sherlock-audit/2024-05-pooltogether-judging
issues
0xSpearmint1 - A malicious user can set their hook to a malicious implementation, so that claimers tx spends all the gas allocated and reverts
#70
sherlock-admin4
closed
2 months ago
0
Rhaydden - Inconsistent Total Supply Accounting in `_transferBalance` Function
#69
sherlock-admin3
closed
2 months ago
2
Timenov - No token and gas yield configured for Blast.
#68
sherlock-admin2
closed
2 months ago
0
alexbabits - deadline can be current block.timestamp during swaps leading to maximum price slippage
#67
sherlock-admin4
closed
2 months ago
0
newt - Avoiding Contradictions in Conditional Logic
#66
sherlock-admin3
closed
2 months ago
1
newt - Lack Of Zero Address Checks
#65
sherlock-admin2
closed
2 months ago
1
Rhaydden - `liquidationPair` is able to add any number of `_yieldFee`
#64
sherlock-admin4
closed
2 months ago
2
AnasTur - TPDA Dutch Auction Manipulation in PoolTogether V5
#63
sherlock-admin3
closed
2 months ago
1
AnasTur - Inconsistent TWAB Calculation for Zero Balances in TwabController
#62
sherlock-admin2
closed
2 months ago
1
AnasTur - Prize Pool Tier Manipulation via Claim Counts
#61
sherlock-admin4
closed
2 months ago
0
AnasTur - Critical Access Control Flaw in PoolTogether V5 Prize Pool Contract - Potential for Prize Manipulation
#60
sherlock-admin3
closed
2 months ago
1
Rhaydden - Potential Issue in `withdrawShutdownBalance` can allow users receive more than their fair share at the expense of others
#59
sherlock-admin2
closed
2 months ago
2
zraxx - The function finishDraw and startDraw can be front-runned.
#58
sherlock-admin4
closed
2 months ago
2
zraxx - By claiming prizes at the canary tiers, malicious users can reduce the claim fee at other tiers
#57
sherlock-admin3
closed
2 months ago
1
0xSpearmint1 - If a user calls `contributePrizeTokens` they are vulnerable to a frontrunning attack
#56
sherlock-admin2
closed
2 months ago
1
0xSpearmint1 - Liquidator can avoid paying the yieldFee by liquidating small amounts
#55
sherlock-admin4
closed
2 months ago
2
zraxx - Since no deadline is set, `startDraw` will cause the user to suffer losses
#54
sherlock-admin3
closed
2 months ago
2
Rhaydden - Missing `notShutdown` modifier in `claimPrize`
#53
sherlock-admin2
closed
2 months ago
0
NoOne - Permit is not compatible with `DAI`
#52
sherlock-admin4
closed
2 months ago
1
0xSpearmint1 - An attacker can force the prize vault into a state such that `withdraw` will revert for all users that deposited
#51
sherlock-admin3
closed
2 months ago
0
zraxx - Attackers can create invalid observations by contributing 0 PrizeToken, causing getDisbursedBetween to return incorrect values.
#50
sherlock-admin2
closed
2 months ago
2
newt - Functions Missing Parameters
#49
sherlock-admin4
closed
2 months ago
1
volodya - _directlyContributedReserve doesn't work as expected
#48
sherlock-admin3
closed
2 months ago
1
zraxx - When the total Draw Auction Rewards exceeds availableRewards, `finishDraw` will fail.
#47
sherlock-admin2
closed
2 months ago
0
zraxx - `getDisbursedBetween` may return incorrect values when `ringBufferInfo.cardinality = 1`
#46
sherlock-admin4
closed
2 months ago
2
0xSpearmint1 - YieldVaults with fee on deposit are incompatible with the protocol
#45
sherlock-admin3
closed
2 months ago
11
0xSpearmint1 - An attacker can take advantage of a yield vault that made a loss, at the expense of all other users
#44
sherlock-admin2
closed
2 months ago
7
AuditorPraise - witnet doesn't support avalanche chain
#43
sherlock-admin4
closed
2 months ago
1
0xSpearmint1 - A new draw cannot be finished if the lastStartDrawAuction's rngRequestId is void
#42
sherlock-admin3
closed
2 months ago
1
AuditorPraise - Users can know the random number before a draw closes
#41
sherlock-admin2
closed
2 months ago
2
AuditorPraise - `prizeVault.previewDeposit()` and `prizeVault.previewMint()` don't comply to ERC4626 standard
#40
sherlock-admin4
closed
2 months ago
2
MiloTruck - `TpdaLiquidationPair.swapExactAmountOut()` can be DOSed by a vault's mint limit
#39
sherlock-admin3
opened
3 months ago
9
MiloTruck - Price formula in `TpdaLiquidationPair._computePrice()` does not account for a jump in liquidatable balance
#38
sherlock-admin2
opened
3 months ago
9
MiloTruck - `try/catch` in `Claimer._claim()` allows users to steal gas from claimer bots
#37
sherlock-admin4
closed
2 months ago
0
MiloTruck - Distributing liquidity based on the last `grandPrizePeriodDraws` days post-shutdown is problematic
#36
sherlock-admin3
closed
2 months ago
12
snapishere - DOS of claimprize function in the PrizePool.sol+ Loss of Tokens
#35
sherlock-admin2
closed
2 months ago
1
0xSpearmint1 - Attacker can ensure they win by manipulating `isWinner` calculation
#34
sherlock-admin4
closed
2 months ago
11
MiloTruck - `TierCalculationLib.calculateWinningZone()` rounding down could severely reduce a user's chances of winning
#33
sherlock-admin3
closed
2 months ago
2
MiloTruck - Inconsistent result from `DrawAccumulator.binarySearch()` causes prize pool calculations to be incorrect
#32
sherlock-admin2
closed
2 months ago
3
0xSpearmint1 - An attacker can DOS deposits by frontrunning to reach the TWAB limit
#31
sherlock-admin4
closed
2 months ago
1
MiloTruck - `uint96` is too small for `_directlyContributedReserve`, which is cumulative
#30
sherlock-admin3
closed
2 months ago
3
MiloTruck - Undistributed prize liquidity due to `tierLiquidityUtilizationRate` remains stuck in the prize pool
#29
sherlock-admin2
closed
2 months ago
1
MiloTruck - `drawTimeoutAt()` causes the prize pool to shutdown one draw earlier
#28
sherlock-admin4
opened
3 months ago
11
MiloTruck - Draws can be retried even if a random number is available or the current draw has finished
#27
sherlock-admin3
opened
3 months ago
11
MiloTruck - `DrawManager.startDraw()` can be called after prize pool shutdown, even though `finishDraw()` always reverts
#26
sherlock-admin2
closed
2 months ago
28
MiloTruck - `DrawManager.finishDraw()` might allocate more rewards than the reserve amount to draws
#25
sherlock-admin4
closed
2 months ago
0
MiloTruck - Use of `.transfer()` in `Requestor.withdraw()` will not work on zkSync
#24
sherlock-admin3
closed
2 months ago
1
0xSpearmint1 - `yieldFeeBalance` cannot be claimed once `TWAB_SUPPLY_LIMIT` is reached
#23
sherlock-admin2
closed
2 months ago
8
0xSpearmint1 - An attacker can DOS liquidations once a vault is near the TWAB limit
#22
sherlock-admin4
closed
2 months ago
1
dany.armstrong90 - The condition check of function `DrawManager.sol#canStartDraw` is wrong.
#21
sherlock-admin3
closed
2 months ago
1