code-423n4 2024-03-abracadabra-money-findings issues

code-423n4 / 2024-03-abracadabra-money-findings

9 stars 7 forks source link

issues

Newest

Newest Most commented Recently updated Oldest Least commented Least recently updated

Factory::create() is vulnerable to reorg attacks

#211 c4-bot-8 opened 8 months ago
15
QA Report

#210 c4-bot-2 opened 8 months ago
5
no user withdrawal mechanism for locked token in BlastOnboarding contract

#209 c4-bot-4 closed 7 months ago
5
The `_rewardPerToken` Function performs mainly internal logic but it is marked public instead of internal exposing it to multiple external calls

#208 c4-bot-9 opened 8 months ago
7
Gas Optimizations

#207 c4-bot-9 closed 8 months ago
3
Attacker can call `removeLiquidity` on the router contract with `sharesIn` greater than their actual balance.

#206 c4-bot-7 closed 7 months ago
4
Implementation in FlashLoan can lead to manipulation of reserves and drain funds in pool

#205 c4-bot-9 closed 8 months ago
2
Gas Optimizations

#204 c4-bot-1 opened 8 months ago
5
Changing Parameters using `setParameters` will create a sandwich opportunity

#203 c4-bot-8 closed 8 months ago
3
Implementation owner can steal all Base/Quote Tokens if tokens are Proxied Tokens

#202 c4-bot-7 closed 8 months ago
3
QA Report

#201 c4-bot-4 opened 8 months ago
5
Protocol queries chainlink's deprecated pricing function which is not sufficiently validated and could return stale prices

#200 c4-bot-1 closed 8 months ago
4
ReardTokens can't be removed

#199 c4-bot-8 opened 8 months ago
7
MissingwhenNotpaused modifer

#198 c4-bot-7 closed 7 months ago
6
No Slippage Protection in `buyShares` can lead to Losses for User

#197 c4-bot-7 closed 7 months ago
6
DoS in creation of certain pools using `Router` due to incorrect Validation

#196 c4-bot-4 closed 8 months ago
3
Incorrect Method of Price calculation in `MagicLpAggregator` Allows for LP Price Manipulation

#195 c4-bot-10 closed 8 months ago
4
`BlastOnboarding` contract: users deposits will be stuck if they have locked deposits after claiming

#194 c4-bot-10 closed 7 months ago
8
`MagicLp` contract: pool can be drained if any of the reserves are empty

#193 c4-bot-7 closed 7 months ago
6
wrong implement of 'sqrt' function

#192 c4-bot-7 closed 8 months ago
5
`MagicLpAggregator.latestAnswer()` doesn't return the price in 18 decimals

#191 c4-bot-7 closed 8 months ago
3
`buyShares` function will never work and always DoS when deployed

#190 c4-bot-7 closed 7 months ago
7
`LockingMultiRewards` contract: rewards calculation assumes that staking token is always of 18 decimals

#189 c4-bot-10 closed 7 months ago
4
Missing upper limit in setfee ( centralization risk )

#188 c4-bot-7 closed 8 months ago
4
Users can be griefed by staking unlocked dust amounts on their behalf

#187 c4-bot-7 closed 7 months ago
5
First deposit can unintentionally lock the quote target value to zero

#186 c4-bot-7 closed 8 months ago
1
Incorrect rewards calculation with low balances (rounding down to zero)

#185 c4-bot-9 closed 7 months ago
5
Incorrect deployment of `MagicLP` will make zero address as owner and DoS every `onlyImplementationOwner` modifier functions

#184 c4-bot-9 closed 7 months ago
5
The staker will lose from his accumulated rewards if his locks are expired and processed by the operator

#183 c4-bot-2 closed 7 months ago
4
`LockingMultiRewards` contract: the first staker can inflate `_rewardData[token_].rewardPerTokenStored`

#182 c4-bot-6 closed 7 months ago
5
Gas Optimizations

#181 c4-bot-2 closed 8 months ago
3
`LockingMultiRewards` contract: users will be able to claim more rewards than they are entitled to by calling `withdrawWithRewards()`

#180 c4-bot-5 closed 7 months ago
5
`MagicLp.flashLoan` function can be exploited to empty the contract base and quote tokens balances

#179 c4-bot-4 closed 7 months ago
5
`MagicLp.buyShares()`: a malicious actor can mint himself the `totalSupply` of the shares token with dust amounts if the reserves are empty

#178 c4-bot-2 closed 7 months ago
3
`MagicLp` contract: updating base/quote tokens price (`_I_`) can be sandwiched by arbitrageurs

#177 c4-bot-5 closed 8 months ago
2
Gas Optimizations

#176 c4-bot-4 opened 8 months ago
4
function swapTokensForETH, function sellBaseTokensForETH, function sellQuoteTokensForETH, function removeLiquidityETH sends ether to an address not marked as payable.

#175 c4-bot-4 closed 7 months ago
4
BLAST_POINTS_OPERATOR might be wrong

#174 c4-bot-4 closed 7 months ago
2
QA Report

#173 c4-bot-8 opened 8 months ago
3
Gas Optimizations

#172 c4-bot-3 closed 8 months ago
3
Adjusting "_I_" will create a sandwich opportunity because of price changes

#171 c4-bot-7 opened 8 months ago
7
wrong implementation of powFloor

#170 c4-bot-4 closed 7 months ago
6
Automative characteristic influence mimswap

#169 c4-bot-5 closed 8 months ago
2
Initialization Checks

#168 c4-bot-4 closed 7 months ago
5
`MagicLpAggregator::latestAnswer` function will **always return 0** due to missing return in `_getReserves` function breaking all the logic wherever it is used to get price.

#167 c4-bot-4 closed 8 months ago
6
Griefing attack: small stakes reward griefing due to rounding down to 0

#166 c4-bot-7 closed 7 months ago
10
`MagicLPAggregator` will return wrong price for base tokens less than 18 decimals.

#165 c4-bot-7 closed 8 months ago
5
The lock() function does not check if the amount being locked is greater than or equal to the minLockAmount.

#164 c4-bot-2 closed 7 months ago
3
In `MagicLpAggregator.latestAnswer()` and `MagicLpAggregator.latestRoundData()`, there is missing check for active Arbitrum Sequencer

#163 c4-bot-6 closed 7 months ago
9
Gas Optimizations

#162 c4-bot-3 closed 8 months ago
2

Previous Next