Tripwire
Find contracts. Test them. Review real vulns.
Confirmed Findings: 2,205 (crit 60, high 1157)
All Findings: 46,184 (across all runs)
Chain: 1 (Mainnet focus)
Signal Mix: 24239 high severity in results
Findings
Severity Tool Title Address Value USD Validated Confirmed Found Run
medium codex Share issuance ignores secondary-token holdings when totalDeposit is zero 0xf1d29a124622c06f7026f35553543c833102183b $492,367.51 no 3 months ago bb9485bb-c626-4e0d-948e-2eb1a347a1d3
low codex Unchecked low-level DX claim can silently fail and strand funds 0xf1d29a124622c06f7026f35553543c833102183b $492,367.51 no 3 months ago bb9485bb-c626-4e0d-948e-2eb1a347a1d3
low codex Unchecked arithmetic on pool totals can overflow and corrupt accounting 0xf1d29a124622c06f7026f35553543c833102183b $492,367.51 no 3 months ago bb9485bb-c626-4e0d-948e-2eb1a347a1d3
medium codex External rate sources are trusted without bounds or sanity checks 0x02950460e2b9529d0e00284a5fa2d7bdf3fa4d72 $501,989.91 no 3 months ago 0372034b-676d-43a6-8bd1-e39cec724d64
low codex Admin fee withdrawal can be reentered before balances are cleared 0x02950460e2b9529d0e00284a5fa2d7bdf3fa4d72 $501,989.91 no 3 months ago 0372034b-676d-43a6-8bd1-e39cec724d64
low codex permit accepts malleable ECDSA signatures (no s/v range checks) 0xa19bf6fbf05624282cb6ed498f4761f22e084edd $463,118.12 no 3 months ago b28e34f9-0658-4c7e-a9c9-0eaee1716b09
low codex exchange_received can be front-run to consume pre-transferred pool balances 0xa19bf6fbf05624282cb6ed498f4761f22e084edd $463,118.12 no 3 months ago b28e34f9-0658-4c7e-a9c9-0eaee1716b09
low codex ERC20 return values ignored in command execution helpers 0xe0a9a32de2589f478074843d277ceb7234ffbd49 $0.00 no 3 months ago 363801c0-c873-4a99-a145-6211ab1fb838
medium codex Bridge-out signatures are not bound to a specific MezoBridge instance 0x7e994d7fc7a2c3cad2331dadb07902f3a46b6cd9 $0.00 no 3 months ago b3b26998-7224-4497-922f-149e2a3c3073
low codex ERC20 bridging assumes full transfer amount (fee-on-transfer tokens can undercollateralize) 0x7e994d7fc7a2c3cad2331dadb07902f3a46b6cd9 $0.00 no 3 months ago b3b26998-7224-4497-922f-149e2a3c3073
medium codex wrapTo mints based on requested amount, not actual tokens received 0x0492560fa7cfd6a85e50d8be3f77318994f8f429 $767,425.82 no 3 months ago 8330779e-3003-445a-bb0e-578b7883cb90
low codex Pause mechanism does not apply to wrap/unwrap 0x0492560fa7cfd6a85e50d8be3f77318994f8f429 $767,425.82 no 3 months ago 8330779e-3003-445a-bb0e-578b7883cb90
high codex Re-initializable setup can grant operator/flow-limiter roles to an attacker 0x8832f0381707bb29756edecf42580800207f2a9e $0.00 no 3 months ago 86d4515f-6381-4ede-ac6f-89c32fe84757
info codex Implementation resolved via external beacon staticcall before delegatecall 0x2693122c7e2275b125afae42bc9c47d237ed796e $1,767,967.79 no 3 months ago ef529a94-cae5-468f-8d1f-e180d2f3b1d6
high codex Public initializer can be front-run to hijack gateway configuration 0xb4299a1f5f26ff6a98b7ba35572290c359fde900 $0.00 no 3 months ago ce4d273e-c903-4f23-ab6a-43ad55bdeb64
low codex transferExitAndCall can invoke onExitTransfer without proving an exit exists 0xb4299a1f5f26ff6a98b7ba35572290c359fde900 $0.00 no 3 months ago ce4d273e-c903-4f23-ab6a-43ad55bdeb64
critical codex Unprotected initializer allows anyone to seize ownership and configure pool 0xf6a8e47daeeddcce297e7541523e27df2f167bf3 $0.00 no 3 months ago 90afe0c9-12a0-47b2-82ff-b59e5a092a6a
medium codex Oracle price is trusted without validation or bounds 0xf6a8e47daeeddcce297e7541523e27df2f167bf3 $0.00 no 3 months ago 90afe0c9-12a0-47b2-82ff-b59e5a092a6a
low codex Internal balance accounting breaks for fee-on-transfer or rebasing tokens 0xf6a8e47daeeddcce297e7541523e27df2f167bf3 $0.00 no 3 months ago 90afe0c9-12a0-47b2-82ff-b59e5a092a6a
low codex Unrestricted time manipulation if a test Timer is configured 0xe1ee8d4c5dba1c221840c08f6cf42154435b9d52 $549,207.35 no 3 months ago d86b5759-8ecf-4c17-8bea-30bd5b9c6e60
medium codex Reimbursement calculation relies on manipulable Uniswap V2 spot reserves 0x10c203fbfa80bb0855b615ba07ae5d001dcf2c1e $0.00 no 3 months ago 6c2f6309-b97c-4bb2-a53e-842ec90002c1
medium codex initialize does not assign Ownable ownership to initialOwner 0x10c203fbfa80bb0855b615ba07ae5d001dcf2c1e $0.00 no 3 months ago 6c2f6309-b97c-4bb2-a53e-842ec90002c1
low codex Unchecked ERC20 return values for approve/mint 0x10c203fbfa80bb0855b615ba07ae5d001dcf2c1e $0.00 no 3 months ago 6c2f6309-b97c-4bb2-a53e-842ec90002c1
high codex onlyL2Bridge fails open when messenger wrapper is unset or non-contract 0x3666f603cc164936c1b87e207f36beba4ac5f18a $538,298.12 no 3 months ago d486ca60-71f4-4936-9bef-5d94fbca5fdd
high codex Initializer callable after constructor enables ownership takeover on non-atomic deployments 0x8cfec459f62055ed3104a577c6613522c10b55c4 $0.00 no 3 months ago b204c673-73d8-4a76-b490-0df979244afc
high codex Withdraw/redeem always revert due to double nonReentrant in yTHOR overrides 0x8793cd69895c45b2d2474236b3cb28fc5c764775 $263,485.84 no 3 months ago 478c0b93-42fb-420f-976c-10c0f10515a8
low codex Accounting assumes asset/reward tokens transfer the full requested amount 0x8793cd69895c45b2d2474236b3cb28fc5c764775 $263,485.84 no 3 months ago 478c0b93-42fb-420f-976c-10c0f10515a8
low codex Signed rewardDebt can exceed accumulated after rounding, causing negative pending and claim DoS 0x8793cd69895c45b2d2474236b3cb28fc5c764775 $263,485.84 no 3 months ago 478c0b93-42fb-420f-976c-10c0f10515a8
high codex Unrestricted dispatcher initialize allows arbitrary sub-contract replacement and delegatecall execution 0x8c43c9bec15d82d153c52518030e0a9590abd35d $0.00 no 3 months ago 42220919-1f55-4be2-b0c0-1ee5ef2f8a32
high codex Nested initializer misuse bricks BToken initialization 0xd388b2a8e82df6a6c13a18ea7541df9449880954 $0.00 no 3 months ago df0b54ea-d387-4c94-beee-4819d345c6a5
high codex Privileged arbitrary delegatecall (owner backdoor) 0xe2b8eb988735f7709d08b7d07b41460073904830 $0.00 no 3 months ago 4e22cd5b-4962-4023-b255-f35d5e861e60
high codex Zero-in flashRebalance bypasses strategy validation and allows asset extraction 0xf90bb2baa90b457a35c37c5a96de2720ce367281 $0.00 no 3 months ago a6e01852-b60b-4be8-b0b9-857d2bbf0c58
medium codex Token recovery can sweep tracked assets due to disabled safety checks 0xf90bb2baa90b457a35c37c5a96de2720ce367281 $0.00 no 3 months ago a6e01852-b60b-4be8-b0b9-857d2bbf0c58
low codex Unchecked ETH transfer in recover can silently fail 0xf90bb2baa90b457a35c37c5a96de2720ce367281 $0.00 no 3 months ago a6e01852-b60b-4be8-b0b9-857d2bbf0c58
low codex Pre-transferred tokens can be claimed by anyone via exchange_received 0xee351f12eae8c2b8b9d1b9bfd3c5dd565234578d $605,273.80 no 3 months ago c9ec9bf5-5ece-4860-b199-9fddd62d46ef
low codex Unchecked ERC20 transfer return can mark claims as paid without transferring tokens 0x3d7b8d296f7d8e37ce57e556dea3dd6cb01b2f03 $629,116.27 no 3 months ago fff902d1-8613-4bc8-97f6-6dba982c6555
high codex Nested initializer modifiers brick initialization 0x1ef756da62278f3d43b0994f6e9e276f47a363e8 $0.00 no 3 months ago 14d2a919-005d-46a6-a7b3-489433ee41c1
low codex ERC20 transfer return value ignored 0x1ef756da62278f3d43b0994f6e9e276f47a363e8 $0.00 no 3 months ago 14d2a919-005d-46a6-a7b3-489433ee41c1
medium codex Unchecked ERC20 transfer return value can permanently burn claims 0xea402139c2a2c77ac724f6ab7724bc2938d30967 $583,386.53 no 3 months ago c28796c0-dadd-466a-a4b7-324e717eaa5f
low codex Snapshot validation compares block number to timestamp 0xea402139c2a2c77ac724f6ab7724bc2938d30967 $583,386.53 no 3 months ago c28796c0-dadd-466a-a4b7-324e717eaa5f
low codex Division by zero if totalSupplyAt snapshot is zero 0xea402139c2a2c77ac724f6ab7724bc2938d30967 $583,386.53 no 3 months ago c28796c0-dadd-466a-a4b7-324e717eaa5f
medium codex Accounting assumes full token transfers; fee-on-transfer/rebasing tokens can mint excess value 0xc629a01ec23ab04e1050500a3717a2a5c0701497 $0.00 no 3 months ago 8cc652a6-7cf0-4933-8cbc-f01f3bf664bd
low codex Initializer can be front-run on uninitialized clones 0xc629a01ec23ab04e1050500a3717a2a5c0701497 $0.00 no 3 months ago 8cc652a6-7cf0-4933-8cbc-f01f3bf664bd
high codex Public initializer allows post-deployment ownership takeover 0x905d9368cf8a337c420bfb87705d2cdbb4e1c26a $0.00 no 3 months ago 9f165857-e441-49d5-955a-03f4c7445c6c
medium codex Canceled validator set updates permanently block future proposals 0xca88d12919ecfe0eaf91326a1d9daedf4517b794 $0.00 no 3 months ago 20808da3-a735-44e2-86ed-b9e00a27e745
medium codex Prefetch can rewind interval pointers, enabling repeated earmarks and extra treasury transfers 0xaf51cd5f71ed88d6d1f65b575f1a8ce3a78ec42b $0.00 no 3 months ago 4ea3389e-4ea3-4963-b780-690e0ce1b56a
low codex Upgradeable implementations lack initializer lock 0xaf51cd5f71ed88d6d1f65b575f1a8ce3a78ec42b $0.00 no 3 months ago 4ea3389e-4ea3-4963-b780-690e0ce1b56a
low codex Unlocking a delegated stake does not snapshot the delegate, skewing reward snapshots 0xaf51cd5f71ed88d6d1f65b575f1a8ce3a78ec42b $0.00 no 3 months ago 4ea3389e-4ea3-4963-b780-690e0ce1b56a
medium codex Unchecked ERC20 transfer return values can permanently mark claims as paid 0xf5644345a5a9dc14076b58802dc908b83e62b0e1 $798,679.24 no 3 months ago bd446f50-167b-4602-9a1e-d7999d3ffe37
high codex Packet hashing uses abi.encodePacked with dynamic strings (collision-prone) 0xbdae358dc3b0389a5532d011a8b4098ffda11836 $0.00 no 3 months ago 2b03ce69-6667-4e80-a75c-83ddd1a33fc2