Trail of Bits

Curvance

Type: Security review

Client: Curvance

Date: 2024-03

Domain: Blockchain

Effort: 5 wks

Section: Invariant Testing and Development Engagements

Trail of Bits's security review of Curvance (Mar 2024) identified 13 issues: 1 high, 2 medium, 2 low, and 8 undetermined.

Findings · 13

  1. Combining continuous locks into single continuous lock terminal results in 1 wei in profit (Undetermined)
  2. Combining some noncontinuous locks into single continuous lock terminal does not change userPoints (Undetermined)
  3. Calls to repay with excessive amount result in underflow and panic (Low)
  4. processExpiredLock called with the relock option does not delete the existing lock (High)
  5. Combining locks is still possible after the system is shut down (Low)
  6. combineAllLocks erroneously decreases user points when used with expired lock (Medium)
  7. repayWithBadDebt can be 1 wei off and cause a panic (Medium)
  8. Possible underflow in combineAllLocks due to 1-wad difference in veCVE balance and user points (Undetermined)
  9. Negative prices from OracleRouter cause underflow and panic (Undetermined)
  10. Division-by-zero error in _canLiquidate results in a panic (Undetermined)
  11. Missing validation allows the DAO address to be liquidated (Undetermined)
  12. Missing validation allows the DAO address to be the liquidator (Undetermined)
  13. The repay function will panic if a user’s total borrows and debt balance are 1 wei off (Undetermined)

Findings extracted from the published report PDF. See the full report below for details and remediation.
