Issues: code-423n4/2024-04-gondi-findings
QA Report
bug
Something isn't working
edited-by-warden
grade-a
Q-01
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
#82
opened Apr 16, 2024 by
c4-bot-5
Invalid maxTranches check can result in maxTranche cap to be exceeded
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
M-01
primary issue
Highest quality submission among a set of duplicates
🤖_31_group
AI based duplicate group recommendation
satisfactory
satisfies C4 submission criteria; eligible for awards
selected for report
This submission will be included/highlighted in the audit report
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
#80
opened Apr 16, 2024 by
c4-bot-2
Gas Optimizations
bug
Something isn't working
edited-by-warden
G (Gas Optimization)
G-01
selected for report
This submission will be included/highlighted in the audit report
#79
opened Apr 16, 2024 by
c4-bot-7
A malicious user can take on a loan using an existing borrower's collateral in refinanceFromLoanExecutionData()
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
M-02
primary issue
Highest quality submission among a set of duplicates
🤖_14_group
AI based duplicate group recommendation
satisfactory
satisfies C4 submission criteria; eligible for awards
selected for report
This submission will be included/highlighted in the audit report
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
#76
opened Apr 16, 2024 by
c4-bot-3
Analysis
A-02
analysis-advanced
selected for report
This submission will be included/highlighted in the audit report
#71
opened Apr 16, 2024 by
c4-bot-3
QA Report
bug
Something isn't working
grade-a
Q-03
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
selected for report
This submission will be included/highlighted in the audit report
#70
opened Apr 16, 2024 by
c4-bot-10
Merging tranches could make _loanTermination() accounting incorrect
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
H-01
primary issue
Highest quality submission among a set of duplicates
🤖_12_group
AI based duplicate group recommendation
satisfactory
satisfies C4 submission criteria; eligible for awards
selected for report
This submission will be included/highlighted in the audit report
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
#69
opened Apr 16, 2024 by
c4-bot-3
Division before multiplication could lead to users losing 50% in WithdrawalQueue
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
H-02
primary issue
Highest quality submission among a set of duplicates
satisfactory
satisfies C4 submission criteria; eligible for awards
selected for report
This submission will be included/highlighted in the audit report
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
#67
opened Apr 16, 2024 by
c4-bot-5
Function addNewTranche() should use protocolFee from Loan struct
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
M-03
primary issue
Highest quality submission among a set of duplicates
satisfactory
satisfies C4 submission criteria; eligible for awards
selected for report
This submission will be included/highlighted in the audit report
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
#65
opened Apr 16, 2024 by
c4-bot-7
Function distribute() lacks access control allowing anyone to spam and disrupt the pool's accounting
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
H-03
primary issue
Highest quality submission among a set of duplicates
🤖_07_group
AI based duplicate group recommendation
satisfactory
satisfies C4 submission criteria; eligible for awards
selected for report
This submission will be included/highlighted in the audit report
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
#64
opened Apr 16, 2024 by
c4-bot-8
Function Pool.validateOffer() does not work correctly in case principalAmount > currentBalance
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
M-04
primary issue
Highest quality submission among a set of duplicates
🤖_21_group
AI based duplicate group recommendation
satisfactory
satisfies C4 submission criteria; eligible for awards
selected for report
This submission will be included/highlighted in the audit report
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
#63
opened Apr 16, 2024 by
c4-bot-8
Collected fees are never transferred out of Pool contract
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
M-05
primary issue
Highest quality submission among a set of duplicates
satisfactory
satisfies C4 submission criteria; eligible for awards
selected for report
This submission will be included/highlighted in the audit report
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
#60
opened Apr 16, 2024 by
c4-bot-7
Anyone can remove existing term without queueing through setTerms()
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
M-06
primary issue
Highest quality submission among a set of duplicates
🤖_11_group
AI based duplicate group recommendation
satisfactory
satisfies C4 submission criteria; eligible for awards
selected for report
This submission will be included/highlighted in the audit report
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
#59
opened Apr 16, 2024 by
c4-bot-7
Attacker can front-run and pass in empty terms, making it impossible to confirmTerms()
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
M-07
primary issue
Highest quality submission among a set of duplicates
🤖_11_group
AI based duplicate group recommendation
satisfactory
satisfies C4 submission criteria; eligible for awards
selected for report
This submission will be included/highlighted in the audit report
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
#58
opened Apr 16, 2024 by
c4-bot-8
Function refinanceFromLoanExecutionData() does not check executionData.tokenId == loan.nftCollateralTokenId
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
H-04
primary issue
Highest quality submission among a set of duplicates
🤖_14_group
AI based duplicate group recommendation
satisfactory
satisfies C4 submission criteria; eligible for awards
selected for report
This submission will be included/highlighted in the audit report
#54
opened Apr 16, 2024 by
c4-bot-7
Borrower signature could be reused in emitLoan()
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
M-08
primary issue
Highest quality submission among a set of duplicates
satisfactory
satisfies C4 submission criteria; eligible for awards
selected for report
This submission will be included/highlighted in the audit report
sponsor acknowledged
Technically the issue is correct, but we're not going to resolve it for XYZ reasons
#51
opened Apr 16, 2024 by
c4-bot-5
triggerFee is stolen from other auctions during settleWithBuyout()
3 (High Risk)
#50
opened Apr 16, 2024 by
c4-bot-5
Function settleWithBuyout() does not call LoanManager.loanLiquidation() during a buyout
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
H-06
primary issue
Highest quality submission among a set of duplicates
🤖_09_group
AI based duplicate group recommendation
satisfactory
satisfies C4 submission criteria; eligible for awards
selected for report
This submission will be included/highlighted in the audit report
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
#49
opened Apr 16, 2024 by
c4-bot-3
deployWithdrawalQueue() need clear _queueAccounting[lastQueueIndex]
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
H-07
primary issue
Highest quality submission among a set of duplicates
🤖_19_group
AI based duplicate group recommendation
satisfactory
satisfies C4 submission criteria; eligible for awards
selected for report
This submission will be included/highlighted in the audit report
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
#48
opened Apr 16, 2024 by
c4-bot-10
Incorrect circular array check in _updatePendingWithdrawalWithQueue flow, causing received funds added to the wrong queues
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
edited-by-warden
H-08
primary issue
Highest quality submission among a set of duplicates
🤖_46_group
AI based duplicate group recommendation
satisfactory
satisfies C4 submission criteria; eligible for awards
selected for report
This submission will be included/highlighted in the audit report
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
upgraded by judge
Original issue severity upgraded from QA/Gas by judge
#47
opened Apr 16, 2024 by
c4-bot-8
Incorrect accounting of _pendingWithdrawal in queueClaiming flow
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
H-09
primary issue
Highest quality submission among a set of duplicates
🤖_46_group
AI based duplicate group recommendation
satisfactory
satisfies C4 submission criteria; eligible for awards
selected for report
This submission will be included/highlighted in the audit report
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
#46
opened Apr 16, 2024 by
c4-bot-4
Inconsistent accounting of undeployedAssets might result in undesired optimal range in the pool
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
M-09
primary issue
Highest quality submission among a set of duplicates
satisfactory
satisfies C4 submission criteria; eligible for awards
selected for report
This submission will be included/highlighted in the audit report
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
#44
opened Apr 16, 2024 by
c4-bot-6
Any liquidators can pretend to be a loan contract to validate offers, due to insufficient validation
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
M-10
primary issue
Highest quality submission among a set of duplicates
satisfactory
satisfies C4 submission criteria; eligible for awards
selected for report
This submission will be included/highlighted in the audit report
sponsor acknowledged
Technically the issue is correct, but we're not going to resolve it for XYZ reasons
#41
opened Apr 16, 2024 by
c4-bot-1