code-423n4 2023-12-initcapital-findings issues

code-423n4 / 2023-12-initcapital-findings

3 stars 3 forks source link

issues

Newest

Newest Most commented Recently updated Oldest Least commented Least recently updated

Upgraded Q -> 2 from #8 [1703832984112]

#47 c4-judge closed 8 months ago
2
QA Report

#46 c4-bot-5 opened 8 months ago
2
RebaseHelperParams.rebaseHelperParams.helper is not whitelisted, which could lead to user mistakes or phishing attacks

#45 c4-bot-6 opened 8 months ago
5
Possible price manipulation in InitOracle due to lack of checks

#44 c4-bot-3 opened 8 months ago
6
Liquidations can possibly be prevented if a liquidate call frontruns another one with a partial liquidation

#43 c4-bot-7 opened 8 months ago
7
Liquidations can be prevented by frontrunning and liquidating 1 debt (or more) due to wrong assumption in POS_MANAGER

#42 c4-bot-2 opened 8 months ago
7
A wLP collateral that is no longer whitelisted but was at some point won't let users decollateralize or be liquidated

#41 c4-bot-3 closed 8 months ago
2
Users can avoid liquidation by splitting their positions into smaller ones

#40 c4-bot-2 closed 8 months ago
5
Api3OracleReader may be unavailable up to 1 hour if the timestamp of the price from the Api3Server is bigger than the current block.timestamp

#39 c4-bot-3 closed 8 months ago
3
repay(), liquidate() and liquidateWLp() receive shares as argument, which may revert if from approval to tx settled blocks have passed

#38 c4-bot-1 opened 8 months ago
5
burn() and borrow() in LendingPool are very likely to revert due to insufficient cash and could be triggered maliciously

#37 c4-bot-1 closed 8 months ago
7
Decimals of LendingPool don't take into account the offset introduced by VIRTUAL_SHARES

#36 c4-bot-2 opened 8 months ago
4
QA Report

#35 c4-bot-2 opened 8 months ago
4
Gas Optimizations

#34 c4-bot-8 opened 8 months ago
2
Liquidators could front-run repay tx after protocol 'unpausing' event

#33 c4-bot-4 opened 8 months ago
10
Delisted wLp still could be used for collateralization by changing position mode

#32 c4-bot-8 closed 8 months ago
2
wLp tokens could be stolen

#31 c4-bot-8 opened 8 months ago
4
Lack of `receive()` inside `MoneyMarketHook` contract when interacting with `WNATIVE`.

#30 c4-bot-6 closed 8 months ago
3
When the `returnNative` parameter is set to true in the `_params` provided to `MoneyMarketHook.execute`, it is not handled properly and could disrupt user expectations

#29 c4-bot-4 opened 8 months ago
5
`_handleRepay` of `MoneyMarketHook` does not consider the actual debt shares of the `posId` inside the position manager and could lead to a user's tokens getting stuck inside the hook.

#28 c4-bot-5 opened 8 months ago
7
`LendingPool` interest should not accrue when pool's repay is paused

#27 c4-bot-8 closed 8 months ago
2
`setPosMode` should not allow changing the mode when the new mode's `canRepay` status is disabled

#26 c4-bot-2 opened 8 months ago
4
`collateralizeWLp` can be bypassed even when collateralization is paused

#25 c4-bot-5 opened 8 months ago
8
Position owners can steal others position's `Wlp` collaterals

#24 c4-bot-2 closed 8 months ago
3
Gas Optimizations

#23 c4-bot-6 opened 8 months ago
3
setPosMode function doesn't check if wLp is whitelisted

#22 c4-bot-3 opened 8 months ago
6
Liquidator can get higher rate for liquidation

#21 c4-bot-9 closed 8 months ago
5
Interest still accuring when repayment is paused, creating debt that cannot be repaid

#20 c4-bot-4 closed 8 months ago
2
Malicious user can still native tokens of MoneyMarketHook caller

#19 c4-bot-3 opened 8 months ago
9
InitCore.liquidate will revert in case if poolOut is paused for collateral

#18 c4-bot-7 closed 8 months ago
1
TRST-M-8 from previous audit still present

#17 c4-bot-10 opened 8 months ago
6
TRST-M-1 finding from previous audit still exists

#16 c4-bot-10 closed 8 months ago
2
bad debt is not socialized

#15 c4-bot-6 closed 8 months ago
20
InitiCore.liquidate uses stale toShares function

#14 c4-bot-9 closed 8 months ago
5
In case if wLP will be blacklisted then user will not be able to withdraw it

#13 c4-bot-9 opened 8 months ago
5
Small positions are allowed in the system that are not profitable for liquidators

#12 c4-bot-2 closed 8 months ago
5
Should count pending harvest reward and already harvested reward as collateral credit if the collateral is WLP

#11 c4-bot-2 closed 8 months ago
4
Use WLP as collateral can bypass the supply cap check for underlying asset exposure

#10 c4-bot-6 opened 8 months ago
7
Lack of way to handle not fully repaid bad debt after liquidation after the lending pool share or WLP are fully seized

#9 c4-bot-10 opened 8 months ago
4
QA Report

#8 c4-bot-3 opened 8 months ago
4
Analysis

#7 c4-bot-9 opened 8 months ago
3
Should let liquidator seize the pending harvested reward and already harvested reward instead of letting original position nft owner who failed to pay the debt claim the reward

#6 c4-bot-8 closed 8 months ago
4
Repayment or liquidation can be blocked if debt ceiling amount is decreased

#5 c4-bot-3 closed 8 months ago
5
API3 oracle timestamp can be set to future timestamp and block API3 Oracle usage to make code revert in underflow

#4 c4-bot-7 opened 8 months ago
5
admin configuration isAllowedForCollateral(mode, pool) can be bypassed by donating asset to the pool directly and then trigger sync cash via flashloan

#3 c4-bot-2 opened 8 months ago
6
MoneyMarketHook.sol is not capable of handling and receive WETH in function execute when WETH is unwrapped to ETH

#2 c4-bot-3 closed 8 months ago
7
Agreements & Disclosures

#1 code423n4 opened 8 months ago
0