code-423n4 2024-02-thruster-findings issues

code-423n4 / 2024-02-thruster-findings

2 stars 1 forks source link

issues

Newest

Newest Most commented Recently updated Oldest Least commented Least recently updated

Upgraded Q -> 2 from #21 [1710810629649]

#33 c4-judge closed 6 months ago
4
Upgraded Q -> 2 from #21 [1710478061247]

#31 c4-judge closed 6 months ago
2
Tickets will be lost if they're entered after `MAX_ROUND_TIME`

#30 c4-bot-7 opened 7 months ago
11
Analysis

#29 c4-bot-7 opened 7 months ago
2
Tickets can be entered after prizes for current round have partially been distributed

#28 c4-bot-1 opened 7 months ago
12
`claimPrizesForRound` transfers the entire amount deposited for a prize regardless of the number of winners

#27 c4-bot-10 opened 7 months ago
5
Risk of losing prizes for early claims in `ThrusterTreasure`

#26 c4-bot-6 opened 7 months ago
12
Dynamic modification of `maxPrizeCount` affects prize claims

#25 c4-bot-6 opened 7 months ago
6
Incorrect gas claiming logic in ThrusterPoolDeployer

#24 c4-bot-6 opened 7 months ago
6
QA Report

#23 c4-bot-10 opened 7 months ago
2
Gas Optimizations

#22 c4-bot-3 opened 7 months ago
3
QA Report

#21 c4-bot-9 opened 7 months ago
4
Time to enter the tickets and claim the prize is highly uncertain due to setWinningTickets() can be called at any time

#20 c4-bot-7 closed 6 months ago
11
Weired design when setting the winner tickets allows one tickets to win different prizeIndex and win more than time within the same prizeIndex

#19 c4-bot-3 closed 6 months ago
7
Prize deposited through setPrize() is insufficient to be distributed to all winners

#18 c4-bot-3 closed 6 months ago
4
Lottery winners might lose some of their entitled prize due to vulnerable implementation in claimPrizesForRound()

#17 c4-bot-8 closed 6 months ago
5
QA Report

#16 c4-bot-8 opened 7 months ago
4
A lottery winner can steal rewards from other winners and drain the ThrusterTreasure's funds.

#15 c4-bot-10 closed 6 months ago
4
PoolDeployer will lose all gas yield due to incorrect claiming implementation

#14 c4-bot-1 closed 6 months ago
5
Incorrect hardcoded USDB and WETH asset address for Blast mainnet, leading to USDB and WETH rewards not claimable on Blast mainnet.

#13 c4-bot-10 opened 7 months ago
9
ThrusterFactory.setYieldCut should claim fees for all pools before

#12 c4-bot-8 opened 7 months ago
4
ThrusterTreasure doesn't have ability to claim native yield

#11 c4-bot-3 closed 7 months ago
1
setMaxPrizeCount function may lock some prizes

#10 c4-bot-4 closed 6 months ago
4
Analysis

#9 c4-bot-7 opened 7 months ago
1
Winner can be manipulated by frontrunning

#8 c4-bot-10 closed 6 months ago
6
If ThrusterTreasure.setRoot is called before winners selection, result will be wrong

#7 c4-bot-4 opened 7 months ago
8
User can claim rewards when not all prizes are distributed yet

#6 c4-bot-2 closed 6 months ago
4
Gas Optimizations

#5 c4-bot-7 opened 7 months ago
2
ThrusterPoolDeployer will not be able to claim gas fees

#4 c4-bot-5 closed 6 months ago
10
Protocol uses wrong addresses as weth and usdb

#3 c4-bot-9 opened 7 months ago
4
QA Report

#2 c4-bot-3 opened 7 months ago
2
Agreements & Disclosures

#1 code423n4 opened 7 months ago
0