Public Findings

For more info, visit: https://decentra.vision/

Index

• Shieldify
• Code4rena
• Cantina
• Sherlock
• Hats Finance (Bug Bounty)

---

Shieldify

2024-03: Possum Labs Portals v2 🥈

Risk	Title	Finding in report
🟨 Medium	Investors could earn 10x more than intended	M-01
🟦 Low	Cannot revoke permit of MintBurnToken	L-02

2024-02: Ion Protocol 🥇

Risk	Title	Finding in report
🟨 Medium	Unsafe downcast truncation in UniswapOracleLibrary leading to invalid price data	M-01

Code4rena

2024-03: Acala

Risk	Title	Selected for report
🟨 Medium	Incentive accumulation can be sandwiched with additional shares to gain advantage over long-term depositors	M-02

2024-03: Canto Invitational 🥈

Risk	Title	Selected for report
🟥 High	Native gas tokens can become stuck in ASDRouter contract	H-01
🟥 High	Dual transaction nature of composed message transfer allows anyone to steal user funds	H-02
🟨 Medium	Removing token from the whitelist may cause DoS due to limited USDC amount
🟦 Low	Low Risk and Non-Critical Issues	QA

2024-03: Phat Contract Runtime 🥉

^{Rust / Substrate}

Related tweet

Awards have been announced for the $60,500 USDC @PhalaNetwork audit! 🥳

Top 5:
🥇 @DadeKuma - $15,937.95 USDC
🥈 zhaojie - $15,225.87 USDC
🥉 @MarioPoneder - $12,619.42 USDC
🏅 Koolex - $2,606.45 USDC
🏅 Cryptor - $994.09 USDC pic.twitter.com/C15fmXxxJ2

— Code4rena (@code4rena) April 1, 2024

Risk	Title	Selected for report
🟨 Medium	Limited availability of balance_of(...) method	M-01

2024-01: Opus 🥉

^{Rust / Starknet}

Related tweet

Rounding out the Top 3 was @MarioPoneder! 🥉

Rank: #3 (#86 All-time)
Medium-risk findings: 2 (2 solo) pic.twitter.com/vCgs0GlnQY

— Code4rena (@code4rena) March 6, 2024

Risk	Title	Selected for report
🟨 Medium	Collateral cannot be withdrawn from trove once yang is suspended	M-07
🟨 Medium	Unhealthy troves with LTV > 90% cannot always be absorbed as intended	M-09
🟦 Low	Low Risk and Non-Critical Issues	QA

2023-12: Olas

Risk	Title
🟥 High	Bonds created in year cross epoch’s can lead to lost payouts

2023-10: zkSync Era

Risk	Title
🟨 Medium	Incorrect max precompile address
🟦 Low	EIP-1559 transactions can be invoked from kernel space accounts due to missing assertion in bootloader
🟦 Low	EIP-712 transactions via custom accounts do not comply with EIP-3607 and could therefore fail
🟦 Low	State changes are preserved on failed L2 transactions using custom account abstraction
🟦 Low	Users can avoid paying fees for failed L2 transactions

2023-09: Maia DAO - Ulysses

Risk	Title	Selected for report
🟥 High	All tokens can be stolen from VirtualAccount due to missing access modifier	H-01

2023-09: Venus Prime

Risk	Title
🟥 High	Prime contract incompatible with currently deployed / active markets (vToken) with 8 decimals
🟥 High	Prime contract incompatible with underlying assets differing from 18 decimals

2023-08: Chainlink Staking v0.2

Findings under NDA, requires Code4rena backstage access.

Risk	Title
🟨 Medium	#223

2023-08: Dopex

Risk	Title	Selected for report
🟨 Medium	Change of fundingDuration causes "time travel" of PerpetualAtlanticVault.nextFundingPaymentTimestamp()	M-10
🟦 Low	RdpxV2Core.removeAssetFromtokenReserves(...) irrecoverably breaks reserve token handling

2023-08: Arbitrum Security Council Election System

Risk	Title
🟨 Medium	SecurityCouncilNomineeElectionGovernorTiming.electionToTimestamp(...) can create unsupported/invalid dates

2023-07: Tapioca DAO

Risk	Title	Selected for report
🟥 High	User can give himself approval for all assets held by MagnetarV2 contract	H-49
🟥 High	MagnetarMarketModule.depositRepayAndRemoveCollateralFromMarket(...) can be invoked with other user's tokens
🟨 Medium	Double accounting of action value in MagnetarV2.burst(...)
🟦 Low	Multicall3 ignores allowFailure leading to DoS

2023-07: Axelar Network

Risk	Title	Selected for report
🟨 Medium	Insufficient support for tokens with different decimals on different chains lead to loss of funds on cross-chain bridging	M-08

2023-05: Maia DAO Ecosystem

Risk	Title	Selected for report
🟥 High	UlyssesToken asset ID accounting error	H-25
🟥 High	Ulysses Omnichain support for tokens with other than 18 decimals is fundamentally flawed
🟨 Medium	RootBridgeAgent.redeemSettlement can be front-run using RootBridgeAgent.retrySettlement causing redeem DoS	M-03
🟨 Medium	Maia Governance token balance dilution in vMaia vault is breaking the conversion rate mechanism	M-22
🟨 Medium	Claiming outstanding utility tokens from vMaia vault DoS on pbHermes<>bHermes conversion rate > 1	M-23
🟨 Medium	UlyssesToken.setWeights(...) can cause user loss of assets on vault deposits/withdrawals	M-34
🟨 Medium	Withdrawal from vMaia vault only on first Tuesday of the month is not strictly enforced
🟦 Low	Payable method RootBridgeAgent.retrySettlement can lead to loss of funds for users

2023-05: Chainlink Cross-Chain Services: CCIP and ARM Network

Findings under NDA, requires Code4rena backstage access.

Risk	Title
🟥 High	#164
🟨 Medium	#95
🟨 Medium	#307

2023-05: Ajna Protocol

Risk	Title	Selected for report
🟥 High	Position NFT can be spammed with insignificant positions by anyone until rewards DoS	H-03
🟥 High	Permanent loss of rewards on temporary underfunding of RewardsManager contract

2023-04: EigenLayer 🥇

Related tweet

Awards have been announced for the $90,500 USDC @eigenlayer audit 🤝

Top 5:
🥇 @MarioPoneder - $13,081.90 USDC
🥈 volodya - $12,193.66 USDC
🥉 windowhan001 - $5,031.50 USDC
🏅 @CyfrinAudits - $3,177.34 USDC
🏅 @QiuhaoLi - $2,972.95 USDC

— Code4rena (@code4rena) June 10, 2023

Risk	Title	Selected for report
🟥 High	Slot and block number proofs not required for verification of withdrawal (multiple withdrawals possible)	H-01

2023-04: Rubicon v2

Findings under NDA, requires Code4rena backstage access.

Risk	Title
🟥 High	#1214
🟥 High	#1265

2023-04: Caviar Private Pools

Risk	Title
🟥 High	Owner of PrivatePool can steal any NFTs and tokens that the pool has approval for
🟨 Medium	PrivatePool creation can be front-run

2023-02: Ethos Reserve

Risk	Title
🟨 Medium	Strategy emergency exit (guardian privileges) harvest amount can be reduced with strategist privileges
🟨 Medium	Inconsistent support of ERC20 tokens that deduct transaction fee
🟦 Low	Strategy contract upgrade can be prevented by lower privileged roles

---

Cantina

2024-02: 3DNS

Risk	Title
🟥 High	Anyone can drain the whole ETH balance of ThreeDNSRegControl when making a commitment
🟨 Medium	Safe transfers of registrations to ERC-721 receiver contracts which also have a fallback method will always fail
🟨 Medium	Batch transfers of registrations to contracts will always fail due to an invalid selector check

2024-01: Olas Lockbox 🥈

^{Rust / Solana}

Related tweet

Congratulations to our resident rustaceans on an excellent job during the @autonolas security competition.

Here are your top 3 placements:

🥇: @99crits - $22,275.61
🥈: @MarioPoneder - $8,590.35
🥉: @meltedblocks - $6,682.68

Full Results Below! pic.twitter.com/Cr5ATXONbQ

— Cantina 🪐 (@cantinaxyz) March 18, 2024

Risk	Title
🟨 Medium	Attacker can create token account for NFT position to cause deposit DoS
🟨 Medium	DoS on simultaneous deposit due to id restriction
🟦 Low	Missing mutable constraint leads to withdrawal DoS due to read-only signer
🟦 Low	Attacker can frontrun lockbox initialization to provide own fee token accounts

2023-11: Superform

Risk	Title
🟨 Medium	Insufficient support for fee-on-transfer tokens
🟦 Low	ArrayCastLib.castToMultiVaultData(...) does not preserve values of hasDstSwap and retain4626
🟦 Low	Timing overlap of dispute/finalizeRescueFailedDeposits(...) methods

2023-11: Morpho Blue

Risk	Title
🟦 Low	Interest/fee accrual can be suppressed in regular markets with low-decimal loan tokens
🟦 Low	Oracles should be whitelisted to avoid theft by direct price manipulation

---

Sherlock

Note that I am also listing issues here which were labeled as Excluded due to the strict High/Medium only policy at Sherlock.
However, those issues are still valid & valuable for the sponsor and most of them contain a coded PoC, therefore they might be a good read for new aspiring auditors.

2023-07: Perennial V2

Risk	Title
🟦 Low	DSU token balance of MultiInvoker contract can be drained by anyone

2023-06: Tokemak

Risk	Title
🟥 High	Rewards can be drained due to incorrect handling of userRewardPerTokenPaid accounting
🟥 High	LiquidationRow.liquidateVaultsForToken(...) will always revert due to missing token transfers
🟦 Low	LMPVaultRouter mint and deposit entry-points can be blocked by anyone

2023-06: Index Update

Risk	Title
🟦 Low	New auction rebalance can be started before previous one concluded or duration elapsed
🟦 Low	Insufficient validation of auction execution price adapter config data
🟦 Low	SetToken can be indefinitely locked by AuctionRebalanceModule