sherlock-audit/2023-05-blueberry-judging
5 stars, 1 fork
sam_gmk - Missing check for active Arbitrum Sequencer
#39
sherlock-admin
closed
1 year ago
0
kaysoft - NO CHECK FOR ROUND COMPLETENESS WITH CHAINLINK FEED
#38
sherlock-admin
closed
1 year ago
0
ChainGuardian - [M] getPrice() does not account for the possibility of the sequencer being down
#37
sherlock-admin
closed
1 year ago
0
0x52 - Malicious user can permanently DOS collateral on BlueBerryBank by repaying bToken directly
#36
sherlock-admin
closed
1 year ago
1
0x52 - IchiVaultOracle accidentally uses mockup UniV3 lib instead of actual lib resulting in a nonfunctional contract
#35
sherlock-admin
closed
1 year ago
1
0x52 - AggregatorOracle#getPrice makes a critical change to how deviation is calculated
#34
sherlock-admin
closed
1 year ago
1
0x52 - IchiSpell#_withdraw attempts to limit slippage but applies slippage limit to user supplied data making it ineffective
#33
sherlock-admin
closed
1 year ago
2
0x52 - Updating the feeManager on config will cause desync between bank and vaults
#32
sherlock-admin
opened
1 year ago
2
0x52 - ShortLongSpell#openPosition uses the wrong balanceOf when determining how much collateral to put
#31
sherlock-admin
opened
1 year ago
7
0x52 - ShortLongSpell#openPosition attempts to burn wrong token
#30
sherlock-admin
opened
1 year ago
2
0x52 - AuraSpell#openPositionFarm fails to return all rewards to user
#29
sherlock-admin
opened
1 year ago
9
0x52 - BalancerPairOracle will return highly incorrect price if one token isn't 18 dp
#28
sherlock-admin
closed
1 year ago
0
0xc86 - DoS due to unbounded loop
#27
sherlock-admin
closed
1 year ago
0
nobody2018 - Incorrect decimals used as divisor in WCurveGauge#burn
#26
sherlock-admin
closed
1 year ago
3
nobody2018 - BalancerPairOracle#getPrice will revert due to division by zero in some cases
#25
sherlock-admin
opened
1 year ago
7
Bauer - User will lose funds
#24
sherlock-admin
closed
1 year ago
0
Bauer - If the `swapData.fromToken` is USDT, user will not be able to open a position.
#23
sherlock-admin
closed
1 year ago
0
nobody2018 - Attacker can steal the reward tokens left by users when updating position via AuraSpell#openPositionFarm
#22
sherlock-admin
closed
1 year ago
0
nobody2018 - Anyone can take away the reward tokens left by users when updating position via ConvexSpell#openPositionFarm
#21
sherlock-admin
closed
1 year ago
5
Bauer - In the AuraSpell protocol, users are unable to open a position.
#20
sherlock-admin
closed
1 year ago
0
Tendency - Positions With 6 Decimal Precision Underlying Tokens Will be Wrongly Flagged as Liquidatable
#19
sherlock-admin
closed
1 year ago
11
Tendency - CoreOracle#getTokenValue Returns an Incorrect USD Value Due to Precision Loss
#18
sherlock-admin
closed
1 year ago
5
0xGoodess - 1-sided withdrawal from CurvePool is subject to MEV due to lack of slippage checks
#17
sherlock-admin
closed
1 year ago
0
Bauer - If the Balancer pool is paused, the user will not be able to repay their debt
#16
sherlock-admin
closed
1 year ago
0
Bauer - AuraSpell `Vault.exitPool` without any slippage protection
#15
sherlock-admin
closed
1 year ago
2
klkvr - Invalid Curve LP price calculation
#14
sherlock-admin
closed
1 year ago
0
klkvr - modifier onlyEOAEx() can be avoided by calling from contract during construction
#13
sherlock-admin
closed
1 year ago
0
Bauchibred - TWAP period could be very low and potentially be maliciously influenced by an attacker
#12
sherlock-admin
closed
1 year ago
0
Bauchibred - BlueBerryBank.borrow() is still vulnerable to a DOS attack, can easily be done when bank total debt is low.
#11
sherlock-admin
closed
1 year ago
0
Bauchibred - Manipulation of the IchiVaultOracle can be easily achieved due to the math used in the oracle
#10
sherlock-admin
closed
1 year ago
0
Bauchibred - Oracles being unpausable should be reconsidered
#9
sherlock-admin
closed
1 year ago
0
Bauchibred - Stuckage of LP tokens is still possible which would mean that they are not sent back to withdrawing user from the IchiSpell contract
#8
sherlock-admin
closed
1 year ago
0
Bauchibred - BlueBerryBank.sol: Incorrect liquidation logic would be implemented in some cases
#7
sherlock-admin
closed
1 year ago
0
Tendency - WIchiFarm.pendingReward will calculate rewards using not up-to-date variables
#6
sherlock-admin
closed
1 year ago
2
Tendency - Users will get less rewards than expected when burning ERC1155 tokens to redeem LP ERC20 tokens back in WIchiFarm#burn
#5
sherlock-admin
closed
1 year ago
0
Bauer - If `pool.shutdown` in the convex.pool contract becomes true, users may lose their funds
#4
sherlock-admin
closed
1 year ago
0
moneyversed - Incorrect handling of token transfers in BasicSpell.sol
#3
sherlock-admin
closed
1 year ago
0
Jigsaw - UniswapV2Oracle.sol can be manipulated through potential flashloan attack
#2
sherlock-admin
closed
1 year ago
0
Jigsaw - AuraSpell.closePositionFarm forces users to exit Balancer pools w/ no slippage protection
#1
sherlock-admin
closed
1 year ago
0