issues
sherlock-audit/2023-10-aloe-judging
9 stars, 6 forks
moneyversed - Risk of manipulation of implied volatility calculations due to lack of input validation in VolatilityOracle's `prepare` function
#152
sherlock-admin
closed
1 year ago
1
bitsurfer - `enrollCourier` lack of share check open for user owning share to loss their reward
#151
sherlock-admin2
closed
1 year ago
1
Milad-Sha - readonly reentrancy on getrate()
#150
sherlock-admin
closed
1 year ago
1
MohammedRizwan - `Lender.sol` is not fully compliant with `EIP2612`
#149
sherlock-admin2
closed
1 year ago
12
OxZ00mer - Users who have shares in vaults with lower decimals receive less rewards
#148
sherlock-admin
closed
1 year ago
1
feelereth - Skipping rewards accounting for couriers does reduce the effective rewards rate for other users
#147
sherlock-admin2
closed
1 year ago
1
OxZ00mer - The whole ante balance of a user with a very small loan, who is up for liquidation can be stolen without repaying the debt
#146
sherlock-admin
opened
1 year ago
10
0xReiAyanami - Liquidation process is flawed. missing incentive to call warn
#145
sherlock-admin2
opened
1 year ago
3
bitsurfer - Non monoatomic operation issue on `deposit` and `repay` open for user's asset lost
#144
sherlock-admin
closed
1 year ago
2
Chinmay - Position cannot be modified when probe price a rounds down to MIN_SQRT_RATIO
#143
sherlock-admin2
closed
1 year ago
1
feelereth - Principle accounting is skipped for couriers. This means couriers could manipulate their principle to reduce fees paid to the next courier.
#142
sherlock-admin
closed
1 year ago
2
MohammedRizwan - Uniswap V3 oracles are susceptible to price manipulation on Layer 2 Rollups
#141
sherlock-admin2
closed
1 year ago
3
0xReiAyanami - permanent DoS of Courier (Affiliate function)
#140
sherlock-admin
closed
1 year ago
1
tsvetanovv - When interest is accrued using `_previewInterest()` the token is always scaled to 18 decimal and this leads to miscalculation of interest
#139
sherlock-admin2
closed
1 year ago
2
feelereth - Burning 100% of the shares will result in a 0 fee being paid to the courier.
#138
sherlock-admin
closed
1 year ago
1
bitsurfer - Gamma values are not properly scaled
#137
sherlock-admin2
closed
1 year ago
2
OxZ00mer - The Lender contract is not fully EIP-4626 compliant, leading to confusion when interacting with it
#136
sherlock-admin
closed
1 year ago
9
0xReiAyanami - possible loss of funds because of miscalculation in liabilities
#135
sherlock-admin2
closed
1 year ago
1
dipp - Users may lose rewards accrued before enrolling as courier
#134
sherlock-admin
closed
1 year ago
2
SilentDefendersOfDeFi - Latest interest is not included in Liabilities, causes possible Loss of funds.
#133
sherlock-admin2
closed
1 year ago
1
OxZ00mer - The protocol doesn't maximise its pool balances when executing operations, leading to them favouring the user
#132
sherlock-admin
closed
1 year ago
2
mstpr-brainbot - Liquidations can make debt stuck in the Lenders
#131
sherlock-admin2
closed
1 year ago
1
0xepley - `createMarket` function can be Dos
#130
sherlock-admin
closed
1 year ago
1
mstpr-brainbot - Computing probe prices are not suitable for stable pools
#129
sherlock-admin2
closed
1 year ago
2
stackangel22 - AloeII code Audit Contest 2023
#128
sherlock-admin
closed
1 year ago
1
OxZ00mer - The omission of Uniswap position fees from a user's assets can result in a premature liquidation
#127
sherlock-admin2
closed
1 year ago
1
bulej93 - `initialize` can be called multiple times
#126
sherlock-admin
closed
1 year ago
1
mstpr-brainbot - IV can be manipulated to return the maximum IV value on the next write
#125
sherlock-admin2
closed
1 year ago
1
bulej93 - `poolState.lastUpdated` doesn't get updated after accumulating rewards
#124
sherlock-admin
closed
1 year ago
1
OxZ00mer - The functionality of payable(address).transfer will be compromised if the cost of SLOAD increases
#123
sherlock-admin2
closed
1 year ago
2
mstpr-brainbot - When the new rate model is set the latest interest is not accrued according to the previous rate model
#122
sherlock-admin
closed
1 year ago
4
mstpr-brainbot - Race condition in lender shares
#121
sherlock-admin2
closed
1 year ago
1
feelereth - getMaxSecondsAgo() makes an invalid assumption that the observation at index 0 is always initialized
#120
sherlock-admin
closed
1 year ago
1
feelereth - The getMaxSecondsAgo() function makes an incorrect assumption that can lead it to return an inaccurately low value for the age of the oldest observation
#119
sherlock-admin2
closed
1 year ago
1
OxZ00mer - Fees unclaimed by a soon-to-be courier will become stuck
#118
sherlock-admin
closed
1 year ago
1
feelereth - An attacker could manipulate prices in only one of the intervals [-2w,-w] or [-w,0] and potentially avoid detection by the metric.
#117
sherlock-admin2
closed
1 year ago
2
0x007 - Issues would arise as lastBalance or totalSupply hit 2**112
#116
sherlock-admin
closed
1 year ago
1
OxZ00mer - The balance of a courier doesn't get updated when a user burns, leading to an even lower fee effectiveness
#115
sherlock-admin2
closed
1 year ago
2
feelereth - The metric calculation in consult() is vulnerable to manipulation further back than 2*UNISWAP_AVG_WINDOW.
#114
sherlock-admin
closed
1 year ago
2
0x007 - Liquidator could reverse LP sandwich _uniswapWithdraw and easily cause bad debts for Lenders
#113
sherlock-admin2
closed
1 year ago
1
feelereth - Accrual factor is not validated to be <= 1. Could be used to manipulate interest in unexpected ways
#112
sherlock-admin
closed
1 year ago
1
0x007 - There's no remedy for when liquidator manipulates price
#111
sherlock-admin2
closed
1 year ago
1
0x007 - _getLiabilities uses borrowBalanceStored instead of borrowBalance
#110
sherlock-admin
closed
1 year ago
1
roguereddwarf - Implied Volatility can be manipulated and takes a long time to recover, which can lead to bad debt
#109
sherlock-admin2
closed
1 year ago
1
Chinmay - Borrower can lose fees from Uniswap Positions when an Aloe market is paused
#108
sherlock-admin
closed
1 year ago
16
feelereth - _previewInterest function does not check that accrualFactor is greater than 0 before using it to update borrowIndex. This is highly vulnerable
#107
sherlock-admin2
closed
1 year ago
2
Jaraxxus - Borrower can be his own liquidator
#106
sherlock-admin
closed
1 year ago
2
Jaraxxus - address.call{value:x}() should be used instead of payable.transfer()
#105
sherlock-admin2
closed
1 year ago
1
Chinmay - Borrows are not properly handled in the case of both liabilities0 and liabilities1 unable to be repaid from available assets
#104
sherlock-admin
closed
1 year ago
24
feelereth - _previewInterest does not properly check for a zero borrowBase leading to major vulnerabilities
#103
sherlock-admin2
closed
1 year ago
2