Tripwire
Find contracts. Test them. Review real vulns.
Confirmed Findings: 2,205 (crit 60, high 1157)
All Findings: 46,184 (across all runs)
Chain: 1 (mainnet focus)
Signal Mix: 24239 high severity in results
Findings
Severity Tool Title Address Value USD Validated Confirmed Found Run
medium codex First oracle update ignores PERIOD, enabling short-window price manipulation 0x9dd78ea2b7a92b6cb5d4a495dac34f8641070ceb $169,604.82 no 3 months ago a386b194-baf5-428b-9962-3a89e8adeeb2
low codex Burn parameter order inconsistent between interface/documentation and implementation 0x9dd78ea2b7a92b6cb5d4a495dac34f8641070ceb $169,604.82 no 3 months ago a386b194-baf5-428b-9962-3a89e8adeeb2
low codex Pair can be reinitialized by factory after deployment 0x9dd78ea2b7a92b6cb5d4a495dac34f8641070ceb $169,604.82 no 3 months ago a386b194-baf5-428b-9962-3a89e8adeeb2
low codex Oracle update can divide by zero on first call in the same block as creation 0x9dd78ea2b7a92b6cb5d4a495dac34f8641070ceb $169,604.82 no 3 months ago a386b194-baf5-428b-9962-3a89e8adeeb2
high codex Unprotected initializer lets any caller take ownership of distribution parameters 0x9cd8d3c4380ab48d7cca425e34166efd2147ee40 $165,983.33 no 3 months ago 4b6d808e-caa6-4fa9-9cd9-5efbcbdeeda0
medium codex setToken is unrestricted and can be front‑run to brick or redirect the distribution 0x9cd8d3c4380ab48d7cca425e34166efd2147ee40 $165,983.33 no 3 months ago 4b6d808e-caa6-4fa9-9cd9-5efbcbdeeda0
medium codex Underflow in balance cap check blocks tokens with <9 decimals 0xf92cd566ea4864356c5491c177a430c222d7e678 $172,958.15 no 3 months ago 882ae0e9-fd6a-4ceb-881d-f1d42a224906
medium codex LPToDOKI.withdraw updates balances after external token transfer 0xde846827ce3022ecd5efd6ed316a2def9ab299b8 $177,058.38 no 3 months ago 8696931a-1274-4227-8ddf-d43b9eb04167
medium codex Privileged address can perform arbitrary external calls with value 0x0401b3e1f554b574da26482311dfb9414e382afa $177,290.18 no 3 months ago d295e25c-e0df-4ff8-a962-da094f11ac94
medium codex Privileged address can selfdestruct the contract 0x0401b3e1f554b574da26482311dfb9414e382afa $177,290.18 no 3 months ago d295e25c-e0df-4ff8-a962-da094f11ac94
low codex Withdrawal cooldown bypassable via LP token transfers 0xa92299289361fdcbb4ce9acbb512a84bd5fab37d $0.00 no 3 months ago 09655295-9ca8-4866-aeae-e0cd31e478e3
info codex LP token admin can grant VAULT_ROLE and mint unbacked shares 0xa92299289361fdcbb4ce9acbb512a84bd5fab37d $0.00 no 3 months ago 09655295-9ca8-4866-aeae-e0cd31e478e3
medium codex Pool initialization is permissionless and can be front-run 0x78d43a889f42a344fe98c3fb9455791dc8178d55 $0.00 no 3 months ago 9a608d87-4d7f-4721-8bdf-dd60e7f10e20
low codex Permit domain separator is cached without chainId check, enabling fork replay 0x78d43a889f42a344fe98c3fb9455791dc8178d55 $0.00 no 3 months ago 9a608d87-4d7f-4721-8bdf-dd60e7f10e20
low codex Non-expiring campaigns cannot be clawed back when protocol fee is zero 0xac48cfe22c21d85b488dfbfbc4e94279b7c84a37 $180,652.75 no 3 months ago 7274b3df-d91b-4045-b726-0de8607e38de
low codex Unchecked ERC20 transfer return value (silent failures possible) 0x22cb7c436decc35542c8599c7f0b6a0b7c609371 $67,385.05 no 3 months ago 28beba35-69fc-4696-bdc3-790cf8022029
medium codex Reentrant exit can double-withdraw a lockup via claimBonus external transfer 0x65c0dfbb89a35e3e514e0b02eca34ac2e3bbf7ef $0.00 no 3 months ago 1d8ee4e7-546b-49b6-a785-21b6dbd061e5
low codex Division by zero in WRN reward math can block exits if totalMultiplier is zero 0x65c0dfbb89a35e3e514e0b02eca34ac2e3bbf7ef $0.00 no 3 months ago 1d8ee4e7-546b-49b6-a785-21b6dbd061e5
low codex Incorrect ceil_div overestimates exact divisions and can revert on large inputs 0x2fe16dd18bba26e457b7dd2080d5674312b026a2 $201,034.48 no 3 months ago 9648f11d-9f3c-4a68-980a-9cb3ee913d22
medium codex Auto‑liquidation signatures lack domain separation and replay protection 0xd8dfc66f21149dda5b6904b9c9bcf3c62db303cd $0.00 no 3 months ago cb0d0890-71b6-43c1-9e9b-faffab747a65
low codex Withdrawal lock can be bypassed by transferring vault tokens 0xd8dfc66f21149dda5b6904b9c9bcf3c62db303cd $0.00 no 3 months ago cb0d0890-71b6-43c1-9e9b-faffab747a65
info codex Unchecked ERC20 approve return value during migration 0xd8dfc66f21149dda5b6904b9c9bcf3c62db303cd $0.00 no 3 months ago cb0d0890-71b6-43c1-9e9b-faffab747a65
medium codex `report()` is reentrancy‑reachable before `strategyLastReport`/`lastReport` updates 0x349c996c4a53208b6eb09c103782d86a3f1bb57e $184,646.42 no 3 months ago 3434233f-be8f-4773-8512-d71d9cb934b3
low codex Share/accounting mismatch for fee‑on‑transfer or rebasing underlying tokens 0x349c996c4a53208b6eb09c103782d86a3f1bb57e $184,646.42 no 3 months ago 3434233f-be8f-4773-8512-d71d9cb934b3
medium codex Unrestricted swap callback can spoof reserves and corrupt vault accounting 0x6ac78b7d787b5ddde1b342a1346fb545acf44e01 $0.00 no 3 months ago 4a6f5ba6-2691-48c0-bd6e-c5c33012cb30
medium codex Delegatecall to external OrderManager gives it full control of vault storage 0x6ac78b7d787b5ddde1b342a1346fb545acf44e01 $0.00 no 3 months ago 4a6f5ba6-2691-48c0-bd6e-c5c33012cb30
medium codex Initializer is publicly callable (only guarded by isInitialized flag) 0xb95193fba71b82b245cb3456d1dd2c15ee779e01 $0.00 no 3 months ago 214e9e7c-7d46-4b18-968f-335f407b9ed8
medium codex Strategy reporting functions lack caller validation 0xf296b1113cc49ae4c6890e7b5dd3bed780407487 $0.00 no 3 months ago 32eb8a4e-dc98-43be-afb6-db26de4e26fb
low codex Allowance can be spent multiple times via reentrancy in transferFrom 0xf296b1113cc49ae4c6890e7b5dd3bed780407487 $0.00 no 3 months ago 32eb8a4e-dc98-43be-afb6-db26de4e26fb
info codex Implementation contract is initializable (not locked) 0xf296b1113cc49ae4c6890e7b5dd3bed780407487 $0.00 no 3 months ago 32eb8a4e-dc98-43be-afb6-db26de4e26fb
medium codex Oracle price freshness is not enforced, allowing stale prices 0x717170b66654292dfbd89c39f5ae6753d2ac1381 $196,976.04 no 3 months ago 1e6b6a15-2941-4d1e-8cea-d31117070bed
low codex Collateral withdrawal can skip ratio enforcement when computed ratio rounds to zero 0x717170b66654292dfbd89c39f5ae6753d2ac1381 $196,976.04 no 3 months ago 1e6b6a15-2941-4d1e-8cea-d31117070bed
medium codex Fee-on-transfer or rebasing assets break accounting and can create unbacked balances 0xf76a7887521a91b47c62060ba57549dec1dc88c7 $190,857.26 no 3 months ago 6a9f8fb4-2803-400f-a1bc-5e8206080eb7
medium codex Checkpointing after long gaps can permanently lock undistributed tokens 0xd3cf852898b21fc233251427c2dc93d3d604f3bb $195,411.19 no 3 months ago aae94f7c-836c-4390-a20d-a9e2f0e8a71c
low codex Resolver response and success are not validated before delegatecall 0xdfc0b0a0dc341b6c83267a0121d820f16d3e59c7 $192,990.51 no 3 months ago c9cd9a6d-1d93-4304-8e92-802c612866c8
info codex Implementation address is resolved via external resolver each call 0xdfc0b0a0dc341b6c83267a0121d820f16d3e59c7 $192,990.51 no 3 months ago c9cd9a6d-1d93-4304-8e92-802c612866c8
medium codex Opening fee deducted after collateral check allows undercollateralized borrows 0x98eb27e5f24fb83b7d129d789665b08c258b4ccf $200,096.48 no 3 months ago ef44eea5-4f3a-4284-83ee-696fedf14b96
low codex Unchecked ERC20 transfers in withdrawInterest/burn can silently fail 0x98eb27e5f24fb83b7d129d789665b08c258b4ccf $200,096.48 no 3 months ago ef44eea5-4f3a-4284-83ee-696fedf14b96
low codex ERC20 transfer return value unchecked in claim payout 0x97dfbff1e89eac4fb84a372d6a4ec9cf52225afb $200,308.58 no 3 months ago 9824b367-42cd-45ef-8a5b-28f569eddd3a
high codex Unprotected initializer lets anyone become OWNER_ROLE if initialization is front‑run or forgotten 0xbe607a58206180fef691bf1b5ae9670174284388 $0.00 no 3 months ago 1fa951b9-2131-457c-8c77-edb910fcb7c3
medium codex batchExecute reuses msg.value across delegatecalls, enabling protocol-fee inflation 0xa26e80e7dea86279c6d778d702cc413e6cffa777 $206,938.93 no 3 months ago 16d829c8-3cab-4cbb-9742-3289e5bd9a3d
low codex Unchecked ERC20 transfer return values in ZRX vault and reward payouts 0xa26e80e7dea86279c6d778d702cc413e6cffa777 $206,938.93 no 3 months ago 16d829c8-3cab-4cbb-9742-3289e5bd9a3d
low codex Strategy can be permanently bricked after total supply hits zero (division by zero on mint/burn paths) 0x3ae72b6f5fb854eaa2b2b862359b6fca7e4bc2fc $207,915.84 no 3 months ago dc874f74-a1be-495d-a37a-0a8993a903eb
low codex ERC20Permit does not enforce EIP-2 lower‑s / v range checks (signature malleability) 0x3ae72b6f5fb854eaa2b2b862359b6fca7e4bc2fc $207,915.84 no 3 months ago dc874f74-a1be-495d-a37a-0a8993a903eb
high codex NFT burn lacks ownership check, enabling destruction of others’ tokens 0xc36cf0cfcb5d905b8b513860db0cfe63f6cf9f5c $208,137.22 no 3 months ago 5ee92886-8335-43e3-bee9-4a7cb539a22c
medium codex Non‑fungible transfers accept arbitrary _value, breaking base‑type accounting 0xc36cf0cfcb5d905b8b513860db0cfe63f6cf9f5c $208,137.22 no 3 months ago 5ee92886-8335-43e3-bee9-4a7cb539a22c
low codex Signature verification allows malleable signatures and packed-encoding ambiguity 0xc36cf0cfcb5d905b8b513860db0cfe63f6cf9f5c $208,137.22 no 3 months ago 5ee92886-8335-43e3-bee9-4a7cb539a22c
medium codex Global deposit counter lets any user inflate withdrawal fees or block withdrawals 0xdfc61bae9ac44758bf3e08fd248f2f1561236b51 $235,386.10 no 3 months ago ec521ee3-e27c-458a-99dd-4f685b433233
info codex Hardcoded liquidity manager can arbitrarily move assets and grant withdrawal rights 0xcad22983d6e9336cfa1a604a4aaee6a40485f911 $201,770.61 no 3 months ago fdc96e56-7733-4245-94be-d45bb0bfa698
low codex renounceOwnership can be reversed by a previously nominated owner 0xaedcfcdd80573c2a312d15d6bb9d921a01e4fb0f $206,828.85 no 3 months ago a707eba1-cb00-477e-932b-94b34a323437