Non-Solo 127
- [H-01] Reliance on
lifiData.receivingAssetId
can cause loss of funds
- [H-02] All swapping functions lack checks for returned tokens
- [H-01] Users can lose value in emergency state
- [H-01] Users can get unlimited votes
- [H-02]
VotingEscrow
’s merge and withdraw aren’t available for approved users
- [H-03] [WP-H0] Fake balances can be created for not-yet-existing ERC20 tokens, which allows attackers to set traps to steal funds from future users
- [H-03] User rewards stop accruing after any
_writeCheckpoint
calling action
- [H-01] Avoidance of Liquidation Via Malicious Oracle
- [H-02] The return value
success
of the get function of the INFTOracle interface is not checked
- [H-03] Critical Oracle Manipulation Risk by Lender
- [H-04] Lender is able to seize the collateral by changing the loan parameters
- [H-05] Mistake while checking LTV to lender accepted LTV
- [H-01] Malicious Users Can Duplicate Protocol Earned Yield By Transferring
wCVX
Tokens To Another Account
- [H-01] Wrong timing of check allows users to withdraw collateral without paying for the debt
- [H-01] Hard-coded slippage may freeze user funds during market turbulence
- [H-02] The check for value transfer success is made after the return statement in
_withdrawFromYieldPool
of LidoVault
- [H-01] Can force borrower to pay huge interest