sherlock-audit 2024-05-pooltogether-judging issues

sherlock-audit / 2024-05-pooltogether-judging

2 stars 0 forks source link

issues

Newest

Newest Most commented Recently updated Oldest Least commented Least recently updated

trachev - The protocol will not function on many of the required chains

#120 sherlock-admin3 closed 1 month ago
1
trachev - Users may be unable to withdraw from their `Requestor` contract

#119 sherlock-admin2 closed 1 month ago
1
bareli - Result of transfer / transferFrom not checked

#118 sherlock-admin4 closed 1 month ago
1
trachev - The `canStartDraw` function may prevent auction draws from being started

#117 sherlock-admin3 closed 1 month ago
0
0xSpearmint1 - An attacker can force a prizeVault into a state to delay liquidations for a greater profit

#116 sherlock-admin2 closed 1 month ago
12
trachev - The `canStartDraw` function may return wrong data, causing loss of funds

#115 sherlock-admin4 closed 1 month ago
0
elhaj - Unfair Manipulation of Winning Chances Due to Stolen Yield on `Blast`

#114 sherlock-admin3 opened 1 month ago
6
trachev - The `startDraw` function can be called after the Prize Pool has become shutdown, causing a loss of funds

#113 sherlock-admin2 closed 1 month ago
0
Nihavent - When `PrizePool` reserves are low and more than expected number of prizes are won, race conditions are created to claim prizes. Some users' prize funds will be locked due to `PrizePool::claimPrize()` call reverting.

#112 sherlock-admin4 closed 3 weeks ago
20
jo13 - PoolTogether on Blast L2: Rebasing WETH Allows Malicious Users to Inflate Contributions and Manipulate Prize Odds

#111 sherlock-admin3 closed 1 month ago
0
ydlee - Prize winners can set claim hooks to revert `claimPrize` from others to save the claim rewards.

#110 sherlock-admin2 closed 1 month ago
1
MRXSNOWDEN - Reentrancy Vulnerability in The _claim function

#109 sherlock-admin4 closed 1 month ago
2
ydlee - `TpdaLiquidationPair.swapExactAmountOut` does not refund excess inTokens if not called from `TpdaLiquidationRouter`.

#108 sherlock-admin3 closed 1 month ago
2
0xmystery - safeTransfer() associated with stEth often results in 1-2 wei lesser of assets transfer from yieldVault, leading to easy DoS of PrizeVault._withdraw()

#107 sherlock-admin2 closed 1 month ago
1
aman - PUSH0 is not supported by Linea

#106 sherlock-admin4 closed 1 month ago
1
ydlee - For a new `drawId`, `startDraw` always reverts if the time elapsed for the first `startDraw` exceeds the auction duration.

#105 sherlock-admin3 closed 1 month ago
0
Kunhah - The result of the function `calculatePseudoNumber` can be previewed before calling `claimPrize`

#104 sherlock-admin2 closed 1 month ago
1
newt - Unrestricted Access to `burn` Function

#103 sherlock-admin4 closed 1 month ago
0
newt - Unrestricted Access to mint Function

#102 sherlock-admin3 closed 1 month ago
1
0x73696d616f - `Claimable` is vulnerable to return gas bomb attacks, DoSing claiming for all other winners

#101 sherlock-admin2 closed 1 month ago
0
0x73696d616f - `DrawManager::finishDraw()` may hand out more rewards than the reserve if RNG requests fail

#100 sherlock-admin4 closed 1 month ago
0
0x73696d616f - `DrawManager::canStartDraw()` does not take into account failed requests, returning false when it should return true and harms bots

#99 sherlock-admin3 closed 1 month ago
0
0x73696d616f - `Requestor` uses `to.transfer()` to withdraw the balance of the creator, but the creator may not be able to receive it

#98 sherlock-admin2 closed 1 month ago
1
0x73696d616f - The accumulated balance in the `TwabController` will overflow for tokens with a bigger number of decimals, leading to lost funds

#97 sherlock-admin4 closed 1 month ago
2
0x73696d616f - Vault portion calculation in `PrizePool::getVaultPortion()` is incorrect as `_startDrawIdInclusive` has been erased

#96 sherlock-admin3 opened 1 month ago
3
0x73696d616f - Estimated prize draws in TieredLiquidityDistributor are off due to rounding down when calculating the sum, leading to incorrect prizes

#95 sherlock-admin2 opened 1 month ago
25
0x73696d616f - Some tiers will not be awarded in the PrizePool when the last observation has been erased in the TwabController

#94 sherlock-admin4 closed 1 month ago
1
0x73696d616f - Current Tpda liquidations can not deal with upwards yield fluctuations, leading to yield loss in some scenarios

#93 sherlock-admin3 closed 1 month ago
2
0x73696d616f - Withdrawals in the `PrizeVault` will not work for some vaults due to using `previewWithdraw()` and then `redeem()`

#92 sherlock-admin2 closed 3 weeks ago
14
0x73696d616f - `PrizeVault::maxDeposit()` is not ERC4626 compliant as it does not consider rounding errors nor restricted receivers, nor `maxMint()`

#91 sherlock-admin4 closed 1 month ago
1
0x73696d616f - `PrizeVault::deposit/mint()` will always revert due to lossy deposits in yield vaults due to rounding errors when the yield buffer is depleted

#90 sherlock-admin3 closed 1 month ago
1
0x73696d616f - `PrizeVault::depositWithPermit()` still allows griefing attacks, despite the attempts of the code and comments

#89 sherlock-admin2 closed 1 month ago
1
0x73696d616f - DoSed liquidations as `PrizeVault::liquidatableBalanceOf()` does not take into account the `mintLimit` when the token out is the asset

#88 sherlock-admin4 opened 1 month ago
29
newt - Missing Zero Address Check for _rewardRecipient

#87 sherlock-admin3 closed 1 month ago
1
jovi - Claimer:claimPrizes does a naive feePerClaim calculation

#86 sherlock-admin2 closed 1 month ago
0
jovi - PrizeVault:transferTokensOut miscalculates the yield fee

#85 sherlock-admin4 closed 1 month ago
1
elhaj - Claimers Cannot Claim Prizes When Last Tier Liquidity is 0, Preventing Winners from Receiving Their Prizes

#84 sherlock-admin3 opened 1 month ago
41
jovi - TpdaLiquidationPair does not enforce the TpdaLiquidationRouter contract is the only possible caller for the swapExactAmountOut function

#83 sherlock-admin2 closed 1 month ago
2
jovi - Claimable:claimPrize beforeClaimPrize hooks can be used to steal rewards from the reward recipient

#82 sherlock-admin4 closed 1 month ago
2
elhaj - Hardcoded Gas for Hooks May Prevent Winners from Receiving Prizes Due to Insufficiency on Different Chains

#81 sherlock-admin3 closed 1 month ago
10
elhaj - Potential ETH Loss Due to transfer Usage in Requestor Contract on `zkSync`

#80 sherlock-admin2 opened 1 month ago
21
elhaj - `PUSH0` opcode Is Not Supported on Linea yet

#79 sherlock-admin4 opened 1 month ago
15
newt - Potential Revert on Insufficient Balance Transactions

#78 sherlock-admin3 closed 1 month ago
2
aman - Reorgs attack issue while deploying using create , will result in fund lost for Requester contract

#77 sherlock-admin2 closed 1 month ago
2
evmboi32 - The number of tiers is incorrectly used when claiming rewards.

#76 sherlock-admin4 closed 1 month ago
5
rudhra1749 - PricePool.sol:contributePrizeTokens wrong accounting of price tokens

#75 sherlock-admin3 closed 1 month ago
1
0xSpearmint1 - Frontrunning liquidations consistently will lead to honest liquidators reverting and vault user's having less yield contributed to the PrizePool long term

#74 sherlock-admin2 closed 1 month ago
2
cu5t0mPe0 - The claimer's fee will be stolen by the winner

#73 sherlock-admin4 opened 1 month ago
14
evmboi32 - Vault can auction off yield for an incorrect price

#72 sherlock-admin3 closed 1 month ago
2
evmboi32 - Users can be unable to claim rewards

#71 sherlock-admin2 closed 1 month ago
1

Previous Next