Tripwire
Find contracts. Test them. Review real vulns.
Confirmed Findings: 2,205 (crit 60, high 1157)
All Findings: 46,184 (across all runs)
Chain: 1 (mainnet focus)
Signal Mix: 24239 high severity in results
Findings
Severity Tool Title Address Value USD Validated Confirmed Found Run
high codex Deposits credit the requested amount instead of the amount actually received 0xa8372d6ff00d48a25baa1af16d6a86c936708f4e $0.00 no 2 weeks ago 019d5667-1339-71d8-a320-f4112d024afe
high slither StorageAccessible.simulateDelegatecallInternal(address,bytes) (lib/contracts/src/contracts/mixins/StorageAccessible.sol#87-95) uses delegatecall to a input-controlled function id 0x00000000d681e85e5783588f87a9573cb97eda01 $0.00 no 2 weeks ago 019d5666-f542-7208-84bc-d2e3db83e367
high slither TransferLibrary.receiveAssets(address,address,uint256) (src/libraries/TransferLibrary.sol#40-48) uses arbitrary from in transferFrom: IERC20(asset).safeTransferFrom(from,address... 0x00000000d681e85e5783588f87a9573cb97eda01 $0.00 no 2 weeks ago 019d5666-f542-7208-84bc-d2e3db83e367
high slither GPv2Transfer.fastTransferFromAccount(IVault,GPv2Transfer.Data,address) (lib/contracts/src/contracts/libraries/GPv2Transfer.sol#46-77) uses arbitrary from in transferFrom: transf... 0x00000000d681e85e5783588f87a9573cb97eda01 $0.00 no 2 weeks ago 019d5666-f542-7208-84bc-d2e3db83e367
high slither GPv2Transfer.transferFromAccounts(IVault,GPv2Transfer.Data[],address) (lib/contracts/src/contracts/libraries/GPv2Transfer.sol#91-136) uses arbitrary from in transferFrom: transf... 0x00000000d681e85e5783588f87a9573cb97eda01 $0.00 no 2 weeks ago 019d5666-f542-7208-84bc-d2e3db83e367
high codex Unchecked CowSwap feeAmount lets a limit order drain extra sellToken beyond params.amountIn 0x00000000d681e85e5783588f87a9573cb97eda01 $0.00 no 2 weeks ago 019d5666-f542-7208-84bc-d2e3db83e367
high slither Wallets.refundGasBySchain(bytes32,address,uint256,bool) (contracts/test/TestWallets.sol#53-68) sends eth to arbitrary user 0x29353f77c6b0d3772d73e708cc8e1fca08c80c11 $0.00 no 2 weeks ago 019d5666-e916-7246-acfd-c2f7d6ef4d74
high codex ERC20 bridge accounting trusts the requested amount instead of the amount actually received 0x29353f77c6b0d3772d73e708cc8e1fca08c80c11 $0.00 no 2 weeks ago 019d5666-e916-7246-acfd-c2f7d6ef4d74
high codex Fee-on-transfer collateral tokens let users over-withdraw from pooled escrow 0x6ac64c4760e0590f88233b2046810e87e0354324 $0.00 no 2 weeks ago 019d5666-ddb2-7138-a85b-4026ca2b3eec
high codex Owner can de-whitelist an active collateral token and withdraw funds backing live positions 0x6ac64c4760e0590f88233b2046810e87e0354324 $0.00 no 2 weeks ago 019d5666-ddb2-7138-a85b-4026ca2b3eec
high codex Keeper-controlled pricePerShare can be stair-stepped away from real NAV and used to overmint/overwithdraw 0x04393e5c6701237d7ee836d644f8dbdd122afebc $0.00 no 2 weeks ago 019d5666-b2b6-72b3-991d-f09cf3f2b2ec
high codex `claimAndStakeRewardsBySig` signatures are replayable across different gardens 0x04393e5c6701237d7ee836d644f8dbdd122afebc $0.00 no 2 weeks ago 019d5666-b2b6-72b3-991d-f09cf3f2b2ec
high codex Signed actions can be replayed across different GuruFund instances 0xec8902afffb06d0b075ea2d6fb3a45ec8598c39b $0.00 no 2 weeks ago 019d5666-7793-71fe-8365-fe0e83fcb95f
high detector Untrusted CALL target/value reachable 0xa8372d6ff00d48a25baa1af16d6a86c936708f4e $0.00 no no 2 weeks ago 019d5667-1339-71d8-a320-f4112d024afe
high detector ETH value transfer possible 0xa8372d6ff00d48a25baa1af16d6a86c936708f4e $0.00 no no 2 weeks ago 019d5667-1339-71d8-a320-f4112d024afe
high detector ETH value transfer possible 0x4f8b564e25337f6a3e66f12553221f6c05a13085 $0.00 no no 2 weeks ago 019d5667-0d9d-728c-b832-799ea2787070
high detector Untrusted CALL target/value reachable 0x4f8b564e25337f6a3e66f12553221f6c05a13085 $0.00 no no 2 weeks ago 019d5667-0d9d-728c-b832-799ea2787070
high codex Version-dependent storage slots can brick the proxy and strand assets on upgrade 0xc95b806ac073df930014ac476d26c8ad918f14e0 $41,195.58 no 2 weeks ago 019d5666-721c-732b-98f2-8fef0dd24f32
high detector ETH value transfer possible 0x00000000d681e85e5783588f87a9573cb97eda01 $0.00 no no 2 weeks ago 019d5666-f542-7208-84bc-d2e3db83e367
high detector Untrusted CALL target/value reachable 0x00000000d681e85e5783588f87a9573cb97eda01 $0.00 no no 2 weeks ago 019d5666-f542-7208-84bc-d2e3db83e367
high codex Mint permission can self-issue admin keys and seize full control 0xccb57afedecc8d975ca4ae06f850a175142499de $41,269.00 no 2 weeks ago 019d5666-7216-7238-b7b1-e53620c8a60e
high codex Public initializer allows takeover of any uninitialized clone/proxy 0xccb57afedecc8d975ca4ae06f850a175142499de $41,269.00 no 2 weeks ago 019d5666-7216-7238-b7b1-e53620c8a60e
high codex Fee-on-transfer ERC20s can overmint bridge balances and drain pooled collateral 0x588801ca36558310d91234afc2511502282b1621 $41,272.95 no 2 weeks ago 019d5666-7210-72a7-9067-e58ac94c06d2
high detector ETH value transfer possible 0x29353f77c6b0d3772d73e708cc8e1fca08c80c11 $0.00 no no 2 weeks ago 019d5666-e916-7246-acfd-c2f7d6ef4d74
high detector Untrusted CALL target/value reachable 0x29353f77c6b0d3772d73e708cc8e1fca08c80c11 $0.00 no no 2 weeks ago 019d5666-e916-7246-acfd-c2f7d6ef4d74
high codex `fillOffer` can be reentered before `filledAmount` is updated, allowing overfilled orders 0x849f4081899305a1fd24aac84db5174eb60dc28e $41,313.94 no 2 weeks ago 019d5666-7204-7199-9428-87c933f7acea
high codex Nominal ERC20 accounting makes fee-on-transfer collateral tokens insolvent 0x849f4081899305a1fd24aac84db5174eb60dc28e $41,313.94 no 2 weeks ago 019d5666-7204-7199-9428-87c933f7acea
high detector Untrusted CALL target/value reachable 0x6ac64c4760e0590f88233b2046810e87e0354324 $0.00 no no 2 weeks ago 019d5666-ddb2-7138-a85b-4026ca2b3eec
high detector ETH value transfer possible 0x6ac64c4760e0590f88233b2046810e87e0354324 $0.00 no no 2 weeks ago 019d5666-ddb2-7138-a85b-4026ca2b3eec
high codex Anyone can call post-dispatch hooks directly for the current latest message 0x15b5d6b614242b118aa404528a7f3e2ad241e4a4 $41,345.31 no 2 weeks ago 019d5666-71ff-7060-88f6-c0d2b403a889
high codex Permissionless initializers let the first caller seize control and mint supply 0x15b5d6b614242b118aa404528a7f3e2ad241e4a4 $41,345.31 no 2 weeks ago 019d5666-71ff-7060-88f6-c0d2b403a889
high detector Untrusted DELEGATECALL target reachable 0x04393e5c6701237d7ee836d644f8dbdd122afebc $0.00 no no 2 weeks ago 019d5666-b2b6-72b3-991d-f09cf3f2b2ec
high detector Authorization based on tx.origin 0x04393e5c6701237d7ee836d644f8dbdd122afebc $0.00 no 2 weeks ago 019d5666-b2b6-72b3-991d-f09cf3f2b2ec
high slither Sale._executeTokenSell(address,uint256,uint256,IERC20Metadata) (contracts/Sale.sol#376-395) sends eth to arbitrary user 0x80c1c65463427ea785fb7b03ba84b91f49f272eb $41,641.82 no 2 weeks ago 019d5666-71d1-72c0-baeb-d50b2b87dd1a
high slither Sale.withdrawTokens(IERC20Metadata,address,uint256) (contracts/Sale.sol#258-273) sends eth to arbitrary user 0x80c1c65463427ea785fb7b03ba84b91f49f272eb $41,641.82 no 2 weeks ago 019d5666-71d1-72c0-baeb-d50b2b87dd1a
high slither Reentrancy in Sale._executeTokenBuy(address,address,uint256,uint256,IERC20Metadata,uint256,uint256,uint256,bytes) (contracts/Sale.sol#338-376): 0x80c1c65463427ea785fb7b03ba84b91f49f272eb $41,641.82 no 2 weeks ago 019d5666-71d1-72c0-baeb-d50b2b87dd1a
high codex Referrer field is never validated, enabling self-referral and cyclic referral farming 0x80c1c65463427ea785fb7b03ba84b91f49f272eb $41,641.82 no 2 weeks ago 019d5666-71d1-72c0-baeb-d50b2b87dd1a
high codex Owner can sweep arbitrary ETH/ERC20 balances to itself 0x0376a35639dac611c49327426db9b342cdb553b8 $41,773.31 no 2 weeks ago 019d5666-71b0-70e9-ab1a-1f24cbe5b1c0
high codex Strategy execution uses owner-controlled DELEGATECALL with full vault-storage authority 0x0376a35639dac611c49327426db9b342cdb553b8 $41,773.31 no 2 weeks ago 019d5666-71b0-70e9-ab1a-1f24cbe5b1c0
high slither Crowdsale.withdrawTokens(IERC20,address) (contracts/Contract.sol#854-862) ignores return value by token_.transfer(beneficiary_,balance) (contracts/Contract.sol#859-862) 0xda9f13722fef7a6357944622f583285da14c90a5 $41,788.00 no 2 weeks ago 019d5666-71a5-72ca-9f63-c22da967b9db
high slither Reentrancy in Crowdsale.buyTokens(address) (contracts/Contract.sol#698-728): 0xda9f13722fef7a6357944622f583285da14c90a5 $41,788.00 no 2 weeks ago 019d5666-71a5-72ca-9f63-c22da967b9db
high codex ETH distribution accounting is never persisted, so crossing the payout threshold can brick subsequent purchases 0xda9f13722fef7a6357944622f583285da14c90a5 $41,788.00 no 2 weeks ago 019d5666-71a5-72ca-9f63-c22da967b9db
high codex Signed payloads are not bound to a specific fund instance 0xba4f097d22f283e619873f8e034755fc2e5a7c90 $41,846.47 no 2 weeks ago 019d5666-7189-71df-84df-536a07997697
high detector Untrusted DELEGATECALL target reachable 0xec8902afffb06d0b075ea2d6fb3a45ec8598c39b $0.00 no no 2 weeks ago 019d5666-7793-71fe-8365-fe0e83fcb95f
high detector Authorization based on tx.origin 0xec8902afffb06d0b075ea2d6fb3a45ec8598c39b $0.00 no 2 weeks ago 019d5666-7793-71fe-8365-fe0e83fcb95f
high detector Untrusted CALL target/value reachable 0x503052972547189fcf3e30d96b3457b0a70856a9 $41,162.00 no no 2 weeks ago 019d5666-722e-7090-ac76-01dc76d2ad3b
high detector ETH value transfer possible 0x503052972547189fcf3e30d96b3457b0a70856a9 $41,162.00 no no 2 weeks ago 019d5666-722e-7090-ac76-01dc76d2ad3b
high detector Untrusted CALL target/value reachable 0xdd06d8ad275d1d2e09e4c7162c231acb7df9b44d $41,170.41 no no 2 weeks ago 019d5666-7228-7302-a900-09a40daa9b14
high detector ETH value transfer possible 0xdd06d8ad275d1d2e09e4c7162c231acb7df9b44d $41,170.41 no no 2 weeks ago 019d5666-7228-7302-a900-09a40daa9b14
high cast SELFDESTRUCT present 0x96541c4926a32ea3a97fd8d335aff1f81e50ffe9 $41,190.88 no 2 weeks ago 019d5666-7222-713e-be7e-db522974661d