I'm a Web3 security researcher. Here's a collection of some of my findings at C4:
- Project funds can be drained by reusing signatures
- Attacker can drain all the projects within minutes, if admin account has been exposed
- Project.raiseDispute() doesn't use approvedHashes - meaning users who use contracts can't raise disputes
- Uninitialized proxy - Vault implementation can be destroyed leading to loss of all assets
- Fraction price is not updated when total supply changes
- Try-catch block doesn't catch all errors
- Hash Collision - risk of using only part of keccak256()'s output
(I've included only a small sample; the recent contests aren't public yet, and I will update this list as they become public.)