sherlock-audit 2023-11-convergence-judging issues

sherlock-audit / 2023-11-convergence-judging

8 stars 8 forks source link

issues

Newest

Newest Most commented Recently updated Oldest Least commented Least recently updated

jah - wrong calculation which leads to a not being able to function properly

#221 sherlock-admin closed 10 months ago
1
GimelSec - `SdtStakingPositionService.processSdtRewards` could record the wrong amount of sdt reward.

#220 sherlock-admin2 closed 10 months ago
0
hash - Possible loss of unclaimed rewards for long-term frequent stakers

#219 sherlock-admin closed 10 months ago
0
Inspex - If admin kill a gauge, user’s voting power for that gauge may lost 1 or 2 cycles

#218 sherlock-admin2 closed 9 months ago
1
qpzm - Out-of-gas error in `CvgERC721TimeLockingUpgradeable.getTokenIdsForWallet`

#217 sherlock-admin closed 10 months ago
1
lemonmon - `LockingPositionService.mintPosition()` problems with duplicate `tokenIds` from `LockingPositionManager` may cause users to lose their funds

#216 sherlock-admin2 closed 9 months ago
3
jah - wrong time when increasing the locking time

#215 sherlock-admin closed 9 months ago
1
bitsurfer - Possible DoS happening when gauge weight is changing due to underflow of `pt.slope -= d_slope`

#214 sherlock-admin2 closed 10 months ago
0
bitsurfer - Did not approve to zero first issue

#213 sherlock-admin closed 10 months ago
0
jah - a malicious user can prevent a user from receiving a delegation

#212 sherlock-admin2 closed 10 months ago
0
CL001 - In the case that the total supply of CVG tokens is insufficient, the last user to claim the rewards will suffer a loss

#211 sherlock-admin closed 9 months ago
2
0xmuxyz - The locked-amount and the voting power can still be increased even after the given `tokenId` of locking position NFT (ERC721) would be burned via the LockingPositionService#`burnPosition()`

#210 sherlock-admin2 closed 10 months ago
1
pontifex - Tokens distribution may be broken due to incorrect address verification when depositing tokens

#209 sherlock-admin closed 10 months ago
1
zraxx - When `delegateMgCvg` is used for update or remove, it will be reverted due to improper require checks.

#208 sherlock-admin2 closed 10 months ago
1
pontifex - Users can't receive rewards in the actual `cvgCycle` due to unexpected error

#207 sherlock-admin closed 9 months ago
11
pontifex - Unexpected revert at the `delegateMgCvg` and `delegateVeCvg` when delegation removal

#206 sherlock-admin2 closed 10 months ago
0
mahmudsudo - empty array input claims rewards

#205 sherlock-admin closed 10 months ago
1
cducrest-brainbot - Withdrawing rewards will convert sdt to cvgSDT at any rate

#204 sherlock-admin2 closed 10 months ago
0
chainNue - Allowance is not set to zero first before approving

#203 sherlock-admin closed 10 months ago
0
ydlee - A token owner cannot remove one mgCvg delegation when he already delegates to `maxMgDelegatees` addresses.

#202 sherlock-admin2 closed 10 months ago
0
cducrest-brainbot - Claiming cvgSDT rewards may run out of gas

#201 sherlock-admin closed 10 months ago
0
eta - Forcing conversion of _cvgControlTower.cvgCycle() can cause accounting errors in missing values

#200 sherlock-admin2 closed 10 months ago
1
detectiveking - Tokens that are both gauge and bribe reward tokens will have rewards calculated incorrectly

#199 sherlock-admin closed 10 months ago
0
detectiveking - Claiming rewards might take more gas than Ethereum block gas limit

#198 sherlock-admin2 closed 9 months ago
1
lemonmon - `SdtRewardReceiver.claimMultipleStaking`: rewards will be locked when called with zero `sdtRewardCount`

#197 sherlock-admin closed 10 months ago
0
lemonmon - `LockingPositionService`'s voting power can be inflated by putting duplicated entries to `LockingPositionDelegate.tokenOwnedAndDelegated`

#196 sherlock-admin2 closed 10 months ago
0
detectiveking - Protocol doesn't account for the fact that bribe rewards can be provided in SDT instead of sdTKN

#195 sherlock-admin closed 9 months ago
3
lemonmon - Rewards may be lost when `SdtStakingPositionService.processSdtRewards()` is processing multiple rewards that contain the same reward token

#194 sherlock-admin2 closed 10 months ago
0
hash - cvgRewards may be incorrectly calculated due to possible changes in gagueWeights and totalWeight

#193 sherlock-admin closed 9 months ago
1
hash - Killing a gague can lead to bricking of the protocol

#192 sherlock-admin2 closed 8 months ago
10
detectiveking - SdtStakingPositionManager NFT doesn't claim rewards before burning

#191 sherlock-admin closed 10 months ago
0
hash - Division difference can result in a revert when claiming treasury yield and excess rewards to some users

#190 sherlock-admin2 opened 10 months ago
17
hash - User's can attain unlimited `veCvg/mgCvg` voting power due to lack of duplication checks

#189 sherlock-admin closed 10 months ago
0
hash - Incorrect slippage protection for sdt/cvgSdt exchange

#188 sherlock-admin2 closed 10 months ago
0
ydlee - Unable to add a killed gauge back again.

#187 sherlock-admin closed 9 months ago
1
detectiveking - No slippage tolerance amount for curve swaps

#186 sherlock-admin2 closed 10 months ago
0
detectiveking - Use safeTransfer instead of transfer

#185 sherlock-admin closed 10 months ago
0
hash - `sdt` fees of a cycle may be distributed to the next cycle `cvgSdt` stakers

#184 sherlock-admin2 closed 10 months ago
0
Inspex - Delegated Sub-assets Persist After Position Transfer

#183 sherlock-admin closed 10 months ago
0
0x52 - Tokens that are both bribes and StakeDao gauge rewards will cause loss of funds

#182 sherlock-admin2 opened 10 months ago
3
0x52 - SdtRewardReceiver#setPoolCvgSdtAndApprove fails to clear past approvals which can leave dangerous hanging approvals

#181 sherlock-admin closed 9 months ago
2
0x52 - SdtRewardReceiver#_withdrawRewards has incorrect slippage protection and withdraws can be sandwiched

#180 sherlock-admin2 opened 10 months ago
3
0x52 - Bribe collection from sdtBlackHole is first-mover takes all which causes loss for multiple gauges that share the same bribe token

#179 sherlock-admin closed 9 months ago
11
0x52 - cvgControlTower and veCVG lock timing will be different and lead to yield loss scenarios

#178 sherlock-admin2 opened 10 months ago
2
0x52 - Users who frequently increase lock balance will DOS themselves over time

#177 sherlock-admin closed 9 months ago
8
0x52 - Tokens minted during non-TDE cycles vote count is unfairly reduced and can't get max vote boost causing significant loss of yield

#176 sherlock-admin2 closed 9 months ago
21
0x52 - LockPositionDelegate doesn't clear delegates on transfer which can be used to honeypot buyers

#175 sherlock-admin closed 9 months ago
11
bulej93 - Buffer could cheat claimer out of rewards

#174 sherlock-admin2 closed 10 months ago
1
bulej93 - multiplication after division could lead to precision loss

#173 sherlock-admin closed 10 months ago
1
bulej93 - When increasing lock time, the voting power isnt increased

#172 sherlock-admin2 closed 10 months ago
0