Tripwire
Find contracts. Test them. Review real vulns.
Confirmed Findings: 2,205 (crit 60, high 1157)
All Findings: 46,184 (across all runs)
Chain: 1 (Mainnet focus)
Signal Mix: 24239 high severity in results
Findings
Severity Tool Title Address Value USD Validated Confirmed Found Run
medium codex Inbound handlers lack replay protection for cross-chain messages 0x9371352ccef6f5b36efdfe90942ffe622ab77f1d $1,539,859.83 no 3 months ago 478c78f6-b81e-47bf-86e8-3a178cfe290f
low codex Plugs accept inbound messages without validating expected source chain/plug 0x9371352ccef6f5b36efdfe90942ffe622ab77f1d $1,539,859.83 no 3 months ago 478c78f6-b81e-47bf-86e8-3a178cfe290f
medium codex Permissionless initialize allows frontrun configuration takeover 0xef1bc66e0ea9717a3f2c969633a989d6bf41024b $0.00 no 3 months ago 845336e9-a114-4034-86fd-9e49f9a99810
medium codex Fee-on-transfer tokens break accounting in deposit/repay 0xef1bc66e0ea9717a3f2c969633a989d6bf41024b $0.00 no 3 months ago 845336e9-a114-4034-86fd-9e49f9a99810
low codex Hook receiver can execute arbitrary call/delegatecall via callOnBehalfOfSilo 0xef1bc66e0ea9717a3f2c969633a989d6bf41024b $0.00 no 3 months ago 845336e9-a114-4034-86fd-9e49f9a99810
medium codex Reward accrual can be wiped when updateRewards resets lastUpdateBlock 0xc8c3cc5be962b6d281e4a53dbcce1359f76a1b85 $1,642,812.54 no 3 months ago 682e09b2-8a52-43fd-9fd2-1a4d25cd281c
low codex Unchecked ERC20 return values on approve/mint can silently fail and desync accounting 0xc8c3cc5be962b6d281e4a53dbcce1359f76a1b85 $1,642,812.54 no 3 months ago 682e09b2-8a52-43fd-9fd2-1a4d25cd281c
medium codex Fee-on-transfer/rebasing tokens can undercollateralize synths 0x57dbcb192fa64bf07eab76941d1dae5177c8f4f3 $0.00 no 3 months ago 9ddbf2b4-3560-4207-aba0-175d63d7e610
medium codex Upgradeable Portal can be initialized by anyone if proxy/implementation is left uninitialized 0x57dbcb192fa64bf07eab76941d1dae5177c8f4f3 $0.00 no 3 months ago 9ddbf2b4-3560-4207-aba0-175d63d7e610
low codex Revert request functions are replayable, allowing repeated bridge calls 0x57dbcb192fa64bf07eab76941d1dae5177c8f4f3 $0.00 no 3 months ago 9ddbf2b4-3560-4207-aba0-175d63d7e610
high codex MintableToken allows unrestricted mint/burn, enabling collateral drain if used as the app-chain token 0x6d303cee7959f814042d31e0624fb88ec6fbcc1d $1,306,925.21 no 3 months ago f575c00d-7d47-4453-9d78-7ca636dc5e53
medium codex Deposit path assumes full transfer amount; fee-on-transfer tokens cause under-collateralized minting 0x6d303cee7959f814042d31e0624fb88ec6fbcc1d $1,306,925.21 no 3 months ago f575c00d-7d47-4453-9d78-7ca636dc5e53
high codex ERC777 liquidation payments credit liquidator balance, enabling free collateral extraction 0x8a134e651432a902041643668940c9a9cd270633 $0.00 no 3 months ago 6625d03d-07b7-460c-b8f4-4fc0c7f1ad3b
medium codex Chainlink price reads lack freshness/round validation 0x8a134e651432a902041643668940c9a9cd270633 $0.00 no 3 months ago 6625d03d-07b7-460c-b8f4-4fc0c7f1ad3b
medium codex Reentrancy guard can be reset mid-call via public initializePoolV2 0xfc59ab348e0c0e789e914b0864f08cab98db1553 $0.00 no 3 months ago a5d04c17-5a96-4bbb-8db1-668693dc67db
low codex Unprotected initializePoolV2 can be front‑run to block upgrade initialization 0xfc59ab348e0c0e789e914b0864f08cab98db1553 $0.00 no 3 months ago a5d04c17-5a96-4bbb-8db1-668693dc67db
low codex Owner can drain staked/reward tokens via saveMe 0xfc59ab348e0c0e789e914b0864f08cab98db1553 $0.00 no 3 months ago a5d04c17-5a96-4bbb-8db1-668693dc67db
medium codex Swapper redemption bypasses downstream vault user restrictions 0x570c15bc5faf98531a8b351d69e22e41e3505e47 $0.00 no 3 months ago e18349bc-6257-4bf3-a411-59058d33edf0
medium codex Redemption requests lock in unvalidated tokenOutRate, enabling oracle manipulation or stuck approvals 0x570c15bc5faf98531a8b351d69e22e41e3505e47 $0.00 no 3 months ago e18349bc-6257-4bf3-a411-59058d33edf0
high codex Public initializer can be front-run to seize ownership 0x631953e16e8a57fc159e1fb1d92443c981b00770 $0.00 no 3 months ago ebf4d2a3-9c75-49d6-8715-64af033d3f68
medium codex Center price uses external oracle without manipulation bounds 0xbbcb91440523216e2b87052a99f69c604a7b6e00 $4,644,778.88 no 3 months ago ec13adc9-d3c5-410d-a84d-202d987a4dca
medium codex User-triggerable delegatecall hook enables full-state execution if extension is compromised 0xbbcb91440523216e2b87052a99f69c604a7b6e00 $4,644,778.88 no 3 months ago ec13adc9-d3c5-410d-a84d-202d987a4dca
low codex Dex pool ID truncation to 64 bits allows hash collisions 0xbbcb91440523216e2b87052a99f69c604a7b6e00 $4,644,778.88 no 3 months ago ec13adc9-d3c5-410d-a84d-202d987a4dca
high codex Keeper can mint unbacked tokens and redeem underlying assets 0x6eaf19b2fc24552925db245f9ff613157a7dbb4c $1,881,444.93 no 3 months ago 8e0fa5ae-1f20-4051-b147-c113e2c80b1a
medium codex Cross-chain OFT minting bypasses local asset backing and epoch accounting 0x6eaf19b2fc24552925db245f9ff613157a7dbb4c $1,881,444.93 no 3 months ago 8e0fa5ae-1f20-4051-b147-c113e2c80b1a
medium codex Untrusted relayer controls slippage on bridge receive (min output not authenticated) 0xa7062bba94c91d565ae33b893ab5dfaf1fc57c4d $1,766,184.43 no 3 months ago e06193e8-5116-4939-aa91-edaf29b45ab5
medium codex Accounting assumes full token transfers, enabling fee-on-transfer/rebasing token drains 0xa7062bba94c91d565ae33b893ab5dfaf1fc57c4d $1,766,184.43 no 3 months ago e06193e8-5116-4939-aa91-edaf29b45ab5
high codex Trade collateralization checks use stale balances (currentBalances never updated) 0xe883b3efdae637fc599b467478a23199778f2ccf $0.00 no 3 months ago df27c299-2f4f-495f-8947-7cb81561ac74
high codex Whitelisted caller can selfdestruct the contract 0x00000000003b3cc22af3ae1eac0440bcee416b40 $458,039.59 no 3 months ago a831cc82-3332-44dc-a8fb-dcf51c8ffe78
medium codex External token CALL before state updates (reentrancy window) 0xe2ff0a931f92198233c36501780d08d55dd9432f $2,714,050.00 no 3 months ago dc39f4dd-c3c3-4e8f-b144-c30baee7c884
low codex ERC20 transfer return value decoded but not enforced 0xe2ff0a931f92198233c36501780d08d55dd9432f $2,714,050.00 no 3 months ago dc39f4dd-c3c3-4e8f-b144-c30baee7c884
high codex Privileged selfdestruct sends balance to caller 0x01fdc48ba0903bb1ae7c517c9287d88ea236f8e1 $2,772,067.04 no 3 months ago ee30879d-f4f6-499a-b2bf-d4745076b528
high codex Whitelisted delegatecall enables arbitrary code execution 0x01fdc48ba0903bb1ae7c517c9287d88ea236f8e1 $2,772,067.04 no 3 months ago ee30879d-f4f6-499a-b2bf-d4745076b528
medium codex Authorization uses tx.origin 0x01fdc48ba0903bb1ae7c517c9287d88ea236f8e1 $2,772,067.04 no 3 months ago ee30879d-f4f6-499a-b2bf-d4745076b528
medium codex Pending share accounting uses pendingUnderlying instead of consumedUnderlying, locking pending funds 0xdff78a949e47c1e90f3dd6dd7fe2fa72b42a75f7 $2,778,991.52 no 3 months ago 57893a6f-7c59-4454-928f-4e100bf02a14
low codex Permit signatures depend on mutable conversion rate, enabling front‑run invalidation 0xdff78a949e47c1e90f3dd6dd7fe2fa72b42a75f7 $2,778,991.52 no 3 months ago 57893a6f-7c59-4454-928f-4e100bf02a14
low codex Unchecked ERC20 transfers when returning funds from strategy can desync accounting 0xdff78a949e47c1e90f3dd6dd7fe2fa72b42a75f7 $2,778,991.52 no 3 months ago 57893a6f-7c59-4454-928f-4e100bf02a14
high codex Silo initializer is publicly callable, enabling first-caller takeover 0xef1bc66e0ea9717a3f2c969633a989d6bf41024b $0.00 no 3 months ago 5fac7a82-c226-4c04-b342-64f4f4f1792b
medium codex Fee-on-transfer tokens break share and debt accounting 0xef1bc66e0ea9717a3f2c969633a989d6bf41024b $0.00 no 3 months ago 5fac7a82-c226-4c04-b342-64f4f4f1792b
low codex Hook receiver can delegatecall arbitrary targets with Silo/share-token storage context 0xef1bc66e0ea9717a3f2c969633a989d6bf41024b $0.00 no 3 months ago 5fac7a82-c226-4c04-b342-64f4f4f1792b
medium codex Silo initialization is permissionless and can be front‑run if deployment is not atomic 0xef1bc66e0ea9717a3f2c969633a989d6bf41024b $0.00 no 3 months ago 5f01c712-2dc6-4483-af43-8907a057dfb0
low codex Hook receiver can delegatecall arbitrary targets via `callOnBehalfOfSilo` 0xef1bc66e0ea9717a3f2c969633a989d6bf41024b $0.00 no 3 months ago 5f01c712-2dc6-4483-af43-8907a057dfb0
low codex Deposits trust `amount` rather than actual tokens received (deflationary/non-contract ERC20s can create unbacked L2 mints) 0xde2d792ca3c4d02de3ce1cd1456d8d0990cc3fab $0.00 no 3 months ago 9035c88c-553e-47a0-b816-95a3d2854a02
medium codex Fee-on-transfer/rebasing assets break accounting and can underfund withdrawals 0xb3b823ec39f3edeb4354f76997031b3826b615c2 $3,122,030.45 no 3 months ago 940f44ab-3054-4f33-947f-308cb4221507
low codex Hook return-data size check can use stale `returndatasize`, causing DoS or stale values 0xb3b823ec39f3edeb4354f76997031b3826b615c2 $3,122,030.45 no 3 months ago 940f44ab-3054-4f33-947f-308cb4221507
medium codex Deposits assume full `_amount` is received, enabling undercollateralization with fee-on-transfer/rebasing tokens 0x7510792a3b1969f9307f3845ce88e39578f2bae1 $2,448,766.92 no 3 months ago 3bea9124-b23e-42ef-9ab4-d9e84094b20c
medium codex Initializer allows takeover if proxy/implementation is left uninitialized 0xa092c7577354ea82a6c7e55b423c3dd80f0df255 $0.00 no 3 months ago 0a08cd3a-51b3-4d5e-80d8-1f93d022131c
high codex Unprotected reinitializer allows ownership takeover after upgrade 0x2ccd5486ea1b2a52dcd387c01314f6a328f66cbb $0.00 no 3 months ago 800d1a06-36c1-4158-8fb9-5c70f2e6e4cd
low codex Public initializer can be abused if proxy is left uninitialized 0x2ccd5486ea1b2a52dcd387c01314f6a328f66cbb $0.00 no 3 months ago 800d1a06-36c1-4158-8fb9-5c70f2e6e4cd
medium codex Fee-on-transfer tokens can mint more than the vault receives 0xb37d31b2a74029b5951a2778f959282e2d518595 $5,998,301.43 no 3 months ago 3b6969ea-3ebe-4726-b396-07fdd82c1a30