Skip to content

My public findings/reports from decentalized audits, select bug bounty programs and engagements

Notifications You must be signed in to change notification settings

MarioPoneder/audits

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

62 Commits
Β 
Β 
Β 
Β 

Repository files navigation

Public Findings

For more info, visit: https://decentra.vision/

Index


Team Engagements

Begin month Project Category Provider Duration Platform
2024-11 Near One OmniProtocol Cross-chain, Asset bridging AuditOne 2.0 weeks Rust / NEAR, Rust / Solana, Solidity / EVM
2024-11 To be disclosed Combinatorial prediction markets Oak Security 2.5 weeks Rust / Substrate
2024-11 Push Protocol - Comm Cairo / Rust Cross-chain, Notifications Oak Security 1.0 weeks Cairo / Starknet, Rust / Solana
2024-10 BugHole Restaking Kaia chain, Restaking Trust Security 0.6 weeks Solidity / EVM
2024-10 Level Money Stablecoin, Restaking Spearbit 1.0 weeks Solidity / EVM
2024-10 To be disclosed DEX, Aggregator Code4rena Zenith 0.4 weeks Rust / Solana
2024-10 4Real Finance Treasury, Staking, Yield Code4rena Zenith 0.8 weeks Rust / Solana
2024-10 To be disclosed DEX, Aggregator Code4rena Zenith 0.3 weeks Rust / Solana
2024-10 Near One OmniBridge Cross-chain, Asset bridging AuditOne 2.0 weeks Rust / NEAR, Solidity / EVM
2024-09 Balancer V3 AMM, DEX, Vault Spearbit 4.0 weeks Solidity / EVM
2024-08 Resolv Stablecoin, Liquid staking, Futures Pashov Audit Group 1.0 weeks Solidity / EVM
2024-08 Aurora BTC Light Client Bitcoin client, Relay AuditOne 1.0 weeks Rust / NEAR
2024-07 Undisclosed Proof of Liquidity, Staking, Voting Spearbit 3.0 weeks Solidity / EVM
2024-06 Router Protocol Cross-chain, Liquidity, Messaging Oak Security 3.0 weeks Rust / Solana
2024-06 Out GCC Tokenization, Marketplace Oak Security 1.0 weeks Rust / Solana
2024-06 Sharwa Finance Margin trading, Options Pashov Audit Group 1.0 weeks Solidity / EVM
2024-06 Undisclosed Cross-chain, Airdrop Pashov Audit Group 0.4 weeks Solidity / EVM
2024-05 Pendle Finance Tokenization, Yield trading Spearbit 3.0 weeks Solidity / EVM
2024-04 Undisclosed Game, Infrastructure Oak Security 1.1 weeks Rust / Substrate

Solo Engagements

Begin month Project Category Provider Duration Platform
2024-12 To be disclosed Lending, Leveraged yield Spearbit 1.0 weeks Solidity / EVM
2024-07 Possum Core (ref) Governance, Staking Decentra Vision 0.8 weeks Solidity / EVM
2024-06 Proportionalized Contracts Fee token, Staking Decentra Vision 0.8 weeks Solidity / EVM
2024-05 Yeet Cup Game, Yield Shieldify 0.8 weeks Solidity / EVM
2024-03 Olas Lockbox v2 - Mitigation review Liquidity bonding Cantina 0.4 weeks Rust / Solana

2024-03: Possum Labs Portals v2 πŸ₯ˆ

Risk Title Finding in report
🟨
Medium
Investors could earn 10x more than intended M-01
🟦
Low
Cannot revoke permit of MintBurnToken L-02

2024-02: Ion Protocol πŸ₯‡

Risk Title Finding in report
🟨
Medium
Unsafe downcast truncation in UniswapOracleLibrary leading to invalid price data M-01

Judging

2024-03: Acala

Rust / Substrate

Risk Title Selected for report
🟨
Medium
Incentive accumulation can be sandwiched with additional shares to gain advantage over long-term depositors M-02

2024-03: Canto Invitational πŸ₯ˆ

Risk Title Selected for report
πŸŸ₯
High
Native gas tokens can become stuck in ASDRouter contract H-01
πŸŸ₯
High
Dual transaction nature of composed message transfer allows anyone to steal user funds H-02
🟨
Medium
Removing token from the whitelist may cause DoS due to limited USDC amount
🟦
Low
Low Risk and Non-Critical Issues QA

2024-03: Phat Contract Runtime πŸ₯‰

Rust / Substrate

Related tweet

Awards have been announced for the $60,500 USDC @PhalaNetwork audit! πŸ₯³

Top 5:
πŸ₯‡ @DadeKuma - $15,937.95 USDC
πŸ₯ˆ zhaojie - $15,225.87 USDC
πŸ₯‰ @MarioPoneder - $12,619.42 USDC
πŸ… Koolex - $2,606.45 USDC
πŸ… Cryptor - $994.09 USDC pic.twitter.com/C15fmXxxJ2

β€” Code4rena (@code4rena) April 1, 2024
Risk Title Selected for report
🟨
Medium
Limited availability of balance_of(...) method M-01

2024-01: Opus πŸ₯‰

Cairo / Starknet

Related tweet

Rounding out the Top 3 was @MarioPoneder! πŸ₯‰

Rank: #3 (#86 All-time)
Medium-risk findings: 2 (2 solo) pic.twitter.com/vCgs0GlnQY

β€” Code4rena (@code4rena) March 6, 2024
Risk Title Selected for report
🟨
Medium
Collateral cannot be withdrawn from trove once yang is suspended M-07
🟨
Medium
Unhealthy troves with LTV > 90% cannot always be absorbed as intended M-09
🟦
Low
Low Risk and Non-Critical Issues QA

2023-12: Olas

Risk Title
πŸŸ₯
High
Bonds created in year cross epoch’s can lead to lost payouts

2023-10: zkSync Era

Risk Title
🟨
Medium
Incorrect max precompile address
🟦
Low
EIP-1559 transactions can be invoked from kernel space accounts due to missing assertion in bootloader
🟦
Low
EIP-712 transactions via custom accounts do not comply with EIP-3607 and could therefore fail
🟦
Low
State changes are preserved on failed L2 transactions using custom account abstraction
🟦
Low
Users can avoid paying fees for failed L2 transactions
Risk Title Selected for report
πŸŸ₯
High
All tokens can be stolen from VirtualAccount due to missing access modifier H-01

2023-09: Venus Prime

Risk Title
πŸŸ₯
High
Prime contract incompatible with currently deployed / active markets (vToken) with 8 decimals
πŸŸ₯
High
Prime contract incompatible with underlying assets differing from 18 decimals

Findings under NDA, requires Code4rena backstage access.

Risk Title
🟨
Medium
#223

2023-08: Dopex

Risk Title Selected for report
🟨
Medium
Change of fundingDuration causes "time travel" of PerpetualAtlanticVault.nextFundingPaymentTimestamp() M-10
🟦
Low
RdpxV2Core.removeAssetFromtokenReserves(...) irrecoverably breaks reserve token handling
Risk Title
🟨
Medium
SecurityCouncilNomineeElectionGovernorTiming.electionToTimestamp(...) can create unsupported/invalid dates

2023-07: Tapioca DAO

Risk Title Selected for report
πŸŸ₯
High
User can give himself approval for all assets held by MagnetarV2 contract H-49
πŸŸ₯
High
MagnetarMarketModule.depositRepayAndRemoveCollateralFromMarket(...) can be invoked with other user's tokens
🟨
Medium
Double accounting of action value in MagnetarV2.burst(...)
🟦
Low
Multicall3 ignores allowFailure leading to DoS
Risk Title Selected for report
🟨
Medium
Insufficient support for tokens with different decimals on different chains lead to loss of funds on cross-chain bridging M-08
Risk Title Selected for report
πŸŸ₯
High
UlyssesToken asset ID accounting error H-25
πŸŸ₯
High
Ulysses Omnichain support for tokens with other than 18 decimals is fundamentally flawed
🟨
Medium
RootBridgeAgent.redeemSettlement can be front-run using RootBridgeAgent.retrySettlement causing redeem DoS M-03
🟨
Medium
Maia Governance token balance dilution in vMaia vault is breaking the conversion rate mechanism M-22
🟨
Medium
Claiming outstanding utility tokens from vMaia vault DoS on pbHermes<>bHermes conversion rate > 1 M-23
🟨
Medium
UlyssesToken.setWeights(...) can cause user loss of assets on vault deposits/withdrawals M-34
🟨
Medium
Withdrawal from vMaia vault only on first Tuesday of the month is not strictly enforced
🟦
Low
Payable method RootBridgeAgent.retrySettlement can lead to loss of funds for users

Findings under NDA, requires Code4rena backstage access.

Risk Title
πŸŸ₯
High
#164
🟨
Medium
#95
🟨
Medium
#307

2023-05: Ajna Protocol

Risk Title Selected for report
πŸŸ₯
High
Position NFT can be spammed with insignificant positions by anyone until rewards DoS H-03
πŸŸ₯
High
Permanent loss of rewards on temporary underfunding of RewardsManager contract

2023-04: EigenLayer πŸ₯‡

Related tweet

Awards have been announced for the $90,500 USDC @eigenlayer audit 🀝

Top 5:
πŸ₯‡ @MarioPoneder - $13,081.90 USDC
πŸ₯ˆ volodya - $12,193.66 USDC
πŸ₯‰ windowhan001 - $5,031.50 USDC
πŸ… @CyfrinAudits - $3,177.34 USDC
πŸ… @QiuhaoLi - $2,972.95 USDC

β€” Code4rena (@code4rena) June 10, 2023
Risk Title Selected for report
πŸŸ₯
High
Slot and block number proofs not required for verification of withdrawal (multiple withdrawals possible) H-01

2023-04: Rubicon v2

Findings under NDA, requires Code4rena backstage access.

Risk Title
πŸŸ₯
High
#1214
πŸŸ₯
High
#1265
Risk Title
πŸŸ₯
High
Owner of PrivatePool can steal any NFTs and tokens that the pool has approval for
🟨
Medium
PrivatePool creation can be front-run

2023-02: Ethos Reserve

Risk Title
🟨
Medium
Strategy emergency exit (guardian privileges) harvest amount can be reduced with strategist privileges
🟨
Medium
Inconsistent support of ERC20 tokens that deduct transaction fee
🟦
Low
Strategy contract upgrade can be prevented by lower privileged roles

Judging

2024-02: 3DNS

Risk Title
πŸŸ₯
High
Anyone can drain the whole ETH balance of ThreeDNSRegControl when making a commitment
🟨
Medium
Safe transfers of registrations to ERC-721 receiver contracts which also have a fallback method will always fail
🟨
Medium
Batch transfers of registrations to contracts will always fail due to an invalid selector check

2024-01: Olas Lockbox πŸ₯ˆ

Rust / Solana

Related tweet

Congratulations to our resident rustaceans on an excellent job during the @autonolas security competition.

Here are your top 3 placements:

πŸ₯‡: @99crits - $22,275.61
πŸ₯ˆ: @MarioPoneder - $8,590.35
πŸ₯‰: @meltedblocks - $6,682.68

Full Results Below! pic.twitter.com/Cr5ATXONbQ

β€” Cantina πŸͺ (@cantinaxyz) March 18, 2024
Risk Title
🟨
Medium
Attacker can create token account for NFT position to cause deposit DoS
🟨
Medium
DoS on simultaneous deposit due to id restriction
🟦
Low
Missing mutable constraint leads to withdrawal DoS due to read-only signer
🟦
Low
Attacker can frontrun lockbox initialization to provide own fee token accounts

2023-11: Superform

Risk Title
🟨
Medium
Insufficient support for fee-on-transfer tokens
🟦
Low
ArrayCastLib.castToMultiVaultData(...) does not preserve values of hasDstSwap and retain4626
🟦
Low
Timing overlap of dispute/finalizeRescueFailedDeposits(...) methods

2023-11: Morpho Blue

Risk Title
🟦
Low
Interest/fee accrual can be suppressed in regular markets with low-decimal loan tokens
🟦
Low
Oracles should be whitelisted to avoid theft by direct price manipulation

Note that I am also listing issues here which were labeled as Excluded due to the strict High/Medium only policy at Sherlock.
However, those issues are still valid & valuable for the sponsor and most of them contain a coded PoC, therefore they might be a good read for new aspiring auditors.

2023-07: Perennial V2

Risk Title
🟦
Low
DSU token balance of MultiInvoker contract can be drained by anyone

2023-06: Tokemak

Risk Title
πŸŸ₯
High
Rewards can be drained due to incorrect handling of userRewardPerTokenPaid accounting
πŸŸ₯
High
LiquidationRow.liquidateVaultsForToken(...) will always revert due to missing token transfers
🟦
Low
LMPVaultRouter mint and deposit entry-points can be blocked by anyone

2023-06: Index Update

Risk Title
🟦
Low
New auction rebalance can be started before previous one concluded or duration elapsed
🟦
Low
Insufficient validation of auction execution price adapter config data
🟦
Low
SetToken can be indefinitely locked by AuctionRebalanceModule

About

My public findings/reports from decentalized audits, select bug bounty programs and engagements

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published