For more info, visit: https://decentra.vision/
| Begin month | Project | Category | Provider | Duration | Platform |
|---|---|---|---|---|---|
| 2024-09 | To be disclosed | AMM, DEX | Spearbit | 4.0 weeks | Solidity / EVM |
| 2024-08 | To be disclosed | Stablecoin, Liquid staking, Futures | Pashov Audit Group | 1.0 weeks | Solidity / EVM |
| 2024-08 | Aurora BTC Light Client | Bitcoin client, Relay | AuditOne | 1.0 weeks | Rust / NEAR |
| 2024-07 | To be disclosed | Proof of Liquidity, Staking, Voting | Spearbit | 3.0 weeks | Solidity / EVM |
| 2024-06 | Undisclosed | Cross-chain, Liquidity, Messaging | Oak Security | 3.0 weeks | Rust / Solana |
| 2024-06 | Out GCC | Tokenization, Marketplace | Oak Security | 1.0 weeks | Rust / Solana |
| 2024-06 | Sharwa Finance | Margin trading, Options | Pashov Audit Group | 1.0 weeks | Solidity / EVM |
| 2024-06 | Undisclosed | Cross-chain, Airdrop | Pashov Audit Group | 0.4 weeks | Solidity / EVM |
| 2024-05 | Pendle Finance | Tokenization, Yield trading | Spearbit | 3.0 weeks | Solidity / EVM |
| 2024-04 | Undisclosed | Game, Infrastructure | Oak Security | 1.1 weeks | Rust / Substrate |
| Begin month | Project | Category | Provider | Duration | Platform |
|---|---|---|---|---|---|
| 2024-07 | Possum Core (ref) | Governance, Staking | Decentra Vision | 0.8 weeks | Solidity / EVM |
| 2024-06 | Proportionalized Contracts | Fee token, Staking | Decentra Vision | 0.8 weeks | Solidity / EVM |
| 2024-05 | Yeet Cup | Game, Yield | Shieldify | 0.8 weeks | Solidity / EVM |
| 2024-03 | Olas Lockbox v2 - Mitigation review | Liquidity bonding | Cantina | 0.4 weeks | Rust / Solana |
2024-03: Possum Labs Portals v2 π₯
| Risk | Title | Finding in report |
|---|---|---|
| π¨ Medium |
Investors could earn 10x more than intended | M-01 |
| π¦ Low |
Cannot revoke permit of MintBurnToken | L-02 |
2024-02: Ion Protocol π₯
| Risk | Title | Finding in report |
|---|---|---|
| π¨ Medium |
Unsafe downcast truncation in UniswapOracleLibrary leading to invalid price data | M-01 |
- 2024-07: BendDAO Invitational
- 2024-05: Lavarage Appellate Court
- 2024-03: Neobase Invitational
- 2024-02: Code4rena Blue Bug Bounty submissions (undisclosed)
- 2024-02: UniStaker Infrastructure
- 2023-12: Revolution Protocol
- 2023-11: Canto Application Specific Dollars and Bonding Curves for 1155s
- 2023-10: The Wildcat Protocol
2024-03: Acala
Rust / Substrate
| Risk | Title | Selected for report |
|---|---|---|
| π¨ Medium |
Incentive accumulation can be sandwiched with additional shares to gain advantage over long-term depositors | M-02 |
2024-03: Canto Invitational π₯
| Risk | Title | Selected for report |
|---|---|---|
| π₯ High |
Native gas tokens can become stuck in ASDRouter contract | H-01 |
| π₯ High |
Dual transaction nature of composed message transfer allows anyone to steal user funds | H-02 |
| π¨ Medium |
Removing token from the whitelist may cause DoS due to limited USDC amount | |
| π¦ Low |
Low Risk and Non-Critical Issues | QA |
2024-03: Phat Contract Runtime π₯
Rust / Substrate
Related tweet
Awards have been announced for the $60,500 USDC @PhalaNetwork audit! π₯³
β Code4rena (@code4rena) April 1, 2024
Top 5:
π₯ @DadeKuma - $15,937.95 USDC
π₯ zhaojie - $15,225.87 USDC
π₯ @MarioPoneder - $12,619.42 USDC
π Koolex - $2,606.45 USDC
π Cryptor - $994.09 USDC pic.twitter.com/C15fmXxxJ2
| Risk | Title | Selected for report |
|---|---|---|
| π¨ Medium |
Limited availability of balance_of(...) method | M-01 |
2024-01: Opus π₯
Rust / Starknet
Related tweet
Rounding out the Top 3 was @MarioPoneder! π₯
β Code4rena (@code4rena) March 6, 2024
Rank: #3 (#86 All-time)
Medium-risk findings: 2 (2 solo) pic.twitter.com/vCgs0GlnQY
| Risk | Title | Selected for report |
|---|---|---|
| π¨ Medium |
Collateral cannot be withdrawn from trove once yang is suspended | M-07 |
| π¨ Medium |
Unhealthy troves with LTV > 90% cannot always be absorbed as intended | M-09 |
| π¦ Low |
Low Risk and Non-Critical Issues | QA |
2023-12: Olas
| Risk | Title |
|---|---|
| π₯ High |
Bonds created in year cross epochβs can lead to lost payouts |
2023-10: zkSync Era
2023-09: Maia DAO - Ulysses
| Risk | Title | Selected for report |
|---|---|---|
| π₯ High |
All tokens can be stolen from VirtualAccount due to missing access modifier | H-01 |
2023-09: Venus Prime
2023-08: Chainlink Staking v0.2
Findings under NDA, requires Code4rena backstage access.
| Risk | Title |
|---|---|
| π¨ Medium |
#223 |
2023-08: Dopex
| Risk | Title | Selected for report |
|---|---|---|
| π¨ Medium |
Change of fundingDuration causes "time travel" of PerpetualAtlanticVault.nextFundingPaymentTimestamp() | M-10 |
| π¦ Low |
RdpxV2Core.removeAssetFromtokenReserves(...) irrecoverably breaks reserve token handling |
| Risk | Title |
|---|---|
| π¨ Medium |
SecurityCouncilNomineeElectionGovernorTiming.electionToTimestamp(...) can create unsupported/invalid dates |
2023-07: Tapioca DAO
| Risk | Title | Selected for report |
|---|---|---|
| π₯ High |
User can give himself approval for all assets held by MagnetarV2 contract | H-49 |
| π₯ High |
MagnetarMarketModule.depositRepayAndRemoveCollateralFromMarket(...) can be invoked with other user's tokens | |
| π¨ Medium |
Double accounting of action value in MagnetarV2.burst(...) | |
| π¦ Low |
Multicall3 ignores allowFailure leading to DoS |
2023-07: Axelar Network
| Risk | Title | Selected for report |
|---|---|---|
| π¨ Medium |
Insufficient support for tokens with different decimals on different chains lead to loss of funds on cross-chain bridging | M-08 |
2023-05: Maia DAO Ecosystem
Findings under NDA, requires Code4rena backstage access.
| Risk | Title |
|---|---|
| π₯ High |
#164 |
| π¨ Medium |
#95 |
| π¨ Medium |
#307 |
2023-05: Ajna Protocol
| Risk | Title | Selected for report |
|---|---|---|
| π₯ High |
Position NFT can be spammed with insignificant positions by anyone until rewards DoS | H-03 |
| π₯ High |
Permanent loss of rewards on temporary underfunding of RewardsManager contract |
2023-04: EigenLayer π₯
Related tweet
Awards have been announced for the $90,500 USDC @eigenlayer audit π€
β Code4rena (@code4rena) June 10, 2023
Top 5:
π₯ @MarioPoneder - $13,081.90 USDC
π₯ volodya - $12,193.66 USDC
π₯ windowhan001 - $5,031.50 USDC
π @CyfrinAudits - $3,177.34 USDC
π @QiuhaoLi - $2,972.95 USDC
| Risk | Title | Selected for report |
|---|---|---|
| π₯ High |
Slot and block number proofs not required for verification of withdrawal (multiple withdrawals possible) | H-01 |
2023-04: Rubicon v2
Findings under NDA, requires Code4rena backstage access.
| Risk | Title |
|---|---|
| π₯ High |
#1214 |
| π₯ High |
#1265 |
2023-04: Caviar Private Pools
| Risk | Title |
|---|---|
| π₯ High |
Owner of PrivatePool can steal any NFTs and tokens that the pool has approval for |
| π¨ Medium |
PrivatePool creation can be front-run |
2023-02: Ethos Reserve
- 2024-09: Centrifuge
2024-02: 3DNS
2024-01: Olas Lockbox π₯
Rust / Solana
Related tweet
Congratulations to our resident rustaceans on an excellent job during the @autonolas security competition.
β Cantina πͺ (@cantinaxyz) March 18, 2024
Here are your top 3 placements:
π₯: @99crits - $22,275.61
π₯: @MarioPoneder - $8,590.35
π₯: @meltedblocks - $6,682.68
Full Results Below! pic.twitter.com/Cr5ATXONbQ
2023-11: Superform
2023-11: Morpho Blue
| Risk | Title |
|---|---|
| π¦ Low |
Interest/fee accrual can be suppressed in regular markets with low-decimal loan tokens |
| π¦ Low |
Oracles should be whitelisted to avoid theft by direct price manipulation |
Note that I am also listing issues here which were labeled as Excluded due to the strict High/Medium only policy at Sherlock.
However, those issues are still valid & valuable for the sponsor and most of them contain a coded PoC, therefore they might be a good read for new aspiring auditors.
2023-07: Perennial V2
| Risk | Title |
|---|---|
| π¦ Low |
DSU token balance of MultiInvoker contract can be drained by anyone |