not be done correctly | Medium |
| November 14, 2023 | ZRC-20 mapping is overwritten on new deployment | Medium |
| November 14, 2023 | ZRC-20 paused status can be bypassed | High |
| November 14, 2023 | No slippage limit set in Uniswap swap | Medium |
| November 14, 2023 | Median gas-price threshold | Medium |
| November 14, 2023 | ZetaChain pays gas costs for EVM-to-zEVM transfers | High |
| November 9, 2023 | Possible DOS on cross-chain messages | Critical |
| November 9, 2023 | Large withdrawal may be blocked | High |
| November 9, 2023 | No health checks | High |
| November 9, 2023 | The `ecrecover` malleability | Medium |
| November 9, 2023 | Function inputs need validation | High |
| November 9, 2023 | Nonces not used in signatures | Medium |
| November 9, 2023 | Default blocking behavior on LZ | High |
| November 9, 2023 | Restore frozen balance | Medium |
| November 7, 2023 | Incorrect trade-volume calculation | High |
| November 6, 2023 | Missing selector validation | High |
| November 6, 2023 | Potential guardian deanonymization risk | Low |
| October 30, 2023 | Addition for equal summands wrong | High |
| October 30, 2023 | Signatures with large `r` rejected | High |
| October 30, 2023 | Validity of public keys | High |
| October 30, 2023 | Collateral inflation | Critical |
| October 30, 2023 | Free liquidation | Critical |
| October 30, 2023 | Interest theft | Critical |
| October 30, 2023 | Centralized pricing arbitrage | High |
| October 30, 2023 | Slippage is set to zero during swap | High |
| October 30, 2023 | EIP-712 fork replayable signature | High |
| October 30, 2023 | Assure debtors are auctionable | Medium |
| October 30, 2023 | Calculations reduce value of user collateral | Low |
| October 30, 2023 | ERC-4626 vault inflation | Medium |
| October 30, 2023 | Emissions can be claimed multiple times | Critical |
| October 30, 2023 | Value can be artificially inflated | High |
| October 30, 2023 | The lack of token addresses' verification | High |
| October 30, 2023 | The lack of verification of the payload data | High |
| October 30, 2023 | Incorrect loop implementation in function | Low |
| October 30, 2023 | Array out-of-bound exception in `_removeVaults` | Low |
| October 30, 2023 | The function `_removeVaults` returns early | Low |
| October 30, 2023 | The `weightStrategy` range violation | Low |
| October 30, 2023 | Incompatibility with USDT token | Medium |
| October 30, 2023 | Conversion does not account for token decimals | Medium |
| October 30, 2023 | Malicious users can profit | Medium |
| October 30, 2023 | Incorrect `weights` calculation | Medium |
| October 30, 2023 | Incorrect return value in `fetchEpochIds` | Medium |
| October 20, 2023 | Attacker-deployed ERC-20s | High |
| October 20, 2023 | Arbitrage opportunities bypass deposit limits | High |
| October 20, 2023 | Bundler calls can be identified and front-run | Low |
| October 20, 2023 | Operation with zero joinsplits can be tampered | Low |
| October 20, 2023 | Note encryption is unconstrained | Low |
| October 16, 2023 | Denial of service | Low |
| October 12, 2023 | Authentication bypass | Critical |
| October 12, 2023 | Fee payer authentication | Critical |
| October 12, 2023 | Any/all authenticators skip postexecution checks | High |
| October 12, 2023 | Multiple signers' auth bypass | High |
| October 12, 2023 | Incorrect validation | Medium |
| October 12, 2023 | Authentication bypass | Medium |
| October 12, 2023 | Incorrect error check | Low |
| October 12, 2023 | Panic for zero signers | Low |
| October 12, 2023 | Fee payer authentication | Low |
| October 2, 2023 | Insufficient test coverage | Low |
| September 21, 2023 | Vester incorrect burn | High |
| September 21, 2023 | Cancellation still allows rewards to be claimed | Medium |
| September 15, 2023 | Test coverage | Low |
| Sept 13, 2023 | First depositor issue | Low |
| September 7, 2023 | Flywheel index mismatch issue during `optOut` | High |
| August 25, 2023 | ERC-4626 inflation attack | Critical |
| August 25, 2023 | Negative liquidations can cause bank run | High |
| August 25, 2023 | Markets missing slippage protection | Medium |
| August 25, 2023 | Reentrancy due to unauthenticated calls | Low |
| August 25, 2023 | Malicious market can drain funds from MultiInvoker | Low |
| August 17, 2023 | The `lastWithdrawalAt` is not initialized | Low |
| August 14, 2023 | Signature bypass | Critical |
| August 14, 2023 | PasskeyDecodeError | High |
| August 14, 2023 | Missing tests | Medium |
| August 14, 2023 | Modexp gas limit | High |
| August 14, 2023 | CurveTestFailures | High |
| August 14, 2023 | Withdrawal finalization does not work | High |
| August 14, 2023 | Disputed actions are not blocked | High |
| July 31, 2023 | High-fraction liquidations | Critical |
| July 31, 2023 | Boost delegator might not receive delegate fee | Low |
| July 25, 2023 | Risk of unintended token minting | High |
| July 25, 2023 | Possible DOS | Medium |
| July 25, 2023 | No storage gap | Medium |
| July 12, 2023 | Migrate recalled | Medium |
| July 12, 2023 | Param limit | Low |
| July 12, 2023 | Ethermint Ante handler bypass | High |
| July 12, 2023 | Missing `nil` check in Zetaclient | High |
| July 12, 2023 | Admin policy check will always fail | Medium |
| July 11, 2023 | Initializer | High |
| July 11, 2023 | Fee-on-transfer tokens | Low |
| July 10, 2023 | Insecure default value for JWT secret | Medium |
| July 5, 2023 | Inconsistencies in signers and roles | Medium |
| July 5, 2023 | Lack of input validation | Low |
| July 3, 2023 | Margin ratio not checked | Critical |
| July 3, 2023 | Iterating over maps | High |
| July 3, 2023 | AMM price manipulation | Critical |
| July 3, 2023 | Sender is not checked | Critical |
| July 3, 2023 | Wasm bindings validation | Critical |
| July 3, 2023 | Incorrect TWAP price | High |
| July 3, 2023 | Panic in `EndBlock` hooks | High |
| July 3, 2023 | TWAP not updated | High |
| July 3, 2023 | `BeginBlocker` chain halt | High |
| July 3, 2023 | Large `rewardSpread` | High |
| June 26, 2023 | ZK and MPT Verifiers | High |
| June 26, 2023 | Test suite | Low |
| May 12, 2023 | Missing registry check in `restrict` | Low |
| May 12, 2023 | Restriction pattern creates centralization risk | Low |
| March 9, 2023 | Missing valid vault address check in processDepositQueue | High |
| March 9, 2023 | A malicious or compromised trader admin may lead to locked funds | Medium |
| March 9, 2023 | The vaultAddress validity check can be bypassed | Medium |
| March 9, 2023 | Ability to deposit on other users' behalf | Medium |
| March 9, 2023 | Missing status check in openVaultDeposits | Low |
| March 9, 2023 | Missing sanity checks for crucial protocol parameters | Medium |
| March 9, 2023 | Gas griefing using zero-value deposits and withdrawals | Low |
Proposals can be passed without quorum and threshold requirements being metLearn more
July 4, 2025
Medium
Zero TargetBlockUtilization disables fee marketLearn more
July 4, 2025
Medium
The min_quorum > max_quorum flips interpolationLearn more
July 4, 2025
Low
Incorrect position update order relative to isLiquidatable check in processMakerFill permits fund theftLearn more
May 30, 2025
Critical
The isLong flag for a position is not reset to false during liquidation, preventing users from opening long positionsLearn more
May 30, 2025
High
The _gtlHook is not triggered when a GTL limit order is fully filled, resulting in inflated GTL totalAssetsLearn more
May 30, 2025
High
Stale price pointer after expired-order removalLearn more
May 30, 2025
Medium
Time-weighted average price is manipulatableLearn more
May 30, 2025
High
Incorrect shortcut used in isLiquidatableLearn more
May 30, 2025
Medium
A malicious actor could block a market if minLimitOrderAmountInBase is set too lowLearn more
May 30, 2025
High
Incorrect ZeroCostTrade revert conditionLearn more
May 30, 2025
Medium
Unhandled edge case in the twap function of PriceHistoryLibLearn more
May 30, 2025
Low
The queueWithdraw function lacks a zero-value check for the shares parameterLearn more
May 30, 2025
Low
Inflated funding rate during first settlementLearn more
May 30, 2025
Medium
Incorrect condition check in setMinLimitOrderAmountInBaseLearn more
May 30, 2025
Low
Excessive GitHub organization permissionsLearn more
May 19, 2025
High
Secrets in source codeLearn more
May 19, 2025
Medium
Pull requests merged without code reviewsLearn more
May 19, 2025
Low
Lack of a whitelist checkLearn more
May 5, 2025
High
Full base-token balance can be drained from CLOBManagerLearn more
April 16, 2025
Critical
Noncompetitive orders can be replaced with smaller ordersLearn more
April 16, 2025
Medium
Invalid baseReserve stalls buy on bonding curveLearn more
April 16, 2025
High
The VIRTUAL_BASE upper-bound stalls buy on bonding curveLearn more
April 16, 2025
High
Front-running orders is possible through order amendmentsLearn more
April 16, 2025
Medium
Global bondingCurve misuse in SimpleLaunchPad functionsLearn more
April 16, 2025
Medium
WETH unwrap fails due to incorrect token flowLearn more
April 16, 2025
Medium
Invalid fee tiers cause permanent order-matching denial of serviceLearn more
April 16, 2025
Medium
Inconsistent amountIn handling in the first swap of executeRouteLearn more
April 16, 2025
Low
Insufficient block validationLearn more
April 9, 2025
High
Nonce reuse in adaptor signatures allows recovering signing keyLearn more
March 26, 2025
Critical
CosmWasm Stargate/Any messages bypass AnteHandler checksLearn more
March 26, 2025
Critical
Incorrect parity check in adaptor signaturesLearn more
March 26, 2025
Critical
Panic triggered by incorrect logic in finality module’s EndBlockLearn more
March 26, 2025
Critical
Slashed finality provider retaining voting powerLearn more
March 26, 2025
Critical
Slashed finality provider restoring voting power through pending delegationsLearn more
March 26, 2025
Critical
Arbitrary Deduction of Total Bond Satoshi from Unbonding Delegation HandlingLearn more
March 26, 2025
Critical
The btclightclient module design flaw after Babylon chain haltLearn more
March 26, 2025
Critical
Arbitrary Deduction of Total Bond Satoshi from Expiring Delegation HandlingLearn more
March 26, 2025
Critical
Incorrect Delegation Status Check Leading to Chain HaltLearn more
March 26, 2025
Critical
Variable-time multiplication by nonce in adaptor signatures, EOTSs, ECDSA, and Schnorr signaturesLearn more
March 26, 2025
High
Unauthenticated exposed PrometheusLearn more
March 26, 2025
High
Unauthenticated exposed PrometheusLearn more
March 26, 2025
High
Griefing vector through fork handling in btclightclientLearn more
March 26, 2025
Medium
Floating values result in nondeterminismLearn more
March 26, 2025
Medium
BLS keystore password is stored as plaintextLearn more
March 26, 2025
High
The test keyring backend is usedLearn more
March 26, 2025
Medium
Inability to restore confirmed checkpoints to sealed stateLearn more
March 26, 2025
Low
Lack of commission-rate change restrictions in EditFinalityProviderLearn more
March 26, 2025
Low
Hide slashing targets from vigilante by spammingLearn more
March 26, 2025
Low
Public randomness reset due to block-height overflowLearn more
March 26, 2025
Low
Proposal vote extensions' byte limitLearn more
March 26, 2025
Medium
Incorrect negative checksLearn more
March 26, 2025
Low
Unsafe swagger Content Security PolicyLearn more
March 26, 2025
Low
Multiple issues when inputting password for the BLS keystoreLearn more
March 26, 2025
Low
Untrusted input is used as trusted consensus stateLearn more
March 25, 2025
Critical
Merkle verification could be bypassedLearn more
March 25, 2025
Critical
IBC does not work with chains that generate subsecond blocksLearn more
March 25, 2025
Critical
Attested header is stored instead of finalized headerLearn more
March 25, 2025
High
Proof-set owner can reset proofSetLastProvenEpoch to avoid accumulated feesLearn more
March 18, 2025
Medium
Fee refund can revert due to the gas limit or smart walletsLearn more
March 18, 2025
Low
Users' funds can be stolenLearn more
March 17, 2025
Critical
Fee can be minted multiple timesLearn more
March 17, 2025
High
Drain and financial loss resulting from rounding issueLearn more
March 17, 2025
Medium
Freezing of users' funds due to excessive fee settingsLearn more
March 17, 2025
Medium
Precision loss prevents harvesting feesLearn more
March 17, 2025
Low
Centralization riskLearn more
March 17, 2025
Medium
Incorrect maturityFeeGrowthX128 may lead to miscalculated rewardsLearn more
March 7, 2025
Medium
Function _cleanupMaturedBuckets may run out of gasLearn more
March 7, 2025
Low
Attacker can manipulate the initial price in the Uniswap poolLearn more
March 7, 2025
Critical
Purchase token with zero USDC repeatLearn more
March 7, 2025
Critical
Remove launchpadSell function from MegaRouterFacetLearn more
March 7, 2025
Medium
MegaRouterFacet does not validate that clob is trustedLearn more
March 7, 2025
Low
The Uniswap router contract still retains an approval after an unsuccessful swapLearn more
March 7, 2025
Low
Broken lineage check due to governance-coin unwrap logicLearn more
February 24, 2025
Critical
Missing MOD_HASH validationLearn more
February 24, 2025
Critical
Improper condition filters in savings vaultLearn more
February 24, 2025
Critical
Missing condition filters in outlier resolverLearn more
February 24, 2025
Critical
Incorrect STATUTES_MAX_IDX for statutes mutationLearn more
February 24, 2025
High
Mistakes in auction-collateral calculationsLearn more
February 24, 2025
High
Outlier resolution--logic bugsLearn more
February 24, 2025
High
Unverified solution parameters in announcer_registry could lead to loss of rewardsLearn more
February 24, 2025
High
Unverified solution parameters in recharge_win could lead to loss of tokensLearn more
February 24, 2025
High
Missing timestamp validation in collateral vaultLearn more
February 24, 2025
High
Treasury withdrawals can create unauthorized treasury coinsLearn more
February 24, 2025
Medium
Unverified MIN_DEPOSIT valueLearn more
February 24, 2025
High
Veto from proposal coin has limited effectLearn more
February 24, 2025
Low
Low gas costs of precompiles lead to denial of serviceLearn more
February 24, 2025
High
The ECRecover precompile computes an incorrect keyLearn more
February 24, 2025
Medium
Missing overflow check in AddTransientGasWantedLearn more
February 24, 2025
Medium
Lack of validation in ElasticityMultiplier causes division by zeroLearn more
February 24, 2025
Medium
Unbounded originalData can be providedLearn more
February 24, 2025
Low
The EvmDenom can be updated by the EVM module's MsgUpdateParamsLearn more
February 24, 2025
Low
Potential division by zero in fee_checkerLearn more
February 24, 2025
Low
Potential overflow in fee_checkerLearn more
February 24, 2025
Low
Weights are calculated through total balances of tokensLearn more
February 20, 2025
Medium
The _checkCap function is missing a checkLearn more
February 20, 2025
Low
Bypassing daily quota may lead to stuck fundsLearn more
February 6, 2025
High
Incorrect account bindings allows admin to deduct from vesterLearn more
February 4, 2025
Low
Broken uniqueness invariant in binary searchLearn more
February 4, 2025
Low
Struct not sharedLearn more
January 31, 2025
Low
Incorrect check for claimable amountLearn more
January 31, 2025
Low
Bypass overriding indexLearn more
January 31, 2025
Low
Malformed Ether address could be addedLearn more
January 31, 2025
Low
Burn request emitted on identical amountsLearn more
January 21, 2025
Low
Denial of service on pending requestsLearn more
January 21, 2025
Low
Debts owed by blacklisted users cannot be liquidatedLearn more
January 21, 2025
Critical
AssetDeployer deploys tokens that are vulnerable to inflation attacksLearn more
January 21, 2025
High
Lack of freshness check in Api3Aggregator and LinkedAssetAggregatorLearn more
January 21, 2025
High
Underlying tokens can be swept by the adminLearn more
January 21, 2025
Medium
Markets entered automatically can be exitedLearn more
January 21, 2025
Low
Infinite token approval is triggered outside the specLearn more
January 21, 2025
Low
Nonce collision in permit and delegateBySig functionsLearn more
January 21, 2025
Low
Potential underflow in getUnderlyingPrice due to high decimalsLearn more
January 21, 2025
Low
Signature bypassLearn more
January 17, 2025
Critical
Migration applicable to already migrated storage accountLearn more
January 17, 2025
Low
ERC20Plugins token can lead to reentrancy issuesLearn more
January 16, 2025
High
Tokens with callback support can inflate the actualAmountLearn more
January 16, 2025
High
Missing validation check on ERC-20 transferLearn more
December 23, 2024
Medium
Lack of comprehensive test suiteLearn more
December 23, 2024
Medium
Centralization riskLearn more
December 23, 2024
Critical
Fee transfers occur without owner consent and can be front-runLearn more
December 23, 2024
Low
Lack of access control in requestDepositLearn more
December 23, 2024
Critical
Potential price manipulation via read-only reentrancy in BasketToken.proRataRedeem()Learn more
December 23, 2024
Medium
Potential asset manipulation via read-only reentrancy in BasketManagerUtils.proRataRedeem()L!\label{reentrancy_transfer}Learn more
December 23, 2024
Low
Underflow when calculating basket balancesLearn more
December 23, 2024
Critical
Missing rebalance-status check in updateBitFlag() leads to incorrect rebalancingLearn more
December 23, 2024
High
Incorrect swap-fee calculation on feeOnBuyLearn more
December 23, 2024
High
Management-fee calculation results in lower effective rateLearn more
December 23, 2024
High
Missing mapping update in BasketToken.updateBitFlag() causes rebalancing failureLearn more
December 23, 2024
Medium
Return value of transferFrom is not checkedLearn more
December 20, 2024
Critical
Signatures can be replayedLearn more
December 20, 2024
Critical
Validator public key is not checkedLearn more
December 20, 2024
Critical
Function getValidatorIndex returns index of first validator for every public keyLearn more
December 20, 2024
Critical
The protocol owner can withdraw all funds from the bridgeLearn more
December 20, 2024
High
Validators cannot be removedLearn more
December 20, 2024
Medium
No domain separation for validator signaturesLearn more
December 20, 2024
High
Fees could be overcharged by duplicated chainIds during broadcastLearn more
December 13, 2024
Medium
High voting power could be usable without minimum lock timeLearn more
December 13, 2024
Medium
Incorrect use of totalPendingTokens leads to inability to rescue ERC-1155 tokensLearn more
December 13, 2024
Medium
Rounding issue in USDz marketsLearn more
December 13, 2024
High
Cross-chain VotingEscrow sync temporarily failsLearn more
December 13, 2024
Low
Missing expiration time check in the fillOffer functionLearn more
December 13, 2024
Low
Missing subgroup check in BLS12-381 key and signature aggregationLearn more
December 10, 2024
High
Memory resource exhaustion via untracked buffersLearn more
December 10, 2024
Medium
Gas-accounting discrepancy for infinite loopsLearn more
December 10, 2024
Medium
Inefficient Metadata array validation sequenceLearn more
December 10, 2024
Low
Unbounded transaction reference validationLearn more
December 10, 2024
Low
Message Nonce uniqueness lacks guaranteesLearn more
November 29, 2024
Low
Withdrawal does not send tokensLearn more
November 28, 2024
Critical
Accounting validator bonds share could be brokenLearn more
November 27, 2024
High
Function BeforeTokenizeShareRecordRemoved does not work as expectedLearn more
November 27, 2024
Low
Distributor could be drained by fake poolLearn more
November 19, 2024
Critical
Decimals of the data in the function latestRoundDataLearn more
November 19, 2024
High
The start time could be updated during the predeposit periodLearn more
November 19, 2024
Medium
The function removeExcessBids may cause internal accounting inconsistenciesLearn more
November 19, 2024
Medium
Incorrect initialization of the contract BalancerOracleAdapterLearn more
November 19, 2024
Medium
Precision loss in the getCreateAmount and getRedeemAmount functionsLearn more
November 19, 2024
Medium
The function getOraclePrice may return an incorrect priceLearn more
November 19, 2024
High
The governance may fail to set the feeLearn more
November 19, 2024
Low
OracleReader does not have a storage gapLearn more
November 19, 2024
Low
Potentially obtaining a stale priceLearn more
November 19, 2024
Low
A malicious bidder could drain the Auction contractLearn more
November 19, 2024
Critical
Incorrect PreDeposit rewardLearn more
November 19, 2024
High
Claim function could be broken by timing attackLearn more
November 19, 2024
High
Lack of handling of auction failuresLearn more
November 19, 2024
High
Bidders are unable to claim the expected amount of reserve tokensLearn more
November 19, 2024
High
Distribution's claim function does not update storage variablesLearn more
November 19, 2024
High
Huge bid could cause overflow in subsequent bidsLearn more
November 19, 2024
High
Number of coupon tokens obtained from the auction may differ from number of coupon tokens to be distributedLearn more
November 19, 2024
High
Unstake could be blocked for certain usersLearn more
November 19, 2024
Medium
DOS vulnerability via MsgRegisterContract due to unlimited gas execution in BeginBlockLearn more
November 15, 2024
Critical
DOS vulnerability from inaccurate gas estimation in BeginBlock via simCheckLearn more
November 15, 2024
Critical
Gas-price calculation error due to integer division roundingLearn more
November 15, 2024
High
Insufficient error handling in gas deduction for failed transactionsLearn more
November 15, 2024
Medium
Inconsistent keyshare verification and logging due to Epoch switchLearn more
November 15, 2024
Low
Slice append issueLearn more
November 15, 2024
Low
Using the FromValues method for the Int248 type can lead to incorrect cached SignBitLearn more
November 13, 2024
Critical
Unconstrained arithmetic operationsLearn more
November 13, 2024
Critical
Input-uniqueness check in CircuitAPI is ignoredLearn more
November 13, 2024
Critical
Function assertInputUniqueness is unsoundLearn more
November 13, 2024
Critical
Missing fields in calculation of verifying key hashLearn more
November 13, 2024
High
Shallow copies leading to unintended side effectsLearn more
November 13, 2024
High
Function ConstInt248 allows invalid ranges for arguments, returning incorrect valuesLearn more
November 13, 2024
High
Conversion functions fromInterface and Var2BigInt return zero instead of erroring on unrecognized typesLearn more
November 13, 2024
High
No range check in ToBinary of Uint521Learn more
November 13, 2024
Medium
Keccak padding circuit incorrect for some input lengthsLearn more
November 13, 2024
Medium
Native Keccak padding and round-index functions incorrectLearn more
November 13, 2024
Medium
Padding incorrect for output-commitment computationLearn more
November 13, 2024
Medium
Assumptions made regarding log topics are not correct in full generality
November 13, 2024
Medium
Selector not constrained to be Boolean for Select
November 13, 2024
High
Conversion from Uint248 to Uint521 fails for values wider than 96 bits
November 13, 2024
Low
Prover assignment will fail for custom inputs
November 13, 2024
Low
Function to export Groth16 proofs only works for proofs with exactly one commitment
November 13, 2024
Low
Incorrect constant used in twosComplement
November 13, 2024
Low
Unexpected behavior for decompose-related functions on negative input
November 13, 2024
Low
Mismatch between Uint521 type and its documentation
November 13, 2024
Low
Raw data may be overwritten by index reuse
November 13, 2024
Low
Data might be arranged incorrectly by rawData[T].list
November 13, 2024
Low
Invalid receipts with empty LogField entries may be assigned
November 13, 2024
Low
Parsing errors ignored in GetHexArray
November 13, 2024
Low
Incorrect elliptic curve
November 13, 2024
Low
Proof submission calls callback even if submission fails
November 13, 2024
Low
Native tokens are not transferred to the exchange contracts
November 13, 2024
High
No test suite
November 13, 2024
High
The function supportToken does not configure the yield mode
November 13, 2024
Medium
Calling the function configure regardless of whether the token is rebasing
November 13, 2024
Low
Use of identical domain separators
November 13, 2024
Low
Lack of storage gap in the contract EIP712VerifierU
November 13, 2024
Low
Long-position--reserved collateral cannot be rebased
November 12, 2024
High
VaultPriceFeed may be misconfigured, causing unexpected pricing calculations
November 12, 2024
Low
Price feed may be gamed if insufficient rounds are captured
November 12, 2024
Low
Extra calls into timelock EOA will fail
November 12, 2024
High
Reachable unwrap panic in ics23_prove
October 22, 2024
Critical
The changeOwner function does not update the UPGRADER_ROLE
October 21, 2024
Low
Duplicate values of registry
October 21, 2024
Low
Arithmetic overflow leading to DOS
October 21, 2024
High
Router fee is bypassable
October 21, 2024
Low
Missing function to remove a delegated signer
October 21, 2024
High
Missing function to remove tokens from the whitelist
October 21, 2024
Medium
Unset state variable custodianList
October 21, 2024
Low
Mismatched function parameter types affecting inheritance
October 21, 2024
Low
MoneyBrinter susceptible to stealth deposit
October 21, 2024
Critical
Lack of user access control in StakeV2
October 21, 2024
Critical
Formulaic error allows stakers to steal excess rewards
October 21, 2024
Critical
The rewardIndex only increases, leading to eventual inability to claim rewards
October 21, 2024
High
Manager can leak funds during reward distribution
October 21, 2024
Medium
Zapper contract leaks excess token balance to OBRouter
October 21, 2024
Low
Circuit Breaker's unsafe casting results in errors during liquidity tracking
October 21, 2024
Low
Log parsing issue in extract_required_fee_from_log
October 15, 2024
Low
Soft-block channel capacity misconfiguration
October 15, 2024
Low
Potential overflow in celestia_block_variance to usize conversion
October 15, 2024
Low
Universal XSS in Fuelet dApp WebView
October 15, 2024
Critical
Origin impersonation via URL username and elision
October 15, 2024
High
Optimizable PasswordManager check
October 15, 2024
Medium
Insecure cloud-backup encryption
October 15, 2024
Medium
Type confusion between Withdrawal and Cancel actions
October 15, 2024
Critical
Reentrancy issue allowing repeat withdrawals
October 15, 2024
Critical
Improper status tracking
October 15, 2024
High
Raw ERC-20 interface usage
October 15, 2024
Medium
Incorrect tracking of in-use status for alias accounts
October 15, 2024
Low
Missing maximum-number-of-sequencers check
October 15, 2024
Low
Signature replay allows unauthorized migrations
September 11, 2024
Critical
No test suite
September 11, 2024
High
Tokens from previous migrations may be lost
September 11, 2024
Medium
Uneffective wETH limit
September 11, 2024
Low
Fee-recipient reentrancy
September 3, 2024
High
Fee recipient can censor forum posts
September 3, 2024
High
Constructor left uninitialized
September 3, 2024
Medium
Identifiable anonymous tokens
September 3, 2024
Low
Fee amount may be rounded to zero
September 3, 2024
Low
Edit function does not change ERC-20 symbol and name
September 3, 2024
Low
Native ETH may be sent by mistake in some cases
September 3, 2024
Low
Range check in add_slice_at_offset
August 28, 2024
Low
ERC-1155 mint can be reentered with
August 16, 2024
Critical
Possible fee leeching
August 16, 2024
Medium
Possible DOS
August 16, 2024
Medium
The costSharePrice is not properly maintained
August 16, 2024
Low
There is no upper limit to the time-out on PFM packets
August 13, 2024
Medium
Missing prefix for RefundPacketKey
August 13, 2024
Medium
Invalid address could break down the bridge withdrawer
August 3, 2024
High
Arbitrary withdrawal could be executed by bridge admin
August 3, 2024
High
Withdrawal event could be reused by bridge admin
August 3, 2024
High
TOCTOU bugs in ActionHandler
August 3, 2024
Medium
Withdrawer address is not working in ICS20 withdrawal
August 3, 2024
Low
Range check in unsafe_evaluate_multiply_add may be ineffective
July 23, 2024
Critical
Underflow possible in evaluate_non_native_field_multiplication
July 23, 2024
Critical
Overflow possible in evaluate_non_native_field_multiplication
July 23, 2024
Critical
Missing field_t normalization in constructor
July 23, 2024
Critical
Missing range check in constructors
July 23, 2024
Critical
Missing consistency check for prime limb in constructor
July 23, 2024
Critical
Proving that multiples of $p$ are unequal to $0$ modulo $p$ possible
July 23, 2024
Critical
Equation checks not enforced
July 23, 2024
Medium
Large limbs for constant inputs to conditional_negate
July 23, 2024
Medium
Incomplete constant check
July 23, 2024
Low
Null-pointer dereference
July 23, 2024
Low
Handling of max argument to Limb constructor
July 23, 2024
Low
Mistakes in calculation of MAX_UNREDUCED_LIMB_SIZE
July 23, 2024
Low
Behavior of assert_equal for constant operands
July 23, 2024
Low
Assert for add_to_lower_limb could be ineffective due to overflow
July 23, 2024
Low
Chain halt due to unbounded votes by proposer
July 15, 2024
High
Reward-token registration is irreversible
July 12, 2024
Critical
PDT can be set as a reward token and withdrawn by admin
July 12, 2024
Medium
The transferFrom function could fail
July 12, 2024
Medium
The approve function could fail
July 12, 2024
Medium
Rounding errors in computing fee
July 12, 2024
Medium
Aggregation ISM cannot skip ISMs
July 9, 2024
Critical
Modules cannot be removed from routing ISM
July 9, 2024
Medium
Routing ISM with the fallback configuration does not show fallback behavior
July 9, 2024
Medium
Owner address is not initialized
July 9, 2024
Medium
Incorrect size for fetching branches of the Merkle tree
July 9, 2024
Medium
Message can be sent multiple times to an untrusted recipient
July 9, 2024
Medium
Announcing a new storage location overwrites the previous storage location
July 9, 2024
Low
Aggregation ISM misfunctions if more than 255 modules exist
July 9, 2024
Low
ISM configuration of MailboxComponent is disregarded
July 9, 2024
Low
Unclear behavior of the function set_modules
July 9, 2024
Low
Incorrect size of StoreFelt252Array
July 9, 2024
Low
Incorrect splitting of a number in Keccak implementation
July 9, 2024
Critical
Improper optimization in Keccak implementation
July 9, 2024
Critical
Dynamic variable size for hash parameters
July 9, 2024
Critical
Message incorrectly includes the size of body
July 9, 2024
Critical
Multisig ISM allows duplicated signatures
July 9, 2024
High
The protocol fee hook will always be reverted
July 9, 2024
High
The contractAddress type cannot use the 32-byte addressing mechanism
July 9, 2024
High
Input arguments in the Bytes type may be invalid
July 9, 2024
High
Potential vulnerability in _aggregatePubkey update mechanism
July 8, 2024
Critical
Lack of proof-of-possession verification
July 8, 2024
High
Incorrect curve mapping
July 8, 2024
Medium
Bias in hashToField function
July 8, 2024
Low
Lack of input validations
June 28, 2024
Low
Invalid creation of unbonding TX leads to loss of gas
June 28, 2024
Medium
Authz module can be used to bypass validator message checks
June 28, 2024
Critical
Finality provider can crash when submitting signature on finalized block
June 28, 2024
Critical
Finality provider can get stuck in an infinite loop
June 28, 2024
Critical
BTC reorg would lead to slash avoidance
June 28, 2024
Critical
Vigilante makes an unnecessary report to Babylon
June 28, 2024
Low
Differences between signHash and Sign
June 28, 2024
Low
Finality provider BTC private key used as HMAC key for generating nonces
June 28, 2024
Low
Unsound native-function declaration leading to critical verifier bypass
June 18, 2024
Critical
Infinite recursion possible with module dependencies
June 18, 2024
Critical
Unchecked UTF-8 decoding enables memory corruption
June 18, 2024
Critical
Missing gas charge on memo in native_nft_transfer
June 18, 2024
High
Next zapping ID potentially duplicated
June 18, 2024
High
Published module names do not necessarily match binary module
June 18, 2024
High
Ability to bypass swap fees
June 18, 2024
Low
Module can be duplicated in module publish requests
June 18, 2024
Low
Hex decode accepting invalid characters
June 18, 2024
Low
Stablepools can be created with one or no assets
June 18, 2024
High
Bad decimal-parsing function accepts multiple dots
June 18, 2024
Low
Potential out-of-gas reversion when checking object permissions
June 18, 2024
Low
Stablepool swap can be called, repeating the same asset
June 18, 2024
High
Incorrect string-formatting helper
June 18, 2024
Low
Incorrect minimum-TVL module-parameter check
June 18, 2024
Low
Frozen module coin store can cause chain halt
June 18, 2024
High
Malicious proposer can skip fee check
June 18, 2024
High
A malicious user can become a permissioned relayer for IBC
June 18, 2024
Medium
Move coins can be burned twice
June 18, 2024
High
Move coin transfer can bypass blocked accounts
June 18, 2024
Medium
Error not checked when fetching starting info
June 18, 2024
Low
Move coins are case-insensitive in cosmos
June 18, 2024
Low
Query gas limit not enforced through bank module
June 18, 2024
High
Incorrect signer check for shorthand accounts
June 18, 2024
High
Validator set updates can skip current validators
June 18, 2024
High
Challenger can increase the next output index
June 18, 2024
Medium
Missing token pair will crash the bridge executor
June 18, 2024
Medium
Withdrawal hash clash using variable-length fields
June 18, 2024
High
Fake pool could drain all the pool's tokens
June 14, 2024
Critical
The redeemShort function is available before the pool is closed
June 14, 2024
Critical
Simultaneous pool starting and closing is possible
June 14, 2024
High
Order could be executed after the end of the pool's duration
June 14, 2024
Medium
Bounty does not work with low-decimal tokens
June 14, 2024
Medium
Lack of check that an order has already been canceled
June 14, 2024
Low
Redeem functions do not work correctly
June 14, 2024
Critical
Public input length might not be checked as intended due to overflow
June 7, 2024
Low
Function AssignedKeccakInputs::to_instance_values incorrect for fixed-length inputs
June 7, 2024
Low
Maximum supply cap is not immutable
June 6, 2024
Low
Missing constraints in the copy circuit for MCOPY allow inserting illegitimate entries in the rw table
June 5, 2024
Critical
Lack of constraints specific to transient storage and transaction receipts in the state circuit
June 5, 2024
Critical
Source address is not constrained for ErrorOOGMemoryCopyGadget, allowing illegitimate reverts on MCOPY
June 5, 2024
Critical
Step transition for end_tx not constrained
June 5, 2024
Critical
Completeness issue for some out-of-gas cases for MCOPY
June 5, 2024
Medium
Lack of stale price check in getAssetPrice function
June 4, 2024
High
Unnecessary parameter usage in getRoundData function
June 4, 2024
Low
Centralization risk in setPyth function
June 4, 2024
Low
The supply limit limits issue, not supply
May 22, 2024
High
Anyone can create tokens before initialization
May 22, 2024
High
The `AssertContractInitialized` function should check `Initialized`
May 22, 2024
High
Calling `ChangeOwner` may lock ownership upon user error
May 22, 2024
Medium
No guard on admin-set fee rate
May 22, 2024
Medium
Deadline-enforcement unit is inconsistent
May 22, 2024
Low
Wrong fee mechanism in redeemBackSPCT
May 21, 2024
Medium
Transfer event is emitted twice for minting or burning USDz
May 21, 2024
Medium
Protection logic in rescueERC20 can be bypassed
May 21, 2024
Low
Verification-batching implementation unsound
May 20, 2024
Critical
Proving fails for public inputs that are all zero
May 20, 2024
Medium
Centralization risk
May 9, 2024
Medium
Underflow
May 9, 2024
Medium
Missing yield-mode configuration
May 8, 2024
Low
Minimum amount of `claimYield` does not work
May 8, 2024
Low
Front-run
May 1, 2024
Low
Centralization risk
April 30, 2024
Critical
Fee amount not burned
April 30, 2024
Low
No genesis state validation
April 30, 2024
Low
Reentrancy in withdrawals
April 19, 2024
Critical
Centralization Risk
April 19, 2024
High
Nonpayable `bridgeTokenConnext` function
April 19, 2024
Low
Nonpayable `bridgeTokenArb` function
April 19, 2024
Medium
Allowance given to incorrect address
April 19, 2024
Medium
Fixed depositor reentrancy can take all the ETH
April 19, 2024
Critical
Unsafe handling of over-100% early exit fees
April 19, 2024
Critical
Clone construction leaves constants uninitialized
April 19, 2024
High
Quadratic-complexity logic risks gas-limit attacks
April 19, 2024
High
Inconsistent division of fixed-side withdrawals
April 19, 2024
High
Variable-side yield on yield is unfairly split
April 19, 2024
Medium
Variable side cannot always withdraw fee share
April 19, 2024
Medium
Open receive function can lock native ETH
April 19, 2024
Low
Implementation contract can be used
April 19, 2024
Low
Incorrect withdrawnFeeEarnings after finalization
April 19, 2024
Low
Reentrancy can falsify isStarted in emitted event
April 19, 2024
Low
Inactive variable depositor locks protocol fees
April 19, 2024
Low
Successful swaps do not update spread
April 16, 2024
High
Griefing potential
April 16, 2024
High
The fallback function can collide with selectors
April 16, 2024
Medium
Halving spread in base-to-base may be unsafe
April 16, 2024
Medium
Chainlink data staleness
April 16, 2024
Medium
Sandwich attack can affect base-to-base swap fee
April 16, 2024
Low
Arbitrary calldata in `externalSwap` may be unsafe
April 16, 2024
Low
Double spend for multi-input-actions
April 12, 2024
Critical
Note-footer reuse within same action
April 12, 2024
High
Note footer reuse in DarkpoolAssetManager
April 12, 2024
High
Uniswap liquidity fee manipulation
April 12, 2024
Medium
No slippage limits in UniswapLiquidityAssetManager
April 12, 2024
Medium
Relayers can drain Curve asset managers
April 12, 2024
Medium
Transfer and approval done by `_transferERC20`
April 12, 2024
Medium
Low-entropy note generation
April 12, 2024
Medium
Pool parameters are not verified
April 12, 2024
Low
Signatures in circuits are not domain separated
April 12, 2024
Low
Incomplete asset-validation logic
April 12, 2024
Low
Reentrancy in withdrawals leading to double-spend
April 12, 2024
Critical
Uniswap liquidity positions stealable
April 12, 2024
Critical
Lack of wraparound protection in circuits
April 12, 2024
Critical
Uniswap swaps can get stolen
April 12, 2024
Critical
Fund lock via dummy notes in curve_add_liquidity
April 12, 2024
Critical
Reentrancy for multi-asset-actions
April 12, 2024
Critical
Relayers can steal from users/relayers
April 12, 2024
Critical
Note footers not checked by `uniswapCollectFees`
April 12, 2024
High
No withdrawal function
April 11, 2024
High
Centralization risk
April 10, 2024
High
Withdrawal bricks
April 10, 2024
High
Infinite loop in `_getSelfDelegations`
March 29, 2024
High
Minimum staking is only checked in registration
March 29, 2024
High
States are not automatically synced
March 29, 2024
Medium
Calling reconcile can lead to stuck funds
March 28, 2024
High
First depositor Issue
March 28, 2024
Low
Stale prices from oracle
March 18, 2024
High
Zero price from the fallback oracle
March 18, 2024
High
The leverage closing function fails in most cases
March 18, 2024
Medium
Inconsistent sources of decimal information
March 18, 2024
Medium
Suspending a token does not clear the variable
March 18, 2024
High
The locked amount is truncated to `int128`
March 18, 2024
High
Emergency withdrawal mechanism breaks assumptions
March 18, 2024
Low
An interest portion of collected fees are locked
March 18, 2024
High
Collected fees cannot be claimed after withdrawal
March 18, 2024
Medium
Deposit/stake functions are front-runnable
March 13, 2024
High
Updating when `TRIGGERED`
March 13, 2024
High
Centralized control of fee-dripping model
March 13, 2024
High
round-issue-in-reward
March 13, 2024
Medium
Fee dripped in any state
March 13, 2024
Medium
Wrong ERC bricks fee system
March 13, 2024
Medium
Deprivileging manager by owner
March 13, 2024
Low
Deterministic address
March 13, 2024
Low
Repeated validator IDs, `batchRevertExitRequest`
March 13, 2024
Critical
ETH sent to wrong address on cancellation
March 13, 2024
Critical
BNFT holder is compared with an incorrect address
March 13, 2024
Medium
Repeated validator IDs, `batchSendExitRequest`
March 13, 2024
Critical
BNFT holder could cancel the deposit
March 13, 2024
Critical
Malicious users could mint themselves NFTs
March 13, 2024
Critical
Wrong rewards calculation
March 13, 2024
High
Queued withdrawals are not claimed by `forcePartialWithdraw`
March 13, 2024
Medium
Deposit cancellation may fail
March 13, 2024
Medium
Reward and withdrawal payout getters might fail
March 13, 2024
Low
Owner set for implementation instead of proxy
March 5, 2024
Medium
Using deprecated Chainlink function
March 5, 2024
Medium
Using invalid Maker token address
March 5, 2024
Low
Incorrect ICS-20 balance on time-out
March 5, 2024
Critical
Arbitrary balance via dummy spend
March 5, 2024
Critical
Asset total supply can be inflated
March 5, 2024
Critical
Delegation tokens can be forged
March 5, 2024
Critical
Multiple positions with the same ID
March 5, 2024
Critical
IBC time-out packet is fallible
March 5, 2024
High
Division by zero in SwapExecution::max_price
March 5, 2024
High
Duplicate `validator::Definitions` in transaction
March 5, 2024
High
SwapClaim proof panic
March 5, 2024
High
Panic in `handle_batch_swaps`
March 5, 2024
High
Limit orders can be erroneously closed
March 5, 2024
Medium
Gas fees can be paid in any asset
March 5, 2024
Medium
Incorrect denom prefix replacement
March 5, 2024
Medium
Malicious validator can trigger epoch
March 5, 2024
Low
Unchecked addition in ICS-20 transfer
March 5, 2024
Low
No mechanism for debt write-off
March 5, 2024
Medium
Rate limiter can be abused
March 5, 2024
Medium
Data hash underconstrained
March 4, 2024
Critical
End hash underconstrained
March 4, 2024
Critical
Underconstrained `prove_subchain` inputs
March 4, 2024
Critical
End block height not range checked
March 4, 2024
Critical
Tendermint X skip underconstrained
March 4, 2024
Critical
Data commitment batch-size underflow
March 4, 2024
Low
Transfer return
February 29, 2024
Medium
Lack-of-pool check
February 29, 2024
Low
Origin spoofing
February 28, 2024
High
Improper URL handling
February 28, 2024
High
Improper host
February 28, 2024
High
Suboptimal symmetric key derivation
February 28, 2024
Medium
Suboptimal symmetric key derivation
February 28, 2024
Medium
Calm period detection
February 28, 2024
Critical
TWAP interval
February 28, 2024
High
Balances discontinuous
February 28, 2024
High
Calm period not checked
February 28, 2024
High
Paused state
February 28, 2024
Medium
Withdrawals might revert
February 28, 2024
Medium
Withdraw might not add liquidity again
February 28, 2024
Low
Vault withdraw slippage
February 28, 2024
Low
Deposit rounding
February 28, 2024
Low
Uniswap mint edge case
February 28, 2024
Low
Traders can increase collateral
February 22, 2024
Critical
Order ID reuse due to multiple `PriceUpkeeps`
February 22, 2024
Critical
Incorrect funding-rate calculation
February 22, 2024
High
Total open PNL improperly adjusted at zero price
February 22, 2024
High
Vault PNL per token is only scaled if negative
February 22, 2024
High
The `maxAllowedCollateral` check could be bypassed
February 22, 2024
Medium
Premium price feeds are not used
February 22, 2024
Medium
Value of `groupsCollaterals` could exceed
February 22, 2024
Medium
Extra `PRECISION_6` divides `utilizationFee`
February 22, 2024
Medium
Incorrect funding-rate calculation due to rounding
February 22, 2024
Medium
Centralization risk of trusted owner
February 22, 2024
Medium
Any allowance allows unlimited withdrawal changes
February 22, 2024
Low
Market-close time-out reissuance can be skipped
February 22, 2024
Low
Unexecutable trades added to `tradesToTrigger`
February 22, 2024
Low
No penalty for missed withdrawals from OstiumVault
February 22, 2024
Low
Trade closing can revert in `sendAssets`
February 22, 2024
Low
Locked deposit-discount accounting time
February 22, 2024
Low
Erroneous token transfer in `UpdateTokenShares`
February 22, 2024
High
The `_toLower` incorrectly handles Unicode
February 22, 2024
Medium
Session key `maxAmount` parameter is not stateful
February 14, 2024
Critical
Potential DOS
February 12, 2024
Critical
Preferential swaps
February 12, 2024
Critical
Withdraw leads to loss of stake
February 12, 2024
Critical
Centralization risks
February 12, 2024
High
Potential front-running for `buy`
February 6, 2024
Medium
Minimum confirmations check
February 5, 2024
High
Malicious libraries
February 5, 2024
Medium
Invariant may be calculated incorrectly
January 26, 2024
Medium
Incorrect operator in `_tweakPrice`
January 26, 2024
Low
Exit-fee arbitrage
January 26, 2024
Low
Rebalance asset/liability slippage
January 26, 2024
Low
Seed-deposit mispricing
January 26, 2024
Low
Incorrect calculation effectively removes fee
January 11, 2024
High
Front-runners can cancel any permit deposit
January 11, 2024
High
Completing unqueued withdrawal loses/locks funds
January 11, 2024
High
More than one strategy per token breaks accounting
January 11, 2024
Medium
Admins can steal funds by self-sandwiching swaps
January 11, 2024
Medium
Accumulated fee logic can prevent withdrawals
January 11, 2024
Low
ERC-20 deposit and queued withdrawal whitelists
January 11, 2024
Low
Centralization risk
January 9, 2024
Critical
Incorrect down payment calculation
January 9, 2024
Critical
Unused on-chain interest calculation
January 9, 2024
High
Zero interest automatically changed to maximum
January 9, 2024
Low
Loss of precision
January 9, 2024
Low
Missing length check
January 9, 2024
Low
Initializers not disabled
January 9, 2024
Low
User is able to revert a position being closed
January 9, 2024
Medium
Lack of input validation
December 21, 2023
Low
Reentrancy in the `manage` function
December 21, 2023
Low
Calls may be queued multiple times
December 8, 2023
High
Funds may be trapped in the protocol
December 8, 2023
Medium
Broker fees are not taken from swap amount
December 8, 2023
Critical
Removal-of-owners underflow
December 4, 2023
Medium
Wrong parameter used in revert
December 4, 2023
Low
Entries of `eoaOwners` not checked
December 4, 2023
Low
Stop loss higher than `openPrice` causes fund loss
December 1, 2023
Critical
Unsafe cast in take profit can lead to fund loss
December 1, 2023
Critical
No access control on `setWithdrawThreshold`
December 1, 2023
Critical
Reserve requirement checked before withdrawal
December 1, 2023
Critical
Locked shares have undue access to rewards
December 1, 2023
Critical
Max profit can exceed amount reserved from vault
December 1, 2023
Critical
Update margin uses new leverage
December 1, 2023
High
Partial trades update open-interest incorrectly
December 1, 2023
High
Referrer rebates must not decrease `totalRewards`
December 1, 2023
High
Precision loss in `totalLockPoints`
December 1, 2023
High
Wrong reserve ratio returned by getReserveRatio
December 1, 2023
High
Loss-protection tier is reduced for larger trades
December 1, 2023
High
Trading inflow much less than zero skew outflow
December 1, 2023
High
Arbitrage opportunities with older price feeds
December 1, 2023
Medium
Margin update assumes zero price in backup mode
December 1, 2023
Medium
Referral close function includes referrer rebate
December 1, 2023
Medium
Bot latency prevents limit-close order execution
December 1, 2023
High
Referrer-code transfer process breaks assumptions
December 1, 2023
Medium
Delayed force unlock causes reward insolvency
December 1, 2023
High
Price impact is not tracked cumulatively
December 1, 2023
Medium
Loss protection reduces the -100% cap on losses
December 1, 2023
Medium
Miscalculation of `totalPrincipalDeposited`
December 1, 2023
Low
Fee charged without market-order placement
December 1, 2023
Low
One account can register multiple referral codes
December 1, 2023
Low
Vault manager cannot access entire junior tranche
December 1, 2023
Low
The maxRedeem function should comply with ERC-4626
December 1, 2023
Low
Incorrect access control causes update lockout
December 1, 2023
Low
Trader contract can bypass max trades per pair
December 1, 2023
Low
Limit-order timelock not initialized on open
December 1, 2023
Low
Partial closes emit incorrect value
December 1, 2023
Low
Function lacks incorrect-payment sanity checks
December 1, 2023
Low
Anyone can become a validator
November 24, 2023
Critical
Storage not set properly
November 24, 2023
High
Out-of-bounds access
November 24, 2023
High
Inaccurate handling in `findModelerUpperBound`
November 24, 2023
Medium
Storage gaps improperly defined
November 24, 2023
Medium
Incorrect removal logic
November 24, 2023
Medium
Properties should be updated in `updateModel`
November 24, 2023
Low
No enforced minimum value on `fixedPriceMarkup`
November 14, 2023
Medium
Multiple events in the same TX cause loss of funds
November 14, 2023
Critical
TSS funds migration may not be done correctly
November 14, 2023
Medium
ZRC-20 mapping is overwritten on new deployment
November 14, 2023
Medium
ZRC-20 paused status can be bypassed
November 14, 2023
High
No slippage limit set in Uniswap swap
November 14, 2023
Medium
Median gas-price threshold
November 14, 2023
Medium
ZetaChain pays gas costs for EVM-to-zEVM transfers
November 14, 2023
High
Possible DOS on cross-chain messages
November 9, 2023
Critical
Large withdrawal may be blocked
November 9, 2023
High
No health checks
November 9, 2023
High
The `ecrecover` malleability
November 9, 2023
Medium
Function inputs need validation
November 9, 2023
High
Nonces not used in signatures
November 9, 2023
Medium
Default blocking behavior on LZ
November 9, 2023
High
Restore frozen balance
November 9, 2023
Medium
Incorrect trade-volume calculation
November 7, 2023
High
Missing selector validation
November 6, 2023
High
Potential guardian deanonymization risk
November 6, 2023
Low
Addition for equal summands wrong
October 30, 2023
High
Signatures with large `r` rejected
October 30, 2023
High
Validity of public keys
October 30, 2023
High
Collateral inflation
October 30, 2023
Critical
Free liquidation
October 30, 2023
Critical
Interest theft
October 30, 2023
Critical
Centralized pricing arbitrage
October 30, 2023
High
Slippage is set to zero during swap
October 30, 2023
High
EIP-712 fork replayable signature
October 30, 2023
High
Assure debtors are auctionable
October 30, 2023
Medium
Calculations reduce value of user collateral
October 30, 2023
Low
ERC-4626 vault inflation
October 30, 2023
Medium
Emissions can be claimed multiple times
October 30, 2023
Critical
Value can be artificially inflated
October 30, 2023
High
The lack of token addresses' verification
October 30, 2023
High
The lack of verification of the payload data
October 30, 2023
High
Incorrect loop implementation in function
October 30, 2023
Low
Array out-of-bound exception in `_removeVaults`
October 30, 2023
Low
The function `_removeVaults` returns early
October 30, 2023
Low
The `weightStrategy` range violation
October 30, 2023
Low
Incompatibility with USDT token
October 30, 2023
Medium
Conversion does not account for token decimals
October 30, 2023
Medium
Malicious users can profit
October 30, 2023
Medium
Incorrect `weights` calculation
October 30, 2023
Medium
Incorrect return value in `fetchEpochIds`
October 30, 2023
Medium
Attacker-deployed ERC-20s
October 20, 2023
High
Arbitrage opportunities bypass deposit limits
October 20, 2023
High
Bundler calls can be identified and front-run
October 20, 2023
Low
Operation with zero joinsplits can be tampered
October 20, 2023
Low
Note encryption is unconstrained
October 20, 2023
Low
Denial of service
October 16, 2023
Low
Authentication bypass
October 12, 2023
Critical
Fee payer authentication
October 12, 2023
Critical
Any/all authenticators skip postexecution checks
October 12, 2023
High
Multiple signers' auth bypass
October 12, 2023
High
Incorrect validationLearn more
October 12, 2023
Medium
Authentication bypassLearn more
October 12, 2023
Medium
Incorrect error checkLearn more
October 12, 2023
Low
Panic for zero signersLearn more
October 12, 2023
Low
Fee payer authenticationLearn more
October 12, 2023
Low
Insufficient test coverage
October 2, 2023
Low
Vester incorrect burn
September 21, 2023
High
Cancellation still allows rewards to be claimed
September 21, 2023
Medium
Test coverage
September 15, 2023
Low
First depositor issue
Sept 13, 2023
Low
Flywheel index mismatch issue during `optOut`
September 7, 2023
High
ERC-4626 inflation attack
August 25, 2023
Critical
Negative liquidations can cause bank run
August 25, 2023
High
Markets missing slippage protection
August 25, 2023
Medium
Reentrancy due to unauthenticated calls
August 25, 2023
Low
Malicious market can drain funds from MultiInvoker
August 25, 2023
Low
The `lastWithdrawalAt` is not initialized
August 17, 2023
Low
Signature bypass
August 14, 2023
Critical
PasskeyDecodeError
August 14, 2023
High
Missing tests
August 14, 2023
Medium
Modexp gas limit
August 14, 2023
High
CurveTestFailures
August 14, 2023
High
Withdrawal finalization does not work
August 14, 2023
High
Disputed actions are not blocked
August 14, 2023
High
High-fraction liquidations
July 31, 2023
Critical
Boost delegator might not receive delegate fee
July 31, 2023
Low
Risk of unintended token minting
July 25, 2023
High
Possible DOS
July 25, 2023
Medium
No storage gap
July 25, 2023
Medium
Migrate recalled
July 12, 2023
Medium
Param limit
July 12, 2023
Low
Ethermint Ante handler bypass
July 12, 2023
High
Missing `nil` check in Zetaclient
July 12, 2023
High
Admin policy check will always fail
July 12, 2023
Medium
Initializer
July 11, 2023
High
Fee-on-transfer tokens
July 11, 2023
Low
Insecure default value for JWT secret
July 10, 2023
Medium
Inconsistencies in signers and roles
July 5, 2023
Medium
Lack of input validation
July 5, 2023
Low
Margin ratio not checked
July 3, 2023
Critical
Iterating over maps
July 3, 2023
High
AMM price manipulation
July 3, 2023
Critical
Sender is not checked
July 3, 2023
Critical
Wasm bindings validation
July 3, 2023
Critical
Incorrect TWAP price
July 3, 2023
High
Panic in `EndBlock` hooks
July 3, 2023
High
TWAP not updated
July 3, 2023
High
`BeginBlocker` chain halt
July 3, 2023
High
Large `rewardSpread`
July 3, 2023
High
ZK and MPT Verifiers
June 26, 2023
High
Test suite
June 26, 2023
Low
Missing registry check in `restrict`
May 12, 2023
Low
Restriction pattern creates centralization risk
May 12, 2023
Low
Missing valid vault address check in processDepositQueue
March 9, 2023
High
A malicious or compromised trader admin may lead to locked funds
March 9, 2023
Medium
The vaultAddress validity check can be bypassed
March 9, 2023
Medium
Ability to deposit on other users' behalf
March 9, 2023
Medium
Missing status check in openVaultDeposits
March 9, 2023
Low
Missing sanity checks for crucial protocol parameters
March 9, 2023
Medium
Gas griefing using zero-value deposits and withdrawals
March 9, 2023
Low