sherlock-audit / 2024-05-beefy-cowcentrated-liquidity-manager-judging
issues
Naresh - Usage of `slot0` to get sqrtPriceX96 is extremely prone to manipulation
#45
sherlock-admin3
closed
3 months ago
0
4b - Precision Loss in return price for first and second token
#44
sherlock-admin2
closed
3 months ago
0
Rhaydden - Usage of slot0 is extremely easy to manipulate
#43
sherlock-admin4
closed
3 months ago
0
4b - Incorrect total Balance calculation
#42
sherlock-admin3
closed
3 months ago
2
Sparrow_Jac - Potential for Price Manipulation in Using `slot0` to Obtain `sqrtPriceX96`
#41
sherlock-admin2
closed
3 months ago
0
bughuntoor - Attacker can sandwich call to `unpause` and steal most funds from the strategy
#40
sherlock-admin4
closed
3 months ago
1
bughuntoor - Changing `positionWidth` also centers the position
#39
sherlock-admin3
closed
3 months ago
2
bughuntoor - Alt ticks will not be set if `bal1 == amount0`
#38
sherlock-admin2
closed
3 months ago
2
nikolap - No correction on a deadline when minting/burning etc
#37
sherlock-admin4
closed
3 months ago
0
nikolap - No slippage protection when decreasing liquidity from a position
#36
sherlock-admin3
closed
3 months ago
1
nikolap - No slippage protection when minting a position
#35
sherlock-admin2
closed
3 months ago
1
pwning_dev - Potential Overflow in FullMath.mulDiv
#34
sherlock-admin4
closed
3 months ago
1
BiasedMerc - StrategyPassiveManagerVelodrome::setDeviation incorrectly checks new _maxDeviation
#33
sherlock-admin3
closed
3 months ago
18
BiasedMerc - StrategyPassiveManagerVelodrome::lpToken0ToNativePrice and lpToken1ToNativePrice incorrectly calculate prices
#32
sherlock-admin2
closed
3 months ago
0
nour99 - [M-1] Unsafe casting of user amount from uint256 to uint128
#31
sherlock-admin4
closed
3 months ago
1
KungFuPanda - Revert-on-0-value-transfers tokens can DoS the retireVault function of the StrategyPassiveManagerVelodrome contract
#30
sherlock-admin3
closed
3 months ago
0
blackhole - The `harvest` function should check if the feeLeft is greater than 0 before calling `notifyRewardAmount`
#29
sherlock-admin2
closed
3 months ago
2
blackhole - The maximum tick deviation should be less than or equal to 4 times the tick spacing in the setDeviation function
#28
sherlock-admin4
closed
3 months ago
1
blackhole - The `harvest` function may revert after the owner changes the rewardPool address due to missing approval
#27
sherlock-admin3
closed
3 months ago
0
blackhole - `retireVault` function can fail on zero amount transfer if lpToken balance is 0
#26
sherlock-admin2
closed
3 months ago
1
WildSniper - in `StratFeeManagerInitializable::setStratFeeId()` setting new `stratFeeId` retrospectively applies new fees to pending LP rewards yet to be claimed
#25
sherlock-admin4
closed
3 months ago
2
0xreadyplayer1 - Incorrect twap interval can jeopardise deposit and withdraw protection
#24
sherlock-admin3
closed
3 months ago
2
0xreadyplayer1 - Path.sol library returns incorrect results on passed data instead of reverting
#23
sherlock-admin2
closed
3 months ago
1
blackhole - The incorrect lpToken price calculation can lead to potential issues in future integrations
#22
sherlock-admin4
closed
3 months ago
1
blackhole - _addLiquidty can be reverted when gauge is not alive
#21
sherlock-admin3
closed
3 months ago
8
iamnmt - `StrategyPassiveManagerVelodrome` does not reset the reward pool's allowance upon setting the new reward pool
#20
sherlock-admin2
closed
3 months ago
0
Rhaydden - `twap()` would return the wrong prices for negative tick deltas since it doesn't round up for them
#19
sherlock-admin4
closed
3 months ago
1
unix515 - Add default constructor that calls `_disableInitializers()` to StrategyPassiveManagerVelodrome
#18
sherlock-admin3
closed
3 months ago
1
unix515 - `uniswapV3MintCallback()` will be reverted if uniswap pool's internal logic is postponed.
#17
sherlock-admin2
closed
3 months ago
2
iamnmt - `StrategyPassiveManagerVelodrome`'s functionality would break when being initialized with a pool that has one of the trading tokens as a reward token
#16
sherlock-admin4
closed
3 months ago
5
BiasedMerc - VeloSwapUtils.sol utilises wrong Route struct for interacting with unirouter
#15
sherlock-admin3
closed
3 months ago
12
BiasedMerc - VeloSwapUtils::swap() passes address[] instead of route[] to V2_SWAP_EXACT_IN due to incorrect pathToRoute function
#14
sherlock-admin2
closed
3 months ago
11
BiasedMerc - VeloSwapUtils::swap() do not provide 0 value as minAmountOut whilst not checking received amount afterwards
#13
sherlock-admin4
closed
3 months ago
0
peyodp - Unsafe casting of the `_liquidty` parameter in `TickUtils::quoteAddLiquidity` in TickUtils.sol
#12
sherlock-admin3
closed
3 months ago
1
Bauchibred - Swaps that need to use the `VeloSwapUtils#pathToRoute()` would not work
#11
sherlock-admin2
closed
3 months ago
18
Bauchibred - An easily manipulated price data is being used when minting/adding liquidity for positions
#10
sherlock-admin4
closed
3 months ago
1
Bauchibred - `StrategyPassiveManagerVelodrome#retireVault()` can be permanently bricked for as little as `~1 wei`
#9
sherlock-admin3
closed
3 months ago
9
Bauchibred - Protocol mints and decreases liquidity from Velodrome without slippage/deadline
#8
sherlock-admin2
closed
3 months ago
1
Bauchibred - `skipToken() & decodeFirstPool()` are broken for swaps like `V2_SWAP_EXACT_IN`
#7
sherlock-admin4
closed
3 months ago
22
ccashwell - Uninitialized State: `StratFeeManagerInitializable.totalLocked1` is never initialized
#6
sherlock-admin3
closed
3 months ago
1
ccashwell - Uninitialized State: `StratFeeManagerInitializable.totalLocked0` is never initialized
#5
sherlock-admin2
closed
3 months ago
1
BiasedMerc - StrategyPassiveManagerVelodrome::retireVault() can be front-run to prevent retirement
#4
sherlock-admin4
closed
3 months ago
2
BiasedMerc - StrategyPassiveManagerVelodrome::setRewardPool() doesn't set rewardPool allowance
#3
sherlock-admin3
closed
3 months ago
6
0xreadyplayer1 - `TickMath` might revert in solidity version 0.8
#2
sherlock-admin2
closed
3 months ago
1
0xreadyplayer1 - Using `block.timestamp` for swap deadline offers no protection
#1
sherlock-admin4
closed
3 months ago
1