sherlock-audit 2024-06-mellow-judging issues

sherlock-audit / 2024-06-mellow-judging

8 stars 4 forks source link

issues

Newest

Newest Most commented Recently updated Oldest Least commented Least recently updated

Duplicate of #270

#315 debugging3 closed 4 months ago
0
hash - Lack of Access control for convertAndDeposit

#314 sherlock-admin3 closed 4 months ago
2
kaysoft - Malicious users can withdraw far more than the amount they deposited with the `emergencyWithdraw(...)` function.

#313 sherlock-admin2 closed 4 months ago
0
Ironsidesec - Wrong way of rounding when `expectedAmounts` calculation on withdrawal processing

#312 sherlock-admin2 closed 4 months ago
0
Audinarey - Missing reentrancy guard in the `delegateCall(...)` function

#311 sherlock-admin4 closed 4 months ago
0
John_Femi - deposit might revert for some scenarios in DepositWrapper

#310 sherlock-admin3 closed 4 months ago
0
karsar - Emergency Withdrawal Rounding Error Causes Insufficient Payouts

#309 sherlock-admin2 closed 4 months ago
1
Rea - ChainlinkOracle: priceX96 Finction Fails to Account For Token Decimals

#308 sherlock-admin4 closed 4 months ago
0
pwning_dev - Array Indexing in acceptProposal

#307 sherlock-admin3 closed 4 months ago
0
Audinarey - `_requireAtLeastOperator()` is implemented wrongly breaking core protocol functionality

#306 sherlock-admin4 closed 5 months ago
0
Angry_Mustache_Man - RestrictingKeeper.sol doesn't have any access control modifier on it

#305 sherlock-admin3 closed 4 months ago
0
tedox - It is impossible to call `Vault::delegateCall` through external methods as it is intended

#304 sherlock-admin2 closed 4 months ago
2
pwning_dev - Integer Underflow/Overflow in `_commit` Function

#303 sherlock-admin4 closed 4 months ago
0
hals - `WStethRatiosAggregatorV3.getAnswer()` always assumes `stETH:ETH` is 1:1 (pegged to ETH)

#302 sherlock-admin3 closed 4 months ago
0
hals - `RestrictingKeeper.processConfigurators()` is not protected

#301 sherlock-admin2 closed 4 months ago
0
hals - `ChainlinkOracle._validateAndGetPrice()` doesn't correctly validate the returned price

#300 sherlock-admin4 closed 4 months ago
10
hals - `DepositWrapper.deposit()`: incorrect handling of `steth` token transfer

#299 sherlock-admin3 closed 4 months ago
5
0xShoonya - Lido 1-2 wei transfer issue

#298 sherlock-admin2 closed 4 months ago
0
WildSniper - The `Vault` contract in the Mellow protocol allows users to register withdrawal requests to an arbitrary address, potentially enabling malicious actors to disrupt the withdrawal process by registering withdrawals to blacklisted addresses.

#297 sherlock-admin4 closed 4 months ago
0
0xe4669da - `DefaultBondStrategy::_deposit()` could fail silently hence no tokens will be minted for `Vault` because return value of `Vault::delegateCall` is unchecked in `DefaultBondStrategy::_deposit`

#296 sherlock-admin3 closed 4 months ago
1
hals - DoS in `SimpleDVTStakingStrategy.convertAndDeposit()`

#295 sherlock-admin2 closed 4 months ago
4
Hunter - `withdraw` in `Vault` allows withdrawing `to` to be non `msg.sender` this opens the gate for attacks and greifing by malcious user to revert `processAll` and any array provided withdrawal functions by withrawing `to` blacklisted users

#294 sherlock-admin4 closed 4 months ago
0
0xShoonya - Protocol doesn't consider `stETH` as a rebasing token

#293 sherlock-admin3 closed 4 months ago
0
hals - `Vault.emergencyWithdraw()` enables depositors to withdraw way more then their deposited value

#292 sherlock-admin2 closed 4 months ago
0
hals - `Vault.deposit()` : incorrect calculation of lp tokens

#291 sherlock-admin4 closed 4 months ago
0
WildSniper - the `vault` is actually not compatible with low decimal tokens like `USDC` and `USDT`

#290 sherlock-admin3 closed 4 months ago
0
hash - Donating dust can cause `removeToken` DOS

#289 sherlock-admin2 closed 4 months ago
0
hash - DOS due to expected amount during deposits/withdrawls being lowered due to withdrawals

#288 sherlock-admin4 closed 4 months ago
8
Hunter - The `Vault` contract in the codebase does not handle tokens with different decimal places correctly, leading to potential inaccuracies in `lpAmount` calculations and valuation of tokens.

#287 sherlock-admin3 closed 4 months ago
0
hash - Token decimals difference is not handled

#286 sherlock-admin2 closed 4 months ago
0
WildSniper - The `_wethToWSteth` function in the `StakingModule` is not handling the conversion properly, leading to potential reverts. and loss of funds

#285 sherlock-admin4 closed 4 months ago
5
pwning_dev - Front-Running Vulnerability in `registerWithdrawal`

#284 sherlock-admin3 closed 4 months ago
0
Hunter - Edge case that is during call of `_wethToWSteth` in `StakingModule` not handled that will lead to reverts and potential loss of funds

#283 sherlock-admin2 closed 4 months ago
0
hash - User's can arbitrage significant price updates if withdrawal/deposits ratios are different

#282 sherlock-admin4 closed 4 months ago
0
WildSniper - The `deposit()` function in the `DepositWrapper` will revert on multiple instances in some edge cases with potential loss of funds

#281 sherlock-admin3 closed 4 months ago
1
Hunter - the function `deposit()` in `DepositWrapper` causes multiple reverts and potentional loss of funds to due unhandled conversion of `ETH` and `wETH` to `wstETH`

#280 sherlock-admin2 closed 4 months ago
0
tedox - `Vault::deposit()` will always revert when `configurator.depositCallback()` is set to `DefaultBondStrategy::depositCallback()`

#279 sherlock-admin4 closed 4 months ago
0
Audinarey - Protocol won't be eligible for referral rewards for depositing ETH

#278 sherlock-admin3 closed 4 months ago
0
0xjarix - `ADMIN_ROLE`, `ADMIN_DELEGATE_ROLE`, and `OPERATOR` roles at risk

#277 sherlock-admin2 closed 4 months ago
0
0xBhumii - Potential Denial of Service (DoS) in `DepositWrapper` Contract Due to Rounding Errors in `stETH` Transfers

#276 sherlock-admin4 closed 4 months ago
13
hash - USDT fee on transfer will cause losses

#275 sherlock-admin3 closed 4 months ago
0
WildSniper - The `DepositWrapper` multiple reverts in this contract due to 1 to 2 wei less transferred `amount`

#274 sherlock-admin2 closed 4 months ago
0
infect3d - Call to `stETH.submit` inside `DepositWrapper` without checking staking rate limits lead do DOS of deposits

#273 sherlock-admin4 closed 4 months ago
0
Hunter - `deposit()` in `DepositWrapper` causes multiple reverts to due unhandled conversion of `stETH` to `wstETH`

#272 sherlock-admin3 closed 4 months ago
0
0xboriskataa - `stEth` deposits will result in a revert

#271 sherlock-admin2 closed 4 months ago
0
StraawHaat - Redundant check in `emergencyWithdraw()` makes the function almost unusable

#270 sherlock-admin4 closed 4 months ago
0
hash - 1:1 price is assumed b/w stETH and WETH

#269 sherlock-admin3 closed 4 months ago
0
Ironsidesec - Computing `actualAmounts` via target ratios based on token amounts is wrong.

#268 sherlock-admin2 closed 4 months ago
19
sandy - Vault contract can't handle ``USDC/USDT`` tokens.

#267 sherlock-admin4 closed 4 months ago
0
eeyore - Corrupted oracle system if more than 2 underlying tokens are used and one of them is WSTETH

#266 sherlock-admin3 opened 5 months ago
38