Trail of Bits

Frax

Type: Security review
Client: Frax Finance
Date: 2021-12
Domain: Blockchain
Effort: 4 wks
Section: Frax Finance

Trail of Bits's security review of Frax Finance (Dec 2021) identified 25 issues: 8 high, 8 medium, 1 low, 6 informational, and 2 undetermined.

Findings · 25

  1. Testing is not routine (Informational)
  2. No clear mapping from contracts to tests (Informational)
  3. amoMinterBorrow cannot be paused (Medium)
  4. Array updates are not constant time (Medium)
  5. Incorrect calculation of collateral amount in redeemFrax (High)
  6. spotPriceOHM is vulnerable to manipulation (High)
  7. Return values of the Chainlink oracle are not validated (Informational)
  8. Unlimited arbitrage in CCFrax1to1AMM (High)
  9. Collateral prices are assumed to always be $1 (Medium)
  10. Solidity compiler optimizations can be problematic (Informational)
  11. Users are unable to limit the amount of collateral paid to FraxPoolV3 (Medium)
  12. Incorrect default price tolerance in CCFrax1to1AMM (Low)
  13. Significant code duplication (Informational)
  14. StakingRewardsMultiGauge.recoverERC20 allows token managers to steal rewards (Medium)
  15. Convex_AMO_V2 custodian can withdraw rewards (Medium)
  16. The FXS1559 documentation is inaccurate (Informational)
  17. Univ3LiquidityAMO defaults the price of collateral to $1 (Medium)
  18. calc_withdraw_one_coin is vulnerable to manipulation (High)
  19. Incorrect valuation of LP tokens (High)
  20. Missing check of return value of transfer and transferFrom (High)
  21. A rewards distributor does not exist for each reward token (Undetermined)
  22. minVeFXSForMaxBoost can be manipulated to increase rewards (Medium)
  23. Most collateral is not directly redeemable by depositors (Undetermined)
  24. FRAX.globalCollateralValue counts FRAX as collateral (High)
  25. Setting collateral values manually is error-prone (High)

Findings extracted from the published report PDF. See the full report below for details and remediation.