sherlock-audit 2024-03-zivoe-judging issues

sherlock-audit / 2024-03-zivoe-judging

8 stars 6 forks source link

issues

Newest

Newest Most commented Recently updated Oldest Least commented Least recently updated

Wrong input validation in `OCE_ZVE::updateExponentialDecayPerSecond`

#718 sherlock-admin3 closed 6 months ago
1
Temporary DoS in `OCR_Modular::DestroyRequest`

#717 sherlock-admin4 closed 6 months ago
1
Title: Inconsistent Handling of Token Order in Uniswap Pool Validation,`ZivoeSwapper::handle_validation_0502b1c5` assetIn should be token0 when zeroForOne_0 is true

#716 sherlock-admin3 closed 6 months ago
1
Title: Lack of Overflow and Underflow Protection in Arithmetic Operations in `ZivoeVotes`.

#715 sherlock-admin4 closed 6 months ago
0
`applyCombine` incorrectly sets the `valid` flag of `combinations` at `combineCounter`

#714 sherlock-admin3 closed 6 months ago
1
use `safeApprove` instead of `safeDecreaseAllowance` when removing allowance inside DAO

#713 sherlock-admin4 closed 6 months ago
1
Combining loans by using `OCC_Modular::applyCombine` will potentially cause a rounding error in the annualized percentage rate (APR), causing it to be lower than it should due to truncation

#712 sherlock-admin3 closed 6 months ago
1
Input Array Lengths in `initializeGlobals` function are not validated

#711 sherlock-admin4 closed 6 months ago
1
Potential Revert Due to Zero Senior Supply

#710 sherlock-admin3 closed 6 months ago
1
updateDistributionRatioBIPS and updateExponentialDecayPerSecond affect the past

#709 sherlock-admin4 closed 6 months ago
1
Yield distribution can only start after 60 days of being ITO being concluded

#708 sherlock-admin3 closed 6 months ago
1
Missing check to ensure stablecoin is whitelisted

#707 sherlock-admin4 closed 6 months ago
1
ZivoeDAO ownership not locked

#706 sherlock-admin3 closed 6 months ago
1
John_Femi - Precision loss in `earningsTrancheuse` function

#705 sherlock-admin4 closed 6 months ago
4
Bauchibred - `pushToLocker()` can be DOS'd due to restricted external admin actions

#704 sherlock-admin3 closed 6 months ago
2
burhan_khaja - Anybody can manupilate rewardRate and Steal all of the rewards

#703 sherlock-admin4 closed 6 months ago
2
heedfxn - Reward rate can be diluted in rewards contracts

#702 sherlock-admin3 closed 6 months ago
1
ZanyBonzy - Curve and convex pools can be killed/shutdown

#701 sherlock-admin4 closed 6 months ago
2
Ironsidesec - Opting out of rebase when the rebasing is in neagtive curve is not possible

#700 sherlock-admin3 closed 6 months ago
2
Bauchibred - Protocol's functionality can end up being broken based on the asset being used

#699 sherlock-admin4 closed 6 months ago
2
w42d3n - Reentrancy Vulnerability in `withdraw()

#698 sherlock-admin3 closed 6 months ago
2
ZanyBonzy - `PyUSD` admins can seize protocol's tokens.

#697 sherlock-admin4 closed 6 months ago
8
Ironsidesec - max JTT mint (`isJuniorOpen`) can be breached at the epoch end.

#696 sherlock-admin3 closed 6 months ago
2
aman - DoS : Unable to get rewards due to USDC blacklisted user's

#695 sherlock-admin4 closed 6 months ago
2
John_Femi - some users could be rejected while attempting to deposit with `depositJunior`

#694 sherlock-admin3 closed 6 months ago
2
denzi_ - Potential loss of rewards and incorrect account of _totalSupply if the user executes `withdraw()` before being revoked

#693 sherlock-admin4 closed 6 months ago
2
ZanyBonzy - Interest rates keep rising when underlying stablecoin gets paused

#692 sherlock-admin3 closed 6 months ago
7
0xe4669da - `ZivoeITO::depositSenior` allows 1 `wei` to be deposited and this could lead to Denial of Service attack

#691 sherlock-admin4 closed 6 months ago
1
Jameslaycon700 - Fund is Lost in ZivoeGlobals Contract

#690 sherlock-admin3 closed 6 months ago
2
0xRstStn - `createVestingSchedule` allows to create vesting periods with a duration longer than the maximum (i.e. 1800 days)

#689 sherlock-admin4 closed 6 months ago
1
denzi_ - `removeLiquidity` when forwarding yield in OCL_ZVE contract can cause loss of funds for the protocol due to hardcoded 0 for min PairAsset and ZVE

#688 sherlock-admin3 closed 6 months ago
1
Ironsidesec - `OCL_ZVE` is assuming thet ZVE will always be token 1 and the pair asset will always be token 0 when adding, removing the liquidity

#687 sherlock-admin4 closed 6 months ago
2
0bing076 - H-1 Reentrancy Vulnerability in ZivoeTranches.depositBoth(uint256,address,uint256,address) (src/ZivoeTranches.sol#322-325)

#686 sherlock-admin3 closed 6 months ago
2
denzi_ - Incorrect Updation of _checkpoints[account] in `ZivoeRewardsVesting::revokeVestingSchedule()` can mess up accounting of votes

#685 sherlock-admin4 closed 6 months ago
1
jasonxiale - Precision loss in `OCC_Modular.applyCombine`

#684 sherlock-admin3 closed 6 months ago
2
denzi_ - Front-Running Vulnerability Due to Predictable Incentive Calculations in ZivoeTranches Contract

#683 sherlock-admin4 closed 6 months ago
1
0xvj - Excess yield is granted to tranche token holders

#682 sherlock-admin3 closed 6 months ago
2
denzi_ - On combining loans, the new calculated APR rounds down causing the user to pay less interest

#681 sherlock-admin4 closed 6 months ago
1
0xe4669da - [M-1] `ZivoeITO::depositSenior` allows 1 `wei` to be deposited and this could lead to Denial of Service attack

#680 sherlock-admin3 closed 6 months ago
2
jasonxiale - APR in `OCC_Modular.applyCombine` is not correct

#679 sherlock-admin4 closed 6 months ago
1
Bauchibred - Curve admin can drain pool via reentrancy

#678 sherlock-admin3 closed 6 months ago
15
BoRonGod - curve pool's emergency_admin can kill a curve pool

#677 sherlock-admin4 closed 6 months ago
2
sl1 - `OCL_ZVE.pushToLockerMulti()` uses contract balances to add liquidity.

#676 sherlock-admin3 closed 6 months ago
1
Aymen0909 - `ZivoeRewardsVesting::revokeVestingSchedule` incorrectly decreases the total staking supply `_totalSupply`

#675 sherlock-admin4 closed 6 months ago
1
sl1 - Deposits to tranches can be DoS'ed.

#674 sherlock-admin3 closed 6 months ago
2
0xvj - forwardYield function can be sandwiched to make it distribute more yield than intended

#673 sherlock-admin4 closed 6 months ago
1
BoRonGod - DAO unable to withdraw their funds due to Origin admin action

#672 sherlock-admin3 closed 6 months ago
8
marchev - `OCC_Modular` Borrower can get up to a week of a loan with 0% interest rate

#671 sherlock-admin4 closed 6 months ago
6
Ironsidesec - Yield distribution cannot be done after 30 days days after ITO end, or better put, First yield distribution is possible only after 60 days of ITO conclusion.

#670 sherlock-admin3 closed 6 months ago
1
sl1 - `makePayment()` charges interest on the intervals that have not yet passed.

#669 sherlock-admin4 closed 6 months ago
2