sherlock-audit 2023-07-blueberry-judging issues

sherlock-audit / 2023-07-blueberry-judging

2 stars 1 forks source link

issues

Newest

Newest Most commented Recently updated Oldest Least commented Least recently updated

chainNue - All closing positions, except for full exits, need to verify that their position size meets the minimum requirement set by `minPositionSize`

#142 sherlock-admin2 closed 1 year ago
0
HALITUS - WeightedBPTOracle can return an uncertain price due to unchecked values

#141 sherlock-admin2 closed 1 year ago
1
0xMosh - Malicious borrower can self liquidate and eventually steal funds .

#140 sherlock-admin2 closed 1 year ago
1
BugBusters - Risk of Insolvency Due to Blocked `Repayment`

#139 sherlock-admin2 closed 1 year ago
1
kaysoft - `deadline` should not be `block.timestamp`

#138 sherlock-admin2 closed 1 year ago
0
sandy - MAX_TIME_GAP can be set too high for token price feeds whose heartbeat is as low as 1 hour.

#137 sherlock-admin2 closed 1 year ago
1
kaysoft - OwnableUpgradable not initialized in the initialize function of the WAuraPools.sol contract

#136 sherlock-admin2 closed 1 year ago
1
trauki - approve() call with incorrect function signature will make any SoftVault deployed with USDT as the underlying token unusable

#135 sherlock-admin2 opened 1 year ago
13
mert_eren - wAur pools extra reward have a chance to track false

#134 sherlock-admin2 closed 1 year ago
1
nisedo - Hardcoded Decimal Precision in `ChainlinkAdapterOracleL2.getPrice()`

#133 sherlock-admin2 closed 1 year ago
3
Oxhunter526 - Inconsistent Interest Accrual for Debt Tokens in BlueBerryBank Contract

#132 sherlock-admin2 closed 1 year ago
0
BugBusters - Possible precision loss in `getPrice` function of `CurveVolatileOracle.sol`

#131 sherlock-admin2 closed 1 year ago
1
JP_Courses - IchiSpell#_deposit: `ichiVaultShare` local variable isn't actually used anywhere other than being assigned the result of the vault.deposit.

#130 sherlock-admin2 closed 1 year ago
1
Strausses - Only one action can be allowed

#129 sherlock-admin2 closed 1 year ago
1
mert_eren - Lack of accrue underlyingToken in liquidiate

#128 sherlock-admin2 closed 1 year ago
0
bitsurfer - AuraSpell close position open for slippage issue due to `minAmountsOut` is 0, no deadline check and the ClosePosParam's `amountOutMin` value is ignored

#127 sherlock-admin2 closed 1 year ago
0
fides - The success flag of `augustusSwapper.call(data)` isn't checked.

#126 sherlock-admin2 closed 1 year ago
1
bitsurfer - AuraSpell `openPositionFarm` will revert when the tokens contains `lpToken`

#125 sherlock-admin2 opened 1 year ago
0
fides - Zero Address Validation implementation is incorrect.

#124 sherlock-admin2 closed 1 year ago
1
fides - Curve MetaPool Registry is incorrectly added in `addressProvider.get_address()`

#123 sherlock-admin2 closed 1 year ago
0
bitsurfer - Potential for user positions to fall below `minPositionSize` when partially closing or reducing positions

#122 sherlock-admin2 closed 1 year ago
7
feelereth - race condition in the mint() function could allow a malicious user to manipulate the approval.

#121 sherlock-admin2 closed 1 year ago
1
feelereth - _getPendingReward() function is vulnerable to manipulation of the rewardPerToken

#120 sherlock-admin2 closed 1 year ago
1
Kow - WConvexPool.sol will be broken on Arbitrum due to improper integration with Convex Arbitrum contracts

#119 sherlock-admin2 opened 1 year ago
0
fides - The `poolToken0` and `poolToken1` are incorrectly returned.

#118 sherlock-admin2 closed 1 year ago
0
mert_eren - wrong bToken's exchangeRateStored used for calculate ColleteralValue

#117 sherlock-admin2 opened 1 year ago
7
Kow - CurveVolatileOracle.sol reports heavily overvalued price of curve LP tokens for volatile pools

#116 sherlock-admin2 closed 1 year ago
0
Kow - CurveTricryptoOracle.sol reports heavily undervalued price of tricrypto LP token allowing unsafe position sizes

#115 sherlock-admin2 closed 1 year ago
1
sweven - Missing Explicit Reverts for Enhanced User Clarity"

#114 sherlock-admin2 closed 1 year ago
1
Strausses - onlyEOAEx can be bypassed

#113 sherlock-admin2 closed 1 year ago
1
feelereth - pendingRewards() function can return incorrect reward

#112 sherlock-admin2 closed 1 year ago
1
sweven - Missing Explicit Reverts for Enhanced User Clarity"

#111 sherlock-admin2 closed 1 year ago
1
feelereth - rounding errors due to performing divisions on raw token amounts in _getPendingReward().

#110 sherlock-admin2 closed 1 year ago
1
0x52 - CVX/AURA distribution calculation is incorrect and will lead to loss of rewards at the end of each cliff

#109 sherlock-admin2 opened 1 year ago
7
0x52 - WAuraPools doesn't correctly account for AuraStash causing all deposits to be permanently lost

#108 sherlock-admin2 opened 1 year ago
6
0x52 - Issue #145 from Update #1 is still present in IchiSpell

#107 sherlock-admin2 closed 1 year ago
0
0x52 - Issue #47 from Update #1 is still present in ConvexSpell

#106 sherlock-admin2 opened 1 year ago
8
0x52 - ConvexSpell is completely broken for any curve LP that utilizes native ETH

#105 sherlock-admin2 opened 1 year ago
1
0x52 - Adversary can abuse hanging approvals left by PSwapLib.swap to bypass reward fees

#104 sherlock-admin2 opened 1 year ago
10
0x52 - AuraSpell#closePositionFarm will take reward fees on underlying tokens when borrow token is also a reward

#103 sherlock-admin2 opened 1 year ago
0
0x52 - AuraSpell#closePositionFarm exits pool with single token and without any slippage protection

#102 sherlock-admin2 opened 1 year ago
8
0x52 - CurveVolatileOracle#getPrice contains precision errors that heavily over values LP

#101 sherlock-admin2 closed 1 year ago
9
0x52 - CurveTricryptoOracle#getPrice contains math error that causes LP to be priced completely wrong

#100 sherlock-admin2 opened 1 year ago
5
feelereth - usage of type(uint).max to represent an unset reward per share can lead to overflow errors

#99 sherlock-admin2 closed 1 year ago
1
0x52 - CurveTricryptoOracle incorrectly assumes that WETH is always the last token in the pool which leads to bad LP pricing

#98 sherlock-admin2 opened 1 year ago
5
0x52 - Stable BPT valuation is incorrect and can be exploited to cause protocol insolvency

#97 sherlock-admin2 opened 1 year ago
7
0x52 - Mainnet oracles are incompatible with wstETH causing many popular yields strategies to be broken

#96 sherlock-admin2 opened 1 year ago
9
feelereth - Reentrancy vulnerability in the withdraw() function

#95 sherlock-admin2 closed 1 year ago
1
tsueti_ - _safeMint() SHOULD BE USED RATHER THAN _mint() WHEREVER POSSIBLE

#94 sherlock-admin2 closed 1 year ago
1
feelereth - Risk of ETH becoming locked in the contract

#93 sherlock-admin2 closed 1 year ago
1