sherlock-audit/2024-03-arrakis-judging
issues
juaan - `setPriceBounds` is not timelocked, so malicious executor can steal funds
#49
sherlock-admin3
closed
1 month ago
17
cu5t0mPe0 - Incorrect rounding of precision will cause maxDeviation to fail.
#48
sherlock-admin3
closed
1 month ago
2
Ocean_Sky - Updating maxSlippagePIPS can be DOSed and may cause losses to the vault.
#47
sherlock-admin2
closed
1 month ago
1
NoOne - Missing Initialization of Parent Contracts in `ValantisModule`
#46
sherlock-admin2
closed
1 month ago
0
juaan - A malicious executor can grief 100% of the pool reserves
#45
sherlock-admin2
closed
1 month ago
8
juaan - Through rebalance(), an executor can drain 100% of vault reserves by minting cheap shares
#44
sherlock-admin4
opened
1 month ago
26
juaan - Malicious Public Vault Owner can bypass `validateRebalance()`, to sandwich the rebalance for profit
#43
sherlock-admin3
closed
1 month ago
17
juaan - Due to incorrect rounding, a malicious user can cause the router to ALWAYS revert on adding liquidity
#42
sherlock-admin3
closed
1 month ago
0
iamandreiski - Certain functions in the Router don't validate if the msg.value == amount when dealing with native token
#41
sherlock-admin3
closed
1 month ago
0
skyge - Oracle doesn't check if Arbitrum Sequencer is active
#40
sherlock-admin3
closed
1 month ago
0
Patreeciy - the function does not match its description
#39
sherlock-admin2
closed
1 month ago
0
Patreeciy - Chainlink’s latestRoundData might return stale or incorrect results
#38
sherlock-admin4
closed
1 month ago
0
iamandreiski - Deposits/Withdrawals to/from Arrakis Vaults can be sandwiched due to no slippage checks in mint/burn functions
#37
sherlock-admin3
closed
1 month ago
9
Naresh - Chainlink's `latestRoundData` might return stale or incorrect results
#36
sherlock-admin2
closed
1 month ago
0
iamandreiski - Executor can steal all funds from public vault when a new module is set
#35
sherlock-admin2
closed
1 month ago
6
iamandreiski - Timelock roles/deployment gives the public vault owner full control over the vault
#34
sherlock-admin4
closed
1 month ago
0
iamandreiski - Malicious private vault owners can honeypot other users by withdrawing vault liquidity before a transfer/sale
#33
sherlock-admin4
closed
1 month ago
0
juaan - Malicious vault owner can change ALM to malicious contract and then setModule to steal funds
#32
sherlock-admin3
closed
1 month ago
0
iamandreiski - ArrakisMetaVaultFactory can't deploy pools with non-string symbol ERC20 tokens
#31
sherlock-admin3
closed
1 month ago
0
KungFuPanda - Malicious actors can temporarily DoS user's access to the ArrakisPublicVaultRouter contract's permit-based functions by frontrunning and calling the UniPermit2 contract with the signatures of those users
#30
sherlock-admin2
closed
1 month ago
0
whitehair0330 - `ArrakisPublicVaultRouter.addLiquidity()` function can frequently revert due to rounding errors.
#29
sherlock-admin2
closed
1 month ago
5
juaan - When the poolManager is changed to address(0), the manager fees are permanently lost
#28
sherlock-admin4
closed
1 month ago
15
juaan - Incorrect handling of first deposit for new modules leads to all liquidity sent to vault manager
#27
sherlock-admin4
opened
1 month ago
12
juaan - When poolManager is set to address(0), a vault’s module can no longer be changed forever
#26
sherlock-admin3
closed
1 month ago
21
juaan - First depositor via new module mints large amount of shares at huge discount
#25
sherlock-admin3
closed
1 month ago
10
unix515 - Chainlink's latestRoundData() might return stale or incorrect results.
#24
sherlock-admin2
closed
1 month ago
0
unix515 - HOT#`getLiquidityQuote()` is always reverted because `liquidityQuote` is never updated.
#23
sherlock-admin2
closed
1 month ago
0
gscode_ - Summary
#22
sherlock-admin4
closed
1 month ago
0
juaan - When calling `setModule`, a malicious executor can use malicious payload to steal 100% of the pool's liquidity
#21
sherlock-admin4
closed
1 month ago
8
juaan - Malicious Executor can use rebalance() to drain the vault in a complex attack (10% each time)
#20
sherlock-admin3
closed
1 month ago
10
cu5t0mPe0 - USDT is not supported
#19
sherlock-admin2
opened
1 month ago
19
cu5t0mPe0 - The executor can prevent the manager from receiving the manager fee.
#18
sherlock-admin2
closed
1 month ago
10
cu5t0mPe0 - The attacker can steal funds from the pool.
#17
sherlock-admin4
closed
1 month ago
4
cu5t0mPe0 - Did not check whether the router is legal
#16
sherlock-admin2
closed
1 month ago
6
cu5t0mPe0 - The executor takes away all the funds during `setModule`
#15
sherlock-admin3
closed
1 month ago
5
cu5t0mPe0 - setModule is not compatible with ValantisHOTModulePublic.
#14
sherlock-admin3
closed
1 month ago
13
cu5t0mPe0 - The way ArrakisPublicVaultRouter and ValantisHOTModulePublic calculate the deposit amount is inconsistent.
#13
sherlock-admin2
closed
1 month ago
8
NoOne - Library function isn't `internal` or `private`
#12
sherlock-admin4
closed
1 month ago
0
NoOne - Contracts are vulnerable to fee-on-transfer accounting-related issues
#11
sherlock-admin4
closed
1 month ago
0
NoOne - Incorrect Access Control in `setMaxOracleDeviationBips` Function
#10
sherlock-admin3
closed
1 month ago
10
juaan - Malicious executor can front-run swapper to make them lose funds (by changing liquidity bounds)
#9
sherlock-admin3
closed
1 month ago
14
juaan - A malicious executor can delete the fees belonging to the owner of `ArrakisStandardManager`
#8
sherlock-admin2
opened
1 month ago
3
NoOne - Missing `whenNotPaused` Modifier in `withdraw` Function
#7
sherlock-admin2
closed
1 month ago
0
NoOne - Missing Access Control in withdrawManagerBalance Function
#6
sherlock-admin4
closed
1 month ago
0
NoOne - Minting to Zero Address Causes Revert During Initial Supply Setup
#5
sherlock-admin4
closed
1 month ago
4
juaan - The expected price bounds are not passed in to alm.depositLiquidity(), allowing a sandwich attack
#4
sherlock-admin3
closed
1 month ago
0
NoOne - Missing checks in `whitelistModules`
#3
sherlock-admin2
closed
1 month ago
0
BiasedMerc - When Vault Executors set one _init to 0, deposit() will be broken
#2
sherlock-admin2
closed
1 month ago
1
_karanel - No way to update `maxOracleUpdateDurationFeed0` and `maxOracleUpdateDurationFeed1` outside of constructor, and could lead to DOS of the Valantis module due to falsely getting stale price
#1
sherlock-admin4
closed
1 month ago
0