Report in progress

Panoptic: Next Core Mitigation Review

Panoptic is a DeFi options protocol designed to enhance LPing and trading. It transforms Uniswap LP positions into onchain options, enabling traders to access liquidity in a new, flexible way.

  • Start date: 13 Feb 2026
  • End date: 18 Feb 2026
  • Total awards: $6,000 in USDC
  • Duration: 5 days

Important note

Each warden must submit a mitigation review for every individual item listed in the Scope section below. Incomplete or insufficient mitigation reviews will not be eligible for awards.

Scope

Mitigation of High & Medium Severity Issues

Mitigations of all High and Medium issues listed here will be considered in-scope:

| Fix | Mitigation of | Notes |
| --- | --- | --- |
| Commit 5bff34b | S-350: Commission fees can always be bypassed | Prevent commission bypass |
| Commit 8d603d3 | S-195: Cross-contract reentrancy in liquidation enables conversion of phantom shares to real shares, draining CollateralTracker assets | Enhance reentrancy protection and add protocol loss tracking |
| Commit 249fb90 | S-16: BuilderWallet init() is unprotected/re-initializable, enabling takeover and theft of builder fees | Protect builderWallet.init |
| Commit 8d603d3 | S-1224: Self-settlement via dispatchFrom bypasses refund mechanism allowing underfunded debt settlement | Refactored part of the delegate/revoke workflow |
| Commit 14bb7cc | S-1221: Intra-epoch rateAtTarget updates in CollateralTracker._updateInterestRate() allow compounding interest rate errors | Compute elapsed-time for IRM from epoch delta |
| Commit 4ef0998 | S-675: RiskEngine::_getRequiredCollateralAtTickSinglePosition() Fails to Accumulate Credits Across Multiple Legs, Leading to Potential Erroneous Liquidations | Combine credit amounts for multileg tokenIds |
| Commit d434388 | S-185: Incorrect UPPER_118BITS_MASK Mask in OraclePackLibrary Causes Unexpected Clearing of EMAs and lockMode in OraclePack | Use the correct 138 bit mask in OraclePack |
| Commit a5cfcd6 | S-763: Liquidations Can Be Permanently Blocked via getLiquidationBonus() Unsigned Underflow (Insolvent-but-Unliquidatable Accounts) | No more underflow for liquidation bonus calculation with no cross-margin |
| Commit fb73717 | S-463: Liquidator can receive an inflated bonus against PLPs on PanopticPool._liquidate | Include commissions in tokenPaid |
| Commit 949a3f4 | S-1049: Incorrect Collateral Calculation for Delayed Swap Strategies | Netting the credit against the loan legs |
| Commit 6b154d9 | S-382: Division-by-zero in long-leg collateral requirement can block solvency checks and dispatchFrom (liquidation/force-exercise) for tickSpacing==1 pools | No more division-by-zero in long-leg collateral requirement |
| Commit b3b005e | S-1215: PLPs Can Withdraw Assets Needed by Long Positions, Temporarily Locking Buyers | Prevent withdrawal of credited shares |
| Commit 30f90cc | S-1197: Solvency Tick Divergence Blind Spot in RiskEngine.getSolvencyTicks | Check solvency at 4 ticks when safeMode > 0 |
| Commit 069c00b | S-441: dispatchFrom() Liveness DoS via StaleOracle: Spot Price Manipulation Blocks Liquidations, Force Exercises, and Premium Settlements | No more DoS via StaleOracle for liquidations |
| Commit bebe915 | S-61: TWAP misweights EMAs in RiskEngine, anchoring liquidation price to slow EMA and letting insolvent accounts dodge liquidation | Use correct returned ema order in twapEMA |

Out of Scope