sherlock-audit / 2023-07-perennial-judging
issues
feelereth - the _update function is vulnerable to an attacker draining funds from arbitrary accounts
#82
sherlock-admin
closed
1 year ago
1
feelereth - The _loadPendingPositions call ignores pending withdrawals. Attackers could withdraw more than available collateral.
#81
sherlock-admin
closed
1 year ago
1
feelereth - The protect parameter in the update function can be used to avoid liquidation by skipping invariant checks
#80
sherlock-admin
closed
1 year ago
1
ck - Keepers will continue earning rewards for committing prices even when the protocol is paused
#79
sherlock-admin
closed
1 year ago
1
Emmanuel - Market.sol: User can deposit, open & close position, and withdraw in a single transaction
#78
sherlock-admin
closed
1 year ago
2
cartlex - PAUSER CAN'T PAUSE / UNPAUSE AFTER `updatePause()` FUNCTION USED.
#77
sherlock-admin
closed
1 year ago
1
XDZIBEC - Loss of Funds + Inconsistent Updates in AccountLib.processLocal
#76
sherlock-admin
closed
1 year ago
1
XDZIBEC - Inadequate Position Limit Calculation can lead to unintended position sizes.
#75
sherlock-admin
closed
1 year ago
1
XDZIBEC - Incorrect Oracle Version Validation
#74
sherlock-admin
closed
1 year ago
1
hassan-truscova - Require users to use order amounts greater than zero
#73
sherlock-admin
closed
1 year ago
1
panprog - Bad debt (shortfall) liquidation leaves liquidated user in a negative collateral balance which can cause bank run and loss of funds for the last users to withdraw
#72
sherlock-admin
opened
1 year ago
3
XDZIBEC - issue in store function lead to further issues downstream.
#71
sherlock-admin
closed
1 year ago
1
tives - Oracle stale price is not checked, only 1 oracle is used
#70
sherlock-admin
closed
1 year ago
1
Hama - Chainlink Oracle will return the wrong price for asset if underlying aggregator hits minAnswer
#69
sherlock-admin
closed
1 year ago
1
Hama - Chainlink’s latestRoundData Might Return Stale Results Inbox
#68
sherlock-admin
closed
1 year ago
1
0xTheC0der - DSU token balance of MultiInvoker contract can be drained by anyone
#67
sherlock-admin
closed
1 year ago
3
Emmanuel - Exiting the market as a trader results in a deficit in collateral balance.
#66
sherlock-admin
closed
1 year ago
15
Emmanuel - Malicious user can use liquidation to bypass most of the global invariant checks
#65
sherlock-admin
closed
1 year ago
1
Emmanuel - Positions will be unfairly liquidated immediately after an unpause
#64
sherlock-admin
closed
1 year ago
3
Emmanuel - User is not allowed to reduce his position when it gets undercollateralized
#63
sherlock-admin
closed
1 year ago
1
Emmanuel - Vault.sol: `settle`ing the 0 address will disrupt accounting
#62
sherlock-admin
opened
1 year ago
4
Emmanuel - Vault.sol: No slippage protection when claiming assets
#61
sherlock-admin
closed
1 year ago
8
Emmanuel - Users can open positions such that the liquidationFee is more than the collateral balance
#60
sherlock-admin
closed
1 year ago
2
Emmanuel - Vault.sol: Keeper fee accounting is bricked when a user calls update multiple times
#59
sherlock-admin
closed
1 year ago
2
Emmanuel - Malicious user can claim dust amount numerous times to cause Vault to lose through fees
#58
sherlock-admin
closed
1 year ago
2
Emmanuel - MultiInvoker is max approving any arbitrary address
#57
sherlock-admin
closed
1 year ago
1
Emmanuel - PythOracle: if price.expo is less than 0, wrong prices will be recorded
#56
sherlock-admin
opened
1 year ago
4
Emmanuel - Vault.sol: Underlying Market fee is not accounted for in Vault.sol
#55
sherlock-admin
closed
1 year ago
2
Emmanuel - Several inconsistencies with payoffs especially if we are expecting base to be 1e6
#54
sherlock-admin
closed
1 year ago
2
Emmanuel - Excess native value is not sent back to keeper after a commit call
#53
sherlock-admin
closed
1 year ago
2
Emmanuel - Protocol fee from Market.sol is locked
#52
sherlock-admin
opened
1 year ago
10
Emmanuel - Attacker can drain Market.sol through liquidation
#51
sherlock-admin
closed
1 year ago
2
OxZ00mer - Markets with equities as indexes can cause unexpected behavior and economic damage
#50
sherlock-admin
closed
1 year ago
1
panprog - Invalid oracle versions can cause desync of global and local positions making protocol lose funds and being unable to pay back all users
#49
sherlock-admin
opened
1 year ago
28
panprog - No slippage protection when opening or closing positions
#48
sherlock-admin
closed
1 year ago
12
panprog - Collateral removal user action doesn't require oracle price and doesn't trigger oracle request to commit new oracle version, which can be used to front-run price updates to gain unfair advantage and profit at the expense of the other protocol users
#47
sherlock-admin
closed
1 year ago
12
panprog - During oracle provider switch, if it is impossible to commit the last request of previous provider, then the oracle will get stuck (no price updates) without any possibility to fix it
#46
sherlock-admin
opened
1 year ago
4
panprog - PythOracle `_recordPrice()` function incorrectly treats `expo` (exponent) from `PythStructs.Price` which can lead to protocol malfunction and loss of funds after oracle switch
#45
sherlock-admin
closed
1 year ago
1
panprog - PythOracle `commit()` function doesn't require (nor stores) pyth price publish timestamp to be after the previous commit's publish timestamp, which makes it possible to manipulate price to unfairly liquidate users and possible stealing protocol funds
#44
sherlock-admin
opened
1 year ago
18
panprog - PythOracle allows any user to commit non-requested oracle version for any timestamp after the previous commit even if it's long ago which can be abused to steal from the protocol via price manipulation and collateral removal
#43
sherlock-admin
closed
1 year ago
19
panprog - Oracle request timestamp and pending position timestamp mismatch can make most position updates invalid
#42
sherlock-admin
opened
1 year ago
4
mert_eren - Wrong implementation of pythOracle request for using time.
#41
sherlock-admin
closed
1 year ago
1
YakuzaKiawe - Incorrect calculation in `convertToAssets`
#40
sherlock-admin
closed
1 year ago
1
YakuzaKiawe - Unable to withdraw funds if `wrap` is true
#39
sherlock-admin
closed
1 year ago
1
YakuzaKiawe - Chainlink's latestRoundData return stale or incorrect result
#38
sherlock-admin
closed
1 year ago
2
shtesesamoubiq - latestRoundData() has no check for round completeness
#37
sherlock-admin
closed
1 year ago
1
shtesesamoubiq - _etherPrice() will return the wrong price for asset if underlying aggregator hits minAnswer
#36
sherlock-admin
closed
1 year ago
1
shtesesamoubiq - _etherPrice() doesn't check If Arbitrum sequencer is down in Chainlink feeds
#35
sherlock-admin
closed
1 year ago
1
shtesesamoubiq - Not checking the staleness of the price from latestRoundData
#34
sherlock-admin
closed
1 year ago
1
BugBusters - No minAnswer/maxAnswer Circuit Breaker Checks while Querying Prices in Oracle.sol
#33
sherlock-admin
closed
1 year ago
1