Tripwire
Find contracts. Test them. Review real vulns.
Confirmed Findings: 2,205 (60 critical, 1,157 high)
All Findings: 46,184 across all runs
Chain: 1 (Ethereum mainnet focus)
Signal Mix: 24,239 high-severity results
Findings (filter + triage)
Severity | Tool | Title | Address | Value (USD) | Validated / Confirmed | Found | Run
medium | codex | Redemption requests lock in unvalidated tokenOutRate, enabling oracle manipulation or stuck approvals | 0x570c15bc5faf98531a8b351d69e22e41e3505e47 | $0.00 | no | 3 months ago | e18349bc-6257-4bf3-a411-59058d33edf0
medium | codex | Swapper redemption bypasses downstream vault user restrictions | 0x570c15bc5faf98531a8b351d69e22e41e3505e47 | $0.00 | no | 3 months ago | e18349bc-6257-4bf3-a411-59058d33edf0
high | codex | Public initializer can be front-run to seize ownership | 0x631953e16e8a57fc159e1fb1d92443c981b00770 | $0.00 | no | 3 months ago | ebf4d2a3-9c75-49d6-8715-64af033d3f68
medium | codex | User-triggerable delegatecall hook enables full-state execution if extension is compromised | 0xbbcb91440523216e2b87052a99f69c604a7b6e00 | $4,644,778.88 | no | 3 months ago | ec13adc9-d3c5-410d-a84d-202d987a4dca
medium | codex | Center price uses external oracle without manipulation bounds | 0xbbcb91440523216e2b87052a99f69c604a7b6e00 | $4,644,778.88 | no | 3 months ago | ec13adc9-d3c5-410d-a84d-202d987a4dca
low | codex | Dex pool ID truncation to 64 bits allows hash collisions | 0xbbcb91440523216e2b87052a99f69c604a7b6e00 | $4,644,778.88 | no | 3 months ago | ec13adc9-d3c5-410d-a84d-202d987a4dca
high | codex | Keeper can mint unbacked tokens and redeem underlying assets | 0x6eaf19b2fc24552925db245f9ff613157a7dbb4c | $1,881,444.93 | no | 3 months ago | 8e0fa5ae-1f20-4051-b147-c113e2c80b1a
medium | codex | Cross-chain OFT minting bypasses local asset backing and epoch accounting | 0x6eaf19b2fc24552925db245f9ff613157a7dbb4c | $1,881,444.93 | no | 3 months ago | 8e0fa5ae-1f20-4051-b147-c113e2c80b1a
medium | codex | Accounting assumes full token transfers, enabling fee-on-transfer/rebasing token drains | 0xa7062bba94c91d565ae33b893ab5dfaf1fc57c4d | $1,766,184.43 | no | 3 months ago | e06193e8-5116-4939-aa91-edaf29b45ab5
medium | codex | Untrusted relayer controls slippage on bridge receive (min output not authenticated) | 0xa7062bba94c91d565ae33b893ab5dfaf1fc57c4d | $1,766,184.43 | no | 3 months ago | e06193e8-5116-4939-aa91-edaf29b45ab5
high | codex | Trade collateralization checks use stale balances (currentBalances never updated) | 0xe883b3efdae637fc599b467478a23199778f2ccf | $0.00 | no | 3 months ago | df27c299-2f4f-495f-8947-7cb81561ac74
high | codex | Whitelisted caller can selfdestruct the contract | 0x00000000003b3cc22af3ae1eac0440bcee416b40 | $458,039.59 | no | 3 months ago | a831cc82-3332-44dc-a8fb-dcf51c8ffe78
medium | codex | External token CALL before state updates (reentrancy window) | 0xe2ff0a931f92198233c36501780d08d55dd9432f | $2,714,050.00 | no | 3 months ago | dc39f4dd-c3c3-4e8f-b144-c30baee7c884
low | codex | ERC20 transfer return value decoded but not enforced | 0xe2ff0a931f92198233c36501780d08d55dd9432f | $2,714,050.00 | no | 3 months ago | dc39f4dd-c3c3-4e8f-b144-c30baee7c884
high | codex | Privileged selfdestruct sends balance to caller | 0x01fdc48ba0903bb1ae7c517c9287d88ea236f8e1 | $2,772,067.04 | no | 3 months ago | ee30879d-f4f6-499a-b2bf-d4745076b528
high | codex | Whitelisted delegatecall enables arbitrary code execution | 0x01fdc48ba0903bb1ae7c517c9287d88ea236f8e1 | $2,772,067.04 | no | 3 months ago | ee30879d-f4f6-499a-b2bf-d4745076b528
medium | codex | Authorization uses tx.origin | 0x01fdc48ba0903bb1ae7c517c9287d88ea236f8e1 | $2,772,067.04 | no | 3 months ago | ee30879d-f4f6-499a-b2bf-d4745076b528
medium | codex | Pending share accounting uses pendingUnderlying instead of consumedUnderlying, locking pending funds | 0xdff78a949e47c1e90f3dd6dd7fe2fa72b42a75f7 | $2,778,991.52 | no | 3 months ago | 57893a6f-7c59-4454-928f-4e100bf02a14
low | codex | Permit signatures depend on mutable conversion rate, enabling front-run invalidation | 0xdff78a949e47c1e90f3dd6dd7fe2fa72b42a75f7 | $2,778,991.52 | no | 3 months ago | 57893a6f-7c59-4454-928f-4e100bf02a14
low | codex | Unchecked ERC20 transfers when returning funds from strategy can desync accounting | 0xdff78a949e47c1e90f3dd6dd7fe2fa72b42a75f7 | $2,778,991.52 | no | 3 months ago | 57893a6f-7c59-4454-928f-4e100bf02a14
high | codex | Silo initializer is publicly callable, enabling first-caller takeover | 0xef1bc66e0ea9717a3f2c969633a989d6bf41024b | $0.00 | no | 3 months ago | 5fac7a82-c226-4c04-b342-64f4f4f1792b
medium | codex | Fee-on-transfer tokens break share and debt accounting | 0xef1bc66e0ea9717a3f2c969633a989d6bf41024b | $0.00 | no | 3 months ago | 5fac7a82-c226-4c04-b342-64f4f4f1792b
low | codex | Hook receiver can delegatecall arbitrary targets with Silo/share-token storage context | 0xef1bc66e0ea9717a3f2c969633a989d6bf41024b | $0.00 | no | 3 months ago | 5fac7a82-c226-4c04-b342-64f4f4f1792b
medium | codex | Silo initialization is permissionless and can be front-run if deployment is not atomic | 0xef1bc66e0ea9717a3f2c969633a989d6bf41024b | $0.00 | no | 3 months ago | 5f01c712-2dc6-4483-af43-8907a057dfb0
low | codex | Hook receiver can delegatecall arbitrary targets via `callOnBehalfOfSilo` | 0xef1bc66e0ea9717a3f2c969633a989d6bf41024b | $0.00 | no | 3 months ago | 5f01c712-2dc6-4483-af43-8907a057dfb0
low | codex | Deposits trust `amount` rather than actual tokens received (deflationary/non-contract ERC20s can create unbacked L2 mints) | 0xde2d792ca3c4d02de3ce1cd1456d8d0990cc3fab | $0.00 | no | 3 months ago | 9035c88c-553e-47a0-b816-95a3d2854a02
medium | codex | Fee-on-transfer/rebasing assets break accounting and can underfund withdrawals | 0xb3b823ec39f3edeb4354f76997031b3826b615c2 | $3,122,030.45 | no | 3 months ago | 940f44ab-3054-4f33-947f-308cb4221507
low | codex | Hook return-data size check can use stale `returndatasize`, causing DoS or stale values | 0xb3b823ec39f3edeb4354f76997031b3826b615c2 | $3,122,030.45 | no | 3 months ago | 940f44ab-3054-4f33-947f-308cb4221507
medium | codex | Deposits assume full `_amount` is received, enabling undercollateralization with fee-on-transfer/rebasing tokens | 0x7510792a3b1969f9307f3845ce88e39578f2bae1 | $2,448,766.92 | no | 3 months ago | 3bea9124-b23e-42ef-9ab4-d9e84094b20c
medium | codex | Initializer allows takeover if proxy/implementation is left uninitialized | 0xa092c7577354ea82a6c7e55b423c3dd80f0df255 | $0.00 | no | 3 months ago | 0a08cd3a-51b3-4d5e-80d8-1f93d022131c
high | codex | Unprotected reinitializer allows ownership takeover after upgrade | 0x2ccd5486ea1b2a52dcd387c01314f6a328f66cbb | $0.00 | no | 3 months ago | 800d1a06-36c1-4158-8fb9-5c70f2e6e4cd
low | codex | Public initializer can be abused if proxy is left uninitialized | 0x2ccd5486ea1b2a52dcd387c01314f6a328f66cbb | $0.00 | no | 3 months ago | 800d1a06-36c1-4158-8fb9-5c70f2e6e4cd
medium | codex | Fee-on-transfer tokens can mint more than the vault receives | 0xb37d31b2a74029b5951a2778f959282e2d518595 | $5,998,301.43 | no | 3 months ago | 3b6969ea-3ebe-4726-b396-07fdd82c1a30
medium | codex | Unprotected initializer can be front-run on new clones | 0xc629a01ec23ab04e1050500a3717a2a5c0701497 | $0.00 | no | 3 months ago | 701e8689-a4fb-49ed-97a9-87257dc93dff
low | codex | Accounting assumes tokens are not fee-on-transfer or deflationary | 0xc629a01ec23ab04e1050500a3717a2a5c0701497 | $0.00 | no | 3 months ago | 701e8689-a4fb-49ed-97a9-87257dc93dff
low | codex | Unchecked ERC20/LP token call results can desynchronize pool accounting | 0xd51a44d3fae010294c616388b506acda1bfaae46 | $8,996,583.59 | no | 3 months ago | 3933824a-3fda-43bc-bad9-bba7be857a17
medium | codex | TWAP from internal Uniswap pool can be manipulated to over-mint ULTI | 0xf576e1f09e2eb4992d5ffdf68bec4ea489fa417d | $4,656,368.94 | no | 3 months ago | 5ca1ae8a-9ddf-4b4a-88ef-09e4f55fd259
low | codex | Launch can be blocked by pre-creating the Uniswap pool | 0xf576e1f09e2eb4992d5ffdf68bec4ea489fa417d | $4,656,368.94 | no | 3 months ago | 5ca1ae8a-9ddf-4b4a-88ef-09e4f55fd259
low | codex | Stale minimum contributor tracking can evict non-min contributors | 0xf576e1f09e2eb4992d5ffdf68bec4ea489fa417d | $4,656,368.94 | no | 3 months ago | 5ca1ae8a-9ddf-4b4a-88ef-09e4f55fd259
low | codex | exchange_received lets any caller consume pre-transferred balances | 0xc061caa073f3d95f80f8e5428d32d2d76f5e1622 | $3,839,013.25 | no | 3 months ago | ffb196f5-96d5-445c-8185-3b020d31e22a
medium | codex | External rate sources used without bounds or staleness checks can misprice swaps or DoS the pool | 0x7e19f0253a564e026c63eeaa9338d6dbddef3b09 | $2,883,864.58 | no | 3 months ago | 8269a4b6-4f22-476a-9b2f-e422a2b0bba1
medium | codex | Wrap mints based on requested amount instead of actual received tokens | 0xa250cc729bb3323e7933022a67b52200fe354767 | $3,021,719.87 | no | 3 months ago | bb5b93eb-4200-4976-ba61-e903af632b89
low | codex | Permit allows malleable signatures (no EIP-2 s/v checks) | 0xa250cc729bb3323e7933022a67b52200fe354767 | $3,021,719.87 | no | 3 months ago | bb5b93eb-4200-4976-ba61-e903af632b89
medium | codex | Signatures are not domain-separated by contract address or chain ID | 0xa4108aa1ec4967f8b52220a4f7e94a8201f2d906 | $5,776,559.81 | no | 3 months ago | d2059fa9-7d9b-46bb-87e6-c88defafd461
low | codex | Validator address uniqueness is not enforced in valsets | 0xa4108aa1ec4967f8b52220a4f7e94a8201f2d906 | $5,776,559.81 | no | 3 months ago | d2059fa9-7d9b-46bb-87e6-c88defafd461
low | codex | Authorization depends on tx.origin (phishing-prone pattern) | 0x9ba0cf1588e1dfa905ec948f7fe5104dd40eda31 | $9,569,709.10 | no | 3 months ago | 4ee9e6aa-cee2-43f6-81ad-5f467998a375
high | codex | Uninitialized lastFeeTime causes excessive management fees and can brick first settlement | 0xe50554ec802375c9c3f9c087a8a7bb8c26d3dedf | $0.00 | no | 3 months ago | 42f21ca1-82d3-426a-a45a-788b3a4f9d5b
high | codex | HighWaterMark initialized with underlying decimals triggers performance fees immediately for <18-decimal assets | 0xe50554ec802375c9c3f9c087a8a7bb8c26d3dedf | $0.00 | no | 3 months ago | 42f21ca1-82d3-426a-a45a-788b3a4f9d5b
high | codex | Hardcoded privileged borrow bypasses Comptroller risk checks | 0x2ac63723a576f89b628d514ff671300801dc1702 | $0.00 | no | 3 months ago | a66a7849-282c-405c-94d3-afe6d6d3f5a1
low | codex | Reentrancy during `_mint` can bypass `depositCap` | 0x1b992302652a92611dcd5090d1cb388c6377f455 | $0.00 | no | 3 months ago | b92d2e03-21a2-487f-9e4b-54e0e3b1a93c
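Eight of the rows above ("Accounting assumes full token transfers", "Fee-on-transfer tokens break share and debt accounting", "Deposits trust `amount` rather than actual tokens received", "Fee-on-transfer/rebasing assets break accounting", "Deposits assume full `_amount` is received", "Fee-on-transfer tokens can mint more than the vault receives", "Accounting assumes tokens are not fee-on-transfer or deflationary", "Wrap mints based on requested amount") are the same bug class: the contract books the caller's requested amount instead of what it actually received. The Solidity below is an added illustration of that class and its fix; it is not code from any contract in the table. `FeeToken`, `VaultTrustsAmount` and `VaultMeasuresReceived` are constructed names, and the 1% burn-on-transfer fee is an assumption chosen to make the accounting gap visible.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; not code from any contract in the table.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Constructed fee-on-transfer token: every transfer burns 1% (assumed rate).
contract FeeToken is IERC20 {
    mapping(address => uint256) public override balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    constructor() { balanceOf[msg.sender] = 1_000_000e18; }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transfer(address to, uint256 amount) external override returns (bool) {
        return _move(msg.sender, to, amount);
    }

    function transferFrom(address from, address to, uint256 amount) external override returns (bool) {
        allowance[from][msg.sender] -= amount; // checked math reverts on insufficient allowance
        return _move(from, to, amount);
    }

    function _move(address from, address to, uint256 amount) internal returns (bool) {
        uint256 fee = amount / 100;
        balanceOf[from] -= amount;
        balanceOf[to] += amount - fee; // recipient gets 99%; the fee is burned
        return true;
    }
}

/// Vulnerable shape: shares are booked from the requested `amount`.
contract VaultTrustsAmount {
    IERC20 public immutable asset;
    mapping(address => uint256) public shares;
    uint256 public totalShares;

    constructor(IERC20 _asset) { asset = _asset; }

    function deposit(uint256 amount) external {
        require(asset.transferFrom(msg.sender, address(this), amount), "transfer failed");
        // The vault now holds amount - fee but credits `amount` of 1:1 shares.
        // Every deposit widens the gap; the last withdrawer eats it.
        shares[msg.sender] += amount;
        totalShares += amount;
    }

    function withdraw(uint256 shareAmount) external {
        shares[msg.sender] -= shareAmount;
        totalShares -= shareAmount;
        require(asset.transfer(msg.sender, shareAmount), "transfer failed"); // reverts once underfunded
    }
}

/// Hardened shape: credit the balance delta actually observed, and price
/// shares on internal `totalAssets` rather than a live balanceOf() read.
contract VaultMeasuresReceived {
    IERC20 public immutable asset;
    mapping(address => uint256) public shares;
    uint256 public totalShares;
    uint256 public totalAssets;

    constructor(IERC20 _asset) { asset = _asset; }

    function deposit(uint256 amount) external returns (uint256 minted) {
        uint256 before = asset.balanceOf(address(this));
        require(asset.transferFrom(msg.sender, address(this), amount), "transfer failed");
        uint256 received = asset.balanceOf(address(this)) - before;
        require(received > 0, "nothing received");
        minted = totalShares == 0 ? received : received * totalShares / totalAssets;
        shares[msg.sender] += minted;
        totalShares += minted;
        totalAssets += received;
    }

    function withdraw(uint256 shareAmount) external returns (uint256 paid) {
        paid = shareAmount * totalAssets / totalShares;
        shares[msg.sender] -= shareAmount;
        totalShares -= shareAmount;
        totalAssets -= paid;
        require(asset.transfer(msg.sender, paid), "transfer failed");
    }
}
```

Deploy `FeeToken`, approve a vault and deposit 100e18: `VaultTrustsAmount` credits 100e18 shares against 99e18 of tokens, and the last withdrawer's transfer reverts on underflow inside the token. `VaultMeasuresReceived` credits 99e18 and stays solvent. Two caveats a reviewer would add: the before/after delta does not protect against a token that calls back into the vault during `transferFrom` (ERC777-style hooks), so the pattern still wants a reentrancy guard; and for rebasing assets the internal `totalAssets` will drift from `balanceOf()`, so the vault must decide explicitly who owns that drift rather than leave it to whoever withdraws first.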
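Seven rows report an initializer that anyone can call ("Public initializer can be front-run to seize ownership", "Silo initializer is publicly callable", "Silo initialization is permissionless and can be front-run if deployment is not atomic", "Initializer allows takeover if proxy/implementation is left uninitialized", "Unprotected reinitializer allows ownership takeover after upgrade", "Public initializer can be abused if proxy is left uninitialized", "Unprotected initializer can be front-run on new clones"). An `initialized` flag alone does not close this: if the proxy is created in one transaction and `initialize()` is sent in the next, the first caller wins. The Solidity below is an added illustration, not code from any contract in the table; `LogicVulnerable`, `LogicHardened`, `AtomicProxy` and `Factory` are constructed names, and the proxy is a minimal hand-rolled one rather than a library implementation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; not code from any contract in the table.

/// Vulnerable shape: proxy deployed in one transaction, initialize() sent in
/// the next. The flag blocks a second call, but the first call is open to
/// whoever lands it, and a mempool watcher lands it first.
contract LogicVulnerable {
    address public owner;
    bool private initialized;

    function initialize(address _owner) external {
        require(!initialized, "already initialized");
        initialized = true;
        owner = _owner;
    }
}

/// Hardened logic: only the factory may initialize, once per proxy. The
/// factory address is immutable, so it lives in code and is visible when this
/// bytecode runs under delegatecall in the proxy's storage context.
contract LogicHardened {
    address public immutable factory;
    address public owner;
    bool private initialized;

    constructor(address _factory) { factory = _factory; }

    function initialize(address _owner) external {
        // delegatecall preserves msg.sender: from AtomicProxy's constructor
        // this is the Factory, not an arbitrary front-runner.
        require(msg.sender == factory, "not factory");
        require(!initialized, "already initialized");
        initialized = true;
        owner = _owner;
    }
}

/// Proxy that runs its init calldata inside its own constructor, so creation
/// and initialization are one transaction with no window between them.
contract AtomicProxy {
    address private immutable impl;

    constructor(address _impl, bytes memory initData) {
        impl = _impl;
        (bool ok, bytes memory ret) = _impl.delegatecall(initData);
        if (!ok) {
            assembly { revert(add(ret, 32), mload(ret)) } // bubble the revert reason
        }
    }

    fallback() external {
        address target = impl;
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), target, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
}

/// Deploys a proxy and initializes it atomically with the caller's owner.
contract Factory {
    LogicHardened public immutable logic;

    constructor() { logic = new LogicHardened(address(this)); }

    function deployOwned(address owner) external returns (address proxy) {
        bytes memory data = abi.encodeCall(LogicHardened.initialize, (owner));
        proxy = address(new AtomicProxy(address(logic), data));
    }
}
```

The two controls are independent and both are worth having: the atomic constructor-time delegatecall removes the window, and the `msg.sender == factory` check means that even a proxy someone deploys by hand against this logic cannot be claimed by a stranger. The "reinitializer after upgrade" row is the same problem one version later: every `reinitialize` added with an upgrade needs the same caller restriction and the same single-use guard, and the logic contract itself should be locked so nobody initializes it directly.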
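Two rows concern off-chain signatures: "Permit allows malleable signatures (no EIP-2 s/v checks)" and "Signatures are not domain-separated by contract address or chain ID". The Solidity below is an added illustration of both weaknesses and the standard hardening (EIP-712 domain with `chainId` and `verifyingContract`, a per-signer nonce, and rejection of the high-`s` twin); it is not code from any contract in the table. `SignedActionVulnerable`, `SignedActionHardened` and the `Transfer` typed-data struct are constructed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; not code from any contract in the table.

/// Vulnerable shape: the digest carries no chain ID or contract address, and
/// the replay guard is keyed on the signature bytes themselves.
contract SignedActionVulnerable {
    mapping(bytes32 => bool) public usedSig;
    mapping(address => uint256) public credit;

    function execute(address signer, address to, uint256 amount, uint8 v, bytes32 r, bytes32 s) external {
        // The same bytes are a valid signature on every chain and every deployment.
        bytes32 digest = keccak256(abi.encode(to, amount));
        // For any accepted (r, s, v), the twin (r, n - s, 55 - v) recovers the
        // same signer but hashes to a different key: the action runs twice.
        bytes32 key = keccak256(abi.encode(v, r, s));
        require(!usedSig[key], "signature used");
        usedSig[key] = true;
        require(ecrecover(digest, v, r, s) == signer, "wrong signer");
        credit[to] += amount;
    }
}

/// Hardened shape: EIP-712 domain with chainId and verifyingContract, a
/// per-signer nonce as the replay guard, and EIP-2 canonical-s enforcement.
contract SignedActionHardened {
    bytes32 private constant TRANSFER_TYPEHASH =
        keccak256("Transfer(address to,uint256 amount,uint256 nonce)");
    bytes32 private constant DOMAIN_TYPEHASH =
        keccak256("EIP712Domain(string name,uint256 chainId,address verifyingContract)");
    // secp256k1 group order / 2: any s above this is the malleable twin.
    uint256 private constant HALF_N = 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    mapping(address => uint256) public nonces;
    mapping(address => uint256) public credit;

    /// Recomputed per call so a chain fork cannot leave a cached separator stale.
    function domainSeparator() public view returns (bytes32) {
        return keccak256(abi.encode(DOMAIN_TYPEHASH, keccak256("SignedAction"), block.chainid, address(this)));
    }

    function digestFor(address to, uint256 amount, uint256 nonce) public view returns (bytes32) {
        bytes32 structHash = keccak256(abi.encode(TRANSFER_TYPEHASH, to, amount, nonce));
        return keccak256(abi.encodePacked("\x19\x01", domainSeparator(), structHash));
    }

    function recover(bytes32 digest, uint8 v, bytes32 r, bytes32 s) internal pure returns (address) {
        require(uint256(s) <= HALF_N, "non-canonical s");
        require(v == 27 || v == 28, "bad v");
        address signer = ecrecover(digest, v, r, s);
        require(signer != address(0), "invalid signature");
        return signer;
    }

    function execute(address signer, address to, uint256 amount, uint8 v, bytes32 r, bytes32 s) external {
        uint256 nonce = nonces[signer]++; // the nonce, not the signature bytes, is the replay key
        bytes32 digest = digestFor(to, amount, nonce);
        require(recover(digest, v, r, s) == signer, "wrong signer");
        credit[to] += amount;
    }
}
```

The order of checks in `recover` matters: `ecrecover` itself happily accepts both `s` and `n - s`, so the range check has to come before it, and the zero-address check after it, because `ecrecover` returns `address(0)` rather than reverting on garbage input. Keying replay protection on a nonce rather than on the signature hash is what makes malleability harmless even if the `s` check were ever relaxed.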