fyamf

fyamf

Rankings

#66 2024

#238 All-time

#359 90-day

High-risk

16 Total

Medium-risk

13 Total

3 Solo

Activity

7 Audits

SecondSwap 2024.12.19

High-risk

1/145

Medium-risk

2/226

QA report

Gas report

Analysis

Kakarot 2024.10.25

High-risk

1/6

Medium-risk

QA report

Gas report

Analysis

Chakra 2024.09.12

High-risk

9/14

Medium-risk

5/12

QA report

A Grade

Gas report

Analysis

Olas 2024.06.18

High-risk

Medium-risk

3/20

QA report

A Grade

Gas report

Analysis

Arbitrum BoLD 2024.05.27

High-risk

Medium-risk

QA report

B Grade

Gas report

Analysis

Munchables 2024.05.27

High-risk

2/2

Medium-risk

QA report

Gas report

Analysis

Renzo 2024.05.08

High-risk

3/8

Medium-risk

3/14

QA report

A Grade

Gas report

Analysis

High-risk

Medium-risk

QA report

Gas report

Analysis

High-risk

Medium-risk

QA report

Gas report

Analysis

High-risk

Medium-risk

QA report

Gas report

Analysis

High-risk

Medium-risk

QA report

Gas report

Analysis

High-risk

Medium-risk

QA report

Gas report

Analysis

Calendar icon

December 2024

Contest image

19 December 2024

SecondSwap

High-risk

Identified a finding grouped with:

Users can claim more that their actual allotment

Medium-risk

Selected for report

Incorrect listing type validation bypasses enforcement of minimum purchase amount

Medium-risk

Identified a finding grouped with:

Creator of one vesting plan can affect vesting plans created by other users.
Calendar icon

October 2024

Contest image

25 October 2024

Kakarot

High-risk

Selected for report

Three valid signatures for the same message
Calendar icon

September 2024

Contest image

12 September 2024

Chakra

High-risk

Identified a finding grouped with:

Malicious actors can manipulate the `cross_chain_callback` callback

High-risk

Identified a finding grouped with:

SettlementSignatureVerifier is missing check for duplicate validator signatures

High-risk

Identified a finding grouped with:

There is no refund mechanism in `ChakraSettlement.processCrossChainCallback` or `ChakraSettlementHandler.receive_cross_chain_callback` function

High-risk

Identified a finding grouped with:

Anyone can manipulate user nonce (nonce_manager) in settlement contract

High-risk

Identified a finding grouped with:

SettlementSignatureVerifier is missing check for duplicate validator signatures

Medium-risk

Selected for report

Wrong usage of transaction originator address instead of caller address

High-risk

Identified a finding grouped with:

In Starknet already processed messages can be re-submitted and by anyone

High-risk

Identified a finding grouped with:

`ChakraSettlement.receive_cross_chain_msg` and `ChakraSettlement.receive_cross_chain_callback` functions do not ensure that receiving `ChakraSettlement` contract's `contract_chain_name` must match `to_chain` corresponding to respective `txid` input though

Medium-risk

Selected for report

Bridging from Starknet to Starknet causes mismatch between minted ckrBTC and BTC transferred to MuSig2

High-risk

Identified a finding grouped with:

handler's `receive_cross_chain_callback()` will always set the tx_status to `SETTLED` on source chain & burn the tokens (MintBurn Mode) even when the msg fails on destination

Medium-risk

Identified a finding grouped with:

Excessive Authority Granted to Managers in the `ckr_btc.cairo` Contract Presents Significant Management Risks

High-risk

Identified a finding grouped with:

Anyone can manipulate user nonce (nonce_manager) in settlement contract

High-risk

Identified a finding grouped with:

Invalid token address used in `ChakraSettlementHandler::cross_chain_erc20_settlement(...)` leading to invalid transaction creation and event emission

High-risk

Identified a finding grouped with:

In settlement.cairo::receive_cross_chain_msg - the payload_type can be passed by the user, confusing offchain systems

Medium-risk

Identified a finding grouped with:

Does not check if to_chain and to_handler is whitelisted in cross_chain_erc20_settlement

Medium-risk

Identified a finding grouped with:

inconsistency in sender address when creating cross chain messages on Starknet can lead to loss of funds
Calendar icon

June 2024

Contest image

18 June 2024

Olas

Medium-risk

Identified a finding grouped with:

checkpoint function is not called before staking which can cause loss of rewards for already staked services.

Medium-risk

Selected for report

Loss of incentives if total weight in an epoch is zero

Medium-risk

Selected for report

Adding staking instance as nominee before it is created
Calendar icon

May 2024

Contest image

27 May 2024

Munchables

High-risk

Identified a finding grouped with:

Malicious User can call `lockOnBehalf` repeatedly extend a users `unlockTime`, removing their ability to withdraw previously locked tokens

High-risk

Identified a finding grouped with:

Invalid validation allows users to unlock early
Contest image

8 May 2024

Renzo

Medium-risk

Selected for report

Fetched price from the oracle is not stored in `xRenzoDeposit`

High-risk

Identified a finding grouped with:

The amount of `xezETH` in circulation will not represent the amount of `ezETH` tokens 1:1

Medium-risk

Identified a finding grouped with:

Deposits will always revert if the amount being deposited is less than the bufferToFill value

High-risk

Identified a finding grouped with:

Incorrect withdraw queue balance in TVL calculation

High-risk

Identified a finding grouped with:

Incorrect calculation of queued withdrawals can deflate TVL and increase ezETH mint rate

Medium-risk

Selected for report

Not handling the failure of cross chain messaging