sherlock-audit/2024-06-makerdao-endgame-judging
issues
Laksmana - missing auth modifier, causing loss of user funds when lock at different `urn`
#82
sherlock-admin2
closed
1 month ago
2
zraxx - A malicious urn owner can steal all funds.
#81
sherlock-admin4
closed
1 month ago
1
Laksmana - Incorrect parameter filled in, causes `LockstakeMkr` to not be minted
#80
sherlock-admin3
closed
1 month ago
1
zraxx - Function `deposit` and `mint` have no slippage protection.
#79
sherlock-admin2
closed
1 month ago
1
zhoo - Some erc20 token transfer functions do not return a value
#78
sherlock-admin4
closed
1 month ago
1
zhoo - LockstakeEngine.wipe did not update the rate
#77
sherlock-admin3
closed
1 month ago
1
zraxx - The function `take` will cause the user to buy collateral exceeding the `max` price.
#76
sherlock-admin2
closed
1 month ago
1
zhoo - LockstakeClipper.yank did not process the burned lsmkr token
#75
sherlock-admin4
closed
1 month ago
1
zhoo - The StakingRewards will be sandwich attacked
#74
sherlock-admin3
closed
1 month ago
1
cryptphi - User would lose funds when rate is zero
#73
sherlock-admin2
closed
1 month ago
1
panprog - There is not enough incentive to call `VoteDelegate.reserveHatch` as it can be abused by attackers to drain gas fees from liquidators
#72
sherlock-admin4
closed
1 month ago
1
panprog - `LockstakeEngine.selectVoteDelegate` uses stored borrow rate for health calculation, making it possible to avoid liquidation by switching voteDelegate if nobody calls `jug.drip`.
#71
sherlock-admin3
closed
1 month ago
15
panprog - `UniV2PoolMigratorInit` can lose some funds during migration due to rounding error, up to 29% in the worst case
#70
sherlock-admin2
closed
1 month ago
1
JuggerNaut63 - Replay Attack in VoteDelegateFactory Contract Creation Mechanism
#69
sherlock-admin4
closed
1 month ago
1
panprog - User can bypass paying Lockstake borrow rate, effectively borrowing at 0 or small rate which is a loss of the protocol
#68
sherlock-admin3
closed
1 month ago
1
JuggerNaut63 - Inconsistent Token Transfer Handling Leading to Potential Fund Loss
#67
sherlock-admin2
closed
1 month ago
1
chaduke - `LockstakeEngine.wipe()` does not use the most current stability rate, as a result, the user will repay less than he is supposed to and the protocol will lose funds.
#66
sherlock-admin4
closed
1 month ago
1
panprog - Lockstake vault can be approved to be managed by any manager, not just the owner
#65
sherlock-admin3
closed
1 month ago
1
00xSEV - An attacker can exploit LSUrn address collisions using create2 for complete control of Maker protocol
#64
sherlock-admin2
closed
2 weeks ago
58
00xSEV - An attacker can exploit VD address collisions using create2 to lock some liquidations and withdrawals in Maker protocol
#63
sherlock-admin4
closed
1 month ago
13
00xSEV - An attacker can prevent liquidation by calling `lock`
#62
sherlock-admin3
closed
1 month ago
1
chaduke - The race condition between LockstakeClipper.redo() and LockstakeClipper.upchost() might lead to the loss of incentives and the cost of gas fee for a keeper.
#61
sherlock-admin2
closed
1 month ago
1
chaduke - LockstakeClipper.take() might use a stale value of chost and allows an invalid partial purchase, leaving a debt that can potentially not be able to cover, loss of funds for the protocol.
#60
sherlock-admin4
closed
1 month ago
1
bareli - Max approvals to any address is possible
#59
sherlock-admin3
closed
1 month ago
1
bareli - Anyone can burn anyone's token
#58
sherlock-admin2
closed
1 month ago
1
bareli - Rewards for initial period can be lost in contracts
#57
sherlock-admin4
closed
1 month ago
1
bareli - stakingRewards reward rate can be dragged out and diluted
#56
sherlock-admin3
closed
1 month ago
1
bareli - StakingRewards: Significant loss of precision possible
#55
sherlock-admin2
closed
1 month ago
1
bareli - StakingRewards.setRewardsDuration allows setting near zero or enormous `rewardsDuration`, which breaks reward logic
#54
sherlock-admin4
closed
1 month ago
1
bareli - StakingRewards.recoverERC20 allows owner to rug the rewardsToken
#53
sherlock-admin3
closed
1 month ago
1
Squilliam - Malicious stakers will cause loss of reward funds for honest participants
#52
sherlock-admin2
closed
1 month ago
1
Matin - Rewards are distributed even when there are no stakers, resulting in the rewards being permanently locked away
#51
sherlock-admin4
closed
1 month ago
1
Matin - StakingRewards `rewardPerTokenStored` can be inflated and rewards can be stolen
#50
sherlock-admin3
closed
1 month ago
1
newt - No minimum threshold for distribute function
#49
sherlock-admin2
closed
1 month ago
1
newt - Any User with Auth Access Can Grant or Revoke Admin Access to/from Any Other User
#48
sherlock-admin4
closed
1 month ago
1
JuggerNaut63 - Multicall Reentrancy Exploit via Delegatecall
#47
sherlock-admin3
closed
1 month ago
1
chaduke - Wrong access control for LockstakeEngine.freeNoFee() opens the door for urn owners to avoid paying `tax`.
#46
sherlock-admin2
closed
1 month ago
1
JuggerNaut63 - Signature Malleability in _isValidSignature Function
#45
sherlock-admin4
closed
1 month ago
1
JuggerNaut63 - Token Transfer Failure Due to Non-Standard ERC20 Implementation
#44
sherlock-admin3
closed
1 month ago
1
chaduke - LockstakeClipper.kick() does not add incentives for keepers to tab, the amount of fund to be raised in the auction. As a result, the Vow contract might get into insolvent state eventually.
#43
sherlock-admin2
closed
1 month ago
1
Yashar - Attacker can prevent the liquidation of their loan using address collision in `LockstakeEngine`
#42
sherlock-admin4
closed
1 month ago
0
JuggerNaut63 - Unauthorized Token Recovery via recoverERC20 Function
#41
sherlock-admin3
closed
1 month ago
1
JuggerNaut63 - Front-Running Exploit in Reward Rate Update Mechanism
#40
sherlock-admin2
closed
1 month ago
1
kevinkien - Missing validation of the value v in the _isValidSignature function.
#39
sherlock-admin4
closed
1 month ago
1
kevinkien - Insufficient Input Validation in the kick and take Functions of LockstakeClipper Contract
#38
sherlock-admin3
closed
1 month ago
1
kevinkien - Salt Attack Vulnerability in VoteDelegateFactory create Function
#37
sherlock-admin2
closed
1 month ago
0
kevinkien - Front-Running Vulnerability due to Lack of TWAP Oracle in FlapperUniV2SwapOnly Contract
#36
sherlock-admin4
closed
1 month ago
1
maxim371 - Potential for allowance front-running in transferFrom function
#35
sherlock-admin3
closed
1 month ago
1
J4de - `StakingRewards.setRewardsDuration` will change the duration of an existing reward distribution
#34
sherlock-admin2
closed
1 month ago
1
J4de - After `StakingRewards` is paused, new rewards can still be added, resulting in rewards being claimed by existing stakers
#33
sherlock-admin4
closed
1 month ago
1