Agentic Smart
Contract Auditing

• Medium

  Medium finding pending public disclosure

  Cecuro identified a Medium-severity vulnerability in a Solidity merkle-tree verification path that was reviewed and missed by SRLabs's May 2026 audit. Full technical writeup and the named project will be published once the issue is fixed and disclosure is appropriate.

• Low

  Low-severity finding missed across the V3 competition and review

  Cecuro identified a Low-severity vulnerability in Alchemix V3 that was reviewed and missed by both the Immunefi competition (298 researchers, 952 reports, $100k pool) and a subsequent Y-Audit review (commit 45e4b08).

Confirmed at commit 45e4b08.

• High

  First High finding pending public disclosure

  Cecuro identified a High-severity vulnerability reviewed and missed by Hacken's January 2026 audit. Full technical writeup and the named project will be published once the issue is fixed and disclosure is appropriate.

• High

  Second High finding pending public disclosure

  Cecuro identified a second High-severity vulnerability reviewed and missed by Hacken's January 2026 audit. Full technical writeup and the named project will be published once the issue is fixed and disclosure is appropriate.

• Critical

  Cross-function reentrancy in ServiceManager.create() drains pooled ERC20 deposits via _safeMint callback

  ServiceManager.create() registers a new service and mints its ownership NFT via ERC721 _safeMint, which hands control to the recipient's onERC721Received hook before the service's accounting is finalised. From inside that callback an attacker can re-enter the registry's deposit path and act against pooled ERC20 deposits while the contract's state is still mid-update — a classic cross-function reentrancy across the create/deposit boundary. Reviewed and missed by the Zellic V12 AI auditor, which inspected ServiceManager.create() and StakingBase but did not flag the _safeMint reentrancy window.

Reviewed ServiceManager.create() and StakingBase, but did not flag the _safeMint reentrancy window.

• High

  Cross-contract reentrancy in liquidation drains the collateral vault via live phantom shares

  During liquidation the account is temporarily inflated with "phantom" shares used only for solvency math, and the two collateral tokens are settled one after the other. An external callback fires mid-sequence while the phantom shares are still live, letting a malicious liquidator transfer them out and redeem them for real assets — draining the CollateralTracker and socializing the loss to all depositors. Reviewed and missed by Nethermind's NM-0701 audit; independently confirmed as High (H-02) by the parallel Code4rena "Panoptic: Next Core" competition and since mitigated.

• Medium

  Oracle rebase mask clears 8 bits of spot EMA, corrupting the solvency oracle after large moves

  The bitmask used when "rebasing" the packed price-oracle word is sized wrong and erases more bits than intended, wiping part of the stored EMA price values it was supposed to preserve. This corrupts the price feed the solvency checks depend on after large market moves. Missed by Nethermind's NM-0701; confirmed as Medium (M-04) by Code4rena and since mitigated.

• Medium

  Liquidation bonus underflow leaves insolvent accounts unliquidatable or overpays liquidators

  The liquidation-bonus formula subtracts collateral balance from the requirement without guarding against the balance being the larger of the two. The V2 solvency rewrite made that state reachable (an account insolvent in one token but flush in the other), so the unsigned subtraction misbehaves — blocking liquidations entirely, or producing a wildly inflated bonus. Missed by Nethermind's NM-0701; confirmed as Medium (M-01) by Code4rena and since mitigated.

• Medium

  Per-leg zero-width credits overwritten instead of accumulated, mis-valuing multi-leg positions

  When computing a position's required collateral, the credit for zero-width legs is overwritten on each loop iteration instead of summed. Positions with multiple such legs are mis-valued, which can trigger erroneous liquidations. Missed by Nethermind's NM-0701; confirmed as Medium (M-02) by Code4rena and since mitigated.

• Medium

  Liquidation / force-exercise DoS via manipulable spot-vs-TWAP stale-oracle check

  A short-lived spot-price manipulation can trip the StaleOracle guard inside dispatchFrom, blocking time-critical liquidations, force exercises, and premium settlements for as long as the attacker holds the price off-band. Missed by Nethermind's NM-0701; confirmed as Medium (M-06) by Code4rena and since mitigated.

• Medium

  Internal oracle is cheaply manipulable via slot0 tick across 64-second epochs

  The internal oracle ingests an easily-influenced spot tick, and once updated in a 64-second epoch it can't be corrected until the next one. An attacker can front-run legitimate updates and nudge the oracle across epochs (e.g. with flash loans) to skew the price used in risk calculations. Missed by Nethermind's NM-0701; confirmed as Medium (M-11) by Code4rena and since mitigated.

Nethermind's NM-0701 reviewed the panoptic-v2-core liquidation, oracle, and collateral-settlement paths — the same shared core logic — but did not flag any of these six issues. Each was independently confirmed by the parallel Code4rena "Panoptic: Next Core" competition (later commit 29980a74) and has since been mitigated by Panoptic.

• High

  High finding pending public disclosure

  Cecuro identified a High-severity vulnerability that was reviewed and missed by four independent audits — Cantina Code, GetRecon, 0xMacro, and Octane Security. Full technical writeup and the named project will be published once the issue is fixed and disclosure is appropriate.

• High

  High finding pending public disclosure

  Cecuro identified a High-severity vulnerability that was reviewed and missed by four independent audits — Cantina Code, GetRecon, 0xMacro, and Octane Security. Full technical writeup and the named project will be published once the issue is fixed and disclosure is appropriate.