sherlock-audit / 2024-05-pooltogether-judging
issues
`transfer` is used to send ETH
#170
sherlock-admin2
closed
5 months ago
0
witnet not supported in chains
#169
sherlock-admin3
closed
5 months ago
0
Potential Loss of Funds in TwabERC20 Due to Unchecked Transfers to TwabController
#168
sherlock-admin4
closed
5 months ago
0
gas Optimization
#167
sherlock-admin2
closed
5 months ago
0
Using Arrays
#166
sherlock-admin3
closed
5 months ago
0
Arithmetics
#165
sherlock-admin4
closed
5 months ago
0
Delegate to the sponsor without ``PrizeVault#sponsor`` function.
#164
sherlock-admin2
closed
5 months ago
0
jo13 - Gas Manipulation by Malicious Winners in claimPrizes Function
#163
sherlock-admin4
opened
5 months ago
9
hash - Users can set up hooks to control the expansion of tiers
#162
sherlock-admin3
opened
5 months ago
19
0x73696d616f - Winners in `Claimable` may game claimer bots by claiming the prize when the `beforeHook` is called on the hook
#161
sherlock-admin2
closed
5 months ago
0
MrCrowNFT - [M-1] Users can deposit ERC 20 not accounted by any `LiquidationPair` and potentially freezing the deposits to the `PrizePool`
#160
sherlock-admin4
closed
5 months ago
1
hash - Can start draw will return incorrectly
#159
sherlock-admin3
closed
5 months ago
0
Ironsidesec - Prize claims with hooks will fail on Arbitrum L2
#158
sherlock-admin2
closed
5 months ago
2
0xShoonya - The swap mechanism does not have a deadline parameter
#157
sherlock-admin4
closed
5 months ago
1
0xSpearmint1 - Complex attack using flashswapcallback to steal user's deposits
#156
sherlock-admin3
closed
5 months ago
1
newt - Missing Authorization Check in `delegate` Function
#155
sherlock-admin2
closed
5 months ago
1
hash - Users might be able to add already errored witnet requests on L2s
#154
sherlock-admin4
closed
4 months ago
19
trachev - Users who deposit into a Prize Vault after the Prize Pool has shut down cannot earn any yield
#153
sherlock-admin3
closed
5 months ago
0
newt - Lack of Access Control on `sponsor` Function
#152
sherlock-admin2
closed
5 months ago
2
0x73696d616f - `Claimer::claimPrizes()` and `Claimer::computeTotalFees()` do not validate the intended `drawId`, which may incur significant costs for claimer bots
#151
sherlock-admin4
closed
5 months ago
2
cu5t0mPe0 - After the user calls startDraw, they are unable to obtain the reward.
#150
sherlock-admin3
closed
5 months ago
2
0xSpearmint1 - An attacker can frontrun a yieldVault accumulating yield with a large liquidation to lose/steal the yield of all the users
#149
sherlock-admin2
closed
5 months ago
24
aman - Griefing Attack: requests[requestId] Overflow Due to Large Request Volume and Short Block Time.
#148
sherlock-admin4
closed
5 months ago
2
trachev - `finishDraw` will fail in many occurrences due to unpredictable calculations
#147
sherlock-admin3
closed
5 months ago
0
hash - Using `feePerClaim` for slippage control could result in claimers making losses during claims
#146
sherlock-admin2
closed
5 months ago
0
hash - Vault beneficiary contribution may be shared to all in case of shutdown
#145
sherlock-admin4
closed
5 months ago
2
KupiaSec - The depositors of the vault with tokens with more than 18 decimals like `YAMv2` are unable to withdraw their shutdown balance due to an overflow error despite of large contribution of the vault to the `PrizePool`
#144
sherlock-admin3
closed
5 months ago
2
KupiaSec - `TpdaLiquidationPair.swapExactAmountOut()` calculates `swapAmountIn` incorrectly
#143
sherlock-admin2
closed
5 months ago
2
hash - Incorrect implementation of `drawTimeout`
#142
sherlock-admin4
closed
5 months ago
0
0x73696d616f - `Claimer::claimPrizes()` fee is incorrect and incurs very significant costs whenever it is frontrunned
#141
sherlock-admin3
closed
5 months ago
0
hash - Reward allocation can result in allocation of more than 100% of available reserves
#140
sherlock-admin2
closed
5 months ago
0
0xAadi - Potential Fund Lock in `Requestor` Contract on `zkSync Era` Blockchain Due to the Use of `transfer()` Method to Transfer ETH
#139
sherlock-admin4
closed
5 months ago
1
hash - `permit` is not compatible with DAI
#138
sherlock-admin3
closed
5 months ago
1
hash - `shutdownBalanceOf` calculation can overflow
#137
sherlock-admin2
closed
5 months ago
6
hash - `maxRedeem` doesn't comply with ERC-4626
#136
sherlock-admin4
opened
5 months ago
6
0xRajkumar - When allowance is not equal to the assets in Prizevault, it causes a DOS.
#135
sherlock-admin3
closed
5 months ago
1
hash - `maxDeposit` doesn't comply with ERC-4626
#134
sherlock-admin2
opened
5 months ago
5
hash - Users might be able to claim their prizes even after shutdown
#133
sherlock-admin4
opened
5 months ago
34
Tri-pathi - Vault's `maxDeposit()` returns a positive value while `deposit()` reverts violating EIP-4626
#132
sherlock-admin3
closed
5 months ago
1
0x73696d616f - `Claimer::_claim()` should reserve gas to finish execution, or it may revert unexpectedly, losing fees and gas for the claimer bot
#131
sherlock-admin2
closed
5 months ago
0
berndartmueller - A new draw auction for the same draw cannot be started if the RNG request succeeded but the `finishDraw` auction expired
#130
sherlock-admin4
closed
5 months ago
2
berndartmueller - `DrawManager.canStartDraw` does not consider retried RNG requests when determining if a new draw auction can be started
#129
sherlock-admin3
opened
5 months ago
3
berndartmueller - Entire prize pool reserve is used up after a draw is awarded, preventing building up a larger reserve over time
#128
sherlock-admin2
closed
5 months ago
3
0x73696d616f - Witnet is not available on some networks listed
#127
sherlock-admin4
opened
5 months ago
14
berndartmueller - The RNG finish draw auction rewards are overpaid due to missing to account for the time it takes to fulfill the Witnet randomness request
#126
sherlock-admin3
opened
5 months ago
5
berndartmueller - Draw auction rewards likely exceed the available rewards, resulting in overpaying rewards or running into an `InsufficientReserve` error
#125
sherlock-admin2
opened
5 months ago
6
infect3d - `Claimers` can receive less `feePerClaim` than they should if some prizes are already claimed or if reverts because of a reverting hook
#124
sherlock-admin4
opened
5 months ago
3
infect3d - `DrawManager::finishDraw` can revert when the sum of rewards to distribute is more than available reserve
#123
sherlock-admin3
closed
5 months ago
0
infect3d - ClaimPrize hooks gas limit can be violated using a gas bomb, making `claimPrizes` revert
#122
sherlock-admin2
closed
5 months ago
0
ydlee - If a successful `startDrawAuction` has expired, `finishDraw` will always revert even if the draw has not finalized.
#121
sherlock-admin4
closed
5 months ago
0