Tripwire
Find contracts. Test them. Review real vulns.
Confirmed Findings: 2,205 (crit 60, high 1157)
All Findings: 46,184 (across all runs)
Chain: 1 (Mainnet focus)
Signal Mix: 24239 high severity in results
Findings
Severity Tool Title Address Value USD Validated Confirmed Found Run
low codex External asset change limit can be bypassed when values are <1 0xf2cd14f02b4fdc0d26681fbc7f60a11b8378f96d $0.00 no 3 months ago cae98014-97ad-4a90-995b-7a0ce222c6b0
low codex Fee-on-transfer or rebasing tokens break staking/reward accounting and can zero out user rewards 0xb1f131437e314614313aab3a3016fa05c1b0e087 $255,379.10 no 3 months ago 368dc22a-e2f4-4de7-b6ef-d1be70122119
info codex Initializer is publicly callable if deployed/left uninitialized 0xb1f131437e314614313aab3a3016fa05c1b0e087 $255,379.10 no 3 months ago 368dc22a-e2f4-4de7-b6ef-d1be70122119
medium codex Minting ignores actual received underlying, enabling undercollateralization with fee-on-transfer tokens 0x7ea2be2df7ba6e54b1a9c70676f668455e329d29 $253,816.35 no 3 months ago 0c565d08-f42f-431c-9f44-84e9a2ba2c0c
low codex Recipient guard uses OR, allowing transfers to zero or self and locking funds 0x7ea2be2df7ba6e54b1a9c70676f668455e329d29 $253,816.35 no 3 months ago 0c565d08-f42f-431c-9f44-84e9a2ba2c0c
info codex Owner can execute arbitrary external calls (multicall) 0x5f5aca1da12fa906fe2d9cbfcee284ae18b40e08 $270,940.00 no 3 months ago 10f2851f-10fd-400c-94e2-4f0602fb8ced
high codex Initializer can be called by anyone before owners are set 0x95ca2f7959f8848795dfb0868c1b0c59dd4e9330 $0.00 no 3 months ago e566fdea-a7ec-4850-8cb6-a61d047e3f9d
medium codex External call failures consume nonce and can mask failed token transfers 0x95ca2f7959f8848795dfb0868c1b0c59dd4e9330 $0.00 no 3 months ago e566fdea-a7ec-4850-8cb6-a61d047e3f9d
low codex Signed message lacks chain/domain separation (cross-chain replay risk) 0x95ca2f7959f8848795dfb0868c1b0c59dd4e9330 $0.00 no 3 months ago e566fdea-a7ec-4850-8cb6-a61d047e3f9d
medium codex Withdrawal signatures lack domain separation, enabling cross-contract/chain replay 0xc8c1b41713761281a520b7ad81544197bc85a4ce $314,551.19 no 3 months ago ecbd4a63-528c-4904-a826-66055a86935c
medium codex Fee-on-transfer tokens can be over-credited during transit 0xc8c1b41713761281a520b7ad81544197bc85a4ce $314,551.19 no 3 months ago ecbd4a63-528c-4904-a826-66055a86935c
low codex Signer can be set to zero address, weakening signature validation 0xc8c1b41713761281a520b7ad81544197bc85a4ce $314,551.19 no 3 months ago ecbd4a63-528c-4904-a826-66055a86935c
low codex Fee-on-transfer tokens break pool accounting and allow value extraction 0xf08d4dea369c456d26a3168ff0024b904f2d8b91 $286,377.62 no 3 months ago 2cd84221-a81a-485d-a866-8346329f1cca
medium codex Cached yToken balances let new LPs capture unaccounted yield 0x965cc658158a7689fbb6c4df735aa435c500c29b $0.00 no 3 months ago 15ac169e-dc7f-43ef-b03e-7068b7fd1271
medium codex Fee-on-transfer tokens break accounting and allow excess LP minting 0x965cc658158a7689fbb6c4df735aa435c500c29b $0.00 no 3 months ago 15ac169e-dc7f-43ef-b03e-7068b7fd1271
low codex initialize is reusable and mints LP tokens at a fixed 1:1 rate 0x965cc658158a7689fbb6c4df735aa435c500c29b $0.00 no 3 months ago 15ac169e-dc7f-43ef-b03e-7068b7fd1271
medium codex Quorum approvals do not bind action parameters, allowing last signer to choose arbitrary values 0x0629c8153eb19fb19b44dff1804fad66360a5441 $291,419.55 no 3 months ago 32a97564-7bf6-471b-b139-f8c4b61428d3
low codex ERC20 transfer return values are unchecked 0x0629c8153eb19fb19b44dff1804fad66360a5441 $291,419.55 no 3 months ago 32a97564-7bf6-471b-b139-f8c4b61428d3
low codex Quota revenue can be modified by any credit manager 0x0eecbdbf7331b8a50fcd0bf2c267bf47bd876054 $283,852.54 no 3 months ago 2471907b-e113-4c7f-8946-ea0343735370
high codex Unrestricted initializer allows proxy takeover if not initialized atomically 0x30d06a9a992473a6a5d8b54f56bf457fa020794d $0.00 no 3 months ago 0589f940-a7f8-42a6-985f-77e5f0b4e9ab
low codex sellAsset does not enforce the caller’s maxAmount after fee/rounding adjustments 0x7dadf78d641f7ad327aeb0f71e97b6229345eca4 $0.00 no 3 months ago 9707eaa0-327d-4499-891d-f96c86f59835
high codex Delegatecall into adapter grants full vault control if adapter is compromised or upgradeable 0x7a477d6570386e2b9d0f14d03bd976b0c68b94b9 $0.00 no 3 months ago 0bcec04f-71c6-45e6-b451-df0c2c08db21
medium codex Initializer can be front‑run if deployment does not initialize atomically 0x7a477d6570386e2b9d0f14d03bd976b0c68b94b9 $0.00 no 3 months ago 0bcec04f-71c6-45e6-b451-df0c2c08db21
low codex Old TSS retains PAUSER_ROLE after TSS rotation 0x37555f2e573b7d84fe0a09365d3a443509e0f645 $0.00 no 3 months ago 9fa9421d-55fc-4a1c-bd24-abcb9b4c1d7e
low codex Implementation contract not locked against initialization 0x37555f2e573b7d84fe0a09365d3a443509e0f645 $0.00 no 3 months ago 9fa9421d-55fc-4a1c-bd24-abcb9b4c1d7e
low codex Liquidation path does not update tokenDebts, drifting debt-limit accounting 0xb1cff81b9305166ff1efc49a129ad2afcd7bcf19 $328,591.09 no 3 months ago 97545a90-9bde-4620-9d97-4cdb67b2e665
low codex Legacy forwarder lacks payload-size checks after deprecation 0xdac17f958d2ee523a2206206994597c13d831ec7 $2,253,681.15 no 3 months ago 2b376d5a-7463-439f-990e-2ac02e70a615
medium codex Permissionless closeRound can bypass burning unsold oTokens 0x9a056f0040e1e84245bd7a79ed580ff1b1c44e95 $0.00 no 3 months ago 9d3c7d85-a3b0-4002-a5b2-7bb992cf7219
medium codex Fee collection can render refunds insolvent during the refund window 0x984f7dbd76286a9ce4c68ac84bb098c5fff3ed62 $0.00 no 3 months ago 73252535-2ea1-4a23-a722-3f8641951082
low codex Refund receiver can drain refund tokens at any time 0x984f7dbd76286a9ce4c68ac84bb098c5fff3ed62 $0.00 no 3 months ago 73252535-2ea1-4a23-a722-3f8641951082
low codex Implementation contract is not locked against direct initialization 0x984f7dbd76286a9ce4c68ac84bb098c5fff3ed62 $0.00 no 3 months ago 73252535-2ea1-4a23-a722-3f8641951082
low codex Privileged SELFDESTRUCT path (kill switch) present 0x828ae1566824a9835acb6f565e1e9ea22bfb883a $514,844.47 no 3 months ago acebfaeb-b1a5-4870-be13-af98cd1e9636
medium codex Accounting assumes full ERC20 transfers; fee‑on‑transfer/rebasing tokens can mint excess cpTokens or underpay debt 0x2e1ce0f2ab6b61d5a3d1682a77496c4611860b57 $0.00 no 3 months ago 34a90f5f-1d83-49d7-99ca-888574976d6b
medium codex Unrestricted initializer lets first caller become factory if initialization is not atomic 0x2e1ce0f2ab6b61d5a3d1682a77496c4611860b57 $0.00 no 3 months ago 34a90f5f-1d83-49d7-99ca-888574976d6b
high codex Upgradeable proxy can be taken over if not initialized atomically 0x0e6590f64a82cbc838b2a087281689de1a5bc8e0 $0.00 no 3 months ago 0f2dae3b-fa8e-4cc8-9793-fb705919c460
low codex Dispute deposit accounting assumes full transfer, risking permanent dispute lock with fee-on-transfer tokens 0x0e6590f64a82cbc838b2a087281689de1a5bc8e0 $0.00 no 3 months ago 0f2dae3b-fa8e-4cc8-9793-fb705919c460
low codex `tx.origin` allows bypassing operator-only claim policy 0x0e6590f64a82cbc838b2a087281689de1a5bc8e0 $0.00 no 3 months ago 0f2dae3b-fa8e-4cc8-9793-fb705919c460
high codex Initializer chaining uses `initializer` on parent functions, causing init revert and enabling role takeover/DoS 0xc616eaf17c5e3349c1fa493459494bb4dd0fd788 $0.00 no 3 months ago 2deaa8fd-acba-426c-b3ce-676760114af5
medium codex Fee-on-transfer ERC20s over-credit deposits, breaking accounting 0xc616eaf17c5e3349c1fa493459494bb4dd0fd788 $0.00 no 3 months ago 2deaa8fd-acba-426c-b3ce-676760114af5
high codex Initializer callable by anyone can set owner if not initialized 0x5018cc0d628fb322b2a040cfcd269a36c60b1538 $0.00 no 3 months ago f0cc17b9-48e1-4232-bd71-d421f424b320
low codex ERC20 transferFrom return value not checked 0x5018cc0d628fb322b2a040cfcd269a36c60b1538 $0.00 no 3 months ago f0cc17b9-48e1-4232-bd71-d421f424b320
critical codex Unprotected initializer allows proxy takeover 0x2bae491b065032a76be1db9e9ecf5738afae203e $0.00 no 3 months ago a05c4fac-ff2e-4d67-b086-539db9c0a0b3
medium codex External FRT mint before state updates enables reentrancy in claim flows 0x2bae491b065032a76be1db9e9ecf5738afae203e $0.00 no 3 months ago a05c4fac-ff2e-4d67-b086-539db9c0a0b3
medium codex Unverified keeper-supplied currentBalance drives pricePerShare and locked accounting 0xd912325c960f1a6276f1e905d2f7715bd3d5c06d $346,166.04 no 3 months ago 44965f42-5493-4803-b5d3-c3ecb3a30541
low codex Deposits credit the requested amount before transfer, allowing fee-on-transfer tokens to inflate shares 0xd912325c960f1a6276f1e905d2f7715bd3d5c06d $346,166.04 no 3 months ago 44965f42-5493-4803-b5d3-c3ecb3a30541
medium codex borrowBehalf lacks reentrancy guard, enabling nested calls during underlying transfer 0xefdf5ccc12d8cff4a7ed4e421b95f8f69cf2f766 $0.00 no 3 months ago e861a905-892a-48df-87c8-ed66476df752
low codex Reward claims update state after transfer, allowing reentrant double-claims with hook-enabled tokens 0xefdf5ccc12d8cff4a7ed4e421b95f8f69cf2f766 $0.00 no 3 months ago e861a905-892a-48df-87c8-ed66476df752
low codex Bootstrap mint can zero out first depositor shares 0x79400a2c9a5e2431419cac98bf46893c86e8bdd7 $347,747.31 no 3 months ago 84ff0dad-46bd-4cdc-a575-0515acc1b2bd
high codex Unprotected initialization enables auction takeover if not initialized atomically 0x364b7e2d5b11b9d2016d232fa271d89d5e6065f1 $0.00 no 3 months ago d49d2b94-52b3-40cd-ba7d-b3d971c536fe
medium codex Debt > credit underflow can brick totalAssets and withdrawals 0xfd6db5011b171b05e1ea3b92f9eacaeeb055e971 $362,528.08 no 3 months ago b806a3f0-ce94-4e32-977e-bb6d911ba46b