sherlock-audit/2024-05-pooltogether-judging
issues
trachev - The protocol will not function on many of the required chains
#120
sherlock-admin3
closed
1 month ago
1
trachev - Users may be unable to withdraw from their `Requestor` contract
#119
sherlock-admin2
closed
1 month ago
1
bareli - Result of transfer / transferFrom not checked
#118
sherlock-admin4
closed
1 month ago
1
trachev - The `canStartDraw` function may prevent auction draws from being started
#117
sherlock-admin3
closed
1 month ago
0
0xSpearmint1 - An attacker can force a prizeVault into a state to delay liquidations for a greater profit
#116
sherlock-admin2
closed
1 month ago
12
trachev - The `canStartDraw` function may return wrong data, causing loss of funds
#115
sherlock-admin4
closed
1 month ago
0
elhaj - Unfair Manipulation of Winning Chances Due to Stolen Yield on `Blast`
#114
sherlock-admin3
opened
1 month ago
6
trachev - The `startDraw` function can be called after the Prize Pool has become shutdown, causing a loss of funds
#113
sherlock-admin2
closed
1 month ago
0
Nihavent - When `PrizePool` reserves are low and more than expected number of prizes are won, race conditions are created to claim prizes. Some users' prize funds will be locked due to `PrizePool::claimPrize()` call reverting.
#112
sherlock-admin4
closed
3 weeks ago
20
jo13 - PoolTogether on Blast L2: Rebasing WETH Allows Malicious Users to Inflate Contributions and Manipulate Prize Odds
#111
sherlock-admin3
closed
1 month ago
0
ydlee - Prize winners can set claim hooks to revert `claimPrize` from others to save the claim rewards.
#110
sherlock-admin2
closed
1 month ago
1
MRXSNOWDEN - Reentrancy Vulnerability in The _claim function
#109
sherlock-admin4
closed
1 month ago
2
ydlee - `TpdaLiquidationPair.swapExactAmountOut` does not refund excess inTokens if not called from `TpdaLiquidationRouter`.
#108
sherlock-admin3
closed
1 month ago
2
0xmystery - safeTransfer() associated with stEth often results in 1-2 wei lesser of assets transfer from yieldVault, leading to easy DoS of PrizeVault._withdraw()
#107
sherlock-admin2
closed
1 month ago
1
aman - PUSH0 is not supported by Linea
#106
sherlock-admin4
closed
1 month ago
1
ydlee - For a new `drawId`, `startDraw` always reverts if the time elapsed for the first `startDraw` exceeds the auction duration.
#105
sherlock-admin3
closed
1 month ago
0
Kunhah - The result of the function `calculatePseudoNumber` can be previewed before calling `claimPrize`
#104
sherlock-admin2
closed
1 month ago
1
newt - Unrestricted Access to `burn` Function
#103
sherlock-admin4
closed
1 month ago
0
newt - Unrestricted Access to mint Function
#102
sherlock-admin3
closed
1 month ago
1
0x73696d616f - `Claimable` is vulnerable to return gas bomb attacks, DoSing claiming for all other winners
#101
sherlock-admin2
closed
1 month ago
0
0x73696d616f - `DrawManager::finishDraw()` may hand out more rewards than the reserve if RNG requests fail
#100
sherlock-admin4
closed
1 month ago
0
0x73696d616f - `DrawManager::canStartDraw()` does not take into account failed requests, returning false when it should return true and harms bots
#99
sherlock-admin3
closed
1 month ago
0
0x73696d616f - `Requestor` uses `to.transfer()` to withdraw the balance of the creator, but the creator may not be able to receive it
#98
sherlock-admin2
closed
1 month ago
1
0x73696d616f - The accumulated balance in the `TwabController` will overflow for tokens with a bigger number of decimals, leading to lost funds
#97
sherlock-admin4
closed
1 month ago
2
0x73696d616f - Vault portion calculation in `PrizePool::getVaultPortion()` is incorrect as `_startDrawIdInclusive` has been erased
#96
sherlock-admin3
opened
1 month ago
3
0x73696d616f - Estimated prize draws in TieredLiquidityDistributor are off due to rounding down when calculating the sum, leading to incorrect prizes
#95
sherlock-admin2
opened
1 month ago
25
0x73696d616f - Some tiers will not be awarded in the PrizePool when the last observation has been erased in the TwabController
#94
sherlock-admin4
closed
1 month ago
1
0x73696d616f - Current Tpda liquidations can not deal with upwards yield fluctuations, leading to yield loss in some scenarios
#93
sherlock-admin3
closed
1 month ago
2
0x73696d616f - Withdrawals in the `PrizeVault` will not work for some vaults due to using `previewWithdraw()` and then `redeem()`
#92
sherlock-admin2
closed
3 weeks ago
14
0x73696d616f - `PrizeVault::maxDeposit()` is not ERC4626 compliant as it does not consider rounding errors nor restricted receivers, nor `maxMint()`
#91
sherlock-admin4
closed
1 month ago
1
0x73696d616f - `PrizeVault::deposit/mint()` will always revert due to lossy deposits in yield vaults due to rounding errors when the yield buffer is depleted
#90
sherlock-admin3
closed
1 month ago
1
0x73696d616f - `PrizeVault::depositWithPermit()` still allows griefing attacks, despite the attempts of the code and comments
#89
sherlock-admin2
closed
1 month ago
1
0x73696d616f - DoSed liquidations as `PrizeVault::liquidatableBalanceOf()` does not take into account the `mintLimit` when the token out is the asset
#88
sherlock-admin4
opened
1 month ago
29
newt - Missing Zero Address Check for _rewardRecipient
#87
sherlock-admin3
closed
1 month ago
1
jovi - Claimer:claimPrizes does a naive feePerClaim calculation
#86
sherlock-admin2
closed
1 month ago
0
jovi - PrizeVault:transferTokensOut miscalculates the yield fee
#85
sherlock-admin4
closed
1 month ago
1
elhaj - Claimers Cannot Claim Prizes When Last Tier Liquidity is 0, Preventing Winners from Receiving Their Prizes
#84
sherlock-admin3
opened
1 month ago
41
jovi - TpdaLiquidationPair does not enforce the TpdaLiquidationRouter contract is the only possible caller for the swapExactAmountOut function
#83
sherlock-admin2
closed
1 month ago
2
jovi - Claimable:claimPrize beforeClaimPrize hooks can be used to steal rewards from the reward recipient
#82
sherlock-admin4
closed
1 month ago
2
elhaj - Hardcoded Gas for Hooks May Prevent Winners from Receiving Prizes Due to Insufficiency on Different Chains
#81
sherlock-admin3
closed
1 month ago
10
elhaj - Potential ETH Loss Due to transfer Usage in Requestor Contract on `zkSync`
#80
sherlock-admin2
opened
1 month ago
21
elhaj - `PUSH0` opcode Is Not Supported on Linea yet
#79
sherlock-admin4
opened
1 month ago
15
newt - Potential Revert on Insufficient Balance Transactions
#78
sherlock-admin3
closed
1 month ago
2
aman - Reorgs attack issue while deploying using create , will result in fund lost for Requester contract
#77
sherlock-admin2
closed
1 month ago
2
evmboi32 - The number of tiers is incorrectly used when claiming rewards.
#76
sherlock-admin4
closed
1 month ago
5
rudhra1749 - PricePool.sol:contributePrizeTokens wrong accounting of price tokens
#75
sherlock-admin3
closed
1 month ago
1
0xSpearmint1 - Frontrunning liquidations consistently will lead to honest liquidators reverting and vault user's having less yield contributed to the PrizePool long term
#74
sherlock-admin2
closed
1 month ago
2
cu5t0mPe0 - The claimer's fee will be stolen by the winner
#73
sherlock-admin4
opened
1 month ago
14
evmboi32 - Vault can auction off yield for an incorrect price
#72
sherlock-admin3
closed
1 month ago
2
evmboi32 - Users can be unable to claim rewards
#71
sherlock-admin2
closed
1 month ago
1