sherlock-audit/2023-04-ajna-judging
issues
Chinmay - KickerActions uses wrong check to prevent Kickers from using deposits below LUP for KIckWithDeposit
#113
sherlock-admin
opened
1 year ago
13
stopthecap - Staking rewards can be sandwichable
#112
sherlock-admin
closed
1 year ago
4
Chinmay - Wrong Inflator used in calculating HTP to determine accrualIndex in accrueInterest
#111
sherlock-admin
opened
1 year ago
2
hyh - Debt write off can be prohibited by HPB depositor by continuously allocating settlement blocking dust deposits in the higher buckets
#110
sherlock-admin
opened
1 year ago
5
osmanozdemir1 - `redeemPositions` will always revert due to access control issues, and prevent token owners from getting their LPs back
#109
sherlock-admin
closed
1 year ago
0
Chinmay - The kick function uses outdated LUP to update Interest State
#108
sherlock-admin
closed
1 year ago
0
hyh - LUP is not recalculated after adding kicking penalty to pool's debt, so kick() updates the pool state with an outdated LUP
#107
sherlock-admin
opened
1 year ago
2
hyh - Settlement can be called when auction period isn't concluded, allowing HPB depositors to game bad debt settlements
#106
sherlock-admin
opened
1 year ago
2
Shubham - A proposal with more votes in the top ten list may end up getting removed in the screening process
#105
sherlock-admin
closed
1 year ago
2
Chinmay - Mathematical Discrepancies in equations used for calculating Interest Rates
#104
sherlock-admin
closed
1 year ago
13
lemonmon - The `poolstate.debt` calculation inside the Pool contract can potentially be in favor of the user
#103
sherlock-admin
closed
1 year ago
2
lemonmon - Users can earn more rewards than they should, due to rounding error
#102
sherlock-admin
closed
1 year ago
0
lemonmon - `Pool.addQuoteToken` rounding issue that can be used by a malicious user to round in the user's favor
#101
sherlock-admin
closed
1 year ago
0
lemonmon - Loss of unclaimed rewards if a bucket went bankrupt
#100
sherlock-admin
closed
1 year ago
13
lemonmon - Accounting issues leading to potential loss of user rewards
#99
sherlock-admin
closed
1 year ago
0
lemonmon - Removing collateral can be exploited due to rounding issues in `Buckets.collateralToLP()`
#98
sherlock-admin
closed
1 year ago
0
osmanozdemir1 - `removeCollateral` might cause a bucket to bankrupt but not update bankruptcy time, which might cause unexpected behavior and loss of funds
#97
sherlock-admin
closed
1 year ago
9
Chinmay - Rounding issue in MAU calculation leads to interest rates not being raised for a certain range of utilization
#96
sherlock-admin
closed
1 year ago
0
Chinmay - Threshold Price can be incorrectly calculated as zero while calculating the liquidation bond size
#95
sherlock-admin
closed
1 year ago
1
osmanozdemir1 - Anyone who has allowance can transfer LPs even if they are not approved transferors.
#94
sherlock-admin
closed
1 year ago
2
Oxhunter526 - Title: Event Emitted Before Staking Completion
#93
sherlock-admin
closed
1 year ago
0
Oxhunter526 - Title: Debt Forgiveness Mechanism Allows Closure Without Repayment
#92
sherlock-admin
closed
1 year ago
0
LuchoLeonel1 - Missing expiration timestamp in removeQuoteToken
#91
sherlock-admin
closed
1 year ago
0
LuchoLeonel1 - Missing isEpochClaimed validation in _unstake function
#90
sherlock-admin
closed
1 year ago
0
lanrebayode77 - Debt Repayment Manipulation with FlashLoan
#89
sherlock-admin
closed
1 year ago
0
hyh - LenderActions's moveQuoteToken can create a total debt undercoverage
#88
sherlock-admin
opened
1 year ago
2
hyh - moveQuoteToken updates pool state using intermediary LUP, biasing pool's interest rate calculations
#87
sherlock-admin
opened
1 year ago
2
hyh - kickWithDeposit removes the deposit without HTP pool state check
#86
sherlock-admin
opened
1 year ago
2
hyh - Limit index isn't checked in repayDebt, so user control is void
#85
sherlock-admin
opened
1 year ago
7
hyh - Due to excessive HTP check moveQuoteToken can be unavailable for big deposits
#84
sherlock-admin
opened
1 year ago
2
Tendency - Actors will be unable to Exchange Quote Tokens for Collateral in ERC20Pool Auctions
#83
sherlock-admin
closed
1 year ago
0
hyh - Pool's kickWithDeposit misses liquidation debt check
#82
sherlock-admin
opened
1 year ago
2
XDZIBEC - XO-`getBucketStateStakeInfo` function get Incorrect `bucketId_` check
#81
sherlock-admin
closed
1 year ago
0
josephdara - Early vote cutoff
#80
sherlock-admin
closed
1 year ago
2
josephdara - Conflicting Burn Mechanisms
#79
sherlock-admin
closed
1 year ago
2
SAAJ - ERC721 tokens will be locked forever due to usage of transferFrom
#78
sherlock-admin
closed
1 year ago
0
josephdara - transferFromWithPermit not callable by token owner
#77
sherlock-admin
closed
1 year ago
0
PRAISE - Incorrect rounding of collateralAmount in take() function
#76
sherlock-admin
closed
1 year ago
8
kutugu - Deposits prefixSum function can go into a DOS loop
#75
sherlock-admin
closed
1 year ago
6
branch_indigo - Malicious users can manipulate spot LUP to kick borrower's loan, causing borrowers penalized with more debts
#74
sherlock-admin
closed
1 year ago
1
XDZIBEC - XO-`transferFromWithPermit` function allows attackers to steal `tokens`
#73
sherlock-admin
closed
1 year ago
0
branch_indigo - Lenders lose interests and pay deposit fees due to no slippage control
#72
sherlock-admin
opened
1 year ago
14
seerether - Calling the kickWithDeposit function with insufficient deposit balance depletes User's deposits
#71
sherlock-admin
closed
1 year ago
1
XDZIBEC - XO- `revokeLPTransferors` function prevent users from `transferring LP tokens`
#70
sherlock-admin
closed
1 year ago
0
devival - Overriding AJNA token address in GrantFund.sol constructor
#69
sherlock-admin
closed
1 year ago
0
XDZIBEC - XO-`tokenIds` parameter in `atomicSwapCallback()` function is not properly `validated`
#68
sherlock-admin
closed
1 year ago
0
XDZIBEC - XO-`deployPool()` function in the `IERC721PoolFactory` allows attacker to create pool with no collateral
#67
sherlock-admin
closed
1 year ago
0
XDZIBEC - XO-`MergeOrRemoveCollateralNFT` event does not specify the `index` of the `bucket` from which the `collateral` was merged.
#66
sherlock-admin
closed
1 year ago
0
PRAISE - Malicious actor can steal collaterals from any bucket index because the mergeOrRemoveCollateral() function misses the ownerOf check on the NFTs
#65
sherlock-admin
closed
1 year ago
6
Oxhunter526 - Title: Precision Loss Due to Floating-Point Arithmetic in Loan Calculation
#64
sherlock-admin
closed
1 year ago
0