sherlock-audit/2023-04-unitasprotocol-judging (4 stars, 3 forks)
issues
kutugu - Not check getLatestPrice value threshold
#64
sherlock-admin
closed
1 year ago
0
stopthecap - The same pausing modifier for (USD1) is tied to minting, burning and transfer at the same time which breaks crucial invariants
#63
sherlock-admin
closed
1 year ago
0
stopthecap - Corruptible Upgradability Pattern
#62
sherlock-admin
closed
1 year ago
0
kutugu - _checkPrice not check price freshness
#61
sherlock-admin
closed
1 year ago
0
tsvetanovv - Missing deadline check when performing a swap
#60
sherlock-admin
closed
1 year ago
0
tsvetanovv - No slippage protection when swap tokens
#59
sherlock-admin
closed
1 year ago
0
Ruhum - Updating USD1 address will leave existing users & protocol with worthless tokens
#58
sherlock-admin
closed
1 year ago
8
Ruhum - Pairs can have reserve ratio threshold of 0 allowing the protocol to be undercollateralized
#57
sherlock-admin
closed
1 year ago
0
YakuzaKiawe - Gas griefing/theft is possible on unsafe call
#56
sherlock-admin
closed
1 year ago
0
0xG0P1 - [M] Minter can burn anyone's / any amount of tokens
#55
sherlock-admin
closed
1 year ago
0
0xGoodess - There is no liveness check on the getLatestPrice from oracle when used on Unitas
#54
sherlock-admin
closed
1 year ago
0
0xGoodess - decreaseAllowance has modifier `notBlacklisted(spender)`, which stops other users who would like to revoke allowance to a black-listed address
#53
sherlock-admin
closed
1 year ago
5
ravikiran.web3 - ERC20Token has missing inheritance
#52
sherlock-admin
closed
1 year ago
0
0xGoodess - the swap function is subject to MEV bundle since it does not have slippage proportional to trade size, but just a fixed fee.
#51
sherlock-admin
closed
1 year ago
0
Ruhum - Custom oracle is a security risk
#50
sherlock-admin
closed
1 year ago
0
toshii - Fetching asset prices from oracle does not check for stale prices, which can lead to invalid prices for assets
#49
sherlock-admin
closed
1 year ago
0
Ruhum - USD1 is priced as $1 instead of being pegged to USDT
#48
sherlock-admin
opened
1 year ago
30
0x00ffDa - Cannot receive any yield profits from portfolio usage
#47
sherlock-admin
closed
1 year ago
0
Ruhum - Guardian can't be removed by Governor
#46
sherlock-admin
closed
1 year ago
0
0x4non - Missing deadline checks in token `swap` function
#45
sherlock-admin
closed
1 year ago
0
sashik_eth - Oracle update could be sandwiched
#44
sherlock-admin
closed
1 year ago
0
XDZIBEC - XO- Missing Portfolio Check in _require Statement
#43
sherlock-admin
closed
1 year ago
5
XDZIBEC - XO-Gas Parameter Not Used in SafeERC20.safeTransferFrom
#42
sherlock-admin
closed
1 year ago
0
Ruhum - Price tolerance can break protocol if USDT depegs.
#41
sherlock-admin
closed
1 year ago
0
Ruhum - `Unitas.sendPortfolio()` can cause Unitas to fall below reserve ratio
#40
sherlock-admin
closed
1 year ago
0
Ruhum - Unitas includes funds inside portfolio when calculating total reserves
#39
sherlock-admin
closed
1 year ago
0
evilakela - SwapFunctions::_getFeeByAmountWithFee wrong calculating fee
#38
sherlock-admin
closed
1 year ago
0
evilakela - SwapFunctions::_getFeeByAmountWithoutFee wrong calculating fee
#37
sherlock-admin
closed
1 year ago
0
0xGoodess - Unconditional exit from EMCs back to USDPEGA – that is, conversions from USD_EMC to USD1 and then from USD1 to USDPEGA, is not true when _checkPrice fails
#36
sherlock-admin
closed
1 year ago
0
0xGoodess - _getTotalLiabilities should round up liabilities to be safe instead of rounding down
#35
sherlock-admin
closed
1 year ago
0
0xGoodess - user has no way to express minimum output acceptance during swap in Unitas
#34
sherlock-admin
closed
1 year ago
0
user786 - TimelockController.sol: Arbitrary Ether Transfer Vulnerability
#33
sherlock-admin
closed
1 year ago
0
user786 - PoolBalances.sol:contract that allows arbitrary senders to execute safeTransferFrom calls.
#32
sherlock-admin
closed
1 year ago
0
Tendency - Protocol Won't be Able to Receive Portfolio Sent Out For Yield Generation
#31
sherlock-admin
closed
1 year ago
0
dirk_y - Lack of oracle timestamp validation could result in stale or permanently manipulated prices
#30
sherlock-admin
closed
1 year ago
8
cducrest-brainbot - USDT can introduce fee on transfer
#29
sherlock-admin
closed
1 year ago
0
n1punp - Executor can misuse deposited ETH in TimelockController for the execution.
#28
sherlock-admin
closed
1 year ago
0
Karl - Add require removeBlackList functions
#27
sherlock-admin
closed
1 year ago
0
yy - The `_convert` function reverts if neither `fromToken` nor `toToken` is the quoteToken.
#26
sherlock-admin
closed
1 year ago
0
yy - Accept Zero Value in `SwapFunctions.sol`
#25
sherlock-admin
closed
1 year ago
0
cducrest-brainbot - Reserve ratio can flicker below 100% and allow minting of USD1
#24
sherlock-admin
closed
1 year ago
0
lil.eth - Denial of Service Attack via Gas Limit in _getTotalReservesAndCollaterals() and _getTotalLiabilities()
#23
sherlock-admin
closed
1 year ago
0
ravikiran.web3 - TimeLock controller misses key checks and admin functions makes it vulnerable to certain scenarios.
#22
sherlock-admin
closed
1 year ago
0
lil.eth - Precision Loss Due to Integer Division in _getReserveStatus Function
#21
sherlock-admin
closed
1 year ago
0
ravikiran.web3 - XOracles does not have admin function to manage feeder role
#20
sherlock-admin
closed
1 year ago
0
ravikiran.web3 - Blacklisting and minter role administration is mutually exclusive causing conflict in operational functions
#19
sherlock-admin
closed
1 year ago
0
ravikiran.web3 - Revoke for Governor and Guardian are dangerous
#18
sherlock-admin
closed
1 year ago
0
yy - The _validateFeeFraction function allows for a fee fraction of 0/0 in `SwapFunctions.sol`
#17
sherlock-admin
closed
1 year ago
0
ast3ros - In case the portfolio makes a loss, the total reserves and reserve ratio will be inflated.
#16
sherlock-admin
opened
1 year ago
18
ast3ros - Profit of the portfolio are not transferred back to the pool balance.
#15
sherlock-admin
closed
1 year ago
3