issues
search
code-423n4
/
2024-05-loop-findings
4
stars
4
forks
source link
issues
Newest
Newest
Most commented
Recently updated
Oldest
Least commented
Least recently updated
Inaccurate Calculation of lpETH During Token Claiming
#36
howlbot-integration[bot]
closed
4 months ago
7
User can maliciously lock specific tokens (`ETH` and `WETH`) to gain additional `lpETH` tokens unfairly, if `ETH` was mistakenly deposited by someone.
#35
howlbot-integration[bot]
closed
4 months ago
7
User can manipulate locking mechanism by locking small amount of wrapped `LRT` then send the rest of the ethers at the claim date
#34
howlbot-integration[bot]
closed
4 months ago
4
Availability of deposit invariant can be bypassed
#33
howlbot-integration[bot]
opened
4 months ago
10
Users can claim and mint tokens that they have not locked
#32
howlbot-integration[bot]
closed
4 months ago
8
Users can break a main invariant by manipulating the exchange rate
#31
howlbot-integration[bot]
closed
3 months ago
9
User can get as much `lpETH` as he wants with low locked amount of tokens
#30
howlbot-integration[bot]
closed
4 months ago
3
Malicious user can lock all lpETH using wrapped LRT from being claimed via a direct donation
#29
howlbot-integration[bot]
closed
3 months ago
3
Attackers could steal the ETH contained in the PrelaunchPoints contract
#28
howlbot-integration[bot]
closed
4 months ago
5
User can bypass the locking mechanism and still be able to get as big amount of `lpETH` as he wants
#27
howlbot-integration[bot]
closed
4 months ago
3
[H-1] `PrelaunchPoints::lock, lockFor` allows a users to lock s small amount of LRT token and then force ether into the contract claiming as much lpETH as they want, removing the risk of locking a lot of tokens and braking the 2nd invariant
#26
howlbot-integration[bot]
closed
4 months ago
3
Users are able to get more lpETH tokens than they have staked for during the locking period
#25
howlbot-integration[bot]
closed
4 months ago
6
Users can claim the eth accidently sent to PrelaunchPoints using the claim function
#24
howlbot-integration[bot]
closed
4 months ago
7
Users can raise the `lpETH` tokens out of the locking process
#23
howlbot-integration[bot]
closed
4 months ago
5
Unaccounted ETH Deposits May Lead to Unintended `lpETH` Minting and Staking
#22
howlbot-integration[bot]
closed
4 months ago
6
Users don't claim the correct amount of `lpETH` token, violating the invariant
#21
howlbot-integration[bot]
closed
4 months ago
5
Malicious user can claim any amount of ``lpeth`` and stake that amount without depositing equivalent amount of ETH/WETH or other LRT's in a specific case.
#20
howlbot-integration[bot]
closed
4 months ago
5
Users can bypass locking funds and use claim directly
#19
howlbot-integration[bot]
closed
4 months ago
3
Users can claim more lpETH than locked ETH in case of someone sends ETH to the contract directly
#18
howlbot-integration[bot]
closed
3 months ago
9
Reverting Withdrawal During Emergency Mode
#17
howlbot-integration[bot]
closed
3 months ago
5
Inconsistent Emergency Mode Handling in `withdraw` Function
#16
howlbot-integration[bot]
closed
4 months ago
2
Missing withdrawal time check for non-ETH tokens
#15
howlbot-integration[bot]
closed
4 months ago
3
During emergency withdraw() if the token is ERC20 then it doesn't check block.timestamp with `startClaimDate`
#14
howlbot-integration[bot]
closed
4 months ago
2
Potential Loss of ETH to Zero Address on Claim
#13
howlbot-integration[bot]
closed
3 months ago
6
Wrong `if` statement in the `_validateData` function causes the `claim` function always to revert when claiming tokens that are not ETH
#12
howlbot-integration[bot]
closed
3 months ago
2
function `_validateData` Allows recipient to be set to zero address when ` (_exchange == Exchange.UniswapV3)`
#11
howlbot-integration[bot]
closed
3 months ago
5
Recipient address(0) may result in loss of funds
#10
howlbot-integration[bot]
closed
3 months ago
5
The absence of a zero address check when users transfer tokens in the `_validateData` function can result in the loss of user funds.
#9
howlbot-integration[bot]
closed
3 months ago
3
Incorrect recipient validation
#8
howlbot-integration[bot]
closed
3 months ago
6
Incorrect Validation Logic for Swap Recipient Address in `function _validateData`
#7
howlbot-integration[bot]
closed
3 months ago
2
it is possible to claim `lpETH` anytime after the `startClaimDate` without locking assets from before
#6
howlbot-integration[bot]
closed
3 months ago
5
`withdraw` can be maliciously used to mint gas tokens
#5
howlbot-integration[bot]
closed
3 months ago
3
QA Report
#4
c4-bot-10
closed
3 months ago
2
Users can exploit `claim()` to withdraw their locked tokens when they are not allowed.
#3
c4-bot-1
closed
3 months ago
4
QA Report
#2
c4-bot-4
opened
4 months ago
3
Agreements & Disclosures
#1
code4rena-id[bot]
opened
4 months ago
0
Previous