A round-down vulnerability in Astroport's Staking.rs contract allows attackers to deflate the xASTRO token and break staking functionality by exploiting the absence of minimum liquidity requirements, potentially enabling governance token monopolization and voting manipulation.
A security researcher identified two bugs in Lybra Finance smart contracts: (1) incorrect liquidation logic that uses depositedEther instead of the borrowed variable, allowing liquidation beyond the intended 50% limit, and (2) missing enforcement of the 7-day waiting period for redemption provider cancellation. Both issues were acknowledged and awarded $800 LBR each.
A critical bug in Fringe.fi's lending protocol allows borrowers to withdraw collateral without the accrued interest being updated, leaving the protocol in an undercollateralized state. The vulnerability occurs when withdrawing non-maximum amounts: the accrual field remains stale and isn't counted in the borrower's health factor calculation, enabling attackers to drain the protocol's reserves.
A delegatecall vulnerability in oasisDEX's BuyCommand and SellCommand contracts allows attackers to execute arbitrary code by directly calling the external execute() function with the continuous flag set, bypassing the intended AutomationBot access control and potentially gaining unauthorized access to user CDP funds or causing a system freeze via selfdestruct().