Fathom DAO

There's no owners array length validation in the constructor of MultiSigWallet

Adding a new owner doesn't change necessary amount of signatures in MultiSigWallet

Removing owner without revokeConfirmation transaction in MultiSigWallet

There is no function that implements the _cancel proposal in MainTokenGovernor

Changing the timelock address may cause re-execution of the proposals in GovernorTimelockControl

The initVault and initAdminAndOperator functions can be initialized from any address in the VaultPackage contract

There is no check that stream is active in the StakingHandler contract

Calling the updateConfig function may block the work of the StakingHandlers contract

In MultiSigWallet there's no parameter defining minimum amount of signatures

Transaction does not have a lifetime parameter in MultiSigWallet

Governance can delete TimelockAdmin and the contract will lose its control in TimelockController

There is no validation for maxTargets when executing in Governor

There is no possibility to update multisig in Governor

There is no emergency shutdown mode in Governor

It is possible to set a null address in GovernorTimelockControl when updating timelock

There is no validation for null values for newQuorumNumerator in GovernorVotesQuorumFraction

When MINTER_ROLE is added to VMainToken, the isWhiteListed list does not update

There is no possibility to transfer standard ERC20 tokens from the Governance balance in MainTokenGovernor

There is no option to migrate to another contract in the VaultPackage contract

There is a DoS possibility when calling updateVault in the StakingHandlers contract

There is no emergency suspension of the rewards payment in the VaultPackage contract

Unsafe use of the transfer and transferFrom functions in StakingHandlers and VaultPackage

Tokens that get into the VaultPackage balance can be used to withdraw rewards in the contract StakingHandler

Calling initializeStaking in the StakingHandlers contract does not allocate rewards for MAIN_STREAM in VaultPackage

Updating rpsDuringLastClaimForLock for inactive stream in the StakingInternals contract

There is a possibility for a manager to remove all streams in order to steal all pending rewards in StakingHandlers

MINTER_ROLE and WHITELISTER_ROLE have the same value in the VMainToken

Transaction should be marked as executed if the call fails

Admin role can be revoked forever by mistake in VMainToken

It is possible for attacker to create active locks to force users to reach the lock limit in StakingHandlers

prohibitedEarlyWithdraw is not set to false for lockid after unlocking in StakingHandlers

Calling unlock, earlyUnlock and unlockPartially before claimRewards will result in loss of rewards in StakingHandlers

Share weight drop formula is incorrect in StakingInternals

Penalty can be bigger than stake in the StakingInternals

Modifier onlyOwnerOrGov creates a complex confirmation structure in case of Governance calls in the MultiSigWallet

No parameter check when adding transaction in MultiSigWallet

Missing validation, that the bytecode of address _to did not change while running a transaction in MultiSigWallet

There's no ETH balance validation when adding a non-zero transaction _value in MultiSigWallet

There is no time limit for executing proposal in Governor

There is no check for gas consumption in Governor

confirmProposal is possible for both active and inactive proposals in Governor

There is no check for the msg.value value available for execution in Governor and TimelockController

There is no check for zero value for _token, _multiSig and _timelock in Governor, GovernorTimelockControl, MainTokenGovernor

There is no check for zero in GovernorSettings._setProposalThreshold

There is no limit on the number of proposals for one proposer in Governor

A missing check that tokens are on the balance when calling the payRewards function in the VaultPackage contract

There is no limit on the maximum number of active streams in the StakingHandlers contract

Incorrect processing of contract modifiers Initializable in the StakingHanders contract

It is possible for any user to call createStream in the StakingHandlers contract

Possible overflow with calculations

Multiple streams can be active at the same time with the same parameters in StakingHandler.sol

There is no limit for the amount of schedules on streams in StakingHandlers

It is possible to remove tokens that are used by another contract in VaultPackage

There's no logging of reverted transactions in MultiSigWallet

Non-optimal packing of the Transaction structure in MultiSigWallet

Incorrect status check in execute function in Governor

_minDelay can be set to zero in TimelockController

There is a redundant initialized check in VMainToken

There is redundant code in the VMainToken contract

The Governor and TimeLockController do not support the ERC721 and ERC1155 tokens

The addSupportedToken and removeSupportedToken calls have an redundant pausable modifier in the VaultPackage contract

There are no checks that admin, proposers and executors are not zero addresses in TimelockController

Unused import of StakingStructs in StakingStorage

Unused constant ONE_MONTH in StakingGettersHelper

Non-optimal storage layout for Stream struct in StakingStructs

Unnecessary ' in a RewardsLibrary comment

There is a typo in a comment in StakingInternals

Redundant check for maxDepositAmount > 0 in RewardsCalculator

It is not possible to withdraw tokens that were sent by mistake

Unused import of ReentracyGuard in StakingHandlers

Сustom initializer modifier is used instead of one from OpenZeppelin

Stream manager, treasury manager and admin represent the same account in StakingHandlers

Revert message strings are too long

Unnecessary reads from storage

Misleading check (scheduleTimeLength > 0) in the RewardsCalculator