code-423n4 2024-02-tapioca-findings issues

code-423n4 / 2024-02-tapioca-findings

1 stars 1 forks source link

issues

Newest

Newest Most commented Recently updated Oldest Least commented Least recently updated

Upgraded Q -> 2 from #184 [1712936233288]

#188 c4-judge closed 2 months ago
2
Upgraded Q -> 2 from #184 [1712935796435]

#187 c4-judge closed 2 months ago
2
[H10] `MagnetarMintXChainModule.sol`:`mintBBLendXChainSGL` can be used to manipulate user positions by abusing whitelist privileges

#185 c4-bot-2 opened 3 months ago
3
QA Report

#184 c4-bot-3 opened 3 months ago
1
Gas Optimizations

#183 c4-bot-8 opened 3 months ago
2
Missing an option to wrap Singularity tokens in `mintBBLendSGLLockTOLP` function to be able to lock into OLP

#182 c4-bot-5 closed 3 months ago
4
QA Report

#181 c4-bot-5 opened 3 months ago
1
Missing unwrap configuration when withdrawing cross-chain in the `depositYBLendSGLLockXchainTOLP()` function of MagnetarAssetXChainModule results in being unable to lock and participate on the destination chain

#180 c4-bot-9 opened 3 months ago
6
[H9] Missing check on helper contract allows arbitrary actions and theft of assets

#179 c4-bot-5 opened 3 months ago
11
QA Report

#178 c4-bot-2 opened 3 months ago
3
pool rescue timelock can be bypassed

#177 c4-bot-7 closed 2 months ago
7
`tOLP` positions created through `MagnetarAction.Permit` can be stolen

#176 c4-bot-6 opened 3 months ago
7
Spearbit finding 5.2.2 not fixed

#175 c4-bot-6 opened 3 months ago
5
`MagnetarAction.Permit` interaction with `Pearlmit` wrongly assumes second argument is owner

#174 c4-bot-6 opened 3 months ago
7
anyone holding TapTokens needs to be in control of their address on all chains `TAP` is deployed on

#173 c4-bot-4 closed 3 months ago
10
anyone with a `Pearlmit` approval to transfer `TapToken` can have their funds stolen

#172 c4-bot-10 opened 3 months ago
7
anyone can claim rewards for users with approval to `TapToken` or steal the whole position

#171 c4-bot-10 closed 2 months ago
5
anyone can take any whitelisted tokens approved to `Magnetar`

#170 c4-bot-10 closed 3 months ago
7
`MagnetarAction.Market` wrongly assumes `owner` is first parameter in `IMarket.execute.selector`

#169 c4-bot-9 opened 3 months ago
5
`MagnetarAction.TapToken` integration will leave tokens stuck in `Magnetar` contract

#168 c4-bot-4 closed 3 months ago
4
Vesting vests too much when `initialUnlock` is used

#167 c4-bot-9 closed 3 months ago
7
AirdropBroker / TapiocaOptionBroker cannot ensure that paymentTokenValuation's decimals in _getDiscountedPaymentAmount is 18

#166 c4-bot-6 closed 3 months ago
4
`TwTAP` participation can be bricked stopping user to participate

#165 c4-bot-5 closed 3 months ago
6
misaligned incentive model for `twAML` in `TapiocaOptionBroker`

#164 c4-bot-8 opened 3 months ago
5
Missing slippage check when depositing to YieldBox

#163 c4-bot-6 closed 2 months ago
7
The order of composed messages is reversed during the `depositYBLendSGLLockXchainTOLP()` function of MagnetarAssetXChainModule

#162 c4-bot-9 closed 3 months ago
4
Tokens deposited will be stuck in `depositRepayAndRemoveCollateralFromMarket` function if user attempts to execute the deposit step but skip the repay step

#161 c4-bot-9 opened 3 months ago
10
Approval for pearlmit is missing before repaying in the `depositRepayAndRemoveCollateralFromMarket` function of MagnetarAssetModule

#160 c4-bot-6 closed 3 months ago
6
`exitPositionAndRemoveCollateral` function of MagnetarOptionModule calls `removeAsset()` with the wrong value

#159 c4-bot-7 closed 3 months ago
7
`depositRepayAndRemoveCollateralFromMarket` function of MagnetarAssetModule can't be used on behalf of user

#158 c4-bot-9 opened 3 months ago
4
`depositYBLendSGLLockXchainTOLP` function of the MagnetarAssetXChainModule will not work because it transfers Singularity tokens to the user before `_withdrawToChain`

#157 c4-bot-5 opened 3 months ago
10
`_lockOnTOB` function of MagnetarMintCommonModule will not work due to the missing approved asset for YieldBox before depositing

#156 c4-bot-9 opened 3 months ago
4
`_lzCustomWithdraw` function of MagnetarBaseModule will not send any tokens cross-chain

#155 c4-bot-4 closed 2 months ago
12
Missing conversion of deposited assets to borrow parts before repayment in MagnetarAssetModule

#154 c4-bot-9 opened 3 months ago
10
Incorrect return value of function `BaseTapiocaOmnichainEngine._payNative()`

#153 c4-bot-7 opened 3 months ago
7
Attacker can drain all tap token from victim's wallet using function `BaseTapiocaOmnichainEngine::transferFrom()`

#152 c4-bot-9 closed 3 months ago
5
Attacker can create an DOS for every composed messages that contains permit message type by front-running

#151 c4-bot-5 closed 3 months ago
6
The introduction of `__initialUnlockTimeOffset` may allow the attacker to vest more tokens than anticipated

#150 c4-bot-9 closed 3 months ago
3
User can't exercise the option with `paymentToken` that has decimals > 18

#149 c4-bot-4 closed 3 months ago
4
The attacker can exercise the TAP option twice by just locking their position for slightly more than one week

#148 c4-bot-9 closed 3 months ago
5
Incorrect use of `_removeDust()` in function `TapTokenReceiver._claimTwpTapRewardsReceiver()`

#147 c4-bot-7 opened 3 months ago
4
Use safeTransfer/safeTransferFrom consistenly instead of transfer/transferFrom

#146 c4-bot-8 closed 3 months ago
5
The attacker can steal the reward from twTAP by utilizing the function `TapTokenReceiver::_claimTwpTapRewardsReceiver()`

#145 c4-bot-7 closed 3 months ago
3
Unable to decode the `duration` parameter in the function `TapTokenC::decodeLockTwpTapDstMsg()`

#144 c4-bot-8 closed 3 months ago
6
TAP tokens will be lost in the event that no singularities are registered for a week

#143 c4-bot-8 opened 3 months ago
10
Absence of restrictions on the sender of the `twTAP.claimsReward()` function could enable attackers to freeze reward tokens within the Tap token contract

#142 c4-bot-7 opened 3 months ago
10
QA Report

#141 c4-bot-10 opened 3 months ago
1
[M15] Magnetar's `mintBBLendSGLLockTOLP` reverts when `lock` is set to false

#140 c4-bot-3 opened 3 months ago
4
[M14] Missing approval in Mangetar's `_lockOnTOB` function results in broken functionality

#139 c4-bot-1 closed 3 months ago
3
[M13] Magnetar's `depositYBLendSGLLockXchainTOLP` fails if deposit is skipped

#138 c4-bot-3 closed 3 months ago
5