# [2023-04-Rubicon] Presorting

**Contest repo:** https://github.com/code-423n4/2023-04-rubicon

**Findings repo:** https://github.com/code-423n4/2023-04-rubicon-findings

**Judging by:** [Hickuphh3](https://twitter.com/@HickupH) (Discord: `hickuphh3#4268`)

**Pre-sorting by:** [sorryNotsorry](https://twitter.com/0xSorryNotSorry) (Discord: `sorryNotsorry#1586`)

# High Severity Primary Submissions (76)

## [[H-1364] Rewards can be claimed from Comptroller without justification](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1364)
## [[H-1353] Automatic matching allows front running offers forcing the maker to pay fees instead of earning them](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1353)
## [[H-1313] BathBuddy.getReward should update rewards from all reward tokens](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1313)
## [[H-1299] `take` doesn't take the whole offer in `RubiconMarket`](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1299)
## [[H-1294] Leverage _Limit Calculation Vulnerability Due to Collateral Factor in _borrowLimit Function](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1294)
## [[H-1283] Unused amount of ERC20 token by target contract will be lost in `FeeWrapper`](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1283)
## [[H-1281] Orders created in RubiconMarket V1 will send dust to address(0)](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1281)
## [[H-1279] Reward accounting is incorrect in BathBuddy contract](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1279)
## [[H-1277] Lack of `swap` consideration, while calculating number of iteration (lend=>borrow=>swap) needs to be performed leads to incorrect iteration number](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1277)
## [[H-1256] _borrowLimit will return wrong iteration count](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1256)
## [[H-1251] `Position.closePosition` fails when maker fee is big enough.](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1251)
## [[H-1219] order in parameters of `openPosition` are incorrect when called in `buyAllAmountWithLeverage`](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1219)
## [[H-1218] Position `_maxBorrow` does not check for market liquidity limit](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1218)
## [[H-1212] Wrong use of block.number on optimism leads to wrong interest calculations and user may end up paying alot of interest or unable to close leverage position.](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1212)
## [[H-1184] Reward token will be lost when leftover tokens are different from the new duration rewards tokens](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1184)
## [[H-1179] No access control on `del_rank()` function resulting on deletion of any arbitrary id](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1179)
## [[H-1156] User can do an first deposit inflation attack on bathToken and can take away all the shares and rewards too.](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1156)
## [[H-1124] Leveraged position can be frontrunned due to lack of limit price and slippage control](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1124)
## [[H-1122] Integer overflow/underflow vulnerability in Rubicon smart contract.](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1122)
## [[H-1110] Manipulation of Offer Position in Sorted List](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1110)
## [[H-1052] RubiconMarket batchOffer and batchRequote make offers as self; complete loss of funds for some types of tokens, for example WETH](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1052)
## [[H-1021] Position doesn't distribute rewards to users](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1021)
## [[H-1017] Part of collateral assets is not taken into account when calculating the borrow amount](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1017)
## [[H-986] RubiconMarket.sol: offers aren't set properly due to precision loss in `_matcho` function](https://github.com/code-423n4/2023-04-rubicon-findings/issues/986)
## [[H-959] Debt + Interest in calculated wrong in _calculateDebt() in Position.sol](https://github.com/code-423n4/2023-04-rubicon-findings/issues/959)
## [[H-956] Opening and instantly closing a Position leads to profit](https://github.com/code-423n4/2023-04-rubicon-findings/issues/956)
## [[H-945] Funds can be stolen from market contract using reentrancy](https://github.com/code-423n4/2023-04-rubicon-findings/issues/945)
## [[H-943] Use of certain ERC20 tokens leads to trapped funds](https://github.com/code-423n4/2023-04-rubicon-findings/issues/943)
## [[H-935] batchRequote() function is missing few important validations on the function inputs](https://github.com/code-423n4/2023-04-rubicon-findings/issues/935)
## [[H-905] Reward truncation due to precision loss in BathBuddy contract](https://github.com/code-423n4/2023-04-rubicon-findings/issues/905)
## [[H-903] Calling `Position._marketBuy` and `Position._marketSell` functions that calculate `_fee` by dividing by `10000` can cause incorrect calculations](https://github.com/code-423n4/2023-04-rubicon-findings/issues/903)
## [[H-902] Incorrect calculations can occur when calling `Position._marketBuy` and `Position._marketSell` functions that do not include maker fee in `_fee`](https://github.com/code-423n4/2023-04-rubicon-findings/issues/902)
## [[H-897] Calling `Position._marketSell` function can charge too much fee](https://github.com/code-423n4/2023-04-rubicon-findings/issues/897)
## [[H-896] Increase of `IERC20(myBathTokenBuddy).totalSupply()` can cause user's unclaimed rewards to drop](https://github.com/code-423n4/2023-04-rubicon-findings/issues/896)
## [[H-876] [H-03] Incorrect value provided by price oracle can lead to overestimation and underestimation of the maximum borrable amount](https://github.com/code-423n4/2023-04-rubicon-findings/issues/876)
## [[H-827] [H-3] Using max borrow can increase the liquidation risk for traders](https://github.com/code-423n4/2023-04-rubicon-findings/issues/827)
## [[H-825] [H-2] Incorrect decimals in _maxBorrow function can cause over or under borrowing](https://github.com/code-423n4/2023-04-rubicon-findings/issues/825)
## [[H-821] Offers made by make() function in RubiconMarket contract can never be cancelled](https://github.com/code-423n4/2023-04-rubicon-findings/issues/821)
## [[H-813] RubiconMarket.sol _hide() can DOS due to out of gas](https://github.com/code-423n4/2023-04-rubicon-findings/issues/813)
## [[H-812] _borrowLimit would return less due to slippage](https://github.com/code-423n4/2023-04-rubicon-findings/issues/812)
## [[H-770] An attacker can steal all `RubiconRouter` funds](https://github.com/code-423n4/2023-04-rubicon-findings/issues/770)
## [[H-767] An attacker can steal all tokens of users that use `FeeWrapper`](https://github.com/code-423n4/2023-04-rubicon-findings/issues/767)
## [[H-766] Some offers can't be cancelled](https://github.com/code-423n4/2023-04-rubicon-findings/issues/766)
## [[H-720] Maker and Fee recipient do not receive all funds from Taker](https://github.com/code-423n4/2023-04-rubicon-findings/issues/720)
## [[H-702] Cannot close leveraged positions](https://github.com/code-423n4/2023-04-rubicon-findings/issues/702)
## [[H-666] RubiconMarket checks slippage incorrectly](https://github.com/code-423n4/2023-04-rubicon-findings/issues/666)
## [[H-644] DOS of market operations with malicious offers](https://github.com/code-423n4/2023-04-rubicon-findings/issues/644)
## [[H-631] Denial of service against BuyAllAmount in RubiConMarket under certain conditions](https://github.com/code-423n4/2023-04-rubicon-findings/issues/631)
## [[H-600] Incorrect and duplicate fee deduction could cause users to lose part of profit due to a smaller long/short exposure](https://github.com/code-423n4/2023-04-rubicon-findings/issues/600)
## [[H-587] Reentrancy possible in 6 functions of RubiconMarket core contract](https://github.com/code-423n4/2023-04-rubicon-findings/issues/587)
## [[H-583] Position could be removed if there is collateral / debt in the position](https://github.com/code-423n4/2023-04-rubicon-findings/issues/583)
## [[H-567] If bathToken token has already entered the market, then owner cannot open a long/short position with this bathToken](https://github.com/code-423n4/2023-04-rubicon-findings/issues/567)
## [[H-558] Prevent owner from exiting the market](https://github.com/code-423n4/2023-04-rubicon-findings/issues/558)
## [[H-551] Division rounding errors for maker and taker fees become large enough to incentivise abuse by splitting orders for fee evasion when token is USDC](https://github.com/code-423n4/2023-04-rubicon-findings/issues/551)
## [[H-546] Dos attack to open position](https://github.com/code-423n4/2023-04-rubicon-findings/issues/546)
## [[H-545] When opening a position, the collateral of the previous position is used for borrowing, which makes the user more easily liquidated](https://github.com/code-423n4/2023-04-rubicon-findings/issues/545)
## [[H-499] Users can bypass paying fees to the order maker](https://github.com/code-423n4/2023-04-rubicon-findings/issues/499)
## [[H-497] Users might get less assets than expected upon migration due to price manipulation attacks](https://github.com/code-423n4/2023-04-rubicon-findings/issues/497)
## [[H-488] `V2migrator.migrate()` can easily stop functioning for specific `bathTokenV1`](https://github.com/code-423n4/2023-04-rubicon-findings/issues/488)
## [[H-476] Functions `setRewardsDuration` always revert and `lastTimeRewardApplicable` always return `block.timestamp` when `periodFinish` is set](https://github.com/code-423n4/2023-04-rubicon-findings/issues/476)
## [[H-473] Griefer can cancel() other users active offers](https://github.com/code-423n4/2023-04-rubicon-findings/issues/473)
## [[H-441] user loses funds if they call rubicall() with any ETH along with their tokens.](https://github.com/code-423n4/2023-04-rubicon-findings/issues/441)
## [[H-423] The last borrowed asset will not be collateralized and the user may be liquidated due to insufficient collateral](https://github.com/code-423n4/2023-04-rubicon-findings/issues/423)
## [[H-410] User can steal all rewards and drain the pool](https://github.com/code-423n4/2023-04-rubicon-findings/issues/410)
## [[H-377] buy() fails to deduct fees from ``spend`` when sending ``buy_gem`` tokens to _offer.recipient, such over-sending will drain the contract (loss of funds).](https://github.com/code-423n4/2023-04-rubicon-findings/issues/377)
## [[H-361] User is unable to close position in Position.sol due to incorrect calculation of trading fee](https://github.com/code-423n4/2023-04-rubicon-findings/issues/361)
## [[H-348] Users lose funds to fees when the best order is the one submitted by the same user](https://github.com/code-423n4/2023-04-rubicon-findings/issues/348)
## [[H-347] Cancel() in RubiconMarket may fail resulting in a loss of funds if the user wishes to cancel](https://github.com/code-423n4/2023-04-rubicon-findings/issues/347)
## [[H-301] Rewards distribution continues after the reward duration expires.](https://github.com/code-423n4/2023-04-rubicon-findings/issues/301)
## [[H-296] Attacker can profit from front-run closePosition to cause user losses](https://github.com/code-423n4/2023-04-rubicon-findings/issues/296)
## [[H-282] Incorrect fee handling in Position.sol's Market Buy/Sell functions](https://github.com/code-423n4/2023-04-rubicon-findings/issues/282)
## [[H-281] Due to the loss of precision, openPosition will make the user's leverage higher than expected](https://github.com/code-423n4/2023-04-rubicon-findings/issues/281)
## [[H-259] Creation of new orders can become impossible on active pairs because of gas issues](https://github.com/code-423n4/2023-04-rubicon-findings/issues/259)
## [[H-239] There is no user-controllable minimum receiving amount when `openPosition` and`closePosition` which may lead to price manipulation attacks](https://github.com/code-423n4/2023-04-rubicon-findings/issues/239)
## [[H-201] Borrower could repay lesser amount due to flawed logic in `Position._repay()`](https://github.com/code-423n4/2023-04-rubicon-findings/issues/201)
## [[H-56] `can_offer` Modifier implementation does not revert](https://github.com/code-423n4/2023-04-rubicon-findings/issues/56)

# Medium Severity Primary Submissions (106)

## [[M-1371] BPS denominator should be 10000](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1371)
## [[M-1344] [M-04] Frontrunning in the take function can lead to an attacker stealing a users' position in the buy function](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1344)
## [[M-1336] `RubiconMarket._matcho` doesn't consider market fees](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1336)
## [[M-1335] Fee calculation is wrong in `Position._marketBuy`](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1335)
## [[M-1333] `Position._marketSell` might revert due to lack of asset tokens](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1333)
## [[M-1312] Fee inclusivity calculations are inaccurate in RubiconMarket](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1312)
## [[M-1304] Fee calculation is wrong in `FeeWrapper`](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1304)
## [[M-1298] Low level calls to accounts with no code will succeed in `FeeWrapper`](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1298)
## [[M-1295] Rewards for initial period may be lost in `BathBuddy` contract](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1295)
## [[M-1290] `notifyRewardAmount` can be used to dilute rewards](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1290)
## [[M-1286] BathBuddy contract should implement methods to pause and unpause contract](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1286)
## [[M-1257] No deadline parameter in `sellAllAmount()` and `buyAllAmount()` functions:](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1257)
## [[M-1225] No cap on fees can result in loss of funds for clients](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1225)
## [[M-1185] lowering interest rate will cause `closePosition` to fail](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1185)
## [[M-1172] Anyone can create buddy for himself without calling `BathHouseV2.createBathToken` function](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1172)
## [[M-1167] Missing a check for minimum sell amount at make function](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1167)
## [[M-1158] Inconsistent reward payout before and after periodFinish[token]](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1158)
## [[M-1149] Fee accounted twice in `Position._rubiconSwap()`, results in less asset received than what it should](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1149)
## [[M-1145] Array Length Mismatch in `BathHouseV2.claimRewards` function](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1145)
## [[M-1144] If feeBPS is too low it might lead to revert in Buy function](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1144)
## [[M-1142] Precision Loss in `buy()` can result in maker getting unfair trade](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1142)
## [[M-1107] Repeated Calls to "sellAllAmount" can cause a Denial-of-Service (DoS) Attack.](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1107)
## [[M-1106] `buyAllAmount` will always revert when `buy` amount is greater than the best offer quote](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1106)
## [[M-1096] buyEnabled is always true](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1096)
## [[M-1077] Missing upper limit on `_rewardsDuration` can lead to setting up of arbitrarily large values](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1077)
## [[M-1062] RubiconMarket.feeTo set to zero-address can DoS buy function](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1062)
## [[M-1032] No slippage protection on fee changes in RubiconMarket](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1032)
## [[M-1019] owner can set himself as recipient when RubiconMarket.Make() called](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1019)
## [[M-1012] No unstop() function in the contract ExpiringMarket](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1012)
## [[M-1003] Wrong calculation of repayment amount in Position contract](https://github.com/code-423n4/2023-04-rubicon-findings/issues/1003)
## [[M-949] `RubiconMarket` does not support ERC20 tokens that do not return bool on transfer (USDT, BNB, etc.)](https://github.com/code-423n4/2023-04-rubicon-findings/issues/949)
## [[M-942] Owner of a position can transfer ownership of position to anyone without an update to positionAddresses in PoolsUtility](https://github.com/code-423n4/2023-04-rubicon-findings/issues/942)
## [[M-940] Single-step process for critical ownership transfer can be dangerous](https://github.com/code-423n4/2023-04-rubicon-findings/issues/940)
## [[M-938] _maxBorrow() function would lead to division by zero error, which further breaks the borrow functionality if the _bathToken price is unavailable.](https://github.com/code-423n4/2023-04-rubicon-findings/issues/938)
## [[M-933] Users can be rug pulled](https://github.com/code-423n4/2023-04-rubicon-findings/issues/933)
## [[M-921] COMP rewards cannot be claimed if getReward() function is paused](https://github.com/code-423n4/2023-04-rubicon-findings/issues/921)
## [[M-918] Broken invariant in `notifyRewardAmount` allows adding rewards without sending funds](https://github.com/code-423n4/2023-04-rubicon-findings/issues/918)
## [[M-910] The function pointer fn in RubiconMarket.sol#buy() will never reach super.buy because matchingEnabled cannot be false](https://github.com/code-423n4/2023-04-rubicon-findings/issues/910)
## [[M-907] Incorrect reward duration extension in notifyRewardAmount function](https://github.com/code-423n4/2023-04-rubicon-findings/issues/907)
## [[M-906] Calling `ExpiringMarket.stop` and `ExpiringMarket.isClosed` functions cannot pause any functionlities of the market](https://github.com/code-423n4/2023-04-rubicon-findings/issues/906)
## [[M-904] User can possess less value than before when `V2Migrator.migrate` function is called to give up bathTokenV1 tokens and hold bathTokenV2 tokens](https://github.com/code-423n4/2023-04-rubicon-findings/issues/904)
## [[M-900] `Position._marketBuy` or `Position._marketSell` function can be DOS'ed if corresponding `_quote` or `_asset` token is USDT](https://github.com/code-423n4/2023-04-rubicon-findings/issues/900)
## [[M-899] Calling `Position._marketSell` function compares `fill_amt` that includes fee to `min_fill_amount` that does not include fee](https://github.com/code-423n4/2023-04-rubicon-findings/issues/899)
## [[M-886] Last In First Out execution in order book](https://github.com/code-423n4/2023-04-rubicon-findings/issues/886)
## [[M-871] openPosition() May not work](https://github.com/code-423n4/2023-04-rubicon-findings/issues/871)
## [[M-854] `BathBuddy` rewards DoS](https://github.com/code-423n4/2023-04-rubicon-findings/issues/854)
## [[M-853] # Miscalculation of pay_amt so that _matcho function doesn't work as expected](https://github.com/code-423n4/2023-04-rubicon-findings/issues/853)
## [[M-850] FeeWrapper user can pay fees using ETH rather than ERC20](https://github.com/code-423n4/2023-04-rubicon-findings/issues/850)
## [[M-847] Division before multiplication can cause unnecessary rounding loss.](https://github.com/code-423n4/2023-04-rubicon-findings/issues/847)
## [[M-846] _buys() function in RubiconMarket.sol should use "<=" instead of "<" to determine if an offer is dust offer.](https://github.com/code-423n4/2023-04-rubicon-findings/issues/846)
## [[M-835] Chain reorganization could affect position opening and closing](https://github.com/code-423n4/2023-04-rubicon-findings/issues/835)
## [[M-831] [M-3] Offer is deleted but unsorted from order book when outstanding amount is less than _dust](https://github.com/code-423n4/2023-04-rubicon-findings/issues/831)
## [[M-819] Lack of validation for the `rewardsDuration`, which lead to no reward for the certain `rewardToken`](https://github.com/code-423n4/2023-04-rubicon-findings/issues/819)
## [[M-811] call() should be used instead of transfer()](https://github.com/code-423n4/2023-04-rubicon-findings/issues/811)
## [[M-793] Wrong events data when migrating](https://github.com/code-423n4/2023-04-rubicon-findings/issues/793)
## [[M-762] getPayAmountWithFee is calculated incorrectly, it should add the fee instead of subtracting it](https://github.com/code-423n4/2023-04-rubicon-findings/issues/762)
## [[M-725] The function buys() contains an internal function that will always return false. Leading to unexpected results](https://github.com/code-423n4/2023-04-rubicon-findings/issues/725)
## [[M-721] No feature to claim reward of across all pools](https://github.com/code-423n4/2023-04-rubicon-findings/issues/721)
## [[M-708] Positions are heavily prone to MEV](https://github.com/code-423n4/2023-04-rubicon-findings/issues/708)
## [[M-670] Position contract allows to interact with positions that are liquidated](https://github.com/code-423n4/2023-04-rubicon-findings/issues/670)
## [[M-654] address variables are not checked which could lead to transfer of funds to a wrong address - FeeWrapper contract](https://github.com/code-423n4/2023-04-rubicon-findings/issues/654)
## [[M-647] Proper constructor arguments validation needed in V2Migrator contract](https://github.com/code-423n4/2023-04-rubicon-findings/issues/647)
## [[M-604] Position._borrowLimit doesn't use exisiting collateral in case if user doesn't have any `_bathToken`](https://github.com/code-423n4/2023-04-rubicon-findings/issues/604)
## [[M-601] No greater than 100% check in RubiconMarket.setFeeBPS can result in underflow RubiconMarket.buy](https://github.com/code-423n4/2023-04-rubicon-findings/issues/601)
## [[M-586] repay function can be DOSed](https://github.com/code-423n4/2023-04-rubicon-findings/issues/586)
## [[M-576] Not using storage slots for all variable in the RubiconMarket can break the storage layout in an upgrade](https://github.com/code-423n4/2023-04-rubicon-findings/issues/576)
## [[M-557] Potential infinite loop in `_borrowLimit` function](https://github.com/code-423n4/2023-04-rubicon-findings/issues/557)
## [[M-555] _leverageCheck incorrectly reverts some short leveraged positions](https://github.com/code-423n4/2023-04-rubicon-findings/issues/555)
## [[M-553] User can front-run `batchRequote()`, `cancel()`, and `batchCancel()` to take advantage of more favourable offer terms before they are removed](https://github.com/code-423n4/2023-04-rubicon-findings/issues/553)
## [[M-542] ``_borrowLimit()`` might over-borrow when ``_assetAmount == _desiredAmount`` in the last loop iteration.](https://github.com/code-423n4/2023-04-rubicon-findings/issues/542)
## [[M-541] The Position._calculateDebt() does not calculate interest correctly](https://github.com/code-423n4/2023-04-rubicon-findings/issues/541)
## [[M-536] Reward tokens could be stuck on BathBuddy contract and there is no function to transfer them out](https://github.com/code-423n4/2023-04-rubicon-findings/issues/536)
## [[M-529] Leverage check will always fail due to wrong require statement provided](https://github.com/code-423n4/2023-04-rubicon-findings/issues/529)
## [[M-521] Unsafe casting of user amount from uint256 to uint128](https://github.com/code-423n4/2023-04-rubicon-findings/issues/521)
## [[M-517] Collateral factor could be 0 which should not be alowed](https://github.com/code-423n4/2023-04-rubicon-findings/issues/517)
## [[M-510] Fee should not be zero in buy market or sell market activities](https://github.com/code-423n4/2023-04-rubicon-findings/issues/510)
## [[M-495] Reentrancy on FeeWrapper could be used to break foreign implementations](https://github.com/code-423n4/2023-04-rubicon-findings/issues/495)
## [[M-494] FeeWrapper arbitrary calls enable gas theft](https://github.com/code-423n4/2023-04-rubicon-findings/issues/494)
## [[M-493] Users of other protocols can temporarily freeze non payable rubicalls for some tokens](https://github.com/code-423n4/2023-04-rubicon-findings/issues/493)
## [[M-489] Zero reward rate calculation impedes low-decimals token distributions](https://github.com/code-423n4/2023-04-rubicon-findings/issues/489)
## [[M-480] Transaction can be failed in the "_buys" function of "RubiconMarket" contract.](https://github.com/code-423n4/2023-04-rubicon-findings/issues/480)
## [[M-457] RubiconMarket: buy() may not take any fee for tokens with low decimal precision](https://github.com/code-423n4/2023-04-rubicon-findings/issues/457)
## [[M-412] `RubiconMarket` buys can not be disabled if offer matching is disabled](https://github.com/code-423n4/2023-04-rubicon-findings/issues/412)
## [[M-409] The used oracle has stablecoins like USDT and USDC fixed at 1 USD price](https://github.com/code-423n4/2023-04-rubicon-findings/issues/409)
## [[M-396] The curve of short leverage position is not smooth and may cause users to open positions that are different from expectations](https://github.com/code-423n4/2023-04-rubicon-findings/issues/396)
## [[M-360] Missed deals due to inadequate logic robustness in super.buy()](https://github.com/code-423n4/2023-04-rubicon-findings/issues/360)
## [[M-359] [M-02] No rewards period will be set when setRewardsDuration is called](https://github.com/code-423n4/2023-04-rubicon-findings/issues/359)
## [[M-355] [M-01] Initial user/s will not be set a rewards duration or rewards amount by the admin in setRewardsDuration() and notifyRewardAmount().](https://github.com/code-423n4/2023-04-rubicon-findings/issues/355)
## [[M-349] Partial orders will fail because buy() reverts when there is not enough liquidity in the market](https://github.com/code-423n4/2023-04-rubicon-findings/issues/349)
## [[M-319] Divison Before multipcation incurs heavy precision loss when borrowing asset from Position](https://github.com/code-423n4/2023-04-rubicon-findings/issues/319)
## [[M-315] Lack of consideration for Liquidation when shortfall happens.](https://github.com/code-423n4/2023-04-rubicon-findings/issues/315)
## [[M-293] Both buyAllAmountWithLeverage and sellAllAmountWithLeverage always revert](https://github.com/code-423n4/2023-04-rubicon-findings/issues/293)
## [[M-271] chainlink oracle integration should check if the L2 sequencer is active](https://github.com/code-423n4/2023-04-rubicon-findings/issues/271)
## [[M-269] User should not perform migration multiple times](https://github.com/code-423n4/2023-04-rubicon-findings/issues/269)
## [[M-258] Incorrect decimal handling in Position.sol truncate accured interest rate](https://github.com/code-423n4/2023-04-rubicon-findings/issues/258)
## [[M-255] `FeeWrapper._chargeFeePayable` may revert as checks is too restrictive](https://github.com/code-423n4/2023-04-rubicon-findings/issues/255)
## [[M-238] `Position#_repay` does not consider the balance in the contract when judging the obtained quote](https://github.com/code-423n4/2023-04-rubicon-findings/issues/238)
## [[M-228] The attacker may maliciously increase the gas fee of the migrate](https://github.com/code-423n4/2023-04-rubicon-findings/issues/228)
## [[M-213] `feeTo` set to zero-address can DoS the `rubicall` function](https://github.com/code-423n4/2023-04-rubicon-findings/issues/213)
## [[M-212] Must approve by zero first](https://github.com/code-423n4/2023-04-rubicon-findings/issues/212)
## [[M-181] Missing constructor for owner assignment in DSAuth](https://github.com/code-423n4/2023-04-rubicon-findings/issues/181)
## [[M-170] No way to change bathToken configuration if it is added wrongly for an underlying token](https://github.com/code-423n4/2023-04-rubicon-findings/issues/170)
## [[M-161] SimpleMarket.calcAmountAfterFee reverts if amount is zero](https://github.com/code-423n4/2023-04-rubicon-findings/issues/161)
## [[M-154] Offer maker may not be able to cancel offer using account that made the offer](https://github.com/code-423n4/2023-04-rubicon-findings/issues/154)
## [[M-151] RubiconRouter `maxSellAllAmount` tokens mismatch](https://github.com/code-423n4/2023-04-rubicon-findings/issues/151)
## [[M-4] Dependency Confusion Attack Deu to Unclamed Package](https://github.com/code-423n4/2023-04-rubicon-findings/issues/4)