Tripwire
Find contracts. Test them. Review real vulns.
Confirmed Findings: 2,205 (crit 60, high 1157)
All Findings: 46,184 (across all runs)
Chain: 1 (Mainnet focus)
Signal Mix: 24239 high severity in results
Findings
Severity Tool Title Address Value USD Validated Confirmed Found Run
medium codex Share minting fully trusts external TVL oracle without internal sanity checks 0x7bb1a6b19e37028b3aa5c580339c640720e35203 $214,622.89 no 3 months ago 5c9136af-117b-4158-85c8-f4b226b611a7
medium codex Accounting assumes full transfer amounts (fee-on-transfer/rebasing tokens break invariants) 0x7bb1a6b19e37028b3aa5c580339c640720e35203 $214,622.89 no 3 months ago 5c9136af-117b-4158-85c8-f4b226b611a7
low codex removeToken can desync dynasetTokens and records when passed an unbound token 0x7bb1a6b19e37028b3aa5c580339c640720e35203 $214,622.89 no 3 months ago 5c9136af-117b-4158-85c8-f4b226b611a7
medium codex Fee-on-transfer/rebasing tokens can drain bridge liquidity due to using nominal amounts 0x4f52b41a778761bd2eea5b7b7ed8cbdaa02cef3e $174,151.93 no 3 months ago 75d8a698-68e2-466a-b2b2-8bd25824ece8
low codex Operator privileges persist after ownership transfer 0x7ffe1ec3b0733e6455c790c6bbf8579e9552566b $237,320.20 no 3 months ago 7450153f-7c91-4384-9071-59cc3b2b264a
medium codex Initializer can be seized if proxy/implementation is left uninitialized 0x2e1ce0f2ab6b61d5a3d1682a77496c4611860b57 $0.00 no 3 months ago 4e8c3a13-f737-4379-a32a-ef45951dc98f
low codex Fee-on-transfer tokens break pool accounting 0x2e1ce0f2ab6b61d5a3d1682a77496c4611860b57 $0.00 no 3 months ago 4e8c3a13-f737-4379-a32a-ef45951dc98f
high codex Unprotected initialize allows admin/votingEscrow takeover 0x8549ba7f483afb13b8321830d6f07f30f0a2f1de $222,172.27 no 3 months ago 09fa5a2e-f3b7-46e9-8b86-0a03ea86c5f7
medium codex Claiming can revert when weekly total supply is zero 0x8549ba7f483afb13b8321830d6f07f30f0a2f1de $222,172.27 no 3 months ago 09fa5a2e-f3b7-46e9-8b86-0a03ea86c5f7
low codex Token distribution truncates after >20 weeks of inactivity 0x8549ba7f483afb13b8321830d6f07f30f0a2f1de $222,172.27 no 3 months ago 09fa5a2e-f3b7-46e9-8b86-0a03ea86c5f7
critical codex Unprotected proxy initialization allows takeover of DutchExchange 0x039fb002d21c1c5eeb400612aef3d64d49eb0d94 $0.00 no 3 months ago f48b1e81-4fa5-4c5d-a3aa-b4088c28d8f0
high codex Reentrancy window in withdraw before balance update 0x039fb002d21c1c5eeb400612aef3d64d49eb0d94 $0.00 no 3 months ago f48b1e81-4fa5-4c5d-a3aa-b4088c28d8f0
medium codex Oracle validity flag ignored; invalid/stale prices still used 0x039fb002d21c1c5eeb400612aef3d64d49eb0d94 $0.00 no 3 months ago f48b1e81-4fa5-4c5d-a3aa-b4088c28d8f0
low codex Unchecked low-level call in PriceFeed.post 0x039fb002d21c1c5eeb400612aef3d64d49eb0d94 $0.00 no 3 months ago f48b1e81-4fa5-4c5d-a3aa-b4088c28d8f0
medium codex External rate oracles / ERC4626 conversion feed directly into pricing without sanity bounds 0xb92b054b9cc33685e7f8c3f85177c4b6dc061391 $218,596.43 no 3 months ago b59a118d-c397-45af-8d13-1ddf618b6695
low codex Negative rebases can underflow admin-fee accounting and brick pool 0xb92b054b9cc33685e7f8c3f85177c4b6dc061391 $218,596.43 no 3 months ago b59a118d-c397-45af-8d13-1ddf618b6695
low codex Fee-on-transfer tokens can underfund streams and break protocol revenue accounting 0xb10daee1fcf62243ae27776d7a92d39dc8740f95 $216,450.13 no 3 months ago 27a2f35d-e022-40b2-a099-eb4efd5f89c4
high codex Failed execTransaction still consumes tezosOperation, enabling gas‑griefing DoS and stuck unwraps 0x5dc76fd132354be5567ad617fd1fe8fb79421d82 $250,884.11 no 3 months ago 6d9075ea-e510-4702-8437-3a8481b449fa
medium codex execTransaction ignores return data, so ERC20 transfers that return false are treated as successful 0x5dc76fd132354be5567ad617fd1fe8fb79421d82 $250,884.11 no 3 months ago 6d9075ea-e510-4702-8437-3a8481b449fa
low codex Domain separator omits chainId, allowing cross‑chain signature replay 0x5dc76fd132354be5567ad617fd1fe8fb79421d82 $250,884.11 no 3 months ago 6d9075ea-e510-4702-8437-3a8481b449fa
medium codex Authorization uses tx.origin instead of msg.sender 0x089af8339c47cfbeab37d115325fc3d2b02f4a1e $231,828.32 no 3 months ago b3a1ceb2-01ee-4bdb-a95e-7486ad0194a2
high codex Unprotected initializer allows manager takeover if deployment is not atomic 0xb542d5cb34ef265fb87c170181127332f7797369 $0.00 no 3 months ago 57607431-8897-4c7e-aa5c-98624726087b
medium codex Fee-on-transfer/rebasing tokens break share accounting 0xf5bce5077908a1b7370b9ae04adc565ebd643966 $240,716.91 no 3 months ago 46cff257-db03-4435-9677-6bd04c33af53
high codex Unprotected initializer allows takeover of uninitialized AToken proxy 0x30d06a9a992473a6a5d8b54f56bf457fa020794d $0.00 no 3 months ago 4b4a6e13-aa21-49a9-b499-317b5b9e8f6e
low codex Permit signature malleability due to raw ecrecover 0x30d06a9a992473a6a5d8b54f56bf457fa020794d $0.00 no 3 months ago 4b4a6e13-aa21-49a9-b499-317b5b9e8f6e
medium codex MarketMakerProxy accepts zero SIGNER, allowing signature bypass with invalid signatures 0x4a14347083b80e5216ca31350a2d21702ac3650d $473,613.07 no 3 months ago f79cdfdf-c2a6-4381-8634-dcbefab1610e
high codex Public initializers enable proxy takeover if not called atomically 0x281aa2e0684439ed9fee12eff0d8ff346b755a39 $0.00 no 3 months ago 845cb09f-5c1f-4394-8c8b-28bd2c6cb69a
medium codex KRWT ownership can be reclaimed after renounce via initialize 0x281aa2e0684439ed9fee12eff0d8ff346b755a39 $0.00 no 3 months ago 845cb09f-5c1f-4394-8c8b-28bd2c6cb69a
low codex Fee validation uses OR, allowing invalid fees that break mint/withdraw math 0x281aa2e0684439ed9fee12eff0d8ff346b755a39 $0.00 no 3 months ago 845cb09f-5c1f-4394-8c8b-28bd2c6cb69a
info codex Proxy initializer updates name/symbol without updating EIP-712 domain 0x281aa2e0684439ed9fee12eff0d8ff346b755a39 $0.00 no 3 months ago 845cb09f-5c1f-4394-8c8b-28bd2c6cb69a
low codex Fee-on-transfer/rebasing ERC20s can break pool accounting 0xb419c2867ab3cbc78921660cb95150d95a94ce86 $238,551.59 no 3 months ago bbe6df07-a5d0-437c-95c1-fe533e32b67d
medium codex Permit DOMAIN_SEPARATOR is immutable; clone deployments allow cross-pair signature replay 0x7290367aa694703220516a35e68e3d339ee7d193 $0.00 no 3 months ago a63772f1-048a-4d9c-860a-5b89e63f052c
medium codex initialize is permissionless and can be front-run to hijack a pair 0x7290367aa694703220516a35e68e3d339ee7d193 $0.00 no 3 months ago a63772f1-048a-4d9c-860a-5b89e63f052c
low codex Protocol fee mints even when feeTo is unset, causing LP dilution 0x7290367aa694703220516a35e68e3d339ee7d193 $0.00 no 3 months ago a63772f1-048a-4d9c-860a-5b89e63f052c
high codex Unprotected initializer enables ownership takeover on uninitialized deployments 0xd928d07d9c2629ecd3f3b81685b27bd50383f028 $0.00 no 3 months ago 28c692cb-34be-4594-99b9-e4f1085a916a
high codex Withdrawals ignore locked collateral, enabling pool insolvency 0xb9ed94c6d594b2517c4296e24a8c517ff133fb6d $249,700.33 no 3 months ago 4512afe7-5f93-4201-92ac-099a73dc43a6
medium codex Chainlink price used without freshness/positivity checks 0xb9ed94c6d594b2517c4296e24a8c517ff133fb6d $249,700.33 no 3 months ago 4512afe7-5f93-4201-92ac-099a73dc43a6
low codex Unrestricted `poolApprove` lets anyone grant unlimited allowances from Facade 0xb9ed94c6d594b2517c4296e24a8c517ff133fb6d $249,700.33 no 3 months ago 4512afe7-5f93-4201-92ac-099a73dc43a6
medium codex Unprotected initializer allows takeover of uninitialized proxy or post-upgrade reinitialization 0x850e6306c2777e1a66b66680c7999240e7d312bf $0.00 no 3 months ago d07213c7-d170-4ec7-9a2f-5a0a3c2a27d3
medium codex Votes are not reduced when stake is withdrawn, enabling vote‑reuse if withdrawals occur before proposal end 0x91e0fed1816f96652394423479537da3a4cdc929 $244,679.78 no 3 months ago e6a9694d-1da0-4b2d-a150-5c28b1f8078a
low codex Zero‑vote proposals cannot be tallied due to division by zero 0x91e0fed1816f96652394423479537da3a4cdc929 $244,679.78 no 3 months ago e6a9694d-1da0-4b2d-a150-5c28b1f8078a
low codex Off‑by‑one proposal IDs cause event IDs to point to the wrong proposal 0x91e0fed1816f96652394423479537da3a4cdc929 $244,679.78 no 3 months ago e6a9694d-1da0-4b2d-a150-5c28b1f8078a
medium codex Swap pricing fully trusts external oracle output (no invariant check) 0x8b0bb0d0d8b3d83ebb7c1b49d79d74df396634c6 $246,476.88 no 3 months ago 7f435b0b-07c9-42c2-8634-81c9a806bf16
low codex Permit signatures are malleable (no EIP‑2 `s`/`v` checks) 0x8b0bb0d0d8b3d83ebb7c1b49d79d74df396634c6 $246,476.88 no 3 months ago 7f435b0b-07c9-42c2-8634-81c9a806bf16
low codex Pair initialization can be called multiple times by the factory 0x8b0bb0d0d8b3d83ebb7c1b49d79d74df396634c6 $246,476.88 no 3 months ago 7f435b0b-07c9-42c2-8634-81c9a806bf16
medium codex Oracle price feeds directly set strike/premium/exercise costs without added integrity checks 0x8abf5358a88ca2586635d646aaaff172572fb0ed $0.00 no 3 months ago 3cda34f9-1fd9-4a06-ad4d-43dfafce2985
low codex RFQ/mint options lack strike/expiry validation, enabling underflow and unexercisable options 0x8abf5358a88ca2586635d646aaaff172572fb0ed $0.00 no 3 months ago 3cda34f9-1fd9-4a06-ad4d-43dfafce2985
medium codex Unchecked ERC20 return values allow silent failures and loss on redeem 0x4809010926aec940b550d34a46a52739f996d75d $254,732.60 no 3 months ago bda9f9dc-1008-4ba4-9734-24de3e36a576
low codex Unchecked ERC20 transfer return value can silently fail and skew vesting behavior 0x953c32158602e9690c6e86b94b230b5951b51a73 $250,000.00 no 3 months ago a960024e-2b54-4060-916f-c51d68cfaf24
medium codex Blacklist can be bypassed via allowance-based redemption/claims 0xf2cd14f02b4fdc0d26681fbc7f60a11b8378f96d $0.00 no 3 months ago cae98014-97ad-4a90-995b-7a0ce222c6b0