TW
Tripwire
Find contracts. Test them. Review real vulns.
Confirmed Findings
2,205
crit 60 high 1157
All Findings
46,184
Across all runs
Chain
1
Mainnet focus
Signal Mix
24239
high severity in results
Findings
filter + triage
Reset
Quick filters: candidate lane confirmed only critical high detector codex
Severity Tool Title Address Value USD Validated Confirmed Found Run
high codex Unprotected initializer allows attacker to set recipient and sweep ERC20 balances 0x0a7d5c98d8b83bf36700c1c2fa03b3f10d1df2e8 $0.00 no 3 months ago f3e7c777-190e-4408-a4ce-7e7b7bb1ab2c
high codex Unprotected lazyInit lets attacker become host and drain treasury if uninitialized 0x85db6688de2c47c8acd5c4dff804e6d5740790e3 $115,675.14 no 3 months ago a9587494-c8ca-4fe1-bb88-33128e0a544a
critical codex Unprotected genesis/commit address initialization enables delegatecall takeover and fund drain 0xf2c351f22b148a9ff583a0f81701471a74e7338e $0.00 no 3 months ago 64fdfe11-456e-45f6-8615-c93b752c18eb
high codex Sold keys still count toward lucky pot distribution, enabling pot drain after selling 0xb453b2c67d70f1e19ce770296c7d2f35cb7cdfd8 $118,075.89 no 3 months ago 7fb51998-f809-4e92-b921-e783e72a0f6f
high codex Predictable airdrop RNG enables deterministic wins and draining airDropPot_ via constructor calls 0xf5fe6b716c0cd0e88059d8b3d8385c086012eb0e $118,219.32 no 3 months ago dc383973-a9df-4d52-9ed4-f43a225cee09
critical codex Unrestricted batch transfer allows draining ETH/ERC20 balances 0x30e3da29d03702ef45d2765feaa6e98b89195241 $0.00 no 3 months ago 73577ec6-1e74-4f61-9fee-a5ebf7f88ac0
critical codex Unprotected initializer allows ownership takeover if the contract is uninitialized 0xcd0eb8b89c43c3654b4f8d83eb38149327c1107c $0.00 no 3 months ago f517204f-a968-4a9f-8960-e187c975c3b2
critical codex Unprotected initialize allows ownership takeover and forged message withdrawals 0x341786048479f9f6ab7555e08ca2cdc4005ddec9 $0.00 no 3 months ago c39ceeb7-70db-44e9-8e1f-07ef0170dbac
high codex Per-Bloot mint cap bypass via balance-based check enables full supply capture 0x45c3844dea2e9fe9226524411de6d907188a1a9f $128,650.00 no 3 months ago 832463d7-9e93-4b74-bdd3-6d4bfa44b44d
high codex Unprotected initialize enables ownership takeover on uninitialized deployments 0xe5feb62fb34adba661b7c8256887a8b9a21c2278 $0.00 no 3 months ago 0b21ba73-c1f6-4b4c-8e29-104ce6180cba
critical codex Signature threshold can round down to zero, allowing proofs with no signatures on small validator sets 0x76bac85e1e82cd677faa2b3f00c4a2626c4c6e32 $131,004.64 no 3 months ago 61b6e8d3-1c26-43a5-ac80-2116ec147eeb
high codex Public buyback swaps all Whirlpool ETH with amountOutMin=0, enabling price manipulation to drain ETH 0x6db1c1b318275df254bb47c63e7f316380baf4be $131,959.27 no 3 months ago e6e1ae89-f441-48e7-a685-909fe0510b83
critical codex Unprotected external initializer enables ownership takeover and ETH drain if uninitialized 0x28083d8bce883aa7b70130c915cd4308448a6f1e $0.00 no 3 months ago 2763da7f-91ba-434d-8942-6b9a4e4ee8c5
critical codex Reentrant reward payout lets attackers claim the same rewards multiple times 0x60510caf94f3001651e3e83f5e0ebdd303758aae $139,150.78 no 3 months ago aaad28a3-b6c9-4817-a4d8-9f7fbf189252
critical codex Unprotected `setGenesisRootAndAddresses` lets attacker install malicious `zkSeaAddress` facet and drain funds via delegatecall 0x467a2b91f231d930f5eeb6b982c7666e81da8626 $0.00 no 3 months ago 95d6fcb3-dc31-4ad0-aad7-6796cf5b54e9
critical codex Reentrant splitDAO via withdrawRewardFor drains the main DAO balance 0xbb9bc244d798123fde783fcc1c72d3bb8c189413 $142,099.48 no 3 months ago 839a0dce-7e4a-416f-a10e-f6ca70c4e5cb
high codex Reentrant getMyReward drains rewardAccount 0xbb9bc244d798123fde783fcc1c72d3bb8c189413 $142,099.48 no 3 months ago 839a0dce-7e4a-416f-a10e-f6ca70c4e5cb
high codex Reentrant refund drains all funds if token creation fails 0xbb9bc244d798123fde783fcc1c72d3bb8c189413 $142,099.48 no 3 months ago 839a0dce-7e4a-416f-a10e-f6ca70c4e5cb
critical codex Uninitialized Bridge allows empty-signature withdrawals and/or initializer takeover 0x3f2e4e5a70f2a424d7c4e4e0323c878c77c20537 $0.00 no 3 months ago eca47d9b-d28d-4264-9f5c-73a33983661b
critical codex Unprotected initialize allows first caller to become sole signer and drain funds 0x43ffaa65fe273d2ef9edd78418091d41b1aa40e8 $0.00 no 3 months ago ce2e5a9a-c215-43ce-a3dd-14690402b335
critical codex Unprotected init() lets attacker become admin/executor and drain bridge funds 0x1bda1227875f0f8bb27625dd720f386b40003e14 $0.00 no 3 months ago 66199f28-d28d-4899-b8fd-5a726218d9b3
critical codex Unrestricted TokenGrant.receiveApproval lets anyone drain approved holders by creating grants to themselves 0xdf708431162ba247ddae362d2c919e0fbafcf9de $184,295.42 no 3 months ago 255dad02-bda3-4c93-9044-1ca2dfacc23f
critical codex Staking token can be selected as reward token, letting attacker withdraw all staked principal as rewards 0xa383c8390adbcd387db93babdf3f30308391bd57 $184,984.11 no 3 months ago e413baba-c804-4c21-b0e4-6aac90a2379e
high codex Publicly callable constructor-like function enables arbitrary minting 0xb6307611c06c57257ee2ad83beed39cc6650163e $212,009.00 no 3 months ago cb735c6e-3195-4e92-b44b-e34ec97fa506
critical codex Unprotected initialize enables attacker-controlled messenger and bridge takeover 0xa037b01bf218e87144446e9e87dd9dc58033fb57 $0.00 no 3 months ago 3fa32ee3-f6ed-4978-87cd-d4efcb7979e3
high codex Unprotected governance token initialization lets attacker become minter and drain DAO ETH 0x4f40e2f1edf9999124b2fcf26b04821e6ca7196d $0.00 no 3 months ago ff7f23a9-503b-490f-a989-b437a8f79cd7
critical codex Refund logic never consumes PANDA or enforces refundMap, enabling unlimited ETH redemptions 0x229cc0a81a1d6b4a2fc1452b3bd166462216e3f3 $216,476.99 no 3 months ago 50bc5866-a202-48b6-a7cd-e3e4d18a6a4c
medium codex Refunds do not reclaim tokens, enabling free tokens if soft cap is missed 0x12d5b7c26dd8dc6e2f71f5bf240d5e76452b2fe5 $253,846.35 no 3 months ago e6fd2d24-6eba-44aa-9a40-eae8d9f01e64
high codex Unprotected setup allows takeover of uninitialized Safe instances 0xb6029ea3b2c51d09a50b53ca8012feeb05bda35a $0.00 no 3 months ago 506a7469-4239-458c-8123-daf2bff25e39
critical codex Unprotected `initialize` lets first caller seize ownership and drain all cash 0x6c26c3abd3b8ac89adeb34db9d3a9fbb54a0060a $0.00 no 3 months ago 65a5bd7b-3587-490b-9faf-6447a94a5332
high codex AutoBoost reserve burn enables ETH‑neutral buy/sell loops that ratchet price upward 0xc618d56b6d606e59c6b87af724ab5a91eb40d1cb $281,927.44 no 3 months ago b84cc237-c90a-4d2a-a39b-3b8b6f7bf892
high codex Share inflation via donation + rounding-to-zero lets attacker steal later deposits 0xa6b658ce4b1cdb4e7d8f97dffb549b8688cafb84 $282,664.20 no 3 months ago 4a24a7a8-fa98-4282-90e6-77d327527635
critical codex Dividend distribution multiplies payouts when listed token sum is zero 0x25a06d4e1f804ce62cf11b091180a5c84980d93a $304,668.51 no 3 months ago 9e8b9e72-45c4-4568-9bc5-55a35670600e
high codex Unprotected initializer lets attacker seize ownership and drain an uninitialized WorkLockPoolingContract 0xb9a42d02300f71ca23a100864fef2d5f82f7f833 $0.00 no 3 months ago b00078b8-5707-459e-bc53-8181625ba80b
high codex Late-buy launch-fund sniping allows capture of accumulated prelaunch dividends 0xe01e2a3ceafa8233021fc759e5a69863558326b6 $327,031.26 no 3 months ago 2265ad84-b13f-4a4d-8194-e5ed07374046
high codex Settler can mint WOLK to self in settleSeller without balance debit, then drain ETH via sellWolk 0x728781e75735dc0962df3a51d7ef47e798a7107e $332,552.87 no 3 months ago 5483ecc5-bdc1-4a5d-b18c-7e50f97f968e
critical codex Canceled-mode payback does not persist account updates, enabling unlimited repeated withdrawals 0xa33c4a314faa9684eeffa6ba334688001ea99bbc $337,218.84 no 3 months ago 9372adcb-18e9-434e-8e91-6dd4039515e2
high codex Phantom ERC20 deposits enable trading fake balances for real assets 0x373c55c277b866a69dc047cad488154ab9759466 $382,415.50 no 3 months ago 58a5a56b-8358-4516-9f42-50181b41b98b
high codex Uncapped vesting math lets a payee drain all funds after vesting completes 0x02874867a6d48713d9cf275b7324b790e9c1f7ee $381,502.31 no 3 months ago c9e2ed6f-0694-4735-963b-c9651c1e9ab6
critical codex USDT transferFrom/transfer return values ignored, enabling fake deposits and pooled USDT withdrawal 0x6f35a5e6a7301627a090822895e5e7209ed72f77 $400,489.31 no 3 months ago ce59d179-7b6b-44f3-a1f7-22805cde84e2
critical codex Unprotected initialize enables proxy hijack and full ETH drain 0x91630f5e28f1f30067b92a8d9d7b8e836afddf9b $0.00 no 3 months ago 24348e6d-d2c2-4182-b020-1b80c138a33b
critical codex Unprotected initialize enables proxy hijack and ETH/ERC20 drain 0xeee6207d514c2845394b5f4b9f12b6d155f4524b $0.00 no 3 months ago 07e0721c-c079-4dc1-be4b-4e123bb0d340
critical codex Unprotected initializer enables ownership takeover and collateral drain via rebalance 0x522a1bc31fa8d9421c29506d4e600aecefaa1b7d $0.00 no 3 months ago 32c00cf5-d812-497b-98d4-d7d523f95e8a
medium codex ETH purchases spend OptionsExchange’s own balance (no msg.value check) 0xde34d5e3f942b4543c309a0fb0461497e72c793c $589,155.82 no 3 months ago 1d90d876-5b62-4dc6-83d3-3dc515b7cc9f
critical codex Unprotected initialize allows proxy takeover and unlimited minting 0x9e021c9607bd3adb7424d3b25a2d35763ff180bb $0.00 no 3 months ago e0b6a8c2-69a3-42d6-9367-2fd03f2174f9
medium codex initializeV2_1 lets anyone sweep the contract’s own token balance 0x9e021c9607bd3adb7424d3b25a2d35763ff180bb $0.00 no 3 months ago e0b6a8c2-69a3-42d6-9367-2fd03f2174f9
high codex Arbitrary caller can drain any existing allowance by crafting grants 0x27321f84704a599ab740281e285cc4463d89a3d5 $726,697.96 no 3 months ago 99652185-f97f-481e-ba06-fdb49250a93c
critical codex TokenGrant.receiveApproval allows arbitrary grant creation using victims’ allowances, enabling immediate token theft 0xa7d9e842efb252389d613da88eda3731512e40bd $801,526.50 no 3 months ago 27854931-6298-47ab-a143-fe61a05b0147
high codex Unprotected Chainlink feed initialization enables malicious oracle and governance takeover to drain ETH 0x6f6e72033ca61c3e5f8b3dbdf85a53ad0a736ed5 $0.00 no 3 months ago d7018378-90c4-46b6-a672-58cf2cad3803
critical codex Public verifyState delegates to attacker-controlled target during upgrades, enabling arbitrary code execution and token drain 0xe9778e69a961e64d3cdbb34cf6778281d34667c2 $902,684.34 no 3 months ago 9669f033-142c-498f-a5e9-51ea916b6a54