sherlock-audit / 2022-10-union-finance-judging
issues
hyh - Rewards can be gathered by an overdue staker
#163
sherlock-admin
closed
1 year ago
1
peanuts - Vouch.lastUpdated() is not updated when a new Vouch is created
#162
sherlock-admin
closed
2 years ago
0
ak1 - FixedInterestRateModel.sol#L69 : getSupplyRate can be updated to consider the one more factor utilizationRate like how compound works.
#161
sherlock-admin
closed
2 years ago
1
Picodes - `voucherIndexes` is incorrectly updated
#160
sherlock-admin
closed
2 years ago
0
Bahurum - UserManager:debtWriteOff reverts if caller is not a member
#159
sherlock-admin
closed
2 years ago
0
GimelSec - interestRatePerBlock in FixedInterestRateModel.constructor can exceed BORROW_RATE_MAX_MANTISSA
#158
sherlock-admin
closed
2 years ago
0
hyh - Vouchers and vouchees indices become corrupted by UserManager's cancelVouch
#157
sherlock-admin
opened
2 years ago
1
GimelSec - AssetManager.removeAdapter() should check that there are no remaining tokens in the adapter.
#156
sherlock-admin
closed
2 years ago
0
Bahurum - `Comptroller:withdrawRewards` leaks rewards
#155
sherlock-admin
closed
1 year ago
6
Picodes - Using `removeReserves`, `admin` can withdraw all `lenders` funds.
#154
sherlock-admin
closed
2 years ago
0
GimelSec - `removeAdapter()` doesn't pop the market index in `withdrawSeq`, leading to users not being able to call withdraw
#153
sherlock-admin
closed
2 years ago
0
GimelSec - `Aave3Adapter.claimRewards()` has a rug issue for rewards
#152
sherlock-admin
closed
2 years ago
0
minhtrng - Fee-on-transfer tokens not handled consistently; can cause repayments to always revert
#151
sherlock-admin
closed
2 years ago
0
GimelSec - The protocol doesn't handle fee-on-transfer tokens
#150
sherlock-admin
closed
2 years ago
1
GimelSec - A malicious admin can use `setWithdrawSequence()` to temporarily disable `withdraw()` function
#149
sherlock-admin
closed
2 years ago
0
ak1 - UToken.sol#L518 : It is safe to consider to check for if(fee > 0)
#148
sherlock-admin
closed
2 years ago
0
GimelSec - AssetManager.removeToken() should check whether getPoolBalance() == 0
#147
sherlock-admin
closed
2 years ago
0
peanuts - Vouchers that vouches first may not get their stake locked or unlocked sequentially according to updateLocked() if cancelVouch() is called
#146
sherlock-admin
closed
2 years ago
0
Picodes - There is no way to manage bad debt or any loss made by `Aave` for `stakers`
#145
sherlock-admin
closed
1 year ago
1
ak1 - AssetManager.sol#L374 : debtWriteOff should happen only if token is not Utoken.
#144
sherlock-admin
closed
2 years ago
0
hyh - repayBorrow calls wrong frozen info update for overdue repayments
#143
sherlock-admin
opened
2 years ago
4
Bahurum - A stake that has just been locked gets full reward multiplier
#142
sherlock-admin
opened
2 years ago
1
cryptphi - Possible DoS on contracts due to initialized Controller
#141
sherlock-admin
closed
2 years ago
0
Bahurum - Wrong function called by `AaveV3Adapter` to deposit liquidity into Aave V3 pool
#140
sherlock-admin
closed
2 years ago
0
hansfriese - `AssetManager.removeAdapter()` doesn't update `withdrawSeq` after removing an adapter.
#139
sherlock-admin
closed
2 years ago
0
Picodes - `effectiveCount` requirement can be bypassed
#138
sherlock-admin
closed
2 years ago
1
cryptphi - Any user can initialize Controller Contract and become admin
#137
sherlock-admin
closed
2 years ago
0
TurnipBoy - When debt becomes overdue the staker is penalized for the entire time since last payment rather than just the time the debt is overdue
#136
sherlock-admin
closed
2 years ago
1
hyh - Stakers will lose their rewards as updateLocked() updates only the first active vouches until there is a prepayment
#135
sherlock-admin
opened
2 years ago
3
Tutturu - All implementations that inherit from Controller.sol can be destroyed, leading to loss of funds
#134
sherlock-admin
closed
2 years ago
1
hyh - repayBorrow is inaccessible by overdue borrowers
#133
sherlock-admin
opened
2 years ago
1
TurnipBoy - If UserManger.sol is paused for long enough all user debt will default and can be canceled when contract is unpaused
#132
sherlock-admin
closed
2 years ago
0
ctf_sec - AavePool#deposit is deprecated, can use AavePool#supply in AaveV3Adapter.sol
#131
sherlock-admin
closed
2 years ago
1
ctf_sec - remaining amount AssetManager.sol#withdraw is not handled properly when user unstake in UserManager.sol#unstake
#130
sherlock-admin
closed
2 years ago
0
ctf_sec - More granular control of the pause is needed for each money market because deposit and withdrawal can be guaranteed to revert if the underlying money market is paused or has high utilization rate
#129
sherlock-admin
closed
1 year ago
2
ctf_sec - User's fund is locked if the admin pause the contract
#128
sherlock-admin
closed
2 years ago
0
ctf_sec - UserManager.sol#debtWriteOff may be not publicly callable after the loan is overdue by overdue blocks + maxOverdueBlocks
#127
sherlock-admin
closed
1 year ago
2
Jeiwan - Removed adapter can still hold funds, removed token can still be deposited to a market
#126
sherlock-admin
opened
2 years ago
1
Jeiwan - Removed money market adapters can drain `AssetManager` due to approved token spending
#125
sherlock-admin
closed
2 years ago
0
ctf_sec - UToken.sol#debtWriteOff should accrueInterest first
#124
sherlock-admin
closed
1 year ago
6
Jeiwan - `AssetManager.withdraw()` can lock user funds indefinitely
#123
sherlock-admin
closed
2 years ago
0
ctf_sec - AaveV3Adapter.sol#getRate may be outdated and stale.
#122
sherlock-admin
closed
1 year ago
2
dipp - Incorrect inflation index due to incorrect calculation of `totalStaked`
#121
sherlock-admin
closed
2 years ago
0
Jeiwan - Interest accrued after borrow amount checks in `UToken`
#120
sherlock-admin
closed
2 years ago
1
Jeiwan - Increased reward token inflation due to double counting of `totalFrozen`
#119
sherlock-admin
closed
1 year ago
1
__141345__ - Fee on transfer token support
#118
sherlock-admin
closed
2 years ago
0
TurnipBoy - When UToken.sol is paused borrowers cannot repay their loans but still accumulate interest on them
#117
sherlock-admin
closed
2 years ago
0
TurnipBoy - Staker can pay off interest of delinquent debtor and back claim reward tokens for the entire time the loan was delinquent
#116
sherlock-admin
closed
1 year ago
1
Bahurum - Loan can be written off by anybody before overdue delay expires
#115
sherlock-admin
opened
2 years ago
1
hyh - Stakers can have their funds locked for an extended period not related to the performance of their borrowers
#114
sherlock-admin
opened
2 years ago
5