content linked to Security
A primer on DeFi Liquidations and how can they be compromised.
Introduction
During the past month or so, I’ve been researching aave new v4 implementation during a contest in sherlock.
My focus diving deep into the protocol was not only to focus on finding bugs, but to explore his new implementation and learn how it works for future implementations.
Today, I wanted to write a bit on the topic of Liquidations: what they are, how they work and some attack vectors to keep in mind while auditing.
Top Paying Bugs of Sherlock Q4 2025
Analyzing Sherlock Q4 top paying bugs.
I will be analyzing here bugs that paid over 200$ as that is at least what I would want to get paid for a bug in competition to make this profitable.
| Contest | Issue | Description | Reward |
|---|---|---|---|
| Index Fun Order Book | M - Asymmetric fee structure allows market participants to get the same outcome for less fee | Users can take different paths to achieve lesser fees in trades. | $5492 |
| M - Violation of rule defined in EIP-1155 | “The URI MUST point to a JSON file that conforms to the ERC-1155 Metadata URI JSON Schema.” However, in the current implementation, the URI is set to an empty string, violating this requirement. | $720 | |
| M - Lack of Emergency Market Invalidation Mechanism | Lack of Mechanism, Market has no way to resolve to some state. | $720 | |
| Summer.fi Governance V2 | M - Foundation recall will inflate governance power for earnest voters | Missing logic to reduce escrowed weights after recallUnvestedTokens will cause an enduring governance power inflation for honest voters. | $381 |
| M - Satellite chains can’t execute onlyGovernance functions | The root cause is that the satellite chain execution logic fails to properly adapt to the standard OpenZeppelin (OZ) Governor design. | $5668 | |
| Super DCA Liquidity Network | M - Attackers will steal rewards from legitimate pools by making duplicate pools for listed token | Lack of pool-specific validation in _handleDistributionAndSettlement to check if the pool is listed before accruing rewards. Use of Uniswap V4 Hooks. | 232 OP |
| H - Unfair distribution of rewards for LPs | The pool’s reward distribution occurs during each liquidity operation through the beforeAddLiquidity and beforeRemoveLiquidity hooks. The Uniswap pool’s donate mechanism is used, which distributes rewards to in-range LPs at the current slot0.tick. The problem with this design is that rewards accrued over a certain period are distributed to the current in-range position, regardless of which positions provided active liquidity during the accrual period. | 5661 OP | |
| Dango DEX | H - Incorrect rounding direction in geometric pool ask_exact_amount_out allows theft of funds | 7467 $ | |
| H - Exploitation of fee bypass through Deposit-Then-Withdraw strategy | $4480 | ||
| M - User can pause all auctions by overflow in mid-price average causing DOS | $3318 | ||
| M - Overflow in geometric can dos swap | $3318 | ||
| M - Price cannot be represented when a high-value base asset is quoted in a high-decimal asset | $3318 | ||
| M - Inconsistent multiplication during order creation and cancellation can lead to panics and Denial of Service during order cancellation | $3318 | ||
| H - Geometric pool swap costs can be evaded through repeated small transactions leading to a loss of yield for LP’s | $1633 | ||
| M - XYK reflect_curve omits swap fee in order sizing, leaking LP fees | $1493 | ||
| M - XYK reflect_curve is incorrect and decreases K over time leading to loss of funds for LP providers. | $1493 | ||
| M - Unbounded spam limit asks can be created to DOS force cancellation | $1493 | ||
| Brevis Pico ZKVM | |||
| Ammplify |
Immunify ETH ESCAPE CTF Writeup
This are some of the solutions for the Immunify ETH ESCAPE CTF.