hats-finance / Origami-0x998f1b716a5022be026ca6b919c0ddf45ca31abd
GNU Affero General Public License v3.0
2 stars, 0 forks
issues
Audit Report Draft Update
#64
shayzluf
opened
2 months ago
0
the `repay()` function will revert if repay interest rate updates
#63
hats-bug-reporter[bot]
opened
6 months ago
3
An attacker can bypass the dynamic fees in `lovStEth` vault under certain depeg conditions, and extract value from honest depositors
#62
hats-bug-reporter[bot]
opened
7 months ago
3
`OrigamiOToken::exitToToken()` - L115: Missing return value check for `_transfer()` for oToken, and additionally should use `safeTransfer()` instead.
#61
hats-bug-reporter[bot]
opened
7 months ago
4
`RepricingToken::checkpointReserves()` - L168: Should use `<=` here, NOT `<`, otherwise it allows for checkpointing pending reserves BEFORE the `reservesVestingDuration` has completely passed.
#60
hats-bug-reporter[bot]
opened
7 months ago
3
`LinearWithKinkInterestRateModel::_setRateParams()` - L89: Should use `>` not `>=` for `(_kinkUtilizationRatio >= PRECISION)`.
#59
hats-bug-reporter[bot]
opened
7 months ago
2
hardcoding aave pool address is a serious aave integration flaw because valid pool addresses can change
#58
hats-bug-reporter[bot]
opened
7 months ago
3
Changing `globalInterestRateModel` needs to be automatically reflected or trigger borrowers refresh
#57
hats-bug-reporter[bot]
opened
7 months ago
2
Hardcoded rounding strategy in `DynamicFees::dynamicFeeBps()` rounds against the protocol on lovTokens deposits
#56
hats-bug-reporter[bot]
opened
7 months ago
2
In some cases, the redemption process in the Repricing Token may be reverted.
#55
hats-bug-reporter[bot]
opened
7 months ago
3
It is not possible to rebalance-down the `lovDsr` strategy when the USDC borrows circuit-breaker cap is hit, even when using `forceRebalanceDown()`
#54
hats-bug-reporter[bot]
opened
7 months ago
2
Incorrect thresholds configuration in `OrigamiIdleStrategyManager` will make the two thresholds compete against each other
#53
hats-bug-reporter[bot]
opened
7 months ago
1
There may be a lesser amount of Aave aTokens than what is tracked in the OrigamiAaveV3BorrowAndLend.
#52
hats-bug-reporter[bot]
opened
7 months ago
2
The donated debt token can be used for repayment when attempting to rebalance up in the OrigamiLovTokenFlashAndBorrowManager.
#51
hats-bug-reporter[bot]
opened
7 months ago
2
`OrigamiAbstractLovTokenManager::maxInvest()` does not take into account the `redeemableReservesBuffer()`
#50
hats-bug-reporter[bot]
opened
7 months ago
4
latestPrice() doesn't check Arbitrum l2 chainlink feed is active
#49
hats-bug-reporter[bot]
opened
7 months ago
8
The rounding direction is inverted in the _maxUserReserves function
#48
hats-bug-reporter[bot]
opened
7 months ago
4
In OrigamiAaveV3BorrowAndLend, the ability to recover borrowToken should be restricted
#47
hats-bug-reporter[bot]
opened
7 months ago
6
Some USDC tokens are missing when calculating the global available borrow amount and global utilization ratio.
#46
hats-bug-reporter[bot]
opened
7 months ago
1
When we update the old IdleStrategy, there may be some USDC tokens in that.
#45
hats-bug-reporter[bot]
opened
7 months ago
1
`OrigamiLendingClerk::borrowMax()` will revert every time `_availableToBorrow()` returns a higher value than the remaining amount until hitting the circuit-breaker cap
#44
hats-bug-reporter[bot]
opened
7 months ago
2
Dangling approvals in `FlashLoanProvider` contract with Aave pools as spenders
#43
hats-bug-reporter[bot]
opened
7 months ago
2
Insufficient input validation in `LinearWithKinkInterestRateModel::_setRateParams()` allows for steeper slope before the kink
#42
hats-bug-reporter[bot]
opened
7 months ago
1
Anyone can manipulate the AL ratio.
#41
hats-bug-reporter[bot]
opened
7 months ago
6
Performance Fee calculation potential revenue loss on changing `performanceFee` value
#40
hats-bug-reporter[bot]
opened
7 months ago
2
`OrigamiLendingSupplyManager::maxExit()` does not account for circuit breaker cap when returning the max exit amount
#39
hats-bug-reporter[bot]
opened
7 months ago
1
attacker can take over USDC by calling investWithToken/exitToken more than once
#38
hats-bug-reporter[bot]
opened
7 months ago
3
attacker can take most of the usdc from the protocol by flashloan
#37
hats-bug-reporter[bot]
opened
7 months ago
12
First depositor can significantly inflate share value and limit vault operability
#36
hats-bug-reporter[bot]
opened
7 months ago
3
OrigamiDexAggregatorSwapper.sol: unsafe unchecked block would lead to loss of funds
#35
hats-bug-reporter[bot]
opened
7 months ago
7
OrigamiDexAggregatorSwapper: absence of slippage protection leads to loss of funds.
#34
hats-bug-reporter[bot]
opened
7 months ago
1
`OrigamiLovTokenFlashAndBorrowManager::forceRebalanceUp()` will revert when attempting to pay a `flashLoanAmount` higher than the current debt
#33
hats-bug-reporter[bot]
opened
7 months ago
1
Rounding in LovTokenManager doesn't sync with design
#32
hats-bug-reporter[bot]
opened
7 months ago
1
Incorrect value of `totalDebtRepaid` in the event `RebalanceUp()` when attempting to repay more debt than the remaining one (when `amountRepaid < flashLoanAmount`)
#31
hats-bug-reporter[bot]
opened
7 months ago
2
there is no check for deadline in `investwithToken` function inside origamiOtoken.sol which opens the possibility to theft of funds
#30
hats-bug-reporter[bot]
opened
7 months ago
2
the otoken contract did not respect users minimum slippage which may cause loss of tokens value
#29
hats-bug-reporter[bot]
opened
7 months ago
2
Excess amount of debtToken asset is not accounted when rebalanceUp, making the asset untracked
#28
hats-bug-reporter[bot]
opened
7 months ago
1
Adversary can block any `exit` due to `preCheck` reached `cap` by using flash-loan
#27
hats-bug-reporter[bot]
opened
7 months ago
6
Use of slot0 to get sqrtPriceLimitX96 can lead to price manipulation. #823
#26
hats-bug-reporter[bot]
opened
7 months ago
1
`OrigamiOTokenManager` should be initialized in constructor
#25
hats-bug-reporter[bot]
opened
7 months ago
1
`exitToToken()` does not check `maxExit` limit
#24
hats-bug-reporter[bot]
opened
7 months ago
1
`investWithToken()` does not check `maxInvest` limit
#23
hats-bug-reporter[bot]
opened
7 months ago
1
Investment and exit paused must be checked in `investWithToken()` and `exitToToken()`
#22
hats-bug-reporter[bot]
opened
7 months ago
1
`price()` will return the wrong price for asset if the underlying aggregator hits minAnswer
#21
hats-bug-reporter[bot]
opened
7 months ago
1
Unhandled chainlink revert would lock price oracle access in `price()`
#20
hats-bug-reporter[bot]
opened
7 months ago
1
Rebalance can be temporarily prevented by sending dust amount
#19
hats-bug-reporter[bot]
opened
7 months ago
1
`OrigamiLovToken::collectPerformanceFees()` can be front-run to extract value
#18
hats-bug-reporter[bot]
opened
7 months ago
2
`OrigamiWstEthToEthOracle` utilizes Chainlink's stETH/ETH feed which has 24 hour long Heartbeat
#17
hats-bug-reporter[bot]
opened
7 months ago
6
The slippage protection in `OrigamiAbstractLovTokenManager::investQuote` rounds against protecting the user because of 'ROUND_DOWN' mode being hardcoded
#16
hats-bug-reporter[bot]
opened
7 months ago
1
We can burn more debt than the exact amount when withdrawing in OrigamiLendingClerk.
#15
hats-bug-reporter[bot]
opened
7 months ago
2