Platform: Code4rena
Start Date: 16/12/2021
Pot Size: $100,000 USDC
Total HM: 21
Participants: 25
Period: 7 days
Judge: alcueca
Total Solo HM: 12
Id: 66
League: ETH
Rank: 10/25
Findings: 3
Award: $3,178.65
🌟 Selected for report: 3
🚀 Solo Findings: 0
🌟 Selected for report: defsec
Also found by: 0x1f8b, Jujic, WatchPug, broccolirob, certora, cmichel, csanuragjain, hyh, jayjonah8, kenzo, robee, sirhashalot
0x1f8b
Unsafe transfer was done.
In the method WJLP.wrap a transferFrom and an approve are made without checking the boolean result; the ERC20 standard specifies that the token can return false if the transfer was not made, so it's mandatory to check the result of transfer methods.
This was also seen in the unwrapFor and _safeJoeTransfer methods.
Manual review
Use safeTransfer, safeTransferFrom and safeApprove or check the boolean result
#0 - kingyetifinance
2022-01-05T17:46:02Z
@LilYeti: Duplicate with #1
#1 - kingyetifinance
2022-01-10T06:22:28Z
Fixed
#2 - alcueca
2022-01-15T07:29:07Z
Duplicate of #94
69.7165 USDC - $69.72
0x1f8b
Because of a human error it's possible to set a new invalid owner.
In the method YetiFinanceTreasury.updateTeamWallet it's possible to change the teamWallet, but this team wallet is not checked; it could be address(0) or an invalid address. When you want to change the address of the owner it's better to propose a new owner and then accept this ownership with the new wallet; this way, you will never have the chance of losing the ownership.
Manual review
Implement an ACK system for changing the ownership
#0 - kingyetifinance
2022-01-05T06:23:37Z
@LilYeti: Not really an error, the tx has to be approved by a multisig so there are already checks in place to not set it to 0. So acknowledged, but severity 0 probably.
#1 - alcueca
2022-01-15T06:06:16Z
Duplicate of #251
🌟 Selected for report: 0x1f8b
531.2947 USDC - $531.29
0x1f8b
Unsafe approve was done.
In the method sYETIToken.buyBack an approve is made without checking the boolean result; the ERC20 standard specifies that the token can return false if the approve was not made, so it's mandatory to check the result of approve methods.
Manual review
Use safeApprove or check the boolean result
#0 - kingyetifinance
2022-01-06T06:56:42Z
@LilYeti: Duplicate issue #19 and is severity level 0
#1 - alcueca
2022-01-15T15:39:32Z
Not a duplicate
#2 - alcueca
2022-01-15T15:40:29Z
Low severity is warranted, as the lack of return check can lead to incorrect state handling.
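The unchecked transferFrom/approve pattern from the two findings above (WJLP.wrap and sYETIToken.buyBack) next to the check-the-result fix both recommend, as an added illustration that is not the audited Yeti Finance code; the contract, library and function names are hypothetical:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.11;

// Minimal ERC20 surface needed for the illustration.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

// Vulnerable pattern: the return value is ignored. A token that returns
// false instead of reverting leaves `wrapped` credited although nothing moved.
contract UncheckedWrapper {
    IERC20 public immutable token;
    mapping(address => uint256) public wrapped;
    constructor(IERC20 _token) { token = _token; }
    function wrap(uint256 amount) external {
        token.transferFrom(msg.sender, address(this), amount); // result dropped
        wrapped[msg.sender] += amount;
    }
}

// Hardened pattern: revert if the call fails, if the token returns false, or if
// there is no code at the address (a bare `call` to an EOA would otherwise
// "succeed" with empty return data). Tokens returning no data are still accepted.
library SafeERC20Lite {
    function safeTransferFrom(IERC20 token, address from, address to, uint256 amount) internal {
        _callAndCheck(address(token), abi.encodeCall(token.transferFrom, (from, to, amount)));
    }
    function safeApprove(IERC20 token, address spender, uint256 amount) internal {
        _callAndCheck(address(token), abi.encodeCall(token.approve, (spender, amount)));
    }
    function _callAndCheck(address token, bytes memory data) private {
        require(token.code.length > 0, "SafeERC20: not a contract");
        (bool ok, bytes memory ret) = token.call(data);
        require(ok && (ret.length == 0 || abi.decode(ret, (bool))), "SafeERC20: operation failed");
    }
}

contract CheckedWrapper {
    using SafeERC20Lite for IERC20;
    IERC20 public immutable token;
    mapping(address => uint256) public wrapped;
    constructor(IERC20 _token) { token = _token; }
    function wrap(uint256 amount) external {
        token.safeTransferFrom(msg.sender, address(this), amount); // reverts on false
        wrapped[msg.sender] += amount;
    }
}
```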
0x1f8b
Gas saving.
There is one for loop in the method TeamAllocation.sendAllocatedYETI where the increment is made with i++; it's better to use ++i.
Gas saving
Use ++i
#0 - kingyetifinance
2022-01-06T07:55:48Z
@LilYeti : Duplicate of #12
26.3494 USDC - $26.35
0x1f8b
Gas saving.
It's possible to optimize the structs ChainlinkResponse and TellorResponse in PriceFeed to use fewer storage slots.
Use the following structures:
struct ChainlinkResponse {
    int256 answer;
    uint256 timestamp;
    uint80 roundId;
    bool success;
    uint8 decimals;
}
struct TellorResponse {
    uint256 value;
    uint256 timestamp;
    bool ifRetrieve;
    bool success;
}
#0 - kingyetifinance
2022-01-06T09:15:05Z
@LilYeti : Duplicate #5 #6
#1 - alcueca
2022-01-14T21:28:15Z
Duplicate of #224
43.9157 USDC - $43.92
0x1f8b
Gas saving.
The variable yetiToken inside the LockupContract contract is never modified, so it's better to use immutable to avoid storage access.
Gas saving
Use immutable
#0 - kingyetifinance
2022-01-06T08:01:57Z
Similar to reported in #10 but that one never mentioned this specific variable
🌟 Selected for report: 0x1f8b
97.5905 USDC - $97.59
0x1f8b
Gas saving.
The variables yetiToken and unlockTime inside the ShortLockupContract contract are never modified, so it's better to use immutable to avoid storage access.
Gas saving
Use immutable
#0 - kingyetifinance
2022-01-06T08:02:58Z
@LilYeti: #132 is very similar, these could have been reported together as they were from same warden.