This repository includes a dataset of high vulnerabilities recorded on the platforms Code 4 Arena and Sherlock between January and September 2023. The dataset comprises 145 vulnerabilities, which have been manually categorized into the classifications described here.
A paper has been prepared to present the findings of this analysis.
The contests analyzed were the following:
| PLATFORM | CATEGORY | CONTEST | BOUNTY | HRF | nSLOC | PARTICIPANTS | DATE |
|---|---|---|---|---|---|---|---|
| Code4rena | DAO | Arbitrum security council election system | 90500 | 1 | 2184 | 39 | 2023-09 |
| Code4rena | DAO | Llama | 60500 | 2 | 2096 | 50 | 2023-07 |
| Code4rena | Stablecoin | Lybra finance | 60500 | 8 | 1762 | 136 | 2023-08 |
| Code4rena | Dexes | Maia DAO ecosystem | 300500 | 35 | 10997 | 85 | 2023-05 |
| Code4rena | Yield | PoolTogether | 121650 | 9 | 3324 | 117 | 2023-07 |
| Code4rena | Yield | PoolTogether v5: part deux | 42000 | 2 | 1001 | 45 | 2023-08 |
| Sherlock | Lending | Ajna update | 85600 | 6 | 5659 | 155 | 2023-06 |
| Sherlock | Yield Agreggator | Blueberry | 72500 | 10 | 284 | 2023-02 | |
| Sherlock | Yield Agreggator | Blueberry Update #3 | 23600 | 5 | 3633 | 183 | 2023-08 |
| Sherlock | Options | Bond options | 23600 | 2 | 885 | 153 | 2023-07 |
| Sherlock | Lending | Cooler update | 17000 | 4 | 512 | 170 | 2023-08 |
| Sherlock | Dexes | GFX labs | 20400 | 2 | 716 | 106 | 2023-07 |
| Sherlock | Derivatives | GMX | 200000 | 5 | 10571 | 220 | 2023-04 |
| Sherlock | Lending | Iron bank | 67400 | 1 | 2241 | 271 | 2023-05 |
| Sherlock | Derivatives | Perennial | 122000 | 1 | 4063 | 220 | 2023-05 |
| Sherlock | Derivatives | Perennial v2 | 125200 | 6 | 2494 | 252 | 2023-07 |
| Sherlock | Derivatives | Symmetrical | 91000 | 8 | 3553 | 233 | 2023-06 |
| Sherlock | Derivatives | Symmetrical Update | 27600 | 2 | 3921 | 52 | 2023-08 |
| Sherlock | Launchpad | Tokensoft | 21400 | 1 | 769 | 221 | 2023-07 |
| Sherlock | Stablecoin | Unitas protocol | 36400 | 1 | 1433 | 208 | 2023-06 |
| Code4rena | RWA | Ondo finance | 60500 | 1 | 4365 | 74 | 2023-01 |
| Sherlock | Indexes | Index coop | 130600 | 2 | 4383 | 283 | 2023-05 |
| Sherlock | Stablecoin | USSD | 18200 | 3 | 402 | 224 | 2023-05 |
| Sherlock | RWA | Dinari | 16000 | 1 | 575 | 176 | 2023-07 |
| Sherlock | Dexes | RealWagmi | 33200 | 5 | 1080 | 203 | 2023-06 |
| Code4rena | DAO | Nouns DAO | 100000 | 1 | 9098 | 36 | 2023-07 |
| Sherlock | Dexes | DODO v3 | 57800 | 5 | 2079 | 151 | 2023-06 |
| Sherlock | Derivatives | Hubble Exchange | 60000 | 3 | 1945 | 148 | 2023-06 |
| Code4rena | Stablecoin | Angle Protocol | 52500 | 3 | 2276 | 5 | 2023-07 |
| Code4rena | Liquidity manager | Arrakis | 81400 | 2 | 2801 | 247 | 2023-06 |
| Sherlock | Dexes | Unstoppable | 36400 | 8 | 2035 | 130 | 2023-06 |
| TOTALS | 2255950 | 145 | 3095.1 | 157.32258 |
- HRF: High Risk Findings
- nSLOC: Source lines of code number
- Identifying vulnerabilities in smart contract systems is a crucial task that requires a high level of expertise. In this regard, auditors face certain challenges in uncovering specific types of vulnerabilities. Of the various types of vulnerabilities, those related to contract implementation-specific bugs (C8), followed by C02 and C10, are particularly difficult to spot. Conversely, C05, C14, and C01 are the easiest to identify.
- Erroneous state updates (C03), privilege escalation and access control issues (C05), and wrong math (C06) are the dominant classes of vulnerabilities across multiple categories. This suggests that these vulnerability types are common in general. Specifically, erroneous state updates are found in eight categories, while privilege escalation and access control issues (C05) and wrong math (C06) appear in seven categories.
- Certain classes of vulnerabilities appear less frequently, indicating that they may be specific to certain protocol types or more challenging to find. For example, classes such as lack of signature replay protection (C09), missing check (C10), and contract implementation-specific bugs (C08) are sparse.
- Different protocol categories have different vulnerability profiles. Dexes protocols had the highest number of identified bugs, with 47 classified, followed by Derivatives with 25 and Aggregator and Stablecoin with 15 each.
- Wrong math (C06) is the most frequent classification across all categories, with 36 bugs classified as such. Broken business logic (C07) is the second most frequent classification, with 31 identified bugs. Erroneous state updates (C03) and missing check (C10) follow with 19 and 11 bugs classified, respectively. Finally, 10 bugs were classified as Mempool Manipulation / Front-Running Vulnerabilities (C01).
- The relationship between vulnerability categories and different protocol types is complex. Wrong math (C06) is the most frequent classification found in Derivatives, Yield Aggregator, and Stablecoins, while Broken business logic (C07) is the most frequent classification found in Dexes and Yield. Additionally, arrays (C14) and wrong math (C06) are the second most common type of bugs found in Dexes.